intelops / kubviz

Visualize Kubernetes & DevSecOps Workflows. Tracks changes/events real-time across your entire K8s clusters, git repos, container registries, SBOM, Vulnerability foot print, etc. , analyzing their effects and providing you with the context you need to troubleshoot efficiently. Get the Observability you need, easily.
Apache License 2.0
40 stars 16 forks

feat: added mtls support #361

Closed alanjino closed 4 months ago

dryrunsecurity[bot] commented 4 months ago

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

| DryRun Security | Status | Findings |
|---|---|---|
| Configured Codepaths Analyzer | :white_check_mark: | 0 findings |
| Sensitive Files Analyzer | :white_check_mark: | 0 findings |
| Authn/Authz Analyzer | :white_check_mark: | 0 findings |
| AppSec Analyzer | :white_check_mark: | 0 findings |
| Secrets Analyzer | :white_check_mark: | 0 findings |

> [!NOTE]
> :green_circle: Risk threshold not exceeded.

**Change Summary**

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

**Summary:** The code changes in this pull request focus on updating the Helm chart versions for the "agent" and "client" applications, as well as introducing support for mutual TLS (mTLS) authentication and improving the overall security and observability of the applications. The key security-related changes include:

1. **mTLS Configuration**: The code adds support for mTLS authentication, allowing for secure communication between the agent, client, and other components. This is a positive security enhancement, but it's important to ensure that the mTLS certificates are properly managed and rotated, and that the Kubernetes Secrets containing the certificates are secured with appropriate access controls.
2. **Secure Credential Management**: The code uses environment variables and Kubernetes Secrets to manage sensitive information, such as the NATS token and Clickhouse database credentials, instead of hardcoding them in the deployment configuration. This is a recommended security practice.
3. **Monitoring and Observability**: The code includes configurations for enabling monitoring and observability features, such as OpenTelemetry and various event consumers. This helps to improve the overall security posture of the application by allowing for better detection and response to potential security incidents.

**Files Changed:**

- `charts/agent/Chart.yaml`: The Helm chart version for the "agent" application has been updated from "1.1.21" to "1.1.22". This is a routine update and does not introduce any security concerns.
- `charts/client/Chart.yaml`: The Helm chart version for the "client" application has been updated from "1.1.27" to "1.1.28". This is also a routine update and does not raise any immediate security concerns.
- `charts/agent/values.yaml`: The code adds a new section for configuring mTLS settings, including the ability to enable or disable mTLS and specify the Kubernetes Secret containing the necessary certificates and keys.
- `charts/agent/templates/deployment.yaml`: The code adds support for mTLS authentication, including environment variables and volume mounts for the mTLS client certificates and CA certificate.
- `charts/client/values.yaml`: The code adds new sections for configuring NATS TLS and mTLS settings, allowing for secure communication between the client and other components.
- `charts/client/templates/deployment.yaml`: The code adds support for mTLS authentication, similar to the changes in the "agent" deployment, as well as configurations for NATS token, Clickhouse database, and various monitoring and observability features.

Powered by DryRun Security