2 parents 25e75ad + c1e9a1b commit 7768b32Copy full SHA for 7768b32
8 files changed
.zuul.d/secure.yaml
@@ -101,7 +101,7 @@
101
gY6QHocYpATL46iLkv97QANNUxTdxL7hQjdl/tf3TAHjCclmxdWhBJdvCJN/1xCM6EgVp
102
NykBYxJ+kxSmkcFCSdUM8Td75bA/UzkPCdix1reJMdEAxTE9fC55XQ/liTLlGquQDnZty
103
VLDH7x3ZJcxZsvqKR6vNbYYzJvDPTBYpHrhD7kx3ubyO9KX+SzZ+Dfhe9M8T8U=
104
- focis_ac_id: !encrypted/pkcs1-oaep
+ cah_dd8a_ac_id: !encrypted/pkcs1-oaep
105
- KB/tDE/a07eU+xtwor1iLxhvRdA/6bgkZn2aCPvkYtKKoVmT6sXpfRl1t319WqZRIRkoh
106
GK0d9KMJkVT+Q5sbZiSxMD24yMBvwaImIBG6OCzxjyklqal1SOt6CLx4q/uGoGl7QrPOM
107
WcRoluG1FCoDeUewgaZ50TQD0TQ8YGxuhRZi6s8KldDrYVkB/9HBUmwNhgd2LhExmNbtR
@@ -112,7 +112,7 @@
112
YbdI4KBz6CcfrNdtut9XlmNLT91emT9ayC+XDqBypksHXHcypuqoOHMQUdjSPtXDLsI//
113
dsSRxDL+4TtWaVovPAxaLGsiVohsoCEdAxBmYxbkA2DNYdOMf6glu7O4wMtEIjaBdzdfP
114
CKfkOiwdCjtq++Ofn/C+3zI+2H+58TosQdCXcYIGmyKw5WSN7/sCosWDUtcsq4=
115
- focis_ac_secret: !encrypted/pkcs1-oaep
+ cah_dd8a_ac_secret: !encrypted/pkcs1-oaep
116
- E8fpHXVmMa7ptAndyV8fqgC6tmGL9qmtpI10q1Yh6Qo0iIt09HNl8aZLtupmavTqYJg+D
117
7BI3ziTG4PNfc6MK0rvsQE/jGCf/XGW7yyfrmcvok+8mwD7foya5gEDLvbxFuIUopdTEt
118
Wk+5qLHNv87fKtQVGoda1qZXQ2ZjEw3sLv5eENLEft+u3XZnPLMVJ3p9ZGK0mvBcIfAlk
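Review bot: The focis_ac_id/focis_ac_secret ciphertexts are replaced, not just renamed, so the application credential they decrypt to still exists unless it was revoked in the provider's identity service, and nothing in the commit indicates whether that happened. If it was not, a live credential is now untracked by this file while still able to authenticate. Worth confirming on the provider side that the old credential is deleted and that the new cah_dd8a one is scoped to what the CI jobs actually need.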
Standards/scs-0210-v2-k8s-version-policy.md
@@ -57,11 +57,12 @@ In order to keep up-to-date with the latest Kubernetes features, bug fixes and s
57
the provided Kubernetes versions should be kept up-to-date with new upstream releases:
58
59
- The latest minor version MUST be provided no later than 4 months after release.
60
-- The latest patch version MUST be provided no later than 2 weeks after release.
61
-- This time period MUST be even shorter for patches that fix critical CVEs.
+- The latest patch version MUST be provided no later than 1 month after release.
+- This time period (for providing the latest patch version) MUST not be longer than
62
+ 2 weeks if the patch addresses critical CVEs and it is RECOMMENDED to be provided
63
+ within 2 days of the release.
64
In this context, a critical CVE is a CVE with a CVSS base score >= 8 according
65
to the CVSS version used in the original CVE record (e.g., CVSSv3.1).
- It is RECOMMENDED to provide a new patch version in a 2-day time period after their release.
66
- New versions MUST be tested before being rolled out on productive infrastructure;
67
at least the [CNCF E2E tests][cncf-conformance] should be passed beforehand.
68
Tests/config.toml
@@ -21,7 +21,7 @@ subjects = [
21
"artcodix",
22
"artcodix-ro",
23
# currently not reachable from outside: "cc-rrze",
24
- "focis",
+ "cah-dd8a",
25
"pco-prod1",
26
"pco-prod2",
27
"pco-prod3",
Tests/kaas/k8s-version-policy/k8s_version_policy.py
@@ -45,8 +45,9 @@
45
46
47
MINOR_VERSION_CADENCE = timedelta(days=120)
48
-PATCH_VERSION_CADENCE = timedelta(weeks=2)
49
-CVE_VERSION_CADENCE = timedelta(days=2)
+PATCH_VERSION_CADENCE = timedelta(days=31)
+CVE_VERSION_CADENCE = timedelta(weeks=2)
50
+CVE_VERSION_CADENCE_WARN = timedelta(days=2)
51
CVE_SEVERITY = 8 # CRITICAL
52
53
HERE = Path(__file__).parent
@@ -420,19 +421,19 @@ def check_k8s_version_recency(
420
421
# whoops, the cluster should have been updated to this (or a higher version) already!
422
return False
423
ranges = [_range for _range in cve_affected_ranges if my_version in _range]
- if ranges and release.age > CVE_VERSION_CADENCE:
424
- # -- two FIXMEs:
425
- # (a) if the release still has the CVE, then there is no use if we updated to it?
426
- # (b) the standard says "time period MUST be even shorter ... it is RECOMMENDED that ...",
427
- # so what is it now, a requirement or a recommendation?
+ if ranges and release.age > CVE_VERSION_CADENCE_WARN:
+ # -- FIXME:
+ # if the release still has the CVE, then there is no use if we updated to it?
428
# shouldn't we check for CVEs of my_version and then check whether the new one still has them?
429
# -- so, this has to be reworked in a major way, but for the time being, just emit an INFO
430
# (unfortunately, the cluster name is not available here)
431
- logger.info(
+ logger.warning(
432
"Consider updating from %s to %s to avoid a CVE",
433
my_version,
434
release.version,
435
)
+ if release.age > CVE_VERSION_CADENCE:
436
+ return False
437
return True
438
439
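Review bot: The comment `# -- so, this has to be reworked in a major way, but for the time being, just emit an INFO` now contradicts the `logger.warning(` call a few lines below it, and the message "Consider updating from %s to %s to avoid a CVE" reads as advisory even on the path where the function then hits `return False` and fails the check. I would change the comment to `# for the time being: emit a WARNING, and fail the check only once CVE_VERSION_CADENCE is exceeded` so the two thresholds are explained where they are applied. If the new `if release.age > CVE_VERSION_CADENCE:` sits inside the warn branch (the rendered page does not preserve indentation), that nesting silently relies on `CVE_VERSION_CADENCE_WARN <= CVE_VERSION_CADENCE`, which holds for the values in the first hunk (2 days vs. 2 weeks) but deserves a comment there, e.g. `# must not exceed CVE_VERSION_CADENCE: the hard check is reached only via the warn branch`. The three constants in the first hunk would also benefit from a one-line comment each naming the scs-0210-v2 requirement they encode. check_k8s_version_recency starts outside the hunk.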
Tests/kaas/k8s-version-policy/k8s_version_policy_test.py
@@ -45,7 +45,7 @@ def release_data():
EXPECTED_RECENCIES = {
datetime(2024, 1, 17): True,
datetime(2024, 1, 31): True,
- datetime(2024, 2, 1): False,
+ datetime(2024, 2, 18): False,
}
@@ -65,8 +65,11 @@ def test_check_version_recency_with_cve(caplog, release_data):
# 2 days after release of patch for affected_version
dt.now.return_value = datetime(2024, 1, 20)
assert check_k8s_version_recency(affected_version, release_data, fake_ranges)
- assert len(caplog.records) == 1, "expected a log message"
69
- assert caplog.records[0].levelname == "INFO"
+ # 2 weeks after the release
+ dt.now.return_value = datetime(2024, 2, 1)
70
+ assert not check_k8s_version_recency(affected_version, release_data, fake_ranges)
71
+ assert len(caplog.records) >= 1, "expected a log message"
72
+ assert caplog.records[0].levelname == "WARNING"
73
assert "Consider updating from 1.28.5" in caplog.records[0].message
74
75
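Review bot: Relaxing the count to `assert len(caplog.records) >= 1` while still inspecting `caplog.records[0]` means only the log line from the first call (at 2024-01-20) is checked; the WARNING the second call at 2024-02-01 should also emit is never asserted, so a regression that warned only at the first threshold would still pass. Calling `caplog.clear()` before `dt.now.return_value = datetime(2024, 2, 1)` and keeping `assert len(caplog.records) == 1` after each call gives a precise assertion for both phases. Whether the first call records a WARNING or something else is not visible here, so the level/message asserts may need to move accordingly. The test function starts outside the hunk.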
compliance-monitor/bootstrap.yaml
@@ -35,7 +35,7 @@ accounts:
35
- public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIF8kQx6ur/WSSY9ThK/mwhrl/VsYnjRk44GSXBy3VfKI"
36
public_key_type: "ssh-ed25519"
37
public_key_name: "primary"
38
- - subject: focis
+ - subject: cah-dd8a
39
delegates:
40
- zuul_ci
41
api_keys:
compliance-monitor/templates/overview.md.j2
@@ -24,8 +24,8 @@ Version numbers are suffixed by a symbol depending on state: * for _draft_, †
| [CNDS](https://cnds.io/) | Public cloud for customers (2 regions) | artcodix GmbH |
{#- #} [{{ results | pick(iaas, 'artcodix', 'artcodix-ro') | summary }}]({{ detail_url('group-artcodix', iaas) }}) {# -#}
| [HM](https://ohm.muc.cloud.cnds.io/) |
-| FOCIS | ALASCA community environment for [FOCIS](https://alasca.cloud/focis/) | Cloud&Heat Technologies GmbH |
28
-{#- #} [{{ results | pick(iaas, 'focis') | summary }}]({{ detail_url('focis', iaas) }}) {# -#}
+| [Cloud&Heat IaaS](https://www.cloudandheat.com/en/products/cloud-services/infrastructure-as-a-service/) | Public cloud for customers (1 SCS region) | Cloud&Heat Technologies GmbH |
+{#- #} [{{ results | pick(iaas, 'cah-dd8a') | summary }}]({{ detail_url('cah-dd8a', iaas) }}) {# -#}
29
| n/a |
30
| [pluscloud open](https://www.plusserver.com/en/products/pluscloud-open) | Public cloud for customers (4 regions) | plusserver GmbH | {# #}
31
{#- #}[{{ results | pick(iaas, 'pco-prod1', 'pco-prod2', 'pco-prod3', 'pco-prod4') | summary }}]({{ detail_url('group-pco-prod', iaas) }}) {# -#}
playbooks/clouds.yaml.j2
@@ -37,15 +37,15 @@ clouds:
auth_url: https://api.cc.rrze.de:5000
application_credential_id: "{{ clouds_conf.cc_rrze_ac_id }}"
application_credential_secret: "{{ clouds_conf.cc_rrze_ac_secret }}"
- focis:
+ cah-dd8a:
region_name: "dd8a"
42
interface: "public"
43
identity_api_version: 3
44
auth_type: "v3applicationcredential"
auth:
auth_url: https://identity.dd8a.cloudandheat.com:443/v3/
- application_credential_id: "{{ clouds_conf.focis_ac_id }}"
- application_credential_secret: "{{ clouds_conf.focis_ac_secret }}"
+ application_credential_id: "{{ clouds_conf.cah_dd8a_ac_id }}"
+ application_credential_secret: "{{ clouds_conf.cah_dd8a_ac_secret }}"
pco-prod1:
region_name: "prod1"