[PM-6553] Update backup job to match old self-host backups. #120

Open: wants to merge 1 commit into base: main

@spacex commented Feb 29, 2024

Update example backup job to match old self-hosted server backup script:
https://github.com/bitwarden/server/blob/main/util/MsSql/backup-db.sh

Also add example cronjob that matches the default period from the old self-hosted installation.

@spacex requested a review from a team as a code owner February 29, 2024 16:25
@bitwarden-bot

Thank you for your contribution! We've added this to our internal Community PR board for review.
ID: PM-6553

@bitwarden-bot changed the title from "Update backup job to match old self-host backups." to "[PM-6553] Update backup job to match old self-host backups." Feb 29, 2024
@bitwarden-bot added the in-product-review (Community PR is being reviewed by Bitwarden's Product team) and community-pr labels Feb 29, 2024
@bitwarden-bot

Checkmarx One – Scan Summary & Details
6d4c176f-fdc7-49fe-a3af-2a66c0eec04a

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | Privilege Escalation Allowed | /backup-cronjob.yaml: 23 | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process |
| MEDIUM | CPU Limits Not Set | /backup-cronjob.yaml: 23 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| MEDIUM | CPU Requests Not Set | /backup-cronjob.yaml: 23 | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node |
| MEDIUM | Container Running As Root | /backup-cronjob.yaml: 23 | Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities... |
| MEDIUM | Container Running With Low UID | /backup-cronjob.yaml: 23 | Check if containers are running with low UID, which might cause conflicts with the host's user table. |
| MEDIUM | Memory Limits Not Defined | /backup-cronjob.yaml: 23 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Requests Not Defined | /backup-cronjob.yaml: 23 | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over... |
| MEDIUM | NET_RAW Capabilities Not Being Dropped | /backup-cronjob.yaml: 23 | Containers should drop 'ALL' or at least 'NET_RAW' capabilities |
| MEDIUM | Seccomp Profile Is Not Configured | /backup-cronjob.yaml: 23 | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls |
| MEDIUM | Service Account Token Automount Not Disabled | /backup-cronjob.yaml: 21 | Service Account Tokens are automatically mounted even if not necessary |
| MEDIUM | Using Unrecommended Namespace | /backup-cronjob.yaml: 5 | Namespaces like 'default', 'kube-system' or 'kube-public' should not be used |
| LOW | CronJob Deadline Not Configured | /backup-cronjob.yaml: 9 | Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined |
| LOW | Image Without Digest | /backup-cronjob.yaml: 30 | Images should be specified together with their digests to ensure integrity |
| LOW | Invalid Image Tag | /backup-cronjob.yaml: 30 | Image tag must be defined and not be empty or equal to latest. |
| LOW | Missing AppArmor Profile | /backup-cronjob.yaml: 16 | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources |
| LOW | No Drop Capabilities for Containers | /backup-cronjob.yaml: 23 | Sees if Kubernetes Drop Capabilities exists to ensure containers security context |
| LOW | Pod or Container Without LimitRange | /backup-cronjob.yaml: 5 | Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not... |
| LOW | Pod or Container Without ResourceQuota | /backup-cronjob.yaml: 5 | Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can... |
| LOW | Pod or Container Without Security Context | /backup-cronjob.yaml: 23 | A security context defines privilege and access control settings for a Pod or Container |
| LOW | Root Container Not Mounted Read-only | /backup-cronjob.yaml: 23 | Check if the root container filesystem is not being mounted read-only. |
| LOW | Secrets As Environment Variables | /backup-cronjob.yaml: 27 | Container should not use secrets as environment variables |

@djsmith85 requested a review from a team July 17, 2024 13:43
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
