From 7913a4ab7dcfd56ad24ecece5bde52980adf4dbe Mon Sep 17 00:00:00 2001 From: Niklas Roeske Date: Thu, 19 Dec 2024 14:17:54 +0100 Subject: [PATCH] #221 fix CVE-2024-45337 --- CHANGELOG.md | 2 ++ k8s/helm/component-patch-tpl.yaml | 6 ------ k8s/helm/templates/deployment.yaml | 18 ------------------ k8s/helm/values.yaml | 11 ----------- 4 files changed, 2 insertions(+), 35 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63741fb6..bddb7d14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Fixed +- [#223] remove rbac proxy to fix CVE-2024-45337 ## [v3.1.0] - 2024-12-16 ### Added diff --git a/k8s/helm/component-patch-tpl.yaml b/k8s/helm/component-patch-tpl.yaml index 6be5d22e..e824aac4 100644 --- a/k8s/helm/component-patch-tpl.yaml +++ b/k8s/helm/component-patch-tpl.yaml @@ -2,17 +2,11 @@ apiVersion: v1 values: images: doguOperator: cloudogu/k8s-dogu-operator:3.1.0 - kubeRbacProxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 chownInitImage: busybox:1.36 patches: values.yaml: additionalImages: chownInitImage: "{{ .images.chownInitImage }}" - kubeRbacProxy: - image: - registry: "{{ registryFrom .images.kubeRbacProxy }}" - repository: "{{ repositoryFrom .images.kubeRbacProxy }}" - tag: "{{ tagFrom .images.kubeRbacProxy }}" controllerManager: image: registry: "{{ registryFrom .images.doguOperator }}" diff --git a/k8s/helm/templates/deployment.yaml b/k8s/helm/templates/deployment.yaml index b9e8d7ec..3c65f5ce 100644 --- a/k8s/helm/templates/deployment.yaml +++ b/k8s/helm/templates/deployment.yaml 
@@ -26,24 +26,6 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --v=0 - image: "{{ .Values.kubeRbacProxy.image.registry }}/{{ .Values.kubeRbacProxy.image.repository }}:{{ .Values.kubeRbacProxy.image.tag }}" - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: {{- toYaml .Values.kubeRbacProxy.resourceLimits | nindent 12 }} - requests: {{- toYaml .Values.kubeRbacProxy.resourceRequests | nindent 12 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index fa71b011..614ecb2b 100644 --- a/k8s/helm/values.yaml +++ b/k8s/helm/values.yaml @@ -29,14 +29,3 @@ controllerManager: resourceRequests: cpu: 10m memory: 64Mi -kubeRbacProxy: - image: - registry: gcr.io - repository: kubebuilder/kube-rbac-proxy - tag: v0.14.1 - resourceLimits: - cpu: 500m - memory: 128Mi - resourceRequests: - cpu: 5m - memory: 64Mi
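Review bot: With the kube-rbac-proxy container gone, the manager's surviving `--metrics-bind-address=127.0.0.1:8080` argument binds metrics to the pod's loopback only, so nothing in the pod exposes them any more and any Service, ServiceMonitor or NetworkPolicy that still targets the removed `https` port 8443 (none is visible in this hunk) would point at a port no container listens on. If scraping is meant to keep working, the bind address has to move off loopback, and at that point the authentication and authorization the proxy provided are gone too — controller-runtime's secure metrics serving with `filters.WithAuthenticationAndAuthorization` is the replacement kubebuilder recommends, provided the operator is on a controller-runtime version that ships it; if metrics are intentionally dropped, the flag and the matching Service port should go as well and the CHANGELOG entry should say so. A comment above the remaining args would keep the next maintainer from re-exposing the port unauthenticated, e.g. `# metrics stay loopback-only: kube-rbac-proxy was removed (CVE-2024-45337) and no authenticated replacement exists yet`. The manager container spec continues outside the hunk.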