Skip to content

Fix high-severity security findings from project audit#651

Open
kseiter-rh wants to merge 2 commits into
openshift-online:mainfrom
kseiter-rh:security/fix-high-severity-findings
Open

Fix high-severity security findings from project audit#651
kseiter-rh wants to merge 2 commits into
openshift-online:mainfrom
kseiter-rh:security/fix-high-severity-findings

Conversation

@kseiter-rh

Copy link
Copy Markdown
Contributor

Summary

Addresses three HIGH severity findings from a full-project security audit (2026-06-25):

  • VPC Flow Logs: Add aws_flow_log with KMS-encrypted CloudWatch log group to the VPC module, gated behind enable_vpc_flow_logs variable (FedRAMP AU-12 network audit trail)
  • Kubernetes NetworkPolicies: Add ingress/egress NetworkPolicy templates to maestro-server, platform-api, hyperfleet-api, and hyperfleet-sentinel charts, gated behind networkPolicy.enabled (defaults to false for safe rollout)
  • CI non-root: Add USER 65534 to ci/Containerfile so CI tasks no longer run as root, matching the pattern in platform-image/Dockerfile

All changes are gated behind feature flags that default to off, so this PR is safe to merge without affecting existing deployments. Production environments should enable the flags explicitly.

Test plan

  • make terraform-fmt passes (verified locally)
  • terraform validate on terraform/modules/vpc/ with enable_vpc_flow_logs = true
  • Helm lint on all modified charts (requires helm CLI)
  • Deploy to ephemeral environment with networkPolicy.enabled: true and verify pod connectivity
  • Verify CI jobs pass with USER 65534 (OpenShift random-UID + chmod 777 cache dirs should handle this)
  • Enable enable_vpc_flow_logs = true in a test region and confirm flow logs appear in CloudWatch

🤖 Generated with Claude Code

Address three HIGH findings from the 2026-06-25 security audit:

1. VPC Flow Logs: Add aws_flow_log with KMS-encrypted CloudWatch log
   group to the VPC module, gated behind enable_vpc_flow_logs flag
   (FedRAMP AU-12 network audit trail).

2. Kubernetes NetworkPolicies: Add ingress/egress NetworkPolicy
   templates to maestro-server, platform-api, hyperfleet-api, and
   hyperfleet-sentinel charts. Gated behind networkPolicy.enabled
   (defaults to false for safe rollout).

3. CI Containerfile: Add USER 65534 so CI tasks no longer run as root.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@kseiter-rh, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 52 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e91ac4dd-307f-41b3-9aed-fe7357fdb924

📥 Commits

Reviewing files that changed from the base of the PR and between 337be0f and 6af2f51.

📒 Files selected for processing (13)
  • argocd/config/regional-cluster/hyperfleet-api-chart/templates/networkpolicy.yaml
  • argocd/config/regional-cluster/hyperfleet-api-chart/values.yaml
  • argocd/config/regional-cluster/hyperfleet-sentinel-chart/templates/networkpolicy.yaml
  • argocd/config/regional-cluster/hyperfleet-sentinel-chart/values.yaml
  • argocd/config/regional-cluster/maestro-server/templates/networkpolicy.yaml
  • argocd/config/regional-cluster/platform-api/templates/networkpolicy.yaml
  • argocd/config/regional-cluster/platform-api/values.yaml
  • ci/Containerfile
  • security/security-audit-2026-06-25.html
  • security/security-audit-2026-06-25.md
  • terraform/modules/vpc/data.tf
  • terraform/modules/vpc/main.tf
  • terraform/modules/vpc/variables.tf
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant