diff --git a/charts/kubescape-operator/templates/gateway/deployment.yaml b/charts/kubescape-operator/templates/gateway/deployment.yaml
index e1b8245d..4b50dd4a 100644
--- a/charts/kubescape-operator/templates/gateway/deployment.yaml
+++ b/charts/kubescape-operator/templates/gateway/deployment.yaml
@@ -31,7 +31,7 @@ spec:
  checksum/cloud-secret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudSecretFile) . | sha256sum }}
  checksum/cloud-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudConfigMapFile) . | sha256sum }}
  {{- if ne .Values.global.proxySecretFile "" }}
- checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretName) . | sha256sum }}
+ checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum }}
  {{- end }}
  labels:
  app.kubernetes.io/name: {{ .Values.gateway.name }}
diff --git a/charts/kubescape-operator/templates/kollector/statefulset.yaml b/charts/kubescape-operator/templates/kollector/statefulset.yaml
index 2cf74ef7..4d353c0e 100644
--- a/charts/kubescape-operator/templates/kollector/statefulset.yaml
+++ b/charts/kubescape-operator/templates/kollector/statefulset.yaml
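Review bot: The corrected annotation expression is still copy-pasted verbatim into seven workload templates (this gateway hunk and the kollector, kubescape, kubevuln, node-agent, operator and otel-collector hunks below), which is exactly why one wrong value name had to be fixed in seven places. Moving the expression into a named template (for example in the chart's helpers file) whose `define` body is `include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum` would reduce each annotation to `checksum/proxy-config: {{ include "kubescape-operator.proxyConfigChecksum" . }}` (a proposed helper name) and keep the guard and the hashed file name in one place. Within each hunk the guard reads `.Values.global.proxySecretFile` while the new line reads `$.Values.global.proxySecretFile`; they presumably resolve to the same value here, but using one form in both lines makes the pairing obvious. The annotation's purpose — rolling the pods whenever the rendered proxy secret changes — is stated nowhere in the hunk; a one-line comment such as `{{- /* rolls the pods whenever the rendered proxy secret changes */ -}}` above the guard would document it.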
@@ -27,7 +27,7 @@ spec:
  checksum/cloud-secret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudSecretFile) . | sha256sum }}
  checksum/cloud-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudConfigMapFile) . | sha256sum }}
  {{- if ne .Values.global.proxySecretFile "" }}
- checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretName) . | sha256sum }}
+ checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum }}
  {{- end }}
  labels:
  app.kubernetes.io/name: {{ .Values.kollector.name }}
diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
index 1ee0f77e..f937ff41 100644
--- a/charts/kubescape-operator/templates/kubescape/deployment.yaml
+++ b/charts/kubescape-operator/templates/kubescape/deployment.yaml
@@ -39,7 +39,7 @@ spec:
  checksum/cloud-secret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudSecretFile) . | sha256sum }}
  checksum/cloud-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudConfigMapFile) . | sha256sum }}
  {{- if ne .Values.global.proxySecretFile "" }}
- checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretName) . | sha256sum }}
+ checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum }}
  {{- end }}
  labels:
  app.kubernetes.io/name: {{ .Values.kubescape.name }}
diff --git a/charts/kubescape-operator/templates/kubevuln/deployment.yaml b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
index 55cd199f..f008659d 100644
--- a/charts/kubescape-operator/templates/kubevuln/deployment.yaml
+++ b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
@@ -27,7 +27,7 @@ spec:
  checksum/cloud-secret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudSecretFile) . | sha256sum }}
  checksum/cloud-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudConfigMapFile) . | sha256sum }}
  {{- if ne .Values.global.proxySecretFile "" }}
- checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretName) . | sha256sum }}
+ checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum }}
  {{- end }}
  labels:
  app.kubernetes.io/name: {{ .Values.kubevuln.name }}
diff --git a/charts/kubescape-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
index fcaf58d6..1cfe08ca 100644
--- a/charts/kubescape-operator/templates/node-agent/daemonset.yaml
+++ b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
@@ -24,7 +24,7 @@ spec:
  checksum/cloud-secret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudSecretFile) . | sha256sum }}
  checksum/cloud-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.cloudConfigMapFile) . | sha256sum }}
  {{- if ne .Values.global.proxySecretFile "" }}
- checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretName) . | sha256sum }}
+ checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum }}
  {{- end }}
  container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
  labels:
diff --git a/charts/kubescape-operator/templates/operator/deployment.yaml b/charts/kubescape-operator/templates/operator/deployment.yaml
index 2e7cc92e..e3caec71 100644
--- a/charts/kubescape-operator/templates/operator/deployment.yaml
+++ b/charts/kubescape-operator/templates/operator/deployment.yaml
@@ -33,7 +33,7 @@ spec:
  checksum/capabilities-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.capabilitiesConfigMap) . | sha256sum }}
  checksum/matching-rules-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory $.Values.global.matchingRulesConfigMap) . | sha256sum }}
  {{- if ne .Values.global.proxySecretFile "" }}
- checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretName) . | sha256sum }}
+ checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum }}
  {{- end }}
  labels:
  app.kubernetes.io/name: {{ .Values.operator.name }}
diff --git a/charts/kubescape-operator/templates/otel-collector/deployment.yaml b/charts/kubescape-operator/templates/otel-collector/deployment.yaml
index 80414ed5..34b5869a 100644
--- a/charts/kubescape-operator/templates/otel-collector/deployment.yaml
+++ b/charts/kubescape-operator/templates/otel-collector/deployment.yaml
@@ -29,7 +29,7 @@ spec:
  metadata:
  annotations:
  {{- if ne .Values.global.proxySecretFile "" }}
- checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretName) . | sha256sum }}
+ checksum/proxy-config: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory $.Values.global.proxySecretFile) . | sha256sum }}
  {{- end }}
  labels:
  app.kubernetes.io/name: {{ .Values.otelCollector.name }}
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index 0967ef42..d96f4791 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -1 +1,2712 @@ -{} +matches the snapshot: + 1: | + raw: "Thank you for installing kubescape-operator version 1.16.2.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\n\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\n\n\n" + 2: | + apiVersion: batch/v1 + kind: CronJob + metadata: + annotations: + helm.sh/resource-policy: keep + name: helm-release-upgrader + namespace: kubescape + spec: + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + spec: + containers: + - env: + - name: HELM_CACHE_HOME + value: /data/helm-scratch-data/.cache + - name: HELM_CONFIG_HOME + value: /data/helm-scratch-data/.config + - name: HELM_DATA_HOME + value: /data/helm-scratch-data/.data + image: quay.io/kubescape/helm-release-upgrader:v0.1.0 + imagePullPolicy: IfNotPresent + name: helm-release-upgrader + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 500m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /data/helm-scratch-data + name: helm-scratch-data + restartPolicy: OnFailure + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + serviceAccountName: helm-release-upgrader + volumes: + - emptyDir: + sizeLimit: 500Mi + name: helm-scratch-data + schedule: 0 14 * * * + successfulJobsHistoryLimit: 3 + 3: | + apiVersion: 
rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + helm.sh/resource-policy: keep + name: helm-release-upgrader + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + 4: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: + helm.sh/resource-policy: keep + name: helm-release-upgrader + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: helm-release-upgrader + subjects: + - kind: ServiceAccount + name: helm-release-upgrader + namespace: kubescape + 5: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + helm.sh/resource-policy: keep + name: helm-release-upgrader + namespace: kubescape + 6: | + apiVersion: v1 + data: + accessKey: "" + account: OWU2YzBjMmMtNmJkMC00OTE5LTgxNWItNTUwMzBkZTdjOWEw + kind: Secret + metadata: + labels: + app: cloud-secret + kubescape.io/infra: credentials + tier: ks-control-plane + name: cloud-secret + namespace: kubescape + type: Opaque + 7: | + apiVersion: v1 + data: + clusterData: | + { + "serviceDiscovery": true, + "gatewayWebsocketURL": "gateway:8001", + "gatewayRestURL": "gateway:8002", + "vulnScanURL": "kubevuln:8080", + "kubevulnURL": "kubevuln:8080", + "kubescapeURL": "kubescape:8080", + "triggerNewImageScan": "false", + "clusterName": "kind-kind", + "storage": true, + "relevantImageVulnerabilitiesEnabled": true, + "namespace": "kubescape", + "imageVulnerabilitiesScanningEnabled": true, + "postureScanEnabled": true, + "otelCollector": true, + "nodeAgent": "true", + "maxImageSize": 5.36870912e+09, + "keepLocal": false, + "scanTimeout": "5m", + "vexGeneration": false, + "continuousPostureScan": false, + "listingURL": "http://grype-offline-db:80/listing.json", + "relevantImageVulnerabilitiesConfiguration": "enable" + } + metrics: "" + services: "" + kind: ConfigMap + metadata: + annotations: + argocd.argoproj.io/sync-options: Delete=false + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: 
before-hook-creation + helm.sh/hook-weight: "0" + helm.sh/resource-policy: keep + labels: + app: ks-cloud-config + kubescape.io/infra: config + tier: ks-control-plane + name: ks-cloud-config + namespace: kubescape + 8: | + apiVersion: v1 + data: + capabilities: | + { + "capabilities":{"autoUpgrading":"enable","configurationScan":"enable","continuousScan":"disable","networkPolicyService":"disable","nodeScan":"enable","relevancy":"enable","runtimeObservability":"disable","vexGeneration":"disable","vulnerabilityScan":"enable"}, + "components":{"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true}}, + "configurations":{"otelUrl":"otelCollector:4317","persistence":"enable"} + } + kind: ConfigMap + metadata: + labels: + app: ks-capabilities + tier: ks-control-plane + name: ks-capabilities + namespace: kubescape + 9: | + apiVersion: v1 + data: + matchingRules.json: | + {"match":[{"apiGroups":["apps"],"apiVersions":["v1"],"resources":["deployments"]}],"namespaces":["default"]} + kind: ConfigMap + metadata: + labels: + app: kubescape + tier: ks-control-plane + name: cs-matching-rules + namespace: kubescape + 10: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: gateway + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: gateway + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + name: gateway + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: gateway + tier: ks-control-plane + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + 
annotations: + checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-secret: 982f4c42f4027cd27ea5c01909373a4909f6a1c61c9d98bb247e2c11b6944799 + checksum/proxy-config: db4555b798c4de89095b86c74974b8c56ead656b02672a86d7368ad88d81509f + labels: + app: gateway + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: gateway + tier: ks-control-plane + spec: + automountServiceAccountToken: false + containers: + - args: + - -alsologtostderr + - -v=4 + - 2>&1 + env: + - name: GOMEMLIMIT + value: 30MiB + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: WEBSOCKET_PORT + value: "8001" + - name: HTTP_PORT + value: "8002" + - name: ACCOUNT_ID + valueFrom: + secretKeyRef: + key: account + name: cloud-secret + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + image: quay.io/kubescape/gateway:v0.1.17 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /v1/liveness + port: readiness-port + initialDelaySeconds: 3 + periodSeconds: 3 + name: gateway + ports: + - containerPort: 8000 + name: readiness-port + protocol: TCP + - containerPort: 8001 + name: websocket + protocol: TCP + - containerPort: 8002 + name: rest-api + protocol: TCP + readinessProbe: + httpGet: + path: /v1/readiness + port: readiness-port + initialDelaySeconds: 10 + periodSeconds: 5 + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 30Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /etc/config + name: ks-cloud-config + readOnly: true + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + securityContext: + fsGroup: 65532 + runAsUser: 65532 + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - name: proxy-secret + secret: + secretName: 
kubescape-proxy-certificate + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: ks-cloud-config + 11: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app: gateway + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + name: gateway + namespace: kubescape + spec: + egress: + - ports: + - port: 443 + protocol: TCP + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/instance: kubescape + app.kubernetes.io/name: operator + tier: ks-control-plane + ports: + - port: websocket + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: gateway + tier: ks-control-plane + policyTypes: + - Ingress + - Egress + 12: | + apiVersion: v1 + kind: Service + metadata: + labels: + app: gateway + name: gateway + namespace: kubescape + spec: + ports: + - name: websocket + port: 8001 + protocol: TCP + targetPort: 8001 + - name: http + port: 8002 + protocol: TCP + targetPort: 8002 + selector: + app: gateway + type: ClusterIP + 13: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: grype-offline-db + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: grype-offline-db + tier: ks-control-plane + name: grype-offline-db + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: grype-offline-db + tier: ks-control-plane + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + labels: + app: grype-offline-db + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: grype-offline-db + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + spec: + containers: + - image: 
ghcr.io/alexandreroman/grype-offline-db@sha256:155db3be4baa461a50cebadfc8f52108fca71aa4ce5e460a30a4e0922e899ed2 + imagePullPolicy: IfNotPresent + name: grype-offline-db + ports: + - containerPort: 8080 + protocol: TCP + resources: + limits: + cpu: 150m + memory: 200Mi + requests: + cpu: 150m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + 14: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app: grype-offline-db + tier: ks-control-plane + name: grype-offline-db + namespace: kubescape + spec: + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/instance: kubescape + app.kubernetes.io/name: kubevuln + tier: ks-control-plane + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: grype-offline-db + tier: ks-control-plane + policyTypes: + - Ingress + 15: | + apiVersion: v1 + kind: Service + metadata: + labels: + app: grype-offline-db + name: grype-offline-db + namespace: kubescape + spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: grype-offline-db + type: ClusterIP + 16: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: kollector + rules: + - apiGroups: + - "" + resources: + - pods + - namespaces + - cronjobs + - secrets + - nodes + - services + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - daemonsets + - replicasets + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - watch + - list + 17: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: kollector + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kollector + subjects: + - kind: ServiceAccount + name: kollector + namespace: kubescape + 18: | + apiVersion: networking.k8s.io/v1 + kind: 
NetworkPolicy + metadata: + labels: + app: kollector + tier: ks-control-plane + name: kollector + namespace: kubescape + spec: + egress: + - ports: + - port: 443 + protocol: TCP + - ports: + - port: 80 + protocol: TCP + to: + - ipBlock: + cidr: 169.254.169.254/32 + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kollector + tier: ks-control-plane + policyTypes: + - Egress + 19: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + labels: + app: kollector + name: kollector + namespace: kubescape + 20: | + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app: kollector + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kollector + tier: ks-control-plane + name: kollector + namespace: kubescape + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kollector + tier: ks-control-plane + serviceName: "" + template: + metadata: + annotations: + checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-secret: 982f4c42f4027cd27ea5c01909373a4909f6a1c61c9d98bb247e2c11b6944799 + checksum/proxy-config: db4555b798c4de89095b86c74974b8c56ead656b02672a86d7368ad88d81509f + labels: + app: kollector + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kollector + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + spec: + automountServiceAccountToken: true + containers: + - args: + - -alsologtostderr + - -v=4 + - 2>&1 + env: + - name: GOMEMLIMIT + value: 100MiB + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ACCOUNT_ID + valueFrom: + secretKeyRef: + key: account + name: cloud-secret + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + - name: PRINT_REPORT + value: "false" + - name: WAIT_BEFORE_REPORT + 
value: "0" + image: quay.io/kubescape/kollector:v0.1.29 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /v1/liveness + port: readiness-port + initialDelaySeconds: 3 + periodSeconds: 3 + name: kollector + ports: + - containerPort: 8000 + name: readiness-port + protocol: TCP + readinessProbe: + httpGet: + path: /v1/readiness + port: readiness-port + initialDelaySeconds: 10 + periodSeconds: 5 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 10m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /tmp + name: tmp-dir + - mountPath: /etc/config + name: ks-cloud-config + readOnly: true + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + serviceAccountName: kollector + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - name: proxy-secret + secret: + secretName: kubescape-proxy-certificate + - emptyDir: {} + name: tmp-dir + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: ks-cloud-config + 21: | + apiVersion: v1 + data: + request-body.json: '{"commands":[{"CommandName":"kubescapeScan","args":{"scanV1": {}}}]}' + kind: ConfigMap + metadata: + labels: + app: kubescape-scheduler + tier: ks-control-plane + name: kubescape-scheduler + namespace: kubescape + 22: | + apiVersion: batch/v1 + kind: CronJob + metadata: + labels: + app: kubescape-scheduler + app.kubernetes.io/name: kubescape-scheduler + armo.tier: kubescape-scan + tier: ks-control-plane + name: kubescape-scheduler + namespace: kubescape + spec: + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + labels: + app: kubescape-scheduler + app.kubernetes.io/name: kubescape-scheduler + armo.tier: kubescape-scan + spec: + 
automountServiceAccountToken: false + containers: + - args: + - -method=post + - -scheme=http + - -host=operator:4002 + - -path=v1/triggerAction + - -headers="Content-Type:application/json" + - -path-body=/home/ks/request-body.json + image: quay.io/kubescape/http-request:v0.0.14 + imagePullPolicy: IfNotPresent + name: kubescape-scheduler + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 1m + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + volumeMounts: + - mountPath: /home/ks/request-body.json + name: kubescape-scheduler + readOnly: true + subPath: request-body.json + restartPolicy: Never + volumes: + - configMap: + name: kubescape-scheduler + name: kubescape-scheduler + schedule: 1 2 3 4 5 + successfulJobsHistoryLimit: 3 + 23: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: kubescape + rules: + - apiGroups: + - "" + resources: + - pods + - pods/proxy + - namespaces + - secrets + - nodes + - configmaps + - services + - serviceaccounts + - endpoints + - persistentvolumeclaims + - limitranges + - replicationcontrollers + - podtemplates + - resourcequotas + - events + verbs: + - get + - watch + - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - daemonsets + - replicasets + - controllerrevisions + verbs: + - get + - watch + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list 
+ - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - watch + - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - APIServerInfo + - ControlPlaneInfo + verbs: + - get + - watch + - list + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + - Ingress + verbs: + - get + - watch + - list + - apiGroups: + - policy + resources: + - poddisruptionbudgets + - podsecuritypolicies + - PodSecurityPolicy + verbs: + - get + - watch + - list + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - csistoragecapacities + verbs: + - get + - watch + - list + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - watch + - list + - apiGroups: + - extensions + resources: + - Ingress + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - namespaces + verbs: + - update + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - workloadconfigurationscans + - workloadconfigurationscansummaries + verbs: + - create + - update + - patch + 24: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: kubescape + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubescape + subjects: + - kind: ServiceAccount + name: kubescape + namespace: kubescape + 25: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + name: kubescape + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: 
kubescape + tier: ks-control-plane + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + annotations: + checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-secret: 982f4c42f4027cd27ea5c01909373a4909f6a1c61c9d98bb247e2c11b6944799 + checksum/host-scanner-configmap: 329050cbdabb0c88161e510252b8e3116c6a57d397f321ecb0cfa8837ce31f23 + checksum/proxy-config: db4555b798c4de89095b86c74974b8c56ead656b02672a86d7368ad88d81509f + labels: + app: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape + helm.sh/chart: kubescape-operator-1.16.2 + otel: enabled + tier: ks-control-plane + spec: + automountServiceAccountToken: true + containers: + - command: + - ksserver + env: + - name: GOMEMLIMIT + value: 400MiB + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: KS_DOWNLOAD_ARTIFACTS + value: "true" + - name: RULE_PROCESSING_GOMAXPROCS + value: "" + - name: KS_DEFAULT_CONFIGMAP_NAME + value: kubescape-config + - name: KS_DEFAULT_CONFIGMAP_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KS_CONTEXT + value: kind-kind + - name: KS_DEFAULT_CLOUD_CONFIGMAP_NAME + value: ks-cloud-config + - name: KS_ENABLE_HOST_SCANNER + value: "true" + - name: KS_SKIP_UPDATE_CHECK + value: "false" + - name: KS_HOST_SCAN_YAML + value: /home/nonroot/.kubescape/host-scanner.yaml + - name: LARGE_CLUSTER_SIZE + value: "1500" + - name: ACCOUNT_ID + valueFrom: + secretKeyRef: + key: account + name: cloud-secret + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + image: quay.io/kubescape/kubescape:v3.0.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /livez + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + name: kubescape + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8080 + initialDelaySeconds: 3 
+ periodSeconds: 3 + resources: + limits: + cpu: 600m + memory: 1Gi + requests: + cpu: 250m + memory: 400Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /home/nonroot/.kubescape + name: kubescape-volume + subPath: config.json + - mountPath: /home/nonroot/.kubescape/host-scanner.yaml + name: host-scanner-definition + subPath: host-scanner-yaml + - mountPath: /home/nonroot/results + name: results + - mountPath: /home/nonroot/failed + name: failed + - mountPath: /etc/config + name: ks-cloud-config + readOnly: true + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + securityContext: + fsGroup: 65532 + runAsUser: 65532 + serviceAccountName: kubescape + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - name: proxy-secret + secret: + secretName: kubescape-proxy-certificate + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: ks-cloud-config + - configMap: + name: host-scanner-definition + name: host-scanner-definition + - emptyDir: {} + name: kubescape-volume + - emptyDir: {} + name: results + - emptyDir: {} + name: failed + 26: | + apiVersion: v1 + data: + host-scanner-yaml: |- + apiVersion: apps/v1 + kind: DaemonSet + metadata: + name: host-scanner + namespace: kubescape + labels: + app: host-scanner + k8s-app: kubescape-host-scanner + spec: + selector: + matchLabels: + name: host-scanner + template: + metadata: + labels: + name: host-scanner + otel: enabled + spec: + + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + containers: + - name: host-sensor + image: "quay.io/kubescape/host-scanner:v1.0.66" + imagePullPolicy: IfNotPresent + 
securityContext: + allowPrivilegeEscalation: true + privileged: true + readOnlyRootFilesystem: true + procMount: Unmasked + env: + - name: KS_LOGGER_LEVEL + value: "info" + - name: KS_LOGGER_NAME + value: "zap" + - name: ACCOUNT_ID + valueFrom: + secretKeyRef: + name: cloud-secret + key: account + - name: CLUSTER_NAME + value: "kind-kind" + - name: OTEL_COLLECTOR_SVC + value: "otel-collector.kubescape.svc:4317" + ports: + - name: scanner # Do not change port name + containerPort: 7888 + protocol: TCP + resources: + limits: + cpu: 0.4m + memory: 400Mi + requests: + cpu: 0.1m + memory: 200Mi + volumeMounts: + - mountPath: /host_fs + name: host-filesystem + startupProbe: + httpGet: + path: /readyz + port: 7888 + failureThreshold: 30 + periodSeconds: 1 + livenessProbe: + httpGet: + path: /healthz + port: 7888 + periodSeconds: 10 + terminationGracePeriodSeconds: 120 + dnsPolicy: ClusterFirstWithHostNet + automountServiceAccountToken: false + volumes: + - hostPath: + path: / + type: Directory + name: host-filesystem + hostPID: true + hostIPC: true + kind: ConfigMap + metadata: + labels: + app: ks-cloud-config + tier: ks-control-plane + name: host-scanner-definition + namespace: kubescape + 27: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app: kubescape + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + name: kubescape + namespace: kubescape + spec: + egress: + - ports: + - port: 443 + protocol: TCP + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/instance: kubescape + app.kubernetes.io/name: operator + tier: ks-control-plane + ports: + - port: http + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape + tier: ks-control-plane + policyTypes: + - Ingress + - Egress + 28: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: kubescape + namespace: kubescape + rules: + - apiGroups: + - apps + 
resources: + - daemonsets + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + 29: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: kubescape + namespace: kubescape + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubescape + subjects: + - kind: ServiceAccount + name: kubescape + namespace: kubescape + 30: | + apiVersion: v1 + kind: Service + metadata: + labels: + app: kubescape + name: kubescape + namespace: kubescape + spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: kubescape + type: ClusterIP + 31: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + labels: + app: kubescape + name: kubescape + namespace: kubescape + 32: | + apiVersion: monitoring.coreos.com/v1 + kind: ServiceMonitor + metadata: + labels: + app: kubescape + name: kubescape-monitor + namespace: kubescape + spec: + endpoints: + - interval: 200s + path: /v1/metrics + port: http + scrapeTimeout: 150s + namespaceSelector: + matchNames: + - kubescape + selector: + matchLabels: + app: kubescape + 33: | + apiVersion: v1 + data: + request-body.json: '{"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}' + kind: ConfigMap + metadata: + labels: + app: kubevuln-scheduler + tier: ks-control-plane + name: kubevuln-scheduler + namespace: kubescape + 34: | + apiVersion: batch/v1 + kind: CronJob + metadata: + labels: + app: kubevuln-scheduler + app.kubernetes.io/name: kubevuln-scheduler + armo.tier: vuln-scan + tier: ks-control-plane + name: kubevuln-scheduler + namespace: kubescape + spec: + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + labels: + app: kubevuln-scheduler + app.kubernetes.io/name: kubevuln-scheduler + armo.tier: vuln-scan + spec: + automountServiceAccountToken: false + containers: + - args: + - -method=post + - -scheme=http + - -host=operator:4002 
+ - -path=v1/triggerAction + - -headers="Content-Type:application/json" + - -path-body=/home/ks/request-body.json + image: quay.io/kubescape/http-request:v0.0.14 + imagePullPolicy: IfNotPresent + name: kubevuln-scheduler + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 1m + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + volumeMounts: + - mountPath: /home/ks/request-body.json + name: kubevuln-scheduler + readOnly: true + subPath: request-body.json + restartPolicy: Never + volumes: + - configMap: + name: kubevuln-scheduler + name: kubevuln-scheduler + schedule: 1 2 3 4 5 + successfulJobsHistoryLimit: 3 + 35: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: kubevuln + rules: + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - vulnerabilitymanifests + - vulnerabilitymanifestsummaries + - sbomsummaries + - sbomspdxv2p3s + - openvulnerabilityexchangecontainers + verbs: + - create + - get + - update + - watch + - list + - patch + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - sbomspdxv2p3filtereds + verbs: + - get + - watch + - list + 36: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: kubevuln + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubevuln + subjects: + - kind: ServiceAccount + name: kubevuln + namespace: kubescape + 37: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubevuln + tier: ks-control-plane + name: kubevuln + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubevuln + tier: ks-control-plane + strategy: + type: Recreate + template: + metadata: + annotations: + 
checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-secret: 982f4c42f4027cd27ea5c01909373a4909f6a1c61c9d98bb247e2c11b6944799 + checksum/proxy-config: db4555b798c4de89095b86c74974b8c56ead656b02672a86d7368ad88d81509f + labels: + app: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubevuln + helm.sh/chart: kubescape-operator-1.16.2 + otel: enabled + tier: ks-control-plane + spec: + automountServiceAccountToken: true + containers: + - args: + - -alsologtostderr + - -v=4 + - 2>&1 + env: + - name: GOMEMLIMIT + value: 1000MiB + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: PRINT_POST_JSON + value: "" + - name: CA_MAX_VULN_SCAN_ROUTINES + value: "1" + - name: ACCOUNT_ID + valueFrom: + secretKeyRef: + key: account + name: cloud-secret + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + image: quay.io/kubescape/kubevuln:v0.2.129 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /v1/liveness + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + name: kubevuln + ports: + - containerPort: 8080 + protocol: TCP + readinessProbe: + httpGet: + path: /v1/readiness + port: 8080 + resources: + limits: + cpu: 1500m + ephemeral-storage: 6Gi + memory: 5000Mi + requests: + cpu: 300m + ephemeral-storage: 5Gi + memory: 1000Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /tmp + name: tmp-dir + - mountPath: /home/nonroot/anchore-resources/db + name: grype-db-cache + - mountPath: /etc/config + name: ks-cloud-config + readOnly: true + - mountPath: /home/nonroot/.cache/grype + name: grype-db + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + securityContext: + fsGroup: 65532 + runAsUser: 65532 + serviceAccountName: kubevuln + volumes: + - name: 
cloud-secret + secret: + secretName: cloud-secret + - name: proxy-secret + secret: + secretName: kubescape-proxy-certificate + - emptyDir: {} + name: tmp-dir + - emptyDir: {} + name: grype-db-cache + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: ks-cloud-config + - emptyDir: {} + name: grype-db + 38: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app: kubevuln + tier: ks-control-plane + name: kubevuln + namespace: kubescape + spec: + egress: + - ports: + - port: 443 + protocol: TCP + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/instance: kubescape + app.kubernetes.io/name: operator + tier: ks-control-plane + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubevuln + tier: ks-control-plane + policyTypes: + - Ingress + - Egress + 39: | + apiVersion: v1 + kind: Service + metadata: + labels: + app: kubevuln + name: kubevuln + namespace: kubescape + spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: kubevuln + type: ClusterIP + 40: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + labels: + app: kubevuln + name: kubevuln + namespace: kubescape + 41: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: node-agent + rules: + - apiGroups: + - "" + resources: + - pods + - nodes + - services + - endpoints + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - events + verbs: + - list + - watch + - create + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - statefulsets + - replicasets + verbs: + - get + - watch + - list + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - 
sbomspdxv2p3s + - sbomsummaries + verbs: + - get + - watch + - list + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - sbomspdxv2p3filtereds + - applicationactivities + - applicationprofiles + - applicationprofilesummaries + - networkneighborses + verbs: + - create + - get + - update + - watch + - list + - patch + 42: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: node-agent + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-agent + subjects: + - kind: ServiceAccount + name: node-agent + namespace: kubescape + 43: | + apiVersion: v1 + data: + config.json: | + { + "applicationProfileServiceEnabled": false, + "relevantCVEServiceEnabled": true, + "InitialDelay": "2m", + "updateDataPeriod": "10m", + "maxSniffingTimePerContainer": "3h", + "networkServiceEnabled": "false" + } + kind: ConfigMap + metadata: + name: node-agent + namespace: kubescape + 44: | + apiVersion: apps/v1 + kind: DaemonSet + metadata: + labels: + app: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: node-agent + tier: ks-control-plane + name: node-agent + namespace: kubescape + spec: + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: node-agent + tier: ks-control-plane + template: + metadata: + annotations: + checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-secret: 982f4c42f4027cd27ea5c01909373a4909f6a1c61c9d98bb247e2c11b6944799 + checksum/node-agent-config: 86b38ffc87a7df25c377369ecdf4cccf7d10f2c4fc1d29f3e220f39b74906de6 + checksum/proxy-config: db4555b798c4de89095b86c74974b8c56ead656b02672a86d7368ad88d81509f + container.apparmor.security.beta.kubernetes.io/node-agent: unconfined + labels: + alt-name: node-agent + app: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: node-agent + helm.sh/chart: kubescape-operator-1.16.2 + otel: enabled + 
tier: ks-control-plane + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + automountServiceAccountToken: true + containers: + - env: + - name: GOMEMLIMIT + value: 600MiB + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: HOST_ROOT + value: /host + - name: NodeName + image: quay.io/kubescape/node-agent:v0.1.114 + imagePullPolicy: IfNotPresent + name: node-agent + resources: + limits: + cpu: 500m + memory: 700Mi + requests: + cpu: 100m + memory: 180Mi + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_PTRACE + - NET_ADMIN + - SYSLOG + - SYS_RESOURCE + - IPC_LOCK + - NET_RAW + privileged: false + runAsUser: 0 + seLinuxOptions: + type: spc_t + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/config.json + name: config + readOnly: true + subPath: config.json + - mountPath: /host + name: host + - mountPath: /run + name: run + - mountPath: /lib/modules + name: modules + - mountPath: /sys/kernel/debug + name: debugfs + - mountPath: /sys/fs/cgroup + name: cgroup + - mountPath: /sys/fs/bpf + name: bpffs + - mountPath: /data + name: data + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + hostPID: true + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: node-agent + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: 
ks-cloud-config + - configMap: + items: + - key: config.json + path: config.json + name: node-agent + name: config + - hostPath: + path: / + type: null + name: host + - hostPath: + path: /run + type: null + name: run + - hostPath: + path: /sys/fs/cgroup + type: null + name: cgroup + - hostPath: + path: /lib/modules + type: null + name: modules + - hostPath: + path: /sys/fs/bpf + type: null + name: bpffs + - hostPath: + path: /sys/kernel/debug + type: null + name: debugfs + - name: data + - name: proxy-secret + secret: + secretName: kubescape-proxy-certificate + 45: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: node-agent + namespace: kubescape + 46: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: operator + rules: + - apiGroups: + - "" + resources: + - pods + - nodes + - namespaces + - configmaps + - secrets + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - statefulsets + - replicasets + verbs: + - get + - watch + - list + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - sbomspdxv2p3s + - sbomspdxv2p3filtereds + - vulnerabilitymanifests + - sbomsummaries + - vulnerabilitymanifestsummaries + - workloadconfigurationscans + - workloadconfigurationscansummaries + - openvulnerabilityexchangecontainers + verbs: + - get + - watch + - list + - delete + 47: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: operator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: operator + subjects: + - kind: ServiceAccount + name: operator + namespace: kubescape + 48: | + apiVersion: v1 + data: + config.json: | + { + "namespace": "kubescape", + "triggersecurityframework": true + } + kind: ConfigMap + metadata: + name: operator + namespace: kubescape + 49: | + apiVersion: apps/v1 + kind: 
Deployment + metadata: + labels: + app: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + tier: ks-control-plane + name: operator + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + tier: ks-control-plane + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + annotations: + checksum/capabilities-config: 3144fd56c63e675a1787238cf5b1ecb672ee92239a59d453d65e01e86e87da27 + checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-secret: 982f4c42f4027cd27ea5c01909373a4909f6a1c61c9d98bb247e2c11b6944799 + checksum/matching-rules-config: 0fe866ff165ca62399198397c07ab2d49af3181c569b3d0cce4a4cb310796824 + checksum/operator-config: df99a2aba9854372143be03476352384d33d686923ae071dde264c8c7ffbc999 + checksum/proxy-config: db4555b798c4de89095b86c74974b8c56ead656b02672a86d7368ad88d81509f + labels: + app: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + helm.sh/chart: kubescape-operator-1.16.2 + otel: enabled + tier: ks-control-plane + spec: + automountServiceAccountToken: true + containers: + - args: + - -alsologtostderr + - -v=4 + - 2>&1 + env: + - name: GOMEMLIMIT + value: 100MiB + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + image: quay.io/kubescape/operator:v0.1.61 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /v1/liveness + port: readiness-port + initialDelaySeconds: 3 + periodSeconds: 3 + name: operator + ports: + - containerPort: 4002 + name: trigger-port + protocol: TCP + - containerPort: 8000 + name: readiness-port + protocol: TCP + readinessProbe: + httpGet: + path: /v1/readiness + port: readiness-port + initialDelaySeconds: 10 + periodSeconds: 5 + 
resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 50m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /tmp + name: tmp-dir + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/services.json + name: ks-cloud-config + readOnly: true + subPath: services.json + - mountPath: /etc/config/capabilities.json + name: ks-capabilities + readOnly: true + subPath: capabilities.json + - mountPath: /etc/config/matchingRules.json + name: cs-matching-rules + readOnly: true + subPath: matchingRules.json + - mountPath: /etc/config/config.json + name: config + readOnly: true + subPath: config.json + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + securityContext: + fsGroup: 65532 + runAsUser: 65532 + serviceAccountName: operator + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - name: proxy-secret + secret: + secretName: kubescape-proxy-certificate + - emptyDir: {} + name: tmp-dir + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: ks-cloud-config + - configMap: + items: + - key: capabilities + path: capabilities.json + name: ks-capabilities + name: ks-capabilities + - configMap: + items: + - key: config.json + path: config.json + name: operator + name: config + - configMap: + items: + - key: matchingRules.json + path: matchingRules.json + name: cs-matching-rules + name: cs-matching-rules + 50: | + apiVersion: v1 + data: + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n 
successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n spec:\n containers:\n - name: kubescape-scheduler\n image: \"quay.io/kubescape/http-request:v0.0.14\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=\"Content-Type:application/json\"\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" + kind: ConfigMap + metadata: + labels: + app: ks-cloud-config + tier: ks-control-plane + name: kubescape-cronjob-template + namespace: kubescape + 51: | + apiVersion: v1 + data: + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n spec:\n containers:\n - name: kubevuln-scheduler\n image: \"quay.io/kubescape/http-request:v0.0.14\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - 
-headers=\"Content-Type:application/json\"\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" + kind: ConfigMap + metadata: + labels: + app: ks-cloud-config + tier: ks-control-plane + name: kubevuln-cronjob-template + namespace: kubescape + 52: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app: operator + tier: ks-control-plane + name: operator + namespace: kubescape + spec: + egress: + - ports: + - port: 443 + protocol: TCP + - ports: + - port: 80 + protocol: TCP + to: + - ipBlock: + cidr: 169.254.169.254/32 + ingress: + - from: + - podSelector: + matchLabels: + armo.tier: kubescape-scan + - podSelector: + matchLabels: + armo.tier: vuln-scan + ports: + - port: trigger-port + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + tier: ks-control-plane + policyTypes: + - Ingress + - Egress + 53: | + apiVersion: v1 + data: + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n spec:\n containers:\n - name: registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.0.14\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - 
-scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=\"Content-Type:application/json\"\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" + kind: ConfigMap + metadata: + labels: + app: ks-cloud-config + tier: ks-control-plane + name: registry-scan-cronjob-template + namespace: kubescape + 54: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: operator + namespace: kubescape + rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + 55: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: operator + namespace: kubescape + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: operator + subjects: + - kind: ServiceAccount + name: operator + namespace: kubescape + 56: | + apiVersion: v1 + kind: Service + metadata: + labels: + app: operator + name: operator + namespace: kubescape + spec: + ports: + - port: 4002 + protocol: TCP + targetPort: 4002 + selector: + app: operator + type: ClusterIP + 57: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + labels: + app: operator + name: operator + namespace: kubescape + 58: | + apiVersion: v1 + data: + otel-collector-config.yaml: "\n# receivers configure how data gets into the Collector.\nreceivers:\n otlp:\n protocols:\n grpc:\n http:\n hostmetrics:\n collection_interval: 30s\n scrapers:\n cpu:\n memory:\n\n# processors specify what happens with the received data.\nprocessors:\n 
attributes/ksCloud:\n actions:\n - key: account_id\n value: \"9e6c0c2c-6bd0-4919-815b-55030de7c9a0\"\n action: upsert\n - key: cluster_name\n value: \"kind-kind\"\n action: upsert\n batch:\n send_batch_size: 10000\n timeout: 10s\n\n# exporters configure how to send processed data to one or more backends.\nexporters:\n otlp/ksCloud:\n endpoint: ${env:CLOUD_OTEL_COLLECTOR_URL}\n tls:\n insecure: false\n otlp:\n endpoint: \"otelCollector:4317\"\n tls:\n insecure: true\n headers:\n uptrace-dsn: \n\n# service pulls the configured receivers, processors, and exporters together into\n# processing pipelines. Unused receivers/processors/exporters are ignored.\nservice:\n pipelines:\n traces:\n receivers: [otlp]\n processors: [batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics/2:\n receivers: [hostmetrics]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics:\n receivers: [otlp]\n processors: [batch]\n exporters:\n - otlp/ksCloud\n - otlp\n logs:\n receivers: [otlp]\n processors: [batch]\n exporters:\n - otlp/ksCloud\n - otlp" + kind: ConfigMap + metadata: + labels: + app: ks-cloud-config + tier: ks-control-plane + name: otel-collector-config + namespace: kubescape + 59: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: otel-collector + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: otel-collector + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + name: otel-collector + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: otel-collector + tier: ks-control-plane + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + annotations: + checksum/proxy-config: db4555b798c4de89095b86c74974b8c56ead656b02672a86d7368ad88d81509f + labels: + app: otel-collector + app.kubernetes.io/instance: RELEASE-NAME + 
app.kubernetes.io/name: otel-collector + tier: ks-control-plane + spec: + containers: + - command: + - /otelcol + - --config=/conf/otel-collector-config.yaml + env: + - name: CLOUD_OTEL_COLLECTOR_URL + valueFrom: + configMapKeyRef: + key: metrics + name: ks-cloud-config + - name: GOMEMLIMIT + value: 500MiB + - name: GOGC + value: "80" + image: docker.io/otel/opentelemetry-collector:0.86.0 + imagePullPolicy: IfNotPresent + name: otel-collector + ports: + - containerPort: 4317 + name: otlp + protocol: TCP + resources: + limits: + cpu: 1 + memory: 1Gi + requests: + cpu: 100m + memory: 500Mi + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 100 + volumeMounts: + - mountPath: /conf + name: otel-collector-config-volume + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + serviceAccountName: default + volumes: + - name: proxy-secret + secret: + secretName: kubescape-proxy-certificate + - configMap: + name: otel-collector-config + name: otel-collector-config-volume + 60: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app: otel-collector + helm.sh/chart: kubescape-operator-1.16.2 + tier: ks-control-plane + name: otel-collector + namespace: kubescape + spec: + egress: + - ports: + - port: 443 + protocol: TCP + - port: 4317 + protocol: TCP + ingress: + - from: + - podSelector: + matchLabels: + otel: enabled + ports: + - port: otlp + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: otel-collector + tier: ks-control-plane + policyTypes: + - Ingress + - Egress + 61: | + apiVersion: v1 + kind: Service + metadata: + labels: + app: otel-collector + name: otel-collector + namespace: kubescape + spec: + ports: + - name: otlp + port: 4317 + protocol: TCP + targetPort: 4317 + selector: + app: otel-collector + type: ClusterIP + 62: | + apiVersion: v1 + data: + proxy.crt: proxy-secret.yaml + kind: Secret + metadata: + 
name: kubescape-proxy-certificate + namespace: kubescape + type: Opaque + 63: | + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "1" + labels: + app: service-discovery + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: service-discovery + tier: ks-control-plane + name: service-discovery + namespace: kubescape + spec: + template: + metadata: + labels: + app: service-discovery + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: service-discovery + helm.sh/chart: kubescape-operator-1.16.2 + otel: enabled + tier: ks-control-plane + name: RELEASE-NAME + spec: + containers: + - args: + - | + kubectl create configmap ks-cloud-config --from-literal=metrics=$(jq -r '.response.metrics' /data/services.json) --from-file=services=/data/services.json -n kubescape --dry-run=client -o yaml | kubectl patch configmap ks-cloud-config --patch "$(cat -)" -n kubescape + command: + - /bin/sh + - -c + image: docker.io/bitnami/kubectl:1.27.6 + imagePullPolicy: IfNotPresent + name: update-configmap + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + volumeMounts: + - mountPath: /data + name: shared-data + initContainers: + - args: + - -method=get + - -scheme=https + - -host=api.armosec.io + - -path=api/v1/servicediscovery + - -path-output=/data/services.json + env: null + image: quay.io/kubescape/http-request:v0.2.2 + imagePullPolicy: IfNotPresent + name: url-discovery + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + volumeMounts: + - mountPath: /data + name: shared-data + restartPolicy: Never + serviceAccountName: service-discovery + volumes: + - emptyDir: {} + name: shared-data + 64: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + annotations: + helm.sh/hook: 
pre-install,pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "0" + name: service-discovery + namespace: kubescape + rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - update + - create + - patch + - get + - list + 65: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "0" + name: service-discovery + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: service-discovery + subjects: + - kind: ServiceAccount + name: service-discovery + namespace: kubescape + 66: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "0" + name: service-discovery + namespace: kubescape + 67: | + apiVersion: apiregistration.k8s.io/v1 + kind: APIService + metadata: + name: v1beta1.spdx.softwarecomposition.kubescape.io + spec: + group: spdx.softwarecomposition.kubescape.io + groupPriorityMinimum: 1000 + insecureSkipTLSVerify: true + service: + name: storage + namespace: kubescape + version: v1beta1 + versionPriority: 15 + 68: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: storage + rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - watch + - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - watch + - list + 69: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: storage:system:auth-delegator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: 
ClusterRole + name: system:auth-delegator + subjects: + - kind: ServiceAccount + name: storage + namespace: kubescape + 70: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: storage + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: storage + subjects: + - kind: ServiceAccount + name: storage + namespace: kubescape + 71: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: apiserver + app.kubernetes.io/name: storage + app.kubernetes.io/part-of: kubescape-storage + name: storage + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/component: apiserver + app.kubernetes.io/name: storage + app.kubernetes.io/part-of: kubescape-storage + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/component: apiserver + app.kubernetes.io/name: storage + app.kubernetes.io/part-of: kubescape-storage + otel: enabled + spec: + containers: + - env: + - name: GOMEMLIMIT + value: 400MiB + - name: ACCOUNT_ID + valueFrom: + secretKeyRef: + key: account + name: cloud-secret + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + image: quay.io/kubescape/storage:v0.0.33 + imagePullPolicy: IfNotPresent + name: apiserver + resources: + limits: + cpu: 150m + memory: 1500Mi + requests: + cpu: 50m + memory: 400Mi + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/config + name: ks-cloud-config + readOnly: true + initContainers: + - command: + - sh + - -c + - chown -Rc 65532:65532 /data + image: docker.io/busybox:1.36.1 + imagePullPolicy: IfNotPresent + name: fix-permissions + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: /data + name: data + securityContext: + fsGroup: 65532 + runAsUser: 65532 + serviceAccountName: storage + volumes: + - name: data + persistentVolumeClaim: + 
claimName: storage + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: ks-cloud-config + 72: | + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + labels: + app.kubernetes.io/component: apiserver + app.kubernetes.io/name: storage + app.kubernetes.io/part-of: kubescape-storage + name: storage + namespace: kubescape + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + 73: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: storage-auth-reader + namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader + subjects: + - kind: ServiceAccount + name: storage + namespace: kubescape + 74: | + apiVersion: v1 + kind: Service + metadata: + name: storage + namespace: kubescape + spec: + ports: + - port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: apiserver + app.kubernetes.io/name: storage + app.kubernetes.io/part-of: kubescape-storage + 75: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: storage + namespace: kubescape diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index 96bd9c24..156156f6 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml +++ b/charts/kubescape-operator/tests/snapshot_test.yaml @@ -18,7 +18,7 @@ tests: networkPolicy: createEgressRules: true enabled: true - proxySecretFile: foo + proxySecretFile: proxy-secret.yaml grypeOfflineDB.enabled: true kubescape.serviceMonitor.enabled: true kubescapeScheduler.scanSchedule: "1 2 3 4 5" diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index b2236b6c..fd9fa9f8 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml 
@@ -96,7 +96,7 @@ persistence:
 global:
 httpsProxy: ""
- proxySecretFile: ""
+ proxySecretFile: proxy-secret.yaml
 proxySecretName: kubescape-proxy-certificate
 namespaceTier: ks-control-plane
 capabilitiesConfig: ks-capabilities
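Review bot: Changing the default of `proxySecretFile` from `""` to `proxy-secret.yaml` makes the `{{- if ne .Values.global.proxySecretFile "" }}` guards in the deployment templates always true, so every release now mounts the `kubescape-proxy-certificate` Secret at `/etc/ssl/certs/proxy.crt` in the workloads even when no proxy is configured; if this commit is only meant to fix the checksum annotation (proxySecretName → proxySecretFile), the default should probably stay empty, e.g. `proxySecretFile: ""  # file under proxySecretDirectory holding the proxy CA certificate; leave empty when no proxy is used`. Whatever default is kept, the key deserves a comment in values.yaml saying which chart file it names and that the file must exist, since a non-empty value feeds an `include` in the checksum annotations that can fail at render time when the template is missing. The regenerated snapshot in this diff also renders the proxy Secret with `proxy.crt: proxy-secret.yaml` as its `data` value, which is not base64 and would likely be rejected on apply — worth checking how the Secret template derives its data from this value before shipping the new default.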