diff --git a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml
index e482ee09..e9538edb 100644
--- a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml
+++ b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml
@@ -23,10 +23,10 @@ rules:
 resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
 verbs: ["get", "watch", "list"]
 - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
- resources: ["sbomsyfts", "seccompprofiles"]
+ resources: ["seccompprofiles"]
 verbs: ["get", "watch", "list"]
 - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
- resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyftfiltereds"]
+ resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyfts", "sbomsyftfiltereds"]
 verbs: ["create", "get", "update", "watch", "list", "patch"]
 - apiGroups: ["kubescape.io"]
 resources: ["runtimerulealertbindings"]
diff --git a/charts/kubescape-operator/templates/node-agent/configmap.yaml b/charts/kubescape-operator/templates/node-agent/configmap.yaml
index b49d1397..3cf94c7d 100644
--- a/charts/kubescape-operator/templates/node-agent/configmap.yaml
+++ b/charts/kubescape-operator/templates/node-agent/configmap.yaml
@@ -26,6 +26,7 @@ data:
 "networkServiceEnabled": {{ eq .Values.capabilities.networkPolicyService "enable" }},
 "malwareDetectionEnabled": {{ eq .Values.capabilities.malwareDetection "enable" }},
 "nodeProfileServiceEnabled": {{ eq .Values.capabilities.nodeProfileService "enable" }},
+ "sbomGenerationEnabled": true,
 "seccompServiceEnabled": {{ eq .Values.capabilities.seccompProfileService "enable" }},
 "initialDelay": "{{ .Values.nodeAgent.config.learningPeriod }}",
 "updateDataPeriod": "{{ .Values.nodeAgent.config.updatePeriod }}",
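Review bot: Moving `sbomsyfts` into the second `spdx.softwarecomposition.kubescape.io` rule grants node-agent `create`/`update`/`patch` on SBOM objects, and because this is a ClusterRole bound to a per-node DaemonSet, every node's agent can now write `sbomsyfts` in any namespace with no way to keep the previous read-only grant. The widened verbs should be conditional on the capability that turns SBOM generation on, in the same way the other node-agent capabilities are driven by `.Values.capabilities.*`, e.g. emit the `sbomsyfts` entry in the write rule only inside `{{- if eq .Values.capabilities.<sbomCapabilityKey> "enable" }}` (placeholder — add the matching key to values.yaml) and leave it in the read-only rule otherwise. The `rules:` list this hunk edits starts before the hunk.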
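Review bot: `"sbomGenerationEnabled": true,` is the only flag in this block that is hard-coded instead of derived from `.Values.capabilities.*`, so chart users cannot disable SBOM generation, and the RBAC grant that accompanies it in clusterrole.yaml cannot be made conditional on it either. Follow the surrounding pattern, `"sbomGenerationEnabled": {{ eq .Values.capabilities.<sbomCapabilityKey> "enable" }},` with a matching key (placeholder name) declared in values.yaml so the default is explicit and documented there. The `data:` block continues outside the hunk.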
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index cb118f94..3f21d7c4 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -2390,8 +2390,8 @@ all capabilities:
 value: https://foo:bar@baz:1234
 - name: no_proxy
 value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
- image: quay.io/kubescape/kubevuln:v0.3.38
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/kubevuln:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
@@ -2671,7 +2671,6 @@ all capabilities:
 - apiGroups:
 - spdx.softwarecomposition.kubescape.io
 resources:
- - sbomsyfts
 - seccompprofiles
 verbs:
 - get
@@ -2684,6 +2683,7 @@ all capabilities:
 - applicationprofiles
 - networkneighborses
 - networkneighborhoods
+ - sbomsyfts
 - sbomsyftfiltereds
 verbs:
 - create
@@ -2761,6 +2761,7 @@ all capabilities:
 "networkServiceEnabled": true,
 "malwareDetectionEnabled": true,
 "nodeProfileServiceEnabled": true,
+ "sbomGenerationEnabled": true,
 "seccompServiceEnabled": true,
 "initialDelay": "2m",
 "updateDataPeriod": "10m",
@@ -2854,7 +2855,7 @@ all capabilities:
 annotations:
 checksum/cloud-config: e676e6d4282e48cde90d56356ebe417818278b5a260941f00176a2c064b77eb6
 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
- checksum/node-agent-config: 0d6d395a60e006df95e7955f15a6d0b0889ec2a60b815ab1ef8b13fd60d631c0
+ checksum/node-agent-config: 3fbd133967aed7b57cea303967a2d1f56bdfcd954963c0dd19c27e40156ab151
 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
 labels:
@@ -2944,8 +2945,8 @@ all capabilities:
 fieldRef:
 fieldPath: metadata.namespace
 - name: NodeName
- image: quay.io/kubescape/node-agent:v0.2.185
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/node-agent:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /livez
@@ -2962,7 +2963,7 @@ all capabilities:
 resources:
 limits:
 cpu: 500m
- memory: 700Mi
+ memory: 800Mi
 requests:
 cpu: 100m
 memory: 180Mi
@@ -3589,8 +3590,8 @@ all capabilities:
 value: https://foo:bar@baz:1234
 - name: no_proxy
 value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
- image: quay.io/kubescape/operator:v0.2.41
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/operator:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
@@ -8219,8 +8220,8 @@ default capabilities:
 name: cloud-secret
 - name: OTEL_COLLECTOR_SVC
 value: otel-collector:4318
- image: quay.io/kubescape/kubevuln:v0.3.38
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/kubevuln:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
@@ -8462,7 +8463,6 @@ default capabilities:
 - apiGroups:
 - spdx.softwarecomposition.kubescape.io
 resources:
- - sbomsyfts
 - seccompprofiles
 verbs:
 - get
@@ -8475,6 +8475,7 @@ default capabilities:
 - applicationprofiles
 - networkneighborses
 - networkneighborhoods
+ - sbomsyfts
 - sbomsyftfiltereds
 verbs:
 - create
@@ -8552,6 +8553,7 @@ default capabilities:
 "networkServiceEnabled": true,
 "malwareDetectionEnabled": false,
 "nodeProfileServiceEnabled": false,
+ "sbomGenerationEnabled": true,
 "seccompServiceEnabled": true,
 "initialDelay": "2m",
 "updateDataPeriod": "10m",
@@ -8608,7 +8610,7 @@ default capabilities:
 annotations:
 checksum/cloud-config: f753b01d880e21ddc33cef3935d2ff4d41d12899432962a5a9b5dfda91d2c8d9
 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
- checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28
+ checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f
 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
 labels:
@@ -8665,8 +8667,8 @@ default capabilities:
 fieldRef:
 fieldPath: metadata.namespace
 - name: NodeName
- image: quay.io/kubescape/node-agent:v0.2.185
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/node-agent:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /livez
@@ -8683,7 +8685,7 @@ default capabilities:
 resources:
 limits:
 cpu: 500m
- memory: 700Mi
+ memory: 800Mi
 requests:
 cpu: 100m
 memory: 180Mi
@@ -9178,8 +9180,8 @@ default capabilities:
 value: zap
 - name: OTEL_COLLECTOR_SVC
 value: otel-collector:4318
- image: quay.io/kubescape/operator:v0.2.41
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/operator:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
@@ -12838,8 +12840,8 @@ disable otel:
 name: cloud-secret
 - name: OTEL_COLLECTOR_SVC
 value: otel-collector:4318
- image: quay.io/kubescape/kubevuln:v0.3.38
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/kubevuln:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
@@ -13015,7 +13017,6 @@ disable otel:
 - apiGroups:
 - spdx.softwarecomposition.kubescape.io
 resources:
- - sbomsyfts
 - seccompprofiles
 verbs:
 - get
@@ -13028,6 +13029,7 @@ disable otel:
 - applicationprofiles
 - networkneighborses
 - networkneighborhoods
+ - sbomsyfts
 - sbomsyftfiltereds
 verbs:
 - create
@@ -13105,6 +13107,7 @@ disable otel:
 "networkServiceEnabled": true,
 "malwareDetectionEnabled": false,
 "nodeProfileServiceEnabled": false,
+ "sbomGenerationEnabled": true,
 "seccompServiceEnabled": true,
 "initialDelay": "2m",
 "updateDataPeriod": "10m",
@@ -13161,7 +13164,7 @@ disable otel:
 annotations:
 checksum/cloud-config: d568e07a1bb2d6f372ab0e5a3fb91bd018b05433558890eb621af5234dd7c8c4
 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
- checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28
+ checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f
 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
 labels:
 app: node-agent
@@ -13217,8 +13220,8 @@ disable otel:
 fieldRef:
 fieldPath: metadata.namespace
 - name: NodeName
- image: quay.io/kubescape/node-agent:v0.2.185
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/node-agent:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /livez
@@ -13235,7 +13238,7 @@ disable otel:
 resources:
 limits:
 cpu: 500m
- memory: 700Mi
+ memory: 800Mi
 requests:
 cpu: 100m
 memory: 180Mi
@@ -13610,8 +13613,8 @@ disable otel:
 value: zap
 - name: OTEL_COLLECTOR_SVC
 value: otel-collector:4318
- image: quay.io/kubescape/operator:v0.2.41
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/operator:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
@@ -16381,8 +16384,8 @@ minimal capabilities:
 name: cloud-secret
 - name: OTEL_COLLECTOR_SVC
 value: otel-collector:4318
- image: quay.io/kubescape/kubevuln:v0.3.38
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/kubevuln:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
@@ -16556,7 +16559,6 @@ minimal capabilities:
 - apiGroups:
 - spdx.softwarecomposition.kubescape.io
 resources:
- - sbomsyfts
 - seccompprofiles
 verbs:
 - get
@@ -16569,6 +16571,7 @@ minimal capabilities:
 - applicationprofiles
 - networkneighborses
 - networkneighborhoods
+ - sbomsyfts
 - sbomsyftfiltereds
 verbs:
 - create
@@ -16646,6 +16649,7 @@ minimal capabilities:
 "networkServiceEnabled": true,
 "malwareDetectionEnabled": false,
 "nodeProfileServiceEnabled": false,
+ "sbomGenerationEnabled": true,
 "seccompServiceEnabled": true,
 "initialDelay": "2m",
 "updateDataPeriod": "10m",
@@ -16701,7 +16705,7 @@ minimal capabilities:
 annotations:
 checksum/cloud-config: f5eda48aecb77a239b89ba75d2c49d92ad3c48f7f2b2951deca9e77052f7c00c
 checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c
- checksum/node-agent-config: c210b0875265f4d1cc5217e0f754632e9c3ce74bec5ba28929706deddb3c425d
+ checksum/node-agent-config: bea5ad88e2dc905f4e4b69bbd2531070c1fe86df0933448c1a2378473a0d39fd
 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
 labels:
 app: node-agent
@@ -16757,8 +16761,8 @@ minimal capabilities:
 fieldRef:
 fieldPath: metadata.namespace
 - name: NodeName
- image: quay.io/kubescape/node-agent:v0.2.185
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/node-agent:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /livez
@@ -16775,7 +16779,7 @@ minimal capabilities:
 resources:
 limits:
 cpu: 500m
- memory: 700Mi
+ memory: 800Mi
 requests:
 cpu: 100m
 memory: 180Mi
@@ -17147,8 +17151,8 @@ minimal capabilities:
 value: zap
 - name: OTEL_COLLECTOR_SVC
 value: otel-collector:4318
- image: quay.io/kubescape/operator:v0.2.41
- imagePullPolicy: IfNotPresent
+ image: quay.io/matthiasb_1/operator:sbom
+ imagePullPolicy: Always
 livenessProbe:
 httpGet:
 path: /v1/liveness
diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
index cacde209..2f150a16 100644
--- a/charts/kubescape-operator/values.yaml
+++ b/charts/kubescape-operator/values.yaml
@@ -273,9 +273,9 @@ operator: image: # -- source code: https://github.com/kubescape/operator - repository: quay.io/kubescape/operator - tag: v0.2.41 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/operator + tag: sbom + pullPolicy: Always service: type: ClusterIP @@ -318,9 +318,9 @@ kubevuln: image: # -- source code: https://github.com/kubescape/kubevuln - repository: quay.io/kubescape/kubevuln - tag: v0.3.38 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/kubevuln + tag: sbom + pullPolicy: Always replicaCount: 1 @@ -505,9 +505,9 @@ nodeAgent: name: node-agent image: # -- source code: https://github.com/kubescape/node-agent - repository: quay.io/kubescape/node-agent - tag: v0.2.185 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/node-agent + tag: sbom + pullPolicy: Always config: maxLearningPeriod: 24h # duration string @@ -539,7 +539,7 @@ nodeAgent: memory: 180Mi limits: cpu: 500m - memory: 700Mi + memory: 800Mi env: - name: NodeName
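Review bot: The `operator`, `kubevuln` and `nodeAgent` image stanzas in this and the next two hunks replace the pinned `quay.io/kubescape/*` release tags with `quay.io/matthiasb_1/*:sbom` and `pullPolicy: Always`, which points the chart's defaults at a personal registry namespace with a mutable tag that is re-resolved on every pod start; whoever can push to that namespace decides what runs as node-agent, which the snapshot shows deployed apparmor-unconfined on every node. This reads as a development override that should not land in values.yaml: restore `quay.io/kubescape/<component>` with a pinned tag and `pullPolicy: IfNotPresent`, and carry the test image through a local values file or `--set` instead. The `# -- source code:` comments above each stanza still point at the kubescape repositories, which no longer matches the image they describe.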
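Review bot: The node-agent limit change `memory: 700Mi` → `memory: 800Mi` in the last hunk carries no explanation, while nearby tuning keys in this file are annotated (`maxLearningPeriod: 24h # duration string`). Add a short trailing comment on the new line stating what the extra headroom is for (presumably the SBOM generation this commit enables in node-agent — confirm), so the next person sizing the DaemonSet knows the figure was measured rather than guessed.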