diff --git a/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml b/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml index 8064ea35..bb1a031e 100644 --- a/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml +++ b/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml @@ -41,6 +41,7 @@ data: "keepLocal": {{ not $components.serviceDiscovery.enabled }}, "scanTimeout": "{{ .Values.kubevuln.config.scanTimeout }}", "vexGeneration": {{ eq .Values.capabilities.vexGeneration "enable" }}, + "useDefaultMatchers": {{ .Values.kubevuln.config.useDefaultMatchers }}, "continuousPostureScan": {{ $configurations.continuousScan }}, {{- if not (empty .Values.kubevuln.config.grypeDbListingURL) }} "listingURL": "{{ .Values.kubevuln.config.grypeDbListingURL }}", diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index 9d2a1904..6432b625 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap @@ -255,6 +255,7 @@ all capabilities: "keepLocal": false, "scanTimeout": "5m", "vexGeneration": true, + "useDefaultMatchers": true, "continuousPostureScan": false, "listingURL": "http://grype-offline-db:80/listing.json", "relevantImageVulnerabilitiesConfiguration": "enable" @@ -1084,7 +1085,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22 + checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/host-scanner-configmap: 27bc2a07421efcf5f68970eb30bd83f4f3b8ce2a2718644d7ee0a5c9d264dc5b checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 
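Review bot: In cloudapi-configmap.yaml the new `"useDefaultMatchers"` entry interpolates `.Values.kubevuln.config.useDefaultMatchers` unquoted and unvalidated into the JSON document, so an override that sets it to null or to a non-boolean would render invalid JSON, or a non-boolean field, in the cloud-config ConfigMap. The snapshot carries that ConfigMap's checksum on several workloads, so a malformed value would plausibly affect more than the vulnerability scanner. Coerce the value in the template, e.g. `"useDefaultMatchers": {{ eq (toString .Values.kubevuln.config.useDefaultMatchers) "true" }},`, mirroring the `eq` form used for `vexGeneration` on the line above. If the chart has a values schema (not visible here), declare the key as a boolean there as well. The enclosing JSON block starts and ends outside the hunk.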
@@ -1852,7 +1853,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22 + checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 labels: @@ -1903,7 +1904,7 @@ all capabilities: value: https://foo:bar@baz:1234 - name: no_proxy value: kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz - image: quay.io/kubescape/kubevuln:v0.3.53 + image: quay.io/kubescape/kubevuln:v0.3.54 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -2366,7 +2367,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22 + checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/node-agent-config: a466fa221874bba84fb7d2397ad6f171549ae53c041c035c45da114214158585 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 @@ -3065,7 +3066,7 @@ all capabilities: metadata: annotations: checksum/capabilities-config: 1fa4fbbf3d357c08d09770f44e3b82e81fb855589e3f3aca69e97f05d6e20f4a - checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22 + checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17 checksum/operator-config: c5e8d0f30f026bfd6059b9ae0a4232211488f34a55d1257c386631e5e8d0935f 
@@ -5397,7 +5398,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: d90836e1c52ac818dc8e39dc0d89601cd0d531bf0dfd90a79789f2004500ad22 + checksum/cloud-config: c1f0dc8ff00eb07abf64badead35ad9c9865b493a9b983d017161664bfc7c458 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 checksum/synchronizer-configmap: ce6e6cd13005cb016ce932c4b8343330c199b0d85bfed657684cb413093e6493 @@ -5796,6 +5797,7 @@ default capabilities: "keepLocal": false, "scanTimeout": "5m", "vexGeneration": false, + "useDefaultMatchers": false, "continuousPostureScan": false, "listingURL": "http://grype-offline-db:80/listing.json", "relevantImageVulnerabilitiesConfiguration": "enable" @@ -6461,7 +6463,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418 + checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/host-scanner-configmap: 5638547ec73f645a278a716fac57288e77e6c7319729d6939bb75246e4a6e645 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 @@ -7172,7 +7174,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418 + checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 labels: 
@@ -7219,7 +7221,7 @@ default capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/kubevuln:v0.3.53 + image: quay.io/kubescape/kubevuln:v0.3.54 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -7607,7 +7609,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418 + checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/node-agent-config: b63c41145cab22dc8940dbaee9ed1c00273c9fd71c3a865274186244437de025 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 @@ -8145,7 +8147,7 @@ default capabilities: metadata: annotations: checksum/capabilities-config: d05ca000eb2ee6279d1edbff8383652425595eb097b9e8a262f04f22ded60d15 - checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418 + checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17 checksum/operator-config: aa962c01a38229173991c14bea0bedd36ee3f095853d271664eac753f5155a70 @@ -10020,7 +10022,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: d7a78918f9cf1972d7a4bfb3e1e02684e90cdb728d5f6b2fab8e8951c403d418 + checksum/cloud-config: 37311949e32a133a70f465c9091dc3addf733af749455321e03f5525703a5063 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 checksum/synchronizer-configmap: eee4d8c0c03abb7b2ec348a9ade592421e69c31d66052e5fcdc0e202271b34d3 
@@ -10372,6 +10374,7 @@ disable otel: "keepLocal": false, "scanTimeout": "5m", "vexGeneration": false, + "useDefaultMatchers": false, "continuousPostureScan": false, "relevantImageVulnerabilitiesConfiguration": "enable" } @@ -10857,7 +10860,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199 + checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/host-scanner-configmap: 5638547ec73f645a278a716fac57288e77e6c7319729d6939bb75246e4a6e645 labels: @@ -11404,7 +11407,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199 + checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 labels: app: kubevuln @@ -11450,7 +11453,7 @@ disable otel: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/kubevuln:v0.3.53 + image: quay.io/kubescape/kubevuln:v0.3.54 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -11772,7 +11775,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199 + checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/node-agent-config: b63c41145cab22dc8940dbaee9ed1c00273c9fd71c3a865274186244437de025 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined 
@@ -12192,7 +12195,7 @@ disable otel: metadata: annotations: checksum/capabilities-config: 46f28cfeabce548d6bce6f72f157d046401b2e56872e92b39ba65a7acbd4b6ba - checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199 + checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17 checksum/operator-config: aa962c01a38229173991c14bea0bedd36ee3f095853d271664eac753f5155a70 @@ -13878,7 +13881,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 9909982545d67928d59b6afe566c35222eb2094c84e983623dcbb115caca3199 + checksum/cloud-config: 4ae906fd9cea940360abb72cb088bd6f82d009b1748dbeab14a85eef05efd049 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 checksum/synchronizer-configmap: eee4d8c0c03abb7b2ec348a9ade592421e69c31d66052e5fcdc0e202271b34d3 labels: @@ -14149,6 +14152,7 @@ minimal capabilities: "keepLocal": true, "scanTimeout": "5m", "vexGeneration": false, + "useDefaultMatchers": false, "continuousPostureScan": false, "relevantImageVulnerabilitiesConfiguration": "enable" } @@ -14530,7 +14534,7 @@ minimal capabilities: template: metadata: annotations: - checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3 + checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c checksum/host-scanner-configmap: 5638547ec73f645a278a716fac57288e77e6c7319729d6939bb75246e4a6e645 labels: 
@@ -14977,7 +14981,7 @@ minimal capabilities: template: metadata: annotations: - checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3 + checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c labels: app: kubevuln @@ -15023,7 +15027,7 @@ minimal capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/kubevuln:v0.3.53 + image: quay.io/kubescape/kubevuln:v0.3.54 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -15341,7 +15345,7 @@ minimal capabilities: template: metadata: annotations: - checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3 + checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c checksum/node-agent-config: b658595793549f32aed093f8d72f18be9ec60174d15fabc8429674c14a96b12a container.apparmor.security.beta.kubernetes.io/node-agent: unconfined @@ -15758,7 +15762,7 @@ minimal capabilities: metadata: annotations: checksum/capabilities-config: 3bd17bfa7829be49dd8e6d04b110ff841e513cf3e34b49199a1cb414347992e2 - checksum/cloud-config: 27607013f320078e1f31ff0e5b16920f10b123bb12e5cce6edf69ed5249685b3 + checksum/cloud-config: 78e0d35288b7978bc95dc0f93426b1f2677459278ad27ddd867f13661142717b checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c checksum/matching-rules-config: 4244067153661f0c2577cba49b0dba63db5f77acf9904663ca06610953f55e17 checksum/operator-config: b718f34adae5893e4846bb4cce1e40b300355a2e4b3b3fb996cb39e567319f6f diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index dce495da..55a945bb 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml 
+++ b/charts/kubescape-operator/tests/snapshot_test.yaml @@ -56,6 +56,7 @@ tests: grypeOfflineDB.image.tag: "latest" kubescape.serviceMonitor.enabled: true kubescapeScheduler.scanSchedule: "1 2 3 4 5" + kubevuln.config.useDefaultMatchers: true kubevulnScheduler.scanSchedule: "1 2 3 4 5" nodeAgent.config.skipKernelVersionCheck: true storage.forceVirtualCrds: true @@ -201,4 +202,4 @@ tests: imagePullSecret: server: quay.io username: foo - password: xxxxxxx \ No newline at end of file + password: xxxxxxx diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index f7c076eb..14b6cd94 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -327,7 +327,7 @@ kubevuln: image: # -- source code: https://github.com/kubescape/kubevuln repository: quay.io/kubescape/kubevuln - tag: v0.3.53 + tag: v0.3.54 pullPolicy: IfNotPresent replicaCount: 1 @@ -355,6 +355,7 @@ kubevuln: maxSBOMSize: 20971520 scanTimeout: 5m # set timeout for scanning an image grypeDbListingURL: "" # set the URL for the grype db listing, if empty the default URL will be used + useDefaultMatchers: false # set to true to use the default matchers env: - name: CA_MAX_VULN_SCAN_ROUTINES # TODO update the kubevuln
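Review bot: In the last values.yaml hunk, the comment on the new `useDefaultMatchers` key only restates the key name and does not say what the scanner does when it is left at `false`, which is the shipped default. Because the flag is passed into the kubevuln scan configuration, it presumably changes which vulnerability matches are reported, and operators need to know the direction of that change before toggling it. Suggest a comment along the lines of `# true: use the scanner's default matcher set; false (default): <describe the matcher configuration kubevuln applies instead and its effect on findings>`. The same commit bumps kubevuln to v0.3.54, so the comment should also say whether the key needs that image version or newer, if that is the case.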