
feat: support the Continuous Scanning capability #323

Merged
merged 5 commits into from
Nov 1, 2023

Conversation

@vladklokun vladklokun (Collaborator) commented Oct 31, 2023

PR Type:

Enhancement


PR Description:

This PR introduces the Continuous Scanning feature in Kubescape, a tool for Kubernetes security. The main changes include:

  • Enabling Continuous Scanning in the Kubescape Operator Helm chart.
  • Providing detailed documentation on how to use the Continuous Scanning feature.
  • Adding a new ConfigMap for matching rules related to continuous scanning.
  • Modifying the operator deployment to include the new ConfigMap.
  • Updating the values.yaml file to include configurations for continuous scanning.

Once kubescape/storage#59 and kubescape/operator#174 are merged, we can use our proper Quay images.


PR Main Files Walkthrough:

files:

charts/kubescape-operator/README.md: Added extensive documentation on the Continuous Scanning feature, including its installation, accessing results, and how it works.
charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml: Introduced a new ConfigMap for matching rules related to continuous scanning.
charts/kubescape-operator/templates/operator/deployment.yaml: Updated the operator deployment to include the new ConfigMap for continuous scanning.
charts/kubescape-operator/values.yaml: Added new configurations for the continuous scanning feature, including the ConfigMap name and matching rules. Also updated the operator image repository and tag.


User Description:

Overview

This PR adds support for Continuous Scanning. It exposes new values
that control:

  • whether to enable Continuous Scanning
  • which resources to monitor.

I left some docs in the README before we merge kubescape/kubescape.io#25. But after we merge it, I will remove the docs from the README and provide the links to the new documentation.

@vladklokun vladklokun added the release This is a PR for a new release label Oct 31, 2023
@vladklokun vladklokun requested a review from dwertent October 31, 2023 08:39
@vladklokun vladklokun self-assigned this Oct 31, 2023
@codiumai-pr-agent-free codiumai-pr-agent-free bot added the enhancement New feature or request label Oct 31, 2023
@codiumai-pr-agent-free (bot)

PR Analysis

  • 🎯 Main theme: Adding Continuous Scanning feature to Kubescape
  • 📝 PR summary: This PR introduces the Continuous Scanning feature in Kubescape, a tool for Kubernetes security. The main changes include enabling Continuous Scanning in the Kubescape Operator Helm chart, providing detailed documentation on how to use the Continuous Scanning feature, adding a new ConfigMap for matching rules related to continuous scanning, modifying the operator deployment to include the new ConfigMap, and updating the values.yaml file to include configurations for continuous scanning.
  • 📌 Type of PR: Enhancement
  • 🧪 Relevant tests added: No
  • ⏱️ Estimated effort to review [1-5]: 3, because the PR introduces a new feature and modifies several files, but the changes are well-documented and straightforward.
  • 🔒 Security concerns: No security concerns found

PR Feedback

  • 💡 General suggestions: The PR is well-structured and the changes are well-documented. However, it would be beneficial to include tests for the new feature to ensure its functionality and prevent future regressions.

  • 🤖 Code feedback:

    • relevant file: charts/kubescape-operator/values.yaml
      suggestion: Consider parameterizing the image repository and tag for the continuous scanning feature, similar to how it's done for the operator image. This would make it easier to update or change the image in the future. [medium]
      relevant line: repository: vklokun/ks-operator-test

    • relevant file: charts/kubescape-operator/templates/operator/deployment.yaml
      suggestion: Ensure that the ConfigMap for continuous scanning is only mounted if the feature is enabled. This could be done by wrapping the relevant lines in a conditional block that checks the value of .Values.continuousScanning. [important]
      relevant line: - name: {{ .Values.continuousScanning.configMapName }}

    • relevant file: charts/kubescape-operator/values.yaml
      suggestion: It would be beneficial to provide a way for users to specify the namespaces to monitor in the continuous scanning feature, instead of hardcoding it to the 'default' namespace. [medium]
      relevant line: namespaces:

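As an added illustration (example code, not the Kubescape operator's own types or logic), the following Go program models the semantics this PR describes, every provided GVR watched across every provided namespace, as a rule matcher plus a validation step that fails closed when the GVR or namespace list is empty. It also demonstrates the point raised above about the monitored namespaces: with a rule set that lists only `default`, objects in any other namespace are simply never matched. The struct layout, the `*` wildcard, the treatment of cluster-scoped objects and the sample rules are assumptions made for the example, not the chart's actual `values.yaml` layout.

```go
package main

import (
	"fmt"
	"strings"
)

// GVR identifies a Kubernetes resource type by group, version and resource.
// (Example type for this illustration, not the Kubescape operator's own.)
type GVR struct {
	Group    string // "" for the core API group
	Version  string // e.g. "v1"
	Resource string // plural, lowercase, e.g. "pods"
}

// String renders a GVR as [group/]version/resource.
func (g GVR) String() string {
	return strings.TrimPrefix(g.Group+"/"+g.Version+"/"+g.Resource, "/")
}

// MatchingRules models what the PR exposes: GVRs to watch and the namespaces
// to watch them in. The shape is assumed, not the chart's values.yaml layout.
type MatchingRules struct {
	GVRs       []GVR
	Namespaces []string // "*" (assumed convention) means every namespace
}

// ObservedObject is the identity of an object delivered by a watch.
type ObservedObject struct {
	GVR       GVR
	Namespace string // "" for cluster-scoped objects
}

// Validate fails closed: a rule set that would watch nothing is rejected
// instead of producing a silently empty continuous scan.
func (r MatchingRules) Validate() error {
	if len(r.GVRs) == 0 {
		return fmt.Errorf("matchingRules: no GVRs provided")
	}
	if len(r.Namespaces) == 0 {
		return fmt.Errorf("matchingRules: no namespaces provided")
	}
	for _, g := range r.GVRs {
		if g.Version == "" || g.Resource == "" {
			return fmt.Errorf("matchingRules: %q lacks a version or resource", g.String())
		}
	}
	return nil
}

// Matches reports whether obj is covered: its GVR must be listed, and a
// namespaced object must also sit in a listed namespace. A cluster-scoped
// object (empty namespace) matches on GVR alone (an assumption for this example).
func (r MatchingRules) Matches(obj ObservedObject) bool {
	listed := false
	for _, g := range r.GVRs {
		if g == obj.GVR {
			listed = true
			break
		}
	}
	if !listed {
		return false
	}
	if obj.Namespace == "" {
		return true
	}
	for _, ns := range r.Namespaces {
		if ns == "*" || ns == obj.Namespace {
			return true
		}
	}
	return false
}

// WatchTargets expands the rules into the "namespace: gvr" pairs a controller
// would open watches for: every GVR across every namespace.
func (r MatchingRules) WatchTargets() []string {
	var out []string
	for _, ns := range r.Namespaces {
		for _, g := range r.GVRs {
			out = append(out, ns+": "+g.String())
		}
	}
	return out
}

// SampleRules is a constructed rule set shaped like a chart whose default
// monitors only the "default" namespace, as the review feedback above notes.
func SampleRules() MatchingRules {
	return MatchingRules{
		GVRs: []GVR{
			{Version: "v1", Resource: "pods"},
			{Group: "apps", Version: "v1", Resource: "deployments"},
		},
		Namespaces: []string{"default"},
	}
}
```

The fail-closed `Validate` is the part worth carrying into a real chart: a typo that empties the namespace list should surface at operator start, not as a continuous scan that quietly reports nothing. `WatchTargets` makes the cost of the Cartesian product visible; widening the namespace list multiplies the number of watches the operator keeps open against the API server.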

@dwertent dwertent (Contributor) left a comment

Looking good.
I will approve after we change the images to the official released images.

@vladklokun vladklokun requested a review from dwertent November 1, 2023 08:05
@vladklokun vladklokun (Collaborator Author)

I apologize, I re-requested review for the wrong PR 🤦‍♂️


## Installation

Continuous Scanning is built into the Kubescape Operator Helm chart. To use this capibility, you only need to enable it. Start by navigating to the `values.yaml` file and make sure that the corresponding `capabilities.continuousScan` key is set to `enabled`, like so:
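Review bot: the README text tells users to set `capabilities.continuousScan` to `enabled`, while the deployment template change in this PR references `.Values.continuousScanning.configMapName`; confirm both key paths are correct and have the docs name the one that actually gates the feature, so the enable flag and the ConfigMap mount cannot drift apart. The sentence ends with "like so:" but the fragment carries no YAML; showing the exact snippet, including whether the value is the string `enabled` or a boolean, removes the guesswork for readers of the README.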
Collaborator

Suggested change
Continuous Scanning is built into the Kubescape Operator Helm chart. To use this capibility, you only need to enable it. Start by navigating to the `values.yaml` file and make sure that the corresponding `capabilities.continuousScan` key is set to `enabled`, like so:
Continuous Scanning is built into the Kubescape Operator Helm chart. To use this capability, you only need to enable it. Start by navigating to the `values.yaml` file and make sure that the corresponding `capabilities.continuousScan` key is set to `enabled`, like so:

@vladklokun vladklokun (Collaborator Author) Nov 1, 2023

Thank you for noticing! Fixed in latest.

This commit adds support for Continuous Scanning. It exposes new values
that control:
- whether to enable Continuous Scanning
- which resources to monitor.

Signed-off-by: Vlad Klokun <[email protected]>
@vladklokun vladklokun force-pushed the feat-continuous-scanning-snapshot branch from d8fccc8 to 7982291 on November 1, 2023 12:50
# Matching rules for the monitored resources.
# Kubescape will watch resources of every provided GVR across the provided
# namespaces.
matchingRules:
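Review bot: the header comment says every provided GVR is watched across the provided namespaces, but it does not state what happens when `namespaces` is empty or omitted, nor whether cluster-scoped resources (which have no namespace) are ever covered; spell out the default here (the review feedback above notes the shipped default is only the `default` namespace) so an operator does not assume cluster-wide coverage. Given the reviewer's point that users are not meant to change this block, a one-line comment saying so would also be worthwhile.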
Contributor

@vladklokun I'm not sure why this should be in the values file.
We don't want users to change it...

@vladklokun vladklokun (Collaborator Author) Nov 1, 2023

I added this to the values.yaml file so that we can change the monitored GVRs more conveniently. I wouldn’t overestimate how often people change the deeply-buried configurables in Helm charts.

@vladklokun vladklokun force-pushed the feat-continuous-scanning-snapshot branch from 7982291 to e1201d6 on November 1, 2023 13:22
@vladklokun vladklokun force-pushed the feat-continuous-scanning-snapshot branch from e1201d6 to 6e79b74 on November 1, 2023 13:23
@vladklokun vladklokun requested a review from dwertent November 1, 2023 13:32
@vladklokun vladklokun merged commit 6659e48 into main Nov 1, 2023
5 checks passed
@dwertent dwertent deleted the feat-continuous-scanning-snapshot branch December 13, 2023 11:03