From 8eb221d2b14a8fdddc4ce471bcb1445257be0b1d Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Tue, 14 Nov 2023 12:40:03 +0100 Subject: [PATCH] add synchronizer client Signed-off-by: Matthias Bertschy --- .../kubescape-operator/templates/_helpers.tpl | 3 + .../templates/synchronizer/clusterrole.yaml | 20 ++ .../synchronizer/clusterrolebinding.yaml | 15 + .../templates/synchronizer/configmap.yaml | 77 +++++ .../templates/synchronizer/deployment.yaml | 168 ++++++++++ .../templates/synchronizer/networkpolicy.yaml | 27 ++ .../synchronizer/serviceaccount.yaml | 18 + .../__snapshot__/snapshot_test.yaml.snap | 311 +++++++++++++++++- .../tests/snapshot_test.yaml | 8 + charts/kubescape-operator/values.yaml | 17 +- 10 files changed, 647 insertions(+), 17 deletions(-) create mode 100644 charts/kubescape-operator/templates/synchronizer/clusterrole.yaml create mode 100644 charts/kubescape-operator/templates/synchronizer/clusterrolebinding.yaml create mode 100644 charts/kubescape-operator/templates/synchronizer/configmap.yaml create mode 100644 charts/kubescape-operator/templates/synchronizer/deployment.yaml create mode 100644 charts/kubescape-operator/templates/synchronizer/networkpolicy.yaml create mode 100644 charts/kubescape-operator/templates/synchronizer/serviceaccount.yaml diff --git a/charts/kubescape-operator/templates/_helpers.tpl b/charts/kubescape-operator/templates/_helpers.tpl index 75d82b9f..7c477e21 100644 --- a/charts/kubescape-operator/templates/_helpers.tpl +++ b/charts/kubescape-operator/templates/_helpers.tpl 
@@ -7,6 +7,7 @@ matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values. nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | sha256sum }} operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | sha256sum }} proxySecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory "proxy-secret.yaml") . | sha256sum }} +synchronizerConfig: {{ include (printf "%s/synchronizer/configmap.yaml" $.Template.BasePath) . | sha256sum }} {{- end -}} @@ -59,4 +60,6 @@ storage: cloudSecret: create: {{ $configurations.createCloudSecret }} name: {{ if $configurations.createCloudSecret }}"cloud-secret"{{ else }}{{ .Values.credentials.cloudSecret }}{{ end }} +synchronizer: + enabled: {{ and $configurations.submit (eq .Values.capabilities.synchronizer "enable") }} {{- end -}} diff --git a/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml b/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml new file mode 100644 index 00000000..25be8772 --- /dev/null +++ b/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml 
@@ -0,0 +1,20 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.synchronizer.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.synchronizer.name }}
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
+ resources: ["applicationactivities", "applicationprofiles", "applicationprofilesummaries", "configurationscansummaries", "networkneighborses", "openvulnerabilityexchangecontainers", "sbomspdxv2p3s", "sbomspdxv2p3filtereds", "sbomsummaries", "vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "vulnerabilitysummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries"]
+ verbs: ["get", "watch", "list"]
+# - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
+# resources: ["knownservers"]
+# verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+{{- end }}
diff --git a/charts/kubescape-operator/templates/synchronizer/clusterrolebinding.yaml b/charts/kubescape-operator/templates/synchronizer/clusterrolebinding.yaml
new file mode 100644
index 00000000..b0569db6
--- /dev/null
+++ b/charts/kubescape-operator/templates/synchronizer/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.synchronizer.enabled }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.synchronizer.name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.synchronizer.name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.synchronizer.name }}
+ namespace: {{ .Values.ksNamespace }}
+{{- end }}
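Review bot: The ClusterRole grants get/list/watch on fourteen spdx.softwarecomposition.kubescape.io resources, but config.json in the configmap hunk of this commit only names eight of them (sbomspdxv2p3s, sbomspdxv2p3filtereds, vulnerabilitymanifests, workloadconfigurationscans, applicationprofiles, applicationactivities, networkneighborses, openvulnerabilityexchangecontainers), so the six `*summaries` resources are readable by the service account with no consumer visible here. Unless the client reads them outside config.json, trimming the third `resources:` list to what config.json lists keeps the grant at least-privilege, and sourcing both lists from one values entry would stop them drifting apart. The commented-out `knownservers` rule at the end (with create/update/patch/delete verbs) is dead text that ships in the chart; either drop it or turn it into a template comment such as `{{/* knownservers write access is deliberately not granted yet */}}` so nothing is rendered.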
diff --git a/charts/kubescape-operator/templates/synchronizer/configmap.yaml b/charts/kubescape-operator/templates/synchronizer/configmap.yaml new file mode 100644 index 00000000..e387b2f7 --- /dev/null +++ b/charts/kubescape-operator/templates/synchronizer/configmap.yaml 
@@ -0,0 +1,77 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- $configurations := fromYaml (include "configurations" .) }}
+{{- if $components.synchronizer.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.synchronizer.name }}
+ namespace: {{ .Values.ksNamespace }}
+data:
+ config.json: |
+ {
+ "inCluster": {
+ "resources": [
+ {
+ "group": "apps",
+ "version": "v1",
+ "resource": "deployments",
+ "strategy": "patch"
+ },
+ {
+ "group": "",
+ "version": "v1",
+ "resource": "pods",
+ "strategy": "patch"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "sbomspdxv2p3s",
+ "strategy": "copy"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "sbomspdxv2p3filtereds",
+ "strategy": "copy"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "vulnerabilitymanifests",
+ "strategy": "copy"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "workloadconfigurationscans",
+ "strategy": "copy"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "applicationprofiles",
+ "strategy": "copy"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "applicationactivities",
+ "strategy": "copy"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "networkneighborses",
+ "strategy": "copy"
+ },
+ {
+ "group": "spdx.softwarecomposition.kubescape.io",
+ "version": "v1beta1",
+ "resource": "openvulnerabilityexchangecontainers",
+ "strategy": "copy"
+ }
+ ]
+ }
+ }
+{{- end }}
diff --git a/charts/kubescape-operator/templates/synchronizer/deployment.yaml b/charts/kubescape-operator/templates/synchronizer/deployment.yaml
new file mode 100644
index 00000000..5925ff18
--- /dev/null
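Review bot: `config.json` is a hand-written JSON block scalar, so the resource list cannot be overridden from values and a stray comma or indentation slip is only caught when the client parses the ConfigMap at runtime. Rendering it with `config.json: |` followed by `{{ toPrettyJson (dict "inCluster" (dict "resources" .Values.synchronizer.resources)) | indent 4 }}` (with a matching `resources:` list added under `synchronizer:` in values.yaml) would give valid JSON by construction and let operators trim the list. The `$configurations` variable declared on the second line is never used in this template and can go. The meaning of `"strategy": "patch"` versus `"copy"` is not explained anywhere in the chart; a one-line Helm comment above `data:` pointing to where these values are defined would help the next maintainer.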
+++ b/charts/kubescape-operator/templates/synchronizer/deployment.yaml 
@@ -0,0 +1,168 @@ +{{- $checksums := fromYaml (include "checksums" .) }} +{{- $components := fromYaml (include "components" .) }} +{{- if $components.synchronizer.enabled }} +{{- $no_proxy_envar_list := (include "no_proxy_envar_list" .) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.synchronizer.name }} + namespace: {{ .Values.ksNamespace }} + labels: + app.kubernetes.io/name: {{ .Values.synchronizer.name }} + app.kubernetes.io/instance: {{ .Release.Name }} + app: {{ .Values.synchronizer.name }} + tier: {{ .Values.global.namespaceTier }} +spec: + replicas: {{ .Values.synchronizer.replicaCount }} + revisionHistoryLimit: 2 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: {{ .Values.synchronizer.name }} + app.kubernetes.io/instance: {{ .Release.Name }} + tier: {{ .Values.global.namespaceTier }} + template: + metadata: + annotations: + checksum/synchronizer-configmap: {{ $checksums.synchronizerConfig }} + checksum/cloud-secret: {{ $checksums.cloudSecret }} + checksum/cloud-config: {{ $checksums.cloudConfig }} + {{- if ne .Values.global.proxySecretFile "" }} + checksum/proxy-config: {{ $checksums.proxySecret }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.synchronizer.name }} + app.kubernetes.io/instance: {{ .Release.Name }} + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + tier: {{ .Values.global.namespaceTier }} + app: {{ .Values.synchronizer.name }} + {{- if $components.otelCollector.enabled }} + otel: enabled + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ toYaml .Values.imagePullSecrets }} + {{- end }} + securityContext: + runAsUser: 65532 + fsGroup: 65532 + containers: + - name: {{ .Values.synchronizer.name }} + image: "{{ .Values.synchronizer.image.repository }}:{{ .Values.synchronizer.image.tag }}" + imagePullPolicy: {{ .Values.synchronizer.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsNonRoot: true + livenessProbe: + httpGet: + path: /healthz + port: 7888 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: +{{ toYaml .Values.synchronizer.resources | indent 12 }} + env: + - name: GOMEMLIMIT + value: "{{ .Values.synchronizer.resources.requests.memory }}B" + - name: KS_LOGGER_LEVEL + value: "{{ .Values.logger.level }}" + - name: KS_LOGGER_NAME + value: "{{ .Values.logger.name }}" + {{- range .Values.synchronizer.env }} + - name: {{ .name }} + value: "{{ .value }}" + {{- end }} + {{- if $components.otelCollector.enabled }} + - name: ACCOUNT_ID + valueFrom: + secretKeyRef: + name: {{ $components.cloudSecret.name }} + key: account + - name: OTEL_COLLECTOR_SVC + value: "otel-collector:4317" + {{- end }} + {{- if ne .Values.global.httpsProxy "" }} + - name: HTTPS_PROXY + value: "{{ .Values.global.httpsProxy }}" + - name : no_proxy + value: "{{ $no_proxy_envar_list }}" + {{- end }} + command: ["/usr/bin/client"] + volumeMounts: + - name: {{ $components.cloudSecret.name }} + mountPath: /etc/credentials + readOnly: true + - name: {{ .Values.global.cloudConfig }} + mountPath: /etc/config/clusterData.json + readOnly: true + subPath: "clusterData.json" + {{- if $components.serviceDiscovery.enabled }} + - name: {{ .Values.global.cloudConfig }} + mountPath: /etc/config/services.json + readOnly: true + subPath: "services.json" + {{- end }} + - name: config + mountPath: /etc/config/config.json + readOnly: true + subPath: "config.json" +{{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 12 }} +{{- end }} +{{- if .Values.synchronizer.volumeMounts }} +{{ toYaml .Values.synchronizer.volumeMounts | indent 12 }} +{{- end }} +{{- if ne .Values.global.proxySecretFile "" }} + - name: proxy-secret + mountPath: /etc/ssl/certs/proxy.crt + subPath: proxy.crt +{{- end }} + volumes: + - name: {{ $components.cloudSecret.name }} + secret: + secretName: {{ $components.cloudSecret.name }} + {{- if ne 
.Values.global.proxySecretFile "" }} + - name: proxy-secret + secret: + secretName: {{ .Values.global.proxySecretName }} + {{- end }} + - name: {{ .Values.global.cloudConfig }} + configMap: + name: {{ .Values.global.cloudConfig }} + items: + - key: "clusterData" + path: "clusterData.json" + {{- if $components.serviceDiscovery.enabled }} + - key: "services" + path: "services.json" + {{- end }} + - name: config + configMap: + name: {{ .Values.synchronizer.name }} + items: + - key: "config.json" + path: "config.json" +{{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 8 }} +{{- end }} +{{- if .Values.synchronizer.volumes }} +{{ toYaml .Values.synchronizer.volumes | indent 8 }} +{{- end }} + serviceAccountName: {{ .Values.synchronizer.name }} + automountServiceAccountToken: true + {{- with .Values.synchronizer.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.synchronizer.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/kubescape-operator/templates/synchronizer/networkpolicy.yaml b/charts/kubescape-operator/templates/synchronizer/networkpolicy.yaml new file mode 100644 index 00000000..63035148 --- /dev/null +++ b/charts/kubescape-operator/templates/synchronizer/networkpolicy.yaml 
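Review bot: `replicas: {{ .Values.synchronizer.replicaCount }}` reads a key that the `synchronizer:` block added to values.yaml in this commit does not define, so the rendered Deployment carries `replicas: null` (visible in the snapshot hunk) and runs a single replica only because the API server defaults it; add `replicaCount: 1` to that values block or drop the line. The container `securityContext` sets allowPrivilegeEscalation, readOnlyRootFilesystem and runAsNonRoot but neither drops capabilities nor sets a seccomp profile, both of which the restricted Pod Security Standard expects. `- name : no_proxy` has a space before the colon and should match the other env entries. The `proxy-secret` mount is the only volumeMount without `readOnly: true`.
```yaml
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: livenessProbe, resources, env, command, volumeMounts …
```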
@@ -0,0 +1,27 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if and .Values.global.networkPolicy.enabled $components.synchronizer.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Values.synchronizer.name }}
+ namespace: {{ .Values.ksNamespace }}
+ labels:
+ app: {{ .Values.synchronizer.name }}
+ tier: {{ .Values.global.namespaceTier }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Values.synchronizer.name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ tier: {{ .Values.global.namespaceTier }}
+ policyTypes:
+ - Ingress
+ {{- if .Values.global.networkPolicy.createEgressRules }}
+ - Egress
+ egress:
+ # - synchronizer server
+ - ports:
+ - port: 8443
+ protocol: TCP
+ {{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/synchronizer/serviceaccount.yaml b/charts/kubescape-operator/templates/synchronizer/serviceaccount.yaml
new file mode 100644
index 00000000..0302a1ad
--- /dev/null
+++ b/charts/kubescape-operator/templates/synchronizer/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.synchronizer.enabled }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+{{- if .Values.cloudProviderMetadata.awsIamRoleArn }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.cloudProviderMetadata.awsIamRoleArn }}
+ {{- else if .Values.cloudProviderMetadata.gkeServiceAccount }}
+ annotations:
+ iam.gke.io/gcp-service-account: {{ .Values.cloudProviderMetadata.gkeServiceAccount }}
+{{- end }}
+ labels:
+ app: {{ .Values.synchronizer.name }}
+ name: {{ .Values.synchronizer.name }}
+ namespace: {{ .Values.ksNamespace }}
+automountServiceAccountToken: false
+{{- end }}
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index 5de96068..7f501324 100644
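Review bot: With `createEgressRules` on, the only egress rule allows TCP 8443, yet the deployment hunk sets `OTEL_COLLECTOR_SVC` to `otel-collector:4317` when the collector is enabled, so this pod's own policy blocks its telemetry export. Name resolution is not covered either; unless another policy in the chart allows DNS egress (not visible in this commit), the pod cannot resolve the synchronizer server's hostname once Egress is in `policyTypes`. Add a collector rule gated on the same `$components.otelCollector.enabled` flag the deployment uses, and confirm where DNS egress is granted.
```yaml
 egress:
 # - synchronizer server
 - ports:
 - port: 8443
 protocol: TCP
 {{- if $components.otelCollector.enabled }}
 # - otel-collector
 - ports:
 - port: 4317
 protocol: TCP
 {{- end }}
```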
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: "Thank you for installing kubescape-operator version 1.16.4.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\n\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\n\n\n" + raw: "Thank you for installing kubescape-operator version 1.16.4.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\nView your configuration scan summaries: \n> kubectl get workloadconfigurationscansummaries -A\n\nDetailed reports are also available: \n> kubectl get workloadconfigurationscans -A\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" 2: | apiVersion: batch/v1 kind: CronJob 
@@ -126,8 +126,8 @@ matches the snapshot: "maxImageSize": 5.36870912e+09, "keepLocal": false, "scanTimeout": "5m", - "vexGeneration": false, - "continuousPostureScan": false, + "vexGeneration": true, + "continuousPostureScan": true, "listingURL": "http://grype-offline-db:80/listing.json", "relevantImageVulnerabilitiesConfiguration": "enable" } @@ -152,8 +152,8 @@ matches the snapshot: data: capabilities: | { - "capabilities":{"autoUpgrading":"enable","configurationScan":"enable","continuousScan":"disable","networkPolicyService":"disable","nodeScan":"enable","relevancy":"enable","runtimeObservability":"disable","vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"cloudSecret":{"create":true,"name":"cloud-secret"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true}}, + "capabilities":{"autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","networkPolicyService":"enable","nodeScan":"enable","relevancy":"enable","runtimeObservability":"enable","synchronizer":"enable","vexGeneration":"enable","vulnerabilityScan":"enable"}, + "components":{"cloudSecret":{"create":true,"name":"cloud-secret"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"otelUrl":"otelCollector:4317","persistence":"enable"} } kind: ConfigMap 
@@ -203,7 +203,7 @@ matches the snapshot: template: metadata: annotations: - checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-config: 253f0c05e8d2915ab3627479c2f810d8cf3d40b03c0807ec6af34da0e1d1e049 checksum/cloud-secret: 7a52a6a06abb711221729ad1ea112ce6b3d64144afde7ff807e46ed477fa2fe6 checksum/proxy-config: f2071cad863e27de0eec2175d24d505135c28d48c11a520ad04a9f4f8a5ac0b7 labels: @@ -557,7 +557,7 @@ matches the snapshot: template: metadata: annotations: - checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-config: 253f0c05e8d2915ab3627479c2f810d8cf3d40b03c0807ec6af34da0e1d1e049 checksum/cloud-secret: 7a52a6a06abb711221729ad1ea112ce6b3d64144afde7ff807e46ed477fa2fe6 checksum/proxy-config: f2071cad863e27de0eec2175d24d505135c28d48c11a520ad04a9f4f8a5ac0b7 labels: @@ -942,7 +942,7 @@ matches the snapshot: template: metadata: annotations: - checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-config: 253f0c05e8d2915ab3627479c2f810d8cf3d40b03c0807ec6af34da0e1d1e049 checksum/cloud-secret: 7a52a6a06abb711221729ad1ea112ce6b3d64144afde7ff807e46ed477fa2fe6 checksum/host-scanner-configmap: 329050cbdabb0c88161e510252b8e3116c6a57d397f321ecb0cfa8837ce31f23 checksum/proxy-config: f2071cad863e27de0eec2175d24d505135c28d48c11a520ad04a9f4f8a5ac0b7 @@ -1414,7 +1414,7 @@ matches the snapshot: template: metadata: annotations: - checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-config: 253f0c05e8d2915ab3627479c2f810d8cf3d40b03c0807ec6af34da0e1d1e049 checksum/cloud-secret: 7a52a6a06abb711221729ad1ea112ce6b3d64144afde7ff807e46ed477fa2fe6 checksum/proxy-config: f2071cad863e27de0eec2175d24d505135c28d48c11a520ad04a9f4f8a5ac0b7 labels: 
@@ -1663,12 +1663,12 @@ matches the snapshot: data: config.json: | { - "applicationProfileServiceEnabled": false, + "applicationProfileServiceEnabled": true, "relevantCVEServiceEnabled": true, "InitialDelay": "2m", "updateDataPeriod": "10m", "maxSniffingTimePerContainer": "3h", - "networkServiceEnabled": "false" + "networkServiceEnabled": "true" } kind: ConfigMap metadata: @@ -1694,9 +1694,9 @@ matches the snapshot: template: metadata: annotations: - checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/cloud-config: 253f0c05e8d2915ab3627479c2f810d8cf3d40b03c0807ec6af34da0e1d1e049 checksum/cloud-secret: 7a52a6a06abb711221729ad1ea112ce6b3d64144afde7ff807e46ed477fa2fe6 - checksum/node-agent-config: 86b38ffc87a7df25c377369ecdf4cccf7d10f2c4fc1d29f3e220f39b74906de6 + checksum/node-agent-config: 1f1ed354ec149975e60a35866c9b74c952b526adddf8fdc41ecb1ca64e0aafa5 checksum/proxy-config: f2071cad863e27de0eec2175d24d505135c28d48c11a520ad04a9f4f8a5ac0b7 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: @@ -1739,7 +1739,7 @@ matches the snapshot: - name: HOST_ROOT value: /host - name: NodeName - image: quay.io/kubescape/node-agent:v0.1.121 + image: quay.io/kubescape/node-agent:v0.1.128 imagePullPolicy: IfNotPresent name: node-agent resources: 
@@ -1954,8 +1954,8 @@ matches the snapshot: template: metadata: annotations: - checksum/capabilities-config: b5dcc3948c0adb1303e22c81e4c068c4e199709d08599ab310c17ccde3795182 - checksum/cloud-config: bc11c557570531f1993ebd8a8d6ee8174a1dd9f35c00e7640181b82eab213945 + checksum/capabilities-config: 117f94e10fb7c5e7769bf06667833984002311bea9280df44333b4c03428a17d + checksum/cloud-config: 253f0c05e8d2915ab3627479c2f810d8cf3d40b03c0807ec6af34da0e1d1e049 checksum/cloud-secret: 7a52a6a06abb711221729ad1ea112ce6b3d64144afde7ff807e46ed477fa2fe6 checksum/matching-rules-config: 0fe866ff165ca62399198397c07ab2d49af3181c569b3d0cce4a4cb310796824 checksum/operator-config: df99a2aba9854372143be03476352384d33d686923ae071dde264c8c7ffbc999 
@@ -2697,3 +2697,282 @@ matches the snapshot: metadata: name: storage namespace: kubescape + 76: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: synchronizer + rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - applicationactivities + - applicationprofiles + - applicationprofilesummaries + - configurationscansummaries + - networkneighborses + - openvulnerabilityexchangecontainers + - sbomspdxv2p3s + - sbomspdxv2p3filtereds + - sbomsummaries + - vulnerabilitymanifests + - vulnerabilitymanifestsummaries + - vulnerabilitysummaries + - workloadconfigurationscans + - workloadconfigurationscansummaries + verbs: + - get + - watch + - list + 77: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: synchronizer + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: synchronizer + subjects: + - kind: ServiceAccount + name: synchronizer + namespace: kubescape + 78: | + apiVersion: v1 + data: + config.json: | + { + "inCluster": { + "resources": [ + { + "group": "apps", + "version": "v1", + "resource": "deployments", + "strategy": "patch" + }, + { + "group": "", + "version": "v1", + "resource": "pods", + "strategy": "patch" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "sbomspdxv2p3s", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "sbomspdxv2p3filtereds", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "vulnerabilitymanifests", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "workloadconfigurationscans", + "strategy": 
"copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "applicationprofiles", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "applicationactivities", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "networkneighborses", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "openvulnerabilityexchangecontainers", + "strategy": "copy" + } + ] + } + } + kind: ConfigMap + metadata: + name: synchronizer + namespace: kubescape + 79: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: synchronizer + tier: ks-control-plane + name: synchronizer + namespace: kubescape + spec: + replicas: null + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: synchronizer + tier: ks-control-plane + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/cloud-config: 253f0c05e8d2915ab3627479c2f810d8cf3d40b03c0807ec6af34da0e1d1e049 + checksum/cloud-secret: 7a52a6a06abb711221729ad1ea112ce6b3d64144afde7ff807e46ed477fa2fe6 + checksum/proxy-config: f2071cad863e27de0eec2175d24d505135c28d48c11a520ad04a9f4f8a5ac0b7 + checksum/synchronizer-configmap: 2ab60c33d0833338d971786cb779679455f5fa0ca12bee84f0aecb995a8a2e79 + labels: + app: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: synchronizer + helm.sh/chart: kubescape-operator-1.16.4 + otel: enabled + tier: ks-control-plane + spec: + automountServiceAccountToken: true + containers: + - command: + - /usr/bin/client + env: + - name: GOMEMLIMIT + value: 250MiB + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: ACCOUNT_ID + valueFrom: + 
secretKeyRef: + key: account + name: cloud-secret + - name: OTEL_COLLECTOR_SVC + value: otel-collector:4317 + image: quay.io/kubescape/synchronizer:v0.0.17 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 7888 + initialDelaySeconds: 3 + periodSeconds: 3 + name: synchronizer + resources: + limits: + cpu: 200m + memory: 500Mi + requests: + cpu: 100m + memory: 250Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/services.json + name: ks-cloud-config + readOnly: true + subPath: services.json + - mountPath: /etc/config/config.json + name: config + readOnly: true + subPath: config.json + - mountPath: /etc/ssl/certs/proxy.crt + name: proxy-secret + subPath: proxy.crt + securityContext: + fsGroup: 65532 + runAsUser: 65532 + serviceAccountName: synchronizer + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - name: proxy-secret + secret: + secretName: kubescape-proxy-certificate + - configMap: + items: + - key: clusterData + path: clusterData.json + - key: services + path: services.json + name: ks-cloud-config + name: ks-cloud-config + - configMap: + items: + - key: config.json + path: config.json + name: synchronizer + name: config + 80: | + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + labels: + app: synchronizer + tier: ks-control-plane + name: synchronizer + namespace: kubescape + spec: + egress: + - ports: + - port: 8443 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: synchronizer + tier: ks-control-plane + policyTypes: + - Ingress + - Egress + 81: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + 
labels: + app: synchronizer + name: synchronizer + namespace: kubescape diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index 96bd9c24..5894a084 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml +++ b/charts/kubescape-operator/tests/snapshot_test.yaml @@ -9,8 +9,16 @@ tests: set: account: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0 capabilities: + configurationScan: enable + continuousScan: enable + nodeScan: enable + vulnerabilityScan: enable relevancy: enable + vexGeneration: enable + runtimeObservability: enable + networkPolicyService: enable autoUpgrading: enable + synchronizer: enable server: api.armosec.io configurations.otelUrl: "otelCollector:4317" clusterName: kind-kind diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index 3528589b..f5fc6ad3 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -32,6 +32,7 @@ capabilities: # matching docs before enabling. autoUpgrading: disable + synchronizer: disable # networkGenerator: disable # seccompGenerator: disable @@ -580,7 +581,7 @@ nodeAgent: name: node-agent image: repository: quay.io/kubescape/node-agent - tag: v0.1.121 + tag: v0.1.128 pullPolicy: IfNotPresent config: @@ -691,6 +692,20 @@ serviceDiscovery: cpu: 100m memory: 50Mi +synchronizer: + name: synchronizer + image: + repository: quay.io/kubescape/synchronizer + tag: v0.0.17 + pullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + cpu: 200m + memory: 500Mi + # Configures the Helm Release Upgrader helmReleaseUpgrader: name: "helm-release-upgrader"
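Review bot: The new `synchronizer:` block in values.yaml has no heading comment, unlike the neighbouring `# Configures the Helm Release Upgrader` stanza; add `# Configures the synchronizer client` above it. The capability switch `synchronizer: disable` would also benefit from a short comment noting that, per `components.synchronizer.enabled` in _helpers.tpl, it only takes effect when submission is enabled, e.g. `# requires submit to be enabled`. The node-agent tag bump in the second hunk is unrelated to the synchronizer and would be easier to track as its own commit.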