From 8011e77f744584a1381a819255a18313206ffd11 Mon Sep 17 00:00:00 2001 From: Yariv Freifeld Date: Sun, 29 Sep 2024 09:41:42 +0300 Subject: [PATCH 01/11] adding aqua home volume --- gateway/templates/gate-deployment.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/gateway/templates/gate-deployment.yaml b/gateway/templates/gate-deployment.yaml index aff83c90..f1886f27 100644 --- a/gateway/templates/gate-deployment.yaml +++ b/gateway/templates/gate-deployment.yaml @@ -123,6 +123,9 @@ spec: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: + - name: aqua-home + mountPath: /home/aqua + readOnly: false {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} @@ -151,6 +154,8 @@ spec: {{ toYaml .Values.tolerations | indent 6 }} {{- end }} volumes: + - name: aqua-home + emptyDir: {} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} From 447dc9b2669b05ff577fe067f1f47f76e65cfa09 Mon Sep 17 00:00:00 2001 From: Yariv Freifeld Date: Sun, 29 Sep 2024 14:56:11 +0300 Subject: [PATCH 02/11] remove emptydi --- gateway/templates/gate-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gateway/templates/gate-deployment.yaml b/gateway/templates/gate-deployment.yaml index f1886f27..adc9443a 100644 --- a/gateway/templates/gate-deployment.yaml +++ b/gateway/templates/gate-deployment.yaml @@ -155,7 +155,7 @@ spec: {{- end }} volumes: - name: aqua-home - emptyDir: {} + {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} From 94d68f659b9e5e0692f36dd8a17f77ead3d4a2ee Mon Sep 17 00:00:00 2001 From: Yariv Freifeld Date: Sun, 29 Sep 2024 16:44:45 +0300 Subject: [PATCH 03/11] addint volume --- gateway/templates/gate-deployment.yaml | 2 +- server/templates/web-deployment.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/gateway/templates/gate-deployment.yaml b/gateway/templates/gate-deployment.yaml index adc9443a..e7d0bc62 100644 
--- a/gateway/templates/gate-deployment.yaml +++ b/gateway/templates/gate-deployment.yaml @@ -125,7 +125,6 @@ spec: volumeMounts: - name: aqua-home mountPath: /home/aqua - readOnly: false {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} @@ -155,6 +154,7 @@ spec: {{- end }} volumes: - name: aqua-home + emptyDir: {} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} diff --git a/server/templates/web-deployment.yaml b/server/templates/web-deployment.yaml index c22abce6..38e86c8d 100644 --- a/server/templates/web-deployment.yaml +++ b/server/templates/web-deployment.yaml @@ -154,6 +154,8 @@ spec: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: + - name: aqua-home + mountPath: /home/aqua {{- with .Values.web.extraVolumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} @@ -194,6 +196,8 @@ spec: {{ toYaml . | nindent 6 }} {{- end }} volumes: + - name: aqua-home + emptyDir: {} {{- with .Values.web.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} From 1c4948f7bba5f53faf00d1d1901665d4fe052203 Mon Sep 17 00:00:00 2001 From: seanposner Date: Mon, 30 Sep 2024 17:02:43 +0300 Subject: [PATCH 04/11] Adding logic for volume creation based on FS type --- gateway/templates/gate-deployment.yaml | 8 ++++++-- server/templates/web-deployment.yaml | 8 ++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/gateway/templates/gate-deployment.yaml b/gateway/templates/gate-deployment.yaml index e7d0bc62..c544dd62 100644 --- a/gateway/templates/gate-deployment.yaml +++ b/gateway/templates/gate-deployment.yaml @@ -123,8 +123,11 @@ spec: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: + {{- if eq .Values.rbac.readOnlyRootFilesystem "true"}} - name: aqua-home - mountPath: /home/aqua + mountPath: /home/aqua/data/ + readOnly: false + {{- end }} {{- with .Values.extraVolumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} 
@@ -153,8 +156,9 @@ spec: {{ toYaml .Values.tolerations | indent 6 }} {{- end }} volumes: + {{- if eq .Values.rbac.readOnlyRootFilesystem "true"}} - name: aqua-home - emptyDir: {} + {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} diff --git a/server/templates/web-deployment.yaml b/server/templates/web-deployment.yaml index 38e86c8d..a6997073 100644 --- a/server/templates/web-deployment.yaml +++ b/server/templates/web-deployment.yaml @@ -173,6 +173,11 @@ spec: mountPath: /etc/ext_db_certs/ readOnly: true {{- end }} + {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem "true"}} + - name: aqua-home + mountPath: /home/aqua/data/ + readOnly: false + {{- end }} {{- include "server.additionalCertVolumeMounts" .Values | nindent 8 }} resources: {{ toYaml .Values.web.resources | indent 12 }} @@ -206,6 +211,9 @@ spec: hostPath: path: {{ .Values.dockerSock.path }} {{- end }} + {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem "true"}} + - name: aqua-home + {{- end }} {{- if .Values.web.TLS.enabled }} - name: certs secret: From 72ec25ed3ac0da407709fac38c55504d4f213bcb Mon Sep 17 00:00:00 2001 From: seanposner Date: Mon, 30 Sep 2024 17:21:23 +0300 Subject: [PATCH 05/11] Removed equal detection --- gateway/templates/gate-deployment.yaml | 4 ++-- server/templates/web-deployment.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/gateway/templates/gate-deployment.yaml b/gateway/templates/gate-deployment.yaml index c544dd62..24eede35 100644 --- a/gateway/templates/gate-deployment.yaml +++ b/gateway/templates/gate-deployment.yaml @@ -123,7 +123,7 @@ spec: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: - {{- if eq .Values.rbac.readOnlyRootFilesystem "true"}} + {{- if eq .Values.rbac.readOnlyRootFilesystem }} - name: aqua-home mountPath: /home/aqua/data/ readOnly: false 
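Review bot: In the server/templates/web-deployment.yaml volumeMounts hunk the console container's writable `/home/aqua/data` is gated on `.Values.gateway.rbac.readOnlyRootFilesystem`, a gateway-scoped key, while gate-deployment.yaml gates the same volume on `.Values.rbac.readOnlyRootFilesystem`; a reader of the web deployment will not expect the console's own mount to follow a gateway flag. Later in the series the same `gateway.rbac.*` keys also drive server/templates/openshift-scc.yaml, so the key appears to act as the server chart's chart-wide read-only-root-filesystem toggle, but nothing in the template says so. A template comment above the `{{- if }}` would make the coupling explicit, e.g. `{{- /* gateway.rbac.readOnlyRootFilesystem is the chart-wide RO root-fs toggle (also used by openshift-scc.yaml); the console needs a writable /home/aqua/data when it is on */ -}}`. The same coupling is repeated in the matching volumes hunk of this patch and in the later web-deployment hunks of patches 05 through 08, so one comment at the first site covers them.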
@@ -156,7 +156,7 @@ spec: {{ toYaml .Values.tolerations | indent 6 }} {{- end }} volumes: - {{- if eq .Values.rbac.readOnlyRootFilesystem "true"}} + {{- if eq .Values.rbac.readOnlyRootFilesystem }} - name: aqua-home {{- end }} diff --git a/server/templates/web-deployment.yaml b/server/templates/web-deployment.yaml index a6997073..89ca8dc6 100644 --- a/server/templates/web-deployment.yaml +++ b/server/templates/web-deployment.yaml @@ -173,7 +173,7 @@ spec: mountPath: /etc/ext_db_certs/ readOnly: true {{- end }} - {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem "true"}} + {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem }} - name: aqua-home mountPath: /home/aqua/data/ readOnly: false @@ -211,7 +211,7 @@ spec: hostPath: path: {{ .Values.dockerSock.path }} {{- end }} - {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem "true"}} + {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem }} - name: aqua-home {{- end }} {{- if .Values.web.TLS.enabled }} From fcb87a20e57b4034ba01ef4a75bf20837906f235 Mon Sep 17 00:00:00 2001 From: seanposner Date: Mon, 30 Sep 2024 17:47:48 +0300 Subject: [PATCH 06/11] Removed equal detection --- gateway/templates/gate-deployment.yaml | 4 ++-- server/templates/web-deployment.yaml | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/gateway/templates/gate-deployment.yaml b/gateway/templates/gate-deployment.yaml index 24eede35..a3cee96f 100644 --- a/gateway/templates/gate-deployment.yaml +++ b/gateway/templates/gate-deployment.yaml @@ -123,7 +123,7 @@ spec: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: - {{- if eq .Values.rbac.readOnlyRootFilesystem }} + {{- if .Values.rbac.readOnlyRootFilesystem }} - name: aqua-home mountPath: /home/aqua/data/ readOnly: false @@ -156,7 +156,7 @@ spec: {{ toYaml .Values.tolerations | indent 6 }} {{- end }} volumes: - {{- if eq .Values.rbac.readOnlyRootFilesystem }} + {{- if .Values.rbac.readOnlyRootFilesystem }} - name: aqua-home {{- end }} 
diff --git a/server/templates/web-deployment.yaml b/server/templates/web-deployment.yaml index 89ca8dc6..39fb659a 100644 --- a/server/templates/web-deployment.yaml +++ b/server/templates/web-deployment.yaml @@ -173,7 +173,7 @@ spec: mountPath: /etc/ext_db_certs/ readOnly: true {{- end }} - {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem }} + {{- if .Values.gateway.rbac.readOnlyRootFilesystem }} - name: aqua-home mountPath: /home/aqua/data/ readOnly: false @@ -201,8 +201,6 @@ spec: {{ toYaml . | nindent 6 }} {{- end }} volumes: - - name: aqua-home - emptyDir: {} {{- with .Values.web.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} @@ -211,7 +209,7 @@ spec: hostPath: path: {{ .Values.dockerSock.path }} {{- end }} - {{- if eq .Values.gateway.rbac.readOnlyRootFilesystem }} + {{- if .Values.gateway.rbac.readOnlyRootFilesystem }} - name: aqua-home {{- end }} {{- if .Values.web.TLS.enabled }} From 7eaf64d682fc0093222005f8b22c2677f7d2bb6d Mon Sep 17 00:00:00 2001 From: seanposner Date: Tue, 1 Oct 2024 08:36:52 +0300 Subject: [PATCH 07/11] Adding emptyDir --- gateway/templates/gate-deployment.yaml | 1 + server/templates/web-deployment.yaml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/gateway/templates/gate-deployment.yaml b/gateway/templates/gate-deployment.yaml index a3cee96f..14fc030b 100644 --- a/gateway/templates/gate-deployment.yaml +++ b/gateway/templates/gate-deployment.yaml @@ -158,6 +158,7 @@ spec: volumes: {{- if .Values.rbac.readOnlyRootFilesystem }} - name: aqua-home + emptyDir: {} {{- end }} {{- with .Values.extraVolumes }} diff --git a/server/templates/web-deployment.yaml b/server/templates/web-deployment.yaml index 39fb659a..8978a726 100644 --- a/server/templates/web-deployment.yaml +++ b/server/templates/web-deployment.yaml 
@@ -155,7 +155,7 @@ spec: {{- end }} volumeMounts: - name: aqua-home - mountPath: /home/aqua + mountPath: /home/aqua/data {{- with .Values.web.extraVolumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} @@ -175,7 +175,7 @@ spec: {{- end }} {{- if .Values.gateway.rbac.readOnlyRootFilesystem }} - name: aqua-home - mountPath: /home/aqua/data/ + mountPath: /home/aqua/data readOnly: false {{- end }} {{- include "server.additionalCertVolumeMounts" .Values | nindent 8 }} @@ -211,6 +211,7 @@ spec: {{- end }} {{- if .Values.gateway.rbac.readOnlyRootFilesystem }} - name: aqua-home + emptyDir: {} {{- end }} {{- if .Values.web.TLS.enabled }} - name: certs From dbcd3373304255363b586081e28d146e17d1b349 Mon Sep 17 00:00:00 2001 From: seanposner Date: Tue, 1 Oct 2024 08:43:29 +0300 Subject: [PATCH 08/11] Updates --- server/templates/web-deployment.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/server/templates/web-deployment.yaml b/server/templates/web-deployment.yaml index 8978a726..26e5d16d 100644 --- a/server/templates/web-deployment.yaml +++ b/server/templates/web-deployment.yaml @@ -154,8 +154,6 @@ spec: {{ toYaml . | indent 10 }} {{- end }} volumeMounts: - - name: aqua-home - mountPath: /home/aqua/data {{- with .Values.web.extraVolumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} From 4227f2df4f999848a70cd90205ff472fe66d695c Mon Sep 17 00:00:00 2001 From: seanposner Date: Mon, 7 Oct 2024 09:52:08 +0300 Subject: [PATCH 09/11] Added new values to support RBAC changes --- gateway/values.yaml | 4 ++++ server/values.yaml | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/gateway/values.yaml b/gateway/values.yaml index 1a82a522..cbd00a4f 100644 --- a/gateway/values.yaml +++ b/gateway/values.yaml 
@@ -8,6 +8,10 @@ imageCredentials: password: "" rbac: + enabled: false + allowPrivilegeEscalation: false + allowPrivilegedContainer: false + readOnlyRootFilesystem: true # Use volume mount to set R/O filesystem create: false # Enable to create RBAC for gateway chart, when deploying Gateway only clusterRole: diff --git a/server/values.yaml b/server/values.yaml index be7c5e7f..34032273 100644 --- a/server/values.yaml +++ b/server/values.yaml @@ -39,7 +39,6 @@ activeactive: "" vaultSecret: enabled: false # Enable to true once you have secrets in vault and annotations are enabled to load admin and db passwords from vault vaultFilepath: "" # Change the path to "/vault/secrets/" as per the setup - # Add hashicorp Vault annotations to enable sidecar/init-container vault agent to load admin and db passwords # example annotations for self-hosted vault server: vaultAnnotations: @@ -225,6 +224,9 @@ gateway: registry: "registry.aquasec.com" rbac: enabled: false + allowPrivilegeEscalation: false + allowPrivilegedContainer: false + readOnlyRootFilesystem: true # Use volume mount to set R/O filesystem clusterRole: roleRef: "" platform: From ed84239b8039b7471e970d8e7aeb11e6ce3a732d Mon Sep 17 00:00:00 2001 From: seanposner Date: Mon, 7 Oct 2024 13:45:05 +0300 Subject: [PATCH 10/11] Added changelog updates and finalising development --- README.md | 6 +++--- gateway/CHANGELOG.md | 8 +++++++- gateway/Chart.yaml | 2 +- server/CHANGELOG.md | 5 +++++ server/Chart.yaml | 4 ++-- server/templates/openshift-scc.yaml | 6 +++--- 6 files changed, 21 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 7451d938..c91a3dd8 100644 --- a/README.md +++ b/README.md 
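Review bot: The inline comment `# Use volume mount to set R/O filesystem` on `readOnlyRootFilesystem: true` overstates what this series does with the key: the only template change gated on it is the emptyDir mounted at `/home/aqua/data` in gate-deployment.yaml, and no hunk here sets the container's `securityContext.readOnlyRootFilesystem` from it, so unless that wiring exists elsewhere in the chart the default `true` merely adds a writable scratch directory without making the root filesystem read-only. A comment that states the actual contract would be clearer, e.g. `readOnlyRootFilesystem: true # Mounts an emptyDir at /home/aqua/data so the gateway can run with a read-only root filesystem; the SCC / securityContext must enforce it`. `allowPrivilegeEscalation` and `allowPrivilegedContainer` are added to the gateway chart's values but no gateway template in this series reads them (only server/templates/openshift-scc.yaml reads the `gateway.rbac.*` copies), and the new `enabled: false` sits next to the existing `create: false` with no comment distinguishing the two toggles. In the server/values.yaml hunk of the same patch the `# Add hashicorp Vault annotations…` comment line is deleted, which looks unrelated to the RBAC change and should probably be kept.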
@@ -27,7 +27,7 @@ This repository includes the following charts; they can be deployed separately: | Chart | Description | Latest Chart Version | |-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------| -| [Server](server/) | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component | 2022.4.26 | +| [Server](server/) | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component | 2022.4.27 | | [Enforcer](enforcer/) | Deploys the Aqua Enforcer daemonset | 2022.4.21 | | [Scanner](scanner/) | Deploys the Aqua Scanner deployment | 2022.4.8 | | [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.47 | @@ -82,9 +82,9 @@ aqua-helm/cloud-connector 2022.4.4 2022.4 A Helm chart for aqua-helm/cyber-center 2022.4.6 2022.4 A Helm chart for Aqua CyberCenter aqua-helm/enforcer 2022.4.23 2022.4 A Helm chart for the Aqua Enforcer aqua-helm/kube-enforcer 2022.4.48 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard -aqua-helm/gateway 2022.4.14 2022.4 A Helm chart for the Aqua Gateway +aqua-helm/gateway 2022.4.15 2022.4 A Helm chart for the Aqua Gateway aqua-helm/scanner 2022.4.8 2022.4 A Helm chart for the Aqua Scanner CLI component -aqua-helm/server 2022.4.26 2022.4 A Helm chart for the Aqua Console components +aqua-helm/server 2022.4.27 2022.4 A Helm chart for the Aqua Console components aqua-helm/tenant-manager 2022.4.1 2022.4 A Helm chart for the Aqua Tenant Manager ``` diff --git a/gateway/CHANGELOG.md b/gateway/CHANGELOG.md index 0c1b7f46..3d1144a1 100644 --- a/gateway/CHANGELOG.md +++ b/gateway/CHANGELOG.md 
@@ -1,10 +1,16 @@ # Changelog All notable changes to this project will be documented in this file. +## 2022.4.15 (Oct 8th, 2024) +* add configurable allowPrivilegeEscalation, allowPrivilegedContainer, readOnlyRootFilesystem +* defaults stayed the same + +## 2022.4.14 (Mar 20th, 2024) +* Added extra volume mounts + ## 2022.4.13 (Dec 26th, 2023) * Added the ability to specify the API version for the PodDisruptionBudget - ## 2022.4.12 (Apr 10th, 2023) * Change standard name for gateway serviceaccount - PR[#725](https://github.com/aquasecurity/aqua-helm/pull/725) diff --git a/gateway/Chart.yaml b/gateway/Chart.yaml index 258fd859..60ca14fe 100644 --- a/gateway/Chart.yaml +++ b/gateway/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "2022.4" description: A Helm chart for the Aqua Gateway name: gateway -version: "2022.4.14" +version: "2022.4.15" icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4 home: https://www.aquasec.com/ maintainers: diff --git a/server/CHANGELOG.md b/server/CHANGELOG.md index 00ad3f4e..43f94519 100644 --- a/server/CHANGELOG.md +++ b/server/CHANGELOG.md @@ -1,6 +1,11 @@ # Changelog All notable changes to this project will be documented in this file. +## 2022.4.27 (Oct 8st, 2024) +* add configurable allowPrivilegeEscalation, allowPrivilegedContainer, readOnlyRootFilesystem +* defaults stayed the same +* Changed gateway chart version + ## 2022.4.26 (Jul 29th, 2024) * Fix 'volumes' & 'volumeMounts' indentation in job-check-db-upgrade job (SLK-83783) * Add AQUA_PUBSUB_DBPASSWORD env variable in job-check-db-upgrade job (SLK-84299) diff --git a/server/Chart.yaml b/server/Chart.yaml index c69fb622..9e998603 100644 --- a/server/Chart.yaml +++ b/server/Chart.yaml 
@@ -2,10 +2,10 @@ apiVersion: v2 appVersion: "2022.4" description: A Helm chart for the Aqua Console components name: server -version: "2022.4.26" +version: "2022.4.27" dependencies: - name: gateway - version: "2022.4.13" + version: "2022.4.15" repository: "https://helm.aquasec.com" condition: gateway.enabled icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4 diff --git a/server/templates/openshift-scc.yaml b/server/templates/openshift-scc.yaml index 0f45ad9f..3c6a0bce 100644 --- a/server/templates/openshift-scc.yaml +++ b/server/templates/openshift-scc.yaml @@ -19,8 +19,8 @@ allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false -allowPrivilegeEscalation: false -allowPrivilegedContainer: false +allowPrivilegeEscalation: {{ .Values.gateway.rbac.allowPrivilegeEscalation | default false }} +allowPrivilegedContainer: {{ .Values.gateway.rbac.allowPrivilegedContainer | default false }} apiVersion: security.openshift.io/v1 defaultAddCapabilities: null fsGroup: @@ -36,7 +36,7 @@ metadata: release.openshift.io/create-only: "true" name: {{ .Release.Name }}-scc priority: null -readOnlyRootFilesystem: false +readOnlyRootFilesystem: {{ .Values.gateway.rbac.readOnlyRootFilesystem | default false }} requiredDropCapabilities: null runAsUser: type: MustRunAsNonRoot From 4bd5f164474937714e70a60b847e04cb07e22975 Mon Sep 17 00:00:00 2001 From: seanposner Date: Mon, 7 Oct 2024 16:02:22 +0300 Subject: [PATCH 11/11] Dep version update --- server/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/Chart.yaml b/server/Chart.yaml index 9e998603..376e8f49 100644 --- a/server/Chart.yaml +++ b/server/Chart.yaml @@ -5,7 +5,7 @@ name: server version: "2022.4.27" dependencies: - name: gateway - version: "2022.4.15" + version: "2022.4.14" repository: "https://helm.aquasec.com" condition: gateway.enabled icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4
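Review bot: In the server/templates/openshift-scc.yaml hunk `readOnlyRootFilesystem` changes from a hard-coded `false` to `{{ .Values.gateway.rbac.readOnlyRootFilesystem | default false }}`, and server/values.yaml in patch 09 sets that key to `true`, so the effective default flips to an SCC that requires a read-only root filesystem for every pod it admits — which contradicts the "defaults stayed the same" line added to both CHANGELOGs in this patch. Only the gateway and web containers receive a writable `/home/aqua/data` in this series; any other container admitted under `{{ .Release.Name }}-scc` that writes to its root filesystem would start failing, though I cannot see from the hunk which workloads use this SCC. Either ship `readOnlyRootFilesystem: false` as the values default so the upgrade stays behaviour-neutral, or drop the "defaults stayed the same" wording and call out the new enforcement in the CHANGELOG. The `| default false` pipe is fine as written but is a no-op for an explicit `false`, since `default` treats `false` as empty.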
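Review bot: The final patch pins the server chart's gateway dependency back to `version: "2022.4.14"`, while gateway/Chart.yaml in patch 10 bumps the chart to 2022.4.15, the README table lists gateway 2022.4.15, and server/CHANGELOG.md says "Changed gateway chart version", so the series ends in an inconsistent state. The server chart passes `gateway.rbac.readOnlyRootFilesystem: true` to the subchart, but per the gate-deployment.yaml hunks the conditional aqua-home volume only exists in 2022.4.15, so a server-chart install would get the SCC enforcement from openshift-scc.yaml without the gateway's writable volume. If 2022.4.15 is simply not yet published at the repository in `repository:`, say so in the commit message and reconcile the README and CHANGELOG; otherwise restore `version: "2022.4.15"`.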