diff --git a/charts/cluster-shield/Chart.yaml b/charts/cluster-shield/Chart.yaml
index 4ed2ea12c..851f758ab 100644
--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.7.1
-appVersion: "1.7.1"
+version: 1.8.0
+appVersion: "1.8.0"
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
diff --git a/charts/cluster-shield/templates/_helpers.tpl b/charts/cluster-shield/templates/_helpers.tpl
index a5d0b8da4..c4bd91800 100644
--- a/charts/cluster-shield/templates/_helpers.tpl
+++ b/charts/cluster-shield/templates/_helpers.tpl
@@ -60,7 +60,7 @@ Adds kubernetes related keys to the configuration.
 {{- $_ := set $conf "cluster_scanner" (merge (include "cluster-shield.configurationClusterScanner" . | fromYaml) (.Values.cluster_shield.cluster_scanner | default dict)) -}}
 {{- end -}}
 {{- if and (.Values.cluster_shield.features.admission_control.enabled) (.Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled)}}
-{{- $_ := set $conf "admission_controller_secure" (include "cluster-shield.configurationAdmissionControllerSecure" . | fromYaml) -}}
+{{- $_ := set $conf "admission_controller_secure" (merge (include "cluster-shield.configurationAdmissionControllerSecure" . | fromYaml) (.Values.cluster_shield.admission_controller_secure | default dict)) -}}
 {{- end}}
 {{- $_ := unset $conf.sysdig_endpoint "access_key" -}}
 {{- $_ := unset $conf.sysdig_endpoint "secure_api_token" -}}
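Review bot: In the added `set $conf "admission_controller_secure" (merge ...)` line, Sprig's `merge` gives precedence to its first argument, so the keys produced by `cluster-shield.configurationAdmissionControllerSecure` win and `.Values.cluster_shield.admission_controller_secure` can only add keys the chart does not generate; this mirrors the `cluster_scanner` line above, so it looks intended, but a reader will expect user values to override. A one-line comment would settle it: `{{- /* user-supplied keys fill gaps only; generated keys win (sprig merge precedence) */ -}}`. I cannot see whether `values.schema.json` already declares `cluster_shield.admission_controller_secure`; the schema hunks in this commit do not add it, and without an entry carrying `additionalProperties: false` a mistyped key is passed straight into the rendered config. The enclosing define starts before and ends after this hunk.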
@@ -150,9 +150,11 @@ Cluster Scanner Lock Name
 {{/*
 Cluster Scanner Service Name
+As per DNS naming spec, the length of a service name should be less than 63 characters;
+so we truncate the fullname to 47 characters since we append "-cluster-scanner" to it.
 */}}
 {{- define "cluster-shield.clusterScannerServiceName" -}}
- {{- include "cluster-shield.fullname" . -}}-cluster-scanner
+ {{- (include "cluster-shield.fullname" .) | trunc 47 -}}-cluster-scanner
 {{- end }}
 {{/*
diff --git a/charts/cluster-shield/templates/clusterrole.yaml b/charts/cluster-shield/templates/clusterrole.yaml
index 9d7310365..ceeade2e2 100644
--- a/charts/cluster-shield/templates/clusterrole.yaml
+++ b/charts/cluster-shield/templates/clusterrole.yaml
@@ -92,7 +92,7 @@ rules:
 - secrets
 verbs: ["get", "list", "watch"]
 {{- end }}
-{{- if .Values.cluster_shield.features.kubernetes_metadata.enabled }}
+{{- if or .Values.cluster_shield.features.kubernetes_metadata.enabled (dig "investigations" "network_security" "enabled" false .Values.cluster_shield.features) }}
 - apiGroups:
 - ""
 resources:
@@ -143,6 +143,7 @@ rules:
 - networking.k8s.io
 resources:
 - ingresses
+ - networkpolicies
 verbs:
 - get
 - list
diff --git a/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml b/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
index d70c23a6a..c1c7e2534 100644
--- a/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
+++ b/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
@@ -10,7 +10,7 @@ so the template is executed just once
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
- name: {{ include "cluster-shield.fullname" . }}-audit
+ name: {{ include "cluster-shield.fullname" . }}
 webhooks:
 {{- if .Values.cluster_shield.features.audit.enabled }}
 - name: audit.secure.sysdig.com
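Review bot: The new comment says a service name "should be less than 63 characters", but the code produces names of up to exactly 63: `trunc 47` plus the 16-character suffix `-cluster-scanner`, which is the DNS-1035 label limit a Service name must satisfy (at most 63), so the comment should read `the length of a service name must be at most 63 characters`. A truncated fullname can end in `-`, giving a `--cluster-scanner` name; that is still a valid label, but if you want the conventional Helm shape, `(include "cluster-shield.fullname" .) | trunc 47 | trimSuffix "-"` avoids it. I cannot tell from here whether `cluster-shield.fullname` is already bounded, so the truncation remains the right safeguard either way.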
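Review bot: The widened `{{- if or ... }}` grants the network security feature every rule in the `kubernetes_metadata` block (core resources, apps, batch and the rest, down to the matching `{{- end }}` that lies outside this hunk), whereas the second hunk of this file adds only `networkpolicies`. If `investigations.network_security` needs just the networking.k8s.io rule, guarding that rule separately keeps the ClusterRole closer to least privilege; if it genuinely needs the whole metadata set, a comment above the condition, `{{- /* network security reads the same metadata resources */ -}}`, would stop the next reviewer from narrowing it. The two flags are also read inconsistently, `kubernetes_metadata.enabled` by direct path and the new flag through `dig` with a `false` default; reading both the same way would be clearer.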
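Review bot: Dropping the `-audit` suffix renames a cluster-scoped ValidatingWebhookConfiguration, which a `helm upgrade` reconciles by creating the new object and deleting the old one, so anything that references the old name (alerts, audit queries, GitOps policies, runbooks) breaks, and an unrelated object already named with the bare fullname would make the upgrade fail on ownership. Depending on the order Helm applies the create and the delete there is a window with either two webhook objects or none, which matters if the webhooks' `failurePolicy` is `Fail` or if the audit webhook is relied on for continuous coverage; I cannot see those settings from this hunk. The version bump to 1.8.0 in this diff carries no upgrade note; I would add a template comment above `metadata:`, `{{- /* renamed from <fullname>-audit in 1.8.0 */ -}}`, and a release note telling operators to expect the rename.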
diff --git a/charts/cluster-shield/tests/clusterrole_test.yaml b/charts/cluster-shield/tests/clusterrole_test.yaml
new file mode 100644
index 000000000..8481ef024
--- /dev/null
+++ b/charts/cluster-shield/tests/clusterrole_test.yaml
@@ -0,0 +1,169 @@
+suite: Test ClusterRole
+templates:
+ - templates/clusterrole.yaml
+values:
+ - ../ci/base-values.yaml
+release:
+ name: shield-release
+ namespace: shield-namespace
+tests:
+ - it: Test kubernetes_metadata enabled
+ set:
+ cluster_shield:
+ features:
+ kubernetes_metadata:
+ enabled: true
+ asserts:
+ - isKind:
+ of: ClusterRole
+ - isAPIVersion:
+ of: rbac.authorization.k8s.io/v1
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ - replicationcontrollers
+ - services
+ - events
+ - limitranges
+ - namespaces
+ - nodes
+ - resourcequotas
+ - persistentvolumes
+ - persistentvolumeclaims
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - it: Test network_security enabled
+ set:
+ cluster_shield:
+ features:
+ investigations:
+ network_security:
+ enabled: true
+ asserts:
+ - isKind:
+ of: ClusterRole
+ - isAPIVersion:
+ of: rbac.authorization.k8s.io/v1
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/charts/cluster-shield/tests/validatingwebhookconfiguration_existing_secret_test.yaml b/charts/cluster-shield/tests/validatingwebhookconfiguration_existing_secret_test.yaml
index 771d6d71a..5d137d517 100644
--- a/charts/cluster-shield/tests/validatingwebhookconfiguration_existing_secret_test.yaml
+++ b/charts/cluster-shield/tests/validatingwebhookconfiguration_existing_secret_test.yaml
@@ -56,7 +56,7 @@ tests:
 - containsDocument:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 documentIndex: 0
 - containsDocument:
 kind: Secret
@@ -106,7 +106,7 @@ tests:
 - containsDocument:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - containsDocument:
 kind: Secret
 apiVersion: v1
@@ -140,7 +140,7 @@ tests:
 - containsDocument:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - containsDocument:
 kind: Secret
 apiVersion: v1
diff --git a/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml b/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml
index 3e09b91c9..945aa7394 100644
--- a/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml
+++ b/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml
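Review bot: The `Test network_security enabled` case sets only `investigations.network_security.enabled: true`, so whether it exercises the new `or` branch of the ClusterRole template depends on what `../ci/base-values.yaml` sets for `kubernetes_metadata.enabled`, which is not visible here; if that default is true the assertion passes even with the new condition removed. Pin it by adding `kubernetes_metadata: {enabled: false}` to the case's `set:`, and add a third case with both flags false asserting that the `networking.k8s.io` rule is absent (`contains` with `not: true`, as the webhook tests in this commit already use for `containsDocument`). Both cases only check that expected rules are present, never that nothing extra is granted, so a change that widens the ClusterRole would still pass.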
@@ -34,7 +34,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - notExists:
 path: metadata.namespace
 - exists:
@@ -83,7 +83,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - notExists:
 path: metadata.namespace
 - exists:
@@ -119,7 +119,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - exists:
 path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
 - notExists:
@@ -160,7 +160,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - exists:
 path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
 - exists:
@@ -263,7 +263,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - exists:
 path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
 - exists:
@@ -336,7 +336,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 not: true
 - isNotNullOrEmpty:
 path: data["tls.crt"]
@@ -364,7 +364,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - exists:
 path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
 - exists:
@@ -398,7 +398,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - exists:
 path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
 - exists:
@@ -427,7 +427,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - exists:
 path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
 - exists:
@@ -490,7 +490,7 @@ tests:
 - containsDocument:
 kind: ValidatingWebhookConfiguration
 apiVersion: admissionregistration.k8s.io/v1
- name: shield-release-cluster-shield-audit
+ name: shield-release-cluster-shield
 - exists:
 path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
 - exists:
diff --git a/charts/cluster-shield/values.schema.json b/charts/cluster-shield/values.schema.json
index c16e70e8c..b42f692a3 100644
--- a/charts/cluster-shield/values.schema.json
+++ b/charts/cluster-shield/values.schema.json
@@ -790,6 +790,30 @@
 "local_cluster": {
 "$ref": "#/$defs/ClusterShieldConfiguration/$defs/ContainerVulnerabilityManagementLocal"
 },
+ "filters": {
+ "type": "object",
+ "description": "Filters to apply to the images to scan",
+ "properties": {
+ "rules": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/ClusterShieldConfiguration/$defs/ContainerVulnerabilityManagementFilter"
+ },
+ "examples": [
+ [
+ {
+ "type": "include",
+ "field": "k8s.container.image",
+ "value": "docker.io*"
+ },
+ {
+ "type": "exclude"
+ }
+ ]
+ ]
+ }
+ }
+ },
 "parallel_files_analysis_count": {
 "type": "integer",
 "description": "Maximum number of files that are analyzed in parallel",
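Review bot: The new `filters` object declares `properties` but not `"additionalProperties": false`, unlike the definitions elsewhere in this file (see the `"additionalProperties": false` context at the start of the next hunk), so a misspelled key such as `rule:` or a `rules` list placed one level too high validates and the filter silently never applies; for a setting that decides which images are excluded from vulnerability scanning, silent non-application is the failure mode worth closing. Add `"additionalProperties": false` after the `properties` block of `filters`. The example `{"type": "exclude"}` with no `field` or `value` is schema-valid because only `type` is required, but the hunk gives no hint what such a rule matches; either require `field` and `value` in the filter definition or state the default in the `description`.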
@@ -804,6 +828,11 @@
 "type": "integer",
 "description": "Maximum size in bytes for a file to be analyzed in memory; file whose size is bigger than this are temporarily copied on to the filesystem",
 "default": 26214400
+ },
+ "memory_optimized_k8s_mode": {
+ "type": "boolean",
+ "description": "Enable memory-optimized access to Kubernetes API. Enabled by default, queries K8s using the Metadata API for all resources but Pods. Set this to false if you need to see the replicas counters, but it will require more memory.",
+ "default": true
 }
 },
 "required": [
@@ -882,6 +911,43 @@
 ],
 "additionalProperties": false
 },
+ "ContainerVulnerabilityManagementFilter": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum": [
+ "include",
+ "exclude"
+ ]
+ },
+ "field": {
+ "enum": [
+ "k8s.container.image"
+ ],
+ "description": "The field to run the filter against"
+ },
+ "value": {
+ "type": "string",
+ "description": "The value to run the filter against",
+ "examples": [
+ "docker.io*",
+ "cd.docker-registry.corp.yahoo.co.jp:4443*",
+ "library*"
+ ]
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "examples": [
+ {
+ "type": "include",
+ "field": "docker.io*",
+ "value": "k8s.container.image"
+ }
+ ],
+ "additionalProperties": false
+ },
 "Kubernetes": {
 "type": "object",
 "properties": {
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index 4a9a974fb..8b304cb3e 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.75.1
+version: 1.76.0
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -60,6 +60,6 @@ dependencies:
 - name: cluster-shield
 # repository: https://charts.sysdig.com
 repository: file://../cluster-shield
- version: ~1.7.1
+ version: ~1.8.0
 alias: clusterShield
 condition: clusterShield.enabled
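Review bot: The `examples` entry at the end of the new `ContainerVulnerabilityManagementFilter` definition has its values swapped: `"field": "docker.io*"` is not a member of the `field` enum, whose only value is `k8s.container.image`, and `"value": "k8s.container.image"` is the field name, so the example does not validate against its own schema and should be `"field": "k8s.container.image", "value": "docker.io*"`, matching the per-property examples above it. The `value` examples also include what looks like a real corporate registry hostname, `cd.docker-registry.corp.yahoo.co.jp:4443*`; a neutral `registry.example.com:5000*` reads better in a published schema. The examples use `*` but the `value` description does not say what pattern syntax is accepted, and a filter written in the wrong syntax silently scans or skips the wrong images, so a sentence such as `Pattern matched against the field; '*' matches any suffix` (confirm against the actual matcher) belongs in that description.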