chore(shield): bump cluster-shield to v1.5.0 (#2016)
AlbertoBarba authored Nov 5, 2024
1 parent 2c34bb0 commit 1a9e6aa
Showing 10 changed files with 203 additions and 30 deletions.
2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
version: 0.1.13
version: 0.1.14
appVersion: "1.0.0"
3 changes: 2 additions & 1 deletion charts/shield/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ The following table lists the configurable parameters of the `shield` chart and
| features.detections.kubernetes_audit.timeout | The timeout for the audit feature | <code>10</code> |
| features.detections.kubernetes_audit.http_port | The port that will be used to expose the audit endpoints | <code>6443</code> |
| features.detections.kubernetes_audit.excluded_namespaces | The list of namespaces that will be excluded from the audit feature | <code>[]</code> |
| features.detections.kubernetes_audit.webhook_rules | List of rules used to determine if a request should be audited | <code>[{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]</code> |
| features.investigations.activity_audit.enabled | | <code>false</code> |
| features.investigations.live_logs.enabled | | <code>false</code> |
| features.investigations.network_security.enabled | | <code>false</code> |
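Review bot: The new `features.detections.kubernetes_audit.webhook_rules` row describes the value only as a "List of rules used to determine if a request should be audited" and does not say what shape an entry takes or what narrowing it costs. Suggest stating that each entry uses the keys shown in the default (`apiGroups`, `apiVersions`, `operations`, `resources`, `scope`), that the list is rendered as the webhook's `rules:`, and that removing API groups or operations from it removes those requests from audit detection.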
Expand Down Expand Up @@ -170,7 +171,7 @@ The following table lists the configurable parameters of the `shield` chart and
| host.volume_mounts | The custom volume mounts for the host shield | <code>[]</code> |
| cluster.image.registry | The registry where the cluster shield image is stored | <code>quay.io</code> |
| cluster.image.repository | The repository where the cluster shield image is stored | <code>sysdig/cluster-shield</code> |
| cluster.image.tag | The tag for the cluster shield image | <code>1.4.0</code> |
| cluster.image.tag | The tag for the cluster shield image | <code>1.5.0</code> |
| cluster.image.pull_policy | The pull policy for the cluster shield image | <code>IfNotPresent</code> |
| cluster.image.pull_secrets | The pull secrets for the cluster shield image | <code>[]</code> |
| cluster.run_mode | The mode in which the cluster shield should run (Accepted Values: single-process, multi-process) | <code>multi-process</code> |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -54,21 +54,9 @@ webhooks:
{{ end }}
matchPolicy: Equivalent
rules:
- apiGroups:
- ""
- apps
- autoscaling
- batch
- networking.k8s.io
- rbac.authorization.k8s.io
- extensions
apiVersions:
- '*'
operations:
- '*'
resources:
- '*/*'
scope: '*'
{{- with .Values.features.detections.kubernetes_audit.webhook_rules }}
{{- toYaml . | nindent 4 }}
{{- end }}
clientConfig:
service:
namespace: {{ .Release.Namespace }}
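Review bot: The `{{- with .Values.features.detections.kubernetes_audit.webhook_rules }}` guard under `rules:` renders nothing when the value is overridden with an empty list or null, which leaves a bare `rules:` key. A webhook without rules is not invoked for any request, so audit detection would stop with no error at install time. Suggest failing the render when the list is empty (for example with `required` or an explicit `fail`), or falling back to the previous hard-coded default. The list is also passed through `toYaml` with no validation, so it is worth a template comment that a narrowed list reduces audit coverage.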
Expand Down
17 changes: 17 additions & 0 deletions charts/shield/tests/cluster/configmap_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,22 @@ tests:
excluded_namespaces: \[\]
http_port: 6443
timeout: 10
webhook_rules:
- apiGroups:
- ""
- apps
- autoscaling
- batch
- networking.k8s.io
- rbac.authorization.k8s.io
- extensions
apiVersions:
- '\*'
operations:
- '\*'
resources:
- '\*/\*'
scope: '\*'
container_vulnerability_management:
enabled: false
in_use:
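Review bot: The added `webhook_rules` expectation only pins the default list in the rendered config, while the same value now also drives `rules:` in the webhook template. Unless a changed file not shown in these hunks already does so, add a case that sets a custom `features.detections.kubernetes_audit.webhook_rules` and asserts the webhook's rendered rules, plus a case for an empty list, so a regression in audit scope is caught by the suite.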
Expand Down Expand Up @@ -77,6 +93,7 @@ tests:
sysdig_endpoint:
api_url: https://fake.api.url.com
collector: fake.collector.host:6443
region: custom
- it: Sets NATS Url and Lock Name when Container Vulnerability Management is enabled
set:
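Review bot: The expected output under `sysdig_endpoint` gains `region: custom`, which the commit title (a cluster-shield version bump) does not mention. Please say in the commit message or changelog where this key comes from and whether it is emitted for every install or only when custom `api_url` and `collector` values like these are supplied.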
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ tests:
- lengthEqual:
path: spec.ports
count: 1
- isNotNull:
- isNotNullOrEmpty:
path: spec.ports[?(@.name == "nats")]
- equal:
path: spec.ports[?(@.name == "nats")].port
Expand Down Expand Up @@ -68,7 +68,7 @@ tests:
- lengthEqual:
path: spec.ports
count: 2
- isNotNull:
- isNotNullOrEmpty:
path: spec.ports[?(@.name == "nats")]
- equal:
path: spec.ports[?(@.name == "nats")].port
Expand All @@ -79,7 +79,7 @@ tests:
- equal:
path: spec.ports[?(@.name == "nats")].targetPort
value: cvm-nats
- isNotNull:
- isNotNullOrEmpty:
path: spec.ports[?(@.name == "grpc")]
- equal:
path: spec.ports[?(@.name == "grpc")].port
Expand Down
12 changes: 6 additions & 6 deletions charts/shield/tests/cluster/service_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ tests:
- equal:
path: spec.type
value: ClusterIP
- isNotNull:
- isNotNullOrEmpty:
path: .spec.ports[?(@.name == "monitoring")]
- equal:
path: spec.ports[?(@.name == "monitoring")].port
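Review bot: The `isNotNullOrEmpty` assertions in this file use a path with a leading dot (`.spec.ports[...]`), while the `equal` assertions directly after them use `spec.ports[...]` without one. Since every one of these assertions is being touched anyway, suggest normalising the six paths to the dot-less form used elsewhere in the tests so the existence check and the value check are guaranteed to address the same node.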
Expand Down Expand Up @@ -53,7 +53,7 @@ tests:
- equal:
path: spec.type
value: ClusterIP
- isNotNull:
- isNotNullOrEmpty:
path: .spec.ports[?(@.name == "monitoring")]
- equal:
path: spec.ports[?(@.name == "monitoring")].port
Expand Down Expand Up @@ -88,7 +88,7 @@ tests:
- equal:
path: spec.type
value: ClusterIP
- isNotNull:
- isNotNullOrEmpty:
path: .spec.ports[?(@.name == "audit")]
- equal:
path: spec.ports[?(@.name == "audit")].port
Expand Down Expand Up @@ -124,7 +124,7 @@ tests:
- equal:
path: spec.type
value: ClusterIP
- isNotNull:
- isNotNullOrEmpty:
path: .spec.ports[?(@.name == "audit")]
- equal:
path: spec.ports[?(@.name == "audit")].port
Expand Down Expand Up @@ -158,7 +158,7 @@ tests:
- equal:
path: spec.type
value: ClusterIP
- isNotNull:
- isNotNullOrEmpty:
path: .spec.ports[?(@.name == "ac")]
- equal:
path: spec.ports[?(@.name == "ac")].port
Expand Down Expand Up @@ -193,7 +193,7 @@ tests:
- equal:
path: spec.type
value: ClusterIP
- isNotNull:
- isNotNullOrEmpty:
path: .spec.ports[?(@.name == "ac")]
- equal:
path: spec.ports[?(@.name == "ac")].port
Expand Down