diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml index 39a61e101..96d9dff9c 100644 --- a/charts/shield/Chart.yaml +++ b/charts/shield/Chart.yaml @@ -13,5 +13,5 @@ maintainers: - name: mavimo email: marcovito.moscaritolo@sysdig.com type: application -version: 0.1.13 +version: 0.1.14 appVersion: "1.0.0" diff --git a/charts/shield/README.md b/charts/shield/README.md index 8ed270068..876e7be18 100644 --- a/charts/shield/README.md +++ b/charts/shield/README.md @@ -110,6 +110,7 @@ The following table lists the configurable parameters of the `shield` chart and | features.detections.kubernetes_audit.timeout | The timeout for the audit feature | 10 | | features.detections.kubernetes_audit.http_port | The port that will be used to expose the audit endpoints | 6443 | | features.detections.kubernetes_audit.excluded_namespaces | The list of namespaces that will be excluded from the audit feature | [] | +| features.detections.kubernetes_audit.webhook_rules | List of rules used to determine if a request should be audited | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}] | | features.investigations.activity_audit.enabled | | false | | features.investigations.live_logs.enabled | | false | | features.investigations.network_security.enabled | | false | 
@@ -170,7 +171,7 @@ The following table lists the configurable parameters of the `shield` chart and | host.volume_mounts | The custom volume mounts for the host shield | [] | | cluster.image.registry | The registry where the cluster shield image is stored | quay.io | | cluster.image.repository | The repository where the cluster shield image is stored | sysdig/cluster-shield | -| cluster.image.tag | The tag for the cluster shield image | 1.4.0 | +| cluster.image.tag | The tag for the cluster shield image | 1.5.0 | | cluster.image.pull_policy | The pull policy for the cluster shield image | IfNotPresent | | cluster.image.pull_secrets | The pull secrets for the cluster shield image | [] | | cluster.run_mode | The mode in which the cluster shield should run (Accepted Values: single-process, multi-process) | multi-process | diff --git a/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml b/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml index 4c93a92d6..fa9c02caf 100644 --- a/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml +++ b/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml @@ -54,21 +54,9 @@ webhooks: {{ end }} matchPolicy: Equivalent rules: - - apiGroups: - - "" - - apps - - autoscaling - - batch - - networking.k8s.io - - rbac.authorization.k8s.io - - extensions - apiVersions: - - '*' - operations: - - '*' - resources: - - '*/*' - scope: '*' + {{- with .Values.features.detections.kubernetes_audit.webhook_rules }} + {{- toYaml . | nindent 4 }} + {{- end }} clientConfig: service: namespace: {{ .Release.Namespace }} diff --git a/charts/shield/tests/cluster/configmap_test.yaml b/charts/shield/tests/cluster/configmap_test.yaml index 597d8b928..531498a4a 100644 --- a/charts/shield/tests/cluster/configmap_test.yaml +++ b/charts/shield/tests/cluster/configmap_test.yaml 
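Review bot: The `with` block on the new `rules:` lines leaves the key with no value when `webhook_rules` is set to `[]`, and a validating webhook with no rules never matches any request, so an operator who empties the list gets a deployed-but-inert audit webhook with no error from the chart (the schema added in `values.schema.json` only requires an array). Unless silent disabling is intended, add an else branch that fails the render before the `{{- end }}`: `{{- else }}` / `{{- fail "features.detections.kubernetes_audit.webhook_rules must contain at least one rule" }}`. The unit tests added in `tls-certificates-admissionregistration_test.yaml` cover the default and a two-rule custom list but not an empty one. Whether the rendered items land under `rules:` depends on `nindent 4` matching the indentation of the removed `- apiGroups:` lines, which the collapsed diff does not show; the new `contains` assertions should catch a mismatch. The webhook entry this belongs to starts before the hunk and its `clientConfig` continues after it.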
@@ -50,6 +50,22 @@ tests: excluded_namespaces: \[\] http_port: 6443 timeout: 10 + webhook_rules: + - apiGroups: + - "" + - apps + - autoscaling + - batch + - networking.k8s.io + - rbac.authorization.k8s.io + - extensions + apiVersions: + - '\*' + operations: + - '\*' + resources: + - '\*/\*' + scope: '\*' container_vulnerability_management: enabled: false in_use: @@ -77,6 +93,7 @@ tests: sysdig_endpoint: api_url: https://fake.api.url.com collector: fake.collector.host:6443 + region: custom - it: Sets NATS Url and Lock Name when Container Vulnerability Management is enabled set: diff --git a/charts/shield/tests/cluster/service-container-vulnerability-management_test.yaml b/charts/shield/tests/cluster/service-container-vulnerability-management_test.yaml index 6e8ffc772..847f89c6b 100644 --- a/charts/shield/tests/cluster/service-container-vulnerability-management_test.yaml +++ b/charts/shield/tests/cluster/service-container-vulnerability-management_test.yaml @@ -32,7 +32,7 @@ tests: - lengthEqual: path: spec.ports count: 1 - - isNotNull: + - isNotNullOrEmpty: path: spec.ports[?(@.name == "nats")] - equal: path: spec.ports[?(@.name == "nats")].port @@ -68,7 +68,7 @@ tests: - lengthEqual: path: spec.ports count: 2 - - isNotNull: + - isNotNullOrEmpty: path: spec.ports[?(@.name == "nats")] - equal: path: spec.ports[?(@.name == "nats")].port @@ -79,7 +79,7 @@ tests: - equal: path: spec.ports[?(@.name == "nats")].targetPort value: cvm-nats - - isNotNull: + - isNotNullOrEmpty: path: spec.ports[?(@.name == "grpc")] - equal: path: spec.ports[?(@.name == "grpc")].port diff --git a/charts/shield/tests/cluster/service_test.yaml b/charts/shield/tests/cluster/service_test.yaml index 0c6e77af3..76d77acff 100644 --- a/charts/shield/tests/cluster/service_test.yaml +++ b/charts/shield/tests/cluster/service_test.yaml 
@@ -19,7 +19,7 @@ tests: - equal: path: spec.type value: ClusterIP - - isNotNull: + - isNotNullOrEmpty: path: .spec.ports[?(@.name == "monitoring")] - equal: path: spec.ports[?(@.name == "monitoring")].port @@ -53,7 +53,7 @@ tests: - equal: path: spec.type value: ClusterIP - - isNotNull: + - isNotNullOrEmpty: path: .spec.ports[?(@.name == "monitoring")] - equal: path: spec.ports[?(@.name == "monitoring")].port @@ -88,7 +88,7 @@ tests: - equal: path: spec.type value: ClusterIP - - isNotNull: + - isNotNullOrEmpty: path: .spec.ports[?(@.name == "audit")] - equal: path: spec.ports[?(@.name == "audit")].port @@ -124,7 +124,7 @@ tests: - equal: path: spec.type value: ClusterIP - - isNotNull: + - isNotNullOrEmpty: path: .spec.ports[?(@.name == "audit")] - equal: path: spec.ports[?(@.name == "audit")].port @@ -158,7 +158,7 @@ tests: - equal: path: spec.type value: ClusterIP - - isNotNull: + - isNotNullOrEmpty: path: .spec.ports[?(@.name == "ac")] - equal: path: spec.ports[?(@.name == "ac")].port @@ -193,7 +193,7 @@ tests: - equal: path: spec.type value: ClusterIP - - isNotNull: + - isNotNullOrEmpty: path: .spec.ports[?(@.name == "ac")] - equal: path: spec.ports[?(@.name == "ac")].port diff --git a/charts/shield/tests/cluster/tls-certificates-admissionregistration_test.yaml b/charts/shield/tests/cluster/tls-certificates-admissionregistration_test.yaml index 8870a3885..1cabd3f16 100644 --- a/charts/shield/tests/cluster/tls-certificates-admissionregistration_test.yaml +++ b/charts/shield/tests/cluster/tls-certificates-admissionregistration_test.yaml @@ -450,7 +450,6 @@ tests: value: "Fail" documentIndex: 1 - - it: Audit Exclude Namespaces set: features: 
@@ -516,3 +515,123 @@ tests: - kube-system - kube-public documentIndex: 1 + + - it: Audit AdmissionRegistration default Rules + set: + features: + detections: + kubernetes_audit: + enabled: true + asserts: + - hasDocuments: + count: 2 + - containsDocument: + kind: ValidatingWebhookConfiguration + apiVersion: admissionregistration.k8s.io/v1 + name: shield-release-cluster-audit + documentIndex: 1 + - exists: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")] + documentIndex: 1 + - exists: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].rules + documentIndex: 1 + - lengthEqual: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].rules + count: 1 + documentIndex: 1 + - contains: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].rules + content: + apiGroups: + - "" + - apps + - autoscaling + - batch + - networking.k8s.io + - rbac.authorization.k8s.io + - extensions + apiVersions: + - '*' + operations: + - '*' + resources: + - '*/*' + scope: '*' + documentIndex: 1 + + - it: Audit AdmissionRegistration custom Rules + set: + features: + detections: + kubernetes_audit: + enabled: true + webhook_rules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - replicasets + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: Namespaced + asserts: + - hasDocuments: + count: 2 + - containsDocument: + kind: ValidatingWebhookConfiguration + apiVersion: admissionregistration.k8s.io/v1 + name: shield-release-cluster-audit + documentIndex: 1 + - exists: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")] + documentIndex: 1 + - exists: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].rules + documentIndex: 1 + - lengthEqual: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].rules + count: 2 + documentIndex: 1 + - contains: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].rules + content: + 
apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - replicasets + scope: Namespaced + documentIndex: 1 + - contains: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].rules + content: + apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + scope: Namespaced + documentIndex: 1 diff --git a/charts/shield/tests/host/service_test.yaml b/charts/shield/tests/host/service_test.yaml index e5f7a3659..9517b5516 100644 --- a/charts/shield/tests/host/service_test.yaml +++ b/charts/shield/tests/host/service_test.yaml @@ -19,7 +19,7 @@ tests: - equal: path: spec.type value: ClusterIP - - isNotNull: + - isNotNullOrEmpty: path: .spec.ports[?(@.name == "http")] - equal: path: spec.ports[?(@.name == "http")].port diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json index 4cf57fefd..6da5f1c29 100644 --- a/charts/shield/values.schema.json +++ b/charts/shield/values.schema.json @@ -75,7 +75,7 @@ "type": "object", "description": "Tags you want to apply to the metadata sent to the Sysdig Backend.", "propertyNames": { - "pattern": "^[a-zA-Z0-9_-]{1,255}$", + "pattern": "^[a-zA-Z0-9_.-]{1,255}$", "description": "The tag name", "examples": [ "env", "region" ] }, @@ -730,6 +730,36 @@ "type": "string" }, "description": "List of namespaces to exclude from the audit feature" + }, + "webhook_rules": { + "description": "List of rules used to determine if a request should be audited", + "type": "array", + "items": { + "type": "object" + }, + "default": [ + { + "apiGroups": [ + "", + "apps", + "autoscaling", + "batch", + "networking.k8s.io", + "rbac.authorization.k8s.io", + "extensions" + ], + "apiVersions": [ + "*" + ], + "operations": [ + "*" + ], + "resources": [ + "*/*" + ], + "scope": "*" + } + ] } } } diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml index 4e2d20469..55239cb2c 100644 --- a/charts/shield/values.yaml 
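Review bot: The new `webhook_rules` schema in the `@@ -730` hunk types each entry as a bare `object`, so a misspelled key such as `apiGroup`, a missing `operations` list, or a `scope` outside `Cluster`/`Namespaced`/`*` passes chart validation and only surfaces when the API server rejects the ValidatingWebhookConfiguration during install or upgrade. Since these entries are the admission filter that decides which requests are gated on the audit webhook, tightening the item schema to the fields of a Kubernetes `RuleWithOperations` makes a bad rule fail at lint/template time instead, and `"minItems": 1` on the outer array would also reject the empty list the template does not guard against. The other hunk in this file only adds `.` to the tag-name pattern and needs no change.
```json
"items": {
  "type": "object",
  "required": ["apiGroups", "apiVersions", "operations", "resources"],
  "additionalProperties": false,
  "properties": {
    "apiGroups": { "type": "array", "items": { "type": "string" } },
    "apiVersions": { "type": "array", "items": { "type": "string" } },
    "operations": {
      "type": "array",
      "items": { "type": "string", "enum": ["CREATE", "UPDATE", "DELETE", "CONNECT", "*"] }
    },
    "resources": { "type": "array", "items": { "type": "string" } },
    "scope": { "type": "string", "enum": ["Cluster", "Namespaced", "*"] }
  }
},
```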
+++ b/charts/shield/values.yaml @@ -104,6 +104,24 @@ features: http_port: 6443 # The list of namespaces that will be excluded from the audit feature excluded_namespaces: [] + # List of rules used to determine if a request should be audited + webhook_rules: # +doc-gen:break + - apiGroups: + - "" + - apps + - autoscaling + - batch + - networking.k8s.io + - rbac.authorization.k8s.io + - extensions + apiVersions: + - '*' + operations: + - '*' + resources: + - '*/*' + scope: '*' + investigations: activity_audit: enabled: false @@ -275,7 +293,7 @@ cluster: # The repository where the cluster shield image is stored repository: sysdig/cluster-shield # The tag for the cluster shield image - tag: 1.4.0 + tag: 1.5.0 # The pull policy for the cluster shield image pull_policy: IfNotPresent # The pull secrets for the cluster shield image
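Review bot: The one-line comment above `webhook_rules` in the first hunk says a rule decides whether a request is audited but not what an entry is or what widening it costs, and this is the text the README table picks up (the `+doc-gen:break` marker suggests the key line is parsed by the generator). I would expand it to `# List of Kubernetes admission RuleWithOperations entries (apiGroups/apiVersions/operations/resources/scope) selecting the API requests sent to the audit webhook` followed by `# every matching request waits on the shield service, so keep the match as narrow as the audit needs and rely on excluded_namespaces to keep control-plane namespaces out of it`, leaving the `# +doc-gen:break` marker on the key line untouched. Whether the README generator accepts a two-line comment I cannot tell from the diff. The second hunk is only the image tag bump.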