Merge pull request #467 from kubescape/include

add ns include/exclude config for scans

.gitignore

@@ -1,2 +1,4 @@
 .vscode
-
+.idea
+charts/kubescape-operator/Chart.lock
+charts/kubescape-operator/charts/

charts/kubescape-operator/templates/kubescape/deployment.yaml

@@ -161,6 +161,13 @@ spec:
         - name : no_proxy
           value: "{{ $no_proxy_envar_list }}"
         {{- end }}
+        {{- if ne .Values.includeNamespaces "" }}
+        - name: KS_INCLUDE_NAMESPACES
+          value: "{{ .Values.includeNamespaces }}"
+        {{- else if ne .Values.excludeNamespaces "" }}
+        - name: KS_EXCLUDE_NAMESPACES
+          value: "{{ .Values.excludeNamespaces }}"
+        {{- end }}
         command:
         - ksserver
         resources:

charts/kubescape-operator/templates/node-agent/configmap.yaml

@@ -30,6 +30,11 @@ data:
         "updateDataPeriod": "{{ .Values.nodeAgent.config.updatePeriod }}",
         "nodeProfileInterval": "{{ .Values.nodeAgent.config.nodeProfileInterval }}",
         "maxSniffingTimePerContainer": "{{ .Values.nodeAgent.config.maxLearningPeriod }}",
+        {{- if ne .Values.includeNamespaces "" }}
+        "includeNamespaces": "{{ .Values.includeNamespaces }}",
+        {{- else if ne .Values.excludeNamespaces "" }}
+        "excludeNamespaces": "{{ .Values.excludeNamespaces }}",
+        {{- end }}
         "exporters": {
           "httpExporterConfig": {{- .Values.nodeAgent.config.httpExporterConfig | toJson }},
           "alertManagerExporterUrls": {{- .Values.nodeAgent.config.alertManagerExporterUrls | toJson }},

charts/kubescape-operator/templates/node-agent/default-rule-binding.yaml

@@ -6,15 +6,23 @@ metadata:
 spec:
   namespaceSelector:
     matchExpressions:
+      {{- if ne .Values.includeNamespaces "" }}
+      - key: "kubernetes.io/metadata.name"
+        operator: "In"
+        values:
+          {{- $namespaces := split "," .Values.includeNamespaces }}
+          {{- range $namespaces }}
+          - {{ . | quote }}
+          {{- end }}
+      {{- else if ne .Values.excludeNamespaces "" }}
       - key: "kubernetes.io/metadata.name"
         operator: "NotIn"
         values:
-        - "kube-system"
-        - "kube-public"
-        - "kube-node-lease"
-        - "kubeconfig"
-        - "gmp-system"
-        - "gmp-public"
+          {{- $namespaces := split "," .Values.excludeNamespaces }}
+          {{- range $namespaces }}
+          - {{ . | quote }}
+          {{- end }}
+      {{- end }}
   rules:
     - ruleName: "Unexpected process launched"
     - ruleName: "Unexpected file access"
@@ -41,4 +49,4 @@ spec:
     - ruleName: "Unexpected Sensitive File Access"
     - ruleName: "LD_PRELOAD Hook"
     - ruleName: "Hardlink Created Over Sensitive File"
-{{- end }}
+{{- end }}

charts/kubescape-operator/templates/operator/configmap.yaml

@@ -11,6 +11,11 @@ metadata:
 data:
   config.json: |
     {
+        {{- if ne .Values.includeNamespaces "" }}
+        "includeNamespaces": "{{ .Values.includeNamespaces }}",
+        {{- else if ne .Values.excludeNamespaces "" }}
+        "excludeNamespaces": "{{ .Values.excludeNamespaces }}",
+        {{- end }}
         "namespace": "{{ .Values.ksNamespace }}",
         "triggersecurityframework": {{ .Values.operator.triggerSecurityFramework }}
     }

charts/kubescape-operator/templates/synchronizer/deployment.yaml

@@ -63,8 +63,9 @@ spec:
             httpGet:
               path: /healthz
               port: 7888
-            initialDelaySeconds: 3
-            periodSeconds: 3
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            timeoutSeconds: 10
           resources:
 {{ toYaml .Values.synchronizer.resources | indent 12 }}
           env:

charts/kubescape-operator/tests/snapshot_test.yaml

@@ -29,6 +29,7 @@ tests:
       server: api.armosec.io
       configurations.otelUrl: "otelCollector:4317"
       clusterName: kind-kind
+      includeNamespaces: "my-namespace"
       global:
         httpsProxy: "https://foo:bar@baz:1234"
         networkPolicy:
@@ -55,6 +56,8 @@ tests:
     set:
       configurations.otelUrl: "otelCollector:4317"
       clusterName: kind-kind
+      excludeNamespaces: ""
+      includeNamespaces: ""
       kubescapeScheduler.scanSchedule: "1 2 3 4 5"
       kubevulnScheduler.scanSchedule: "1 2 3 4 5"
   - it: disable otel
@@ -79,6 +82,8 @@ tests:
     set:
       account: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0
       accessKey: f304d73b-d43c-412b-82ea-e4c859493ce6
+      alertCRD:
+        installDefault: true
       capabilities:
         configurationScan: enable
         continuousScan: disable
@@ -96,6 +101,7 @@ tests:
       server: api.armosec.io
       configurations.otelUrl: "otelCollector:4317"
       clusterName: kind-kind
+      excludeNamespaces: "kubescape,kube-system,kube-public,kube-node-lease,kubeconfig,gmp-system,gmp-public"
       global:
         networkPolicy:
           createEgressRules: true

charts/kubescape-operator/values.yaml

@@ -20,6 +20,11 @@ logger:
   level: info
   name: zap
 
+# Targeted scanning
+# If you wish to exclude specific namespaces from scanning, provide the comma-separated list here
+excludeNamespaces: "kubescape,kube-system,kube-public,kube-node-lease,kubeconfig,gmp-system,gmp-public"
+# If you wish to scan only specific namespaces, provide the comma-separated list here (takes precedence over excludeNamespaces)
+includeNamespaces: ""
 
 # Additional volumes applied to all containers
 volumes: [ ]
@@ -255,7 +260,7 @@ operator:
   image:
     # -- source code: https://github.com/kubescape/operator
     repository: quay.io/kubescape/operator
-    tag: v0.2.16
+    tag: v0.2.17
     pullPolicy: IfNotPresent
 
   service:
@@ -477,7 +482,7 @@ nodeAgent:
   image:
     # -- source code: https://github.com/kubescape/node-agent
     repository: quay.io/kubescape/node-agent
-    tag: v0.2.94
+    tag: v0.2.101
     pullPolicy: IfNotPresent
 
   config: