

generate sbom locally on node-agent
Signed-off-by: Matthias Bertschy <[email protected]>
matthyx committed Nov 27, 2024
1 parent db12c8a commit 4d8d88b
Showing 4 changed files with 53 additions and 48 deletions.
Expand Up @@ -23,10 +23,10 @@ rules:
resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["sbomsyfts", "seccompprofiles"]
resources: ["seccompprofiles"]
verbs: ["get", "watch", "list"]
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyftfiltereds"]
resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyfts", "sbomsyftfiltereds"]
verbs: ["create", "get", "update", "watch", "list", "patch"]
- apiGroups: ["kubescape.io"]
resources: ["runtimerulealertbindings"]
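Review bot: `sbomsyfts` is moved from the read-only rule into the rule that carries `create`, `update` and `patch`, and nothing in the hunk lets a deployment that does not generate SBOMs locally withhold that write grant; a principal that can rewrite SBOM objects can alter the package inventory that downstream consumers (kubevuln's matching, inferring from the component names elsewhere in this commit) rely on. Consider leaving `sbomsyfts` in the `get`/`watch`/`list` rule and adding the write verbs only under a capability switch, in the same way other capability-scoped resources are gated elsewhere in the chart if such gating exists. The file name is not shown on this page; the `rules:` context and the verb set suggest the node-agent ClusterRole template, and the rules list continues outside the hunk.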
Expand Up @@ -26,6 +26,7 @@ data:
"networkServiceEnabled": {{ eq .Values.capabilities.networkPolicyService "enable" }},
"malwareDetectionEnabled": {{ eq .Values.capabilities.malwareDetection "enable" }},
"nodeProfileServiceEnabled": {{ eq .Values.capabilities.nodeProfileService "enable" }},
"sbomGenerationEnabled": true,
"seccompServiceEnabled": {{ eq .Values.capabilities.seccompProfileService "enable" }},
"initialDelay": "{{ .Values.nodeAgent.config.learningPeriod }}",
"updateDataPeriod": "{{ .Values.nodeAgent.config.updatePeriod }}",
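Review bot: `"sbomGenerationEnabled": true,` is the only flag in this data block written as a literal rather than derived from `.Values.capabilities.*`, so chart users have no way to disable local SBOM generation, and the flag can silently drift from the RBAC and image changes made in the same commit if only one of them is edited later. Following the surrounding lines, `"sbomGenerationEnabled": {{ eq .Values.capabilities.<sbomCapabilityKey> "enable" }},` (key name to be chosen and declared with a default in values.yaml) keeps the setting operator-controlled and visible in the values documentation. The enclosing `data:` block starts and ends outside the hunk.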
Expand Up @@ -2390,8 +2390,8 @@ all capabilities:
value: https://foo:bar@baz:1234
- name: no_proxy
value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
image: quay.io/kubescape/kubevuln:v0.3.38
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -2671,7 +2671,6 @@ all capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -2684,6 +2683,7 @@ all capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -2761,6 +2761,7 @@ all capabilities:
"networkServiceEnabled": true,
"malwareDetectionEnabled": true,
"nodeProfileServiceEnabled": true,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -2854,7 +2855,7 @@ all capabilities:
annotations:
checksum/cloud-config: e676e6d4282e48cde90d56356ebe417818278b5a260941f00176a2c064b77eb6
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: 0d6d395a60e006df95e7955f15a6d0b0889ec2a60b815ab1ef8b13fd60d631c0
checksum/node-agent-config: 3fbd133967aed7b57cea303967a2d1f56bdfcd954963c0dd19c27e40156ab151
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
Expand Down Expand Up @@ -2944,8 +2945,8 @@ all capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.185
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand All @@ -2962,7 +2963,7 @@ all capabilities:
resources:
limits:
cpu: 500m
memory: 700Mi
memory: 800Mi
requests:
cpu: 100m
memory: 180Mi
Expand Down Expand Up @@ -3589,8 +3590,8 @@ all capabilities:
value: https://foo:bar@baz:1234
- name: no_proxy
value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
image: quay.io/kubescape/operator:v0.2.41
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -8219,8 +8220,8 @@ default capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.38
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -8462,7 +8463,6 @@ default capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -8475,6 +8475,7 @@ default capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -8552,6 +8553,7 @@ default capabilities:
"networkServiceEnabled": true,
"malwareDetectionEnabled": false,
"nodeProfileServiceEnabled": false,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -8608,7 +8610,7 @@ default capabilities:
annotations:
checksum/cloud-config: f753b01d880e21ddc33cef3935d2ff4d41d12899432962a5a9b5dfda91d2c8d9
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28
checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
Expand Down Expand Up @@ -8665,8 +8667,8 @@ default capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.185
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand All @@ -8683,7 +8685,7 @@ default capabilities:
resources:
limits:
cpu: 500m
memory: 700Mi
memory: 800Mi
requests:
cpu: 100m
memory: 180Mi
Expand Down Expand Up @@ -9178,8 +9180,8 @@ default capabilities:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.41
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -12838,8 +12840,8 @@ disable otel:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.38
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -13015,7 +13017,6 @@ disable otel:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -13028,6 +13029,7 @@ disable otel:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -13105,6 +13107,7 @@ disable otel:
"networkServiceEnabled": true,
"malwareDetectionEnabled": false,
"nodeProfileServiceEnabled": false,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -13161,7 +13164,7 @@ disable otel:
annotations:
checksum/cloud-config: d568e07a1bb2d6f372ab0e5a3fb91bd018b05433558890eb621af5234dd7c8c4
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28
checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
app: node-agent
Expand Down Expand Up @@ -13217,8 +13220,8 @@ disable otel:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.185
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand All @@ -13235,7 +13238,7 @@ disable otel:
resources:
limits:
cpu: 500m
memory: 700Mi
memory: 800Mi
requests:
cpu: 100m
memory: 180Mi
Expand Down Expand Up @@ -13610,8 +13613,8 @@ disable otel:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.41
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -16381,8 +16384,8 @@ minimal capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.38
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -16556,7 +16559,6 @@ minimal capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -16569,6 +16571,7 @@ minimal capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -16646,6 +16649,7 @@ minimal capabilities:
"networkServiceEnabled": true,
"malwareDetectionEnabled": false,
"nodeProfileServiceEnabled": false,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -16701,7 +16705,7 @@ minimal capabilities:
annotations:
checksum/cloud-config: f5eda48aecb77a239b89ba75d2c49d92ad3c48f7f2b2951deca9e77052f7c00c
checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c
checksum/node-agent-config: c210b0875265f4d1cc5217e0f754632e9c3ce74bec5ba28929706deddb3c425d
checksum/node-agent-config: bea5ad88e2dc905f4e4b69bbd2531070c1fe86df0933448c1a2378473a0d39fd
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
app: node-agent
Expand Down Expand Up @@ -16757,8 +16761,8 @@ minimal capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.185
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand All @@ -16775,7 +16779,7 @@ minimal capabilities:
resources:
limits:
cpu: 500m
memory: 700Mi
memory: 800Mi
requests:
cpu: 100m
memory: 180Mi
Expand Down Expand Up @@ -17147,8 +17151,8 @@ minimal capabilities:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.41
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down
20 changes: 10 additions & 10 deletions charts/kubescape-operator/values.yaml
Expand Up @@ -273,9 +273,9 @@ operator:

image:
# -- source code: https://github.com/kubescape/operator
repository: quay.io/kubescape/operator
tag: v0.2.41
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/operator
tag: sbom
pullPolicy: Always

service:
type: ClusterIP
Expand Down Expand Up @@ -318,9 +318,9 @@ kubevuln:

image:
# -- source code: https://github.com/kubescape/kubevuln
repository: quay.io/kubescape/kubevuln
tag: v0.3.38
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/kubevuln
tag: sbom
pullPolicy: Always

replicaCount: 1

Expand Down Expand Up @@ -505,9 +505,9 @@ nodeAgent:
name: node-agent
image:
# -- source code: https://github.com/kubescape/node-agent
repository: quay.io/kubescape/node-agent
tag: v0.2.185
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/node-agent
tag: sbom
pullPolicy: Always

config:
maxLearningPeriod: 24h # duration string
Expand Down Expand Up @@ -539,7 +539,7 @@ nodeAgent:
memory: 180Mi
limits:
cpu: 500m
memory: 700Mi
memory: 800Mi

env:
- name: NodeName
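Review bot: The three `image:` blocks under `operator:`, `kubevuln:` and `nodeAgent:` now default to `quay.io/matthiasb_1/...` with the mutable tag `sbom` and `pullPolicy: Always`, replacing pinned `quay.io/kubescape/*` release tags; as committed chart defaults this means every pod restart re-resolves a tag in what appears to be a personal registry namespace, so the code running in users' clusters can change with no chart change and no review. If these are interim test builds, say so in place, e.g. `# TODO: revert to quay.io/kubescape/<component> with a released tag before merging` above each `repository:` line, and restore a release tag with `pullPolicy: IfNotPresent` (or a digest pin) before the chart is published. The same references are baked into the snapshot expectations in the earlier section of this commit and will need regenerating when the values are restored. The node-agent `memory: 800Mi` limit increase in the last hunk has no rationale; a short comment on why local SBOM generation needs the extra headroom would help whoever sizes it next.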

