add capabilities support (#262)

* rename kubescape-cloud-operator to kubescape-operator

Signed-off-by: Matthias Bertschy <[email protected]>

* delete prometheus chart, move stuff to operator

Signed-off-by: Matthias Bertschy <[email protected]>

* implement capabilities and configurations

Signed-off-by: Matthias Bertschy <[email protected]>

* implement review comments

Signed-off-by: Matthias Bertschy <[email protected]>

---------

Signed-off-by: Matthias Bertschy <[email protected]>

.github/workflows/00-cicd.yaml

@@ -46,7 +46,7 @@ jobs:
       IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
       COMPONENT_NAME: ${{ inputs.COMPONENT_NAME }}
       MODE: patch
-      CHART_FILE: charts/kubescape-cloud-operator/Chart.yaml
+      CHART_FILE: charts/kubescape-operator/Chart.yaml
     secrets: inherit
 
   e2e-test:
@@ -78,6 +78,6 @@ jobs:
     if: ${{ (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
     with:
       COMMIT_REF: ${{ needs.helm-chart-update.outputs.COMMIT_REF }}
-      CHARTS_NAME: kubescape-cloud-operator
+      CHARTS_NAME: kubescape-operator
     uses: ./.github/workflows/03-helm-release.yaml
     secrets: inherit

.github/workflows/01-update_tag.yaml

@@ -25,7 +25,7 @@ on:
       CHART_FILE:
         required: true
         type: string
-        default: charts/kubescape-cloud-operator/Chart.yaml
+        default: charts/kubescape-operator/Chart.yaml
     outputs:
       COMMIT_REF:
         description: "latest commit sha"
@@ -57,13 +57,13 @@ jobs:
         if: ${{ inputs.CHANGE_TAG }}
         uses: matanshk/yaml-tag-changer@main
         with:
-          filename: charts/kubescape-cloud-operator/values.yaml
+          filename: charts/kubescape-operator/values.yaml
           component_name: ${{ inputs.COMPONENT_NAME }}
           tag: ${{ inputs.IMAGE_TAG }}
 
       - name: cat-file-values-file
         if: ${{ inputs.CHANGE_TAG }}
-        run: cat charts/kubescape-cloud-operator/values.yaml
+        run: cat charts/kubescape-operator/values.yaml
 
       - name: Bump helm chart version
         id: bumper
@@ -73,7 +73,7 @@ jobs:
           chart_file: ${{ inputs.CHART_FILE }}
 
       - name: cat Chart.yaml
-        run: cat charts/kubescape-cloud-operator/Chart.yaml
+        run: cat charts/kubescape-operator/Chart.yaml
 
       - uses: stefanzweifel/[email protected]
         name: commit changes and push
@@ -97,4 +97,4 @@ jobs:
         run: echo ${{ steps.commit-ref.outputs.COMMIT_REF }}
 
       - name: output-pr-number
-        run: echo ${{ steps.create-pr.outputs.pr_number }}
+        run: echo ${{ steps.create-pr.outputs.pr_number }}

.github/workflows/03-helm-release.yaml

@@ -7,7 +7,7 @@ on:
         type: choice
         description: What chart do you want to release?
         options: 
-        - kubescape-cloud-operator
+        - kubescape-operator
 
   workflow_call:
     inputs:
@@ -47,5 +47,5 @@ jobs:
       - name: Run chart-releaser
         uses: helm/[email protected]
         env: 
-          charts_dir: "charts/kubescape-cloud-operator"
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          charts_dir: "charts/kubescape-operator"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/relevancy-e2e-test.yaml

@@ -91,7 +91,7 @@ jobs:
           -b production           \
           -c CyberArmorTests      \
           --logger DEBUG          \
-          --kwargs helm_branch=${{ inputs.BRANCH }} helm_repo=charts/kubescape-cloud-operator
+          --kwargs helm_branch=${{ inputs.BRANCH }} helm_repo=charts/kubescape-operator
 
           deactivate
 

README.md

@@ -1,6 +1,6 @@
 # Kubescape Helm charts
 
-* [Kubescape cloud operator](charts/kubescape-cloud-operator/README.md)
+* [Kubescape cloud operator](charts/kubescape-operator/README.md)
 * [Kubescape & prometheus integration](charts/kubescape-prometheus-integrator/README.md)
 
 # Helm-charts - CICD Workflow docs
@@ -56,4 +56,4 @@ This process will run only the release step from the CICD and will create a new
 **Note that running only the release process will not run any E2E tests**
 
 ### A diagram of the full CICD pipeline:
-![Workflow](https://raw.githubusercontent.com/kubescape/workflows/main/assets/incluster_component_flow.jpeg)
+![Workflow](https://raw.githubusercontent.com/kubescape/workflows/main/assets/incluster_component_flow.jpeg)

charts/kubescape-cloud-operator/Chart.yaml → charts/kubescape-operator/Chart.yaml

@@ -1,22 +1,22 @@
 apiVersion: v2
-name: kubescape-cloud-operator
+name: kubescape-operator
 description:
-  Kubescape is an E2E Kubernetes cluster security platform 
- 
+  Kubescape is an E2E Kubernetes cluster security platform
+
 type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.14.5
+version: 1.15.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 
-appVersion: 1.14.5
+appVersion: 1.15.0
 
 maintainers:
 - name: Ben Hirschberg

charts/kubescape-cloud-operator/README.md → charts/kubescape-operator/README.md

@@ -26,7 +26,7 @@ Otherwise, get the account ID from the [kubescape SaaS](https://hub.armosec.io/d
 
 Run the install command:
 ```
-helm upgrade --install kubescape kubescape/kubescape-cloud-operator -n kubescape --create-namespace --set account=<my_account_ID> --set clusterName=`kubectl config current-context` 
+helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set account=<my_account_ID> --set clusterName=`kubectl config current-context` 
 ```
 
 > Add `--set clientID=<generated client id> --set secretKey=<generated secret key>` if you have [generated an auth key](https://hub.armosec.io/docs/authentication)
@@ -130,7 +130,7 @@ docker-compose logs uptrace
 4. Follow the [instructions above](#installing-kubescape-operator-in-a-kubernetes-cluster-using-helm), add the OTEL collector configuration and install the operator as follows:
 
   ```
-  --set otelCollector.enabled=true --set otelCollector.endpoint.host=<collector host> --set otelCollector.endpoint.port=14317 --set otelCollector.endpoint.insecure=false
+  --set configurations.otelUrl=<collector host>:14317 --set otelCollector.endpoint.insecure=false
   ```
 
 5. Open Uptrace UI at [http://localhost:14318/overview/2](http://localhost:14318/overview/2)
@@ -148,7 +148,6 @@ docker-compose logs uptrace
 | global.httpsProxy | string | `""` | Set https egress proxy for all components. Must supply also port.  |
 | global.proxySecretFile | string | `""` | Set proxy certificate / RootCA for all components to be used for proxy configured in global.httpsProxy |
 | kollector.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the StatefulSet |
-| kollector.enabled | bool | `true` | enable/disable the kollector |
 | kollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) |
 | kollector.image.repository | string | `"quay.io/kubescape/kollector"` | [source code](https://github.com/kubescape/kollector) |
 | kollector.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
@@ -157,7 +156,6 @@ docker-compose logs uptrace
 | kubescape.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | kubescape.downloadArtifacts | bool | `true` | download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus) |
 | kubescape.enableHostScan | bool | `true` | enable [host scanner feature](https://hub.armosec.io/docs/host-sensor) |
-| kubescape.enabled | bool | `true` | enable/disable kubescape scanning |
 | kubescape.image.repository | string | `"quay.io/kubescape/kubescape"` | [source code](https://github.com/kubescape/kubescape/tree/master/httphandler) (public repo) |
 | kubescape.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | kubescape.serviceMonitor.enabled | bool | `false` | enable/disable service monitor for prometheus (operator) integration |
@@ -171,13 +169,11 @@ docker-compose logs uptrace
 | kubescapeScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
 | kubescapeScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | gateway.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
-| gateway.enabled | bool | `true` | enable/disable passing notifications from Kubescape SaaS to the Operator microservice. The notifications are the onDemand scanning and the scanning schedule settings |
 | gateway.image.repository | string | `"quay.io/kubescape/gateway"` | [source code](https://github.com/kubescape/gateway) |
 | gateway.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | gateway.volumes | object | `[]` | Additional volumes for the notification service |
 | gateway.volumeMounts | object | `[]` | Additional volumeMounts for the notification service |
 | kubevuln.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
-| kubevuln.enabled | bool | `true` | enable/disable image vulnerability scanning |
 | kubevuln.image.repository | string | `"quay.io/kubescape/kubevuln"` | [source code](https://github.com/kubescape/kubevuln) |
 | kubevuln.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | kubevuln.volumes | object | `[]` | Additional volumes for the image vulnerability scanning |
@@ -188,7 +184,6 @@ docker-compose logs uptrace
 | kubevulnScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
 | kubevulnScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | operator.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
-| operator.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning |
 | operator.image.repository | string | `"quay.io/kubescape/operator"` | [source code](https://github.com/kubescape/operator) |
 | operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | operator.volumes | object | `[]` | Additional volumes for the web socket |
@@ -457,7 +452,7 @@ class er,gw,masterGw plain
 
 ---
 
-## [URLs ConfigMap](https://github.com/kubescape/helm-charts/blob/master/charts/kubescape-cloud-operator/templates/cloudapi-configmap.yaml)
+## [URLs ConfigMap](https://github.com/kubescape/helm-charts/blob/master/charts/kubescape-operator/templates/cloudapi-configmap.yaml)
 
 Holds a list of communication URLs. Used by the following components:
 
@@ -621,3 +616,73 @@ sequenceDiagram
 ```
 
 </details>
+
+---
+
+## Kubescape-Prometheus Integration
+
+Most of the end users either use [`kube-prometheus-stack`](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) prometheus operator else [`prometheus helm chart`](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus) to install prometheus for monitoring. Based on your choice of prometheus, you can follow either of the below method to enable kubescape monitoring with Prometheus.
+
+---
+
+### Kubescape integration with Kube-Prometheus-stack (Prometheus operator):
+
+1. Install the `kube-prometheus-stack` Helm Chart
+```
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+kubectl create namespace prometheus
+helm install -n prometheus kube-prometheus-stack prometheus-community/kube-prometheus-stack --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false,prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
+```
+
+2. Install the `kubescape-operator` Helm Chart with `capabilities.prometheusExporter` enabled
+
+```
+helm repo add kubescape https://kubescape.github.io/helm-charts/
+helm repo update
+helm upgrade --install <...> --set capabilities.prometheusExporter=enable
+``` 
+
+---
+
+### Kubescape integration with Prometheus community helm chart:
+
+1. Install the `prometheus-community` Helm Chart
+```
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+kubectl create namespace prometheus
+helm install -n prometheus prometheus prometheus-community/prometheus
+```
+
+2. Install the `kubescape-operator` Helm Chart with `capabilities.prometheusExporter` and `configuration.prometheusAnnotations` enabled
+
+```
+helm repo add kubescape https://kubescape.github.io/helm-charts/
+helm repo update
+helm upgrade --install <...> --set capabilities.prometheusExporter=enable --set configuration.prometheusAnnotations=enable
+``` 
+
+---
+
+### Component Diagram
+
+```mermaid
+graph TB
+
+subgraph Cluster
+    pr(Prometheus)
+    ks(Kubescape)
+    k8sApi(Kubernetes API)
+end
+
+pr -->|Start Scan| ks
+ks -->|Collect Cluster Info|k8sApi
+ks -->|Scan results| pr
+
+classDef k8s fill:#326ce5,stroke:#fff,stroke-width:1px,color:#fff;
+classDef plain fill:#ddd,stroke:#fff,stroke-width:1px,color:#000
+
+class k8sApi k8s
+class pr plain
+```

charts/kubescape-cloud-operator/assets/host-scanner-definition.yaml → charts/kubescape-operator/assets/host-scanner-definition.yaml

@@ -1,4 +1,4 @@
-{{ template "cluster_name" . }}
+{{- $components := fromYaml (include "components" .) -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -15,7 +15,7 @@ spec:
     metadata:
       labels:
         name: host-scanner
-        {{- if .Values.otelCollector.enabled }}
+        {{- if $components.otelCollector.enabled }}
         otel: enabled
         {{- end }}
     spec:
@@ -53,8 +53,8 @@ spec:
         - name: KS_LOGGER_LEVEL
           value: "{{ .Values.logger.level }}"
         - name: KS_LOGGER_NAME
-          value: "{{ .Values.logger.name }}" 
-        {{- if .Values.otelCollector.enabled }}
+          value: "{{ .Values.logger.name }}"
+        {{- if $components.otelCollector.enabled }}
         - name: ACCOUNT_ID
           value: "{{ .Values.account }}"
         - name: CLUSTER_NAME