diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml
index 08c521e5..ac2d4438 100644
--- a/charts/kubescape-operator/Chart.yaml
+++ b/charts/kubescape-operator/Chart.yaml
@@ -9,14 +9,14 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.19.1
+version: 1.19.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 1.19.1
+appVersion: 1.19.2
 maintainers:
 - name: Ben Hirschberg
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index 536b6e3a..7de6e310 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -1,6 +1,6 @@ all capabilities: 1: | - raw: "Thank you for installing kubescape-operator version 1.19.1.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\nView your configuration scan summaries:\n> kubectl get workloadconfigurationscansummaries -A\n\nDetailed reports are also available:\n> kubectl get workloadconfigurationscans -A\n\nView your image vulnerabilities scan summaries:\n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available:\n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. 
To view them: \n> kubectl get generatednetworkpolicies -n \n\n" + raw: "Thank you for installing kubescape-operator version 1.19.2.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\nView your configuration scan summaries:\n> kubectl get workloadconfigurationscansummaries -A\n\nDetailed reports are also available:\n> kubectl get workloadconfigurationscans -A\n\nView your image vulnerabilities scan summaries:\n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available:\n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" 2: | apiVersion: batch/v1 kind: CronJob @@ -60,7 +60,7 @@ all capabilities: metadata: labels: app: helm-release-upgrader - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: helm-release-upgrader namespace: kubescape @@ -262,7 +262,7 @@ all capabilities: app: gateway app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: gateway - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane @@ -403,7 +403,7 @@ all capabilities: metadata: labels: app: gateway - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: gateway namespace: kubescape 
@@ -507,7 +507,7 @@ all capabilities: app: grype-offline-db app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: grype-offline-db - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core tier: ks-control-plane spec: @@ -639,7 +639,7 @@ all capabilities: metadata: labels: app: kollector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kollector namespace: kubescape @@ -725,7 +725,7 @@ all capabilities: app: kollector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kollector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -915,7 +915,7 @@ all capabilities: metadata: labels: app: kubescape-scheduler - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubescape-scheduler namespace: kubescape @@ -1175,7 +1175,7 @@ all capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane @@ -1205,7 +1205,7 @@ all capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -1451,7 +1451,7 @@ all capabilities: metadata: labels: app: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubescape namespace: kubescape 
@@ -1689,7 +1689,7 @@ all capabilities: metadata: labels: app: kubevuln-scheduler - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubevuln-scheduler namespace: kubescape @@ -1803,7 +1803,7 @@ all capabilities: app: kubevuln app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubevuln - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -1923,7 +1923,7 @@ all capabilities: metadata: labels: app: kubevuln - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubevuln namespace: kubescape @@ -2193,7 +2193,7 @@ all capabilities: app: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: node-agent - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane 
@@ -2400,12 +2400,59 @@ all capabilities: secret: secretName: custom-ca-certificates 51: | + apiVersion: kubescape.io/v1 + kind: RuntimeRuleAlertBinding + metadata: + name: all-rules-all-pods + spec: + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - kube-public + - kube-node-lease + - kubeconfig + - gmp-system + - gmp-public + rules: + - ruleName: Unexpected process launched + - parameters: + ignoreMounts: true + ignorePrefixes: + - /proc + - /run/secrets/kubernetes.io/serviceaccount + - /var/run/secrets/kubernetes.io/serviceaccount + - /tmp + ruleName: Unexpected file access + - ruleName: Unexpected system call + - ruleName: Unexpected capability used + - ruleName: Unexpected domain request + - ruleName: Unexpected Service Account Token Access + - ruleName: Kubernetes Client Executed + - ruleName: Exec from malicious source + - ruleName: Kernel Module Load + - ruleName: Exec Binary Not In Base Image + - ruleName: Malicious SSH Connection + - ruleName: Fileless Execution + - ruleName: XMR Crypto Mining Detection + - ruleName: Exec from mount + - ruleName: Crypto Mining Related Port Communication + - ruleName: Crypto Mining Domain Communication + - ruleName: Read Environment Variables from procfs + - ruleName: eBPF Program Load + - ruleName: Symlink Created Over Sensitive File + - ruleName: Unexpected Sensitive File Access + - ruleName: LD_PRELOAD Hook + - ruleName: Hardlink Created Over Sensitive File + 52: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: app: node-agent - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: node-agent namespace: kubescape @@ -2441,7 +2488,7 @@ all capabilities: tier: ks-control-plane policyTypes: - Egress - 52: | + 53: | apiVersion: v1 kind: Service metadata: 
@@ -2459,7 +2506,7 @@ all capabilities: targetPort: 8080 selector: app.kubernetes.io/name: node-agent - 53: | + 54: | apiVersion: v1 kind: ServiceAccount metadata: @@ -2467,7 +2514,7 @@ all capabilities: kubescape.io/ignore: "true" name: node-agent namespace: kubescape - 54: | + 55: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -2534,7 +2581,7 @@ all capabilities: - create - update - delete - 55: | + 56: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -2549,7 +2596,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 56: | + 57: | apiVersion: v1 data: config.json: | @@ -2564,7 +2611,7 @@ all capabilities: kubescape.io/tier: core name: operator namespace: kubescape - 57: | + 58: | apiVersion: apps/v1 kind: Deployment metadata: @@ -2603,7 +2650,7 @@ all capabilities: app: operator app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: operator - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -2617,7 +2664,7 @@ all capabilities: - 2>&1 env: - name: HELM_RELEASE - value: kubescape-operator-1.19.1 + value: kubescape-operator-1.19.2 - name: GOMEMLIMIT value: 100MiB - name: KS_LOGGER_LEVEL 
@@ -2741,7 +2788,7 @@ all capabilities: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 58: | + 59: | apiVersion: v1 data: cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: kubescape-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" 
@@ -2754,7 +2801,7 @@ all capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 59: | + 60: | apiVersion: v1 data: cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: kubevuln-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" @@ -2767,13 +2814,13 @@ all capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 60: | + 61: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: app: operator - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: operator namespace: kubescape 
@@ -2857,7 +2904,7 @@ all capabilities: policyTypes: - Ingress - Egress - 61: | + 62: | apiVersion: v1 data: cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" @@ -2870,7 +2917,7 @@ all capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 62: | + 63: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -2904,7 +2951,7 @@ all capabilities: - list - patch - delete - 63: | + 64: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -2920,7 +2967,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 64: | + 65: | apiVersion: v1 kind: Service metadata: 
@@ -2937,7 +2984,7 @@ all capabilities: selector: app: operator type: ClusterIP - 65: | + 66: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -2947,7 +2994,7 @@ all capabilities: kubescape.io/ignore: "true" name: operator namespace: kubescape - 66: | + 67: | apiVersion: v1 data: otel-collector-config.yaml: "\n# receivers configure how data gets into the Collector.\nreceivers:\n otlp:\n protocols:\n grpc:\n endpoint: 0.0.0.0:4317\n http:\n endpoint: 0.0.0.0:4318\n hostmetrics:\n collection_interval: 30s\n scrapers:\n cpu:\n memory:\n\n# processors specify what happens with the received data.\nprocessors:\n attributes/ksCloud:\n actions:\n - key: account_id\n value: \"9e6c0c2c-6bd0-4919-815b-55030de7c9a0\"\n action: upsert\n - key: cluster_name\n value: \"kind-kind\"\n action: upsert\n batch:\n send_batch_size: 10000\n timeout: 10s\n\n# exporters configure how to send processed data to one or more backends.\nexporters:\n otlp/ksCloud:\n endpoint: ${env:CLOUD_OTEL_COLLECTOR_URL}\n tls:\n insecure: false\n otlp:\n endpoint: \"otelCollector:4317\"\n tls:\n insecure: true\n headers:\n uptrace-dsn: \n\n# service pulls the configured receivers, processors, and exporters together into\n# processing pipelines. Unused receivers/processors/exporters are ignored.\nservice:\n pipelines:\n traces:\n receivers: [otlp]\n processors: [batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics/2:\n receivers: [hostmetrics]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n logs:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp" @@ -2960,7 +3007,7 @@ all capabilities: tier: ks-control-plane name: otel-collector-config namespace: kubescape - 67: | + 68: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -2968,7 +3015,7 @@ all capabilities: app: otel-collector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: otel-collector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane @@ -3063,13 +3110,13 @@ all capabilities: - configMap: name: otel-collector-config name: otel-collector-config-volume - 68: | + 69: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: app: otel-collector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: otel-collector namespace: kubescape @@ -3119,7 +3166,7 @@ all capabilities: policyTypes: - Ingress - Egress - 69: | + 70: | apiVersion: v1 kind: Service metadata: @@ -3141,7 +3188,7 @@ all capabilities: selector: app: otel-collector type: ClusterIP - 70: | + 71: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -3158,7 +3205,7 @@ all capabilities: - get - watch - list - 71: | + 72: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -3173,7 +3220,7 @@ all capabilities: - kind: ServiceAccount name: prometheus-exporter namespace: kubescape - 72: | + 73: | apiVersion: apps/v1 kind: Deployment metadata: @@ -3258,13 +3305,13 @@ all capabilities: path: clusterData.json name: ks-cloud-config name: ks-cloud-config - 73: | + 74: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: app: prometheus-exporter - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: prometheus-exporter namespace: kubescape @@ -3280,7 +3327,7 @@ all capabilities: tier: ks-control-plane policyTypes: - Ingress - 74: | + 75: | apiVersion: v1 kind: Service metadata: @@ -3297,7 +3344,7 @@ all capabilities: selector: app: prometheus-exporter type: null - 75: | + 76: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -3307,7 +3354,7 @@ all capabilities: kubescape.io/ignore: "true" name: prometheus-exporter namespace: kubescape - 76: | + 77: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -3322,7 +3369,7 @@ all capabilities: selector: matchLabels: app: prometheus-exporter - 77: | + 78: | apiVersion: v1 data: proxy.crt: foo @@ -3337,7 +3384,7 @@ all capabilities: name: kubescape-proxy-certificate namespace: kubescape type: Opaque - 78: | + 79: | apiVersion: batch/v1 kind: Job metadata: @@ -3362,7 +3409,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: service-discovery - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 otel: enabled tier: ks-control-plane name: RELEASE-NAME @@ -3428,7 +3475,7 @@ all capabilities: - name: proxy-secret secret: secretName: kubescape-proxy-certificate - 79: | + 80: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -3451,7 +3498,7 @@ all capabilities: - patch - get - list - 80: | + 81: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -3470,7 +3517,7 @@ all capabilities: - kind: ServiceAccount name: service-discovery namespace: kubescape - 81: | + 82: | apiVersion: v1 kind: ServiceAccount metadata: @@ -3482,7 +3529,7 @@ all capabilities: kubescape.io/ignore: "true" name: service-discovery namespace: kubescape - 82: | + 83: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -3498,7 +3545,7 @@ all capabilities: namespace: kubescape version: v1beta1 versionPriority: 15 - 83: | + 84: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -3596,7 +3643,7 @@ all capabilities: - get - watch - list - 84: | + 85: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -3611,7 +3658,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 85: | + 86: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -3624,7 +3671,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 86: | + 87: | apiVersion: apps/v1 kind: Deployment metadata: @@ -3718,13 +3765,13 @@ all capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config - 87: | + 88: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: app: storage - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: storage namespace: kubescape @@ -3771,7 +3818,7 @@ all capabilities: tier: ks-control-plane policyTypes: - Egress - 88: | + 89: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -3788,7 +3835,7 @@ all capabilities: resources: requests: storage: 5Gi - 89: | + 90: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -3804,7 +3851,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 90: | + 91: | apiVersion: v1 kind: Service metadata: @@ -3821,7 +3868,7 @@ all capabilities: app.kubernetes.io/component: apiserver app.kubernetes.io/name: storage app.kubernetes.io/part-of: kubescape-storage - 91: | + 92: | apiVersion: v1 kind: ServiceAccount metadata: @@ -3829,7 +3876,7 @@ all capabilities: kubescape.io/ignore: "true" name: storage namespace: kubescape - 92: | + 93: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -3961,7 +4008,7 @@ all capabilities: - get - watch - list - 93: | + 94: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -3976,7 +4023,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 94: | + 95: | apiVersion: v1 data: config.json: | 
@@ -4184,7 +4231,7 @@ all capabilities: kubescape.io/tier: core name: synchronizer namespace: kubescape - 95: | + 96: | apiVersion: apps/v1 kind: Deployment metadata: @@ -4218,7 +4265,7 @@ all capabilities: app: synchronizer app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: synchronizer - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -4230,7 +4277,7 @@ all capabilities: - /usr/bin/client env: - name: HELM_RELEASE - value: kubescape-operator-1.19.1 + value: kubescape-operator-1.19.2 - name: GOMEMLIMIT value: 250MiB - name: KS_LOGGER_LEVEL @@ -4322,13 +4369,13 @@ all capabilities: path: config.json name: synchronizer name: config - 96: | + 97: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: app: synchronizer - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: synchronizer namespace: kubescape @@ -4378,7 +4425,7 @@ all capabilities: policyTypes: - Ingress - Egress - 97: | + 98: | apiVersion: v1 kind: Service metadata: @@ -4395,7 +4442,7 @@ all capabilities: selector: app: synchronizer type: ClusterIP - 98: | + 99: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -4407,7 +4454,7 @@ all capabilities: namespace: kubescape default capabilities: 1: | - raw: "Thank you for installing kubescape-operator version 1.19.1.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\n\n\nView your image vulnerabilities scan summaries:\n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available:\n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" + raw: "Thank you for installing kubescape-operator version 1.19.2.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\n\n\nView your image vulnerabilities scan summaries:\n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available:\n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" 2: | apiVersion: v1 data: 
@@ -4517,7 +4564,7 @@ default capabilities: app: gateway app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: gateway - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane @@ -4646,7 +4693,7 @@ default capabilities: metadata: labels: app: gateway - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: gateway namespace: kubescape @@ -4744,7 +4791,7 @@ default capabilities: app: grype-offline-db app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: grype-offline-db - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core tier: ks-control-plane spec: @@ -4874,7 +4921,7 @@ default capabilities: metadata: labels: app: kollector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kollector namespace: kubescape @@ -4954,7 +5001,7 @@ default capabilities: app: kollector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kollector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -5130,7 +5177,7 @@ default capabilities: metadata: labels: app: kubescape-scheduler - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubescape-scheduler namespace: kubescape @@ -5384,7 +5431,7 @@ default capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane 
@@ -5414,7 +5461,7 @@ default capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -5646,7 +5693,7 @@ default capabilities: metadata: labels: app: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubescape namespace: kubescape @@ -5871,7 +5918,7 @@ default capabilities: metadata: labels: app: kubevuln-scheduler - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubevuln-scheduler namespace: kubescape @@ -5979,7 +6026,7 @@ default capabilities: app: kubevuln app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubevuln - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -6087,7 +6134,7 @@ default capabilities: metadata: labels: app: kubevuln - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: kubevuln namespace: kubescape @@ -6315,7 +6362,7 @@ default capabilities: app: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: node-agent - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -6488,7 +6535,7 @@ default capabilities: metadata: labels: app: node-agent - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: node-agent namespace: kubescape 
@@ -6680,7 +6727,7 @@ default capabilities: app: operator app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: operator - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -6694,7 +6741,7 @@ default capabilities: - 2>&1 env: - name: HELM_RELEASE - value: kubescape-operator-1.19.1 + value: kubescape-operator-1.19.2 - name: GOMEMLIMIT value: 100MiB - name: KS_LOGGER_LEVEL @@ -6838,7 +6885,7 @@ default capabilities: metadata: labels: app: operator - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: operator namespace: kubescape @@ -7027,7 +7074,7 @@ default capabilities: app: otel-collector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: otel-collector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane @@ -7122,7 +7169,7 @@ default capabilities: metadata: labels: app: otel-collector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: otel-collector namespace: kubescape @@ -7228,7 +7275,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: service-discovery - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 otel: enabled tier: ks-control-plane name: RELEASE-NAME @@ -7582,7 +7629,7 @@ default capabilities: metadata: labels: app: storage - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: storage namespace: kubescape 
@@ -8065,7 +8112,7 @@ default capabilities: app: synchronizer app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: synchronizer - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -8077,7 +8124,7 @@ default capabilities: - /usr/bin/client env: - name: HELM_RELEASE - value: kubescape-operator-1.19.1 + value: kubescape-operator-1.19.2 - name: GOMEMLIMIT value: 250MiB - name: KS_LOGGER_LEVEL @@ -8163,7 +8210,7 @@ default capabilities: metadata: labels: app: synchronizer - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 tier: ks-control-plane name: synchronizer namespace: kubescape @@ -8236,7 +8283,7 @@ default capabilities: namespace: kubescape minimal capabilities: 1: | - raw: "Thank you for installing kubescape-operator version 1.19.1.\n\n\n\n\nView your image vulnerabilities scan summaries:\n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available:\n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" + raw: "Thank you for installing kubescape-operator version 1.19.2.\n\n\n\n\nView your image vulnerabilities scan summaries:\n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available:\n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" 2: | apiVersion: v1 data: @@ -8553,7 +8600,7 @@ minimal capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane 
@@ -8582,7 +8629,7 @@ minimal capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -8942,7 +8989,7 @@ minimal capabilities: app: kubevuln app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubevuln - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -9219,7 +9266,7 @@ minimal capabilities: app: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: node-agent - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -9539,7 +9586,7 @@ minimal capabilities: app: operator app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: operator - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/tier: core otel: enabled tier: ks-control-plane @@ -9553,7 +9600,7 @@ minimal capabilities: - 2>&1 env: - name: HELM_RELEASE - value: kubescape-operator-1.19.1 + value: kubescape-operator-1.19.2 - name: GOMEMLIMIT value: 100MiB - name: KS_LOGGER_LEVEL @@ -9790,7 +9837,7 @@ minimal capabilities: app: otel-collector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: otel-collector - helm.sh/chart: kubescape-operator-1.19.1 + helm.sh/chart: kubescape-operator-1.19.2 kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index 7e82cdfb..807731d0 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml +++ b/charts/kubescape-operator/tests/snapshot_test.yaml 
@@ -9,6 +9,8 @@ tests:
 set:
 account: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0
 accessKey: f304d73b-d43c-412b-82ea-e4c859493ce6
+ alertCRD:
+ installDefault: true
 capabilities:
 configurationScan: enable
 continuousScan: enable
@@ -140,4 +142,4 @@ tests:
 - registry: test.example.com
 username: xxx
 password: yyy
- insecure: true
\ No newline at end of file
+ insecure: true
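Review bot: The new `alertCRD.installDefault: true` is added to a single fixture's `set:` block in the first hunk, so the snapshot suite pins the rendered `RuntimeRuleAlertBinding` in only one configuration; judging by the snapshot file, that is the `all capabilities` case, while `default capabilities` and `minimal capabilities` render without the binding, so the value's disabled path is covered only implicitly. The rendered binding (snapshot entry `51`, name `all-rules-all-pods`) also carries no `helm.sh/chart` or `tier: ks-control-plane` label and no `namespace`, unlike the Deployments and NetworkPolicies in the same snapshot; if the resource is cluster-scoped that is fine, but it deserves a deliberate decision since the other objects are labelled uniformly. Because this one value turns on a detection policy whose shipped defaults exclude six namespaces and ignore file access under `/proc`, `/tmp` and the service-account token mounts, I would document those defaults next to the value rather than leave them discoverable only in the snapshot, e.g. `# installDefault renders a RuntimeRuleAlertBinding (all-rules-all-pods) that binds every rule to all pods outside kube-system, kube-public, kube-node-lease, kubeconfig, gmp-system and gmp-public; set false if you ship your own bindings.` The enclosing test entry starts before this hunk, so which named test the `set:` block belongs to is inferred, not visible here.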