From 35e1a420ef3920f1f2a559580bd3a7097c627711 Mon Sep 17 00:00:00 2001
From: Amir Malka
Date: Sun, 30 Jun 2024 10:57:16 +0300
Subject: [PATCH] skip ssl verification
Signed-off-by: Amir Malka
---
 .../assets/kubescape-cronjob-full.yaml | 3 ++
 .../assets/kubevuln-cronjob-full.yaml | 3 ++
 .../assets/registry-scan-cronjob-full.yaml | 3 ++
 .../kubescape-scheduler/cronjob.yaml | 3 ++
 .../templates/kubevuln-scheduler/cronjob.yaml | 3 ++
 .../templates/servicediscovery/job.yaml | 3 ++
 .../__snapshot__/snapshot_test.yaml.snap | 30 +++++++++----------
 .../tests/snapshot_test.yaml | 2 +-
 charts/kubescape-operator/values.yaml | 20 ++++++++++---
 9 files changed, 50 insertions(+), 20 deletions(-)
diff --git a/charts/kubescape-operator/assets/kubescape-cronjob-full.yaml b/charts/kubescape-operator/assets/kubescape-cronjob-full.yaml
index 51dd35fb..2d2d4015 100644
--- a/charts/kubescape-operator/assets/kubescape-cronjob-full.yaml
+++ b/charts/kubescape-operator/assets/kubescape-cronjob-full.yaml
@@ -43,6 +43,9 @@ apiVersion: batch/v1
 - -path=v1/triggerAction
 - -headers=Content-Type:application/json
 - -path-body=/home/ks/request-body.json
+ {{- if .Values.kubescapeScheduler.insecureSkipTLSVerify }}
+ - -skip-ssl-verify=true
+ {{- end}}
 volumeMounts:
 - name: "request-body-volume"
 mountPath: /home/ks/request-body.json
diff --git a/charts/kubescape-operator/assets/kubevuln-cronjob-full.yaml b/charts/kubescape-operator/assets/kubevuln-cronjob-full.yaml
index ae023800..271bb645 100644
--- a/charts/kubescape-operator/assets/kubevuln-cronjob-full.yaml
+++ b/charts/kubescape-operator/assets/kubevuln-cronjob-full.yaml
@@ -43,6 +43,9 @@ apiVersion: batch/v1
 - -path=v1/triggerAction
 - -headers=Content-Type:application/json
 - -path-body=/home/ks/request-body.json
+ {{- if .Values.kubevulnScheduler.insecureSkipTLSVerify }}
+ - -skip-ssl-verify=true
+ {{- end}}
 volumeMounts:
 - name: "request-body-volume"
 mountPath: /home/ks/request-body.json
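Review bot: The new `{{- if .Values.kubescapeScheduler.insecureSkipTLSVerify }}` branch is exercised by no chart test: the only change to `tests/snapshot_test.yaml` in this patch is the lost trailing newline, and every snapshot hunk changes just the image tag, so the rendered indentation of the added `- -skip-ssl-verify=true` item under `args:` when the value is true is unverified (the collapsed diff hides the indentation, so it cannot be checked here either). Add a snapshot case that sets the value to true and asserts the flag appears as a list item of the container args. `{{- end}}` should be `{{- end }}` to match the spacing of the opening tag. The same applies to the hunks for kubevuln-cronjob-full.yaml, registry-scan-cronjob-full.yaml, kubescape-scheduler/cronjob.yaml, kubevuln-scheduler/cronjob.yaml and servicediscovery/job.yaml; in each, the container's `args:` list starts before the hunk.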
diff --git a/charts/kubescape-operator/assets/registry-scan-cronjob-full.yaml b/charts/kubescape-operator/assets/registry-scan-cronjob-full.yaml
index edf3dea6..329ff06d 100644
--- a/charts/kubescape-operator/assets/registry-scan-cronjob-full.yaml
+++ b/charts/kubescape-operator/assets/registry-scan-cronjob-full.yaml
@@ -43,6 +43,9 @@ apiVersion: batch/v1
 - -path=v1/triggerAction
 - -headers=Content-Type:application/json
 - -path-body=/home/ks/request-body.json
+ {{- if .Values.registryScanScheduler.insecureSkipTLSVerify }}
+ - -skip-ssl-verify=true
+ {{- end}}
 volumeMounts:
 - name: "request-body-volume"
 mountPath: /home/ks/request-body.json
diff --git a/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml b/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
index fe8a93b7..4d9e9c9f 100644
--- a/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
+++ b/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
@@ -52,6 +52,9 @@ spec:
 - -path=v1/triggerAction
 - -headers=Content-Type:application/json
 - -path-body=/home/ks/request-body.json
+ {{- if .Values.kubescapeScheduler.insecureSkipTLSVerify }}
+ - -skip-ssl-verify=true
+ {{- end}}
 volumeMounts:
 - name: {{ .Values.kubescapeScheduler.name }}
 mountPath: /home/ks/request-body.json
diff --git a/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml b/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
index ea2dca39..2dd4dd97 100644
--- a/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
+++ b/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
@@ -52,6 +52,9 @@ spec:
 - -path=v1/triggerAction
 - -headers=Content-Type:application/json
 - -path-body=/home/ks/request-body.json
+ {{- if .Values.kubevulnScheduler.insecureSkipTLSVerify }}
+ - -skip-ssl-verify=true
+ {{- end}}
 volumeMounts:
 - name: {{ .Values.kubevulnScheduler.name }}
 mountPath: /home/ks/request-body.json
diff --git a/charts/kubescape-operator/templates/servicediscovery/job.yaml b/charts/kubescape-operator/templates/servicediscovery/job.yaml
index ee84ecc0..df4a8d0a 100644
--- a/charts/kubescape-operator/templates/servicediscovery/job.yaml
+++ b/charts/kubescape-operator/templates/servicediscovery/job.yaml
@@ -56,6 +56,9 @@ spec:
 - -host={{ .Values.server }}
 - -path=api/v2/servicediscovery
 - -path-output=/data/services.json
+ {{- if .Values.serviceDiscovery.urlDiscovery.insecureSkipTLSVerify }}
+ - -skip-ssl-verify=true
+ {{- end}}
 volumeMounts:
 - name: shared-data
 mountPath: /data
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index e0d581cd..6c994342 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -878,7 +878,7 @@ all capabilities:
 - -path=v1/triggerAction
 - -headers=Content-Type:application/json
 - -path-body=/home/ks/request-body.json
- image: quay.io/kubescape/http-request:v0.2.6
+ image: quay.io/kubescape/http-request:v0.2.8
 imagePullPolicy: IfNotPresent
 name: kubescape-scheduler
 resources:
@@ -1652,7 +1652,7 @@ all capabilities:
 - -path=v1/triggerAction
 - -headers=Content-Type:application/json
 - -path-body=/home/ks/request-body.json
- image: quay.io/kubescape/http-request:v0.2.6
+ image: quay.io/kubescape/http-request:v0.2.8
 imagePullPolicy: IfNotPresent
 name: kubevuln-scheduler
 resources:
@@ -2744,7 +2744,7 @@ all capabilities: 58: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: kubescape-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - 
name: kubescape-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" kind: ConfigMap metadata: labels: 
@@ -2757,7 +2757,7 @@ all capabilities: 59: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: kubevuln-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: kubevuln-scheduler\n 
image: \"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" kind: ConfigMap metadata: labels: 
@@ -2860,7 +2860,7 @@ all capabilities: 61: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n kubescape.io/tier: \"core\"\n spec:\n imagePullSecrets:\n - name: foo\n containers:\n - name: 
registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" kind: ConfigMap metadata: labels: @@ -3402,7 +3402,7 @@ all capabilities: value: https://foo:bar@baz:1234 - name: no_proxy value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1 - image: quay.io/kubescape/http-request:v0.2.6 + image: quay.io/kubescape/http-request:v0.2.8 imagePullPolicy: IfNotPresent name: url-discovery resources: @@ -5095,7 +5095,7 @@ default capabilities: - -path=v1/triggerAction - -headers=Content-Type:application/json - -path-body=/home/ks/request-body.json - image: quay.io/kubescape/http-request:v0.2.6 + image: quay.io/kubescape/http-request:v0.2.8 imagePullPolicy: IfNotPresent name: kubescape-scheduler resources: @@ -5836,7 +5836,7 @@ default capabilities: - -path=v1/triggerAction - -headers=Content-Type:application/json - -path-body=/home/ks/request-body.json - image: quay.io/kubescape/http-request:v0.2.6 + image: quay.io/kubescape/http-request:v0.2.8 imagePullPolicy: IfNotPresent name: kubevuln-scheduler resources: 
@@ -6809,7 +6809,7 @@ default capabilities: 51: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubescape-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubescape-scheduler\n image: 
\"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" kind: ConfigMap metadata: labels: 
@@ -6822,7 +6822,7 @@ default capabilities: 52: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubevuln-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubevuln-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n 
imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" kind: ConfigMap metadata: labels: 
@@ -6919,7 +6919,7 @@ default capabilities: 54: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n 
imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" kind: ConfigMap metadata: labels: @@ -7262,7 +7262,7 @@ default capabilities: - -path=api/v2/servicediscovery - -path-output=/data/services.json env: null - image: quay.io/kubescape/http-request:v0.2.6 + image: quay.io/kubescape/http-request:v0.2.8 imagePullPolicy: IfNotPresent name: url-discovery resources: 
@@ -9656,7 +9656,7 @@ minimal capabilities: 30: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubescape-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubescape-scheduler\n namespace: kubescape\n labels:\n app: kubescape-scheduler\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n armo.tier: \"kubescape-scan\"\nspec:\n schedule: \"1 2 3 4 5\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"kubescape-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubescape-scheduler\n image: 
\"quay.io/kubescape/http-request:v0.2.8\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubescape-scheduler" kind: ConfigMap metadata: labels: 
@@ -9669,7 +9669,7 @@ minimal capabilities: 31: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubevuln-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: kubevuln-scheduler\n namespace: kubescape\n labels:\n app: kubevuln-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"vuln-scan\"\nspec:\n schedule: \"1 2 3 4 5\" \n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"vuln-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: kubevuln-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n 
imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: kubevuln-scheduler" kind: ConfigMap metadata: labels: 
@@ -9682,7 +9682,7 @@ minimal capabilities: 32: | apiVersion: v1 data: - cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.6\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" + cronjobTemplate: "apiVersion: batch/v1\nkind: CronJob\nmetadata:\n name: registry-scheduler\n namespace: kubescape\n labels:\n app: registry-scheduler\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n tier: ks-control-plane\n armo.tier: \"registry-scan\"\nspec:\n schedule: \"0 0 * * *\"\n successfulJobsHistoryLimit: 3\n failedJobsHistoryLimit: 1\n jobTemplate:\n spec:\n template:\n metadata:\n labels:\n armo.tier: \"registry-scan\"\n kubescape.io/tier: \"core\"\n spec:\n containers:\n - name: registry-scheduler\n image: \"quay.io/kubescape/http-request:v0.2.8\"\n 
imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n runAsNonRoot: true\n runAsUser: 100\n resources:\n limits:\n cpu: 10m\n memory: 20Mi\n requests:\n cpu: 1m\n memory: 10Mi\n args: \n - -method=post\n - -scheme=http\n - -host=operator:4002\n - -path=v1/triggerAction\n - -headers=Content-Type:application/json\n - -path-body=/home/ks/request-body.json\n volumeMounts:\n - name: \"request-body-volume\"\n mountPath: /home/ks/request-body.json\n subPath: request-body.json\n readOnly: true\n restartPolicy: Never\n automountServiceAccountToken: false\n nodeSelector:\n affinity:\n tolerations:\n volumes:\n - name: \"request-body-volume\" # placeholder\n configMap:\n name: registry-scheduler" kind: ConfigMap metadata: labels: diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index 6789a542..7e82cdfb 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml +++ b/charts/kubescape-operator/tests/snapshot_test.yaml @@ -140,4 +140,4 @@ tests: - registry: test.example.com username: xxx password: yyy - insecure: true + insecure: true \ No newline at end of file diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index 27b276d2..00b3d45f 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -721,8 +721,11 @@ serviceDiscovery: name: url-discovery image: repository: quay.io/kubescape/http-request - tag: v0.2.6 + tag: v0.2.8 pullPolicy: IfNotPresent + + # Skip SSL certificate verification + insecureSkipTLSVerify: false configMapCheck: name: check-url-configmap 
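Review bot: The comment `# Skip SSL certificate verification` added above `insecureSkipTLSVerify: false` names the mechanism but not the consequence, and a switch that turns off certificate checking should say what is given up before someone flips it; suggest `# Disable TLS certificate verification for the url-discovery request (renders -skip-ssl-verify=true). Any certificate is accepted, so keep false and trust the endpoint's CA instead unless the target really uses a self-signed certificate.` The same one-line comment is repeated in the kubescapeScheduler, kubevulnScheduler and registryScanScheduler hunks and should carry the same caveat, with the scheduler's own name. The bump of `tag: v0.2.6` to `v0.2.8` is presumably what makes `-skip-ssl-verify` available in the http-request image; if so, a short comment next to the tag would keep a later downgrade from silently breaking the flag.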
@@ -829,9 +832,12 @@ kubescapeScheduler: image: # -- source code: https://github.com/kubescape/http-request (public repo) repository: quay.io/kubescape/http-request - tag: v0.2.6 + tag: v0.2.8 pullPolicy: IfNotPresent + # Skip SSL certificate verification + insecureSkipTLSVerify: false + # Additional volumes to be mounted on the scan scheduler volumes: [ ] @@ -869,8 +875,11 @@ kubevulnScheduler: image: # source code - https://github.com/kubescape/http-request repository: quay.io/kubescape/http-request - tag: v0.2.6 + tag: v0.2.8 pullPolicy: IfNotPresent + + # Skip SSL certificate verification + insecureSkipTLSVerify: false # Additional volumes to be mounted on the vuln scan scheduler volumes: [ ] @@ -911,8 +920,11 @@ registryScanScheduler: image: # -- source code: https://github.com/kubescape/http-request (public repo) repository: quay.io/kubescape/http-request - tag: v0.2.6 + tag: v0.2.8 pullPolicy: IfNotPresent + + # Skip SSL certificate verification + insecureSkipTLSVerify: false # Additional volumes to be mounted on the scan scheduler volumes: [ ]