Merge pull request #368 from kubescape/cleanup

add cleanup interval and missing rbac for storage
kubescape · Jan 8, 2024 · 877bac0 · 877bac0
2 parents 06d6c17 + a22c2f3
commit 877bac0
Show file tree

Hide file tree

Showing 4 changed files with 222 additions and 1 deletion.
diff --git a/charts/kubescape-operator/templates/storage/clusterrole.yaml b/charts/kubescape-operator/templates/storage/clusterrole.yaml
@@ -6,12 +6,30 @@ metadata:
   name: {{ .Values.storage.name }}
 rules:
 - apiGroups: [""]
-  resources: ["namespaces"]
+  resources: ["configmaps", "endpoints", "namespaces", "nodes", "persistentvolumeclaims", "persistentvolumes", "pods", "secrets", "serviceaccounts", "services"]
   verbs: ["get", "watch", "list"]
 - apiGroups: ["admissionregistration.k8s.io"]
   resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
   verbs: ["get", "watch", "list"]
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+  resources: ["cronjobs", "jobs"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["get", "watch", "list"]
 - apiGroups: ["flowcontrol.apiserver.k8s.io"]
   resources: ["prioritylevelconfigurations", "flowschemas"]
   verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
+  verbs: ["get", "watch", "list"]
 {{- end }}
diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -35,6 +35,8 @@ spec:
           allowPrivilegeEscalation: false
           runAsNonRoot: true
         env:
+          - name: "CLEANUP_INTERVAL"
+            value: "{{ .Values.storage.cleanupInterval }}"
           - name: "GOMEMLIMIT"
             value: "{{ .Values.storage.resources.requests.memory }}B"
           - name: KS_LOGGER_LEVEL

diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -2553,7 +2553,16 @@ all capabilities:
       - apiGroups:
           - ""
         resources:
+          - configmaps
+          - endpoints
           - namespaces
+          - nodes
+          - persistentvolumeclaims
+          - persistentvolumes
+          - pods
+          - secrets
+          - serviceaccounts
+          - services
         verbs:
           - get
           - watch
@@ -2567,6 +2576,50 @@ all capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - apiregistration.k8s.io
+        resources:
+          - apiservices
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - apps
+        resources:
+          - daemonsets
+          - deployments
+          - replicasets
+          - statefulsets
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - batch
+        resources:
+          - cronjobs
+          - jobs
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - coordination.k8s.io
+        resources:
+          - leases
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - get
+          - watch
+          - list
       - apiGroups:
           - flowcontrol.apiserver.k8s.io
         resources:
@@ -2576,6 +2629,17 @@ all capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - rbac.authorization.k8s.io
+        resources:
+          - clusterroles
+          - clusterrolebindings
+          - roles
+          - rolebindings
+        verbs:
+          - get
+          - watch
+          - list
   69: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -2633,6 +2697,8 @@ all capabilities:
           affinity: null
           containers:
             - env:
+                - name: CLEANUP_INTERVAL
+                  value: 24h
                 - name: GOMEMLIMIT
                   value: 400MiB
                 - name: KS_LOGGER_LEVEL
@@ -5516,7 +5582,16 @@ default capabilities:
       - apiGroups:
           - ""
         resources:
+          - configmaps
+          - endpoints
           - namespaces
+          - nodes
+          - persistentvolumeclaims
+          - persistentvolumes
+          - pods
+          - secrets
+          - serviceaccounts
+          - services
         verbs:
           - get
           - watch
@@ -5530,6 +5605,50 @@ default capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - apiregistration.k8s.io
+        resources:
+          - apiservices
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - apps
+        resources:
+          - daemonsets
+          - deployments
+          - replicasets
+          - statefulsets
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - batch
+        resources:
+          - cronjobs
+          - jobs
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - coordination.k8s.io
+        resources:
+          - leases
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - get
+          - watch
+          - list
       - apiGroups:
           - flowcontrol.apiserver.k8s.io
         resources:
@@ -5539,6 +5658,17 @@ default capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - rbac.authorization.k8s.io
+        resources:
+          - clusterroles
+          - clusterrolebindings
+          - roles
+          - rolebindings
+        verbs:
+          - get
+          - watch
+          - list
   65: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -5596,6 +5726,8 @@ default capabilities:
           affinity: null
           containers:
             - env:
+                - name: CLEANUP_INTERVAL
+                  value: 24h
                 - name: GOMEMLIMIT
                   value: 400MiB
                 - name: KS_LOGGER_LEVEL
@@ -7498,7 +7630,16 @@ minimal capabilities:
       - apiGroups:
           - ""
         resources:
+          - configmaps
+          - endpoints
           - namespaces
+          - nodes
+          - persistentvolumeclaims
+          - persistentvolumes
+          - pods
+          - secrets
+          - serviceaccounts
+          - services
         verbs:
           - get
           - watch
@@ -7512,6 +7653,50 @@ minimal capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - apiregistration.k8s.io
+        resources:
+          - apiservices
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - apps
+        resources:
+          - daemonsets
+          - deployments
+          - replicasets
+          - statefulsets
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - batch
+        resources:
+          - cronjobs
+          - jobs
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - coordination.k8s.io
+        resources:
+          - leases
+        verbs:
+          - get
+          - watch
+          - list
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - get
+          - watch
+          - list
       - apiGroups:
           - flowcontrol.apiserver.k8s.io
         resources:
@@ -7521,6 +7706,17 @@ minimal capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - rbac.authorization.k8s.io
+        resources:
+          - clusterroles
+          - clusterrolebindings
+          - roles
+          - rolebindings
+        verbs:
+          - get
+          - watch
+          - list
   40: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -7578,6 +7774,8 @@ minimal capabilities:
           affinity: null
           containers:
             - env:
+                - name: CLEANUP_INTERVAL
+                  value: 24h
                 - name: GOMEMLIMIT
                   value: 400MiB
                 - name: KS_LOGGER_LEVEL

diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
@@ -547,6 +547,9 @@ storage:
   # Values or the Aggregated APIServer
   name: "storage"
 
+  # cleanup interval is a duration string
+  cleanupInterval: "24h"
+
   labels:
     app.kubernetes.io/name: "storage"
     app.kubernetes.io/component: "apiserver"