diff --git a/charts/kubescape-operator/templates/storage/clusterrole.yaml b/charts/kubescape-operator/templates/storage/clusterrole.yaml
index acfc39bd..cce6552f 100644
--- a/charts/kubescape-operator/templates/storage/clusterrole.yaml
+++ b/charts/kubescape-operator/templates/storage/clusterrole.yaml
@@ -6,12 +6,30 @@ metadata:
 name: {{ .Values.storage.name }}
 rules:
 - apiGroups: [""]
- resources: ["namespaces"]
+ resources: ["configmaps", "endpoints", "namespaces", "nodes", "persistentvolumeclaims", "persistentvolumes", "pods", "secrets", "serviceaccounts", "services"]
 verbs: ["get", "watch", "list"]
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
 verbs: ["get", "watch", "list"]
+- apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+ resources: ["cronjobs", "jobs"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "watch", "list"]
 - apiGroups: ["flowcontrol.apiserver.k8s.io"]
 resources: ["prioritylevelconfigurations", "flowschemas"]
 verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
+ verbs: ["get", "watch", "list"]
 {{- end }}
diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
index a9f6d5ee..2a75c759 100644
--- a/charts/kubescape-operator/templates/storage/deployment.yaml
+++ b/charts/kubescape-operator/templates/storage/deployment.yaml
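Review bot: The widened core-group rule in the first added line grants `get`, `watch` and `list` on `secrets` across the whole cluster, which lets the storage service account read the data of every Secret, not only its metadata, because RBAC cannot limit a read verb to metadata. The reason this ClusterRole needs Secret contents is not visible in the hunk, so it should be stated beside the rule so the grant is not widened further without thought, e.g. `# "secrets": cluster-wide read of every Secret's data; needed for <reason — fill in>, do not add write verbs`, and if the need is limited to particular namespaces a Role plus RoleBinding per namespace would be the narrower shape. The same rule also adds `serviceaccounts`, and the new `rbac.authorization.k8s.io` rule exposes the full role graph, both read-only, which presumably serves an inventory use case but is worth a line in the chart's README alongside the Secret access. The `rules:` list sits inside a template conditional whose opening is outside the hunk; only the closing `{{- end }}` is visible.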
@@ -35,6 +35,8 @@ spec: allowPrivilegeEscalation: false runAsNonRoot: true env: + - name: "CLEANUP_INTERVAL" + value: "{{ .Values.storage.cleanupInterval }}" - name: "GOMEMLIMIT" value: "{{ .Values.storage.resources.requests.memory }}B" - name: KS_LOGGER_LEVEL diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index 71d02382..b5e0c34e 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap @@ -2553,7 +2553,16 @@ all capabilities: - apiGroups: - "" resources: + - configmaps + - endpoints - namespaces + - nodes + - persistentvolumeclaims + - persistentvolumes + - pods + - secrets + - serviceaccounts + - services verbs: - get - watch @@ -2567,6 +2576,50 @@ all capabilities: - get - watch - list + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list - apiGroups: - flowcontrol.apiserver.k8s.io resources: @@ -2576,6 +2629,17 @@ all capabilities: - get - watch - list + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - watch + - list 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -2633,6 +2697,8 @@ all capabilities: affinity: null containers: - env: + - name: CLEANUP_INTERVAL + value: 24h - name: GOMEMLIMIT value: 400MiB - name: KS_LOGGER_LEVEL 
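Review bot: The new `CLEANUP_INTERVAL` entry is rendered unconditionally, so an operator who overrides `storage.cleanupInterval` with an empty value gets `CLEANUP_INTERVAL=""` in the container, and whether the binary treats that as "disabled" or fails to parse is not visible here. Making the fallback explicit at the point of use, `value: "{{ .Values.storage.cleanupInterval | default "24h" }}"`, or failing the render with `required`, would keep the manifest unambiguous. The quoting itself is right: wrapping the templated value in double quotes means a value like 24h or a numeric-looking override cannot be retyped by the YAML parser. The container spec continues outside the hunk on both sides.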
@@ -5516,7 +5582,16 @@ default capabilities: - apiGroups: - "" resources: + - configmaps + - endpoints - namespaces + - nodes + - persistentvolumeclaims + - persistentvolumes + - pods + - secrets + - serviceaccounts + - services verbs: - get - watch @@ -5530,6 +5605,50 @@ default capabilities: - get - watch - list + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list - apiGroups: - flowcontrol.apiserver.k8s.io resources: @@ -5539,6 +5658,17 @@ default capabilities: - get - watch - list + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - watch + - list 65: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -5596,6 +5726,8 @@ default capabilities: affinity: null containers: - env: + - name: CLEANUP_INTERVAL + value: 24h - name: GOMEMLIMIT value: 400MiB - name: KS_LOGGER_LEVEL @@ -7498,7 +7630,16 @@ minimal capabilities: - apiGroups: - "" resources: + - configmaps + - endpoints - namespaces + - nodes + - persistentvolumeclaims + - persistentvolumes + - pods + - secrets + - serviceaccounts + - services verbs: - get - watch 
@@ -7512,6 +7653,50 @@ minimal capabilities: - get - watch - list + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list - apiGroups: - flowcontrol.apiserver.k8s.io resources: @@ -7521,6 +7706,17 @@ minimal capabilities: - get - watch - list + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - watch + - list 40: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -7578,6 +7774,8 @@ minimal capabilities: affinity: null containers: - env: + - name: CLEANUP_INTERVAL + value: 24h - name: GOMEMLIMIT value: 400MiB - name: KS_LOGGER_LEVEL diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index f319a3df..795b712e 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -547,6 +547,9 @@ storage: # Values or the Aggregated APIServer name: "storage" + # cleanup interval is a duration string + cleanupInterval: "24h" + labels: app.kubernetes.io/name: "storage" app.kubernetes.io/component: "apiserver"
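Review bot: The comment above the new `cleanupInterval` key in values.yaml says only that the value is a duration string, without naming the accepted format or what the interval controls. The adjacent `GOMEMLIMIT` variable suggests the consumer is a Go binary, so presumably this is parsed as a Go `time.Duration`; if that is confirmed, a comment such as `# How often the storage component runs its cleanup pass, as a Go duration string (e.g. "24h", "30m")` would tell operators which values are valid. Keeping the default quoted as `"24h"` is right and should be preserved by anyone editing it, since an override like `24` or `1.5` would otherwise be parsed as a number. The snapshot hunks on this line only mirror the template changes and need no separate review.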