From b84e86dc7273acd1c055d354ca6946bb365cad11 Mon Sep 17 00:00:00 2001 From: Kubescape bot <128967169+kubescapebot@users.noreply.github.com> Date: Wed, 26 Jul 2023 09:07:24 +0300 Subject: [PATCH] Pulling dev branch into main - Automated PR by CICD (#238) * Automated commit - update node-agent image tag with: v0.1.78 Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * restore TRIGGER_SECURITY_FRAMEWORK Signed-off-by: kooomix * Automated commit - update node-agent image tag with: v0.1.81 Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Automated commit - update node-agent image tag with: v0.1.83 Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Automated commit - update node-agent image tag with: v0.1.85 Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * update node-agent Signed-off-by: David Wertenteil * revert chart tag Signed-off-by: David Wertenteil * Automated commit - update node-agent image tag with: v0.1.86 Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * bump node-agent version Signed-off-by: David Wertenteil * after merge Signed-off-by: David Wertenteil * Automated commit - update node-agent image tag with: v0.1.87 Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * bump node-agent version Signed-off-by: David Wertenteil * remove kubevuln pv Signed-off-by: David Wertenteil * adding cr to ks Signed-off-by: David Wertenteil --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: kooomix 
Signed-off-by: David Wertenteil Co-authored-by: kubescapebot Co-authored-by: kooomix Co-authored-by: David Wertenteil --- charts/kubescape-cloud-operator/Chart.yaml | 4 +- .../templates/kubescape/clusterrole.yaml | 6 ++ .../templates/kubevuln/deployment.yaml | 5 -- .../templates/kubevuln/pvc.yaml | 18 ----- .../templates/node-agent/daemonset.yaml | 14 ++-- .../templates/operator/deployment.yaml | 2 +- charts/kubescape-cloud-operator/values.yaml | 65 ++++++++++--------- 7 files changed, 48 insertions(+), 66 deletions(-) delete mode 100644 charts/kubescape-cloud-operator/templates/kubevuln/pvc.yaml diff --git a/charts/kubescape-cloud-operator/Chart.yaml b/charts/kubescape-cloud-operator/Chart.yaml index a0d2a380..f335d66c 100644 --- a/charts/kubescape-cloud-operator/Chart.yaml +++ b/charts/kubescape-cloud-operator/Chart.yaml @@ -9,14 +9,14 @@ type: application # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.14.1 +version: 1.14.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 1.14.1 +appVersion: 1.14.2 maintainers: - name: Ben Hirschberg diff --git a/charts/kubescape-cloud-operator/templates/kubescape/clusterrole.yaml b/charts/kubescape-cloud-operator/templates/kubescape/clusterrole.yaml index 2e427468..834d7c0a 100644 --- a/charts/kubescape-cloud-operator/templates/kubescape/clusterrole.yaml +++ b/charts/kubescape-cloud-operator/templates/kubescape/clusterrole.yaml 
@@ -45,6 +45,12 @@ rules:
 - apiGroups: ["storage.k8s.io"]
 resources: ["csistoragecapacities"]
 verbs: ["get", "watch", "list"]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["extensions"]
+ resources: ["Ingress"]
+ verbs: ["get", "watch", "list"]
 - apiGroups: [""]
 resources: ["namespaces"]
 verbs: ["update"]
diff --git a/charts/kubescape-cloud-operator/templates/kubevuln/deployment.yaml b/charts/kubescape-cloud-operator/templates/kubevuln/deployment.yaml
index 62477e8d..1ef44f1b 100644
--- a/charts/kubescape-cloud-operator/templates/kubevuln/deployment.yaml
+++ b/charts/kubescape-cloud-operator/templates/kubevuln/deployment.yaml
@@ -134,12 +134,7 @@ spec:
 - key: "clusterData"
 path: "clusterData.json"
 - name: "grype-db"
- {{- if .Values.persistence.enabled }}
- persistentVolumeClaim:
- claimName: "{{ .Values.kubevuln.name }}"
- {{- else }}
 emptyDir: {}
- {{- end }}
 {{- if .Values.volumes }}
 {{ toYaml .Values.volumes | indent 8 }}
 {{- end }}
diff --git a/charts/kubescape-cloud-operator/templates/kubevuln/pvc.yaml b/charts/kubescape-cloud-operator/templates/kubevuln/pvc.yaml
deleted file mode 100644
index 86d5ef5d..00000000
--- a/charts/kubescape-cloud-operator/templates/kubevuln/pvc.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.kubevuln.enabled .Values.persistence.enabled }}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: {{ .Values.kubevuln.name }}
- namespace: {{ .Values.ksNamespace }}
- labels:
- app: {{ .Values.kubevuln.name }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.persistence.size.kubevuln }}
- {{- if ne .Values.persistence.storageClass "-" }}
- storageClassName: {{ .Values.persistence.storageClass | quote }}
- {{- end }}
-{{- end }}
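Review bot: The added `extensions` rule names the resource as `["Ingress"]`, but RBAC matches lowercase plural resource names, so `Ingress` matches nothing and the rule grants no access; if it is meant to cover the legacy API it should read `resources: ["ingresses"]` like the `networking.k8s.io` rule above it. The `extensions/v1beta1` Ingress API was removed in Kubernetes 1.22, so on current clusters only the `networking.k8s.io` rule is effective and the second rule can likely be dropped, which also keeps the ClusterRole to the minimum the scanner needs. Either way the two rules should agree, since the mismatch reads like a typo rather than an intentional difference. The rules list continues outside the hunk.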
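Review bot: The grype-db volume becomes an unconditional `emptyDir`, but the removed branch and the deleted pvc.yaml show that `.Values.persistence.enabled`, `persistence.accessMode`, `persistence.size.kubevuln` and `persistence.storageClass` were consumed here; none of this PR's values.yaml hunks remove those keys, so unless they are dropped elsewhere a user who sets `persistence.enabled: true` will have it silently ignored for kubevuln. Either remove the now-dead keys or document the new behaviour next to the volume, e.g. `# grype DB cache is ephemeral (emptyDir) and is re-fetched after a pod restart`. The enclosing volumes list continues outside the hunk.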
diff --git a/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml
index 8fcadcea..1db6a491 100644
--- a/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml
+++ b/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml
@@ -41,8 +41,6 @@ spec:
 operator: In
 values:
 - amd64
- # - ppc64le
- # - s390x
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
@@ -88,14 +86,14 @@ spec:
 secretName: {{ .Values.global.proxySecretName }}
 {{- end }}
 containers:
- - name: {{ .Values.nodeAgent.containers.nodeAgent.name }}
- image: "{{ .Values.nodeAgent.containers.nodeAgent.image.repository }}:{{ .Values.nodeAgent.containers.nodeAgent.image.tag }}"
- imagePullPolicy: {{ .Values.nodeAgent.containers.nodeAgent.image.pullPolicy }}
+ - name: {{ .Values.nodeAgent.name }}
+ image: "{{ .Values.nodeAgent.image.repository }}:{{ .Values.nodeAgent.image.tag }}"
+ imagePullPolicy: {{ .Values.nodeAgent.image.pullPolicy }}
 resources:
 {{ toYaml .Values.nodeAgent.resources | indent 12 }}
 env:
 - name: GOMEMLIMIT
- value: "{{ .Values.nodeAgent.resources.requests.memory }}B"
+ value: "600MiB"
 - name: KS_LOGGER_LEVEL
 value: "{{ .Values.logger.level }}"
 - name: KS_LOGGER_NAME
@@ -120,7 +118,7 @@ spec:
 fieldPath: metadata.name
 - name: HOST_ROOT
 value: "/host"
- {{- range .Values.nodeAgent.containers.nodeAgent.env }}
+ {{- range .Values.nodeAgent.env }}
 - name: {{ .name }}
 {{- if .value }}
 value: "{{ .value }}"
@@ -141,7 +139,7 @@ spec:
 mountPath: /etc/config/config.json
 readOnly: true
 subPath: "config.json"
- {{- range .Values.nodeAgent.containers.nodeAgent.volumeMounts }}
+ {{- range .Values.nodeAgent.volumeMounts }}
 - mountPath: {{ .mountPath }}
 name: {{ .name }}
 {{- end }}
diff --git a/charts/kubescape-cloud-operator/templates/operator/deployment.yaml b/charts/kubescape-cloud-operator/templates/operator/deployment.yaml
index d384ee29..bc1dd1d8 100644
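Review bot: In the `@@ -88` hunk `GOMEMLIMIT` changes from a value derived from `.Values.nodeAgent.resources.requests.memory` to the literal `"600MiB"`, so it no longer tracks whatever resources a user configures: with a memory limit lowered below 600Mi the Go runtime would not tighten GC before the container is OOM-killed, and raising the limit leaves the soft cap stuck at 600MiB, while the `requests.memory` bump in this PR's values.yaml no longer has any effect on it. Keep it templated, for example through a dedicated values key (a constructed name such as `nodeAgent.goMemLimit` defaulting to `600MiB`) rendered as `value: "{{ .Values.nodeAgent.goMemLimit }}"`, with a comment stating it should stay below `resources.limits.memory`. The same hunk, together with the two `range` hunks below it, moves the lookup from `.Values.nodeAgent.containers.nodeAgent.*` to `.Values.nodeAgent.*`; values a user still places under the old path are ignored without any rendering error, which is a breaking values change worth calling out alongside the chart version bump.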
--- a/charts/kubescape-cloud-operator/templates/operator/deployment.yaml +++ b/charts/kubescape-cloud-operator/templates/operator/deployment.yaml @@ -100,7 +100,7 @@ spec: value: "{{ $no_proxy_envar_list }}" {{- end }} - name: TRIGGER_SECURITY_FRAMEWORK - value: "false" + value: "{{ .Values.operator.triggerSecurityFramework }}" args: - -alsologtostderr - -v=4 diff --git a/charts/kubescape-cloud-operator/values.yaml b/charts/kubescape-cloud-operator/values.yaml index b5e27ae0..28e69db8 100644 --- a/charts/kubescape-cloud-operator/values.yaml +++ b/charts/kubescape-cloud-operator/values.yaml @@ -7,7 +7,7 @@ ksLabel: kubescape createKubescapeServiceAccount: true # TODO: move to kubescape capabilities: - relevancy: disable # enable/disable/detect + relevancy: detect # enable/disable/detect # KS cloud BE URLs environment: "prod" @@ -161,7 +161,7 @@ kubescape: image: # -- source code: https://github.com/kubescape/kubescape/tree/master/httphandler (public repo) repository: quay.io/kubescape/kubescape - tag: v2.3.7 + tag: v2.3.8 pullPolicy: IfNotPresent resources: @@ -566,7 +566,11 @@ grypeOfflineDB: memory: 200Mi nodeAgent: - name: "node-agent" + name: node-agent + image: + repository: quay.io/kubescape/node-agent + tag: v0.1.87 + pullPolicy: IfNotPresent config: maxLearningPeriod: 3h # duration string @@ -575,11 +579,33 @@ nodeAgent: resources: requests: cpu: 100m - memory: 150Mi + memory: 180Mi limits: cpu: 500m memory: 700Mi + env: + - name: NodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + + volumeMounts: + - mountPath: /host + name: host + - mountPath: /run + name: run + - mountPath: /lib/modules + name: modules + - mountPath: /sys/kernel/debug + name: debugfs + - mountPath: /sys/fs/cgroup + name: cgroup + - mountPath: /sys/fs/bpf + name: bpffs + - mountPath: /data + name: data + volumes: - hostPath: path: / 
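Review bot: `TRIGGER_SECURITY_FRAMEWORK` now renders `.Values.operator.triggerSecurityFramework`, but none of the values.yaml hunks in this PR add that key; if it is not already declared in values.yaml outside these hunks, the env var renders as an empty string instead of the previous `"false"`, and whether the operator treats `""` as false is not visible here. If the key is missing, add `triggerSecurityFramework: false` under `operator:` in values.yaml so the default stays explicit, or make the template tolerant with `value: "{{ .Values.operator.triggerSecurityFramework | default false }}"`. The env list continues outside the hunk.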
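Review bot: In the values.yaml `@@ -7` hunk the default of `capabilities.relevancy` flips from `disable` to `detect`, which changes behaviour for every installation that does not pin the value, yet the chart only gets a patch bump (1.14.1 to 1.14.2) and the commit message does not mention it. The line deserves a comment saying why detection is now the default and what `detect` turns on, e.g. `# default changed from disable to detect in 1.14.2; set to disable to opt out`, and a corresponding entry in the chart's release notes so upgraders are not surprised. The surrounding `capabilities` map continues outside the hunk.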
@@ -601,31 +627,6 @@ nodeAgent:
 name: debugfs
 - emptyDir:
 name: data
-
- containers:
- nodeAgent:
- name: node-agent
- image:
- repository: quay.io/kubescape/node-agent
- tag: v0.1.77
- pullPolicy: IfNotPresent
- env:
- - name: NodeName
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- volumeMounts:
- - mountPath: /host
- name: host
- - mountPath: /run
- name: run
- - mountPath: /lib/modules
- name: modules
- - mountPath: /sys/kernel/debug
- name: debugfs
- - mountPath: /sys/fs/cgroup
- name: cgroup
- - mountPath: /sys/fs/bpf
- name: bpffs
- - mountPath: /data
- name: data
+node-agent:
+ image:
+ tag: v0.1.87
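Review bot: The added top-level `node-agent:` key duplicates `nodeAgent.image.tag` (both `v0.1.87`) under a second, kebab-case name, and no template in this diff reads it (the daemonset uses `.Values.nodeAgent.image.tag`), so the two tags will drift; a hyphenated key is also awkward to reference from Go templates, which need `index .Values "node-agent"` for it. The commit message suggests the automated tag-bump job writes to this key, in which case future bumps would not change the image actually deployed until the job targets `nodeAgent.image.tag`; either point the automation there or drop the stray key. The removed `containers` block is the old home of the same settings, consistent with the daemonset changes.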