create the seerviceAuth CRD and add permission (#455)

* create the seerviceAuth CRD and add permession Signed-off-by: idohu <[email protected]> * add - to edd statement Signed-off-by: idohu <[email protected]> * fix last commit Signed-off-by: idohu <[email protected]> * fix auther Signed-off-by: idohu <[email protected]> * fix syncorniser config map Signed-off-by: idohu <[email protected]> * fix in the crd yaml to right group kubescape.io Signed-off-by: idohu <[email protected]> * delete mistkae file Signed-off-by: idohu <[email protected]> * 'rollbacked' the syncroniser configmap/yaml Signed-off-by: idohu <[email protected]> * fix clusterrole yaml Signed-off-by: idohu <[email protected]> * fix CRD format and add dependecies Signed-off-by: idohu <[email protected]> * add new test sanpshot Signed-off-by: idohu <[email protected]> * fix version + seperate the crd by name and conf(new condition) Signed-off-by: idohu <[email protected]> * new test snapshot Signed-off-by: idohu <[email protected]> * crd chart.yaml - change description + adusting version Signed-off-by: idohu <[email protected]> --------- Signed-off-by: idohu <[email protected]> Co-authored-by: idohu <[email protected]>
kubescape · Jun 18, 2024 · cb35807 · cb35807
1 parent de54505
commit cb35807
Show file tree

Hide file tree

Showing 10 changed files with 170 additions and 12 deletions.
diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml
@@ -46,3 +46,7 @@ dependencies:
     version: 0.0.2
     repository: "file://./charts/namespaced-crds"
     condition: alertCRD.scopeNamespaced
+  - name: kubescape-service-crd
+    version: 0.0.1
+    repository: "file://./charts/serviceauthentication-crds"
+    condition: capabilities.enableServiceAuth
diff --git a/charts/kubescape-operator/charts/serviceauthentication-crds/Chart.yaml b/charts/kubescape-operator/charts/serviceauthentication-crds/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kubescape-service-crd
+description: A Helm chart CRDs for Kubescape Operator for service authentication discovery
+
+type: application
+
+version: 0.0.1
+
+appVersion: "0.0.1"
diff --git a/...kubescape-operator/charts/serviceauthentication-crds/crds/service-authentication.crd.yaml b/...kubescape-operator/charts/serviceauthentication-crds/crds/service-authentication.crd.yaml
@@ -0,0 +1,43 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: serviceauthentication.kubescape.io
+spec:
+  group: kubescape.io
+  names:
+    kind: ServiceAuthentication
+    plural: serviceauthentications
+    shortNames:
+    - ksa
+    singular: serviceauthentication
+  scope: Namespaced
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              clusterIP:
+                type: string             
+              ports:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    port:
+                      type: integer
+                    protocol:
+                      type: string
+                    sessionLayer:
+                      type: string
+                    presentationLayer:
+                      type: string
+                    applicationLayer:
+                      type: string
+                    authenticated:
+                      type: boolean
diff --git a/charts/kubescape-operator/charts/serviceauthentication-crds/values.yaml b/charts/kubescape-operator/charts/serviceauthentication-crds/values.yaml
diff --git a/charts/kubescape-operator/templates/kubescape/clusterrole.yaml b/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
@@ -64,4 +64,7 @@ rules:
 - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
   resources: ["workloadconfigurationscans", "workloadconfigurationscansummaries"]
   verbs: ["create", "update", "patch"]
+- apiGroups: ["kubescape.io"]
+  resources: ["serviceauthentication"]
+  verbs: ["get", "watch", "list"]
 {{ end }}
diff --git a/charts/kubescape-operator/templates/operator/clusterrole.yaml b/charts/kubescape-operator/templates/operator/clusterrole.yaml
@@ -19,4 +19,7 @@ rules:
   - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
     resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries", "openvulnerabilityexchangecontainers", "sbomsyftfiltereds", "sbomsyfts"]
     verbs: ["get", "watch", "list", "delete"]
-{{- end }}
+  - apiGroups: ["kubescape.io"]
+    resources: ["serviceauthentication"]
+    verbs: ["get", "watch", "list", "create", "update", "delete"]
+  {{- end }}
diff --git a/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml b/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml
@@ -40,4 +40,7 @@ rules:
   - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["httproutes", "tcproutes","udproutes"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: ["kubescape.io"]
+    resources: ["serviceauthentication"]
+    verbs: ["get", "watch", "list"]
 {{- end }}
diff --git a/charts/kubescape-operator/templates/synchronizer/configmap.yaml b/charts/kubescape-operator/templates/synchronizer/configmap.yaml
@@ -175,6 +175,12 @@ data:
             "version": "v3",
             "resource": "networkpolicies",
             "strategy": "patch"
+          },
+          {
+            "group": "kubescape.io",
+            "version": "v1",
+            "resource": "serviceauthentication",
+            "strategy": "patch"
           }
         ]
       },
@@ -196,4 +202,4 @@ data:
         ]
       }
     }
-{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -163,7 +163,7 @@ all capabilities:
     data:
       capabilities: |
         {
-          "capabilities":{"autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","malwareDetection":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeScan":"enable","prometheusExporter":"enable","relevancy":"enable","runtimeDetection":"enable","runtimeObservability":"enable","vexGeneration":"enable","vulnerabilityScan":"enable"},
+          "capabilities":{"autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","enableServiceAuth":false,"malwareDetection":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeScan":"enable","prometheusExporter":"enable","relevancy":"enable","runtimeDetection":"enable","runtimeObservability":"enable","vexGeneration":"enable","vulnerabilityScan":"enable"},
           "components":{"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}},
           "configurations":{"otelUrl":"otelCollector:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"}
         }
@@ -996,6 +996,14 @@ all capabilities:
           - create
           - update
           - patch
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
   26: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -2195,6 +2203,17 @@ all capabilities:
           - watch
           - list
           - delete
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
+          - create
+          - update
+          - delete
   51: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -2254,7 +2273,7 @@ all capabilities:
       template:
         metadata:
           annotations:
-            checksum/capabilities-config: f3b50323bb773b2ec8697e87c955f27462c8273d3b5b74320a28bdb0306dc640
+            checksum/capabilities-config: 7514d3b5697fcc1a8958606dfcf8bcd46df5f31b8560cdffc731cbbe9cb21519
             checksum/cloud-config: c4dc912bbe62b0d5fd4734206c3cae52f56d766cbc20024182a2bcef09c0ae8e
             checksum/cloud-secret: 8665d3f0f7282091716b5fbf7356972eb83a5a9e86eb064218d24e9f66612b99
             checksum/matching-rules-config: 9282b3916f506ac98eccbdfe686271420ff520374de611f7efce8235dcdf8809
@@ -3456,6 +3475,14 @@ all capabilities:
           - get
           - list
           - watch
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
   88: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -3474,7 +3501,7 @@ all capabilities:
   89: |
     apiVersion: v1
     data:
-      config.json: |
+      config.json: |-
         {
           "inCluster": {
             "resources": [
@@ -3639,6 +3666,12 @@ all capabilities:
                 "version": "v3",
                 "resource": "networkpolicies",
                 "strategy": "patch"
+              },
+              {
+                "group": "kubescape.io",
+                "version": "v1",
+                "resource": "serviceauthentication",
+                "strategy": "patch"
               }
             ]
           },
@@ -3696,7 +3729,7 @@ all capabilities:
             checksum/cloud-config: c4dc912bbe62b0d5fd4734206c3cae52f56d766cbc20024182a2bcef09c0ae8e
             checksum/cloud-secret: 8665d3f0f7282091716b5fbf7356972eb83a5a9e86eb064218d24e9f66612b99
             checksum/proxy-config: 30e81a4193016803b4b7985b92028c4797c1e84d317a4b6b3e3a5406139f8847
-            checksum/synchronizer-configmap: 87d35f32c50cf98880ce879a4b29629d2d2e5008115381c992d5de1ad6bb573c
+            checksum/synchronizer-configmap: 737f16e4477c76d1da6e50bea7340999fd7607a74e2121cd9b98e27155f6880f
           labels:
             app: synchronizer
             app.kubernetes.io/instance: RELEASE-NAME
@@ -3926,7 +3959,7 @@ default capabilities:
     data:
       capabilities: |
         {
-          "capabilities":{"autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","malwareDetection":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","vexGeneration":"disable","vulnerabilityScan":"enable"},
+          "capabilities":{"autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","enableServiceAuth":false,"malwareDetection":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","vexGeneration":"disable","vulnerabilityScan":"enable"},
           "components":{"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}},
           "configurations":{"otelUrl":"otelCollector:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"}
         }
@@ -4733,6 +4766,14 @@ default capabilities:
           - create
           - update
           - patch
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
   21: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -5851,6 +5892,17 @@ default capabilities:
           - watch
           - list
           - delete
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
+          - create
+          - update
+          - delete
   45: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -5910,7 +5962,7 @@ default capabilities:
       template:
         metadata:
           annotations:
-            checksum/capabilities-config: ca76fce1c8ed0afd8812c20116e9658826cd3b9f09fd623c0e93cadcbd86dccb
+            checksum/capabilities-config: 2bd2ea20adc7bfd3e36a8f54681afb7311d9cc763a9027d918807164d4d74995
             checksum/cloud-config: 98e72a3a1a24264d2cdebc86b61829ee5b941fb590d6ca717ebaa880922046c6
             checksum/cloud-secret: 8665d3f0f7282091716b5fbf7356972eb83a5a9e86eb064218d24e9f66612b99
             checksum/matching-rules-config: 9282b3916f506ac98eccbdfe686271420ff520374de611f7efce8235dcdf8809
@@ -6928,6 +6980,14 @@ default capabilities:
           - get
           - list
           - watch
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
   75: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -6946,7 +7006,7 @@ default capabilities:
   76: |
     apiVersion: v1
     data:
-      config.json: |
+      config.json: |-
         {
           "inCluster": {
             "resources": [
@@ -7111,6 +7171,12 @@ default capabilities:
                 "version": "v3",
                 "resource": "networkpolicies",
                 "strategy": "patch"
+              },
+              {
+                "group": "kubescape.io",
+                "version": "v1",
+                "resource": "serviceauthentication",
+                "strategy": "patch"
               }
             ]
           },
@@ -7168,7 +7234,7 @@ default capabilities:
             checksum/cloud-config: 98e72a3a1a24264d2cdebc86b61829ee5b941fb590d6ca717ebaa880922046c6
             checksum/cloud-secret: 8665d3f0f7282091716b5fbf7356972eb83a5a9e86eb064218d24e9f66612b99
             checksum/proxy-config: 30e81a4193016803b4b7985b92028c4797c1e84d317a4b6b3e3a5406139f8847
-            checksum/synchronizer-configmap: 87d35f32c50cf98880ce879a4b29629d2d2e5008115381c992d5de1ad6bb573c
+            checksum/synchronizer-configmap: 737f16e4477c76d1da6e50bea7340999fd7607a74e2121cd9b98e27155f6880f
           labels:
             app: synchronizer
             app.kubernetes.io/instance: RELEASE-NAME
@@ -7383,7 +7449,7 @@ minimal capabilities:
     data:
       capabilities: |
         {
-          "capabilities":{"autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","malwareDetection":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","vexGeneration":"disable","vulnerabilityScan":"enable"},
+          "capabilities":{"autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","enableServiceAuth":false,"malwareDetection":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","vexGeneration":"disable","vulnerabilityScan":"enable"},
           "components":{"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":false},"hostScanner":{"enabled":true},"kollector":{"enabled":false},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":false},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":false},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":false},"serviceDiscovery":{"enabled":false},"storage":{"enabled":true},"synchronizer":{"enabled":false}},
           "configurations":{"otelUrl":"otelCollector:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"}
         }
@@ -7611,6 +7677,14 @@ minimal capabilities:
           - create
           - update
           - patch
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
   8: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -8539,6 +8613,17 @@ minimal capabilities:
           - watch
           - list
           - delete
+      - apiGroups:
+          - kubescape.io
+        resources:
+          - serviceauthentication
+        verbs:
+          - get
+          - watch
+          - list
+          - create
+          - update
+          - delete
   27: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -8598,7 +8683,7 @@ minimal capabilities:
       template:
         metadata:
           annotations:
-            checksum/capabilities-config: 8d8fdeab03d6a23cc4a3d132afe56c821554995659b948b30f8a1d736094fbbc
+            checksum/capabilities-config: 0ee9bed1f50680deb878724d7af3fb24d73ec15b329111a82fa85baa6965e206
             checksum/cloud-config: c8580dbb81fa1c832dc787a966fc068feacfb2ee7f67fdd928c256f4094ad656
             checksum/cloud-secret: baefa7c2a6f06e1afdaffb0829d1caf36ff7428773197f1e5ca4731c132ecb78
             checksum/matching-rules-config: 9282b3916f506ac98eccbdfe686271420ff520374de611f7efce8235dcdf8809

diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
@@ -90,6 +90,8 @@ capabilities:
   prometheusExporter: disable
   # seccompGenerator: disable
 
+  enableServiceAuth: false
+
 configurations:
   otelUrl: # default is empty
   persistence: enable