
Commit d76fccf

draios-jenkinsfrancesco-furlanAlbertoBarba
authored
chore(cluster-shield,sysdig-deploy,shield): Automatic bump to version 1.12.0 (#2272)
Co-authored-by: francesco-furlan <10468205+francesco-furlan@users.noreply.github.com> Co-authored-by: Francesco Furlan <francesco.furlan@sysdig.com> Co-authored-by: Alberto Barba <alberto.barba@sysdig.com>
1 parent cc4dfaf commit d76fccf


18 files changed

+634
-15
lines changed


charts/cluster-shield/Chart.yaml

Lines changed: 2 additions & 2 deletions
@@ -2,8 +2,8 @@ apiVersion: v2
22
name: cluster-shield
33
description: Cluster Shield Helm Chart for Kubernetes
44
type: application
5-
version: 1.11.0
6-
appVersion: "1.11.0"
5+
version: 1.12.0
6+
appVersion: "1.12.0"
77
maintainers:
88
- name: AlbertoBarba
99
email: alberto.barba@sysdig.com

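--- a/charts/cluster-shield/README.md
+++ b/charts/cluster-shield/README.md
@@ -122,6 +122,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | cluster_shield.features.admission_control.http_port | The port that will be used to expose admission control endpoints | <code>8443</code> |
 | cluster_shield.features.admission_control.excluded_namespaces | The list of namespaces to exclude from the admission control feature | <code>[]</code> |
 | cluster_shield.features.admission_control.container_vulnerability_management.enabled | Enable the container vulnerability management feature on the admission control | <code>false</code> |
+| cluster_shield.features.admission_control.posture.enabled | Enable the posture feature on the admission control | <code>true</code> |
 | cluster_shield.features.audit.enabled | Enable the Kubernetes Audit feature | <code>false</code> |
 | cluster_shield.features.audit.http_port | The port that will be used to expose the audit endpoints | <code>6443</code> |
 | cluster_shield.features.audit.timeout | The timeout for the audit feature | <code>5</code> |
@@ -134,6 +135,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | cluster_shield.features.container_vulnerability_management.local_cluster.registry_secrets | Restrict access to specific Docker secrets when Cluster Scanner is running. The default behavior is listing all secrets. | <code>[]</code> |
 | cluster_shield.features.container_vulnerability_management.platform_services_enabled | Define if the platform services are enabled | <code>true</code> |
 | cluster_shield.features.container_vulnerability_management.registry_ssl.verify | If set to false it allows insecure connections to registries, Such as for registries with self-signed or private certificates. | <code>true</code> |
+| cluster_shield.features.investigations.network_security.enabled | Enable the network security feature | <code>false</code> |
 | cluster_shield.features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature | <code>false</code> |
 | cluster_shield.features.monitor.kube_state_metrics.enabled | Enable the Kubernetes State Metrics feature | <code>false</code> |
 | cluster_shield.features.monitor.kubernetes_events.enabled | Enable the Kubernetes Events feature | <code>false</code> |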
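--- a/charts/cluster-shield/templates/_helpers.tpl
+++ b/charts/cluster-shield/templates/_helpers.tpl
@@ -62,6 +62,9 @@ Adds kubernetes related keys to the configuration.
 {{- if and (.Values.cluster_shield.features.admission_control.enabled) (.Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled)}}
 {{- $_ := set $conf "admission_controller_secure" (merge (include "cluster-shield.configurationAdmissionControllerSecure" . | fromYaml) (.Values.cluster_shield.admission_controller_secure | default dict)) -}}
 {{- end}}
+{{- if eq "true" (include "cluster-shield.postureEnabled" .) -}}
+{{- $_ := set $conf "kspm_collector" (merge (include "cluster-shield.configurationKspmCollector" . | fromYaml) (.Values.cluster_shield.kspm_collector | default dict)) -}}
+{{- end -}}
 {{- $_ := unset $conf.sysdig_endpoint "access_key" -}}
 {{- $_ := unset $conf.sysdig_endpoint "secure_api_token" -}}
 {{/* sysdig-deploy support start */}}
@@ -148,6 +151,13 @@ Cluster Scanner Lock Name
 {{- include "cluster-shield.fullname" . -}}
 {{- end }}
 
+{{/*
+KSPM Collector Lock Name
+*/}}
+{{- define "cluster-shield.kspmCollectorLockName" -}}
+{{- (include "cluster-shield.fullname" .) -}}-kspm-collector
+{{- end }}
+
 {{/*
 Cluster Scanner Service Name
 As per DNS naming spec, the length of a service name should be less than 63 characters;
@@ -185,6 +195,12 @@ Admission Controller Secure Configuration
 rsi_grpc_endpoint: {{ include "cluster-shield.clusterScannerServiceName" . }}:9999
 {{- end }}
 
+{{/*
+KSPM Collector Configuration
+*/}}
+{{- define "cluster-shield.configurationKspmCollector" -}}
+leader_election_lock_name: {{ include "cluster-shield.kspmCollectorLockName" . }}
+{{- end }}
 
 {{/*
 Verify if certs needs to be generated and mounted inside the pod
@@ -375,6 +391,20 @@ Check if Container Vulnerability Management is enabled
 {{- or (.Values.cluster_shield.features.container_vulnerability_management.enabled) (and (.Values.cluster_shield.features.admission_control.enabled) (.Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled)) -}}
 {{- end -}}
 
+{{/*
+Check if Posture is enabled
+*/}}
+{{- define "cluster-shield.postureEnabled" -}}
+{{- .Values.cluster_shield.features.posture.enabled -}}
+{{- end -}}
+
+{{/*
+Check if Kspm Collector needs to acquire leases from k8s
+*/}}
+{{- define "cluster-shield.postureNeedsLease" -}}
+{{- and (eq (include "cluster-shield.postureEnabled" .) "true") (not (eq (.Values.cluster_shield | dig "kspm_collector" "transport_layer" "" ) "nats")) -}}
+{{- end -}}
+
 {{/*
 Proxy Secret Name
 */}}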
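Review bot: The key gating the new kspm_collector config block and the lease RBAC is `.Values.cluster_shield.features.posture.enabled` (read by `cluster-shield.postureEnabled` in the last hunk), but the README row added in this commit documents `cluster_shield.features.admission_control.posture.enabled` with default true and there is no row for `cluster_shield.features.posture.enabled`; the README and the helper should name the same key so operators know which value actually turns on the collector. `postureEnabled` also dereferences `features.posture.enabled` directly, so if `posture` is not declared in values.yaml (not in this view) rendering presumably fails on a nil map rather than defaulting to disabled; `postureNeedsLease` already uses `dig` for the sibling `kspm_collector` lookup, and `{{- .Values.cluster_shield.features | dig "posture" "enabled" false -}}` would make the two consistent. Minor style point: the first hunk writes `eq "true" (include …)` while `postureNeedsLease` writes `eq (include …) "true"`; pick one order. The define that the first hunk extends starts outside the hunk.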

charts/cluster-shield/templates/role.yaml

Lines changed: 14 additions & 4 deletions
@@ -4,17 +4,19 @@ metadata:
44
name: {{ include "cluster-shield.fullname" . }}
55
namespace: {{ .Release.Namespace }}
66
rules:
7+
{{- if or (eq "true" (include "cluster-shield.containerVulnerabilityManagementEnabled" .)) (eq "true" (include "cluster-shield.postureNeedsLease" .)) }}
8+
- apiGroups: ["", "coordination.k8s.io"]
9+
resources:
10+
- "leases"
11+
verbs: ["create"]
12+
{{- end }}
713
{{- if eq "true" (include "cluster-shield.containerVulnerabilityManagementEnabled" .) }}
814
- apiGroups: ["", "coordination.k8s.io"]
915
resources:
1016
- "leases"
1117
resourceNames:
1218
- {{ include "cluster-shield.clusterScannerLockName" . }}
1319
verbs: ["*"]
14-
- apiGroups: ["", "coordination.k8s.io"]
15-
resources:
16-
- "leases"
17-
verbs: ["create"]
1820
- apiGroups: ["*"]
1921
resources:
2022
- "endpoints"
@@ -28,3 +30,11 @@ rules:
2830
- {{ include "cluster-shield.clusterScannerServiceName" . }}
2931
verbs: ["*"]
3032
{{- end }}
33+
{{- if eq "true" (include "cluster-shield.postureNeedsLease" .) }}
34+
- apiGroups: ["", "coordination.k8s.io"]
35+
resources:
36+
- "leases"
37+
resourceNames:
38+
- {{ include "cluster-shield.kspmCollectorLockName" . }}
39+
verbs: ["*"]
40+
{{- end }}
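Review bot: The new posture rule in the second hunk grants `verbs: ["*"]` on the kspm-collector lease, which includes delete, deletecollection and watch that a leader-election client does not need; since `create` is already granted separately by the first hunk, `verbs: ["get", "update"]` (plus `patch` only if the collector's election client is known to patch the lease) keeps the role at least privilege. The same wildcard already exists on the cluster-scanner lease above, so this may be a deliberate pattern, but a comment stating why `*` is required would help, e.g. `# leader election only needs get/update on the named lease; "*" kept for parity with the cluster-scanner rule`. Also note that the `["", "coordination.k8s.io"]` apiGroups pair is copied from the existing rule; leases live only in `coordination.k8s.io`, so the empty core group is inert here.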

charts/cluster-shield/tests/configmap_test.yaml

Lines changed: 45 additions & 1 deletion
@@ -94,6 +94,51 @@ tests:
9494
nats_url: nats://release-name-cluster-shield-cluster-scanner:4222
9595
leader_election_lock_name: release-name-cluster-shield
9696
97+
- it: Kspm Collector default configuration
98+
set:
99+
cluster_shield:
100+
log_level: info
101+
features:
102+
posture:
103+
enabled: true
104+
asserts:
105+
- containsDocument:
106+
kind: ConfigMap
107+
apiVersion: v1
108+
- hasDocuments:
109+
count: 1
110+
- exists:
111+
path: data
112+
- matchRegex:
113+
path: data['cluster-shield.yaml']
114+
pattern: |
115+
kspm_collector:
116+
leader_election_lock_name: release-name-cluster-shield-kspm-collector
117+
118+
- it: Kspm Collector configuration with additional values
119+
set:
120+
cluster_shield:
121+
log_level: info
122+
features:
123+
posture:
124+
enabled: true
125+
kspm_collector:
126+
transport_layer: http
127+
asserts:
128+
- containsDocument:
129+
kind: ConfigMap
130+
apiVersion: v1
131+
- hasDocuments:
132+
count: 1
133+
- exists:
134+
path: data
135+
- matchRegex:
136+
path: data['cluster-shield.yaml']
137+
pattern: |
138+
kspm_collector:
139+
leader_election_lock_name: release-name-cluster-shield-kspm-collector
140+
transport_layer: http
141+
97142
- it: Set SSL Verify (global flag - disabled)
98143
set:
99144
global:
@@ -217,7 +262,6 @@ tests:
217262
- failedTemplate:
218263
errorMessage: Custom region requires cluster_shield.sysdig_endpoint.collector to be defined.
219264

220-
221265
- it: Local custom region requires Collector when kubernetes_metadata feature is enabled
222266
set:
223267
cluster_shield:
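Review bot: Both new cases in the first hunk set `posture.enabled: true` and assert the `kspm_collector` block is present, but nothing asserts the inverse: that with posture disabled (the apparent default, since the existing tests did not previously render this block) no `kspm_collector` key appears in `data['cluster-shield.yaml']`. A third case with `enabled: false` and `- notMatchRegex:` on `kspm_collector:` would pin the gating added in `_helpers.tpl`. The `transport_layer: nats` branch that suppresses the lease RBAC also has no coverage in this file; it may live in a role test among the files not shown in this view, but if not it deserves one.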
