Implement values for enabling the allowlist- and hashLookup and add c…

…orresponding documentation
GDATASoftwareAG · Apr 25, 2024 · d5deb34 · d5deb34
1 parent 108cd87
commit d5deb34
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -85,7 +85,21 @@ export TOKEN_URL=http://vaas/auth/protocol/openid-connect/token # URL of the tok
 
 ## Configuring Verdict-as-a-Service
 
-If you want to scan larger files, you have to adjust the deployments body size limit in ```vaas.gateway.ingress.annotations```. Should looks like this:
+The default configurations are set to provide the best verdict. When you have the need to run this helm-chart without sending the file hashes to our cloud, you can deactivate the cloud lookups with these options:
+
+```yaml
+cloud:
+  hashLookup:
+    enabled: false
+  allowlistLookup:
+    enabled: false
+```
+
+With the `hashLookup`, VaaS uses the G DATA Cloud to obtain additional information about a file and thus enrich the quality of the verdict. Without the hashLookup, this additional information is omitted and files that would ONLY be recognized via the cloud are therefore not recognized.
+
+The `allowlistLookup` is a request of the hash to the G DATA Cloud, against a list of files that we know for sure are not malicious, to prevent false positives. Some clean files are still detected by the scanners signatures and the `allowlistLookup` will prevent these files to be detected as `malicious` or `pup`.
+
+If you want to scan larger files, you have to adjust the deployments body size limit in `vaas.gateway.ingress.annotations`. Should looks like this:
 
 ```yaml
 nginx.ingress.kubernetes.io/proxy-body-size: <your maximum filesize>
@@ -96,6 +110,8 @@ nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
 | ------------------------------------------ | ----------------------------------------------------------------------------------------------------------- | -------------------------------- |
 | `global.imagePullSecrets`                  | List of image pull secrets                                                                                  | `- name: registry`               |
 | `global.secret.dockerconfigjson`           | Docker authentication configuration                                                                         | `""`                             |
+| `cloud.hashLookup.enabled`                 | Enable/Disable the cloud hash lookup                                                                        | `true`                           |
+| `cloud.allowlistLookup.enabled`            | Enable/Disable the cloud allowlist lookup                                                                   | `true`                           |
 | `gateway.ingress.enabled`                  | Enable/Disable the Ingress resource                                                                         | `false`                          |
 | `gateway.ingress.annotations`              | Additional annotations for Ingress                                                                          | `{}`                             |
 | `gateway.ingress.hosts`                    | Hostnames and paths for Ingress                                                                             | `[]`                             |

diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 1.3.0
+version: 1.4.0
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG

diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml
@@ -60,6 +60,10 @@ spec:
               value: {{ .Release.Name }}
             - name: MaxAnalysisDuration
               value: {{ include "common.secondsToHHMMSS" .Values.gateway.terminationGracePeriodSeconds | quote }}
+            - name: FileCloudVerdictSource__Enable
+              value: {{ .Values.cloud.hashLookup.enabled | quote  }}
+            - name: FileAllowlistCloudVerdictSource__Enable
+              value: {{ .Values.cloud.allowlistLookup.enabled | quote }}
           ports:
             - name: http
               containerPort: {{ .Values.gateway.service.http.port }}

diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml
@@ -39,6 +39,12 @@ mini-identity-provider:
   tolerations: []
   affinity: {}
 
+cloud:
+  hashLookup:
+    enabled: true
+  allowlistLookup:
+    enabled: true
+
 gateway:
   ingress:
     enabled: true
@@ -136,7 +142,7 @@ gateway:
   extraEnvVars: []
 
   # This block is only for G DATA's internal usage.
-  hashlookup:
+  hashLookup:
     enabled: false
     apikey:
       value: ""