Merge pull request #234 from octarinesec/release/6.2.0
Release/6.2.0 merge to main
BenRub authored Feb 15, 2024
2 parents 80160a9 + 8899166 commit cb3c2b5
Showing 29 changed files with 3,549 additions and 742 deletions.
47 changes: 46 additions & 1 deletion .github/workflows/operator.yaml
Expand Up @@ -11,6 +11,51 @@ on:
- "*"

jobs:
helm:
if: github.ref_type == 'tag' || github.ref == 'refs/heads/develop'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Helm
uses: azure/setup-helm@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Meta
id: meta
uses: docker/metadata-action@v5
with:
flavor: |
latest=false
tags: |
type=semver,pattern={{version}}
- name: Create and push chart
if: github.ref_type == 'tag'
run: |
TAG_NAME=${GITHUB_REF#refs/tags/}
VERSION=${{ steps.meta.outputs.tags }}
REPO=cbartifactory
cd ${{ github.workspace }}/charts/cbcontainers-operator/cbcontainers-operator-chart
helm package . --version $VERSION --app-version $TAG_NAME
helm push *.tgz oci://registry-1.docker.io/$REPO
cd ${{ github.workspace }}/charts/cbcontainers-agent/cbcontainers-agent-chart
helm package . --version $VERSION --app-version $VERSION
helm push *.tgz oci://registry-1.docker.io/$REPO
- name: Develop branch create and push chart
if: github.ref == 'refs/heads/develop'
run: |
VERSION=1.99.99
REPO=cbartifactory
cd ${{ github.workspace }}/charts/cbcontainers-operator/cbcontainers-operator-chart
helm package . --version $VERSION --app-version develop
helm push *.tgz oci://registry-1.docker.io/$REPO
cd ${{ github.workspace }}/charts/cbcontainers-agent/cbcontainers-agent-chart
helm package . --version $VERSION --app-version main
helm push *.tgz oci://registry-1.docker.io/$REPO
build:
runs-on: ubuntu-latest
steps:
Expand All @@ -33,7 +78,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.21.4
go-version: 1.21.6
- name: Setup Operator SDK
run: |
mkdir /tmp/operator-sdk
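Review bot: `VERSION=${{ steps.meta.outputs.tags }}` in the "Create and push chart" step splices a workflow expression directly into the shell script, the GitHub Actions script-injection pattern; the value derives from the pushed tag name (the job runs for any tag per `- "*"`), so tag-creation rights effectively become shell execution in a job holding `DOCKERHUB_PASSWORD`. Pass it through the environment instead, as the step already does for `TAG_NAME` via `$GITHUB_REF`: add `env:` / `VERSION: ${{ steps.meta.outputs.tags }}` to the step and use `helm package . --version "$VERSION" --app-version "$TAG_NAME"` in the script. The publishing actions (`actions/checkout@v4`, `azure/setup-helm@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`) are pinned to mutable major tags; for a job that pushes release artifacts to a public registry, pinning to commit SHAs is the usual recommendation. The `build` job continues past the hunk.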
15 changes: 8 additions & 7 deletions README.md
Expand Up @@ -14,12 +14,13 @@ The Carbon Black Cloud Container Operator utilizes the operator-framework to cre

## Compatibility Matrix

| Operator version | Kubernetes Sensor Component Version | Minimum Kubernetes Version |
|------------------|--------------------------------------|----------------------------|
| v6.1.x | 2.10.0, 2.11.0, 2.12.0, 3.0.X, 3.1.X | 1.18 |
| v6.0.x | 2.10.0, 2.11.0, 2.12.0, 3.0.X, 3.1.X | 1.18 |
| v5.6.x | 2.10.0, 2.11.0, 2.12.0 | 1.16 |
| v5.5.x | 2.10.0, 2.11.0 | 1.16 |
| Operator version | Kubernetes Sensor Component Version | Minimum Kubernetes Version |
|------------------|---------------------------------------------|----------------------------|
| v6.2.x | 2.10.0, 2.11.0, 2.12.0, 3.0.X, 3.1.X, 3.2.X | 1.18 |
| v6.1.x | 2.10.0, 2.11.0, 2.12.0, 3.0.X, 3.1.X | 1.18 |
| v6.0.x | 2.10.0, 2.11.0, 2.12.0, 3.0.X, 3.1.X | 1.18 |
| v5.6.x | 2.10.0, 2.11.0, 2.12.0 | 1.16 |
| v5.5.x | 2.10.0, 2.11.0 | 1.16 |

## Operator Deployment

Expand All @@ -28,7 +29,7 @@ Kubernetes 1.18+ is supported.

### From script:
```
export OPERATOR_VERSION=v6.1.0
export OPERATOR_VERSION=v6.2.0
export OPERATOR_SCRIPT_URL=https://setup.containers.carbonblack.io/$OPERATOR_VERSION/operator-apply.sh
curl -s $OPERATOR_SCRIPT_URL | bash
```
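--- a/api/v1/cndr_types.go
+++ b/api/v1/cndr_types.go
@@ -17,6 +17,8 @@ type CBContainersCndrSensorSpec struct {
 Image CBContainersImageSpec `json:"image,omitempty"`
 // +kubebuilder:default:={requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "1024Mi", cpu: "500m"}}
 Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
+// +kubebuilder:default:={initialDelaySeconds: 240, timeoutSeconds: 1, periodSeconds: 30, successThreshold: 1, failureThreshold: 5, readinessPath: "/tmp/ready", livenessPath: "/tmp/alive" }
+Probes CBContainersFileProbesSpec `json:"probes,omitempty"`
 // +kubebuilder:default:={port: 7071}
 Prometheus CBContainersPrometheusSpec `json:"prometheus,omitempty"`
 // +kubebuilder:default:=2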
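Review bot: The new `Probes` field carries a CRD default but no doc comment, and the only consumer visible in this commit, `mutateCndrContainer` in sensor_daemon_set.go, has the call that would apply it commented out, so a user who sets `cndr.probes` gets a value the API server accepts and the operator then ignores. Add a comment on the field that makes the current status explicit, e.g. `// Probes configures file-based readiness/liveness checks for the cndr container. NOTE: not applied yet; see mutateCndrContainer.` The struct `CBContainersCndrSensorSpec` starts and ends outside the hunk.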
4 changes: 2 additions & 2 deletions api/v1/hardening_types.go
Expand Up @@ -15,7 +15,7 @@ type CBContainersStateReporterSpec struct {
Env map[string]string `json:"env,omitempty"`
// +kubebuilder:default:={repository:"cbartifactory/guardrails-state-reporter"}
Image CBContainersImageSpec `json:"image,omitempty"`
// +kubebuilder:default:={requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
// +kubebuilder:default:={requests: {memory: "256Mi", cpu: "200m"}, limits: {memory: "512Mi", cpu: "400m"}}
Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
// +kubebuilder:default:=<>
Probes CBContainersHTTPProbesSpec `json:"probes,omitempty"`
Expand All @@ -40,7 +40,7 @@ type CBContainersEnforcerSpec struct {
Prometheus CBContainersPrometheusSpec `json:"prometheus,omitempty"`
// +kubebuilder:default:={repository:"cbartifactory/guardrails-enforcer"}
Image CBContainersImageSpec `json:"image,omitempty"`
// +kubebuilder:default:={requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
// +kubebuilder:default:={requests: {memory: "256Mi", cpu: "100m"}, limits: {memory: "512Mi", cpu: "200m"}}
Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
// +kubebuilder:default:=<>
Probes CBContainersHTTPProbesSpec `json:"probes,omitempty"`
2 changes: 1 addition & 1 deletion api/v1/runtime_types.go
Expand Up @@ -16,7 +16,7 @@ type CBContainersRuntimeResolverSpec struct {
Env map[string]string `json:"env,omitempty"`
// +kubebuilder:default:={repository:"cbartifactory/runtime-kubernetes-resolver"}
Image CBContainersImageSpec `json:"image,omitempty"`
// +kubebuilder:default:={requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "1024Mi", cpu: "900m"}}
// +kubebuilder:default:={requests: {memory: "512Mi", cpu: "200m"}, limits: {memory: "2Gi", cpu: "900m"}}
Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
// +kubebuilder:default:=<>
Probes CBContainersHTTPProbesSpec `json:"probes,omitempty"`
1 change: 1 addition & 0 deletions api/v1/zz_generated.deepcopy.go


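--- a/cbcontainers/models/remote_configuration_changes.go
+++ b/cbcontainers/models/remote_configuration_changes.go
@@ -8,11 +8,17 @@ var (
 ChangeStatusFailed RemoteChangeStatus = "FAILED"
 )
 
+type AdvancedSettings struct {
+ProxyServer *string `json:"proxy_server,omitempty"`
+RegistryServer *string `json:"registry_server,omitempty"`
+}
+
 type ConfigurationChange struct {
-ID string `json:"id"`
-Status RemoteChangeStatus `json:"status"`
-AgentVersion *string `json:"agent_version"`
-Timestamp string `json:"timestamp"`
+ID string `json:"id"`
+Status RemoteChangeStatus `json:"status"`
+AgentVersion *string `json:"agent_version"`
+AdvancedSettings *AdvancedSettings `json:"advanced_settings,omitempty"`
+Timestamp string `json:"timestamp"`
 }
 
 type ConfigurationChangeStatusUpdate struct {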
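Review bot: `AdvancedSettings` is data received from the backend and, per change_applier.go in this same commit, is copied into the agent CR's image registry and proxy settings, so the exported struct should carry a doc comment that states that trust boundary and that nothing is validated at this layer: `// AdvancedSettings carries backend-supplied overrides that are written into the agent CR; values are not validated here.` `RegistryServer` would also benefit from a comment on its expected format (it is used as an image-name prefix downstream, so presumably `host[:port]` without a scheme) — that contract is not visible here, so confirm it with the backend API before documenting it.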
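--- a/cbcontainers/remote_configuration/change_applier.go
+++ b/cbcontainers/remote_configuration/change_applier.go
@@ -11,6 +11,7 @@ func ApplyConfigChangeToCR(change models.ConfigurationChange, cr *cbcontainersv1
 if change.AgentVersion != nil {
 cr.Spec.Version = *change.AgentVersion
 
+applyAdvancedSettings(cr, change.AdvancedSettings)
 resetImageTagsInCR(cr)
 toggleFeaturesBasedOnCompatibility(cr, *change.AgentVersion, sensorMetadata)
 }
@@ -78,3 +79,20 @@ func toggleFeaturesBasedOnCompatibility(cr *cbcontainersv1.CBContainersAgent, ve
 cr.Spec.Components.Cndr.Enabled = &falseRef
 }
 }
+
+func applyAdvancedSettings(cr *cbcontainersv1.CBContainersAgent, settings *models.AdvancedSettings) {
+if settings == nil {
+return
+}
+
+if settings.RegistryServer != nil {
+cr.Spec.Components.Settings.DefaultImagesRegistry = *settings.RegistryServer
+}
+if settings.ProxyServer != nil {
+if cr.Spec.Components.Settings.Proxy == nil {
+cr.Spec.Components.Settings.Proxy = &cbcontainersv1.CBContainersProxySettings{}
+}
+cr.Spec.Components.Settings.Proxy.HttpProxy = settings.ProxyServer
+cr.Spec.Components.Settings.Proxy.HttpsProxy = settings.ProxyServer
+}
+}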
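Review bot: `applyAdvancedSettings` writes the backend-supplied `RegistryServer` unvalidated into `DefaultImagesRegistry`, which `MutateImage` uses to prefix every sensor image, and copies `ProxyServer` into both proxy fields with no URL check, so a compromised or spoofed configuration response can repoint all of the agent's image pulls and egress to an arbitrary host — this is the supply-chain-sensitive path of the feature. Validate before mutating the CR and mark the change `ChangeStatusFailed` rather than applying a bad value; a helper like the one below, called before `applyAdvancedSettings` inside the `if change.AgentVersion != nil` block, keeps the existing signatures intact. Note also that `applyAdvancedSettings` runs only inside that `if`, so a change carrying `AdvancedSettings` but no `AgentVersion` is silently dropped — confirm that is intended, since `TestMissingVersionDoesNotModifyCR` suggests it may be. `ApplyConfigChangeToCR` starts before and ends after the first hunk.
```go
// validateAdvancedSettings rejects values that would steer image pulls or
// proxied egress somewhere unexpected; the caller decides how to surface it.
func validateAdvancedSettings(settings *models.AdvancedSettings) error {
	if settings == nil {
		return nil
	}
	if settings.RegistryServer != nil {
		reg := *settings.RegistryServer
		// an image prefix must not carry a scheme or whitespace
		if strings.Contains(reg, "://") || strings.ContainsAny(reg, " \t\r\n") {
			return fmt.Errorf("invalid registry_server %q", reg)
		}
	}
	if settings.ProxyServer != nil {
		u, err := url.Parse(*settings.ProxyServer)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			return fmt.Errorf("invalid proxy_server %q", *settings.ProxyServer)
		}
	}
	return nil
}
// … unchanged: applyAdvancedSettings …
```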
60 changes: 59 additions & 1 deletion cbcontainers/remote_configuration/change_applier_test.go
Expand Up @@ -15,7 +15,7 @@ func TestVersionIsAppliedCorrectly(t *testing.T) {
originalVersion := "my-version-42"
newVersion := "new-version"
cr := cbcontainersv1.CBContainersAgent{Spec: cbcontainersv1.CBContainersAgentSpec{Version: originalVersion}}
change := models.ConfigurationChange{AgentVersion: &newVersion}
change := models.ConfigurationChange{AgentVersion: &newVersion, AdvancedSettings: nil}

remote_configuration.ApplyConfigChangeToCR(change, &cr, nil)
assert.Equal(t, newVersion, cr.Spec.Version)
Expand All @@ -28,7 +28,65 @@ func TestMissingVersionDoesNotModifyCR(t *testing.T) {

remote_configuration.ApplyConfigChangeToCR(change, &cr, nil)
assert.Equal(t, originalVersion, cr.Spec.Version)
}

func TestAdvancedSettingsAppliedCorrectly(t *testing.T) {
proxy := "https://proxy.com"
reg := "dockerhub.com"
version := "3.0.0"

advancedSettings := &models.AdvancedSettings{
ProxyServer: &proxy,
RegistryServer: &reg,
}
cr := cbcontainersv1.CBContainersAgent{Spec: cbcontainersv1.CBContainersAgentSpec{Version: version}}
change := models.ConfigurationChange{AgentVersion: &version, AdvancedSettings: advancedSettings}

remote_configuration.ApplyConfigChangeToCR(change, &cr, nil)
assert.Equal(t, version, cr.Spec.Version)
assert.Equal(t, reg, cr.Spec.Components.Settings.DefaultImagesRegistry)
assert.Equal(t, proxy, *cr.Spec.Components.Settings.Proxy.HttpsProxy)
assert.Equal(t, proxy, *cr.Spec.Components.Settings.Proxy.HttpProxy)
}

func TestAdvancedSettingsNoChange(t *testing.T) {
proxy := "https://proxy.com"
reg := "dockerhub.com"
version := "3.0.0"

cr := cbcontainersv1.CBContainersAgent{Spec: cbcontainersv1.CBContainersAgentSpec{Version: version}}
cr.Spec.Components.Settings.DefaultImagesRegistry = reg
cr.Spec.Components.Settings.Proxy = &cbcontainersv1.CBContainersProxySettings{
HttpProxy: &proxy, HttpsProxy: &proxy,
}
change := models.ConfigurationChange{AgentVersion: &version, AdvancedSettings: nil}

remote_configuration.ApplyConfigChangeToCR(change, &cr, nil)
assert.Equal(t, version, cr.Spec.Version)
assert.Equal(t, reg, cr.Spec.Components.Settings.DefaultImagesRegistry)
assert.Equal(t, proxy, *cr.Spec.Components.Settings.Proxy.HttpsProxy)
assert.Equal(t, proxy, *cr.Spec.Components.Settings.Proxy.HttpProxy)
}

func TestAdvancedSettingsOnlyReg(t *testing.T) {
proxy := "https://proxy.com"
reg := "dockerhub.com"
version := "3.0.0"

cr := cbcontainersv1.CBContainersAgent{Spec: cbcontainersv1.CBContainersAgentSpec{Version: version}}
cr.Spec.Components.Settings.Proxy = &cbcontainersv1.CBContainersProxySettings{
HttpProxy: &proxy, HttpsProxy: &proxy,
}
change := models.ConfigurationChange{AgentVersion: &version, AdvancedSettings: &models.AdvancedSettings{
ProxyServer: nil,
RegistryServer: &reg,
}}

remote_configuration.ApplyConfigChangeToCR(change, &cr, nil)
assert.Equal(t, version, cr.Spec.Version)
assert.Equal(t, reg, cr.Spec.Components.Settings.DefaultImagesRegistry)
assert.Equal(t, proxy, *cr.Spec.Components.Settings.Proxy.HttpsProxy)
assert.Equal(t, proxy, *cr.Spec.Components.Settings.Proxy.HttpProxy)
}

func TestVersionOverwritesCustomTagsByRemovingThem(t *testing.T) {
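Review bot: The three new tests cover only well-formed values; there is no case for `AdvancedSettings` present with `AgentVersion` nil (which `ApplyConfigChangeToCR` currently ignores, because `applyAdvancedSettings` is called inside the `AgentVersion != nil` block) and none pinning what an empty-string `RegistryServer` does, which the applier writes through as `""`. Adding `TestAdvancedSettingsIgnoredWithoutVersion` and `TestAdvancedSettingsEmptyRegistry` would document whichever behaviour is intended before someone relies on the accident. The repeated `proxy`/`reg`/`version` fixtures could also move to a small helper so each test reads as its assertions only. `TestVersionOverwritesCustomTagsByRemovingThem` continues past the hunk.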
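--- a/cbcontainers/state/components/sensor_daemon_set.go
+++ b/cbcontainers/state/components/sensor_daemon_set.go
@@ -457,6 +457,7 @@ func (obj *SensorDaemonSetK8sObject) mutateCndrContainer(container *coreV1.Conta
 container.Name = CndrContainerName
 container.Resources = cndrSpec.Resources
 commonState.MutateImage(container, cndrSpec.Image, agentSpec.Version, agentSpec.Components.Settings.DefaultImagesRegistry)
+//commonState.MutateContainerFileProbes(container, cndrSpec.Probes)
 if commonState.IsEnabled(cndrSpec.Prometheus.Enabled) {
 container.Ports = []coreV1.ContainerPort{{Name: "metrics", ContainerPort: int32(cndrSpec.Prometheus.Port)}}
 }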
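Review bot: The only added line is a commented-out call, so `cndrSpec.Probes` — introduced with CRD defaults in this same commit — is never applied to the cndr container, and the dead line gives no reason for that. Either wire the call (`commonState.MutateContainerFileProbes(container, cndrSpec.Probes)`, assuming that helper exists in commonState; it is not visible here) or replace the commented code with a comment that records why it is deferred, e.g. `// TODO: cndr file probes (cndrSpec.Probes) are accepted by the CRD but not applied yet.` `mutateCndrContainer` starts before and ends after the hunk.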
31 changes: 31 additions & 0 deletions cbcontainers/test_utils/mocks/mock_k8s_client.go


Expand Up @@ -3,4 +3,4 @@ name: cbcontainers-agent
description: A Helm chart for installing the CBContainers Agent
type: application
version: 2.0.0
appVersion: "3.1.0"
appVersion: "3.2.0"
Expand Up @@ -205,5 +205,6 @@ components:
enabled: false
cndr:
enabled: true
probes: {}
# accessTokenSecretName is the name of the Kubernetes object of type Secret that holds the values of the Company Code
companyCodeSecretName: "my-company-code-secret-name"
Expand Up @@ -15,6 +15,7 @@ spec:
gateways:
apiGateway:
host: {{ required "gateways.apiGatewayHost is required" .Values.gateways.apiGatewayHost }}
adapter: {{ default "containers" .Values.gateways.adapter }}
coreEventsGateway:
host: {{ required "gateways.coreEventsGatewayHost is required" .Values.gateways.coreEventsGatewayHost }}
hardeningEventsGateway:
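Review bot: `adapter: {{ default "containers" .Values.gateways.adapter }}` renders the user-supplied value unquoted, so a string containing `:`, `#`, or a leading special character yields invalid or reinterpreted YAML; render it as `adapter: {{ default "containers" .Values.gateways.adapter | quote }}`, the usual form for string fields. The neighbouring `host:` lines go through `required` but are likewise unquoted, a pre-existing pattern worth fixing in the same pass. The `gateways:` block continues past the hunk.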
@@ -0,0 +1,32 @@
{{- range $i, $node := (lookup "v1" "Node" "" "").items }}

apiVersion: batch/v1
kind: Job
metadata:
name: cbcontainers-edr-sensor-cleaner
annotations:
"helm.sh/hook": "post-delete"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
spec:
template:
spec:
volumes:
- hostPath:
path: /var
type: Directory
name: var-dir
containers:
- name: edr-sensor-cleaner
image: photon:4.0
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsUser: 0
volumeMounts:
- mountPath: /var
name: var-dir
command: ["/usr/bin/rm", "-rf", "/var/opt/carbonblack"]
restartPolicy: Never
nodeName: "{{ $node.metadata.name }}"
---
{{- end }}
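Review bot: Every Job this template emits has the same `metadata.name: cbcontainers-edr-sensor-cleaner`, so only the first node's Job is created and the cleanup never runs on the remaining nodes; derive the name from the node, e.g. `name: cbcontainers-edr-sensor-cleaner-{{ $node.metadata.name | sha256sum | trunc 8 }}`. The pod is also far more powerful than the `rm -rf /var/opt/carbonblack` it performs: `privileged: true` is not needed to delete files on a hostPath mount and mounting all of `/var` exposes every other service's state on the node, so mount `/var/opt` and drop the privileged flag as sketched below (add back `CAP_DAC_OVERRIDE` only if the sensor leaves files owned by a non-root uid). `image: photon:4.0` is a mutable tag pulled from Docker Hub on every node at uninstall time; pin it by digest and, if the chart has a registry override for air-gapped clusters, honour it here too — I cannot see the values file, so confirm. `lookup` returns nothing under `helm template` or `--dry-run`, so this hook is only ever exercised against a live cluster.
```yaml
metadata:
  name: cbcontainers-edr-sensor-cleaner-{{ $node.metadata.name | sha256sum | trunc 8 }}
  # … unchanged: helm.sh/hook annotations …
spec:
  template:
    spec:
      volumes:
      - hostPath:
          path: /var/opt
          type: Directory
        name: var-opt
      containers:
      - name: edr-sensor-cleaner
        image: photon:4.0   # pin by digest before release
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: false
          runAsUser: 0
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - mountPath: /host/opt
          name: var-opt
        command: ["/usr/bin/rm", "-rf", "/host/opt/carbonblack"]
      # … unchanged: restartPolicy, nodeName …
```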
Expand Up @@ -3,4 +3,4 @@ name: cbcontainers-operator
description: A Helm chart for installing the CBContainers operator
type: application
version: 2.0.0
appVersion: v6.1.0
appVersion: v6.2.0
Expand Up @@ -49,6 +49,20 @@ rules:
- validatingwebhookconfigurations
verbs:
- list
- apiGroups:
- operator.containers.carbonblack.io
resources:
- cbcontainersagents
verbs:
- get
- list
- watch
- apiGroups:
- operator.containers.carbonblack.io
resources:
- cbcontainersagents/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
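Review bot: The hunk grants cluster-wide read access to `cbcontainersagents` and their status, but neither the ClusterRole it belongs to (its `name:` is above the hunk) nor the component that needs the access is stated in the rule, and RBAC grants without a recorded consumer tend to outlive the consumer. Add a comment on the new rule naming the subject and purpose, e.g. `# <component> reads the CBContainersAgent CR to discover its configuration`, so the grant can be audited later. Read-only verbs are a sensible least-privilege choice; just confirm the role is not bound to workload service accounts that previously had no access to the CR, since the CR references secret names (`companyCodeSecretName` in the agent values) and proxy settings. The ClusterRole definition starts before the hunk.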
