update zora chart
undistrobot committed Jan 15, 2024
1 parent 90e11c6 commit 1d07917
Showing 12 changed files with 148 additions and 58 deletions.
4 changes: 2 additions & 2 deletions charts/zora/Chart.yaml
@@ -17,7 +17,7 @@ name: zora
description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
type: application
version: 0.7.1-rc1
appVersion: "v0.7.1-rc1"
version: 0.7.0
appVersion: "v0.7.0"
sources:
- https://github.com/undistro/zora
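Review bot: confirm the direction of the version change in this hunk: the removed lines carry `version: 0.7.1-rc1` / `appVersion: "v0.7.1-rc1"` and the added lines `version: 0.7.0` / `appVersion: "v0.7.0"`, which is a lower version under semver precedence. If 0.7.1-rc1 was ever pushed to https://charts.undistro.io it will still sort above 0.7.0 in the repository index for anyone installing with `--devel`; otherwise this is fine as long as the `--version 0.7.0` in the README and the published index agree.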
14 changes: 6 additions & 8 deletions charts/zora/README.md
@@ -1,6 +1,6 @@
# Zora Helm Chart

![Version: 0.7.1-rc1](https://img.shields.io/badge/Version-0.7.1--rc1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.1-rc1](https://img.shields.io/badge/AppVersion-v0.7.1--rc1-informational?style=flat-square&color=3CA9DD)
![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.0](https://img.shields.io/badge/AppVersion-v0.7.0-informational?style=flat-square&color=3CA9DD)

A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.

Expand All @@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update
helm repo update undistro
helm upgrade --install zora undistro/zora \
-n zora-system \
--version 0.7.1-rc1 \
--version 0.7.0 \
--create-namespace \
--wait \
--set clusterName="$(kubectl config current-context)"
@@ -82,7 +82,7 @@ The following table lists the configurable parameters of the Zora chart and thei
| operator.serviceMonitor.enabled | bool | `false` | Specifies whether a Prometheus `ServiceMonitor` should be enabled |
| operator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `manager` container |
| operator.rbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | `kube-rbac-proxy` image repository |
| operator.rbacProxy.image.tag | string | `"v0.14.1"` | `kube-rbac-proxy` image tag |
| operator.rbacProxy.image.tag | string | `"v0.15.0"` | `kube-rbac-proxy` image tag |
| operator.rbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| operator.rbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `kube-rbac-proxy` container |
| operator.rbacProxy.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"5m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `kube-rbac-proxy` container |
@@ -93,8 +93,6 @@ The following table lists the configurable parameters of the Zora chart and thei
| operator.log.level | string | `"info"` | Log level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |
| operator.log.stacktraceLevel | string | `"error"` | Log level at and above which stacktraces are captured (one of 'info', 'error' or 'panic') |
| operator.log.timeEncoding | string | `"rfc3339"` | Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') |
| operator.env | list | `[]` | List of environment variables to set in operator container. Cannot be updated |
| operator.envFrom | list | `[]` | List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. |
| scan.misconfiguration.enabled | bool | `true` | Specifies whether misconfiguration scan is enabled |
| scan.misconfiguration.schedule | string | Cron expression for every hour at the current minute + 5 minutes | Cluster scan schedule in Cron format for misconfiguration scan |
| scan.misconfiguration.successfulScansHistoryLimit | int | `1` | The number of successful finished scans and their issues to retain. |
@@ -107,18 +105,18 @@ The following table lists the configurable parameters of the Zora chart and thei
| scan.worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
| scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
| scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
| scan.plugins.marvin.image.tag | string | `"v0.2.0"` | marvin plugin image tag |
| scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag |
| scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
| scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
| scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
| scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
| scan.plugins.trivy.image.tag | string | `"0.45.1"` | trivy plugin image tag |
| scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag |
| scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
| scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
| scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
| scan.plugins.popeye.image.tag | string | `"pr252"` | popeye plugin image tag |
| kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
| kubexnsImage.tag | string | `"v0.1.1"` | kubexns image tag |
| kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag |
| customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
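Review bot: `scan.plugins.popeye.image.tag` stays at `"pr252"` in this hunk while the marvin, trivy and kubexns tags move to tagged releases (`v0.2.1`, `0.48.2`, `v0.1.2`); a PR-build tag is not a release artifact and can be overwritten at any time, so pin popeye to a released version or, better, to an image digest, and consider digests for the other three as well, since all four remain mutable tags that a registry push can silently change.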
5 changes: 2 additions & 3 deletions charts/zora/crds/zora.undistro.io_clusterissues.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Undistro Authors
# Copyright 2024 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: clusterissues.zora.undistro.io
spec:
group: zora.undistro.io
5 changes: 2 additions & 3 deletions charts/zora/crds/zora.undistro.io_clusters.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Undistro Authors
# Copyright 2024 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: clusters.zora.undistro.io
spec:
group: zora.undistro.io
5 changes: 2 additions & 3 deletions charts/zora/crds/zora.undistro.io_clusterscans.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Undistro Authors
# Copyright 2024 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: clusterscans.zora.undistro.io
spec:
group: zora.undistro.io
5 changes: 2 additions & 3 deletions charts/zora/crds/zora.undistro.io_customchecks.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Undistro Authors
# Copyright 2024 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: customchecks.zora.undistro.io
spec:
group: zora.undistro.io
21 changes: 9 additions & 12 deletions charts/zora/crds/zora.undistro.io_plugins.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Undistro Authors
# Copyright 2024 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: plugins.zora.undistro.io
spec:
group: zora.undistro.io
@@ -409,7 +408,8 @@ spec:
in a file on the node should be used. The profile must be
preconfigured on the node to work. Must be a descending
path, relative to the kubelet's configured seccomp profile
location. Must only be set if type is "Localhost".
location. Must be set if type is "Localhost". Must NOT be
set for any other type.
type: string
type:
description: "type indicates which kind of seccomp profile
@@ -440,14 +440,11 @@ spec:
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container. This field is alpha-level
and will only be honored by components that enable the WindowsHostProcessContainers
feature flag. Setting this field without the feature flag
will result in errors when validating the Pod. All of a
Pod's containers must have the same effective HostProcess
value (it is not allowed to have a mix of HostProcess containers
and non-HostProcess containers). In addition, if HostProcess
is true then HostNetwork must also be set to true.
be run as a 'Host Process' container. All of a Pod's containers
must have the same effective HostProcess value (it is not
allowed to have a mix of HostProcess containers and non-HostProcess
containers). In addition, if HostProcess is true then HostNetwork
must also be set to true.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
105 changes: 99 additions & 6 deletions charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Undistro Authors
# Copyright 2024 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: vulnerabilityreports.zora.undistro.io
spec:
group: zora.undistro.io
@@ -85,13 +84,22 @@ spec:
spec:
description: VulnerabilityReportSpec defines the desired state of VulnerabilityReport
properties:
architecture:
type: string
cluster:
type: string
digest:
type: string
distro:
properties:
name:
type: string
version:
type: string
type: object
image:
type: string
repository:
os:
type: string
resources:
additionalProperties:
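Review bot: the `repository:` line is replaced by `os:` in this hunk, and `architecture`, `digest` and `distro` are added, all under the same CRD version, so this is a breaking schema change for any consumer that reads `.spec.repository` from existing VulnerabilityReports; a structural schema prunes the now-unknown field rather than rejecting it, so the breakage is silent. Call the rename out in the release notes, and if the controller is expected to recreate reports on the next scan, say so, because nothing in the chart migrates objects written under the old schema.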
@@ -121,8 +129,10 @@ spec:
- total
- unknown
type: object
tag:
type: string
tags:
items:
type: string
type: array
totalResources:
type: integer
vulnerabilities:
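Review bot: `spec.tag` (string) becomes `spec.tags` (array of string) in this hunk, again without a CRD version bump; update anything that selects `.spec.tag` (kubectl custom-columns, dashboards, JSONPath in scripts), and consider `x-kubernetes-list-type: set` or a `maxItems` bound on `tags` so one image referenced under many tags cannot grow the object without limit.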
@@ -134,8 +144,14 @@ spec:
type: string
id:
type: string
lastModifiedDate:
format: date-time
type: string
package:
type: string
publishedDate:
format: date-time
type: string
score:
type: string
severity:
@@ -160,6 +176,7 @@ spec:
type: array
required:
- cluster
- digest
- image
- resources
- summary
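Review bot: adding `digest` to `required` in this hunk means any VulnerabilityReport persisted before this CRD is applied fails validation on its next write, because stored objects are only revalidated when they are updated. Either have the controller delete and recreate reports that lack `spec.digest`, or leave `digest` optional for one release and tighten it once old reports have aged out under `successfulScansHistoryLimit`.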
@@ -168,6 +185,82 @@ spec:
type: object
status:
description: VulnerabilityReportStatus defines the observed state of VulnerabilityReport
properties:
conditions:
description: Conditions the latest available observations of a resource's
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
observedGeneration:
description: ObservedGeneration is the 'Generation' of the resource
that was last processed by the controller.
format: int64
type: integer
type: object
type: object
served: true
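Review bot: Helm installs the files under `crds/` only on first install and never touches them on `helm upgrade`, so the `.status.conditions` and `.status.observedGeneration` added in this hunk (and the new spec fields in the hunks above) are silently pruned on clusters that upgrade in place without re-applying the CRDs. The README install snippet in this commit does not mention this; add an upgrade step such as `kubectl apply --server-side -f charts/zora/crds/` before `helm upgrade`, or ship the CRDs as templates behind a chart value so Helm manages their lifecycle.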
4 changes: 0 additions & 4 deletions charts/zora/templates/operator/deployment.yaml
@@ -59,10 +59,6 @@ spec:
securityContext:
{{- toYaml .Values.operator.rbacProxy.securityContext | nindent 12 }}
- name: manager
envFrom:
{{- toYaml .Values.operator.envFrom | nindent 12 }}
env:
{{- toYaml .Values.operator.env | nindent 12 }}
command:
- /manager
args:
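Review bot: dropping `env` / `envFrom` from the `manager` container in this hunk is a silent breaking change for anyone setting `operator.env` or `operator.envFrom` in their values (HTTP proxy settings are the usual case): Helm does not fail on values that no template consumes, so those variables simply disappear on upgrade. Either keep the keys and document them as deprecated for one release, or add a `values.schema.json` that rejects them and record the removal in the changelog.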
20 changes: 20 additions & 0 deletions charts/zora/templates/operator/rbac.yaml
@@ -265,6 +265,26 @@ rules:
- get
- list
- watch
- apiGroups:
- zora.undistro.io
resources:
- vulnerabilityreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- zora.undistro.io
resources:
- vulnerabilityreports/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
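Review bot: the ClusterRole that receives the new `vulnerabilityreports` (create/delete/get/list/patch/update/watch) and `vulnerabilityreports/status` rules is outside the visible context of this hunk, so confirm it is the operator's manager role and not one bound to the ServiceAccount the scan worker pods run under; a role that only produces reports has no need for cluster-wide `delete` and `patch` on every report, and those verbs should stay with the controller that owns their lifecycle.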
1 change: 0 additions & 1 deletion charts/zora/templates/plugins/trivy.yaml
@@ -40,7 +40,6 @@ spec:
--no-progress \
--all-namespaces \
--scanners=vuln \
--report=summary \
-f=json \
{{- if .Values.scan.plugins.trivy.ignoreUnfixed }}
--ignore-unfixed \
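Review bot: removing `--report=summary` in this hunk switches `trivy k8s` to its default full report, which carries every vulnerability per resource and is presumably what the new per-vulnerability `publishedDate` / `lastModifiedDate` fields in the VulnerabilityReport CRD need, but it is also far larger to hold in memory and to parse; `scan.plugins.trivy.resources` is still `{}` in the README table, so set requests and limits for the trivy container (marvin and popeye already have them) so a large cluster cannot OOM the scan pod or starve its neighbours.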