From 1d079176b3da22e091490d9ae8712a9c55ac62c1 Mon Sep 17 00:00:00 2001 From: undistrobot Date: Mon, 15 Jan 2024 19:31:40 +0000 Subject: [PATCH] update zora chart --- charts/zora/Chart.yaml | 4 +- charts/zora/README.md | 14 +-- .../crds/zora.undistro.io_clusterissues.yaml | 5 +- .../zora/crds/zora.undistro.io_clusters.yaml | 5 +- .../crds/zora.undistro.io_clusterscans.yaml | 5 +- .../crds/zora.undistro.io_customchecks.yaml | 5 +- .../zora/crds/zora.undistro.io_plugins.yaml | 21 ++-- ...zora.undistro.io_vulnerabilityreports.yaml | 105 +++++++++++++++++- .../zora/templates/operator/deployment.yaml | 4 - charts/zora/templates/operator/rbac.yaml | 20 ++++ charts/zora/templates/plugins/trivy.yaml | 1 - charts/zora/values.yaml | 17 +-- 12 files changed, 148 insertions(+), 58 deletions(-) diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml index b32422a..40b01d1 100644 --- a/charts/zora/Chart.yaml +++ b/charts/zora/Chart.yaml @@ -17,7 +17,7 @@ name: zora description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg type: application -version: 0.7.1-rc1 -appVersion: "v0.7.1-rc1" +version: 0.7.0 +appVersion: "v0.7.0" sources: - https://github.com/undistro/zora diff --git a/charts/zora/README.md b/charts/zora/README.md index f5415fc..2c89447 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md 
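Review bot: The chart version moves backwards in this hunk: under SemVer precedence `0.7.1-rc1` sorts above `0.7.0`, so `version: 0.7.0` and `appVersion: "v0.7.0"` are a downgrade relative to the previous commit rather than a release of it. If the 0.7.1-rc1 entry was ever pushed to the chart repository index, clients installing with `--devel` would keep resolving to it, and the README snippet pinned to `--version 0.7.0` would not pick up the CRD and RBAC changes in this commit. If 0.7.0 is the intended GA tag, confirm that no 0.7.1-rc1 artifact was published; otherwise bump past it.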
@@ -1,6 +1,6 @@ # Zora Helm Chart -![Version: 0.7.1-rc1](https://img.shields.io/badge/Version-0.7.1--rc1-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.1-rc1](https://img.shields.io/badge/AppVersion-v0.7.1--rc1-informational?style=flat-square&color=3CA9DD) +![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.7.0](https://img.shields.io/badge/AppVersion-v0.7.0-informational?style=flat-square&color=3CA9DD) A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. @@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update helm repo update undistro helm upgrade --install zora undistro/zora \ -n zora-system \ - --version 0.7.1-rc1 \ + --version 0.7.0 \ --create-namespace \ --wait \ --set clusterName="$(kubectl config current-context)" 
@@ -82,7 +82,7 @@ The following table lists the configurable parameters of the Zora chart and thei | operator.serviceMonitor.enabled | bool | `false` | Specifies whether a Prometheus `ServiceMonitor` should be enabled | | operator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `manager` container | | operator.rbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | `kube-rbac-proxy` image repository | -| operator.rbacProxy.image.tag | string | `"v0.14.1"` | `kube-rbac-proxy` image tag | +| operator.rbacProxy.image.tag | string | `"v0.15.0"` | `kube-rbac-proxy` image tag | | operator.rbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | operator.rbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `kube-rbac-proxy` container | | operator.rbacProxy.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"5m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `kube-rbac-proxy` container | 
@@ -93,8 +93,6 @@ The following table lists the configurable parameters of the Zora chart and thei | operator.log.level | string | `"info"` | Log level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity | | operator.log.stacktraceLevel | string | `"error"` | Log level at and above which stacktraces are captured (one of 'info', 'error' or 'panic') | | operator.log.timeEncoding | string | `"rfc3339"` | Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') | -| operator.env | list | `[]` | List of environment variables to set in operator container. Cannot be updated | -| operator.envFrom | list | `[]` | List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. | | scan.misconfiguration.enabled | bool | `true` | Specifies whether misconfiguration scan is enabled | | scan.misconfiguration.schedule | string | Cron expression for every hour at the current minute + 5 minutes | Cluster scan schedule in Cron format for misconfiguration scan | | scan.misconfiguration.successfulScansHistoryLimit | int | `1` | The number of successful finished scans and their issues to retain. | 
@@ -107,18 +105,18 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container | | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository | -| scan.plugins.marvin.image.tag | string | `"v0.2.0"` | marvin plugin image tag | +| scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag | | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported | | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored | | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container | | scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository | -| scan.plugins.trivy.image.tag | string | `"0.45.1"` | trivy plugin image tag | +| scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag | | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. 
See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml | | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container | | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository | | scan.plugins.popeye.image.tag | string | `"pr252"` | popeye plugin image tag | | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository | -| kubexnsImage.tag | string | `"v0.1.1"` | kubexns image tag | +| kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag | | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/charts/zora/crds/zora.undistro.io_clusterissues.yaml b/charts/zora/crds/zora.undistro.io_clusterissues.yaml index c6bf2bf..802bf34 100644 --- a/charts/zora/crds/zora.undistro.io_clusterissues.yaml +++ b/charts/zora/crds/zora.undistro.io_clusterissues.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusterissues.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_clusters.yaml b/charts/zora/crds/zora.undistro.io_clusters.yaml index e8fd268..c7128f3 100644 
--- a/charts/zora/crds/zora.undistro.io_clusters.yaml +++ b/charts/zora/crds/zora.undistro.io_clusters.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusters.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_clusterscans.yaml b/charts/zora/crds/zora.undistro.io_clusterscans.yaml index 1412fa4..ad2923f 100644 --- a/charts/zora/crds/zora.undistro.io_clusterscans.yaml +++ b/charts/zora/crds/zora.undistro.io_clusterscans.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: clusterscans.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_customchecks.yaml b/charts/zora/crds/zora.undistro.io_customchecks.yaml index 1909dbc..b24b085 100644 --- a/charts/zora/crds/zora.undistro.io_customchecks.yaml +++ b/charts/zora/crds/zora.undistro.io_customchecks.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: customchecks.zora.undistro.io spec: group: zora.undistro.io diff --git a/charts/zora/crds/zora.undistro.io_plugins.yaml b/charts/zora/crds/zora.undistro.io_plugins.yaml index d19f1ed..61af8c2 100644 --- a/charts/zora/crds/zora.undistro.io_plugins.yaml +++ b/charts/zora/crds/zora.undistro.io_plugins.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: plugins.zora.undistro.io spec: group: zora.undistro.io @@ -409,7 +408,8 @@ spec: in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". + location. Must be set if type is "Localhost". Must NOT be + set for any other type. type: string type: description: "type indicates which kind of seccomp profile 
@@ -440,14 +440,11 @@ spec: type: string hostProcess: description: HostProcess determines if a container should - be run as a 'Host Process' container. This field is alpha-level - and will only be honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature flag - will result in errors when validating the Pod. All of a - Pod's containers must have the same effective HostProcess - value (it is not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, if HostProcess - is true then HostNetwork must also be set to true. + be run as a 'Host Process' container. All of a Pod's containers + must have the same effective HostProcess value (it is not + allowed to have a mix of HostProcess containers and non-HostProcess + containers). In addition, if HostProcess is true then HostNetwork + must also be set to true. type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint diff --git a/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml b/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml index a9c978f..24e41cf 100644 --- a/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml +++ b/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Undistro Authors +# Copyright 2024 Undistro Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: vulnerabilityreports.zora.undistro.io spec: group: zora.undistro.io 
@@ -85,13 +84,22 @@ spec: spec: description: VulnerabilityReportSpec defines the desired state of VulnerabilityReport properties: + architecture: + type: string cluster: type: string digest: type: string + distro: + properties: + name: + type: string + version: + type: string + type: object image: type: string - repository: + os: type: string resources: additionalProperties: @@ -121,8 +129,10 @@ spec: - total - unknown type: object - tag: - type: string + tags: + items: + type: string + type: array totalResources: type: integer vulnerabilities: @@ -134,8 +144,14 @@ spec: type: string id: type: string + lastModifiedDate: + format: date-time + type: string package: type: string + publishedDate: + format: date-time + type: string score: type: string severity: @@ -160,6 +176,7 @@ spec: type: array required: - cluster + - digest - image - resources - summary 
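Review bot: The first hunk removes `repository` and `tag` from the VulnerabilityReport `spec` (replaced by `os` and `tags`) and the last hunk adds `digest` to `required`, which is a breaking schema change for objects already stored in a cluster being upgraded: structural-schema pruning drops the old fields on the next write, and an update to a report that has no `digest` is presumably rejected by validation. The API version this schema belongs to is outside the hunk, so I cannot tell whether a new version was introduced alongside it; if it is the same version, the upgrade path (for example that reports are regenerated on the next scan) should be documented in the chart. The file is controller-gen output, so any field-level fix belongs in the Go types rather than here.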
@@ -168,6 +185,82 @@ spec: type: object status: description: VulnerabilityReportStatus defines the observed state of VulnerabilityReport + properties: + conditions: + description: Conditions the latest available observations of a resource's + current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the 'Generation' of the resource + that was last processed by the controller. + format: int64 + type: integer type: object type: object served: true diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml index 1f111cf..21a3ca8 100644 --- a/charts/zora/templates/operator/deployment.yaml +++ b/charts/zora/templates/operator/deployment.yaml @@ -59,10 +59,6 @@ spec: securityContext: {{- toYaml .Values.operator.rbacProxy.securityContext | nindent 12 }} - name: manager - envFrom: - {{- toYaml .Values.operator.envFrom | nindent 12 }} - env: - {{- toYaml .Values.operator.env | nindent 12 }} command: - /manager args: diff --git a/charts/zora/templates/operator/rbac.yaml b/charts/zora/templates/operator/rbac.yaml index 88a5a8c..f2f6e86 100644 --- a/charts/zora/templates/operator/rbac.yaml 
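Review bot: Dropping `envFrom` and `env` from the `manager` container removes the only hook for injecting environment into the operator, and because the matching keys are also deleted from values.yaml (hunk `@@ -143,15 +143,6 @@`) and the README table, a user values file that still sets `operator.env` or `operator.envFrom` will be silently ignored on upgrade rather than rejected, as no values.schema.json is visible in this diff. If the removal is intentional it should be called out as a breaking change in the chart notes; otherwise keeping the two template lines guarded, e.g. `{{- with .Values.operator.env }}` / `env: {{- toYaml . | nindent 12 }}` / `{{- end }}`, would preserve existing overrides without requiring the keys to exist. The container spec continues outside the hunk.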
+++ b/charts/zora/templates/operator/rbac.yaml @@ -265,6 +265,26 @@ rules: - get - list - watch +- apiGroups: + - zora.undistro.io + resources: + - vulnerabilityreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - zora.undistro.io + resources: + - vulnerabilityreports/status + verbs: + - get + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml index 22c344c..cd9b025 100644 --- a/charts/zora/templates/plugins/trivy.yaml +++ b/charts/zora/templates/plugins/trivy.yaml @@ -40,7 +40,6 @@ spec: --no-progress \ --all-namespaces \ --scanners=vuln \ - --report=summary \ -f=json \ {{- if .Values.scan.plugins.trivy.ignoreUnfixed }} --ignore-unfixed \ diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index f96a572..a972822 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -109,7 +109,7 @@ operator: # -- `kube-rbac-proxy` image repository repository: gcr.io/kubebuilder/kube-rbac-proxy # -- `kube-rbac-proxy` image tag - tag: v0.14.1 + tag: v0.15.0 # -- Image pull policy pullPolicy: IfNotPresent # -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `kube-rbac-proxy` container 
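Review bot: The two new rules grant cluster-wide `create`/`delete`/`patch`/`update` on `vulnerabilityreports` plus write access to its `status` subresource, but the ClusterRole they extend starts outside the hunk, so it is not visible whether this is the operator's manager role or the role bound to the scan worker pods; the preceding rule in the context is read-only (`get`/`list`/`watch`), so this is a real widening of the role. The worker that produces reports should only need `create` (and possibly `update`) on the resource, not `delete` or status writes, so confirm the binding target. A short comment above the rule, `# operator reconciles VulnerabilityReports: full CRUD plus status`, would make the intent survive the next regeneration if this file is derived from kubebuilder markers.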
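Review bot: Removing `--report=summary` makes trivy emit the full per-resource vulnerability listing (presumably required for the new per-vulnerability fields such as `publishedDate` in the CRD), so the JSON the worker has to parse now grows with the number of images in the cluster; the chart's default `scan.plugins.trivy.resources` remains `{}` per the README table, leaving the plugin container with no memory limit to bound that. Consider giving trivy a default limit like the `marvin` and `popeye` plugins, or documenting that larger clusters should set `scan.plugins.trivy.resources`. The surrounding args list continues outside the hunk.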
@@ -143,15 +143,6 @@ operator: stacktraceLevel: error # -- Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') timeEncoding: rfc3339 - # -- List of environment variables to set in operator container. Cannot be updated - env: [] - # - name: key - # value: value - - # -- List of sources to populate environment variables in operator container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - envFrom: [] - # - configMapRef: - # name: foo scan: misconfiguration: @@ -197,7 +188,7 @@ scan: # -- marvin plugin image repository repository: ghcr.io/undistro/marvin # -- marvin plugin image tag - tag: v0.2.0 + tag: v0.2.1 trivy: # -- Specifies whether only fixed vulnerabilities should be reported @@ -210,7 +201,7 @@ scan: # -- trivy plugin image repository repository: ghcr.io/aquasecurity/trivy # -- trivy plugin image tag - tag: 0.45.1 + tag: 0.48.2 popeye: # -- Specifies whether the following resources should be skipped by `popeye` scans. # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; @@ -240,7 +231,7 @@ kubexnsImage: # -- kubexns image repository repository: ghcr.io/undistro/kubexns # -- kubexns image tag - tag: v0.1.1 + tag: v0.1.2 # -- Custom checks ConfigMap name customChecksConfigMap: zora-custom-checks