From 1dfab1675946ce3f73e608af23a7ee41a1f02b49 Mon Sep 17 00:00:00 2001 From: undistrobot Date: Wed, 8 May 2024 15:02:09 +0000 Subject: [PATCH] update zora chart --- charts/zora/README.md | 14 +- ...zora.undistro.io_vulnerabilityreports.yaml | 694 ++++++++++++------ .../zora/templates/operator/deployment.yaml | 39 +- .../templates/operator/webhook-service.yaml | 29 + charts/zora/templates/plugins/marvin.yaml | 3 + charts/zora/templates/plugins/popeye.yaml | 4 + charts/zora/templates/plugins/trivy.yaml | 8 +- charts/zora/values.yaml | 18 +- 8 files changed, 563 insertions(+), 246 deletions(-) create mode 100644 charts/zora/templates/operator/webhook-service.yaml diff --git a/charts/zora/README.md b/charts/zora/README.md index 439bdfc..a9d833c 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md @@ -1,6 +1,6 @@ # Zora Helm Chart -![Version: 0.8.5-rc2](https://img.shields.io/badge/Version-0.8.5--rc2-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.5-rc2](https://img.shields.io/badge/AppVersion-v0.8.5--rc2-informational?style=flat-square&color=3CA9DD) +![Version: 0.8.5-rc3](https://img.shields.io/badge/Version-0.8.5--rc3-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.5-rc3](https://img.shields.io/badge/AppVersion-v0.8.5--rc3-informational?style=flat-square&color=3CA9DD) A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. @@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update helm repo update undistro helm upgrade --install zora undistro/zora \ -n zora-system \ - --version 0.8.5-rc2 \ + --version 0.8.5-rc3 \ --create-namespace \ --wait \ --set clusterName="$(kubectl config current-context)" 
@@ -93,6 +93,7 @@ The following table lists the configurable parameters of the Zora chart and thei | operator.log.level | string | `"info"` | Log level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity | | operator.log.stacktraceLevel | string | `"error"` | Log level at and above which stacktraces are captured (one of 'info', 'error' or 'panic') | | operator.log.timeEncoding | string | `"rfc3339"` | Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') | +| operator.webhook.enabled | bool | `true` | Specifies whether webhook server is enabled | | scan.misconfiguration.enabled | bool | `true` | Specifies whether misconfiguration scan is enabled | | scan.misconfiguration.schedule | string | Cron expression for every hour at the current minute + 5 minutes | Cluster scan schedule in Cron format for misconfiguration scan | | scan.misconfiguration.successfulScansHistoryLimit | int | `1` | The number of successful finished scans and their issues to retain. | @@ -108,6 +109,7 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods | | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository | | scan.plugins.marvin.image.tag | string | `"v0.2.3"` | marvin plugin image tag | +| scan.plugins.marvin.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. | | scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. | | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported | 
@@ -115,7 +117,8 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container | | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods | | scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository | -| scan.plugins.trivy.image.tag | string | `"0.50.1-1"` | trivy plugin image tag | +| scan.plugins.trivy.image.tag | float | `0.51` | trivy plugin image tag | +| scan.plugins.trivy.image.pullPolicy | string | `"Always"` | Image pull policy | | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. | | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. | | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout | 
@@ -129,11 +132,12 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container | | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods | | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository | -| scan.plugins.popeye.image.tag | string | `"0.21.3-6"` | popeye plugin image tag | +| scan.plugins.popeye.image.tag | float | `0.21` | popeye plugin image tag | +| scan.plugins.popeye.image.pullPolicy | string | `"Always"` | Image pull policy | | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. | | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. | | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository | -| kubexnsImage.tag | string | `"v0.1.3"` | kubexns image tag | +| kubexnsImage.tag | string | `"v0.1.4"` | kubexns image tag | | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name | | httpsProxy | string | `""` | HTTPS proxy URL | | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy | diff --git a/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml b/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml index f507404..55b5d3e 100644 --- a/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml +++ b/charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml 
@@ -18,6 +18,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 + zora.undistro.io/inject-conversion: "true" name: vulnerabilityreports.zora.undistro.io spec: group: zora.undistro.io 
@@ -26,251 +27,480 @@ spec: listKind: VulnerabilityReportList plural: vulnerabilityreports shortNames: - - vuln - - vulns - - vulnerabilities + - vuln + - vulns + - vulnerabilities singular: vulnerabilityreport scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .spec.cluster - name: Cluster - type: string - - jsonPath: .spec.image - name: Image - type: string - - jsonPath: .spec.summary.total - name: Total - type: string - - jsonPath: .spec.summary.critical - name: Critical - type: string - - jsonPath: .spec.summary.high - name: High - type: string - - jsonPath: .spec.summary.medium - name: Medium - priority: 1 - type: string - - jsonPath: .spec.summary.low - name: Low - priority: 1 - type: string - - jsonPath: .spec.summary.unknown - name: Unknown - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: VulnerabilityReport is the Schema for the vulnerabilityreports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: VulnerabilityReportSpec defines the desired state of VulnerabilityReport - properties: - architecture: - type: string - cluster: - type: string - digest: - type: string - distro: - properties: - name: - type: string - version: - type: string - type: object - image: - type: string - os: - type: string - resources: - additionalProperties: - items: - type: string - type: array - type: object - summary: - properties: - critical: - type: integer - high: - type: integer - low: - type: integer - medium: - type: integer - total: - type: integer - unknown: - type: integer - required: - - critical - - high - - low - - medium - - total - - unknown - type: object - tags: - items: + - additionalPrinterColumns: + - jsonPath: .spec.cluster + name: Cluster + type: string + - jsonPath: .spec.image + name: Image + type: string + - jsonPath: .spec.summary.total + name: Total + type: string + - jsonPath: .spec.summary.critical + name: Critical + type: string + - jsonPath: .spec.summary.high + name: High + type: string + - jsonPath: .spec.summary.medium + name: Medium + priority: 1 + type: string + - jsonPath: .spec.summary.low + name: Low + priority: 1 + type: string + - jsonPath: .spec.summary.unknown + name: Unknown + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha1 version of VulnerabilityReport has been deprecated. Please use v1alpha2 instead. + name: v1alpha1 + schema: + openAPIV3Schema: + description: VulnerabilityReport is the Schema for the vulnerabilityreports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VulnerabilityReportSpec defines the desired state of VulnerabilityReport + properties: + architecture: + type: string + cluster: type: string - type: array - totalResources: - type: integer - vulnerabilities: - items: + digest: + type: string + distro: properties: - description: - type: string - fixVersion: - type: string - id: - type: string - lastModifiedDate: - format: date-time - type: string - package: - type: string - publishedDate: - format: date-time - type: string - score: - type: string - severity: - type: string - status: - type: string - title: - type: string - type: - type: string - url: + name: type: string version: type: string - required: - - id - - package - - severity - - title - - version type: object - type: array - required: - - cluster - - digest - - image - - resources - - summary - - totalResources - - vulnerabilities - type: object - status: - description: VulnerabilityReportStatus defines the observed state of VulnerabilityReport - properties: - conditions: - description: Conditions the latest available observations of a resource's - current state. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. 
For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + image: + type: string + os: + type: string + resources: + additionalProperties: + items: type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 + type: array + type: object + summary: + properties: + critical: + type: integer + high: + type: integer + low: + type: integer + medium: type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + total: + type: integer + unknown: + type: integer + required: + - critical + - high + - low + - medium + - total + - unknown + type: object + tags: + items: + type: string + type: array + totalResources: + type: integer + vulnerabilities: + items: + properties: + description: + type: string + fixVersion: + type: string + id: + type: string + lastModifiedDate: + format: date-time + type: string + package: + type: string + publishedDate: + format: date-time + type: string + score: + type: string + severity: + type: string + status: + type: string + title: + type: string + type: + type: string + url: + type: string + version: + type: string + required: + - id + - package + - severity + - title + - version + type: object + type: array + required: + - cluster + - digest + - image + - resources + - summary + - totalResources + - vulnerabilities + type: object + status: + description: VulnerabilityReportStatus defines the observed state of VulnerabilityReport + properties: + conditions: + description: Conditions the latest available observations of a resource's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. 
For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the resource that + was last processed by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.cluster + name: Cluster + type: string + - jsonPath: .spec.image + name: Image + type: string + - jsonPath: .spec.summary.total + name: Total + type: string + - jsonPath: .spec.summary.critical + name: Critical + type: string + - jsonPath: .spec.summary.high + name: High + type: string + - jsonPath: .spec.summary.medium + name: Medium + priority: 1 + type: string + - jsonPath: .spec.summary.low + name: Low + priority: 1 + type: string + - jsonPath: .spec.summary.unknown + name: Unknown + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: VulnerabilityReport is the Schema for the vulnerabilityreports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VulnerabilityReportSpec defines the desired state of VulnerabilityReport + properties: + architecture: + type: string + cluster: + type: string + digest: + type: string + distro: + properties: + name: type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown + version: type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. 
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: object + image: + type: string + os: + type: string + resources: + additionalProperties: + items: type: string + type: array + type: object + summary: + properties: + critical: + type: integer + high: + type: integer + low: + type: integer + medium: + type: integer + total: + type: integer + unknown: + type: integer required: - - lastTransitionTime - - message - - reason - - status - - type + - critical + - high + - low + - medium + - total + - unknown type: object - type: array - observedGeneration: - description: |- - ObservedGeneration is the 'Generation' of the resource that - was last processed by the controller. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} + tags: + items: + type: string + type: array + totalResources: + type: integer + vulnerabilities: + items: + properties: + description: + type: string + id: + type: string + lastModifiedDate: + format: date-time + type: string + packages: + items: + properties: + fixVersion: + type: string + package: + type: string + status: + type: string + type: + type: string + version: + type: string + required: + - package + - version + type: object + type: array + publishedDate: + format: date-time + type: string + score: + type: string + severity: + type: string + title: + type: string + url: + type: string + required: + - id + - packages + - severity + - title + type: object + type: array + required: + - cluster + - digest + - image + - resources + - summary + - totalResources + - vulnerabilities + type: object + status: + description: VulnerabilityReportStatus defines the observed state of VulnerabilityReport + properties: + conditions: + description: Conditions the latest available observations of a resource's current state. 
+ items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the 'Generation' of the resource that + was last processed by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml index 3ae6181..05ec122 100644 --- a/charts/zora/templates/operator/deployment.yaml +++ b/charts/zora/templates/operator/deployment.yaml 
@@ -11,7 +11,24 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +{{ $secretName := printf "%s-serving-cert" (include "zora.fullname" .) -}} +{{- $serviceName := printf "%s-webhook" (include "zora.fullname" .) -}} +{{- if and .Values.operator.webhook.enabled (not (lookup "v1" "Secret" .Release.Namespace $secretName)) -}} + {{- $cn := $serviceName -}} + {{- $ca := genCA $cn 3650 -}} + {{- $altNames := list ( printf "%s.%s" $serviceName .Release.Namespace ) ( printf "%s.%s.svc" $serviceName .Release.Namespace ) ( printf "%s.%s.svc.cluster.local" $serviceName .Release.Namespace ) -}} + {{- $cert := genSignedCert $cn nil $altNames 3650 $ca -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: kubernetes.io/tls +data: + tls.key: {{ b64enc $cert.Key }} + tls.crt: {{ b64enc $cert.Cert }} + ca.crt: {{ b64enc $ca.Cert }} +--- +{{- end -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -92,6 +109,9 @@ spec: - --checks-configmap-name={{ .Values.customChecksConfigMap }} - --kubexns-image={{ printf "%s:%s" .Values.kubexnsImage.repository .Values.kubexnsImage.tag }} - --update-crds={{ .Values.updateCRDs | default .Release.IsUpgrade }} + - --inject-conversion={{ .Values.operator.webhook.enabled }} + - --webhook-service-name={{ $serviceName }} + - --webhook-service-namespace={{ .Release.Namespace }} image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.operator.image.pullPolicy }} ports: @@ -101,6 +121,15 @@ spec: - containerPort: 8080 protocol: TCP name: metrics + {{- if .Values.operator.webhook.enabled }} + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + {{- end }} livenessProbe: httpGet: path: /healthz 
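Review bot: Helm will delete the generated serving-cert Secret on the first `helm upgrade`: the Secret is rendered only when `lookup` finds no existing `<fullname>-serving-cert`, so the install that creates it puts it in the release manifest and the next upgrade (where `lookup` succeeds) drops it from the manifest, which Helm treats as a removal — unless the operator re-creates it, which nothing here shows. `lookup` also returns nothing under `helm template`/`--dry-run`, so every such render mints a fresh CA and key that will not match whatever CA bundle the operator has injected into the CRD conversion section. Rendering the Secret unconditionally and reusing the looked-up `tls.key`/`tls.crt`/`ca.crt` when present keeps one stable certificate across upgrades, as sketched below. The 3650-day validity of both CA and leaf with no rotation path, and the private key being embedded in the rendered manifest (hence in Helm's release Secret), deserve a `# NOTE:` comment above `genCA` telling operators to supply their own Secret when that is unacceptable.
```yaml
{{- $secretName := printf "%s-serving-cert" (include "zora.fullname" .) -}}
{{- $serviceName := printf "%s-webhook" (include "zora.fullname" .) -}}
{{- if .Values.operator.webhook.enabled -}}
  {{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
type: kubernetes.io/tls
data:
  {{- if $existing }}
  tls.key: {{ index $existing.data "tls.key" }}
  tls.crt: {{ index $existing.data "tls.crt" }}
  ca.crt: {{ index $existing.data "ca.crt" }}
  {{- else }}
  {{- $cn := $serviceName }}
  {{- $ca := genCA $cn 3650 }}
  {{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.cluster.local" $serviceName .Release.Namespace) }}
  {{- $cert := genSignedCert $cn nil $altNames 3650 $ca }}
  tls.key: {{ b64enc $cert.Key }}
  tls.crt: {{ b64enc $cert.Cert }}
  ca.crt: {{ b64enc $ca.Cert }}
  {{- end }}
---
{{- end -}}
# … unchanged: Deployment …
```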
@@ -117,6 +146,14 @@ spec: {{- toYaml .Values.operator.resources | nindent 12 }} securityContext: {{- toYaml .Values.operator.securityContext | nindent 12 }} + {{- if .Values.operator.webhook.enabled }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: {{ $secretName }} + optional: true + {{- end }} securityContext: {{- toYaml .Values.operator.podSecurityContext | nindent 8 }} serviceAccountName: {{ include "zora.operatorServiceAccountName" . }} diff --git a/charts/zora/templates/operator/webhook-service.yaml b/charts/zora/templates/operator/webhook-service.yaml new file mode 100644 index 0000000..3b86170 --- /dev/null +++ b/charts/zora/templates/operator/webhook-service.yaml @@ -0,0 +1,29 @@ +# Copyright 2024 Undistro Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.operator.webhook.enabled }} +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "zora.operatorLabels" . | nindent 4 }} + name: {{ include "zora.fullname" . }}-webhook +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + {{- include "zora.operatorSelectorLabels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/zora/templates/plugins/marvin.yaml b/charts/zora/templates/plugins/marvin.yaml index 0394b13..cca0c28 100644 --- a/charts/zora/templates/plugins/marvin.yaml +++ b/charts/zora/templates/plugins/marvin.yaml 
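Review bot: A missing serving-cert Secret is silently tolerated: `optional: true` on the `cert` volume lets the operator pod start with an empty `/tmp/k8s-webhook-server/serving-certs`, so a missing or deleted certificate shows up as a webhook-server failure at runtime instead of a clear volume-mount error on the pod. Since this same chart creates the Secret whenever `operator.webhook.enabled` is true, `optional: false` (or a comment explaining when the Secret may legitimately be absent) seems preferable. `defaultMode: 420` is 0644, which leaves `tls.key` readable by every user in the container; `defaultMode: 256` (0400) or `288` (0440) is the usual choice, though whether the key remains readable then depends on the `runAsUser`/`fsGroup` in `operator.podSecurityContext`, which is outside this hunk. The Deployment spec starts before this hunk.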
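Review bot: `targetPort: 9443` repeats the container port number declared in the Deployment, where that port is already named `webhook-server`; `targetPort: webhook-server` would keep the Service and Deployment in step if the port is ever changed. The file also ends without a trailing newline, unlike the other templates in the chart.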
@@ -21,6 +21,9 @@ metadata: spec: type: misconfiguration image: "{{ .Values.scan.plugins.marvin.image.repository }}:{{ .Values.scan.plugins.marvin.image.tag }}" + {{- if .Values.scan.plugins.marvin.image.pullPolicy }} + imagePullPolicy: "{{ .Values.scan.plugins.marvin.image.pullPolicy }}" + {{- end }} {{- if .Values.scan.plugins.marvin.resources }} resources: {{- toYaml .Values.scan.plugins.marvin.resources | nindent 4 }} diff --git a/charts/zora/templates/plugins/popeye.yaml b/charts/zora/templates/plugins/popeye.yaml index 4d9e35b..e059fcd 100644 --- a/charts/zora/templates/plugins/popeye.yaml +++ b/charts/zora/templates/plugins/popeye.yaml @@ -21,6 +21,9 @@ metadata: spec: type: misconfiguration image: "{{ .Values.scan.plugins.popeye.image.repository }}:{{ .Values.scan.plugins.popeye.image.tag }}" + {{- if .Values.scan.plugins.popeye.image.pullPolicy }} + imagePullPolicy: "{{ .Values.scan.plugins.popeye.image.pullPolicy }}" + {{- end }} {{- if .Values.scan.plugins.popeye.resources }} resources: {{- toYaml .Values.scan.plugins.popeye.resources | nindent 4 }} @@ -51,6 +54,7 @@ spec: - /bin/sh - -c - | + sleep 30 start=$(date +%s) echo Scanning... {{- if .Values.scan.plugins.popeye.skipInternalResources }} diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml index 22a2d49..f25c1c5 100644 --- a/charts/zora/templates/plugins/trivy.yaml +++ b/charts/zora/templates/plugins/trivy.yaml 
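Review bot: The added `sleep 30` at the top of the popeye script delays every scan by a fixed 30 seconds with nothing in the hunk saying what it waits for; if it is there to let a sidecar or the kubexns container (inferred from the `--kubexns-image` flag elsewhere in this patch) become ready, a bounded poll on the thing actually needed would be both faster and more reliable than a fixed delay. At minimum a comment is needed above the sleep, e.g. `# wait for <dependency> to become ready before scanning — TODO document why 30s is enough`. The `/bin/sh -c` script starts before this hunk and continues after it.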
@@ -21,12 +21,16 @@ metadata: spec: type: vulnerability image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}" + {{- if .Values.scan.plugins.trivy.image.pullPolicy }} + imagePullPolicy: "{{ .Values.scan.plugins.trivy.image.pullPolicy }}" + {{- end }} {{- if .Values.scan.plugins.trivy.resources }} resources: {{- toYaml .Values.scan.plugins.trivy.resources | nindent 4 }} {{- end }} mountCustomChecksVolume: false securityContext: + runAsNonRoot: true allowPrivilegeEscalation: false privileged: false {{- with .Values.scan.plugins.trivy.envFrom }} @@ -58,7 +62,6 @@ spec: time trivy k8s \ --debug \ --no-progress \ - --all-namespaces \ --scanners=vuln \ -f=json \ --cache-dir=/tmp/trivy-cache \ @@ -69,8 +72,7 @@ spec: --ignore-unfixed \ {{- end }} --timeout={{ .Values.scan.plugins.trivy.timeout | quote }} \ - -o $(DONE_DIR)/results.json \ - cluster + -o $(DONE_DIR)/results.json exitcode=$(echo $?) if [ $exitcode -ne 0 ]; then diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index f8847c4..28d997c 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -141,7 +141,9 @@ operator: stacktraceLevel: error # -- Log time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') timeEncoding: rfc3339 - + webhook: + # -- Specifies whether webhook server is enabled + enabled: true scan: misconfiguration: # -- Specifies whether misconfiguration scan is enabled @@ -191,6 +193,8 @@ scan: repository: ghcr.io/undistro/marvin # -- marvin plugin image tag tag: v0.2.3 + # -- Image pull policy + pullPolicy: IfNotPresent # -- List of environment variables to set in marvin container. env: [] # -- List of sources to populate environment variables in marvin container. 
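Review bot: `runAsNonRoot: true` is added without a `runAsUser`, so the kubelet enforces it from image metadata: if `ghcr.io/undistro/trivy` at the new `0.51` tag does not declare a numeric non-root `USER`, the container is refused with `CreateContainerConfigError` and every vulnerability scan fails; the image's Dockerfile is not in this diff, so this is worth confirming against the image. Setting an explicit `runAsUser` matching the image's user alongside `runAsNonRoot: true` makes the intent independent of image metadata, and `readOnlyRootFilesystem: true` with an `emptyDir` for the `/tmp/trivy-cache` directory the script uses would round out the hardening, if no such volume already exists. The plugin spec continues after this hunk.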
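Review bot: Dropping `--all-namespaces` (and, in the following hunk, the `cluster` target) changes the scan scope unless the new trivy scans the whole cluster by default; this appears to track the image bump to `0.51` in values.yaml, but nothing in the script records that dependency, so a later tag change could silently narrow what the VulnerabilityReports cover. A comment above the `trivy k8s` invocation such as `# trivy >= 0.51: 'trivy k8s' covers the whole cluster by default; the 'cluster' target and --all-namespaces were dropped with the image bump` would make the coupling visible, and an explicit namespace-selection flag, if the new CLI offers one, would make the scope independent of defaults. The script starts before this hunk and continues after it.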
@@ -209,7 +213,9 @@ scan: # -- trivy plugin image repository repository: ghcr.io/undistro/trivy # -- trivy plugin image tag - tag: 0.50.1-1 + tag: 0.51 + # -- Image pull policy + pullPolicy: Always # -- List of environment variables to set in trivy container. env: [] # - name: AWS_REGION @@ -266,7 +272,9 @@ scan: # -- popeye plugin image repository repository: ghcr.io/undistro/popeye # -- popeye plugin image tag - tag: 0.21.3-6 + tag: 0.21 + # -- Image pull policy + pullPolicy: Always # -- List of environment variables to set in popeye container. env: [] # -- List of sources to populate environment variables in popeye container. @@ -276,7 +284,7 @@ kubexnsImage: # -- kubexns image repository repository: ghcr.io/undistro/kubexns # -- kubexns image tag - tag: v0.1.3 + tag: v0.1.4 # -- Custom checks ConfigMap name customChecksConfigMap: zora-custom-checks @@ -288,4 +296,4 @@ noProxy: kubernetes.default.svc.*,127.0.0.1,localhost # -- (bool) Specifies whether CRDs should be updated by operator at startup # @default -- `true` for upgrades -updateCRDs: \ No newline at end of file +updateCRDs:
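Review bot: `tag: 0.51` is an unquoted YAML float — helm-docs already reports its type as `float` in the README — so the value survives only by accident: `0.50` would render as `0.5`, `1.0` as `1`, and the image reference would break; write it as `tag: "0.51"`. The larger concern is that this replaces the pinned build `0.50.1-1` with a moving minor tag and at the same time sets `pullPolicy: Always`, so every scan pod re-pulls whatever `ghcr.io/undistro/trivy:0.51` currently points to; for a scanner that reads the whole cluster, a fully qualified tag (or a `repository@sha256:…` digest) is the safer default, with `Always` reserved for tags that are intentionally mutable.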
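Review bot: Same pattern for popeye: `tag: 0.21` is an unquoted float and replaces the pinned `0.21.3-6` with a moving tag pulled under `pullPolicy: Always`, so the misconfiguration scanner's contents can change between runs without any chart change; quote it as `tag: "0.21"` and prefer an immutable tag or digest here as well.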