From 7f88eb2e1431c1e69fbb8949343a668042fba1b6 Mon Sep 17 00:00:00 2001
From: undistrobot
Date: Tue, 26 Mar 2024 12:54:28 +0000
Subject: [PATCH] update zora chart
---
 charts/zora/Chart.yaml | 4 ++--
 charts/zora/README.md | 6 +++---
 charts/zora/templates/NOTES.txt | 13 +++++++++++++
 charts/zora/templates/_helpers.tpl | 19 +++++++++++++++++++
 .../templates/clusterscan/clusterscan.yaml | 17 ++++++++++++++---
 charts/zora/values.yaml | 6 +++---
 6 files changed, 54 insertions(+), 11 deletions(-)
diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml
index b3d8b7e..f864337 100644
--- a/charts/zora/Chart.yaml
+++ b/charts/zora/Chart.yaml
@@ -17,7 +17,7 @@ name: zora
 description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times.
 icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg
 type: application
-version: 0.8.4-rc1
-appVersion: "v0.8.4-rc1"
+version: 0.8.4-rc2
+appVersion: "v0.8.4-rc2"
 sources:
 - https://github.com/undistro/zora
diff --git a/charts/zora/README.md b/charts/zora/README.md
index 623d252..1e1135c 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -114,8 +114,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
-| scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
-| scan.plugins.trivy.image.tag | string | `"0.49.1"` | trivy plugin image tag |
+| scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
+| scan.plugins.trivy.image.tag | string | `"0.49.1-3"` | trivy plugin image tag |
 | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
 | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
@@ -124,7 +124,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
-| scan.plugins.popeye.image.tag | string | `"v0.11.3"` | popeye plugin image tag |
+| scan.plugins.popeye.image.tag | string | `"0.21.1-4"` | popeye plugin image tag |
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
diff --git a/charts/zora/templates/NOTES.txt b/charts/zora/templates/NOTES.txt
index 284e528..aec7ec8 100644
--- a/charts/zora/templates/NOTES.txt
+++ b/charts/zora/templates/NOTES.txt
@@ -15,3 +15,16 @@ Visit our documentation for in-depth information: https://zora-docs.undistro.io
 {{ if .Values.saas.workspaceID -}}
 Visit Zora Dashboard to explore your clusters and issues: {{ .Values.saas.server }}
 {{- end }}
+
+{{- $warnMisconfig := and .Values.scan.misconfiguration.schedule (include "zora.IsMisconfigScheduleMoreOftenThanHourly" .) }}
+{{- if eq $warnMisconfig "true" }}
+WARNING: The misconfiguration scan appears to be scheduled to run more frequently than hourly, you should be aware this
+ may lead to higher resource utilization and network traffic.
+{{- end }}
+
+{{- $warVuln := and .Values.scan.vulnerability.schedule (include "zora.IsVulnScheduleMoreOftenThanDaily" .) }}
+{{- if eq $warVuln "true" }}
+WARNING: The vulnerability scan appears to be scheduled to run more frequently than daily, potentially leading to
+ significant increases in networking costs and resource utilization. This is particularly relevant for
+ vulnerability scans, which involve downloading a vulnerability database and pulling images.
+{{ end }}
diff --git a/charts/zora/templates/_helpers.tpl b/charts/zora/templates/_helpers.tpl
index 4eac105..0c23f8a 100644
--- a/charts/zora/templates/_helpers.tpl
+++ b/charts/zora/templates/_helpers.tpl
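Review bot: The two warning blocks are written inconsistently: the first variable is `$warnMisconfig` while the second is `$warVuln` (missing "n"), and the first block closes with `{{- end }}` but the second with `{{ end }}`, which leaves an extra blank line after the vulnerability warning. Rename the second variable to `$warnVuln` and close it with `{{- end }}` to match the block above. The first warning text also reads as a comma splice; `run more frequently than hourly; be aware this may lead to higher resource utilization and network traffic.` reads cleaner.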
@@ -130,3 +130,22 @@ Truncate a name to a specific length
 {{- .name }}
 {{- end }}
 {{- end }}
+
+{{/* Returns true if the explicitly set misconfiguration schedule is more frequently than hourly */}}
+{{- define "zora.IsMisconfigScheduleMoreOftenThanHourly" -}}
+{{- $cron_fields := split " " .Values.scan.misconfiguration.schedule -}}
+{{- $minute := $cron_fields._0 -}}
+{{/* minute must be in range [0-59] */}}
+{{- not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $minute) -}}
+{{- end -}}
+
+{{/* Returns true if the explicitly set vulnerability schedule is more frequently than daily */}}
+{{- define "zora.IsVulnScheduleMoreOftenThanDaily" -}}
+{{- $cron_fields := split " " .Values.scan.vulnerability.schedule -}}
+{{- $minute := $cron_fields._0 -}}
+{{- $hour := $cron_fields._1 -}}
+{{/* minute and hour must be in range [0-59] */}}
+{{- $isMinuteBad := not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $minute) -}}
+{{- $isHourBad := not (mustRegexMatch "^(?:\\d|[0-5]\\d)$" $hour) -}}
+{{- or $isMinuteBad $isHourBad -}}
+{{- end -}}
diff --git a/charts/zora/templates/clusterscan/clusterscan.yaml b/charts/zora/templates/clusterscan/clusterscan.yaml
index c7764c9..7b8bbca 100644
--- a/charts/zora/templates/clusterscan/clusterscan.yaml
+++ b/charts/zora/templates/clusterscan/clusterscan.yaml
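Review bot: The hour check in zora.IsVulnScheduleMoreOftenThanDaily reuses the minute regex, so the comment `minute and hour must be in range [0-59]` is wrong for the hour field and hour values 24-59 are accepted as a valid daily schedule; use `{{- $isHourBad := not (mustRegexMatch "^(?:\\d|1\\d|2[0-3])$" $hour) -}}` and change the comment to say hour is `[0-23]`. Both helpers treat any field that is not a single literal integer as "more often than" the threshold, so a range such as `5-10` or a cron macro such as `@hourly` (if the controller accepts one) would trigger the warning; that is acceptable for a warning, but the define comments should say so, e.g. `Conservative heuristic: anything other than a single literal minute value is treated as sub-hourly`. The helpers also split on a single space, so a schedule with two consecutive spaces would leave an empty `_1` and trip the hour check; the NOTES.txt callers only guard the fully empty case.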
@@ -30,12 +30,17 @@ metadata:
 labels:
 zora.undistro.io/default: "true"
 {{- include "zora.labels" . | nindent 4 }}
- name: {{ include "truncate.name" (dict "name" (printf "%s-misconfig" (include "zora.clusterName" .)) "len" 63 ) }}
-
+ {{- $misconfigScanName := include "truncate.name" (dict "name" (printf "%s-misconfig" (include "zora.clusterName" .)) "len" 63 ) }}
+ name: {{ $misconfigScanName }}
 spec:
 clusterRef:
 name: {{ include "zora.clusterName" . }}
+ {{- $currentMisconfigScan := and (.Capabilities.APIVersions.Has "zora.undistro.io/v1alpha1") (lookup "zora.undistro.io/v1alpha1" "ClusterScan" .Release.Namespace $misconfigScanName) }}
+ {{- if and $currentMisconfigScan (not .Values.scan.misconfiguration.schedule) }}
+ schedule: {{ $currentMisconfigScan.spec.schedule | quote }}
+ {{- else }}
 schedule: {{ include "zora.misconfigSchedule" . | quote }}
+ {{- end }}
 successfulScansHistoryLimit: {{ .Values.scan.misconfiguration.successfulScansHistoryLimit }}
 {{- if .Values.scan.misconfiguration.plugins }}
 plugins:
@@ -52,11 +57,17 @@ metadata:
 labels:
 zora.undistro.io/default: "true"
 {{- include "zora.labels" . | nindent 4 }}
- name: {{ include "truncate.name" (dict "name" (printf "%s-vuln" (include "zora.clusterName" .)) "len" 63 ) }}
+ {{- $vulnScanName := include "truncate.name" (dict "name" (printf "%s-vuln" (include "zora.clusterName" .)) "len" 63 ) }}
+ name: {{ $vulnScanName }}
 spec:
 clusterRef:
 name: {{ include "zora.clusterName" . }}
+ {{- $currentVulnScan := and (.Capabilities.APIVersions.Has "zora.undistro.io/v1alpha1") (lookup "zora.undistro.io/v1alpha1" "ClusterScan" .Release.Namespace $vulnScanName) }}
+ {{- if and $currentVulnScan (not .Values.scan.vulnerability.schedule) }}
+ schedule: {{ $currentVulnScan.spec.schedule | quote }}
+ {{- else }}
 schedule: {{ include "zora.vulnSchedule" . | quote }}
+ {{- end }}
 successfulScansHistoryLimit: {{ .Values.scan.vulnerability.successfulScansHistoryLimit }}
 {{- if .Values.scan.vulnerability.plugins }}
 plugins:
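Review bot: The lookup-based schedule preservation in both hunks (misconfig and vuln) is undocumented: when `.Values.scan.*.schedule` is empty, the rendered `schedule` is taken from the ClusterScan already present in the cluster instead of from `zora.misconfigSchedule`/`zora.vulnSchedule`, so a user who clears a previously set schedule keeps the old one across upgrades, and renderers that cannot call `lookup` (`helm template`, client-side GitOps rendering, which get an empty map back) always take the else branch and may produce a different schedule than the live object. Add a template comment above the `$currentMisconfigScan` line stating that intent, e.g. `{{/* Keep the schedule of an existing ClusterScan when values set none, so upgrades do not rewrite it; lookup is empty under helm template, falling back to the default helper. */}}`, and the same above `$currentVulnScan`. The `.Capabilities.APIVersions.Has`/`lookup` expression is duplicated verbatim in the two hunks; a named helper taking the scan name would keep them in step.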
diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
index 479ec92..cbc5558 100644
--- a/charts/zora/values.yaml
+++ b/charts/zora/values.yaml
@@ -207,9 +207,9 @@ scan:
 podAnnotations: {}
 image:
 # -- trivy plugin image repository
- repository: ghcr.io/aquasecurity/trivy
+ repository: ghcr.io/undistro/trivy
 # -- trivy plugin image tag
- tag: 0.49.1
+ tag: 0.49.1-3
 # -- List of environment variables to set in trivy container.
 env: []
 # - name: AWS_REGION
@@ -254,7 +254,7 @@ scan:
 # -- popeye plugin image repository
 repository: ghcr.io/undistro/popeye
 # -- popeye plugin image tag
- tag: v0.11.3
+ tag: 0.21.1-4
 # -- List of environment variables to set in popeye container.
 env: []
 # -- List of sources to populate environment variables in popeye container.
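Review bot: The default trivy image now comes from `ghcr.io/undistro/trivy` rather than the upstream `ghcr.io/aquasecurity/trivy`, and the `-3`/`-4` suffixes suggest rebuilt images, yet the values comment still says only `trivy plugin image repository`; operators deciding whether to trust a scanner image need to know where it is built from, so extend the comment, e.g. `# -- trivy plugin image repository (undistro-published build of upstream trivy; source: <repository URL not on page>)`. The tags are also unquoted: `0.49.1-3` and `0.21.1-4` happen to parse as strings, but a future `1.10`-style tag would be read as a float, so `tag: "0.49.1-3"` and `tag: "0.21.1-4"` are safer. The popeye tag additionally changes scheme from `v0.11.3` to `0.21.1-4`; if that is intentional it deserves a word in the comment.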