Skip to content

Commit

Permalink
update zora chart
Browse files Browse the repository at this point in the history
  • Loading branch information
undistrobot committed Jul 31, 2024
1 parent de16e87 commit b6af70e
Show file tree
Hide file tree
Showing 8 changed files with 100 additions and 25 deletions.
11 changes: 6 additions & 5 deletions charts/zora/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,16 +108,16 @@ The following table lists the configurable parameters of the Zora chart and thei
| scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
| scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
| scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
| scan.plugins.marvin.image.tag | string | `"v0.2.3"` | marvin plugin image tag |
| scan.plugins.marvin.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| scan.plugins.marvin.image.tag | string | `"v0.2"` | marvin plugin image tag |
| scan.plugins.marvin.image.pullPolicy | string | `"Always"` | Image pull policy |
| scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. |
| scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
| scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
| scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
| scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
| scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
| scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
| scan.plugins.trivy.image.tag | float | `0.51` | trivy plugin image tag |
| scan.plugins.trivy.image.tag | float | `0.53` | trivy plugin image tag |
| scan.plugins.trivy.image.pullPolicy | string | `"Always"` | Image pull policy |
| scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
| scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
Expand All @@ -127,7 +127,7 @@ The following table lists the configurable parameters of the Zora chart and thei
| scan.plugins.trivy.persistence.fsGroup | int | `0` | Specifies the fsGroup to use when mounting the persistent volume |
| scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) |
| scan.plugins.trivy.persistence.storageClass | string | `""` | [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class |
| scan.plugins.trivy.persistence.storageRequest | string | `"1Gi"` | Persistence storage size |
| scan.plugins.trivy.persistence.storageRequest | string | `"2Gi"` | Persistence storage size |
| scan.plugins.trivy.persistence.downloadJavaDB | bool | `false` | Specifies whether Java vulnerability database should be downloaded on helm install/upgrade |
| scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
| scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
Expand All @@ -138,7 +138,8 @@ The following table lists the configurable parameters of the Zora chart and thei
| scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
| scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
| kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
| kubexnsImage.tag | string | `"v0.1.4"` | kubexns image tag |
| kubexnsImage.tag | string | `"v0.1"` | kubexns image tag |
| kubexnsImage.pullPolicy | string | `"Always"` | Image pull policy |
| customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
| httpsProxy | string | `""` | HTTPS proxy URL |
| noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
Expand Down
7 changes: 6 additions & 1 deletion charts/zora/crds/zora.undistro.io_clusters.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -91,10 +91,15 @@ spec:
namespace that contains the kubeconfig data
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
Expand Down
21 changes: 18 additions & 3 deletions charts/zora/crds/zora.undistro.io_clusterscans.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -96,10 +96,15 @@ spec:
description: ClusterRef is a reference to a Cluster in the same namespace
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
Expand Down Expand Up @@ -150,10 +155,15 @@ spec:
description: The key to select.
type: string
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
optional:
description: Specify whether the ConfigMap or
Expand Down Expand Up @@ -213,10 +223,15 @@ spec:
be a valid secret key.
type: string
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
optional:
description: Specify whether the Secret or its
Expand Down
54 changes: 50 additions & 4 deletions charts/zora/crds/zora.undistro.io_plugins.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -130,10 +130,15 @@ spec:
description: The key to select.
type: string
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
optional:
description: Specify whether the ConfigMap or its key
Expand Down Expand Up @@ -192,10 +197,15 @@ spec:
be a valid secret key.
type: string
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
optional:
description: Specify whether the Secret or its key must
Expand Down Expand Up @@ -225,10 +235,15 @@ spec:
description: The ConfigMap to select from
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
optional:
description: Specify whether the ConfigMap must be defined
Expand All @@ -243,10 +258,15 @@ spec:
description: The Secret to select from
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
optional:
description: Specify whether the Secret must be defined
Expand Down Expand Up @@ -346,6 +366,30 @@ spec:
2) has CAP_SYS_ADMIN
Note that this field cannot be set when spec.os.name is windows.
type: boolean
appArmorProfile:
description: |-
appArmorProfile is the AppArmor options to use by this container. If set, this profile
overrides the pod's appArmorProfile.
Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
description: |-
localhostProfile indicates a profile loaded on the node that should be used.
The profile must be preconfigured on the node to work.
Must match the loaded name of the profile.
Must be set if and only if type is "Localhost".
type: string
type:
description: |-
type indicates which kind of AppArmor profile will be applied.
Valid options are:
Localhost - a profile pre-loaded on the node.
RuntimeDefault - the container runtime's default profile.
Unconfined - no AppArmor enforcement.
type: string
required:
- type
type: object
capabilities:
description: |-
The capabilities to add/drop when running containers.
Expand All @@ -358,12 +402,14 @@ spec:
description: Capability represent POSIX capabilities type
type: string
type: array
x-kubernetes-list-type: atomic
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities type
type: string
type: array
x-kubernetes-list-type: atomic
type: object
privileged:
description: |-
Expand Down
3 changes: 2 additions & 1 deletion charts/zora/templates/operator/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ spec:
- --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }}
- --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
- --cronjob-serviceaccount-name=zora-plugins
- --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-cache{{- end }}
- --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-pvc{{- end }}
- --trivy-db-fsgroup={{ .Values.scan.plugins.trivy.persistence.fsGroup }}
{{- if .Values.scan.plugins.annotations}}
- --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
Expand All @@ -114,6 +114,7 @@ spec:
- --checks-configmap-namespace={{ .Release.Namespace }}
- --checks-configmap-name={{ .Values.customChecksConfigMap }}
- --kubexns-image={{ printf "%s:%s" .Values.kubexnsImage.repository .Values.kubexnsImage.tag }}
- --kubexns-pull-policy={{ .Values.kubexnsImage.pullPolicy }}
- --update-crds={{ .Values.updateCRDs | default .Release.IsUpgrade }}
- --inject-conversion={{ .Values.operator.webhook.enabled }}
- --webhook-service-name={{ $serviceName }}
Expand Down
15 changes: 10 additions & 5 deletions charts/zora/templates/plugins/trivy-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ spec:
volumes:
- name: trivy-db
persistentVolumeClaim:
claimName: trivy-db-cache
claimName: trivy-db-pvc
containers:
- name: trivy-download-db
image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}"
Expand All @@ -50,11 +50,16 @@ spec:
{{- if .Values.scan.plugins.trivy.insecure }}
--insecure \
{{- end }}
{{- if .Values.scan.plugins.trivy.persistence.downloadJavaDB }}
--download-java-db-only \
--download-db-only{{- if .Values.scan.plugins.trivy.persistence.downloadJavaDB }} && \
time trivy image \
--debug \
--no-progress \
--cache-dir=/tmp/trivy-cache \
{{- if .Values.scan.plugins.trivy.insecure }}
--insecure \
{{- end }}
--download-db-only \
&& chgrp -R {{ .Values.scan.plugins.trivy.persistence.fsGroup }} /tmp/trivy-cache/* && chmod -R g+rwX /tmp/trivy-cache/*
--download-java-db-only
{{- end }}
env:
- name: SSL_CERT_DIR
value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/"
Expand Down
2 changes: 1 addition & 1 deletion charts/zora/templates/plugins/trivy-pvc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: trivy-db-cache
name: trivy-db-pvc
spec:
{{- if .Values.scan.plugins.trivy.persistence.storageClass }}
storageClassName: {{ .Values.scan.plugins.trivy.persistence.storageClass | quote }}
Expand Down
Loading

0 comments on commit b6af70e

Please sign in to comment.