From b6af70eee93c53d01d52e87554f1eb2621d13d5e Mon Sep 17 00:00:00 2001
From: undistrobot
Date: Wed, 31 Jul 2024 17:07:33 +0000
Subject: [PATCH] update zora chart

---
 charts/zora/README.md | 11 ++--
 .../zora/crds/zora.undistro.io_clusters.yaml | 7 ++-
 .../crds/zora.undistro.io_clusterscans.yaml | 21 ++++++--
 .../zora/crds/zora.undistro.io_plugins.yaml | 54 +++++++++++++++++--
 .../zora/templates/operator/deployment.yaml | 3 +-
 charts/zora/templates/plugins/trivy-job.yaml | 15 ++++--
 charts/zora/templates/plugins/trivy-pvc.yaml | 2 +-
 charts/zora/values.yaml | 12 +++--
 8 files changed, 100 insertions(+), 25 deletions(-)

diff --git a/charts/zora/README.md b/charts/zora/README.md
index 9508fe8..99a9790 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -108,8 +108,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
 | scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
-| scan.plugins.marvin.image.tag | string | `"v0.2.3"` | marvin plugin image tag |
-| scan.plugins.marvin.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| scan.plugins.marvin.image.tag | string | `"v0.2"` | marvin plugin image tag |
+| scan.plugins.marvin.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. |
 | scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
@@ -117,7 +117,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
-| scan.plugins.trivy.image.tag | float | `0.51` | trivy plugin image tag |
+| scan.plugins.trivy.image.tag | float | `0.53` | trivy plugin image tag |
 | scan.plugins.trivy.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
 | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
@@ -127,7 +127,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.persistence.fsGroup | int | `0` | Specifies the fsGroup to use when mounting the persistent volume |
 | scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) |
 | scan.plugins.trivy.persistence.storageClass | string | `""` | [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class |
-| scan.plugins.trivy.persistence.storageRequest | string | `"1Gi"` | Persistence storage size |
+| scan.plugins.trivy.persistence.storageRequest | string | `"2Gi"` | Persistence storage size |
 | scan.plugins.trivy.persistence.downloadJavaDB | bool | `false` | Specifies whether Java vulnerability database should be downloaded on helm install/upgrade |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
@@ -138,7 +138,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
-| kubexnsImage.tag | string | `"v0.1.4"` | kubexns image tag |
+| kubexnsImage.tag | string | `"v0.1"` | kubexns image tag |
+| kubexnsImage.pullPolicy | string | `"Always"` | Image pull policy |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
 | httpsProxy | string | `""` | HTTPS proxy URL |
 | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
diff --git a/charts/zora/crds/zora.undistro.io_clusters.yaml b/charts/zora/crds/zora.undistro.io_clusters.yaml
index 68099d7..3767184 100644
--- a/charts/zora/crds/zora.undistro.io_clusters.yaml
+++ b/charts/zora/crds/zora.undistro.io_clusters.yaml
@@ -91,10 +91,15 @@ spec: namespace that contains the kubeconfig data properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic
diff --git a/charts/zora/crds/zora.undistro.io_clusterscans.yaml b/charts/zora/crds/zora.undistro.io_clusterscans.yaml
index d71baef..e5e9976 100644
--- a/charts/zora/crds/zora.undistro.io_clusterscans.yaml
+++ b/charts/zora/crds/zora.undistro.io_clusterscans.yaml
@@ -96,10 +96,15 @@ spec: description: ClusterRef is a reference to a Cluster in the same namespace properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic
@@ -150,10 +155,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or
@@ -213,10 +223,15 @@ spec: be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its
diff --git a/charts/zora/crds/zora.undistro.io_plugins.yaml b/charts/zora/crds/zora.undistro.io_plugins.yaml
index e7150d9..18ccfe3 100644
--- a/charts/zora/crds/zora.undistro.io_plugins.yaml
+++ b/charts/zora/crds/zora.undistro.io_plugins.yaml
@@ -130,10 +130,15 @@ spec: description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its key
@@ -192,10 +197,15 @@ spec: be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must
@@ -225,10 +235,15 @@ spec: description: The ConfigMap to select from properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap must be defined
@@ -243,10 +258,15 @@ spec: description: The Secret to select from properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret must be defined
@@ -346,6 +366,30 @@ spec: 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows. type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object capabilities: description: |- The capabilities to add/drop when running containers.
@@ -358,12 +402,14 @@ spec: description: Capability represent POSIX capabilities type type: string type: array + x-kubernetes-list-type: atomic drop: description: Removed capabilities items: description: Capability represent POSIX capabilities type type: string type: array + x-kubernetes-list-type: atomic type: object privileged: description: |-
diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml
index 47b1c7b..4082b5a 100644
--- a/charts/zora/templates/operator/deployment.yaml
+++ b/charts/zora/templates/operator/deployment.yaml
@@ -103,7 +103,7 @@ spec:
 - --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }}
 - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
 - --cronjob-serviceaccount-name=zora-plugins
- - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-cache{{- end }}
+ - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-pvc{{- end }}
 - --trivy-db-fsgroup={{ .Values.scan.plugins.trivy.persistence.fsGroup }}
 {{- if .Values.scan.plugins.annotations}}
 - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
@@ -114,6 +114,7 @@ spec:
 - --checks-configmap-namespace={{ .Release.Namespace }}
 - --checks-configmap-name={{ .Values.customChecksConfigMap }}
 - --kubexns-image={{ printf "%s:%s" .Values.kubexnsImage.repository .Values.kubexnsImage.tag }}
+ - --kubexns-pull-policy={{ .Values.kubexnsImage.pullPolicy }}
 - --update-crds={{ .Values.updateCRDs | default .Release.IsUpgrade }}
 - --inject-conversion={{ .Values.operator.webhook.enabled }}
 - --webhook-service-name={{ $serviceName }}
diff --git a/charts/zora/templates/plugins/trivy-job.yaml b/charts/zora/templates/plugins/trivy-job.yaml
index 6f817c7..012caa4 100644
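Review bot: The claim name `trivy-db-pvc` is spelled as a bare literal in the `--trivy-db-pvc=` argument here and again in the trivy-job.yaml (`claimName:`) and trivy-pvc.yaml (`metadata.name:`) hunks that follow, so this rename had to be repeated three times and the copies can only drift apart on the next one. A single named template or a `$trivyPvcName` variable evaluated once per file would keep the operator flag, the Job's volume and the PVC object in agreement by construction. Renaming the claim also presumably means an upgrade of an existing release creates a fresh PVC and the download job must repopulate it from scratch, which is worth a line in the chart's upgrade notes. The `args:` list this hunk edits starts outside the hunk.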
--- a/charts/zora/templates/plugins/trivy-job.yaml
+++ b/charts/zora/templates/plugins/trivy-job.yaml
@@ -26,7 +26,7 @@ spec:
 volumes:
 - name: trivy-db
 persistentVolumeClaim:
- claimName: trivy-db-cache
+ claimName: trivy-db-pvc
 containers:
 - name: trivy-download-db
 image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}"
@@ -50,11 +50,16 @@ spec:
 {{- if .Values.scan.plugins.trivy.insecure }}
 --insecure \
 {{- end }}
- {{- if .Values.scan.plugins.trivy.persistence.downloadJavaDB }}
- --download-java-db-only \
+ --download-db-only{{- if .Values.scan.plugins.trivy.persistence.downloadJavaDB }} && \
+ time trivy image \
+ --debug \
+ --no-progress \
+ --cache-dir=/tmp/trivy-cache \
+ {{- if .Values.scan.plugins.trivy.insecure }}
+ --insecure \
 {{- end }}
- --download-db-only \
- && chgrp -R {{ .Values.scan.plugins.trivy.persistence.fsGroup }} /tmp/trivy-cache/* && chmod -R g+rwX /tmp/trivy-cache/*
+ --download-java-db-only
+ {{- end }}
 env:
 - name: SSL_CERT_DIR
 value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/"
diff --git a/charts/zora/templates/plugins/trivy-pvc.yaml b/charts/zora/templates/plugins/trivy-pvc.yaml
index 6a363aa..829b248 100644
--- a/charts/zora/templates/plugins/trivy-pvc.yaml
+++ b/charts/zora/templates/plugins/trivy-pvc.yaml
@@ -16,7 +16,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: trivy-db-cache
+ name: trivy-db-pvc
 spec:
 {{- if .Values.scan.plugins.trivy.persistence.storageClass }}
 storageClassName: {{ .Values.scan.plugins.trivy.persistence.storageClass | quote }}
diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
index 3c2a221..c45f805 100644
--- a/charts/zora/values.yaml
+++ b/charts/zora/values.yaml
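Review bot: The rewritten download command in the `@@ -50` hunk drops the `&& chgrp -R {{ .Values.scan.plugins.trivy.persistence.fsGroup }} /tmp/trivy-cache/* && chmod -R g+rwX /tmp/trivy-cache/*` step that the removed lines ran after the DB download, and none of the new lines replaces it. The operator is still passed `--trivy-db-fsgroup` in the deployment.yaml hunk, so the scan pods presumably depend on that group being able to read the cache; unless this Job's pod spec (outside the hunk) sets the same `securityContext.fsGroup`, the files written to `trivy-db-pvc` keep the download container's primary group and scan pods running under the fsGroup may be unable to read or refresh them. Please confirm the fsGroup is applied to this Job's pod, or restore the ownership fixup after the last `trivy` invocation. The `{{- if .Values.scan.plugins.trivy.insecure }}` block is now duplicated for the Java DB call, and the enclosing command block starts outside the hunk.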
@@ -192,9 +192,9 @@ scan:
 # -- marvin plugin image repository
 repository: ghcr.io/undistro/marvin
 # -- marvin plugin image tag
- tag: v0.2.3
+ tag: v0.2
 # -- Image pull policy
- pullPolicy: IfNotPresent
+ pullPolicy: Always
 # -- List of environment variables to set in marvin container.
 env: []
 # -- List of sources to populate environment variables in marvin container.
@@ -213,7 +213,7 @@ scan:
 # -- trivy plugin image repository
 repository: ghcr.io/undistro/trivy
 # -- trivy plugin image tag
- tag: 0.51
+ tag: 0.53
 # -- Image pull policy
 pullPolicy: Always
 # -- List of environment variables to set in trivy container.
@@ -245,7 +245,7 @@ scan:
 # -- [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class
 storageClass: ""
 # -- Persistence storage size
- storageRequest: 1Gi
+ storageRequest: 2Gi
 # -- Specifies whether Java vulnerability database should be downloaded on helm install/upgrade
 downloadJavaDB: false
@@ -286,7 +286,9 @@ kubexnsImage:
 # -- kubexns image repository
 repository: ghcr.io/undistro/kubexns
 # -- kubexns image tag
- tag: v0.1.4
+ tag: v0.1
+ # -- Image pull policy
+ pullPolicy: Always
 # -- Custom checks ConfigMap name
 customChecksConfigMap: zora-custom-checks
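Review bot: `tag: v0.2` combined with `pullPolicy: Always` replaces the pinned patch tag `v0.2.3` with a mutable minor tag that is re-resolved on every pod start, and the `@@ -286` hunk does the same for `kubexnsImage` (`v0.1`, `Always`). The image a scan actually runs can then change without any chart or values change, so a release's rendered manifest no longer identifies what executed in the cluster, which is what an operator needs when reconstructing an incident or auditing the supply chain. If tracking the minor line is intentional, say so on the key (`# -- marvin plugin image tag (floating minor tag; re-pulled on every pod start)`) and consider adding a digest override (for example a `digest` key rendered as `repository@sha256:<digest>`) so deployments can pin; otherwise keep the patch-level tag.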
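Review bot: In the `@@ -213` hunk `tag: 0.53` is an unquoted float, and the README hunk already documents the key's type as `float`; it only renders the intended image reference because `0.53` has no trailing zero. A future `0.60` or `0.50` would be parsed as `0.6`/`0.5` and produce a non-existent image tag in the trivy-job.yaml `image:` line, so quote it (`tag: "0.53"`) and regenerate the README so the type reads `string`, consistent with the other `image.tag` keys.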