├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── 00-cicd.yaml │ ├── 01-update_tag.yaml │ ├── 02-e2e-test.yaml │ ├── 03-helm-release.yaml │ ├── 04-helm-release-no-tests.yaml │ ├── README.md │ ├── inspektor-trigger-e2e-tests.yaml │ ├── kubescape.yaml │ ├── pr-created.yaml │ ├── relevancy-e2e-test.yaml │ └── trigger-performance-test.yaml ├── .gitignore ├── ADOPTERS.md ├── ArgoCDApplication.yaml ├── CODE_OF_CONDUCT.md ├── COMMUNITY.md ├── CONTRIBUTING.md ├── GOVERNANCE.md ├── LICENSE ├── MAINTAINERS.md ├── README.md ├── SECURITY.md └── charts ├── dependency_chart ├── clustered-crds │ ├── Chart.yaml │ ├── crds │ │ └── runtime-rule-binding.crd.yaml │ └── values.yaml ├── namespaced-crds │ ├── Chart.yaml │ ├── crds │ │ └── runtime-rule-binding.crd.yaml │ └── values.yaml ├── operatorcommand-crds │ ├── Chart.yaml │ ├── crds │ │ └── operator-command.crd.yaml │ └── values.yaml └── servicescanresult-crds │ ├── Chart.yaml │ ├── crds │ └── service-scan-result.crd.yaml │ └── values.yaml └── kubescape-operator ├── .helmignore ├── Chart.yaml ├── README.md ├── assets ├── api-server-egress-rules.yaml ├── common-egress-rules.yaml ├── host-scanner-definition.yaml ├── kubescape-cronjob-full.yaml ├── kubevuln-cronjob-full.yaml ├── otel-collector-config.yaml └── registry-scan-cronjob-full.yaml ├── clamav ├── clamd.conf └── freshclam.conf ├── templates ├── NOTES.txt ├── _common.tpl ├── _cronjob.tpl ├── _helpers.tpl ├── autoupdater │ ├── cronjob.yaml │ ├── networkpolicy.yaml │ ├── rbac.yaml │ └── serviceaccount.yaml ├── configs │ ├── cloud-secret.yaml │ ├── cloudapi-configmap.yaml │ ├── components-configmap.yaml │ ├── custom-ca-certificates.yaml │ ├── image-pull-secret.yaml │ ├── matchingRules-configmap.yaml │ ├── priority-class.yaml │ └── private-registries-creds-secret.yaml ├── grype-offline-db │ ├── cronjob.yaml │ ├── deployment.yaml │ ├── networkpolicy.yaml │ ├── role.yaml │ ├── rolebinding.yaml │ ├── 
service.yaml │ └── serviceaccount.yaml ├── kubescape-scheduler │ ├── configmap.yaml │ ├── cronjob.yaml │ └── networkpolicy.yaml ├── kubescape │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── deployment.yaml │ ├── host-scanner-definition-configmap.yaml │ ├── networkpolicy.yaml │ ├── role.yaml │ ├── rolebinding.yaml │ ├── scc-rolebinding.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ └── servicemonitor.yaml ├── kubevuln-scheduler │ ├── configmap.yaml │ ├── cronjob.yaml │ └── networkpolicy.yaml ├── kubevuln │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── deployment.yaml │ ├── networkpolicy.yaml │ ├── pvc.yaml │ ├── scc-rolebinding.yaml │ ├── service.yaml │ └── serviceaccount.yaml ├── node-agent │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── configmap.yaml │ ├── daemonset.yaml │ ├── default-rule-binding-namespaced.yaml │ ├── default-rule-binding.yaml │ ├── networkpolicy.yaml │ ├── scc-rolebinding.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ └── servicemonitor.yaml ├── operator │ ├── admission-service.yaml │ ├── admission-webhook.yaml │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── configmap.yaml │ ├── deployment.yaml │ ├── ks-recurring-cronjob-configmap.yaml │ ├── kv-recurring-cronjob-configmap.yaml │ ├── networkpolicy.yaml │ ├── registry-scan-recurring-cronjob-configmap.yaml │ ├── role.yaml │ ├── rolebinding.yaml │ ├── scc-rolebinding.yaml │ ├── service.yaml │ └── serviceaccount.yaml ├── otel-collector │ ├── configmap.yaml │ ├── deployment.yaml │ ├── networkpolicy.yaml │ ├── scc-rolebinding.yaml │ ├── service.yaml │ └── serviceaccount.yaml ├── prometheus-exporter │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── deployment.yaml │ ├── networkpolicy.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ └── servicemonitor.yaml ├── proxy-support │ ├── _noproxy_list.tpl │ └── proxy-secret.yaml ├── servicediscovery │ ├── job.yaml │ ├── role.yaml │ ├── rolebinding.yaml │ └── serviceaccount.yaml ├── storage │ ├── 
_helpersKubescapeStorage.tpl │ ├── apiservice.yaml │ ├── ca-secret.yaml │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── configmap.yaml │ ├── deployment.yaml │ ├── networkpolicy.yaml │ ├── pvc.yaml │ ├── rolebinding.yaml │ ├── scc-rolebinding.yaml │ ├── service.yaml │ ├── serviceaccount.yaml │ └── tests │ │ └── test-connection.yaml └── synchronizer │ ├── clusterrole.yaml │ ├── clusterrolebinding.yaml │ ├── configmap.yaml │ ├── deployment.yaml │ ├── networkpolicy.yaml │ ├── role.yaml │ ├── rolebinding.yaml │ ├── scc-rolebinding.yaml │ ├── service.yaml │ └── serviceaccount.yaml ├── tests ├── README.md ├── __snapshot__ │ └── snapshot_test.yaml.snap └── snapshot_test.yaml └── values.yaml /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: 'bug' 6 | assignees: '' 7 | 8 | --- 9 | 10 | # Description 11 | 12 | 13 | # Environment 14 | OS: ` ` 15 | Version: ` ` 16 | 17 | # Steps To Reproduce 18 | 25 | 26 | # Expected behavior 27 | 28 | 29 | # Actual Behavior 30 | 31 | 32 | # Additional context 33 | 34 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: 'feature' 6 | assignees: '' 7 | 8 | --- 9 | 10 | ## Overview 11 | 12 | 13 | ## Problem 14 | 15 | 16 | ## Solution 17 | 18 | 19 | ## Alternatives 20 | 21 | 22 | ## Additional context 23 | 24 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## Overview 2 | 3 | 4 | 9 | 10 | 15 | 16 | 21 | 22 | 32 | 33 | 47 | 
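--------------------------------------------------------------------------------
/.github/workflows/00-cicd.yaml:
--------------------------------------------------------------------------------
# Entry point of the chart CI/CD: validate inputs, bump the image tag / chart
# version (01), run the E2E suite (02), auto-merge the PR and release (03).
name: 00-CICD-helm-chart

on:
  workflow_dispatch:
    inputs:
      CHANGE_TAG:
        required: true
        default: true
        type: boolean
      IMAGE_TAG:
        # required: true
        type: string
      COMPONENT_NAME:
        # required: true
        type: string
      HELM_E2E_TEST:
        required: true
        default: true
        type: boolean
    # secrets: inherit

jobs:
  input-validator:
    runs-on: ubuntu-latest
    steps:
      - name: input validator
        # Inputs are handed to the script through env instead of being expanded
        # with ${{ }} inside `run`, so their content is data to the shell, never code.
        env:
          CHANGE_TAG: ${{ inputs.CHANGE_TAG }}
          COMPONENT_NAME: ${{ inputs.COMPONENT_NAME }}
          IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
        run: |
          if [ "$CHANGE_TAG" = true ]; then
            echo "CHANGE_TAG = true, checking if inputs COMPONENT_NAME and IMAGE_TAG are not null"
            echo "COMPONENT_NAME = $COMPONENT_NAME"
            echo "IMAGE_TAG = $IMAGE_TAG"
            if [ -z "$COMPONENT_NAME" ] || [ -z "$IMAGE_TAG" ]; then
              echo "One or more inputs are undefined"
              exit 1
            fi
            echo "We are good to go"
          elif [ "$CHANGE_TAG" = false ]; then
            echo "CHANGE_TAG = false, the workflow will not change any component image tag"
          fi

  helm-chart-update:
    needs: input-validator
    uses: ./.github/workflows/01-update_tag.yaml
    with:
      CHANGE_TAG: ${{ inputs.CHANGE_TAG }}
      IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
      COMPONENT_NAME: ${{ inputs.COMPONENT_NAME }}
      MODE: patch
      CHART_FILE: charts/kubescape-operator/Chart.yaml
    secrets: inherit

  e2e-test:
    needs: helm-chart-update
    if: ${{ inputs.HELM_E2E_TEST == true }}
    uses: ./.github/workflows/02-e2e-test.yaml
    # NOTE(review): 02-e2e-test.yaml's workflow_call declares BRANCH, TESTS_BRANCH
    # and KS_BRANCH but not HELM_E2E_TEST, and BRANCH is not passed here, so the
    # tests run against that workflow's default branch value — confirm this is intended.
    with:
      HELM_E2E_TEST: ${{ inputs.HELM_E2E_TEST }}
    secrets: inherit

  merge-to-main:
    needs: [helm-chart-update, e2e-test]
    # Runs when every dependency succeeded or was skipped (e2e-test is skipped when
    # HELM_E2E_TEST is false), never after a failure or cancellation.
    if: ${{ (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
    runs-on: ubuntu-latest
    steps:
      - name: merge-to-main
        uses: "pascalgn/automerge-action@v0.15.5"
        env:
          # A personal access token is used (not GITHUB_TOKEN) so that the merge
          # can trigger downstream workflows; keep its scope to this repository.
          GITHUB_TOKEN: "${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}"
          MERGE_COMMIT_MESSAGE: "Merge to main - PR number: ${{ needs.helm-chart-update.outputs.PR_NUMBER }}"
          MERGE_ERROR_FAIL: "true"
          MERGE_METHOD: "merge"
          MERGE_LABELS: ""
          UPDATE_LABELS: ""
          PULL_REQUEST: ${{ needs.helm-chart-update.outputs.PR_NUMBER }}

  helm-release:
    needs: [helm-chart-update, merge-to-main]
    if: ${{ (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
    with:
      COMMIT_REF: ${{ needs.helm-chart-update.outputs.COMMIT_REF }}
      CHARTS_NAME: kubescape-operator
    uses: ./.github/workflows/03-helm-release.yaml
    secrets: inherit

--------------------------------------------------------------------------------
/.github/workflows/01-update_tag.yaml:
--------------------------------------------------------------------------------
# Reusable workflow: optionally rewrite a component image tag in values.yaml,
# bump the chart version, commit, and open a PR against main.
name: 01-Update image tag

on:
  # workflow_dispatch:
  #   inputs:
  #     IMAGE_TAG:
  #       required: true
  #       type: string

  workflow_call:
    inputs:
      CHANGE_TAG:
        required: true
        type: boolean
      IMAGE_TAG:
        required: true
        type: string
      COMPONENT_NAME:
        required: true
        type: string
      MODE:
        required: true
        type: string
        default: patch
      CHART_FILE:
        required: true
        type: string
        default: charts/kubescape-operator/Chart.yaml
    outputs:
      COMMIT_REF:
        description: "latest commit sha"
        value: ${{ jobs.update-helm-chart.outputs.COMMIT_REF }}
      PR_NUMBER:
        description: "pr number"
        value: ${{ jobs.update-helm-chart.outputs.PR_NUMBER }}


jobs:
  update-helm-chart:
    outputs:
      COMMIT_REF: ${{ steps.commit-ref.outputs.COMMIT_REF }}
      PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
    runs-on: ubuntu-latest
    steps:
      - name: echo-input-parameters
        # Inputs go through env so that they are never expanded into the script text.
        env:
          CHANGE_TAG: ${{ inputs.CHANGE_TAG }}
          IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
          COMPONENT_NAME: ${{ inputs.COMPONENT_NAME }}
          MODE: ${{ inputs.MODE }}
          CHART_FILE: ${{ inputs.CHART_FILE }}
        run: |
          echo "CHANGE_TAG = $CHANGE_TAG"
          echo "IMAGE_TAG = $IMAGE_TAG"
          echo "COMPONENT_NAME = $COMPONENT_NAME"
          echo "MODE = $MODE"
          echo "CHART_FILE = $CHART_FILE"

      - uses: actions/checkout@v3
        name: Checkout

      - name: change tag
        if: ${{ inputs.CHANGE_TAG }}
        # TODO(review): pin to a full commit SHA. A mutable branch ref of a
        # third-party action runs with this job's inherited secrets, so any
        # change pushed to that branch runs here unreviewed.
        uses: matanshk/yaml-tag-changer@main
        with:
          filename: charts/kubescape-operator/values.yaml
          component_name: ${{ inputs.COMPONENT_NAME }}
          tag: ${{ inputs.IMAGE_TAG }}

      - name: cat-file-values-file
        if: ${{ inputs.CHANGE_TAG }}
        run: cat charts/kubescape-operator/values.yaml

      - name: Bump helm chart version
        id: bumper
        # TODO(review): pin to a full commit SHA (same reason as above).
        uses: matanshk/helm-chart-version-bumper@main
        with:
          mode: ${{ inputs.MODE }}
          chart_file: ${{ inputs.CHART_FILE }}

      - name: cat Chart.yaml
        # Show the file that was actually bumped (CHART_FILE), not a fixed path.
        env:
          CHART_FILE: ${{ inputs.CHART_FILE }}
        run: cat "$CHART_FILE"

      - uses: stefanzweifel/git-auto-commit-action@v4.16.0
        name: commit changes and push
        with:
          commit_message: "Automated commit - update ${{ inputs.COMPONENT_NAME }} image tag with: ${{ inputs.IMAGE_TAG }}"
          commit_options: '--signoff'

      - uses: repo-sync/pull-request@v2.11
        name: create a new PR
        id: create-pr
        with:
          destination_branch: "main"
          pr_title: "Pulling ${{ github.ref_name }} branch into main - Automated PR by CICD"
          github_token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

      - name: get latest commit sha
        id: commit-ref
        # Full SHA of HEAD (the auto-commit above); an abbreviated `git log --oneline`
        # hash can become ambiguous as the repository grows.
        run: echo "COMMIT_REF=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

      - name: echo commit ref
        env:
          COMMIT_REF: ${{ steps.commit-ref.outputs.COMMIT_REF }}
        run: echo "$COMMIT_REF"

      - name: output-pr-number
        env:
          PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
        run: echo "$PR_NUMBER"

--------------------------------------------------------------------------------
/.github/workflows/02-e2e-test.yaml:
--------------------------------------------------------------------------------
# Runs the armosec/system-tests E2E suite against the chart, one test per matrix job.
name: 02-E2E Test helm chart
on:
  workflow_dispatch:
    inputs:
      BRANCH:
        description: 'helm chart branch name'
        required: false
        default: 'main'
        type: string
      TESTS_BRANCH:
        description: 'tests branch name'
        required: false
        default: 'master'
        type: string
      KS_BRANCH:
        required: false
        default: 'release'
        type: string
        description: 'kubescape branch name'

  workflow_call:
    inputs:
      BRANCH:
        required: false
        default: 'main'
        type: string
        description: 'helm chart branch name'
      TESTS_BRANCH:
        required: false
        default: 'master'
        type: string
        description: 'tests branch name'
      KS_BRANCH:
        required: false
        default: 'release'
        type: string
        description: 'kubescape branch name'

jobs:
  e2e-test:
    strategy:
      fail-fast: false
      matrix:
        test: [
          relevant_data_is_appended,
          relevantCVEs,
          relevancy_disabled_installation,
          relevancy_storage_disabled,
          relevancy_enabled_stop_sniffing,
          relevancy_large_image,
          relevancy_fix_vuln,
          relevancy_python,
          relevancy_golang,
          relevancy_java,
          relevancy_java_and_python,
          relevancy_golang_dynamic,
          vuln_scan_proxy,
          test_registry_scanning,
          vuln_scan_triggering_with_cron_job,
          ks_microservice_create_2_cronjob_mitre_and_nsa_proxy,
          ks_microservice_triggering_with_cron_job,
          ks_microservice_update_cronjob_schedule,
          ks_microservice_delete_cronjob,
          ks_microservice_create_2_cronjob_mitre_and_nsa,
          ks_microservice_ns_creation,
          ks_microservice_on_demand,
          ks_microservice_mitre_framework_on_demand,
          ks_microservice_nsa_and_mitre_framework_demand,
          scan_compliance_score,
          network_policy,
          network_policy_data_appended,
          network_policy_pod_restarted,
          network_policy_multiple_replicas,
          network_policy_known_servers,
          synchronizer,
          synchronizer_reconciliation,
          synchronizer_proxy,
          synchronizer_race_condition
        ]

    runs-on: ubuntu-latest
    steps:

      # - name: echo GitHub var - dev
      #   id: github_context_step
      #   run: echo '${{ toJSON(github) }}'

      # This job checks out and executes code from the armosec/system-tests branch
      # named by TESTS_BRANCH with production credentials in its environment, so
      # only trusted callers should be able to dispatch it or choose that branch.
      - name: Checkout systests repo
        uses: actions/checkout@v3
        with:
          repository: armosec/system-tests
          ref: ${{ inputs.TESTS_BRANCH }}
          path: .

      - uses: actions/setup-python@v4
        name: installing python 3.8.13
        with:
          python-version: '3.8.13'
          cache: 'pip'

      - name: create env
        run: ./create_env.sh

      - name: Generate uuid
        id: uuid
        run: |
          echo "RANDOM_UUID=systests-$(uuidgen)" >> "$GITHUB_OUTPUT"

      - name: Create k8s Kind Cluster
        id: kind-cluster-install
        uses: helm/kind-action@v1.10.0
        with:
          cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}

      - name: run-tests
        env:
          CUSTOMER: ${{ secrets.CUSTOMER }}
          USERNAME: ${{ secrets.USERNAME }}
          PASSWORD: ${{ secrets.PASSWORD }}
          CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
          SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
          QUAY_REGISTRY_ACCESS_TOKEN: "${{ secrets.QUAY_REGISTRY_ACCESS_TOKEN }}"
          AZURE_REGISTRY_ACCESS_TOKEN: "${{ secrets.AZURE_REGISTRY_ACCESS_TOKEN }}"
          AWS_REGISTRY_SECRET_KEY: "${{ secrets.AWS_REGISTRY_SECRET_KEY }}"
          GOOGLE_REGISTRY_KEY: "${{ secrets.GOOGLE_REGISTRY_KEY }}"
          # Inputs and matrix values are passed through env rather than expanded
          # inside the script, so they are never interpreted by the shell.
          TEST_NAME: ${{ matrix.test }}
          HELM_BRANCH: ${{ inputs.BRANCH }}
          KS_BRANCH: ${{ inputs.KS_BRANCH }}
        run: |
          echo "Test history:"
          echo " $TEST_NAME " >/tmp/testhistory
          cat /tmp/testhistory
          source systests_python_env/bin/activate

          python3 systest-cli.py \
            -t "$TEST_NAME" \
            -b production \
            -c CyberArmorTests \
            --logger DEBUG \
            --kwargs "helm_branch=$HELM_BRANCH" "ks_branch=$KS_BRANCH"

          deactivate

      - name: Test Report
        uses: mikepenz/action-junit-report@v3
        if: always() # always run even if the previous step fails
        with:
          report_paths: '**/results_xml_format/**.xml'

--------------------------------------------------------------------------------
/.github/workflows/03-helm-release.yaml:
--------------------------------------------------------------------------------
# Optionally run the E2E suite, then publish the chart with chart-releaser.
name: 03-Helm chart release

on:
  workflow_dispatch:
    inputs:
      CHARTS_NAME:
        type: choice
        description: What chart do you want to release?
        options:
          - kubescape-operator
      HELM_E2E_TEST:
        required: false
        default: true
        type: boolean
      TESTS_BRANCH:
        description: 'system tests branch name'
        required: false
        default: 'master'
        type: string

  workflow_call:
    inputs:
      COMMIT_REF:
        required: true
        type: string
      CHARTS_NAME:
        required: true
        type: string
      HELM_E2E_TEST:
        required: false
        default: true
        type: boolean
      TESTS_BRANCH:
        description: 'system tests branch name'
        required: false
        default: 'master'
        type: string

jobs:
  e2e-test:
    # `inputs.*` is the right context for both workflow_dispatch and workflow_call
    # and yields a real boolean here. `github.event.inputs.*` holds the *caller's*
    # dispatch inputs as strings, so the previous `if: ${{ github.event.inputs.HELM_E2E_TEST }}`
    # was truthy even for the string "false".
    if: ${{ inputs.HELM_E2E_TEST }}
    with:
      BRANCH: main
      TESTS_BRANCH: ${{ inputs.TESTS_BRANCH }}
      KS_BRANCH: "master"
    uses: ./.github/workflows/02-e2e-test.yaml
    secrets: inherit

  helm-chart-release:
    needs: e2e-test
    # Without an explicit condition a job is skipped when a job it needs was
    # skipped; release when the tests passed or were deliberately skipped, never
    # after a failure or cancellation.
    if: ${{ always() && needs.e2e-test.result != 'failure' && needs.e2e-test.result != 'cancelled' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          # will change to: ref: release

      - name: git status
        run: git status

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      # NOTE(review): COMMIT_REF is received but not checked out (the step below is
      # commented out), so the release is cut from the triggering ref, not from the
      # commit produced by 01-update_tag.yaml — confirm this is intended.
      # - name: git checkout to new commit
      #   run: git checkout ${{ inputs.COMMIT_REF }}

      - name: Install Helm
        uses: azure/setup-helm@v3.5
        # with:
        #   version: v3.4.0

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.4.1
        env:
          # NOTE(review): chart-releaser-action takes charts_dir as a `with:` input;
          # as an env var it is most likely ignored and the action's default charts
          # directory is scanned instead — confirm which directory is released.
          charts_dir: "charts/kubescape-operator"
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

--------------------------------------------------------------------------------
/.github/workflows/04-helm-release-no-tests.yaml:
--------------------------------------------------------------------------------
# Same release job as 03-helm-release.yaml, without the E2E gate.
# NOTE(review): the display name still says "03-" although the file is 04 — confirm.
name: 03-Helm chart release (Without E2E tests)

on:
  workflow_dispatch:
    inputs:
      CHARTS_NAME:
        type: choice
        description: What chart do you want to release?
        options:
          - kubescape-operator

  workflow_call:
    inputs:
      COMMIT_REF:
        required: true
        type: string
      CHARTS_NAME:
        required: true
        type: string

jobs:
  helm-chart-release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          # will change to: ref: release

      - name: git status
        run: git status

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      # NOTE(review): COMMIT_REF is received but not checked out (see 03-helm-release.yaml).
      # - name: git checkout to new commit
      #   run: git checkout ${{ inputs.COMMIT_REF }}

      - name: Install Helm
        uses: azure/setup-helm@v3.5
        # with:
        #   version: v3.4.0

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.4.1
        env:
          # NOTE(review): charts_dir is an action input (`with:`), not an env var — confirm
          # which directory is actually released (see 03-helm-release.yaml).
          charts_dir: "charts/kubescape-operator"
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

--------------------------------------------------------------------------------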
/.github/workflows/README.md: -------------------------------------------------------------------------------- 1 | # Helm-charts - CICD Workflow docs 2 | 3 | ## The CICD Pipeline types and steps: 4 | 5 | ### Automatically Triggered by in-cluster component 6 | 7 | The helm chart CICD runs on GitHub Actions, and in most cases will be automatically triggered by one of the in-cluster components: 8 | * Operator 9 | * Kubevuln 10 | 11 | You can find more about the automatic process of in-cluster components [here](https://github.com/kubescape/workflows/blob/main/README.md). 12 | 13 | When the CICD is triggered by one of them, it always runs on the ```dev``` branch and performs the following steps in this order (high-level explanation): 14 | 15 | 1. Check for a valid input combination to prevent cases of providing incorrect inputs (most useful for manual triggers, see instructions below). 16 | 2. Update the ```values.yaml``` file according to the arguments that were passed. 17 | 3. Create a new commit for the new changes. 18 | 4. Create a new PR into the ```main``` branch. 19 | 5. Run E2E tests using the ```helm_branch=main``` parameter against the ARMO production backend; the tests run as parallel jobs. 20 | 6. Create a JUnit report for every test. 21 | 7. Only if all the tests passed successfully, the PR will be automatically merged into the ```main``` branch. 22 | 8. The last step will create a new GitHub release and Helm release for the new chart. 23 | 24 | 25 | ### Manually trigger the full CICD process 26 | If you want to manually trigger the CICD: 27 | 1. Click on the “Actions” tab and click on the ```00-CICD-helm-chart``` workflow on the left side. 28 | 2. Click “Run workflow” on the top of the previous runs list. 29 | 3. 
A new pop-up will appear with some options: 30 | * ```Branch``` - the branch you want to run the workflow from (in most cases this will be the “dev” branch) 31 | * ```CHANGE_TAG``` - if set to ```true```, the workflow will change the ```values.yaml``` file according to the inputs you provided for ```IMAGE_TAG``` and ```COMPONENT_NAME``` 32 | * ```COMPONENT_NAME``` - the in-cluster component whose tag we want to change. 33 | * ```IMAGE_TAG``` - the new docker image tag of the ```COMPONENT_NAME```. 34 | * ```HELM_E2E_TEST``` - if set to ```true```, the CICD will run the E2E Tests using the ```helm_branch=dev``` parameter 35 | 4. Click on the ```Run workflow``` green button. 36 | 37 | 38 | 39 | ### Manually trigger only the release process 40 | 41 | This process runs only the release step of the CICD: it creates a new GitHub release and publishes the Helm charts 42 | 43 | 1. Click on the “Actions” tab and click on the ```03-Helm chart release``` workflow on the left side. 44 | 2. Click “Run workflow” on the top of the previous runs list. 45 | 3. Select the branch you want to create a release from by specifying it in the ```Branch``` field; in most cases this will be the ```main``` branch 46 | 4. Click on the ```Run workflow``` green button. 
47 | 48 | **Note that running only the release process will not run any E2E tests** 49 | 50 | ### A diagram of the full CICD pipeline: 51 | ![Workflow](https://raw.githubusercontent.com/kubescape/workflows/main/assets/incluster_component_flow.jpeg) 52 | -------------------------------------------------------------------------------- /.github/workflows/inspektor-trigger-e2e-tests.yaml: -------------------------------------------------------------------------------- 1 | name: inspektor-e2e-tests 2 | 3 | on: 4 | push: 5 | branches: 6 | - inspektor 7 | 8 | jobs: 9 | call-e2e-tests: 10 | uses: ./.github/workflows/relevancy-e2e-test.yaml 11 | with: 12 | BRANCH: "inspektor" 13 | secrets: inherit 14 | -------------------------------------------------------------------------------- /.github/workflows/kubescape.yaml: -------------------------------------------------------------------------------- 1 | name: Kubescape scanning for misconfigurations 2 | on: 3 | push: 4 | paths: 5 | - 'charts/**.yaml' 6 | - 'charts/**.tpl' 7 | jobs: 8 | kubescape: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v3 12 | - uses: kubescape/github-action@main 13 | continue-on-error: true 14 | with: 15 | frameworks: "allcontrols,workloadscan" 16 | format: sarif 17 | outputFile: results.sarif 18 | severityThreshold: critical 19 | account: ${{secrets.KUBESCAPE_ACCOUNT }} 20 | accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY }} 21 | - name: Upload Kubescape scan results to Github Code Scanning 22 | uses: github/codeql-action/upload-sarif@v2 23 | with: 24 | sarif_file: results.sarif 25 | -------------------------------------------------------------------------------- /.github/workflows/pr-created.yaml: -------------------------------------------------------------------------------- 1 | name: pull_request_created 2 | on: 3 | pull_request: 4 | types: [opened, reopened, synchronize, ready_for_review] 5 | paths-ignore: 6 | - '*.md' 7 | - '.github/workflows/*' 8 | 9 | concurrency: 10 | group: 
${{ github.workflow }}-${{ github.ref }} 11 | cancel-in-progress: true 12 | 13 | jobs: 14 | pr-created: 15 | runs-on: ubuntu-latest 16 | 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@v3 20 | with: 21 | fetch-depth: 0 22 | 23 | - name: Run Helm Unittests 24 | run: docker run --rm --name unittest --volume "$(pwd)":/apps helmunittest/helm-unittest charts/kubescape-operator/ 25 | -------------------------------------------------------------------------------- /.github/workflows/relevancy-e2e-test.yaml: -------------------------------------------------------------------------------- 1 | name: Relevancy E2E tests 2 | 3 | on: 4 | workflow_dispatch: 5 | inputs: 6 | BRANCH: 7 | description: 'helm chart branch name' 8 | required: false 9 | default: 'main' 10 | type: string 11 | 12 | workflow_call: 13 | inputs: 14 | BRANCH: 15 | required: false 16 | default: 'main' 17 | type: string 18 | description: 'helm chart branch name' 19 | 20 | jobs: 21 | e2e-test: 22 | strategy: 23 | fail-fast: false 24 | matrix: 25 | test: [ 26 | relevantCVEs, 27 | relevancy_disabled_installation, 28 | relevancy_storage_disabled, 29 | relevancy_enabled_stop_sniffing, 30 | relevant_data_is_appended, 31 | relevancy_large_image, 32 | relevancy_fix_vuln, 33 | relevancy_python, 34 | relevancy_golang, 35 | relevancy_java, 36 | relevancy_java_and_python, 37 | relevancy_golang_dynamic 38 | ] 39 | 40 | runs-on: ubuntu-latest 41 | steps: 42 | 43 | - name: echo GitHub var - dev 44 | id: github_context_step 45 | run: echo '${{ toJSON(github) }}' 46 | 47 | - name: Checkout systests repo 48 | uses: actions/checkout@v3 49 | with: 50 | repository: armosec/system-tests 51 | path: . 
52 | 53 | - uses: actions/setup-python@v4 54 | name: installing python 3.8.13 55 | with: 56 | python-version: '3.8.13' 57 | cache: 'pip' 58 | 59 | - name: create env 60 | run: ./create_env.sh 61 | 62 | - name: Generate uuid 63 | id: uuid 64 | run: | 65 | echo "RANDOM_UUID=systests-$(uuidgen)" >> $GITHUB_OUTPUT 66 | 67 | - name: Create k8s Kind Cluster 68 | id: kind-cluster-install 69 | uses: helm/kind-action@v1.3.0 70 | with: 71 | cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }} 72 | 73 | - name: run-tests 74 | env: 75 | CUSTOMER: ${{ secrets.CUSTOMER }} 76 | USERNAME: ${{ secrets.USERNAME }} 77 | PASSWORD: ${{ secrets.PASSWORD }} 78 | CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }} 79 | SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }} 80 | REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} 81 | REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} 82 | run: | 83 | echo "Test history:" 84 | echo " ${{ matrix.test }} " >/tmp/testhistory 85 | cat /tmp/testhistory 86 | source systests_python_env/bin/activate 87 | 88 | python3 systest-cli.py \ 89 | -t ${{ matrix.test }} \ 90 | -b production \ 91 | -c CyberArmorTests \ 92 | --logger DEBUG \ 93 | --kwargs helm_branch=${{ inputs.BRANCH }} helm_repo=charts/kubescape-operator 94 | 95 | deactivate 96 | 97 | - name: Test Report 98 | uses: mikepenz/action-junit-report@v3 99 | if: always() # always run even if the previous step fails 100 | with: 101 | report_paths: '**/results_xml_format/**.xml' 102 | -------------------------------------------------------------------------------- /.github/workflows/trigger-performance-test.yaml: -------------------------------------------------------------------------------- 1 | name: Trigger performance test on Label Creation 2 | 3 | on: 4 | pull_request: 5 | types: 6 | - labeled 7 | 8 | jobs: 9 | trigger-performance-test: 10 | if: github.event.label.name == 'ready' 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Trigger performance Workflow on bump branch 14 | if: github.event.label.name == 
'ready' 15 | run: | 16 | curl -X POST -H "Accept: application/vnd.github.v3+json" \ 17 | -H "Authorization: Bearer ${{ secrets.PERFORM_REPO_TOKEN }}" \ 18 | https://api.github.com/repos/armosec/perfornamce/actions/workflows/performance.yaml/dispatches \ 19 | -d '{ 20 | "ref": "main", 21 | "inputs": { 22 | "CLUSTER_NAME": "perfo-cluster-for-release", 23 | "NODE_SIZE": "s-8vcpu-16gb", 24 | "NODE_COUNT": "40", 25 | "DURATION_TIME": "240", 26 | "KUBERNETES_VERSION": "", 27 | "STORAGE_VERSION": "", 28 | "NODE_AGENT_VERSION": "", 29 | "ENABLE_KDR": false, 30 | "PRIVATE_NODE_AGENT": "", 31 | "HELM_GIT_BRANCH": "bump" 32 | } 33 | }' 34 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode 2 | .idea 3 | charts/kubescape-operator/Chart.lock 4 | charts/kubescape-operator/charts/ 5 | -------------------------------------------------------------------------------- /ADOPTERS.md: -------------------------------------------------------------------------------- 1 | # Adopters 2 | 3 | The Kubescape project manages this document in the central project repository. 
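Go to the [centralized ADOPTERS.md](https://github.com/kubescape/project-governance/blob/main/ADOPTERS.md)
--------------------------------------------------------------------------------
/ArgoCDApplication.yaml:
--------------------------------------------------------------------------------
# Argo CD Application that installs the kubescape-operator chart from this repository.
# The Application resource is served under the argoproj.io/v1alpha1 API; the Argo CD
# release number is not an API version.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kubescape
  namespace: argocd # change to the argocd namespace
spec:
  destination:
    name: ''
    namespace: kubescape
    server: 'https://kubernetes.default.svc' # change to your server
  source:
    path: charts/kubescape-operator
    repoURL: 'https://github.com/kubescape/helm-charts'
    # HEAD tracks the tip of the repository's default branch, and automated sync
    # with selfHeal below applies every change to it unattended; pin a tag or
    # commit here to get reviewed, reproducible rollouts.
    targetRevision: HEAD
    helm:
      valueFiles:
        - values.yaml
      parameters:
        - name: clusterName
          value: '' # add cluster name
          # NOTE(review): `required` and `type` are not fields of an Argo CD Helm
          # parameter (name/value/forceString) — confirm they are accepted.
          required: true
          type: string
      # Add adaptor server and account
      # - name: account
      #   value: '' # add account ID
      # - name: accessKey
      #   value: '' # add accessKey
      # - name: server
      #   value: '' # add Kubescape-compatible backend service URL
  project: default
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
    automated:
      prune: false
      selfHeal: true
  # Fields written by the in-cluster components at runtime (rotated CA material,
  # rewritten schedules) are excluded from drift detection so selfHeal does not
  # revert them.
  ignoreDifferences:
    # NOTE(review): core-group resources are usually matched with group "" (or no
    # group) — confirm "core" is matched by this Argo CD version.
    - group: core
      kind: ConfigMap
      name: ks-cloud-config
      namespace: kubescape
      jsonPointers:
        - /data
        - /metadata
    - group: batch
      kind: CronJob
      name: kubescape-scheduler
      namespace: kubescape
      jsonPointers:
        - /spec/schedule
    - group: batch
      kind: CronJob
      name: kubevuln-scheduler
      namespace: kubescape
      jsonPointers:
        - /spec/schedule
    - kind: Secret
      name: storage-ca
      namespace: kubescape
      jsonPointers:
        - /data
    - group: apiregistration.k8s.io
      kind: APIService
      name: v1beta1.spdx.softwarecomposition.kubescape.io
      jsonPointers:
        - /spec/caBundle
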
-------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | The Kubescape project manages this document in the central project repository. 4 | 5 | Go to the [centralized CODE_OF_CONDUCT.md](https://github.com/kubescape/project-governance/blob/main/CODE_OF_CONDUCT.md) 6 | -------------------------------------------------------------------------------- /COMMUNITY.md: -------------------------------------------------------------------------------- 1 | # Community 2 | 3 | The Kubescape project manages this document in the central project repository. 4 | 5 | Go to the [centralized COMMUNITY.md](https://github.com/kubescape/project-governance/blob/main/COMMUNITY.md) 6 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | The Kubescape project manages this document in the central project repository. 4 | 5 | Go to the [centralized CONTRIBUTING.md](https://github.com/kubescape/project-governance/blob/main/CONTRIBUTING.md) 6 | -------------------------------------------------------------------------------- /GOVERNANCE.md: -------------------------------------------------------------------------------- 1 | # Governance 2 | 3 | The Kubescape project manages this document in the central project repository. 4 | 5 | Go to the [centralized GOVERNANCE.md](https://github.com/kubescape/project-governance/blob/main/GOVERNANCE.md) 6 | -------------------------------------------------------------------------------- /MAINTAINERS.md: -------------------------------------------------------------------------------- 1 | # Maintainers 2 | 3 | The Kubescape project manages this document in the central project repository. 
4 | 5 | Go to the [centralized MAINTAINERS.md](https://github.com/kubescape/project-governance/blob/main/MAINTAINERS.md) 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Kubescape Helm charts 2 | 3 | * [Kubescape operator](charts/kubescape-operator/README.md) 4 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security 2 | 3 | The Kubescape project manages this document in the central project repository. 4 | 5 | Go to the [centralized SECURITY.md](https://github.com/kubescape/project-governance/blob/main/SECURITY.md) 6 | -------------------------------------------------------------------------------- /charts/dependency_chart/clustered-crds/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kubescape-alert-crd 3 | description: A Helm chart CRDs required by Kubescape Runtime Security detection 4 | 5 | type: application 6 | 7 | version: 0.0.2 8 | 9 | appVersion: "0.0.2" 10 | -------------------------------------------------------------------------------- /charts/dependency_chart/clustered-crds/crds/runtime-rule-binding.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: runtimerulealertbindings.kubescape.io 5 | spec: 6 | group: kubescape.io 7 | names: 8 | kind: RuntimeRuleAlertBinding 9 | plural: runtimerulealertbindings 10 | shortNames: 11 | - rab 12 | singular: runtimerulealertbinding 13 | scope: Cluster 14 | versions: 15 | - name: v1 16 | served: true 17 | storage: true 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | 
namespaceSelector: 26 | type: object 27 | properties: 28 | matchExpressions: 29 | type: array 30 | items: 31 | type: object 32 | properties: 33 | key: 34 | type: string 35 | operator: 36 | type: string 37 | values: 38 | type: array 39 | items: 40 | type: string 41 | matchLabels: 42 | type: object 43 | additionalProperties: 44 | type: string 45 | podSelector: 46 | type: object 47 | properties: 48 | matchExpressions: 49 | type: array 50 | items: 51 | type: object 52 | properties: 53 | key: 54 | type: string 55 | operator: 56 | type: string 57 | values: 58 | type: array 59 | items: 60 | type: string 61 | matchLabels: 62 | type: object 63 | additionalProperties: 64 | type: string 65 | rules: 66 | type: array 67 | items: 68 | type: object 69 | oneOf: 70 | - not: 71 | anyOf: 72 | - required: ["ruleID"] 73 | - required: ["ruleName"] 74 | required: ["ruleTags"] 75 | - not: 76 | anyOf: 77 | - required: ["ruleTags"] 78 | - required: ["ruleName"] 79 | required: ["ruleID"] 80 | - not: 81 | anyOf: 82 | - required: ["ruleTags"] 83 | - required: ["ruleID"] 84 | required: ["ruleName"] 85 | properties: 86 | parameters: 87 | type: object 88 | additionalProperties: true 89 | ruleID: 90 | type: string 91 | ruleName: 92 | type: string 93 | ruleTags: 94 | type: array 95 | items: 96 | type: string 97 | severity: 98 | type: string 99 | -------------------------------------------------------------------------------- /charts/dependency_chart/clustered-crds/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/helm-charts/33a6a5af98ccf551ac7ff0d7a0176cf35367fbcc/charts/dependency_chart/clustered-crds/values.yaml -------------------------------------------------------------------------------- /charts/dependency_chart/namespaced-crds/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kubescape-alert-crd-ns 3 | description: A Helm chart CRDs 
required by Kubescape Runtime Security detection 4 | 5 | type: application 6 | 7 | version: 0.0.2 8 | 9 | appVersion: "0.0.2" 10 | -------------------------------------------------------------------------------- /charts/dependency_chart/namespaced-crds/crds/runtime-rule-binding.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: runtimerulealertbindings.kubescape.io 5 | spec: 6 | group: kubescape.io 7 | names: 8 | kind: RuntimeRuleAlertBinding 9 | plural: runtimerulealertbindings 10 | shortNames: 11 | - rab 12 | singular: runtimerulealertbinding 13 | scope: Namespaced 14 | versions: 15 | - name: v1 16 | served: true 17 | storage: true 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | namespaceSelector: 26 | type: object 27 | properties: 28 | matchExpressions: 29 | type: array 30 | items: 31 | type: object 32 | properties: 33 | key: 34 | type: string 35 | operator: 36 | type: string 37 | values: 38 | type: array 39 | items: 40 | type: string 41 | matchLabels: 42 | type: object 43 | additionalProperties: 44 | type: string 45 | podSelector: 46 | type: object 47 | properties: 48 | matchExpressions: 49 | type: array 50 | items: 51 | type: object 52 | properties: 53 | key: 54 | type: string 55 | operator: 56 | type: string 57 | values: 58 | type: array 59 | items: 60 | type: string 61 | matchLabels: 62 | type: object 63 | additionalProperties: 64 | type: string 65 | rules: 66 | type: array 67 | items: 68 | type: object 69 | oneOf: 70 | - not: 71 | anyOf: 72 | - required: ["ruleID"] 73 | - required: ["ruleName"] 74 | required: ["ruleTags"] 75 | - not: 76 | anyOf: 77 | - required: ["ruleTags"] 78 | - required: ["ruleName"] 79 | required: ["ruleID"] 80 | - not: 81 | anyOf: 82 | - required: ["ruleTags"] 83 | - required: ["ruleID"] 84 | required: ["ruleName"] 85 | 
properties: 86 | parameters: 87 | type: object 88 | additionalProperties: true 89 | ruleID: 90 | type: string 91 | ruleName: 92 | type: string 93 | ruleTags: 94 | type: array 95 | items: 96 | type: string 97 | severity: 98 | type: string 99 | subresources: 100 | status: {} 101 | -------------------------------------------------------------------------------- /charts/dependency_chart/namespaced-crds/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/helm-charts/33a6a5af98ccf551ac7ff0d7a0176cf35367fbcc/charts/dependency_chart/namespaced-crds/values.yaml -------------------------------------------------------------------------------- /charts/dependency_chart/operatorcommand-crds/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kubescape-operator-command-crd 3 | description: A Helm chart CRDs for Kubescape Operator commands 4 | 5 | type: application 6 | 7 | version: 0.0.2 8 | 9 | appVersion: "0.0.2" 10 | -------------------------------------------------------------------------------- /charts/dependency_chart/operatorcommand-crds/crds/operator-command.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: operatorcommands.kubescape.io 5 | spec: 6 | group: kubescape.io 7 | names: 8 | plural: operatorcommands 9 | singular: operatorcommand 10 | kind: OperatorCommand 11 | shortNames: 12 | - opcmd 13 | scope: Namespaced 14 | versions: 15 | - name: v1alpha1 16 | served: true 17 | storage: true 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | guid: 26 | type: string 27 | commandType: 28 | type: string 29 | commandVersion: 30 | type: string 31 | nullable: true 32 | designators: 33 | type: array 34 | items: 35 | type: 
object 36 | additionalProperties: true 37 | body: 38 | type: string 39 | format: byte 40 | nullable: true 41 | ttl: 42 | type: string 43 | format: duration 44 | nullable: true 45 | args: 46 | type: object 47 | additionalProperties: true 48 | nullable: true 49 | commandIndex: 50 | type: integer 51 | nullable: true 52 | commandCount: 53 | type: integer 54 | nullable: true 55 | status: 56 | type: object 57 | properties: 58 | started: 59 | type: boolean 60 | startedAt: 61 | type: string 62 | format: date-time 63 | nullable: true 64 | completed: 65 | type: boolean 66 | completedAt: 67 | type: string 68 | format: date-time 69 | nullable: true 70 | executer: 71 | type: string 72 | nullable: true 73 | error: 74 | type: object 75 | nullable: true 76 | properties: 77 | reason: 78 | type: string 79 | nullable: true 80 | message: 81 | type: string 82 | nullable: true 83 | errorCode: 84 | type: integer 85 | nullable: true 86 | payload: 87 | type: string 88 | format: byte 89 | nullable: true 90 | subresources: 91 | status: {} 92 | -------------------------------------------------------------------------------- /charts/dependency_chart/operatorcommand-crds/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/helm-charts/33a6a5af98ccf551ac7ff0d7a0176cf35367fbcc/charts/dependency_chart/operatorcommand-crds/values.yaml -------------------------------------------------------------------------------- /charts/dependency_chart/servicescanresult-crds/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kubescape-service-scan-crd 3 | description: A Helm chart CRDs for Kubescape Operator for service authentication scan 4 | 5 | type: application 6 | 7 | version: 0.0.1 8 | 9 | appVersion: "0.0.1" 10 | -------------------------------------------------------------------------------- 
/charts/dependency_chart/servicescanresult-crds/crds/service-scan-result.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: servicesscanresults.kubescape.io 5 | spec: 6 | group: kubescape.io 7 | names: 8 | kind: ServiceScanResult 9 | plural: servicesscanresults 10 | shortNames: 11 | - kssa 12 | singular: servicescanresult 13 | scope: Namespaced 14 | versions: 15 | - name: v1 16 | served: true 17 | storage: true 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | clusterIP: 26 | type: string 27 | ports: 28 | type: array 29 | items: 30 | type: object 31 | properties: 32 | port: 33 | type: integer 34 | protocol: 35 | type: string 36 | sessionLayer: 37 | type: string 38 | presentationLayer: 39 | type: string 40 | applicationLayer: 41 | type: string 42 | authenticated: 43 | type: boolean 44 | nullable: true 45 | -------------------------------------------------------------------------------- /charts/dependency_chart/servicescanresult-crds/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kubescape/helm-charts/33a6a5af98ccf551ac7ff0d7a0176cf35367fbcc/charts/dependency_chart/servicescanresult-crds/values.yaml -------------------------------------------------------------------------------- /charts/kubescape-operator/.helmignore: -------------------------------------------------------------------------------- 1 | tests 2 | -------------------------------------------------------------------------------- /charts/kubescape-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kubescape-operator 3 | description: 4 | Kubescape is an E2E Kubernetes cluster security platform 5 | 6 | type: application 7 | 8 | # This is the 
chart version. This version number should be incremented each time you make changes 9 | # to the chart and its templates, including the app version. 10 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 11 | 12 | version: 1.27.8 13 | 14 | # This is the version number of the application being deployed. This version number should be 15 | # incremented each time you make changes to the application. Versions are not expected to 16 | # follow Semantic Versioning. They should reflect the version the application is using. 17 | # It is recommended to use it with quotes. 18 | 19 | appVersion: 1.27.8 20 | 21 | maintainers: 22 | - name: Ben Hirschberg 23 | email: ben@armosec.io 24 | url: https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890 25 | - name: David Wertenteil 26 | email: dw@armosec.io 27 | url: https://www.linkedin.com/in/david-wertenteil-0ba277b9 28 | - name: Bezalel Brandwine 29 | email: bez@armosec.io 30 | url: https://www.linkedin.com/in/bezalel-brandwine 31 | - name: Matthias Bertschy 32 | email: matthiasb@armosec.io 33 | url: https://www.linkedin.com/in/matthias-bertschy-b427b815/ 34 | - name: Amir Malka 35 | email: amirm@armosec.io 36 | url: https://www.linkedin.com/in/amirmalka 37 | 38 | home: https://kubescape.io/ 39 | 40 | dependencies: 41 | - name: kubescape-alert-crd 42 | version: 0.0.2 43 | repository: "file://../dependency_chart/clustered-crds" 44 | condition: alertCRD.scopeClustered 45 | - name: kubescape-alert-crd-ns 46 | version: 0.0.2 47 | repository: "file://../dependency_chart/namespaced-crds" 48 | condition: alertCRD.scopeNamespaced 49 | - name: kubescape-service-scan-crd 50 | version: 0.0.1 51 | repository: "file://../dependency_chart/servicescanresult-crds" 52 | condition: serviceScanConfig.enabled 53 | - name: kubescape-operator-command-crd 54 | version: 0.0.2 55 | repository: "file://../dependency_chart/operatorcommand-crds" 56 | 
-------------------------------------------------------------------------------- /charts/kubescape-operator/assets/api-server-egress-rules.yaml: -------------------------------------------------------------------------------- 1 | - ports: 2 | - port: {{ .Values.global.networkPolicy.apiServerPort }} 3 | protocol: TCP 4 | to: 5 | {{- if .Values.global.networkPolicy.apiServerIP }} 6 | - ipBlock: 7 | cidr: {{ .Values.global.networkPolicy.apiServerIP }}/32 8 | {{- else }} 9 | - namespaceSelector: 10 | matchLabels: 11 | kubernetes.io/metadata.name: default 12 | podSelector: 13 | matchLabels: 14 | component: apiserver 15 | provider: kubernetes 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /charts/kubescape-operator/assets/common-egress-rules.yaml: -------------------------------------------------------------------------------- 1 | - ports: 2 | - port: 53 3 | protocol: UDP 4 | to: 5 | - namespaceSelector: 6 | matchLabels: 7 | kubernetes.io/metadata.name: kube-system 8 | podSelector: 9 | matchLabels: 10 | k8s-app: kube-dns 11 | - ports: 12 | - port: 4317 13 | protocol: TCP 14 | - port: 4318 15 | protocol: TCP 16 | to: 17 | - podSelector: 18 | matchLabels: 19 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name) | nindent 10 }} 20 | {{- if ne .Values.global.httpsProxy "" }} 21 | - ports: 22 | - port: {{ .Values.global.networkPolicy.httpsProxyPort }} 23 | protocol: TCP 24 | to: 25 | - ipBlock: 26 | cidr: {{ .Values.global.networkPolicy.httpsProxyIP }}/32 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /charts/kubescape-operator/assets/host-scanner-definition.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
-}} 2 | apiVersion: apps/v1 3 | kind: DaemonSet 4 | metadata: 5 | name: {{ .Values.hostScanner.name }} 6 | namespace: {{ .Values.ksNamespace }} 7 | annotations: 8 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.hostScanner.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | spec: 12 | selector: 13 | matchLabels: 14 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.hostScanner.name) | nindent 6 }} 15 | template: 16 | metadata: 17 | annotations: 18 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 8 }} 19 | labels: 20 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.hostScanner.name "tier" .Values.global.namespaceTier) | nindent 8 }} 21 | kubescape.io/tier: "core" 22 | name: host-scanner 23 | {{- if $components.otelCollector.enabled }} 24 | otel: enabled 25 | {{- end }} 26 | spec: 27 | nodeSelector: 28 | {{- if .Values.hostScanner.nodeSelector }} 29 | {{- toYaml .Values.hostScanner.nodeSelector | nindent 8 }} 30 | {{- else if .Values.customScheduling.nodeSelector }} 31 | {{- toYaml .Values.customScheduling.nodeSelector | nindent 8 }} 32 | {{- end }} 33 | affinity: 34 | {{- if .Values.hostScanner.affinity }} 35 | {{- toYaml .Values.hostScanner.affinity | nindent 8 }} 36 | {{- else if .Values.customScheduling.affinity }} 37 | {{- toYaml .Values.customScheduling.affinity | nindent 8 }} 38 | {{- end }} 39 | tolerations: 40 | {{- if .Values.hostScanner.tolerations }} 41 | {{- toYaml .Values.hostScanner.tolerations | nindent 8 }} 42 | {{- else if .Values.customScheduling.tolerations }} 43 | {{- toYaml .Values.customScheduling.tolerations | nindent 8 }} 44 | {{- end }} 45 | {{- if .Values.imagePullSecrets }} 46 | imagePullSecrets: 47 | 
{{- if kindIs "string" .Values.imagePullSecrets }} 48 | - name: {{ .Values.imagePullSecrets }} 49 | {{- else }} 50 | {{- range .Values.imagePullSecrets }} 51 | - name: {{ . }} 52 | {{- end }} 53 | {{- end }} 54 | {{- end }} 55 | containers: 56 | - name: host-sensor 57 | image: "{{ .Values.hostScanner.image.repository }}:{{ .Values.hostScanner.image.tag }}" 58 | imagePullPolicy: {{ .Values.hostScanner.image.pullPolicy }} 59 | securityContext: 60 | allowPrivilegeEscalation: true 61 | privileged: true 62 | readOnlyRootFilesystem: true 63 | procMount: Unmasked 64 | env: 65 | - name: KS_LOGGER_LEVEL 66 | value: "{{ .Values.logger.level }}" 67 | - name: KS_LOGGER_NAME 68 | value: "{{ .Values.logger.name }}" 69 | {{- if $components.otelCollector.enabled }} 70 | - name: ACCOUNT_ID 71 | valueFrom: 72 | secretKeyRef: 73 | name: {{ $components.cloudSecret.name }} 74 | key: account 75 | - name: CLUSTER_NAME 76 | value: "{{ regexReplaceAll "\\W+" .Values.clusterName "-" }}" 77 | - name: OTEL_COLLECTOR_SVC 78 | value: "otel-collector.kubescape.svc:4318" 79 | {{- end }} 80 | {{- if .Values.configurations.otelUrl }} 81 | - name: OTEL_COLLECTOR_SVC 82 | value: {{ .Values.configurations.otelUrl }} 83 | {{- end }} 84 | ports: 85 | - name: scanner # Do not change port name 86 | containerPort: 7888 87 | protocol: TCP 88 | resources: 89 | {{ toYaml .Values.hostScanner.resources | indent 10 }} 90 | volumeMounts: 91 | - mountPath: /host_fs 92 | name: host-filesystem 93 | {{- if .Values.volumeMounts }} 94 | {{ toYaml .Values.volumeMounts | indent 8 }} 95 | {{- end }} 96 | {{- if .Values.hostScanner.volumeMounts }} 97 | {{ toYaml .Values.hostScanner.volumeMounts | nindent 8 }} 98 | {{- end }} 99 | startupProbe: 100 | httpGet: 101 | path: /readyz 102 | port: 7888 103 | failureThreshold: 30 104 | periodSeconds: 1 105 | livenessProbe: 106 | httpGet: 107 | path: /healthz 108 | port: 7888 109 | periodSeconds: 10 110 | terminationGracePeriodSeconds: 120 111 | dnsPolicy: ClusterFirstWithHostNet 
112 | serviceAccountName: {{ .Values.nodeAgent.name }} 113 | automountServiceAccountToken: false 114 | volumes: 115 | - hostPath: 116 | path: / 117 | type: Directory 118 | name: host-filesystem 119 | {{- if .Values.volumes }} 120 | {{ toYaml .Values.volumes | indent 6 }} 121 | {{- end }} 122 | {{- if .Values.hostScanner.volumes }} 123 | {{ toYaml .Values.hostScanner.volumes | nindent 6 }} 124 | {{- end }} 125 | hostPID: true 126 | hostIPC: true 127 | -------------------------------------------------------------------------------- /charts/kubescape-operator/assets/kubescape-cronjob-full.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: CronJob 3 | metadata: 4 | name: {{ .Values.kubescapeScheduler.name }} 5 | namespace: {{ .Values.ksNamespace }} 6 | labels: 7 | app: {{ .Values.kubescapeScheduler.name }} 8 | tier: {{ .Values.global.namespaceTier }} 9 | kubescape.io/tier: "core" 10 | armo.tier: "kubescape-scan" 11 | spec: 12 | schedule: "{{ .Values.kubescapeScheduler.scanSchedule }}" 13 | successfulJobsHistoryLimit: {{ .Values.kubescapeScheduler.successfulJobsHistoryLimit }} 14 | failedJobsHistoryLimit: {{ .Values.kubescapeScheduler.failedJobsHistoryLimit }} 15 | jobTemplate: 16 | spec: 17 | template: 18 | metadata: 19 | labels: 20 | armo.tier: "kubescape-scan" 21 | kubescape.io/tier: "core" 22 | spec: 23 | securityContext: 24 | seccompProfile: 25 | type: RuntimeDefault 26 | {{- if .Values.imagePullSecrets }} 27 | imagePullSecrets: 28 | {{- if kindIs "string" .Values.imagePullSecrets }} 29 | - name: {{ .Values.imagePullSecrets }} 30 | {{- else }} 31 | {{- range .Values.imagePullSecrets }} 32 | - name: {{ . 
}} 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | containers: 37 | - name: {{ .Values.kubescapeScheduler.name }} 38 | image: "{{ .Values.kubescapeScheduler.image.repository }}:{{ .Values.kubescapeScheduler.image.tag }}" 39 | imagePullPolicy: {{ .Values.kubescapeScheduler.image.pullPolicy }} 40 | securityContext: 41 | allowPrivilegeEscalation: false 42 | readOnlyRootFilesystem: true 43 | runAsNonRoot: true 44 | runAsUser: 100 45 | resources: 46 | {{ toYaml .Values.kubescapeScheduler.resources | indent 18 }} 47 | args: 48 | - -method=post 49 | - -scheme=http 50 | - -host={{ .Values.operator.name }}:{{ .Values.operator.service.port }} 51 | - -path=v1/triggerAction 52 | - -headers=Content-Type:application/json 53 | - -path-body=/home/ks/request-body.json 54 | {{- if .Values.kubescapeScheduler.insecureSkipTLSVerify }} 55 | - -skip-ssl-verify=true 56 | {{- end}} 57 | volumeMounts: 58 | - name: "request-body-volume" 59 | mountPath: /home/ks/request-body.json 60 | subPath: request-body.json 61 | readOnly: true 62 | {{- if .Values.volumeMounts }} 63 | {{ toYaml .Values.volumeMounts | indent 18 }} 64 | {{- end }} 65 | {{- if .Values.kubescapeScheduler.volumeMounts }} 66 | {{ toYaml .Values.kubescapeScheduler.volumeMounts | indent 18 }} 67 | {{- end }} 68 | restartPolicy: Never 69 | serviceAccountName: {{ .Values.kubescape.name }} 70 | automountServiceAccountToken: false 71 | nodeSelector: 72 | {{- if .Values.kubescapeScheduler.nodeSelector }} 73 | {{- toYaml .Values.kubescapeScheduler.nodeSelector | nindent 16 }} 74 | {{- else if .Values.customScheduling.nodeSelector }} 75 | {{- toYaml .Values.customScheduling.nodeSelector | nindent 16 }} 76 | {{- end }} 77 | affinity: 78 | {{- if .Values.kubescapeScheduler.affinity }} 79 | {{- toYaml .Values.kubescapeScheduler.affinity | nindent 16 }} 80 | {{- else if .Values.customScheduling.affinity }} 81 | {{- toYaml .Values.customScheduling.affinity | nindent 16 }} 82 | {{- end }} 83 | tolerations: 84 | {{- if 
.Values.kubescapeScheduler.tolerations }} 85 | {{- toYaml .Values.kubescapeScheduler.tolerations | nindent 16 }} 86 | {{- else if .Values.customScheduling.tolerations }} 87 | {{- toYaml .Values.customScheduling.tolerations | nindent 16 }} 88 | {{- end }} 89 | volumes: 90 | - name: "request-body-volume" # placeholder 91 | configMap: 92 | name: {{ .Values.kubescapeScheduler.name }} 93 | {{- if .Values.volumes }} 94 | {{ toYaml .Values.volumes | indent 16 }} 95 | {{- end }} 96 | {{- if .Values.kubescapeScheduler.volumes }} 97 | {{ toYaml .Values.kubescapeScheduler.volumes | indent 16 }} 98 | {{- end }} 99 | -------------------------------------------------------------------------------- /charts/kubescape-operator/assets/kubevuln-cronjob-full.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: CronJob 3 | metadata: 4 | name: {{ .Values.kubevulnScheduler.name }} 5 | namespace: {{ .Values.ksNamespace }} 6 | labels: 7 | app: {{ .Values.kubevulnScheduler.name }} 8 | tier: {{ .Values.global.namespaceTier }} 9 | kubescape.io/tier: "core" 10 | armo.tier: "vuln-scan" 11 | spec: 12 | schedule: "{{ .Values.kubevulnScheduler.scanSchedule }}" 13 | successfulJobsHistoryLimit: {{ .Values.kubevulnScheduler.successfulJobsHistoryLimit }} 14 | failedJobsHistoryLimit: {{ .Values.kubevulnScheduler.failedJobsHistoryLimit }} 15 | jobTemplate: 16 | spec: 17 | template: 18 | metadata: 19 | labels: 20 | armo.tier: "vuln-scan" 21 | kubescape.io/tier: "core" 22 | spec: 23 | securityContext: 24 | seccompProfile: 25 | type: RuntimeDefault 26 | {{- if .Values.imagePullSecrets }} 27 | imagePullSecrets: 28 | {{- if kindIs "string" .Values.imagePullSecrets }} 29 | - name: {{ .Values.imagePullSecrets }} 30 | {{- else }} 31 | {{- range .Values.imagePullSecrets }} 32 | - name: {{ . 
}} 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | containers: 37 | - name: {{ .Values.kubevulnScheduler.name }} 38 | image: "{{ .Values.kubevulnScheduler.image.repository }}:{{ .Values.kubevulnScheduler.image.tag }}" 39 | imagePullPolicy: {{ .Values.kubevulnScheduler.image.pullPolicy }} 40 | securityContext: 41 | allowPrivilegeEscalation: false 42 | readOnlyRootFilesystem: true 43 | runAsNonRoot: true 44 | runAsUser: 100 45 | resources: 46 | {{ toYaml .Values.kubevulnScheduler.resources | indent 18 }} 47 | args: 48 | - -method=post 49 | - -scheme=http 50 | - -host={{ .Values.operator.name }}:{{ .Values.operator.service.port }} 51 | - -path=v1/triggerAction 52 | - -headers=Content-Type:application/json 53 | - -path-body=/home/ks/request-body.json 54 | {{- if .Values.kubevulnScheduler.insecureSkipTLSVerify }} 55 | - -skip-ssl-verify=true 56 | {{- end}} 57 | volumeMounts: 58 | - name: "request-body-volume" 59 | mountPath: /home/ks/request-body.json 60 | subPath: request-body.json 61 | readOnly: true 62 | {{- if .Values.volumeMounts }} 63 | {{ toYaml .Values.volumeMounts | indent 18 }} 64 | {{- end }} 65 | {{- if .Values.kubevulnScheduler.volumeMounts }} 66 | {{ toYaml .Values.kubevulnScheduler.volumeMounts | indent 18 }} 67 | {{- end }} 68 | restartPolicy: Never 69 | serviceAccountName: {{ .Values.kubevuln.name }} 70 | automountServiceAccountToken: false 71 | nodeSelector: 72 | {{- if .Values.kubevulnScheduler.nodeSelector }} 73 | {{- toYaml .Values.kubevulnScheduler.nodeSelector | nindent 16 }} 74 | {{- else if .Values.customScheduling.nodeSelector }} 75 | {{- toYaml .Values.customScheduling.nodeSelector | nindent 16 }} 76 | {{- end }} 77 | affinity: 78 | {{- if .Values.kubevulnScheduler.affinity }} 79 | {{- toYaml .Values.kubevulnScheduler.affinity | nindent 16 }} 80 | {{- else if .Values.customScheduling.affinity }} 81 | {{- toYaml .Values.customScheduling.affinity | nindent 16 }} 82 | {{- end }} 83 | tolerations: 84 | {{- if 
.Values.kubevulnScheduler.tolerations }} 85 | {{- toYaml .Values.kubevulnScheduler.tolerations | nindent 16 }} 86 | {{- else if .Values.customScheduling.tolerations }} 87 | {{- toYaml .Values.customScheduling.tolerations | nindent 16 }} 88 | {{- end }} 89 | volumes: 90 | - name: "request-body-volume" # placeholder 91 | configMap: 92 | name: {{ .Values.kubevulnScheduler.name }} 93 | {{- if .Values.volumes }} 94 | {{ toYaml .Values.volumes | indent 16 }} 95 | {{- end }} 96 | {{- if .Values.kubevulnScheduler.volumes }} 97 | {{ toYaml .Values.kubevulnScheduler.volumes | indent 16 }} 98 | {{- end }} 99 | -------------------------------------------------------------------------------- /charts/kubescape-operator/assets/otel-collector-config.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- $configurations := fromYaml (include "configurations" .) }} 3 | # receivers configure how data gets into the Collector. 4 | receivers: 5 | otlp: 6 | protocols: 7 | grpc: 8 | endpoint: 0.0.0.0:4317 9 | http: 10 | endpoint: 0.0.0.0:4318 11 | hostmetrics: 12 | collection_interval: {{ .Values.otelCollector.hostmetrics.scrapeInterval }} 13 | scrapers: 14 | cpu: 15 | memory: 16 | 17 | # processors specify what happens with the received data. 18 | processors: 19 | attributes/ksCloud: 20 | actions: 21 | - key: account_id 22 | value: "{{ .Values.account }}" 23 | action: upsert 24 | - key: cluster_name 25 | value: "{{ regexReplaceAll "\\W+" .Values.clusterName "-" }}" 26 | action: upsert 27 | batch: 28 | send_batch_size: 10000 29 | timeout: 10s 30 | 31 | # exporters configure how to send processed data to one or more backends. 
32 | exporters: 33 | debug/noop: 34 | verbosity: basic 35 | sampling_initial: 0 36 | sampling_thereafter: 0 37 | otlp/ksCloud: 38 | {{- if $configurations.ksOtel }} 39 | endpoint: ${env:CLOUD_OTEL_COLLECTOR_URL} 40 | {{- else }} 41 | endpoint: "" 42 | {{- end }} 43 | tls: 44 | insecure: false 45 | {{- if $configurations.otel }} 46 | otlp: 47 | endpoint: "{{ .Values.configurations.otelUrl }}" 48 | tls: 49 | insecure: {{ .Values.otelCollector.endpoint.insecure }} 50 | {{- if .Values.otelCollector.endpoint.headers }} 51 | headers: 52 | {{- range $k, $v := .Values.otelCollector.endpoint.headers }} 53 | {{ $k }}: {{ $v }} 54 | {{- end }} 55 | {{- end }} 56 | {{- end }} 57 | 58 | # service pulls the configured receivers, processors, and exporters together into 59 | # processing pipelines. Unused receivers/processors/exporters are ignored. 60 | service: 61 | pipelines: 62 | traces: 63 | receivers: [otlp] 64 | processors: [batch] 65 | exporters: 66 | - otlp/ksCloud 67 | {{- if $configurations.otel }} 68 | - otlp 69 | {{- end }} 70 | {{- if .Values.otelCollector.hostmetrics.enabled }} 71 | metrics/2: 72 | receivers: [hostmetrics] 73 | processors: [attributes/ksCloud, batch] 74 | exporters: 75 | - otlp/ksCloud 76 | {{- if $configurations.otel }} 77 | - otlp 78 | {{- end }} 79 | {{- end }} 80 | metrics: 81 | receivers: [otlp] 82 | processors: [attributes/ksCloud, batch] 83 | exporters: 84 | - otlp/ksCloud 85 | {{- if $configurations.otel }} 86 | - otlp 87 | {{- end }} 88 | logs: 89 | receivers: [otlp] 90 | processors: [attributes/ksCloud, batch] 91 | exporters: 92 | - debug/noop 93 | -------------------------------------------------------------------------------- /charts/kubescape-operator/assets/registry-scan-cronjob-full.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: CronJob 3 | metadata: 4 | name: {{ .Values.registryScanScheduler.name }} 5 | namespace: {{ .Values.ksNamespace }} 6 | labels: 7 | app: 
{{ .Values.registryScanScheduler.name }} 8 | kubescape.io/tier: "core" 9 | tier: {{ .Values.global.namespaceTier }} 10 | armo.tier: "registry-scan" 11 | spec: 12 | schedule: "{{ .Values.registryScanScheduler.scanSchedule }}" 13 | successfulJobsHistoryLimit: {{ .Values.registryScanScheduler.successfulJobsHistoryLimit }} 14 | failedJobsHistoryLimit: {{ .Values.registryScanScheduler.failedJobsHistoryLimit }} 15 | jobTemplate: 16 | spec: 17 | template: 18 | metadata: 19 | labels: 20 | armo.tier: "registry-scan" 21 | kubescape.io/tier: "core" 22 | spec: 23 | securityContext: 24 | seccompProfile: 25 | type: RuntimeDefault 26 | {{- if .Values.imagePullSecrets }} 27 | imagePullSecrets: 28 | {{- if kindIs "string" .Values.imagePullSecrets }} 29 | - name: {{ .Values.imagePullSecrets }} 30 | {{- else }} 31 | {{- range .Values.imagePullSecrets }} 32 | - name: {{ . }} 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | containers: 37 | - name: {{ .Values.registryScanScheduler.name }} 38 | image: "{{ .Values.registryScanScheduler.image.repository }}:{{ .Values.registryScanScheduler.image.tag }}" 39 | imagePullPolicy: {{ .Values.registryScanScheduler.image.pullPolicy }} 40 | securityContext: 41 | allowPrivilegeEscalation: false 42 | readOnlyRootFilesystem: true 43 | runAsNonRoot: true 44 | runAsUser: 100 45 | resources: 46 | {{ toYaml .Values.registryScanScheduler.resources | indent 18 }} 47 | args: 48 | - -method=post 49 | - -scheme=http 50 | - -host={{ .Values.operator.name }}:{{ .Values.operator.service.port }} 51 | - -path=v1/triggerAction 52 | - -headers=Content-Type:application/json 53 | - -path-body=/home/ks/request-body.json 54 | {{- if .Values.registryScanScheduler.insecureSkipTLSVerify }} 55 | - -skip-ssl-verify=true 56 | {{- end}} 57 | volumeMounts: 58 | - name: "request-body-volume" 59 | mountPath: /home/ks/request-body.json 60 | subPath: request-body.json 61 | readOnly: true 62 | {{- if .Values.volumeMounts }} 63 | {{ toYaml .Values.volumeMounts | indent 18 }} 64 | 
{{- end }} 65 | {{- if .Values.registryScanScheduler.volumeMounts }} 66 | {{ toYaml .Values.registryScanScheduler.volumeMounts | indent 18 }} 67 | {{- end }} 68 | restartPolicy: Never 69 | serviceAccountName: {{ .Values.kubevuln.name }} 70 | automountServiceAccountToken: false 71 | nodeSelector: 72 | {{- if .Values.registryScanScheduler.nodeSelector }} 73 | {{- toYaml .Values.registryScanScheduler.nodeSelector | nindent 16 }} 74 | {{- else if .Values.customScheduling.nodeSelector }} 75 | {{- toYaml .Values.customScheduling.nodeSelector | nindent 16 }} 76 | {{- end }} 77 | affinity: 78 | {{- if .Values.registryScanScheduler.affinity }} 79 | {{- toYaml .Values.registryScanScheduler.affinity | nindent 16 }} 80 | {{- else if .Values.customScheduling.affinity }} 81 | {{- toYaml .Values.customScheduling.affinity | nindent 16 }} 82 | {{- end }} 83 | tolerations: 84 | {{- if .Values.registryScanScheduler.tolerations }} 85 | {{- toYaml .Values.registryScanScheduler.tolerations | nindent 16 }} 86 | {{- else if .Values.customScheduling.tolerations }} 87 | {{- toYaml .Values.customScheduling.tolerations | nindent 16 }} 88 | {{- end }} 89 | volumes: 90 | - name: "request-body-volume" # placeholder 91 | configMap: 92 | name: {{ .Values.registryScanScheduler.name }} 93 | {{- if .Values.volumes }} 94 | {{ toYaml .Values.volumes | indent 16 }} 95 | {{- end }} 96 | {{- if .Values.registryScanScheduler.volumes }} 97 | {{ toYaml .Values.registryScanScheduler.volumes | indent 16 }} 98 | {{- end }} 99 | -------------------------------------------------------------------------------- /charts/kubescape-operator/clamav/clamd.conf: -------------------------------------------------------------------------------- 1 | Foreground yes 2 | User root 3 | Debug no 4 | LeaveTemporaryFiles no 5 | LogTime no 6 | LogClean no 7 | LogVerbose no 8 | LocalSocket /run/clamav/clamd.sock 9 | LocalSocketGroup clamav 10 | LocalSocketMode 660 11 | MaxDirectoryRecursion 20 12 | ExtendedDetectionInfo yes 13 | 
-------------------------------------------------------------------------------- /charts/kubescape-operator/clamav/freshclam.conf: -------------------------------------------------------------------------------- 1 | Foreground yes 2 | DatabaseDirectory /var/lib/clamav 3 | UpdateLogFile /dev/stdout 4 | Debug no 5 | LogFileMaxSize 0 6 | LogTime yes 7 | DatabaseOwner root 8 | DNSDatabaseInfo current.cvd.clamav.net 9 | DatabaseMirror database.clamav.net 10 | MaxAttempts 3 11 | ScriptedUpdates no 12 | CompressLocalDatabase no 13 | TestDatabases yes 14 | Checks 0 15 | ConnectTimeout 30 16 | ReceiveTimeout 60 17 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing {{ .Chart.Name }} version {{ .Chart.Version }}. 2 | {{ $components := fromYaml (include "components" .) -}} 3 | {{ if $components.kubescapeScheduler.enabled -}} 4 | 5 | View your cluster's configuration scanning schedule: 6 | > kubectl -n {{ .Values.ksNamespace }} get cj {{ .Values.kubescapeScheduler.name }} -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}' 7 | 8 | To change the schedule, set `.spec.schedule`: 9 | > kubectl -n {{ .Values.ksNamespace }} edit cj {{ .Values.kubescapeScheduler.name }} 10 | 11 | {{- end }} 12 | {{ if $components.kubevulnScheduler.enabled -}} 13 | 14 | View your cluster's image scanning schedule: 15 | > kubectl -n {{ .Values.ksNamespace }} get cj {{ .Values.kubevulnScheduler.name }} -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}' 16 | 17 | To change the schedule, edit `.spec.schedule`: 18 | > kubectl -n {{ .Values.ksNamespace }} edit cj {{ .Values.kubevulnScheduler.name }} 19 | 20 | {{- end }} 21 | 22 | {{ if eq .Values.capabilities.vulnerabilityScan "enable" -}} 23 | 24 | View your image vulnerabilities scan summaries: 25 | > kubectl get vulnerabilitymanifestsummaries -A 26 | 27 
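Detailed reports are also available:
> kubectl get vulnerabilitymanifests -A
{{- end }}

{{ if eq .Values.capabilities.networkPolicyService "enable" -}}

{{ .Chart.Name }} generates suggested network policies. To view them:
> kubectl get generatednetworkpolicies -n <namespace>
{{- end }}

{{- if and (eq .Values.capabilities.nodeSbomGeneration "disable") (not .Values.global.enableClusterWideSecretAccess) }}

WARNING: Both nodeSbomGeneration and enableClusterWideSecretAccess are disabled.
This means vulnerability scanning will be limited to images from public repositories only, since Kubescape cannot access image pull secrets.
To enable scanning of private images, either:
- Enable nodeSbomGeneration (recommended): Set capabilities.nodeSbomGeneration: "enable"
- Enable cluster-wide secret access: Set global.enableClusterWideSecretAccess: true
{{- end }}


--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/_cronjob.tpl:
--------------------------------------------------------------------------------
{{/* calc values for kubescape cronjobs */}}
{{/*
Random minute (0-59) and hour (0-23) used to spread the daily kubescape scan
over the day instead of every installation scanning at the same moment.
randNumeric 2 yields a two-digit string; mod converts it and reduces it to range.
*/}}
{{- define "kubescape_daily_scan_cron_tab_minute" -}}
{{ mod (randNumeric 2) 60 }}
{{- end }}

{{- define "kubescape_daily_scan_cron_tab_hour" -}}
{{mod (randNumeric 2) 24 }}
{{- end }}

{{/*
Resolve the kubescape scan schedule.
The chart default "0 8 * * *" is treated as a sentinel meaning "pick a random daily
slot": if a CronJob with this name already exists its schedule is kept (so upgrades do
not re-roll the time), otherwise a fresh "M H * * *" is generated. Any other value is
used verbatim. Side effect: a user who deliberately sets "0 8 * * *" is also randomized.
NOTE: lookup returns an empty map when Helm has no API access (helm template,
--dry-run, client-side GitOps rendering), so in those modes the slot is re-rolled on
every render.
*/}}
{{- define "kubescape_daily_scan_cron_tab" -}}
{{- if eq .Values.kubescapeScheduler.scanSchedule "0 8 * * *" -}}
{{- $existingSchedule := (lookup "batch/v1" "CronJob" .Values.ksNamespace .Values.kubescapeScheduler.name) -}}
{{- if $existingSchedule -}}
{{ $existingSchedule.spec.schedule }}
{{- else -}}
{{- $kubescape_daily_scan_cron_tab_minute := (include "kubescape_daily_scan_cron_tab_minute" .) -}}
{{- $kubescape_daily_scan_cron_tab_hour := (include "kubescape_daily_scan_cron_tab_hour" .) -}}
{{- /* include may carry a surrounding newline; strip it before composing the crontab */ -}}
{{ trimPrefix "\n" (trimSuffix "\n" $kubescape_daily_scan_cron_tab_minute) }} {{ trimPrefix "\n" (trimSuffix "\n" $kubescape_daily_scan_cron_tab_hour) }} * * *
{{- end -}}
{{- else -}}
{{- .Values.kubescapeScheduler.scanSchedule -}}
{{- end -}}
{{- end }}




{{/* calc values for kube-vuln cronjobs */}}
{{/*
Same random minute/hour helpers for the kubevuln (image scanning) CronJob.
*/}}
{{- define "kubevuln_daily_scan_cron_tab_minute" -}}
{{ mod (randNumeric 2) 60 }}
{{- end }}

{{- define "kubevuln_daily_scan_cron_tab_hour" -}}
{{mod (randNumeric 2) 24 }}
{{- end }}


{{/*
Resolve the kubevuln scan schedule; mirrors kubescape_daily_scan_cron_tab with the
sentinel default "0 0 * * *". The random slot now comes from the kubevuln_* helpers
defined above (they were previously unused and the kubescape_* ones were called
instead); the generated value is identical in form.
*/}}
{{- define "kubevuln_daily_scan_cron_tab" -}}
{{- if eq .Values.kubevulnScheduler.scanSchedule "0 0 * * *" -}}
{{- $existingSchedule := (lookup "batch/v1" "CronJob" .Values.ksNamespace .Values.kubevulnScheduler.name) -}}
{{- if $existingSchedule -}}
{{ $existingSchedule.spec.schedule }}
{{- else -}}
{{- $kubevuln_daily_scan_cron_tab_minute := (include "kubevuln_daily_scan_cron_tab_minute" .) -}}
{{- $kubevuln_daily_scan_cron_tab_hour := (include "kubevuln_daily_scan_cron_tab_hour" .) -}}
{{ trimPrefix "\n" (trimSuffix "\n" $kubevuln_daily_scan_cron_tab_minute) }} {{ trimPrefix "\n" (trimSuffix "\n" $kubevuln_daily_scan_cron_tab_hour) }} * * *
{{- end -}}
{{- else -}}
{{- .Values.kubevulnScheduler.scanSchedule -}}
{{- end -}}
{{- end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/*
Expand the name of the chart.
*/}}
{{- define "kubescape-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).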
11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "kubescape-operator.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "kubescape-operator.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common annotations 35 | */}} 36 | {{- define "kubescape-operator.annotations" -}} 37 | {{- if .Values.additionalAnnotations }} 38 | {{ toYaml .Values.additionalAnnotations }} 39 | {{- end }} 40 | {{- end }} 41 | 42 | {{/* 43 | Common labels 44 | */}} 45 | {{- define "kubescape-operator.labels" -}} 46 | helm.sh/chart: {{ include "kubescape-operator.chart" . }} 47 | {{ include "kubescape-operator.selectorLabels" . }} 48 | {{- if .Chart.AppVersion }} 49 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 50 | {{- end }} 51 | app.kubernetes.io/managed-by: {{ .Release.Service }} 52 | app.kubernetes.io/part-of: kubescape 53 | app: {{ .app }} 54 | tier: {{ .tier }} 55 | kubescape.io/ignore: "true" 56 | {{- if .Values.additionalLabels }} 57 | {{ toYaml .Values.additionalLabels }} 58 | {{- end }} 59 | {{- end }} 60 | 61 | {{/* 62 | Selector labels 63 | */}} 64 | {{- define "kubescape-operator.selectorLabels" -}} 65 | app.kubernetes.io/name: {{ include "kubescape-operator.name" . 
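}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: {{ .app }}
{{- end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/autoupdater/cronjob.yaml:
--------------------------------------------------------------------------------
{{- /*
CronJob that runs the Helm release upgrader. The pod runs under the ServiceAccount of
the same name, which rbac.yaml binds to an unrestricted ClusterRole, and presumably
relies on the automatically mounted token (automountServiceAccountToken is not disabled
here). The container is hardened like the other chart pods: non-root, no privilege
escalation, read-only root filesystem and the RuntimeDefault seccomp profile; Helm's
own cache/config/data live on a size-limited emptyDir.
*/}}
{{- $components := fromYaml (include "components" .) }}
{{- if $components.autoUpdater.enabled }}
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ .Values.helmReleaseUpgrader.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
    # Helm leaves this CronJob in place on `helm uninstall`; remove it manually if unwanted.
    "helm.sh/resource-policy": keep
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.helmReleaseUpgrader.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  schedule: {{ .Values.helmReleaseUpgrader.schedule | quote }}
  successfulJobsHistoryLimit: {{ .Values.helmReleaseUpgrader.successfulJobsHistoryLimit }}
  failedJobsHistoryLimit: {{ .Values.helmReleaseUpgrader.failedJobsHistoryLimit }}
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 12 }}
          labels:
            {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.helmReleaseUpgrader.name "tier" .Values.global.namespaceTier) | nindent 12 }}
        spec:
          serviceAccountName: {{ .Values.helmReleaseUpgrader.name }}
          securityContext:
            runAsNonRoot: true
            # User and Group IDs as defined in the Helm Release Upgrader image
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
            # Same seccomp baseline as the other pod specs in the chart.
            seccompProfile:
              type: RuntimeDefault
          volumes:
            - name: "helm-scratch-data"
              emptyDir:
                sizeLimit: 500Mi
          containers:
            - name: {{ .Values.helmReleaseUpgrader.name }}
              image: {{ printf "%s:%s" .Values.helmReleaseUpgrader.image.repository .Values.helmReleaseUpgrader.image.tag | quote }}
              imagePullPolicy: {{ .Values.helmReleaseUpgrader.image.pullPolicy | quote }}
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
              volumeMounts:
                - name: "helm-scratch-data"
                  mountPath: /data/helm-scratch-data
              # Redirect Helm's writable state to the scratch volume because the root
              # filesystem is read-only.
              env:
                - name: "HELM_CACHE_HOME"
                  value: "/data/helm-scratch-data/.cache"
                - name: "HELM_CONFIG_HOME"
                  value: "/data/helm-scratch-data/.config"
                - name: "HELM_DATA_HOME"
                  value: "/data/helm-scratch-data/.data"
              resources:
{{ toYaml .Values.helmReleaseUpgrader.resources | indent 14 }}
          restartPolicy: OnFailure
          # Scheduling: component-specific settings win, otherwise the chart-wide
          # customScheduling values apply.
          nodeSelector:
          {{- if .Values.helmReleaseUpgrader.nodeSelector }}
          {{- toYaml .Values.helmReleaseUpgrader.nodeSelector | nindent 12 }}
          {{- else if .Values.customScheduling.nodeSelector }}
          {{- toYaml .Values.customScheduling.nodeSelector | nindent 12 }}
          {{- end }}
          affinity:
          {{- if .Values.helmReleaseUpgrader.affinity }}
          {{- toYaml .Values.helmReleaseUpgrader.affinity | nindent 12 }}
          {{- else if .Values.customScheduling.affinity }}
          {{- toYaml .Values.customScheduling.affinity | nindent 12 }}
          {{- end }}
          tolerations:
          {{- if .Values.helmReleaseUpgrader.tolerations }}
          {{- toYaml .Values.helmReleaseUpgrader.tolerations | nindent 12 }}
          {{- else if .Values.customScheduling.tolerations }}
          {{- toYaml .Values.customScheduling.tolerations | nindent 12 }}
          {{- end }}
{{ end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/autoupdater/networkpolicy.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)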
}}
{{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.autoUpdater.enabled }}
# Egress-only NetworkPolicy for the helm release upgrader pods. The permitted
# destinations come from the shared assets/common-egress-rules.yaml (rendered with tpl).
# Ingress is not covered by this policy: policyTypes lists only Egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Values.helmReleaseUpgrader.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.helmReleaseUpgrader.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.helmReleaseUpgrader.name) | nindent 6 }}
  policyTypes:
    - Egress
  egress:
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
{{- end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/autoupdater/rbac.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if $components.autoUpdater.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.helmReleaseUpgrader.name }}
  annotations:
    # Helm leaves the ClusterRole and ClusterRoleBinding in place on `helm uninstall`;
    # they have to be deleted manually when the chart is removed.
    "helm.sh/resource-policy": keep
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.helmReleaseUpgrader.name "tier" .Values.global.namespaceTier) | nindent 4 }}
# Unrestricted cluster-wide access: every API group, every resource, every verb
# (equivalent to cluster-admin). Presumably required because the upgrader runs
# `helm upgrade` on this chart, which manages cluster-scoped objects (ClusterRoles,
# CRDs); the consequence is that a compromise of the upgrader pod or of its
# ServiceAccount token is a full-cluster compromise. The whole component is gated
# by $components.autoUpdater.enabled (see the "components" helper).
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Values.helmReleaseUpgrader.name }}
  annotations:
    "helm.sh/resource-policy": keep
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.helmReleaseUpgrader.name "tier" .Values.global.namespaceTier) | nindent 4 }}
# Binds the ClusterRole above to the upgrader ServiceAccount in the chart namespace.
subjects:
  - kind: ServiceAccount
    name: {{ .Values.helmReleaseUpgrader.name }}
    namespace: {{ .Values.ksNamespace }}
roleRef:
  apiGroup: "rbac.authorization.k8s.io"
  kind: ClusterRole
  name: {{ .Values.helmReleaseUpgrader.name }}
{{ end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/autoupdater/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if $components.autoUpdater.enabled }}
# ServiceAccount of the helm release upgrader; rbac.yaml grants it an unrestricted
# ClusterRole, so its token is a highly privileged credential. Also kept on uninstall.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: {{ .Values.ksNamespace }}
  name: {{ .Values.helmReleaseUpgrader.name }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
    "helm.sh/resource-policy": keep
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.helmReleaseUpgrader.name "tier" .Values.global.namespaceTier) | nindent 4 }}
{{ end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/configs/cloud-secret.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.cloudSecret.create }}
# Backend credentials (account id and access key) taken from .Values.account and
# .Values.accessKey. `default ""` means the Secret is still created, with empty
# values, when they are not provided — the render does not fail. Note that values
# passed to Helm are also persisted in the Helm release Secret of this namespace.
kind: Secret
apiVersion: v1
metadata:
  name: {{ $components.cloudSecret.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" $components.cloudSecret.name "tier" .Values.global.namespaceTier) | nindent 4 }}
    kubescape.io/infra: credentials
type: Opaque
data:
  account: "{{ .Values.account | default "" | b64enc }}"
  accessKey: "{{ .Values.accessKey | default "" | b64enc }}"
{{- end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- $configurations := fromYaml (include "configurations" .)
}} 3 | kind: ConfigMap 4 | apiVersion: v1 5 | metadata: 6 | name: {{ .Values.global.cloudConfig }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | {{- if $components.serviceDiscovery.enabled }} 11 | "argocd.argoproj.io/sync-options": Delete=false 12 | "helm.sh/hook": pre-install,pre-upgrade 13 | "helm.sh/hook-weight": "0" 14 | "helm.sh/hook-delete-policy": before-hook-creation 15 | "helm.sh/resource-policy": keep 16 | {{- end }} 17 | labels: 18 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.global.cloudConfig "tier" .Values.global.namespaceTier) | nindent 4 }} 19 | kubescape.io/tier: "core" 20 | kubescape.io/infra: config 21 | data: 22 | {{- if $components.serviceDiscovery.enabled }} 23 | metrics: '{{ .Values.serviceDiscovery.metrics }}' 24 | services: '{{ .Values.serviceDiscovery.services }}' 25 | {{- end }} 26 | clusterData: | 27 | { 28 | "serviceDiscovery": {{ $components.serviceDiscovery.enabled }}, 29 | "vulnScanURL": "{{ .Values.kubevuln.name }}:{{ .Values.kubevuln.service.port }}", 30 | "kubevulnURL": "{{ .Values.kubevuln.name }}:{{ .Values.kubevuln.service.port }}", 31 | "kubescapeURL": "{{ .Values.kubescape.name }}:{{ .Values.kubescape.service.port }}", 32 | "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" }}", 33 | "storage": {{ $components.storage.enabled }}, 34 | "relevantImageVulnerabilitiesEnabled": {{ eq .Values.capabilities.relevancy "enable" }}, 35 | "namespace": "{{ .Values.ksNamespace }}", 36 | "imageVulnerabilitiesScanningEnabled": {{ $components.kubevuln.enabled }}, 37 | "postureScanEnabled": {{ $components.kubescape.enabled }}, 38 | "otelCollector": {{ $components.otelCollector.enabled }}, 39 | "nodeAgent": "{{ $components.nodeAgent.enabled }}", 40 | "maxImageSize": {{ .Values.kubevuln.config.maxImageSize }}, 41 | "maxSBOMSize": {{ 
.Values.kubevuln.config.maxSBOMSize }}, 42 | "keepLocal": {{ not $components.serviceDiscovery.enabled }}, 43 | "scanTimeout": "{{ .Values.kubevuln.config.scanTimeout }}", 44 | "scanEmbeddedSBOMs": {{ eq .Values.capabilities.scanEmbeddedSBOMs "enable" }}, 45 | "vexGeneration": {{ eq .Values.capabilities.vexGeneration "enable" }}, 46 | "useDefaultMatchers": {{ .Values.kubevuln.config.useDefaultMatchers }}, 47 | "storeFilteredSbom": {{ or .Values.kubevuln.config.storeFilteredSboms (eq .Values.capabilities.syncSBOM "enable") }}, 48 | "continuousPostureScan": {{ $configurations.continuousScan }}, 49 | {{- if not (empty .Values.kubevuln.config.grypeDbListingURL) }} 50 | "listingURL": "{{ .Values.kubevuln.config.grypeDbListingURL }}", 51 | {{- end }} 52 | {{- if .Values.grypeOfflineDB.enabled }} 53 | "listingURL": "http://{{ .Values.grypeOfflineDB.name }}:80/listing.json", 54 | {{- end }} 55 | "relevantImageVulnerabilitiesConfiguration": "{{ .Values.capabilities.relevancy }}" 56 | } 57 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/configs/components-configmap.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: ks-capabilities 5 | namespace: {{ .Values.ksNamespace }} 6 | annotations: 7 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" "ks-capabilities" "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | kubescape.io/tier: "core" 11 | data: 12 | capabilities: | 13 | { 14 | "capabilities": {{- .Values.capabilities | toJson }}, 15 | "components": {{- include "components" . 
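| fromYaml | toJson }},
      "configurations": {{- .Values.configurations | toJson }} ,
      "serviceScanConfig" : {{- .Values.serviceScanConfig | toJson }}
    }

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/configs/custom-ca-certificates.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if .Values.global.overrideDefaultCaCertificates.enabled }}
# Custom CA bundle, supplied verbatim via global.overrideDefaultCaCertificates.caCertificates
# and stored base64-encoded under ca-certificates.crt. An unset value yields an empty
# bundle file rather than a render error.
kind: Secret
apiVersion: v1
metadata:
  name: {{ $components.customCaCertificates.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" $components.customCaCertificates.name "tier" .Values.global.namespaceTier) | nindent 4 }}
    kubescape.io/infra: credentials
type: Opaque
data:
  ca-certificates.crt: "{{ .Values.global.overrideDefaultCaCertificates.caCertificates | default "" | b64enc }}"
{{- end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/configs/image-pull-secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Registry pull secret built from .Values.imagePullSecret.* and named after
.Values.imagePullSecrets. The dockerconfigjson payload is assembled as a map and
serialized with toJson, so a username, password or email containing '"' or '\' is
escaped correctly; the earlier printf-based string concatenation did not escape them
and produced an unparsable document for such values. Unset fields render as "".
NOTE(review): other templates accept .Values.imagePullSecrets as either a string or a
list (kindIs "string"); this template only yields a usable `name:` for the string form.
*/}}
{{- if and .Values.imagePullSecrets .Values.imagePullSecret.server }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.imagePullSecrets }}
  namespace: {{ .Values.ksNamespace }}
type: kubernetes.io/dockerconfigjson
data:
  {{- $reg := .Values.imagePullSecret }}
  {{- /* "auth" is base64("user:password"), the form the kubelet and docker expect */}}
  {{- $auth := printf "%s:%s" ($reg.username | default "") ($reg.password | default "") | b64enc }}
  {{- $entry := dict "username" ($reg.username | default "") "password" ($reg.password | default "") "email" ($reg.email | default "") "auth" $auth }}
  .dockerconfigjson: {{ dict "auths" (dict $reg.server $entry) | toJson | b64enc }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml:
--------------------------------------------------------------------------------
# Matching rules for continuous scanning, serialized from
# .Values.continuousScanning.matchingRules. mustToJson fails the render (instead of
# emitting an empty value) if the rules cannot be serialized.
kind: ConfigMap
apiVersion: v1
metadata:
  name: {{ .Values.continuousScanning.configMapName }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.ksLabel "tier" .Values.global.namespaceTier) | nindent 4 }}
    kubescape.io/tier: "core"
data:
  matchingRules.json: |
    {{ mustToJson .Values.continuousScanning.matchingRules }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/configs/priority-class.yaml:
--------------------------------------------------------------------------------
{{- if .Values.configurations.priorityClass.enabled }}
# Cluster-scoped PriorityClass for the node-agent DaemonSet. globalDefault is false,
# so only pods that explicitly reference "kubescape-critical" receive this priority;
# the numeric value comes from .Values.configurations.priorityClass.daemonset.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: kubescape-critical
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" "kubescape-critical" "tier" .Values.global.namespaceTier) | nindent 4 }}
value: {{ .Values.configurations.priorityClass.daemonset }}
globalDefault: false
description: "This priority class is for node-agent daemonset pods"
{{- end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/configs/private-registries-creds-secret.yaml: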
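--------------------------------------------------------------------------------
{{- /*
Credentials for private registries, one JSON object per entry of
.Values.imageScanning.privateRegistries.credentials. The registry, username and
password are emitted with toJson so that values containing '"' or '\' are escaped
properly (the previous "{{ $cred.password }}" interpolation broke the JSON for such
values); an unset field renders as "" and a numeric value is stringified first.
skipTlsVerify and insecure map to the "skipTLSVerify" / "http" flags of the entry,
i.e. they disable certificate verification or switch to plain HTTP for that registry.
*/}}
{{- if gt (len (.Values.imageScanning.privateRegistries.credentials | default list)) 0 }}
apiVersion: v1
kind: Secret
metadata:
  # Secret name must start with 'kubescape-registry-scan' for the operator to pick it up, change at your own risk
  name: kubescape-registry-scan-secrets
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" "kubescape-registry-scan-secrets" "tier" .Values.global.namespaceTier) | nindent 4 }}
type: Opaque
stringData:
  registriesAuth: |
    [
    {{- range $index, $cred := .Values.imageScanning.privateRegistries.credentials }}
      {
        "registry": {{ $cred.registry | default "" | toString | toJson }},
        "username": {{ $cred.username | default "" | toString | toJson }},
        "password": {{ $cred.password | default "" | toString | toJson }},
        {{- if $cred.skipTlsVerify }}
        "skipTLSVerify": true,
        {{- end }}
        {{- if $cred.insecure }}
        "http": true,
        {{- end }}
        "auth_method": "credentials"
      }{{ if ne $index (sub (len $.Values.imageScanning.privateRegistries.credentials) 1) }},{{ end }}
    {{- end }}
    ]
{{- end }}

--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml:
--------------------------------------------------------------------------------
{{- if not (.Capabilities.APIVersions.Has "batch/v1") }}
{{- fail "`batch/v1 not supported`" }}
{{- end }}
{{- /*
Rendered only when the offline DB image uses the mutable "latest" tag: the job then
periodically restarts the grype-offline-db Deployment (kubectl rollout restart),
presumably so that a newer image and vulnerability database get pulled. A digest- or
version-pinned image gets no such CronJob.
*/}}
{{- if and .Values.grypeOfflineDB.enabled (eq .Values.grypeOfflineDB.image.tag "latest") }}
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ .Values.grypeOfflineDB.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations"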
(dict "Values" .Values) | nindent 4 }} 12 | labels: 13 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 4 }} 14 | armo.tier: "vuln-scan" 15 | kubescape.io/tier: "core" 16 | spec: 17 | schedule: "5 0 * * *" 18 | successfulJobsHistoryLimit: 3 19 | failedJobsHistoryLimit: 1 20 | jobTemplate: 21 | spec: 22 | template: 23 | metadata: 24 | annotations: 25 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 12 }} 26 | {{- with .Values.grypeOfflineDB.podAnnotations }}{{- toYaml . | nindent 12 }}{{- end }} 27 | labels: 28 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 12 }} 29 | {{- with .Values.grypeOfflineDB.podLabels }}{{- toYaml . | nindent 12 }}{{- end }} 30 | armo.tier: "vuln-scan" 31 | kubescape.io/tier: "core" 32 | spec: 33 | securityContext: 34 | seccompProfile: 35 | type: RuntimeDefault 36 | {{- if .Values.imagePullSecrets }} 37 | imagePullSecrets: 38 | {{- if kindIs "string" .Values.imagePullSecrets }} 39 | - name: {{ .Values.imagePullSecrets }} 40 | {{- else }} 41 | {{- range .Values.imagePullSecrets }} 42 | - name: {{ . 
}} 43 | {{- end }} 44 | {{- end }} 45 | {{- end }} 46 | containers: 47 | - name: {{ .Values.grypeOfflineDB.name }} 48 | image: "{{ .Values.serviceDiscovery.configMapUpdate.image.repository }}:{{ .Values.serviceDiscovery.configMapUpdate.image.tag }}" 49 | imagePullPolicy: IfNotPresent 50 | resources: 51 | {{ toYaml .Values.serviceDiscovery.resources | indent 14 }} 52 | securityContext: 53 | allowPrivilegeEscalation: false 54 | readOnlyRootFilesystem: true 55 | runAsNonRoot: true 56 | runAsUser: 100 57 | command: ["/bin/sh", "-c"] 58 | args: 59 | - | 60 | kubectl rollout restart deployment -n {{ .Values.ksNamespace }} {{ .Values.grypeOfflineDB.name }} 61 | {{- if .Values.volumeMounts }} 62 | {{ toYaml .Values.volumeMounts | indent 14 }} 63 | {{- end }} 64 | {{- if .Values.grypeOfflineDB.volumeMounts }} 65 | {{ toYaml .Values.grypeOfflineDB.volumeMounts | indent 14 }} 66 | {{- end }} 67 | restartPolicy: Never 68 | serviceAccountName: {{ .Values.grypeOfflineDB.name }} 69 | automountServiceAccountToken: true 70 | nodeSelector: 71 | {{- if .Values.grypeOfflineDB.nodeSelector }} 72 | {{- toYaml .Values.grypeOfflineDB.nodeSelector | nindent 12 }} 73 | {{- else if .Values.customScheduling.nodeSelector }} 74 | {{- toYaml .Values.customScheduling.nodeSelector | nindent 12 }} 75 | {{- end }} 76 | affinity: 77 | {{- if .Values.grypeOfflineDB.affinity }} 78 | {{- toYaml .Values.grypeOfflineDB.affinity | nindent 12 }} 79 | {{- else if .Values.customScheduling.affinity }} 80 | {{- toYaml .Values.customScheduling.affinity | nindent 12 }} 81 | {{- end }} 82 | tolerations: 83 | {{- if .Values.grypeOfflineDB.tolerations }} 84 | {{- toYaml .Values.grypeOfflineDB.tolerations | nindent 12 }} 85 | {{- else if .Values.customScheduling.tolerations }} 86 | {{- toYaml .Values.customScheduling.tolerations | nindent 12 }} 87 | {{- end }} 88 | {{- if .Values.volumes }} 89 | {{ toYaml .Values.volumes | indent 10 }} 90 | {{- end }} 91 | {{- if .Values.grypeOfflineDB.volumes }} 92 | {{ toYaml 
.Values.grypeOfflineDB.volumes | indent 10 }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/grype-offline-db/deployment.yaml:
--------------------------------------------------------------------------------
{{- if .Values.grypeOfflineDB.enabled }}
# Deployment serving the offline Grype vulnerability database on TCP/8080.
# Ingress to it is restricted to the kubevuln pods by the sibling NetworkPolicy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.grypeOfflineDB.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 4 }}
    kubescape.io/tier: "core"
spec:
  replicas: 1
  revisionHistoryLimit: 2
  # Single replica with maxSurge 0% / maxUnavailable 100%: the old pod is stopped
  # before the new one starts, so every rollout (including the restart issued by
  # the "latest"-tag CronJob) briefly leaves no DB server running.
  strategy:
    rollingUpdate:
      maxSurge: 0%
      maxUnavailable: 100%
    type: RollingUpdate
  selector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name) | nindent 6 }}
  template:
    metadata:
      annotations:
        {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 8 }}
        {{- with .Values.grypeOfflineDB.podAnnotations }}{{- toYaml . | nindent 8 }}{{- end }}
      labels:
        {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 8 }}
        {{- with .Values.grypeOfflineDB.podLabels }}{{- toYaml . | nindent 8 }}{{- end }}
        kubescape.io/tier: "core"
    spec:
      # NOTE(review): no serviceAccountName / automountServiceAccountToken here, so the
      # pod runs as the namespace default ServiceAccount with its token mounted. The DB
      # server is not seen calling the API; consider automountServiceAccountToken: false.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
      {{- if kindIs "string" .Values.imagePullSecrets }}
        - name: {{ .Values.imagePullSecrets }}
      {{- else }}
      {{- range .Values.imagePullSecrets }}
        - name: {{ . }}
      {{- end }}
      {{- end }}
      {{- end }}
      containers:
        - name: {{ .Values.grypeOfflineDB.name }}
          # Tag wins when set; otherwise the image is pinned by digest (immutable).
          image: "{{ .Values.grypeOfflineDB.image.repository }}{{ if .Values.grypeOfflineDB.image.tag }}:{{ .Values.grypeOfflineDB.image.tag }}{{ else }}@{{ .Values.grypeOfflineDB.image.sha }}{{ end }}"
          imagePullPolicy: {{ .Values.grypeOfflineDB.image.pullPolicy }}
          # NOTE(review): unlike the restart CronJob's container (readOnlyRootFilesystem: true,
          # runAsUser: 100), this container neither makes its root filesystem read-only nor
          # drops capabilities; confirm whether the server needs a writable root before tightening.
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
          ports:
            - containerPort: 8080
              protocol: TCP
          resources:
{{ toYaml .Values.grypeOfflineDB.resources | indent 12 }}
      # Component-specific scheduling overrides win over the chart-wide customScheduling values.
      nodeSelector:
      {{- if .Values.grypeOfflineDB.nodeSelector }}
      {{- toYaml .Values.grypeOfflineDB.nodeSelector | nindent 8 }}
      {{- else if .Values.customScheduling.nodeSelector }}
      {{- toYaml .Values.customScheduling.nodeSelector | nindent 8 }}
      {{- end }}
      affinity:
      {{- if .Values.grypeOfflineDB.affinity }}
      {{- toYaml .Values.grypeOfflineDB.affinity | nindent 8 }}
      {{- else if .Values.customScheduling.affinity }}
      {{- toYaml .Values.customScheduling.affinity | nindent 8 }}
      {{- end }}
      tolerations:
      {{- if .Values.grypeOfflineDB.tolerations }}
      {{- toYaml .Values.grypeOfflineDB.tolerations | nindent 8 }}
      {{- else if .Values.customScheduling.tolerations }}
      {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
      {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/grype-offline-db/networkpolicy.yaml:
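--------------------------------------------------------------------------------
{{- if .Values.grypeOfflineDB.enabled }}
# Ingress-only policy: the offline DB server accepts TCP/8080 solely from kubevuln pods.
# NOTE(review): this policy is created whenever the component is enabled, whereas the
# other NetworkPolicies in the chart are also gated on global.networkPolicy.enabled.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Values.grypeOfflineDB.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name) | nindent 6 }}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name) | nindent 14 }}
      # Pod port (the Service maps 80 -> 8080).
      ports:
        - port: 8080
          protocol: TCP
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/grype-offline-db/role.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.grypeOfflineDB.enabled (eq .Values.grypeOfflineDB.image.tag "latest") }}
# Namespaced Role used by the "latest"-tag CronJob, whose only job is
# `kubectl rollout restart deployment` on the offline DB Deployment.
# Both verbs it needs (get + patch) work with resourceNames, so the grant is
# pinned to that one Deployment instead of every Deployment in the namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.grypeOfflineDB.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 4 }}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: [{{ .Values.grypeOfflineDB.name | quote }}]
    verbs: ["get", "patch"]
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/grype-offline-db/rolebinding.yaml: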
--------------------------------------------------------------------------------
{{- if and .Values.grypeOfflineDB.enabled (eq .Values.grypeOfflineDB.image.tag "latest") }}
# Binds the restart CronJob's ServiceAccount to the namespaced Role of the same name.
# Only rendered for the mutable "latest" tag, like the Role and ServiceAccount.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.grypeOfflineDB.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Values.grypeOfflineDB.name }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.grypeOfflineDB.name }}
    namespace: {{ .Values.ksNamespace }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/grype-offline-db/service.yaml:
--------------------------------------------------------------------------------
{{- if .Values.grypeOfflineDB.enabled }}
# Cluster-internal Service for the offline DB; port 80 is forwarded to the container's 8080.
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.grypeOfflineDB.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  selector:
    {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name) | nindent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/grype-offline-db/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.grypeOfflineDB.enabled (eq .Values.grypeOfflineDB.image.tag "latest") }}
# ServiceAccount for the restart CronJob. The token is not auto-mounted on the SA;
# the CronJob pod opts back in with automountServiceAccountToken: true.
# NOTE(review): the cloud IAM identity annotations (IRSA / GKE Workload Identity) are
# attached here as on the other SAs, which hands that cloud role to a job whose only
# task is restarting a Deployment; confirm the restart job actually needs it.
# Unlike the other ServiceAccounts this one does not include kubescape-operator.annotations.
kind: ServiceAccount
apiVersion: v1
metadata:
  {{- if .Values.cloudProviderMetadata.awsIamRoleArn }}
  annotations:
    eks.amazonaws.com/role-arn: {{ .Values.cloudProviderMetadata.awsIamRoleArn }}
  {{- else if .Values.cloudProviderMetadata.gkeServiceAccount }}
  annotations:
    iam.gke.io/gcp-service-account: {{ .Values.cloudProviderMetadata.gkeServiceAccount }}
  {{- end }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.grypeOfflineDB.name "tier" .Values.global.namespaceTier) | nindent 4 }}
  name: {{ .Values.grypeOfflineDB.name }}
  namespace: {{ .Values.ksNamespace }}
automountServiceAccountToken: false
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape-scheduler/configmap.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if $components.kubescapeScheduler.enabled }}
# Request body the kubescape scheduler CronJob posts to the operator (values-driven).
kind: ConfigMap
apiVersion: v1
metadata:
  name: {{ .Values.kubescapeScheduler.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescapeScheduler.name "tier" .Values.global.namespaceTier) | nindent 4 }}
    kubescape.io/tier: "core"
data:
  request-body.json: |-
    {{- .Values.kubescapeScheduler.requestBody | toJson | nindent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape-scheduler/networkpolicy.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.kubescapeScheduler.enabled }}
# Egress-only policy for the scheduler CronJob: the shared egress rules plus TCP/4002 to the operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Values.kubescapeScheduler.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescapeScheduler.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescapeScheduler.name) | nindent 6 }}
  policyTypes:
    - Egress
  egress:
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
    - ports:
        - protocol: TCP
          port: 4002
      to:
        - podSelector:
            matchLabels:
              {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 14 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubescape.enabled }}
# Cluster-wide, mostly read-only access used by the kubescape scanner.
# Write access is limited to: namespaces (update), and the scan result resources
# under spdx.softwarecomposition.kubescape.io (create/get/update/patch).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.kubescape.name }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
rules:
  # NOTE(review): "pods/proxy" with get lets the holder reach any pod's HTTP endpoints
  # through the API server proxy; it is a larger grant than reading pod objects.
  - apiGroups: [""]
    resources: ["pods", "pods/proxy", "namespaces", "nodes", "configmaps", "services", "serviceaccounts", "endpoints", "persistentvolumeclaims", "persistentvolumes", "limitranges", "replicationcontrollers", "podtemplates", "resourcequotas", "events"]
    verbs: ["get", "watch", "list"]
  # Cluster-wide read of every Secret is opt-in.
  {{- if .Values.global.enableClusterWideSecretAccess }}
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
  {{- end }}
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets", "controllerrevisions"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["events.k8s.io"]
    resources: ["events"]
    verbs: ["get", "watch", "list"]
  # NOTE(review): RBAC matches resource names exactly as the API registers them (normally
  # lowercase plural); verify "APIServerInfo"/"ControlPlaneInfo" below, and "Ingress" /
  # "PodSecurityPolicy" further down, match registered names or they grant nothing.
  - apiGroups: ["hostdata.kubescape.cloud"]
    resources: ["APIServerInfo", "ControlPlaneInfo"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies", "Ingress"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["cilium.io"]
    resources: ["ciliumnetworkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["projectcalico.org"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.istio.io"]
    resources: ["gateways", "virtualservices"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["security.istio.io"]
    resources: ["authorizationpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets", "podsecuritypolicies", "PodSecurityPolicy"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csistoragecapacities", "storageclasses"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions"]
    resources: ["Ingress"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes","gateways","gatewayclasses","tcproutes","tlsroutes","udproutes"]
    verbs: ["get", "watch", "list"]
  # The only write on a core resource: cluster-wide namespace update (not scoped by resourceNames).
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["update"]
  - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
    resources: ["workloadconfigurationscans", "workloadconfigurationscansummaries"]
    verbs: ["create", "get", "update", "patch"]
  - apiGroups: ["kubescape.io"]
    resources: ["servicesscanresults"]
    verbs: ["get", "watch", "list"]
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubescape.enabled }}
# Grants the kubescape ClusterRole above to the kubescape ServiceAccount in the chart namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.kubescape.name }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Values.kubescape.name }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.kubescape.name }}
    namespace: {{ .Values.ksNamespace }}
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/host-scanner-definition-configmap.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if $components.kubescape.enabled }}
# Host-scanner DaemonSet definition, rendered from assets/host-scanner-definition.yaml.
# NOTE(review): the "app" label here is .Values.global.cloudConfig rather than a component
# name as in every other template; this looks like a copy/paste slip, verify what value it renders.
kind: ConfigMap
apiVersion: v1
metadata:
  name: host-scanner-definition
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.global.cloudConfig "tier" .Values.global.namespaceTier) | nindent 4 }}
    kubescape.io/tier: "core"
data:
  host-scanner-yaml: |-
{{ tpl (.Files.Get "assets/host-scanner-definition.yaml") . | indent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/networkpolicy.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if and .Values.global.networkPolicy.enabled $components.kubescape.enabled }}
# Ingress is always restricted (operator pods only); egress rules are added only when
# global.networkPolicy.createEgressRules is set.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Values.kubescape.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name) | nindent 6 }}
  policyTypes:
    - Ingress
  {{- if .Values.global.networkPolicy.createEgressRules }}
    - Egress
  egress:
    # - backend api server
    # - GitRegoStore (https://github.com/kubescape/regolibrary/releases/)
    # This rule has no "to" selector, so TCP/443 is allowed to any destination.
    - ports:
        - port: 443
          protocol: TCP
    # Cloud Vendor detection (Instance Metadata Services)
    # NOTE(review): IMDS reachability from a pod is a sensitive capability (credential
    # endpoint on some clouds); kept because cloud detection needs it.
    - ports:
        - port: 80
          protocol: TCP
      to:
        - ipBlock:
            cidr: 169.254.169.254/32
{{ tpl (.Files.Get "assets/api-server-egress-rules.yaml") . | indent 4 }}
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
  {{- end }}
  # NOTE(review): only operator pods may reach the "http" port, but the ServiceMonitor
  # template scrapes /v1/metrics on that same port; Prometheus scrapes will be dropped
  # unless another policy admits them.
  ingress:
    - from:
        - podSelector:
            matchLabels:
              {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 14 }}
      ports:
        - port: http
          protocol: TCP
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/role.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubescape.enabled }}
# Namespaced Role: full lifecycle of DaemonSets in the chart namespace
# (presumably for the host-scanner DaemonSet defined in the ConfigMap above).
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.kubescape.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
rules:
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["create", "get", "update", "watch", "list", "patch", "delete"]
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/rolebinding.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if $components.kubescape.enabled }}
# Binds the namespaced kubescape Role (DaemonSet management) to the kubescape ServiceAccount.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.kubescape.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Values.kubescape.name }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.kubescape.name }}
    namespace: {{ .Values.ksNamespace }}
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/scc-rolebinding.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if and $components.kubescape.enabled .Values.global.openshift.scc.enabled }}
# OpenShift only: allows the kubescape ServiceAccount to use the nonroot-v2 SCC
# (the least-privileged SCC that still permits a non-root, non-restricted UID).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ printf "%s-scc" .Values.kubescape.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:nonroot-v2
subjects:
  - kind: ServiceAccount
    name: {{ .Values.kubescape.name }}
    namespace: {{ .Values.ksNamespace }}
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/service.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubescape.enabled }}
# Service in front of the kubescape HTTP API (container port 8080, named "http").
# NOTE(review): the type is values-driven; NodePort/LoadBalancer would expose the API
# beyond the cluster even though the NetworkPolicy only admits operator pods.
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.kubescape.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  type: {{ .Values.kubescape.service.type }}
  ports:
    - name: http
      port: {{ .Values.kubescape.service.port }}
      targetPort: 8080
      protocol: TCP
  selector:
    {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name) | nindent 6 }}
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if $components.kubescape.enabled }}
# kubescape ServiceAccount. Token auto-mount is off at the SA level; the workload that
# needs API access must opt in on its pod spec. Cloud IAM identity is attached via
# the IRSA (EKS) or Workload Identity (GKE) annotation when configured.
kind: ServiceAccount
apiVersion: v1
metadata:
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
    {{- if .Values.cloudProviderMetadata.awsIamRoleArn }}
    eks.amazonaws.com/role-arn: {{ .Values.cloudProviderMetadata.awsIamRoleArn }}
    {{- else if .Values.cloudProviderMetadata.gkeServiceAccount }}
    iam.gke.io/gcp-service-account: {{ .Values.cloudProviderMetadata.gkeServiceAccount }}
    {{- end }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
  name: {{ .Values.kubescape.name }}
  namespace: {{ .Values.ksNamespace }}
automountServiceAccountToken: false
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubescape/servicemonitor.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{ if and .Values.kubescape.serviceMonitor.enabled $components.kubescape.enabled }}
# Prometheus Operator ServiceMonitor for kubescape's /v1/metrics on the "http" port.
# May be created in a different namespace (serviceMonitor.namespace), while
# namespaceSelector still points at the chart namespace.
# NOTE(review): the kubescape NetworkPolicy only admits ingress from operator pods, so
# the scrape is blocked when that policy is enforced unless Prometheus is admitted elsewhere.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: {{ .Values.kubescape.name }}-monitor
  namespace: {{ .Values.kubescape.serviceMonitor.namespace | default .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
    {{- with .Values.kubescape.serviceMonitor.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  namespaceSelector:
    matchNames:
      - {{ .Values.ksNamespace }}
  selector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name) | nindent 6 }}
  endpoints:
    - port: http
      path: /v1/metrics
      interval: {{ .Values.kubescape.serviceMonitor.interval }}
      scrapeTimeout: {{ .Values.kubescape.serviceMonitor.scrapeTimeout }}
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln-scheduler/configmap.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubevulnScheduler.enabled }}
# Fixed request body the kubevuln scheduler CronJob posts to the operator:
# a "scan" command with an empty attribute designator (i.e. everything).
kind: ConfigMap
apiVersion: v1
metadata:
  name: {{ .Values.kubevulnScheduler.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevulnScheduler.name "tier" .Values.global.namespaceTier) | nindent 4 }}
    kubescape.io/tier: "core"
data:
  request-body.json: |-
    {"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln-scheduler/networkpolicy.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.kubevulnScheduler.enabled }}
# Egress-only policy for the kubevuln scheduler CronJob: shared egress rules plus TCP/4002 to the operator.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Values.kubevulnScheduler.name }}
  namespace: {{ .Values.ksNamespace }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevulnScheduler.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevulnScheduler.name) | nindent 6 }}
  policyTypes:
    - Egress
  egress:
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
    - ports:
        - protocol: TCP
          port: 4002
      to:
        - podSelector:
            matchLabels:
              {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 14 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubevuln.enabled }}
# kubevuln ClusterRole: read/write on its own result types (SBOMs, vulnerability
# manifests, VEX containers) and read-only on application profiles. No core-API access.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.kubevuln.name }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name "tier" .Values.global.namespaceTier) | nindent 4 }}
rules:
  - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
    resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "openvulnerabilityexchangecontainers", "sbomsyfts", "sbomsyftfiltereds"]
    verbs: ["create", "get", "update", "watch", "list", "patch"]
  - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
    resources: ["applicationprofiles"]
    verbs: ["get", "watch", "list"]
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubevuln.enabled }}
# Grants the kubevuln ClusterRole to the kubevuln ServiceAccount in the chart namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.kubevuln.name }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name "tier" .Values.global.namespaceTier) | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Values.kubevuln.name }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.kubevuln.name }}
    namespace: {{ .Values.ksNamespace }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln/networkpolicy.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if and .Values.global.networkPolicy.enabled $components.kubevuln.enabled }}
# kubevuln NetworkPolicy: ingress from operator pods only; optional egress rules.
# NOTE(review): when grypeOfflineDB is enabled kubevuln must reach the offline DB
# pods on TCP/8080, which the explicit rules below do not cover; verify that
# assets/common-egress-rules.yaml admits it, otherwise the offline DB is unreachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Values.kubevuln.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name) | nindent 6 }}
  policyTypes:
    - Ingress
  {{- if .Values.global.networkPolicy.createEgressRules }}
    - Egress
  egress:
    # - eventReceiverHttpUrl ({{ .Values.eventReceiverHttpUrl }}/k8s/sysreport)
    # - Grype's update-url (https://toolbox-data.anchore.io/grype/databases/listing.json)
    # - All container registries
    # No "to" selector: TCP/443 is allowed to any destination.
    - ports:
        - port: 443
          protocol: TCP
{{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
  {{- end }}
  # NOTE(review): NetworkPolicy ports are pod ports, but this uses the Service's
  # "port" while the kubevuln Service maps port -> targetPort; if the two differ in
  # values, the rule admits the wrong port. .Values.kubevuln.service.targetPort is
  # presumably the intended value here.
  ingress:
    - from:
        - podSelector:
            matchLabels:
              {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 14 }}
      ports:
        - port: {{ .Values.kubevuln.service.port }}
          protocol: TCP
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln/pvc.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}}
{{- if and $components.kubevuln.enabled .Values.kubevuln.config.grypeDbPersistence }}
# PVC backing the persisted Grype DB for kubevuln (only when grypeDbPersistence is on).
# A storageClass of "-" is the sentinel for "omit storageClassName" (cluster default class).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kubescape-{{ .Values.kubevuln.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  accessModes:
    - {{ .Values.persistence.accessMode }}
  resources:
    requests:
      storage: {{ .Values.persistence.size.backingStorage }}
  {{- if ne .Values.persistence.storageClass "-" }}
  storageClassName: {{ .Values.persistence.storageClass | quote }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln/scc-rolebinding.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if and $components.kubevuln.enabled .Values.global.openshift.scc.enabled }}
# OpenShift only: allows the kubevuln ServiceAccount to use the nonroot-v2 SCC.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ printf "%s-scc" .Values.kubevuln.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name "tier" .Values.global.namespaceTier) | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:nonroot-v2
subjects:
  - kind: ServiceAccount
    name: {{ .Values.kubevuln.name }}
    namespace: {{ .Values.ksNamespace }}
{{ end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln/service.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubevuln.enabled }}
# kubevuln Service; type, port, targetPort and protocol are all values-driven.
# NOTE(review): as with the kubescape Service, a NodePort/LoadBalancer type exposes
# the API beyond what the NetworkPolicy (operator pods only) intends.
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.kubevuln.name }}
  namespace: {{ .Values.ksNamespace }}
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
  type: {{ .Values.kubevuln.service.type }}
  ports:
    - port: {{ .Values.kubevuln.service.port }}
      targetPort: {{ .Values.kubevuln.service.targetPort }}
      protocol: {{ .Values.kubevuln.service.protocol }}
  selector:
    {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name) | nindent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/kubevuln/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .) }}
{{- if $components.kubevuln.enabled }}
# kubevuln ServiceAccount. Token auto-mount is off at the SA level; the pod must opt in.
# Cloud IAM identity is attached via the IRSA (EKS) or Workload Identity (GKE) annotation.
kind: ServiceAccount
apiVersion: v1
metadata:
  annotations:
    {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
    {{- if .Values.cloudProviderMetadata.awsIamRoleArn }}
    eks.amazonaws.com/role-arn: {{ .Values.cloudProviderMetadata.awsIamRoleArn }}
    {{- else if .Values.cloudProviderMetadata.gkeServiceAccount }}
    iam.gke.io/gcp-service-account: {{ .Values.cloudProviderMetadata.gkeServiceAccount }}
    {{- end }}
  labels:
    {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name "tier" .Values.global.namespaceTier) | nindent 4 }}
  name: {{ .Values.kubevuln.name }}
  namespace: {{ .Values.ksNamespace }}
automountServiceAccountToken: false
{{- end }}
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/node-agent/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- $components := fromYaml (include "components" .)
}} 2 | {{- if $components.nodeAgent.enabled }} 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.nodeAgent.name }} 7 | annotations: 8 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | rules: 12 | - apiGroups: [""] 13 | resources: ["nodes", "nodes/proxy", "services", "endpoints", "namespaces", "configmaps"] 14 | verbs: ["get", "watch", "list"] 15 | - apiGroups: [""] 16 | resources: ["pods"] 17 | verbs: ["get", "watch", "list", "delete"] 18 | - apiGroups: [""] 19 | resources: ["events"] 20 | verbs: ["get", "watch", "list"] 21 | - apiGroups: ["batch"] 22 | resources: ["jobs", "cronjobs"] 23 | verbs: ["get", "watch", "list"] 24 | - apiGroups: ["apps"] 25 | resources: ["deployments", "daemonsets", "statefulsets", "replicasets"] 26 | verbs: ["get", "watch", "list"] 27 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 28 | resources: ["seccompprofiles"] 29 | verbs: ["get", "watch", "list"] 30 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 31 | resources: ["applicationprofiles", "networkneighborhoods", "sbomsyfts"] 32 | verbs: ["create", "get", "update", "watch", "list", "patch"] 33 | - apiGroups: ["kubescape.io"] 34 | resources: ["runtimerulealertbindings"] 35 | verbs: ["list", "watch"] 36 | - apiGroups: ["kubescape.io"] 37 | resources: ["operatorcommands"] 38 | verbs: ["get", "watch", "list"] 39 | - apiGroups: ["kubescape.io"] 40 | resources: ["operatorcommands/status"] 41 | verbs: ["get", "watch", "list", "update", "patch"] 42 | - apiGroups: ["events.k8s.io"] 43 | resources: ["events"] 44 | verbs: ["create", "patch", "get"] 45 | {{- end }} 46 | -------------------------------------------------------------------------------- 
/charts/kubescape-operator/templates/node-agent/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.nodeAgent.enabled }} 3 | kind: ClusterRoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.nodeAgent.name }} 7 | annotations: 8 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | subjects: 12 | - kind: ServiceAccount 13 | name: {{ .Values.nodeAgent.name }} 14 | namespace: {{ .Values.ksNamespace }} 15 | roleRef: 16 | apiGroup: rbac.authorization.k8s.io 17 | kind: ClusterRole 18 | name: {{ .Values.nodeAgent.name }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- $configurations := fromYaml (include "configurations" .) 
}} 3 | {{- if $components.nodeAgent.enabled }} 4 | {{/* validate that at least one of alertCRD.scopeClustered or alertCRD.scopeNamespaced is set when runtime detection is enabled */}} 5 | {{- if eq .Values.capabilities.runtimeDetection "enable" }} 6 | {{- if and (not .Values.alertCRD.scopeNamespaced) (not .Values.alertCRD.scopeClustered) }} 7 | {{- fail "Runtime detection is enabled, but the Runtime rule alert binding CRD is configured to be created in neither the cluster scope nor the namespace scope (set alertCRD.scopeClustered or alertCRD.scopeNamespaced)" }} 8 | {{- end }} 9 | {{- end }} 10 | apiVersion: v1 11 | kind: ConfigMap 12 | metadata: 13 | name: {{ .Values.nodeAgent.name }} 14 | namespace: {{ .Values.ksNamespace }} 15 | annotations: 16 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 17 | labels: 18 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 19 | kubescape.io/tier: "core" 20 | data: 21 | config.json: | 22 | { 23 | "applicationProfileServiceEnabled": {{ or $configurations.runtimeObservability (eq .Values.capabilities.relevancy "enable") }}, 24 | "prometheusExporterEnabled": {{ eq .Values.nodeAgent.config.prometheusExporter "enable" }}, 25 | "runtimeDetectionEnabled": {{ eq .Values.capabilities.runtimeDetection "enable" }}, 26 | "httpDetectionEnabled": {{ and (eq .Values.capabilities.httpDetection "enable") (eq .Values.capabilities.runtimeDetection "enable") }}, 27 | "networkServiceEnabled": {{ eq .Values.capabilities.networkPolicyService "enable" }}, 28 | "malwareDetectionEnabled": {{ eq .Values.capabilities.malwareDetection "enable" }}, 29 | "hostMalwareSensorEnabled": {{ eq .Values.nodeAgent.config.hostMalwareSensor "enable" }}, 30 | "hostNetworkSensorEnabled": {{ eq .Values.nodeAgent.config.hostNetworkSensor "enable" }}, 31 | "nodeProfileServiceEnabled": {{ and $components.synchronizer.enabled 
(eq .Values.capabilities.nodeProfileService "enable") }}, 32 | "networkStreamingEnabled": {{ eq .Values.capabilities.networkEventsStreaming "enable" }}, 33 | "maxImageSize": {{ .Values.kubevuln.config.maxImageSize }}, 34 | "maxSBOMSize": {{ .Values.kubevuln.config.maxSBOMSize }}, 35 | "sbomGenerationEnabled": {{ eq .Values.capabilities.nodeSbomGeneration "enable" }}, 36 | "enableEmbeddedSBOMs": {{ eq .Values.capabilities.scanEmbeddedSBOMs "enable" }}, 37 | "seccompServiceEnabled": {{ eq .Values.capabilities.seccompProfileService "enable" }}, 38 | "initialDelay": "{{ .Values.nodeAgent.config.learningPeriod }}", 39 | "updateDataPeriod": "{{ .Values.nodeAgent.config.updatePeriod }}", 40 | "nodeProfileInterval": "{{ .Values.nodeAgent.config.nodeProfileInterval }}", 41 | "networkStreamingInterval": "{{ .Values.nodeAgent.config.networkStreamingInterval }}", 42 | "maxSniffingTimePerContainer": "{{ .Values.nodeAgent.config.maxLearningPeriod }}", 43 | {{- if ne .Values.includeNamespaces "" }} 44 | "includeNamespaces": "{{ .Values.includeNamespaces }}", 45 | {{- else if ne .Values.excludeNamespaces "" }} 46 | "excludeNamespaces": "{{ .Values.excludeNamespaces }}", 47 | {{- end }} 48 | "excludeLabels": {{- .Values.excludeLabels | toJson }}, 49 | "exporters": { 50 | {{- if $components.synchronizer.enabled }} 51 | "httpExporterConfig": {{- .Values.nodeAgent.config.httpExporterConfig | toJson }}, 52 | {{- end }} 53 | "alertManagerExporterUrls": {{- .Values.nodeAgent.config.alertManagerExporterUrls | toJson }}, 54 | "stdoutExporter": {{- .Values.nodeAgent.config.stdoutExporter }}, 55 | "syslogExporterURL": "{{- .Values.nodeAgent.config.syslogExporterURL }}" 56 | }, 57 | "excludeJsonPaths": {{- .Values.configurations.excludeJsonPaths | toJson }}, 58 | "ruleCooldown": { 59 | "ruleCooldownDuration": "{{ .Values.nodeAgent.config.ruleCooldown.ruleCooldownDuration }}", 60 | "ruleCooldownAfterCount": {{ .Values.nodeAgent.config.ruleCooldown.ruleCooldownAfterCount }}, 61 | 
"ruleCooldownOnProfileFailure": {{ .Values.nodeAgent.config.ruleCooldown.ruleCooldownOnProfileFailure }}, 62 | "ruleCooldownMaxSize": {{ .Values.nodeAgent.config.ruleCooldown.ruleCooldownMaxSize }} 63 | } 64 | } 65 | --- 66 | {{- if $components.clamAV.enabled }} 67 | apiVersion: v1 68 | kind: ConfigMap 69 | metadata: 70 | name: {{ .Values.clamav.name }} 71 | namespace: {{ .Values.ksNamespace }} 72 | data: 73 | clamd.conf: |- 74 | {{ .Files.Get "clamav/clamd.conf" | indent 4 }} 75 | freshclam.conf: |- 76 | {{ .Files.Get "clamav/freshclam.conf" | indent 4 }} 77 | {{- end}} 78 | {{- end }} 79 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/default-rule-binding-namespaced.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertCRD.installDefault .Values.alertCRD.scopeNamespaced }} 2 | apiVersion: kubescape.io/v1 3 | kind: RuntimeRuleAlertBinding 4 | metadata: 5 | name: all-rules-default-namespace 6 | namespace: {{ .Values.ksNamespace }} 7 | annotations: 8 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | spec: 12 | rules: 13 | - ruleName: "Unexpected process launched" 14 | - ruleName: "Unexpected file access" 15 | parameters: 16 | ignoreMounts: true 17 | ignorePrefixes: ["/proc", "/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount", "/tmp"] 18 | includePrefixes: [ "/etc", "/var/spool/cron/", "/var/log/", "/var/run/", "/dev/shm/", "/run/", "/var/www/", "/var/lib/docker/", "/opt/", "/usr/local/", "/app/", "/.dockerenv", "/proc/self/environ", "/var/lib/kubelet/", "/etc/cni/net.d/", "/var/run/secrets/kubernetes.io/", 
"/var/run/secrets/kubernetes.io/serviceaccount/", "/run/containerd/", "/run/flannel/", "/run/calico/"] 19 | - ruleName: "Unexpected system call" 20 | - ruleName: "Unexpected capability used" 21 | - ruleName: "Unexpected domain request" 22 | - ruleName: "Unexpected Service Account Token Access" 23 | - ruleName: "Kubernetes Client Executed" 24 | - ruleName: "Exec from malicious source" 25 | - ruleName: "Kernel Module Load" 26 | - ruleName: "Exec Binary Not In Base Image" 27 | # - ruleName: "Malicious SSH Connection" 28 | - ruleName: "Fileless Execution" 29 | - ruleName: "XMR Crypto Mining Detection" 30 | - ruleName: "Exec from mount" 31 | - ruleName: "Crypto Mining Related Port Communication" 32 | - ruleName: "Crypto Mining Domain Communication" 33 | - ruleName: "Read Environment Variables from procfs" 34 | - ruleName: "eBPF Program Load" 35 | - ruleName: "Symlink Created Over Sensitive File" 36 | - ruleName: "Unexpected Sensitive File Access" 37 | - ruleName: "Hardlink Created Over Sensitive File" 38 | - ruleName: "Exec to pod" 39 | - ruleName: "Port forward" 40 | # - ruleName: "Unexpected Egress Network Traffic" 41 | - ruleName: "Malicious Ptrace Usage" 42 | - ruleName: "Cross-Site Scripting (XSS) Attempt" 43 | - ruleName: "SQL Injection Attempt" 44 | - ruleName: "Server-Side Request Forgery Attack Attempt" 45 | - ruleName: "Remote File Inclusion Attack Attempt" 46 | - ruleName: "Local File Inclusion Attempt" 47 | - ruleName: "XML External Entity Attack Attempt" 48 | - ruleName: "Server-Side Template Injection Attack" 49 | - ruleName: "Command Injection Attempt" 50 | - ruleName: "Unexpected Exec Source" 51 | - ruleName: "Unexpected Open Source" 52 | - ruleName: "Unexpected Symlink Source" 53 | - ruleName: "Unexpected Hardlink Source" 54 | - ruleName: "Unexpected io_uring Operation Detected" 55 | - ruleName: "ReDoS Attack" 56 | - ruleName: "Prototype Pollution Attack" 57 | - ruleName: "Execution of base64 Encoded Command" 58 | - ruleName: "Execution of interpreter 
command" 59 | - ruleName: "Code Sharing Site Access" 60 | - ruleName: "Web Application File Write Access" 61 | - ruleName: "Cron Job File Created or Modified" 62 | - ruleName: "Hidden File Created" 63 | - ruleName: "Reverse Shell Patterens Detected" 64 | - ruleName: "Unauthorized IMDS Connection Attempt" 65 | - ruleName: "Credentials Detection Attempts" 66 | - ruleName: "HTTP Request Smuggling Attempt" 67 | - ruleName: "P2P Tracker Connection Created" 68 | {{- end }} 69 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/default-rule-binding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertCRD.installDefault .Values.alertCRD.scopeClustered }} 2 | apiVersion: kubescape.io/v1 3 | kind: RuntimeRuleAlertBinding 4 | metadata: 5 | name: all-rules-all-pods 6 | annotations: 7 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | spec: 11 | namespaceSelector: 12 | matchExpressions: 13 | {{- if ne .Values.includeNamespaces "" }} 14 | - key: "kubernetes.io/metadata.name" 15 | operator: "In" 16 | values: 17 | {{- $namespaces := split "," .Values.includeNamespaces }} 18 | {{- range $namespaces }} 19 | - {{ . | quote }} 20 | {{- end }} 21 | {{- else if ne .Values.excludeNamespaces "" }} 22 | - key: "kubernetes.io/metadata.name" 23 | operator: "NotIn" 24 | values: 25 | {{- $namespaces := split "," .Values.excludeNamespaces }} 26 | {{- range $namespaces }} 27 | - {{ . 
| quote }} 28 | {{- end }} 29 | {{- end }} 30 | rules: 31 | - ruleName: "Unexpected process launched" 32 | - ruleName: "Unexpected file access" 33 | parameters: 34 | ignoreMounts: true 35 | ignorePrefixes: ["/proc", "/run/secrets/kubernetes.io/serviceaccount", "/var/run/secrets/kubernetes.io/serviceaccount", "/tmp"] 36 | includePrefixes: [ "/etc", "/var/spool/cron/", "/var/log/", "/var/run/", "/dev/shm/", "/run/", "/var/www/", "/var/lib/docker/", "/opt/", "/usr/local/", "/app/", "/.dockerenv", "/proc/self/environ", "/var/lib/kubelet/", "/etc/cni/net.d/", "/var/run/secrets/kubernetes.io/", "/var/run/secrets/kubernetes.io/serviceaccount/", "/run/containerd/", "/run/flannel/", "/run/calico/"] 37 | - ruleName: "Unexpected system call" 38 | - ruleName: "Unexpected capability used" 39 | - ruleName: "Unexpected domain request" 40 | - ruleName: "Unexpected Service Account Token Access" 41 | - ruleName: "Kubernetes Client Executed" 42 | - ruleName: "Exec from malicious source" 43 | - ruleName: "Kernel Module Load" 44 | - ruleName: "Exec Binary Not In Base Image" 45 | # - ruleName: "Malicious SSH Connection" 46 | - ruleName: "Fileless Execution" 47 | - ruleName: "XMR Crypto Mining Detection" 48 | - ruleName: "Exec from mount" 49 | - ruleName: "Crypto Mining Related Port Communication" 50 | - ruleName: "Crypto Mining Domain Communication" 51 | - ruleName: "Read Environment Variables from procfs" 52 | - ruleName: "eBPF Program Load" 53 | - ruleName: "Symlink Created Over Sensitive File" 54 | - ruleName: "Unexpected Sensitive File Access" 55 | - ruleName: "Hardlink Created Over Sensitive File" 56 | - ruleName: "Exec to pod" 57 | - ruleName: "Port forward" 58 | # - ruleName: "Unexpected Egress Network Traffic" 59 | - ruleName: "Malicious Ptrace Usage" 60 | - ruleName: "Cross-Site Scripting (XSS) Attempt" 61 | - ruleName: "SQL Injection Attempt" 62 | - ruleName: "Server-Side Request Forgery Attack Attempt" 63 | - ruleName: "Remote File Inclusion Attack Attempt" 64 | - ruleName: 
"Local File Inclusion Attempt" 65 | - ruleName: "XML External Entity Attack Attempt" 66 | - ruleName: "Server-Side Template Injection Attack" 67 | - ruleName: "Command Injection Attempt" 68 | - ruleName: "Unexpected Exec Source" 69 | - ruleName: "Unexpected Open Source" 70 | - ruleName: "Unexpected Symlink Source" 71 | - ruleName: "Unexpected Hardlink Source" 72 | - ruleName: "Unexpected io_uring Operation Detected" 73 | - ruleName: "ReDoS Attack" 74 | - ruleName: "Prototype Pollution Attack" 75 | - ruleName: "Execution of base64 Encoded Command" 76 | - ruleName: "Execution of interpreter command" 77 | - ruleName: "Code Sharing Site Access" 78 | - ruleName: "Web Application File Write Access" 79 | - ruleName: "Cron Job File Created or Modified" 80 | - ruleName: "Hidden File Created" 81 | - ruleName: "Reverse Shell Patterens Detected" 82 | - ruleName: "Unauthorized IMDS Connection Attempt" 83 | - ruleName: "Credentials Detection Attempts" 84 | - ruleName: "HTTP Request Smuggling Attempt" 85 | - ruleName: "P2P Tracker Connection Created" 86 | {{- end }} 87 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.nodeAgent.enabled }} 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ .Values.nodeAgent.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | spec: 13 | podSelector: 14 | matchLabels: 15 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name) | nindent 6 }} 16 | policyTypes: 17 | - Egress 18 | egress: 19 | {{ tpl (.Files.Get "assets/api-server-egress-rules.yaml") . | indent 4 }} 20 | {{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/scc-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if and $components.nodeAgent.enabled .Values.global.openshift.scc.enabled }} 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ printf "%s-scc" .Values.nodeAgent.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:openshift:scc:privileged 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.nodeAgent.name }} 19 | namespace: {{ .Values.ksNamespace }} 20 | {{ end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.nodeAgent.enabled }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Values.nodeAgent.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | spec: 13 | ports: 14 | - name: prometheus 15 | port: 8080 16 | targetPort: 8080 17 | protocol: TCP 18 | selector: 19 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name) | nindent 4 }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.nodeAgent.enabled }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ .Values.nodeAgent.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/node-agent/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | # If nodeAgent.serviceMonitor.enabled is set, create a ServiceMonitor so Prometheus scrapes the node-agent "prometheus" port 2 | {{- if .Values.nodeAgent.serviceMonitor.enabled }} 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | name: runtime-monitor 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" "runtime-monitor" "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | {{- with .Values.nodeAgent.serviceMonitor.additionalLabels }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | spec: 16 | namespaceSelector: 17 | matchNames: 18 | - {{ .Values.ksNamespace }} 19 | selector: 20 | matchLabels: 21 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name) | nindent 6 }} 22 | endpoints: 23 | - port: prometheus 24 | path: /metrics 25 | scheme: http 26 | interval: {{ .Values.nodeAgent.serviceMonitor.interval }} 27 | scrapeTimeout: {{ .Values.nodeAgent.serviceMonitor.scrapeTimeout }} 28 | {{ end }} 29 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/admission-service.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.operator.enabled }} 3 | {{- if eq .Values.capabilities.admissionController "enable" }} 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | name: "kubescape-admission-webhook" 8 | namespace: {{ .Values.ksNamespace }} 9 | annotations: 10 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 11 | labels: 12 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 13 | spec: 14 | ports: 15 | - port: 443 16 | targetPort: 8443 17 | selector: 18 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 6 }} 19 | type: ClusterIP # The API server reaches the webhook through this in-cluster Service (admission-webhook.yaml clientConfig.service); LoadBalancer or NodePort is only needed if callers outside the cluster must reach it 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/admission-webhook.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.operator.enabled }} 3 | {{- if eq .Values.capabilities.admissionController "enable" }} 4 | {{- $svcName := (printf "kubescape-admission-webhook.%s.svc" .Values.ksNamespace) -}} 5 | {{- $certData := fromYaml (include "admission-certificates" .) -}} 6 | {{- $ca := $certData.ca -}} 7 | {{- $cert := $certData.cert -}} 8 | --- 9 | apiVersion: v1 10 | kind: Secret 11 | metadata: 12 | name: {{ $svcName }}-kubescape-tls-pair 13 | namespace: {{ .Values.ksNamespace }} 14 | annotations: 15 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 16 | labels: 17 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 18 | type: kubernetes.io/tls 19 | data: 20 | tls.key: {{ $cert.Key | b64enc }} 21 | tls.crt: {{ $cert.Cert | b64enc }} 22 | --- 23 | apiVersion: admissionregistration.k8s.io/v1 24 | kind: ValidatingWebhookConfiguration 25 | metadata: 26 | name: validation 27 | annotations: 28 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 29 | labels: 30 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 31 | webhooks: 32 | - name: validation.kubescape.admission 33 | clientConfig: 34 | service: 35 | name: kubescape-admission-webhook 36 | namespace: {{ .Values.ksNamespace }} 37 | path: /validate 38 | port: 443 39 | caBundle: {{ $ca.Cert | b64enc }} 40 | admissionReviewVersions: ["v1"] 41 | sideEffects: None 42 | rules: 43 | - operations: ["CREATE", "UPDATE", "DELETE", "CONNECT"] 44 | apiGroups: ["*"] 45 | apiVersions: ["v1"] 46 | resources: ["pods", "pods/exec", "pods/portforward", "pods/attach", "clusterrolebindings", "rolebindings"] 47 | scope: "*" 48 | failurePolicy: Ignore 49 | {{- end }} 50 | {{- end }} 51 | 
-------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.operator.enabled }} 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.operator.name }} 7 | annotations: 8 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | rules: 12 | - apiGroups: [""] 13 | resources: ["pods", "nodes", "namespaces", "configmaps", "services"] 14 | verbs: ["get", "watch", "list"] 15 | {{- if .Values.global.enableClusterWideSecretAccess }} 16 | - apiGroups: [""] 17 | resources: ["secrets"] 18 | verbs: ["get", "watch", "list"] 19 | {{- end }} 20 | - apiGroups: ["batch"] 21 | resources: ["jobs", "cronjobs"] 22 | verbs: ["get", "watch", "list", "create", "update", "delete" ,"patch"] 23 | - apiGroups: ["apps"] 24 | resources: ["deployments", "daemonsets", "statefulsets", "replicasets"] 25 | verbs: ["get", "watch", "list"] 26 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 27 | resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries", "openvulnerabilityexchangecontainers", "applicationprofiles", "sbomsyfts"] 28 | verbs: ["get", "watch", "list", "delete"] 29 | - apiGroups: ["kubescape.io"] 30 | resources: ["runtimerulealertbindings"] 31 | verbs: ["list", "watch", "get"] 32 | - apiGroups: ["kubescape.io"] 33 | resources: ["servicesscanresults"] 34 | verbs: ["get", "watch", "list", "create", "update", "delete" ,"patch"] 35 | - apiGroups: ["kubescape.io"] 36 | resources: 
["operatorcommands"] 37 | verbs: ["get", "watch", "list"] 38 | - apiGroups: ["kubescape.io"] 39 | resources: ["operatorcommands/status"] 40 | verbs: ["get", "watch", "list", "update", "patch"] 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.operator.enabled }} 3 | kind: ClusterRoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.operator.name }} 7 | annotations: 8 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | subjects: 12 | - kind: ServiceAccount 13 | name: {{ .Values.operator.name }} 14 | namespace: {{ .Values.ksNamespace }} 15 | roleRef: 16 | apiGroup: rbac.authorization.k8s.io 17 | kind: ClusterRole 18 | name: {{ .Values.operator.name }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.operator.enabled }} 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.operator.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | kubescape.io/tier: "core" 13 | data: 14 | config.json: | 15 | { 16 | {{- if ne .Values.includeNamespaces "" }} 17 | "includeNamespaces": "{{ .Values.includeNamespaces }}", 18 | {{- else if ne .Values.excludeNamespaces "" }} 19 | "excludeNamespaces": "{{ .Values.excludeNamespaces }}", 20 | {{- end }} 21 | "namespace": "{{ .Values.ksNamespace }}", 22 | "triggersecurityframework": {{ .Values.operator.triggerSecurityFramework }}, 23 | "podScanGuardTime": "{{ .Values.operator.podScanGuardTime }}", 24 | "excludeJsonPaths": {{- .Values.configurations.excludeJsonPaths | toJson }}, 25 | "httpExporterConfig": {{- .Values.nodeAgent.config.httpExporterConfig | toJson }} 26 | {{- if and .Values.imageScanning.privateRegistries.credentials (gt (len .Values.imageScanning.privateRegistries.credentials) 0) }} 27 | {{- $cred := index .Values.imageScanning.privateRegistries.credentials 0 }} 28 | {{- if $cred.skipTlsVerify }}, 29 | "registryScanningSkipTlsVerify": {{ $cred.skipTlsVerify }} 30 | {{- end }} 31 | {{- if $cred.insecure }}, 32 | "registryScanningInsecure": {{ $cred.insecure }} 33 | {{- end }} 34 | {{- end }} 35 | } 36 | {{- end }} 37 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/ks-recurring-cronjob-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.operator.enabled }} 3 | {{- if not (.Capabilities.APIVersions.Has "batch/v1") }} 4 | {{- fail "`batch/v1 not supported`" }} 5 | {{- end }} 6 | kind: ConfigMap 7 | apiVersion: v1 8 | metadata: 9 | name: kubescape-cronjob-template 10 | namespace: {{ .Values.ksNamespace }} 11 | annotations: 12 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 13 | labels: 14 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.global.cloudConfig "tier" .Values.global.namespaceTier) | nindent 4 }} 15 | kubescape.io/tier: "core" 16 | data: 17 | cronjobTemplate: |- 18 | {{ tpl (.Files.Get "assets/kubescape-cronjob-full.yaml") . }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/kv-recurring-cronjob-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.operator.enabled }} 3 | {{- if not (.Capabilities.APIVersions.Has "batch/v1") }} 4 | {{- fail "`batch/v1 not supported`" }} 5 | {{- end }} 6 | kind: ConfigMap 7 | apiVersion: v1 8 | metadata: 9 | name: kubevuln-cronjob-template # TODO: update template name 10 | namespace: {{ .Values.ksNamespace }} 11 | annotations: 12 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 13 | labels: 14 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.global.cloudConfig "tier" .Values.global.namespaceTier) | nindent 4 }} 15 | kubescape.io/tier: "core" 16 | data: 17 | cronjobTemplate: |- 18 | {{ tpl (.Files.Get "assets/kubevuln-cronjob-full.yaml") . 
}}
19 | {{- end }}
20 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/operator/networkpolicy.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) }}
2 | {{- if and .Values.global.networkPolicy.enabled $components.operator.enabled }}
# NetworkPolicy for the operator pods. Ingress rules are always rendered; egress rules only
# when global.networkPolicy.createEgressRules is set (otherwise Egress is absent from
# policyTypes and this policy leaves egress unrestricted).
3 | apiVersion: networking.k8s.io/v1
4 | kind: NetworkPolicy
5 | metadata:
6 |   name: {{ .Values.operator.name }}
7 |   namespace: {{ .Values.ksNamespace }}
8 |   annotations:
9 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
10 |   labels:
11 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }}
12 | spec:
13 |   podSelector:
14 |     matchLabels:
15 |       {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 6 }}
16 |   policyTypes:
17 |     - Ingress
18 |   {{- if .Values.global.networkPolicy.createEgressRules }}
19 |     - Egress
20 |   egress:
21 |     # Container registries
    # No "to" peer on this rule: any destination on TCP/443 is allowed, registries are not
    # enumerated. Add ipBlock / namespaceSelector peers here if the registry set is known.
22 |     - ports:
23 |         - port: 443
24 |           protocol: TCP
25 |     # Cloud Vendor detection (Instance Metadata Services)
    # Scoped to the single metadata /32 on TCP/80. Metadata endpoints can expose node-level
    # cloud credentials on some providers, so this rule should stay exactly this narrow.
26 |     - ports:
27 |         - port: 80
28 |           protocol: TCP
29 |       to:
30 |         - ipBlock:
31 |             cidr: 169.254.169.254/32
    # Operator -> kubescape and kubevuln pods on TCP/8080, selected by pod labels
    # (podSelector without namespaceSelector: same namespace as this policy).
32 |     - ports:
33 |         - protocol: TCP
34 |           port: 8080
35 |       to:
36 |         - podSelector:
37 |             matchLabels:
38 |               {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name) | nindent 14 }}
39 |     - ports:
40 |         - protocol: TCP
41 |           port: 8080
42 |       to:
43 |         - podSelector:
44 |             matchLabels:
45 |               {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubevuln.name) | nindent 14 }}
    # API-server and common egress rules are shared chart assets, not defined in this file.
46 | {{ tpl (.Files.Get "assets/api-server-egress-rules.yaml") . | indent 4 }}
47 | {{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }}
48 |   {{- end }}
49 |   ingress:
50 |   {{- if eq .Values.capabilities.admissionController "enable" }}
    # No "from" peer: admission-port accepts connections from any source. The caller is the
    # kube-apiserver, which a podSelector cannot express — presumably why no peer is set;
    # confirm, and prefer an ipBlock for the control plane where its address range is known.
51 |     - ports:
52 |         - port: admission-port
53 |           protocol: TCP
54 |   {{- end }}
    # trigger-port is reachable only from pods in this namespace labelled
    # armo.tier=kubescape-scan or armo.tier=vuln-scan.
55 |     - from:
56 |         - podSelector:
57 |             matchLabels:
58 |               armo.tier: kubescape-scan
59 |         - podSelector:
60 |             matchLabels:
61 |               armo.tier: vuln-scan
62 |       ports:
63 |         - port: trigger-port
64 |           protocol: TCP
65 | {{- end }}
66 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/operator/registry-scan-recurring-cronjob-configmap.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) }}
2 | {{- if $components.operator.enabled }}
# Rendering is aborted outright when the cluster does not advertise batch/v1, since the
# embedded CronJob template could not be applied there.
3 | {{- if not (.Capabilities.APIVersions.Has "batch/v1") }}
4 | {{- fail "`batch/v1 not supported`" }}
5 | {{- end }}
6 | apiVersion: v1
7 | kind: ConfigMap
8 | metadata:
9 |   namespace: {{ .Values.ksNamespace }}
10 |   annotations:
11 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
12 |   labels:
13 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.global.cloudConfig "tier" .Values.global.namespaceTier) | nindent 4 }}
14 |     kubescape.io/tier: "core"
15 |   name: registry-scan-cronjob-template
# The complete CronJob manifest (assets/registry-scan-cronjob-full.yaml, passed through tpl)
# is embedded as an opaque string; the component that instantiates it is not in this file.
16 | data:
17 |   cronjobTemplate: |-
18 | {{ tpl (.Files.Get "assets/registry-scan-cronjob-full.yaml") . }}
19 | {{- end }}
20 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/operator/role.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) }}
2 | {{- if $components.operator.enabled }}
# Namespace-scoped grants for the operator ServiceAccount (bound by rolebinding.yaml).
3 | kind: Role
4 | apiVersion: rbac.authorization.k8s.io/v1
5 | metadata:
6 |   name: {{ .Values.operator.name }}
7 |   namespace: {{ .Values.ksNamespace }}
8 |   annotations:
9 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
10 |   labels:
11 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }}
12 | rules:
    # Full create/update/delete on ConfigMaps and Secrets in ksNamespace — the broadest grant
    # in this Role; Secret write access is the one to scrutinise when this list changes.
13 |   - apiGroups: [""]
14 |     resources: ["configmaps", "secrets"]
15 |     verbs: ["create", "get", "update", "watch", "list", "patch", "delete"]
    # Full lifecycle on CronJobs in ksNamespace (the recurring-scan ConfigMaps above carry
    # CronJob templates; presumably the operator instantiates them — confirm in the code).
16 |   - apiGroups: ["batch"]
17 |     resources: ["cronjobs"]
18 |     verbs: ["create", "get", "update", "watch", "list", "patch", "delete"]
19 | {{- end }}
20 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/operator/rolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.operator.enabled }} 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.operator.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ .Values.operator.name }} 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.operator.name }} 19 | namespace: {{ .Values.ksNamespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/scc-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if and $components.operator.enabled .Values.global.openshift.scc.enabled }} 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ printf "%s-scc" .Values.operator.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:openshift:scc:nonroot-v2 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.operator.name }} 19 | namespace: {{ .Values.ksNamespace }} 20 | {{ end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.operator.enabled }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Values.operator.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | spec: 13 | type: {{ .Values.operator.service.type }} 14 | ports: 15 | - port: {{ .Values.operator.service.port }} 16 | targetPort: {{ .Values.operator.service.targetPort }} 17 | protocol: {{ .Values.operator.service.protocol }} 18 | selector: 19 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name) | nindent 6 }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/operator/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.operator.enabled }} 3 | kind: ServiceAccount 4 | apiVersion: v1 5 | metadata: 6 | annotations: 7 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 8 | {{- if .Values.cloudProviderMetadata.awsIamRoleArn }} 9 | eks.amazonaws.com/role-arn: {{ .Values.cloudProviderMetadata.awsIamRoleArn }} 10 | {{- else if .Values.cloudProviderMetadata.gkeServiceAccount }} 11 | iam.gke.io/gcp-service-account: {{ .Values.cloudProviderMetadata.gkeServiceAccount }} 12 | {{- end }} 13 | labels: 14 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} 15 | name: {{ .Values.operator.name }} 16 | namespace: {{ .Values.ksNamespace }} 17 | automountServiceAccountToken: false 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/otel-collector/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.otelCollector.enabled }} 3 | kind: ConfigMap 4 | apiVersion: v1 5 | metadata: 6 | name: otel-collector-config 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.global.cloudConfig "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | kubescape.io/tier: "core" 13 | data: 14 | otel-collector-config.yaml: |- 15 | {{ tpl (.Files.Get "assets/otel-collector-config.yaml") . 
| indent 4 }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/otel-collector/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- $configurations := fromYaml (include "configurations" .) }} 3 | {{- if and .Values.global.networkPolicy.enabled $components.otelCollector.enabled }} 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | name: {{ .Values.otelCollector.name }} 8 | namespace: {{ .Values.ksNamespace }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | spec: 12 | podSelector: 13 | matchLabels: 14 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name) | nindent 6 }} 15 | policyTypes: 16 | - Ingress 17 | {{- if .Values.global.networkPolicy.createEgressRules }} 18 | - Egress 19 | egress: 20 | # - otel backend 21 | - ports: 22 | - port: 443 23 | protocol: TCP 24 | {{- if $configurations.otel }} 25 | - port: {{ $configurations.otelPort }} 26 | protocol: TCP 27 | {{- end }} 28 | {{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }} 29 | {{- end }} 30 | ingress: 31 | - from: 32 | - podSelector: 33 | matchLabels: 34 | otel: enabled 35 | ports: 36 | - port: otlp 37 | protocol: TCP 38 | - port: otlp-http 39 | protocol: TCP 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/otel-collector/scc-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if and $components.otelCollector.enabled .Values.global.openshift.scc.enabled }} 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ printf "%s-scc" .Values.otelCollector.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: system:openshift:scc:nonroot-v2 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ .Values.otelCollector.name }} 17 | namespace: {{ .Values.ksNamespace }} 18 | {{ end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/otel-collector/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.otelCollector.enabled }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Values.otelCollector.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - name: otlp 14 | port: 4317 15 | targetPort: 4317 16 | protocol: TCP 17 | - name: otlp-http 18 | port: 4318 19 | targetPort: 4318 20 | protocol: TCP 21 | selector: 22 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name) | nindent 4 }} 23 | {{ end }} 24 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/otel-collector/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.otelCollector.enabled }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ .Values.otelCollector.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.otelCollector.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/prometheus-exporter/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.prometheusExporter.enabled }} 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.prometheusExporter.name }} 7 | labels: 8 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name "tier" .Values.global.namespaceTier) | nindent 4 }} 9 | rules: 10 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 11 | resources: 12 | - configurationscansummaries 13 | - vulnerabilitysummaries 14 | {{- if .Values.prometheusExporter.enableWorkloadMetrics }} 15 | - workloadconfigurationscansummaries 16 | - vulnerabilitymanifestsummaries 17 | {{- end }} 18 | verbs: ["get", "watch", "list"] 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/prometheus-exporter/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.prometheusExporter.enabled }} 3 | kind: ClusterRoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.prometheusExporter.name }} 7 | labels: 8 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name "tier" .Values.global.namespaceTier) | nindent 4 }} 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ .Values.prometheusExporter.name }} 12 | namespace: {{ .Values.ksNamespace }} 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: {{ .Values.prometheusExporter.name }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/prometheus-exporter/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if and .Values.global.networkPolicy.enabled $components.prometheusExporter.enabled }} 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ .Values.prometheusExporter.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name) | nindent 6 }} 14 | policyTypes: 15 | - Ingress 16 | ingress: 17 | - ports: 18 | - port: {{ .Values.prometheusExporter.service.port }} 19 | protocol: TCP 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/prometheus-exporter/service.yaml: 
-------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.prometheusExporter.enabled }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Values.prometheusExporter.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | spec: 11 | type: {{ .Values.prometheusExporter.service.type }} 12 | ports: 13 | - port: {{ .Values.prometheusExporter.service.port }} 14 | targetPort: {{ .Values.prometheusExporter.service.targetPort }} 15 | protocol: {{ .Values.prometheusExporter.service.protocol }} 16 | selector: 17 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name) | nindent 4 }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/prometheus-exporter/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.prometheusExporter.enabled }} 3 | kind: ServiceAccount 4 | apiVersion: v1 5 | metadata: 6 | {{- if .Values.cloudProviderMetadata.awsIamRoleArn }} 7 | annotations: 8 | eks.amazonaws.com/role-arn: {{ .Values.cloudProviderMetadata.awsIamRoleArn }} 9 | {{- else if .Values.cloudProviderMetadata.gkeServiceAccount }} 10 | annotations: 11 | iam.gke.io/gcp-service-account: {{ .Values.cloudProviderMetadata.gkeServiceAccount }} 12 | {{- end }} 13 | labels: 14 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name "tier" .Values.global.namespaceTier) | nindent 4 }} 15 | name: {{ .Values.prometheusExporter.name }} 16 | namespace: {{ .Values.ksNamespace }} 17 | automountServiceAccountToken: false 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/prometheus-exporter/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if and .Values.kubescape.serviceMonitor.enabled $components.prometheusExporter.enabled }} 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | name: {{ .Values.prometheusExporter.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | {{- with .Values.kubescape.serviceMonitor.additionalLabels }} 13 | {{- toYaml . 
| nindent 4 }}
14 |   {{- end }}
15 | spec:
16 |   endpoints:
17 |     - interval: 60s
18 |       path: /metrics
19 |       targetPort: 8080
20 |   namespaceSelector:
21 |     matchNames:
22 |       - {{ .Values.ksNamespace }}
23 |   selector:
24 |     matchLabels:
25 |       {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.prometheusExporter.name) | nindent 6 }}
26 | {{ end }}
27 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/proxy-support/_noproxy_list.tpl:
--------------------------------------------------------------------------------
{{/*
Build the comma-separated NO_PROXY list: the chart's component names, otel-collector, the
in-cluster API server name pattern, the API server ClusterIP, then any global.noProxy suffix.
`lookup` reads the live cluster; under `helm template` / `--dry-run` it returns an empty
result, so the 127.0.0.1 default stands in and the real API server ClusterIP is then
missing from the list.
*/}}
1 | {{- define "no_proxy_envar_list" -}}
2 | {{ $api_server_ip := "127.0.0.1" }}
3 | {{- $api_server_service := (lookup "v1" "Service" "default" "kubernetes") -}}
4 | {{- if $api_server_service -}}
5 | {{ $api_server_ip = $api_server_service.spec.clusterIP }}
6 | {{- end -}}
7 | {{ .Values.kubescape.name }},{{ .Values.kubevuln.name }},{{ .Values.nodeAgent.name }},{{ .Values.operator.name }},otel-collector,kubernetes.default.svc.*,{{ $api_server_ip }}
8 | {{- if ne .Values.global.noProxy "" -}}
9 | ,{{- .Values.global.noProxy -}}
10 | {{- end -}}
11 | {{- end -}}
12 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/proxy-support/proxy-secret.yaml:
--------------------------------------------------------------------------------
1 | {{- if ne .Values.global.proxySecretFile "" }}
# Secret carrying the proxy certificate (judging by the proxy.crt key name), created as a
# pre-install / pre-upgrade hook. Secret `data` values must be base64, and proxySecretFile is
# emitted as-is, so the value has to be supplied already base64-encoded.
2 | apiVersion: v1
3 | kind: Secret
4 | metadata:
5 |   name: {{ .Values.global.proxySecretName }}
6 |   namespace: {{ .Values.ksNamespace }}
7 |   labels:
8 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.global.proxySecretName "tier" .Values.global.namespaceTier) | nindent 4 }}
9 |   annotations:
10 |     "helm.sh/hook": pre-install,pre-upgrade
11 |     "helm.sh/hook-delete-policy": before-hook-creation
12 |     "helm.sh/hook-weight": "0"
13 | type: Opaque
14 | data:
15 |   proxy.crt: {{ .Values.global.proxySecretFile | quote }}
16 | {{- end }}
17 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/servicediscovery/role.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) }}
2 | {{- if $components.serviceDiscovery.enabled }}
# Hook-scoped Role for the service-discovery hook: with hook-delete-policy hook-succeeded it
# is removed once the hook completes, so the grant exists only for the hook's run.
3 | kind: Role
4 | apiVersion: rbac.authorization.k8s.io/v1
5 | metadata:
6 |   name: {{ .Values.serviceDiscovery.name }}
7 |   namespace: {{ .Values.ksNamespace }}
8 |   annotations:
9 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
10 |     "helm.sh/hook": pre-install,pre-upgrade
11 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
12 |     "helm.sh/hook-weight": "0"
13 |   labels:
14 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.serviceDiscovery.name "tier" .Values.global.namespaceTier) | nindent 4 }}
15 | rules:
    # Write access to ConfigMaps in ksNamespace only — no Secrets, no delete verb.
16 |   - apiGroups: [""]
17 |     resources: [ "configmaps"]
18 |     verbs: ["update", "create", "patch", "get", "list"]
19 | {{- end }}
20 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/servicediscovery/rolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.serviceDiscovery.enabled }} 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.serviceDiscovery.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | "helm.sh/hook": pre-install,pre-upgrade 11 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 12 | "helm.sh/hook-weight": "0" 13 | labels: 14 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.serviceDiscovery.name "tier" .Values.global.namespaceTier) | nindent 4 }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ .Values.serviceDiscovery.name }} 18 | namespace: {{ .Values.ksNamespace }} 19 | roleRef: 20 | apiGroup: rbac.authorization.k8s.io 21 | kind: Role 22 | name: {{ .Values.serviceDiscovery.name }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/servicediscovery/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}}
2 | {{- if $components.serviceDiscovery.enabled }}
# ServiceAccount for the service-discovery hook, hook-scoped like its Role and RoleBinding
# (deleted on hook-succeeded). Unlike the operator and prometheus-exporter ServiceAccounts,
# automountServiceAccountToken is not set to false here — presumably the hook Job needs the
# token to write its ConfigMap; confirm against servicediscovery/job.yaml.
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 |   name: {{ .Values.serviceDiscovery.name }}
7 |   namespace: {{ .Values.ksNamespace }}
8 |   annotations:
9 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
10 |     "helm.sh/hook": pre-install,pre-upgrade
11 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
12 |     "helm.sh/hook-weight": "0"
13 |   labels:
14 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.serviceDiscovery.name "tier" .Values.global.namespaceTier) | nindent 4 }}
15 | {{- end }}
16 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/storage/_helpersKubescapeStorage.tpl:
--------------------------------------------------------------------------------
1 | {{/*
2 | Create the name of the Kubescape Storage Auth Reader RoleBinding to use
3 | */}}
4 | {{- define "storage.authReaderRoleBindingName" -}}
5 | {{- .Values.storage.name | printf "%s-auth-reader" }}
6 | {{- end }}
7 | 
8 | {{/*
9 | Create the name of the Kubescape Storage auth-delegator ClusterRoleBinding to use
10 | */}}
11 | {{- define "storage.authDelegatorClusterRoleBindingName" -}}
12 | {{- .Values.storage.name | printf "%s:system:auth-delegator" }}
13 | {{- end }}
14 | 
15 | {{/*
16 | Generate the CA key/certificate pair for the storage mTLS setup and return it as JSON.
   The pair is cached in .Values.global.storageCA so that later templates in the same render
   (apiservice.yaml, ca-secret.yaml) see the same CA; when .Values.unittest is set a mock pair
   is used instead. The CN carries a random suffix, so any render that does not already carry
   global.storageCA mints a new CA. No template in this listing persists the CA private key,
   only its certificate, so a later upgrade cannot re-sign with the previous CA.
17 | */}}
18 | {{- define "storage.generateCerts.ca" -}}
19 | {{- if not .Values.global.storageCA -}}
20 | {{- if .Values.unittest }}
21 | {{- $ca := dict "Key" "mock-ca-key" "Cert" "mock-ca-cert" -}}
22 | {{- $_ := set .Values.global "storageCA" $ca -}}
23 | {{- else }}
24 | {{- $cn := printf "%s-%s" .Values.storage.name (randAlphaNum 10) -}}
25 | {{- $ca := genCA (printf "%s-ca" $cn) (int .Values.storage.mtls.certificateValidityInDays) -}}
26 | {{- $_ := set .Values.global "storageCA" $ca -}}
27 | {{- end -}}
28 | {{- end -}}
29 | {{- .Values.global.storageCA | toJson -}}
30 | {{- end -}}
31 | 
{{/*
Generate the server key/certificate for the storage Service, signed by the CA held in
.Values.global.storageCA (ca-secret.yaml calls storage.generateCerts.ca first for that
reason). SANs are the two in-cluster Service DNS names only — no IP SANs — with validity
taken from storage.mtls.certificateValidityInDays. Returned as JSON; mocked under unittest.
*/}}
32 | {{- define "storage.generateCerts.cert" -}}
33 | {{- if .Values.unittest }}
34 | {{- $cert := dict "Key" "mock-cert-key" "Cert" "mock-cert-cert" -}}
35 | {{- $cert | toJson -}}
36 | {{- else }}
37 | {{- $cn := printf "%s.%s.svc-%s" .Values.storage.name .Values.ksNamespace (randAlphaNum 10) -}}
38 | {{- $dnsNames := list (printf "%s.%s.svc" .Values.storage.name .Values.ksNamespace) (printf "%s.%s.svc.cluster.local" .Values.storage.name .Values.ksNamespace) -}}
39 | {{- $cert := genSignedCert $cn nil $dnsNames (int .Values.storage.mtls.certificateValidityInDays) .Values.global.storageCA -}}
40 | {{- $cert | toJson -}}
41 | {{- end -}}
42 | {{- end -}}
43 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/storage/apiservice.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) }}
2 | {{- if $components.storage.enabled }}
# Registers the storage server with the kube-apiserver as an aggregated API.
3 | apiVersion: apiregistration.k8s.io/v1
4 | kind: APIService
5 | metadata:
6 |   name: "v1beta1.spdx.softwarecomposition.kubescape.io"
7 |   annotations:
8 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
9 |   labels:
10 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
11 | spec:
12 |   group: "spdx.softwarecomposition.kubescape.io"
13 |   groupPriorityMinimum: 1000
14 |   versionPriority: 15
15 |   version: "v1beta1"
16 |   service:
17 |     name: {{ .Values.storage.name }}
18 |     namespace: {{ .Values.ksNamespace }}
19 |   {{- if .Values.storage.mtls.enabled }}
  # caBundle pins the kube-apiserver's trust for this backend to the chart-generated CA. It reads
  # .Values.global.storageCA directly (no include), so storage.generateCerts.ca must already have
  # run in this render — ca-secret.yaml does that; presumably Helm's template render order keeps
  # ca-secret.yaml ahead of this file — confirm before renaming either.
20 |   caBundle: {{ .Values.global.storageCA.Cert | b64enc }}
21 |   {{- else }}
  # Without mTLS the kube-apiserver performs no TLS verification of the storage backend, i.e.
  # it cannot authenticate the server it proxies these API requests to.
22 |   insecureSkipTLSVerify: true
23 |   {{- end }}
24 | {{- end }}
25 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/storage/ca-secret.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.storage.mtls.enabled }}
# The other storage templates gate on $components.storage.enabled; this one gates only on
# storage.mtls.enabled, so with storage disabled and mtls enabled a CA and this Secret are
# still rendered — confirm that is intended (or that the components helper already folds
# mtls into storage.enabled).
2 | {{- $ca := include "storage.generateCerts.ca" . | fromJson }}
3 | {{- $cert := include "storage.generateCerts.cert" . | fromJson }}
4 | apiVersion: v1
5 | kind: Secret
6 | metadata:
7 |   name: {{ .Values.storage.name }}-ca
8 |   namespace: {{ .Values.ksNamespace }}
9 |   annotations:
10 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
11 |   labels:
12 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
13 | type: kubernetes.io/tls
14 | data:
  # Server cert and key for the storage pod; ca.crt carries only the CA certificate (the CA key
  # is never written out). Because the CA is regenerated on each render that lacks
  # global.storageCA, this Secret and the APIService caBundle are replaced together on upgrade;
  # anything that pinned the previous ca.crt would need to pick up the new one.
15 |   tls.crt: {{ $cert.Cert | b64enc }}
16 |   tls.key: {{ $cert.Key | b64enc }}
17 |   ca.crt: {{ $ca.Cert | b64enc }}
18 | {{- end }}
19 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/storage/clusterrole.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) }}
2 | {{- if $components.storage.enabled }}
# Cluster-wide read-only (get/watch/list) access for the storage ServiceAccount; no write verbs.
3 | kind: ClusterRole
4 | apiVersion: rbac.authorization.k8s.io/v1
5 | metadata:
6 |   name: {{ .Values.storage.name }}
7 |   annotations:
8 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
9 |   labels:
10 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
11 | rules:
12 |   - apiGroups: [""]
13 |     resources: ["namespaces", "pods", "services"]
14 |     verbs: [ "get", "watch", "list" ]
15 |   - apiGroups: [ "admissionregistration.k8s.io" ]
16 |     resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ]
17 |     verbs: [ "get", "watch", "list" ]
18 |   - apiGroups: ["apps"]
19 |     resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
20 |     verbs: ["get", "watch", "list"]
21 |   - apiGroups: ["batch"]
22 |     resources: ["cronjobs", "jobs"]
23 |     verbs: ["get", "watch", "list"]
24 |   - apiGroups: ["flowcontrol.apiserver.k8s.io"]
25 |     resources: ["prioritylevelconfigurations", "flowschemas"]
26 |     verbs: ["get", "watch", "list"]
27 | {{- end }}
28 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/storage/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- $components := fromYaml (include "components" .) }}
2 | {{- if $components.storage.enabled }}
# Two bindings for the storage ServiceAccount: the built-in system:auth-delegator ClusterRole
# (what an aggregated API server needs to delegate authentication/authorization decisions to
# the kube-apiserver) and the chart's own read-only ClusterRole from clusterrole.yaml.
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | kind: ClusterRoleBinding
5 | metadata:
6 |   name: {{ include "storage.authDelegatorClusterRoleBindingName" . | quote }}
7 |   annotations:
8 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
9 |   labels:
10 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
11 | roleRef:
12 |   apiGroup: rbac.authorization.k8s.io
13 |   kind: ClusterRole
14 |   name: system:auth-delegator
15 | subjects:
16 |   - kind: ServiceAccount
17 |     name: {{ .Values.storage.name }}
18 |     namespace: {{ .Values.ksNamespace }}
19 | ---
20 | apiVersion: rbac.authorization.k8s.io/v1
21 | kind: ClusterRoleBinding
22 | metadata:
23 |   name: {{ .Values.storage.name }}
24 |   annotations:
25 |     {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }}
26 |   labels:
27 |     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
28 | roleRef:
29 |   apiGroup: rbac.authorization.k8s.io
30 |   kind: ClusterRole
31 |   name: {{ .Values.storage.name }}
32 | subjects:
33 |   - kind: ServiceAccount
34 |     name: {{ .Values.storage.name }}
35 |     namespace: {{ .Values.ksNamespace }}
36 | {{- end }}
37 | 
--------------------------------------------------------------------------------
/charts/kubescape-operator/templates/storage/configmap.yaml:
-------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- $configurations := fromYaml (include "configurations" .) }} 3 | {{- if $components.storage.enabled }} # Storage server settings, rendered as the config.json key below 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ .Values.storage.name }} 8 | namespace: {{ .Values.ksNamespace }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | kubescape.io/tier: "core" # consistency note: this ConfigMap has no annotations block, unlike the other storage templates 12 | data: 13 | config.json: | # JSON block scalar (keep YAML comments out of it): when storage.mtls.enabled the server uses the in-cluster service-account CA as client CA and serves the cert/key under /etc/storage-ca-certificates, presumably mounted from the <storage.name>-ca Secret - verify in the deployment template 14 | { 15 | "cleanupInterval": "{{ .Values.storage.cleanupInterval }}", 16 | "disableVirtualCRDs": {{ not $configurations.virtualCrds }}, 17 | "excludeJsonPaths": {{ .Values.configurations.excludeJsonPaths | toJson }}, 18 | {{- if .Values.storage.mtls.enabled }} 19 | "tlsClientCaFile": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", 20 | "tlsServerCertFile": "/etc/storage-ca-certificates/tls.crt", 21 | "tlsServerKeyFile": "/etc/storage-ca-certificates/tls.key", 22 | {{- end }} 23 | "serverBindPort": "{{ .Values.storage.serverPort }}" 24 | } 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/storage/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if and .Values.global.networkPolicy.enabled .Values.global.networkPolicy.createEgressRules $components.storage.enabled }} # Egress-only NetworkPolicy for the storage pods (policyTypes lists no Ingress, so inbound traffic is not restricted here); rendered only when both networkPolicy.enabled and createEgressRules are set 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ .Values.storage.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | spec: 13 | podSelector: 14 | matchLabels: 15 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name) | nindent 6 }} 16 | policyTypes: 17 | - Egress # allowed destinations come from the chart assets api-server-egress-rules.yaml and common-egress-rules.yaml 18 | egress: 19 | {{ tpl (.Files.Get "assets/api-server-egress-rules.yaml") . | indent 4 }} 20 | {{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/storage/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if and $components.storage.enabled (eq .Values.configurations.persistence "enable") }} # Backing PersistentVolumeClaim for the storage server, created only when configurations.persistence is the string "enable" 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: kubescape-{{ .Values.storage.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | spec: 13 | accessModes: 14 | - {{ .Values.persistence.accessMode }} 15 | resources: 16 | requests: 17 | storage: {{ .Values.persistence.size.backingStorage }} 18 | {{- if ne .Values.persistence.storageClass "-" }} # "-" means "use the cluster default StorageClass": storageClassName is omitted in that case 19 | storageClassName: {{ .Values.persistence.storageClass | quote }} 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/storage/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.storage.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: {{ include "storage.authReaderRoleBindingName" . 
| quote }} 7 | namespace: kube-system # intentionally bound in kube-system: the extension-apiserver-authentication-reader Role lives there and lets the storage ServiceAccount read the extension-apiserver-authentication ConfigMap (the client/request-header CAs an aggregated API server needs to authenticate callers) 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | # This is a default role name provided by K8s and should not be templated or changed 16 | name: "extension-apiserver-authentication-reader" 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ .Values.storage.name }} 20 | namespace: {{ .Values.ksNamespace }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/storage/scc-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if and $components.storage.enabled .Values.global.openshift.scc.enabled }} # OpenShift only: grants the storage ServiceAccount use of the nonroot-v2 SecurityContextConstraints through the built-in system:openshift:scc:nonroot-v2 ClusterRole 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ printf "%s-scc" .Values.storage.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:openshift:scc:nonroot-v2 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ .Values.storage.name }} 19 | namespace: {{ .Values.ksNamespace }} 20 | {{ end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/storage/service.yaml: 
-------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.storage.enabled }} # Service in front of the storage server (no type set, so the Kubernetes default ClusterIP applies) 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Values.storage.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | spec: 13 | ports: 14 | - port: 443 # only an https port is published; it forwards to storage.serverPort in the pod and no plain-HTTP port exists 15 | protocol: TCP 16 | targetPort: {{ .Values.storage.serverPort }} 17 | name: https 18 | selector: 19 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name) | nindent 6 }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/storage/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.storage.enabled }} # ServiceAccount for the storage server; automountServiceAccountToken is not set here (Kubernetes default: true), unlike the synchronizer ServiceAccount which disables it 3 | kind: ServiceAccount 4 | apiVersion: v1 5 | metadata: 6 | name: {{ .Values.storage.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/storage/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 # helm test hook; not gated on $components.storage.enabled and has no namespace, so it renders even when the storage component is disabled 2 | kind: Pod 3 | metadata: 4 | name: "{{ .Values.storage.name }}-test-connection" 5 | annotations: 6 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 7 | "helm.sh/hook": test 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | spec: 11 | containers: 12 | - name: wget 13 | image: docker.io/busybox # unpinned image: pin a tag or digest so the test image is reproducible and auditable 14 | command: ['wget'] 15 | args: ['{{ .Values.storage.name }}:80'] # NOTE(review): the storage Service publishes only port 443 (https), so this plain-HTTP request to :80 cannot reach it - confirm the test is expected to pass 16 | restartPolicy: Never 17 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.synchronizer.enabled }} # Cluster-wide RBAC for the synchronizer: read-only watches on storage classes, RBAC, workloads, networking and service-mesh resources; write verbs only on kubescape CRDs and, behind capabilities.manageWorkloads, on workloads and network policies 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.synchronizer.name }} 7 | annotations: 8 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 9 | labels: 10 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 11 | rules: 12 | - apiGroups: ["storage.k8s.io"] 13 | resources: ["storageclasses"] 14 | verbs: ["get", "list", "watch"] 15 | - apiGroups: ["rbac.authorization.k8s.io"] 16 | resources: ["rolebindings", "clusterrolebindings", "roles", "clusterroles"] 17 | verbs: ["get", "list", "watch"] 18 | - apiGroups: [""] 19 | resources: ["pods", "namespaces", "nodes", "configmaps", "persistentvolumes", "services"] 20 | verbs: ["get", "list", "watch"] 21 | - apiGroups: ["apps"] 22 | resources: ["deployments", "statefulsets", "daemonsets", "replicasets"] 23 | verbs: ["get", "list", "watch"] 24 | - apiGroups: ["batch"] 25 | resources: ["jobs", "cronjobs"] 26 | verbs: ["get", "list", "watch"] 27 | - apiGroups: ["networking.k8s.io"] 28 | resources: ["networkpolicies", "ingresses"] 29 | verbs: ["get", "list", "watch"] 30 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 31 | resources: ["applicationprofiles", "networkneighborhoods"] 32 | verbs: ["get", "watch", "list", "create", "update", "patch", "delete"] # full CRUD on application profiles and network neighborhoods 33 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 34 | resources: ["knownservers"] 35 | verbs: ["get", "watch", "list", "create", "update", "patch", "delete"] 36 | - apiGroups: ["cilium.io"] 37 | resources: ["ciliumnetworkpolicies"] 38 | verbs: ["get", "list", "watch"] 39 | - apiGroups: ["projectcalico.org"] 40 | resources: ["networkpolicies"] 41 | verbs: ["get", "list", "watch"] 42 | - apiGroups: ["networking.istio.io"] 43 | resources: ["gateways", "virtualservices"] 44 | verbs: ["get", "list", 
"watch"] 45 | - apiGroups: ["security.istio.io"] 46 | resources: ["authorizationpolicies"] 47 | verbs: ["get", "list", "watch"] 48 | - apiGroups: ["gateway.networking.k8s.io"] 49 | resources: ["httproutes", "tcproutes","udproutes"] 50 | verbs: ["get", "list", "watch"] 51 | - apiGroups: ["kubescape.io"] 52 | resources: ["servicesscanresults"] 53 | verbs: ["get", "watch", "list"] 54 | - apiGroups: ["kubescape.io"] 55 | resources: ["operatorcommands"] 56 | verbs: ["get", "watch", "list", "create", "update", "patch", "delete"] 57 | {{- if eq .Values.capabilities.syncSBOM "enable" }} 58 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 59 | resources: ["sbomsyfts", "sbomsyftfiltereds"] 60 | verbs: [ "get", "watch", "list"] 61 | {{- end }} 62 | {{- if eq .Values.capabilities.manageWorkloads "enable" }} 63 | - apiGroups: ["spdx.softwarecomposition.kubescape.io"] 64 | resources: ["seccompprofiles"] 65 | verbs: ["get", "watch", "list", "create", "update", "patch"] 66 | - apiGroups: ["networking.k8s.io"] 67 | resources: ["networkpolicies"] 68 | verbs: ["create", "update", "patch"] 69 | - apiGroups: ["cilium.io"] 70 | resources: ["ciliumnetworkpolicies"] 71 | verbs: ["create", "update", "patch"] 72 | - apiGroups: ["projectcalico.org"] 73 | resources: ["networkpolicies"] 74 | verbs: ["create", "update", "patch"] 75 | - apiGroups: ["apps"] 76 | resources: ["deployments", "statefulsets", "daemonsets", "replicasets"] 77 | verbs: ["update", "patch"] 78 | - apiGroups: ["batch"] 79 | resources: ["jobs", "cronjobs"] 80 | verbs: ["update", "patch"] 81 | - apiGroups: [""] 82 | resources: ["pods"] 83 | verbs: ["update", "patch"] 84 | {{- end }} 85 | {{- end }} 86 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.synchronizer.enabled }} # Binds the synchronizer ServiceAccount to the synchronizer ClusterRole; no annotations block here, unlike the storage bindings 3 | kind: ClusterRoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.synchronizer.name }} 7 | labels: 8 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: {{ .Values.synchronizer.name }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ .Values.synchronizer.name }} 16 | namespace: {{ .Values.ksNamespace }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if and .Values.global.networkPolicy.enabled $components.synchronizer.enabled }} # Synchronizer NetworkPolicy: ingress only from node-agent pods on the service port; egress rules are added only when createEgressRules is set 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ .Values.synchronizer.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | annotations: 9 | {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} 10 | labels: 11 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 12 | spec: 13 | podSelector: 14 | matchLabels: 15 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name) | nindent 14 }} 16 | policyTypes: 17 | - Ingress 18 | {{- if .Values.global.networkPolicy.createEgressRules }} 19 | - Egress 20 | egress: 21 | # - synchronizer server 22 | - ports: 23 | - port: 443 24 | protocol: TCP # no "to:" selector on this rule, so TCP 443 is allowed to any destination (the synchronizer server upstream) 25 | {{ tpl (.Files.Get "assets/api-server-egress-rules.yaml") . 
| indent 4 }} 26 | {{ tpl (.Files.Get "assets/common-egress-rules.yaml") . | indent 4 }} 27 | {{- end }} 28 | ingress: 29 | - from: 30 | - podSelector: 31 | matchLabels: 32 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name) | nindent 14 }} 33 | ports: # inbound is allowed only from node-agent pods (selector above) on synchronizer.service.port 34 | - port: {{ .Values.synchronizer.service.port }} 35 | protocol: TCP 36 | {{- end }} 37 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/role.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if $components.synchronizer.enabled }} # Namespaced RBAC for the synchronizer: full CRUD on ConfigMaps, Secrets and CronJobs in ksNamespace; the Secret verbs are the sensitive part and are scoped to the chart namespace only 3 | kind: Role 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.synchronizer.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | rules: 11 | - apiGroups: [""] 12 | resources: ["configmaps", "secrets"] 13 | verbs: ["create", "get", "update", "watch", "list", "patch", "delete"] 14 | - apiGroups: ["batch"] 15 | resources: ["cronjobs"] 16 | verbs: ["create", "get", "update", "watch", "list", "patch", "delete"] 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.synchronizer.enabled }} # Binds the synchronizer ServiceAccount to its namespaced Role 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.synchronizer.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: Role 13 | name: {{ .Values.synchronizer.name }} 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ .Values.synchronizer.name }} 17 | namespace: {{ .Values.ksNamespace }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/scc-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) }} 2 | {{- if and $components.synchronizer.enabled .Values.global.openshift.scc.enabled }} # OpenShift only: nonroot-v2 SecurityContextConstraints for the synchronizer ServiceAccount through the built-in system:openshift:scc:nonroot-v2 ClusterRole 3 | kind: RoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ printf "%s-scc" .Values.synchronizer.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: system:openshift:scc:nonroot-v2 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ .Values.synchronizer.name }} 17 | namespace: {{ .Values.ksNamespace }} 18 | {{ end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.synchronizer.enabled }} # Synchronizer Service: type, port, targetPort and protocol are all value-driven, so a NodePort or LoadBalancer type would publish it outside the cluster 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Values.synchronizer.name }} 7 | namespace: {{ .Values.ksNamespace }} 8 | labels: 9 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 10 | spec: 11 | type: {{ .Values.synchronizer.service.type }} 12 | ports: 13 | - port: {{ .Values.synchronizer.service.port }} 14 | targetPort: {{ .Values.synchronizer.service.targetPort }} 15 | protocol: {{ .Values.synchronizer.service.protocol }} 16 | selector: 17 | {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name) | nindent 4 }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/templates/synchronizer/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $components := fromYaml (include "components" .) 
}} 2 | {{- if $components.synchronizer.enabled }} # Synchronizer ServiceAccount: gets a cloud IAM binding annotation when awsIamRoleArn (eks.amazonaws.com/role-arn) or gkeServiceAccount (iam.gke.io/gcp-service-account) is set; the AWS branch wins when both are set 3 | kind: ServiceAccount 4 | apiVersion: v1 5 | metadata: 6 | {{- if .Values.cloudProviderMetadata.awsIamRoleArn }} 7 | annotations: 8 | eks.amazonaws.com/role-arn: {{ .Values.cloudProviderMetadata.awsIamRoleArn }} 9 | {{- else if .Values.cloudProviderMetadata.gkeServiceAccount }} 10 | annotations: 11 | iam.gke.io/gcp-service-account: {{ .Values.cloudProviderMetadata.gkeServiceAccount }} 12 | {{- end }} 13 | labels: 14 | {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.synchronizer.name "tier" .Values.global.namespaceTier) | nindent 4 }} 15 | name: {{ .Values.synchronizer.name }} 16 | namespace: {{ .Values.ksNamespace }} 17 | automountServiceAccountToken: false # the token is not injected by default; a workload that needs API access must mount one explicitly (presumably done in the deployment template, not visible here) 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/kubescape-operator/tests/README.md: -------------------------------------------------------------------------------- 1 | # UnitTests 2 | 3 | 1. Install 4 | ``` 5 | helm plugin install https://github.com/helm-unittest/helm-unittest.git 6 | ``` 7 | 2. Run 8 | ``` 9 | helm unittest charts/kubescape-operator/ 10 | ``` 11 | 12 | ## Update 13 | ``` 14 | helm unittest -u charts/kubescape-operator/ 15 | ``` 16 | --------------------------------------------------------------------------------