├── charts ├── common │ ├── values.yaml │ ├── RELEASE-NOTES.md │ ├── .helmignore │ ├── templates │ │ └── _agent_tags.tpl │ └── Chart.yaml ├── rapid-response │ ├── templates │ │ ├── NOTES.txt │ │ ├── serviceaccount.yaml │ │ ├── configmap.yaml │ │ ├── securitycontextconstraint.yaml │ │ └── secrets.yaml │ ├── RELEASE-NOTES.md │ ├── .helmignore │ ├── ci │ │ └── test-values.yaml.template │ └── tests │ │ ├── custom_resources.yaml │ │ └── golden_template_test.yaml ├── node-analyzer │ ├── .helmignore │ ├── ci │ │ ├── test-values.yaml.template │ │ ├── test-values-ssl.yaml.template │ │ └── test-values-new-runtime.yaml.template │ ├── tests │ │ ├── default_required_values.yaml │ │ ├── readme_command_test.yaml │ │ └── agent_tags_test.yaml │ ├── RELEASE-NOTES.md │ ├── templates │ │ ├── serviceaccount-node-analyzer.yaml │ │ ├── priorityclass.yaml │ │ ├── clusterrolebinding-node-analyzer.yaml │ │ ├── psp.yaml │ │ ├── runtimeScanner │ │ │ ├── eveconnector-api-service.yaml │ │ │ └── sysdig-eve-secret.yaml │ │ ├── tests │ │ │ └── test-rollout.yaml │ │ ├── secrets.yaml │ │ ├── NOTES.txt │ │ └── securitycontextconstraint.yaml │ └── Chart.yaml ├── sysdig-mcm-navmenu │ ├── ci │ │ ├── onprem.yam │ │ ├── saas.yaml │ │ └── required-values-notest.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── scc.yaml │ │ ├── ingress.yaml │ │ ├── configmap.yaml │ │ ├── service-secure.yaml │ │ ├── service-monitor.yaml │ │ └── deployment.yaml │ ├── Chart.yaml │ ├── .helmignore │ ├── RELEASE-NOTES.md │ ├── values.yaml │ ├── README.md │ └── CHANGELOG.md ├── cluster-scanner │ ├── Makefile │ ├── tests │ │ ├── values.required.yaml │ │ ├── serviceaccount_test.yaml │ │ ├── service_test.yaml │ │ ├── clusterrolebinding_test.yaml │ │ ├── rolebinding_test.yaml │ │ ├── clusterrole_test.yaml │ │ └── existing-secret_test.yaml │ ├── ci │ │ └── test-values.yaml.template │ ├── RELEASE-NOTES.md │ ├── Chart.yaml │ ├── templates │ │ ├── clusterrolebinding.yaml │ │ ├── serviceaccount.yaml │ │ ├── 
clusterrole.yaml │ │ ├── rolebinding.yaml │ │ ├── registrymirror.yaml │ │ ├── service.yaml │ │ ├── NOTES.txt │ │ └── role.yaml │ ├── .helmignore │ └── doc.yaml ├── agent │ ├── ci │ │ └── test-values.yaml.template │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── role.yaml │ │ ├── configmap-local-forwarder.yaml │ │ ├── rolebinding.yaml │ │ ├── service.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── priorityclass.yaml │ │ ├── psp.yaml │ │ ├── auditsink.yaml │ │ └── tests │ │ │ └── test-rollout.yaml │ ├── RELEASE-NOTES.md │ ├── tests │ │ ├── captures_test.yaml │ │ ├── dns_policy_test.yaml │ │ ├── prometheus_file_test.yaml │ │ └── psp_test.yaml │ ├── .helmignore │ ├── Chart.yaml │ └── README-AWS.md ├── sysdig-stackdriver-bridge │ ├── ci │ │ └── test-values.yaml │ ├── OWNERS │ ├── RELEASE-NOTES.md │ ├── templates │ │ └── secret.yaml │ ├── .helmignore │ ├── Chart.yaml │ └── values.yaml ├── cloud-connector │ ├── ci │ │ └── required-values.yaml.template │ ├── Chart.yaml │ ├── RELEASE-NOTES.md │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── service.yaml │ │ ├── configmap.yaml │ │ ├── secret.yaml │ │ └── NOTES.txt │ ├── .helmignore │ └── doc.yaml ├── sysdig │ ├── OWNERS │ ├── ci │ │ └── test-values.yaml.template │ ├── scripts │ │ └── appchecks2helm │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── kspmCollector │ │ │ ├── serviceaccount-kspm-collector.yaml │ │ │ ├── clusterrolebinding-kspm-collector.yaml │ │ │ ├── configmap-kspm-collector.yaml │ │ │ └── clusterrole-kspm-collector.yaml │ │ ├── serviceaccount-node-analyzer.yaml │ │ ├── configmap-custom-app-checks.yaml │ │ ├── service.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── clusterrolebinding-node-analyzer.yaml │ │ ├── runtimeScanner │ │ │ ├── sysdig-eve-secret.yaml │ │ │ ├── eveconnector-api-service.yaml │ │ │ └── eveconnector-api-configmap.yaml │ │ ├── psp.yaml │ │ ├── configmap-kspm-analyzer.yaml │ │ ├── secrets.yaml │ │ ├── psp-node-analyzer.yaml │ │ ├── auditsink.yaml │ 
│ ├── configmap-benchmark-runner.yaml │ │ ├── NOTES.txt │ │ └── securitycontextconstraint.yaml │ ├── RELEASE-NOTES.md │ ├── Chart.yaml │ ├── tests │ │ └── psp_test.yaml │ └── README-AWS.md ├── harbor-scanner-sysdig-secure │ ├── ci │ │ └── required-values.yaml.template │ ├── templates │ │ ├── configmap.yaml │ │ ├── serviceaccount.yaml │ │ ├── NOTES.txt │ │ ├── secret.yaml │ │ ├── service.yaml │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── rolebinding.yaml │ │ └── role.yaml │ ├── .helmignore │ ├── Chart.yaml │ └── RELEASE-NOTES.md ├── admission-controller │ ├── ci │ │ ├── required-values.yaml.template │ │ ├── with-specific-url.yaml.template │ │ ├── deployment-with-port-on-443.template │ │ └── custom-ca-values.yaml.template │ ├── RELEASE-NOTES.md │ ├── .helmignore │ ├── Chart.yaml │ ├── templates │ │ ├── webhook │ │ │ ├── admissioncontrollerconfigmap.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── autoscaler.yaml │ │ │ ├── podmonitor.yaml │ │ │ ├── service.yaml │ │ │ ├── clusterrole.yaml │ │ │ └── securitycontextconstraint.yaml │ │ ├── scanner │ │ │ ├── serviceaccount.yaml │ │ │ ├── role.yaml │ │ │ ├── service.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── configmap.yaml │ │ │ ├── podmonitor.yaml │ │ │ └── psp.yaml │ │ └── NOTES.txt │ └── doc.yaml ├── cloud-scanning │ ├── ci │ │ └── required-values.yaml.template │ ├── RELEASE-NOTES.md │ ├── Chart.yaml │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── service.yaml │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── secret.yaml │ │ └── NOTES.txt │ ├── .helmignore │ └── CHANGELOG.md ├── registry-scanner │ ├── tests │ │ └── ocp_test_values.yaml │ ├── Chart.yaml │ ├── templates │ │ ├── clusterrole.yaml │ │ ├── role.yaml │ │ ├── serviceaccount.yaml │ │ ├── rolebinding.yaml │ │ ├── job.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── cronjob.yaml │ │ └── NOTES.txt │ ├── RELEASE-NOTES.md │ ├── .helmignore │ ├── ci │ │ ├── test-aws-org-values.yaml.template.disabled │ │ ├── 
test-jfrog-saas-values.yaml.template.disabled │ │ ├── test-aws-single-values.yaml.template │ │ └── test-aws-org-values.yaml.template │ └── doc.yaml ├── kspm-collector │ ├── ci │ │ └── test-values.yaml.template │ ├── RELEASE-NOTES.md │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── psp.yaml │ │ ├── secret.yaml │ │ ├── tests │ │ │ └── test-rollout.yaml │ │ └── securitycontextconstraint.yaml │ ├── tests │ │ ├── conditional_flag_test.yaml │ │ ├── golden_template_test.yaml │ │ ├── cert_validation_test.yaml │ │ ├── deployment_annotation_test.yaml │ │ ├── nodeselector_test.yaml │ │ ├── pod_annotation_test.yaml │ │ ├── psp_test.yaml │ │ └── agent_tags_test.yaml │ ├── .helmignore │ └── Chart.yaml ├── cloud-bench │ ├── ci │ │ └── required-values.yaml.template │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── service.yaml │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── configmap.yaml │ │ ├── secret.yaml │ │ ├── hpa.yaml │ │ └── ingress.yaml │ ├── Chart.yaml │ ├── RELEASE-NOTES.md │ └── CHANGELOG.md ├── cluster-shield │ ├── ci │ │ ├── region-values.yaml │ │ ├── base-values.yaml │ │ └── existing_secrets-values.yaml │ ├── templates │ │ ├── configmap.yaml │ │ ├── priorityclass.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── rolebinding.yaml │ │ ├── serviceaccount.yaml │ │ ├── service-cluster-scanner.yaml │ │ ├── service.yaml │ │ ├── role.yaml │ │ └── openshift_securitycontextconstraint.yaml │ ├── RELEASE-NOTES.md │ ├── .helmignore │ ├── Chart.yaml │ ├── doc.yaml │ └── tests │ │ ├── serviceaccount_test.yaml │ │ ├── openshift_securitycontextconstraint_test.yaml │ │ ├── rolebinding_test.yaml │ │ ├── clusterrolebinding_test.yaml │ │ ├── image_pull_secrets_test.yaml │ │ └── service-cluster-scanner_test.yaml └── sysdig-deploy │ ├── ci │ ├── test-values.yaml.template │ ├── test-default-saas-values.yaml.template │ └── test-enable-all-subcharts-values.yaml.template │ ├── RELEASE-NOTES.md │ ├── .helmignore │ └── templates │ └── 
cluster-scanner-runtime-scanner-check.yaml ├── cr.yaml ├── Justfile ├── scripts ├── cluster-scanner │ ├── README.md │ └── cluster-scanner-resources.yaml ├── chart-version-bump.sh └── sysdig │ └── image-version-bump.sh ├── .github ├── labeler.yml ├── dependabot.yml ├── workflows │ ├── labeler.yml │ ├── kubectl-update.yaml │ ├── pr-lint.yaml │ ├── agent-release.yaml │ ├── stale.yml │ ├── greeting.yaml │ └── update-tanzu.yaml ├── CODEOWNERS └── PULL_REQUEST_TEMPLATE.md ├── .chglog ├── config-release.yml ├── config-changelog.yml ├── CHANGELOG.tpl.md └── RELEASE.tpl.md ├── .pre-commit-config.yaml └── Makefile /charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /charts/rapid-response/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /charts/node-analyzer/.helmignore: -------------------------------------------------------------------------------- 1 | /tests/ 2 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/ci/onprem.yam: -------------------------------------------------------------------------------- 1 | saas: false 2 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/ci/saas.yaml: -------------------------------------------------------------------------------- 1 | companyName: testCompany 2 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Navigation menu items added! 
2 | -------------------------------------------------------------------------------- /charts/cluster-scanner/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: test 2 | test: 3 | helm unittest . 4 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/ci/required-values-notest.yaml: -------------------------------------------------------------------------------- 1 | companyName: testCompany 2 | -------------------------------------------------------------------------------- /cr.yaml: -------------------------------------------------------------------------------- 1 | release-notes-file: RELEASE-NOTES.md 2 | skip-existing: true 3 | sign: true 4 | -------------------------------------------------------------------------------- /charts/agent/ci/test-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | accessKey: ${SECURE_AGENT_TOKEN} 3 | -------------------------------------------------------------------------------- /charts/sysdig-stackdriver-bridge/ci/test-values.yaml: -------------------------------------------------------------------------------- 1 | secret: 2 | create: true 3 | data: foobar 4 | -------------------------------------------------------------------------------- /charts/cluster-scanner/tests/values.required.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | sysdig: 3 | accessKey: "testkey" 4 | -------------------------------------------------------------------------------- /charts/cloud-connector/ci/required-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | secureAPIToken: ${SECURE_API_TOKEN} 3 | -------------------------------------------------------------------------------- /charts/sysdig/OWNERS: 
-------------------------------------------------------------------------------- 1 | approvers: 2 | - bencer 3 | - nestorsalceda 4 | reviewers: 5 | - bencer 6 | - nestorsalceda 7 | -------------------------------------------------------------------------------- /Justfile: -------------------------------------------------------------------------------- 1 | @default: 2 | just --list 3 | 4 | docs: 5 | make docs 6 | 7 | unit-test-rs: 8 | make unit-test-rs 9 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/ci/required-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | secure: 3 | apiToken: ${SECURE_API_TOKEN} 4 | -------------------------------------------------------------------------------- /charts/sysdig-stackdriver-bridge/OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - bencer 3 | - nestorsalceda 4 | reviewers: 5 | - bencer 6 | - nestorsalceda 7 | -------------------------------------------------------------------------------- /charts/admission-controller/ci/required-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | secureAPIToken: ${SECURE_API_TOKEN} 3 | clusterName: CI-Cluster 4 | -------------------------------------------------------------------------------- /charts/cloud-scanning/ci/required-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | secureAPIToken: ${SECURE_API_TOKEN} 3 | 4 | image: 5 | tag: master 6 | -------------------------------------------------------------------------------- /charts/registry-scanner/tests/ocp_test_values.yaml: -------------------------------------------------------------------------------- 1 | config: 2 | secureAPIToken: 11111111-2222-3333-4444-555555555555 3 | registryType: ocp 4 | 
-------------------------------------------------------------------------------- /charts/sysdig/ci/test-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | accessKey: ${SECURE_AGENT_TOKEN} 3 | 4 | nodeAnalyzer: 5 | apiEndpoint: secure.sysdig.com 6 | -------------------------------------------------------------------------------- /charts/kspm-collector/ci/test-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | accessKey: ${SECURE_AGENT_TOKEN} 3 | apiEndpoint: secure.sysdig.com 4 | clusterName: test 5 | -------------------------------------------------------------------------------- /charts/node-analyzer/ci/test-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | accessKey: ${SECURE_AGENT_TOKEN} 3 | nodeAnalyzer: 4 | apiEndpoint: secure.sysdig.com 5 | -------------------------------------------------------------------------------- /charts/node-analyzer/tests/default_required_values.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | sysdig: 3 | accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE" 4 | clusterName: "test" 5 | -------------------------------------------------------------------------------- /charts/cluster-scanner/ci/test-values.yaml.template: -------------------------------------------------------------------------------- 1 | global: 2 | clusterConfig: 3 | name: "test-cluster" 4 | sysdig: 5 | accessKey: ${SECURE_AGENT_TOKEN} 6 | -------------------------------------------------------------------------------- /charts/cloud-scanning/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cloud-scanning-0.4.0...cloud-scanning-0.4.1 4 | 
--------------------------------------------------------------------------------
/scripts/cluster-scanner/README.md:
--------------------------------------------------------------------------------
# Cluster Scanner Scripts

The folder contains scripts used to configure the Cluster Scanner to be used in
`multi` mode.
--------------------------------------------------------------------------------
/charts/admission-controller/ci/with-specific-url.yaml.template:
--------------------------------------------------------------------------------
# CI-only values for chart-testing. ${SECURE_API_TOKEN} is substituted from the
# pipeline environment before the chart is rendered; never commit a real token.
sysdig:
  secureAPIToken: ${SECURE_API_TOKEN}
  url: "https://secure.sysdig.com"
clusterName: CI-Cluster
--------------------------------------------------------------------------------
/charts/admission-controller/ci/deployment-with-port-on-443.template:
--------------------------------------------------------------------------------
# CI-only values exercising the webhook listening on port 443, so that the
# Service/port wiring for that configuration is covered by chart-testing.
sysdig:
  secureAPIToken: ${SECURE_API_TOKEN}
clusterName: CI-Cluster
webhook:
  http:
    port: 443
--------------------------------------------------------------------------------
/charts/cloud-bench/ci/required-values.yaml.template:
--------------------------------------------------------------------------------
# CI-only values. The AWS keys are deliberate dummies ("foo"/"bar") that only
# have to satisfy the chart's required-value checks at template time; they are
# not valid credentials.
aws:
  access_key_id: foo
  secret_access_key: bar
  region: us-east-1
sysdig:
  secureApiToken: ${SECURE_API_TOKEN}
--------------------------------------------------------------------------------
/charts/node-analyzer/ci/test-values-ssl.yaml.template:
--------------------------------------------------------------------------------
# CI-only values. sslVerifyCertificate=false disables TLS certificate
# verification towards apiEndpoint so the template path for that flag gets
# rendered and tested. Do NOT copy this into production values: without
# verification anything the analyzer sends to the endpoint can be intercepted
# by a man-in-the-middle.
sysdig:
  accessKey: ${SECURE_AGENT_TOKEN}
nodeAnalyzer:
  apiEndpoint: secure.sysdig.com
  sslVerifyCertificate: false
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
# What's Changed

####
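Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-stackdriver-bridge-1.2.0...sysdig-stackdriver-bridge-1.2.1
--------------------------------------------------------------------------------
/.github/labeler.yml:
--------------------------------------------------------------------------------
# actions/labeler configuration: a PR gets the "no-tests" label when it touches
# chart templates (docs, NOTES and README templates excluded) without touching
# any file under a chart's tests/ directory.
# NOTE(review): this is the bare `any`/`all` glob form used up to v4;
# actions/labeler v5 moved file globs under a `changed-files:` key -- confirm
# this config matches the labeler version pinned in .github/workflows/labeler.yml.
no-tests:
  - any:
      - 'charts/*/templates/**/*'
      - '!charts/**/*.md'
      - '!charts/**/*.txt'
      - '!charts/**/README.tpl'
    all:
      - '!charts/**/tests/*.yaml'
--------------------------------------------------------------------------------
/charts/cluster-shield/ci/region-values.yaml:
--------------------------------------------------------------------------------
---
# chart-testing values: access_key is a placeholder pattern, not a credential.
cluster_shield:
  cluster_config:
    name: "lint-cluster"
  sysdig_endpoint:
    access_key: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
    region: "us1"
--------------------------------------------------------------------------------
/charts/node-analyzer/ci/test-values-new-runtime.yaml.template:
--------------------------------------------------------------------------------
# CI-only values: enables the runtime and host scanners so their templates are
# rendered and installed by chart-testing.
sysdig:
  accessKey: ${SECURE_AGENT_TOKEN}
nodeAnalyzer:
  apiEndpoint: secure.sysdig.com
  runtimeScanner:
    deploy: true
  hostScanner:
    deploy: true
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
# Dependabot only tracks the GitHub Actions referenced by the workflows.
# Chart dependency and image versions appear to be bumped by the repository's
# own scripts/workflows instead (scripts/*-version-bump.sh, kubectl-update.yaml).
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    reviewers:
      - "draios/team-tools-agent"
    labels:
      - "dependencies"
--------------------------------------------------------------------------------
/charts/sysdig/scripts/appchecks2helm:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Emit a `customAppChecks:` values snippet that embeds every app-check file
# passed on the command line as a literal block scalar keyed by its basename:
#
#   ./appchecks2helm checks/redis.py checks/nginx.py > appchecks-values.yaml
#
# Lines are copied with printf rather than `echo -e`, so backslash sequences
# in the check source (e.g. "\n" inside a Python string literal) are emitted
# verbatim and the embedded file round-trips byte-for-byte. A file that is
# missing or unreadable aborts the run instead of producing an empty entry.
set -euo pipefail

echo "customAppChecks:"
for app_check in "$@"
do
  if [ ! -r "$app_check" ]; then
    echo "appchecks2helm: cannot read '$app_check'" >&2
    exit 1
  fi
  printf '  %s: |-\n' "$(basename -- "$app_check")"
  # IFS= and -r keep leading whitespace and backslashes intact; the `|| [ -n ]`
  # clause still emits a final line that lacks a trailing newline.
  while IFS= read -r line || [ -n "$line" ]
  do
    printf '    %s\n' "$line"
  done <"$app_check"
done
--------------------------------------------------------------------------------
/charts/sysdig/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for the agent pods. Only rendered when serviceAccount.create is
true; otherwise an existing account named by "sysdig.serviceAccountName" is
expected to be present in the release namespace.
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "sysdig.serviceAccountName" .}}
  labels:
{{ include "sysdig.labels" . | indent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/cluster-shield/ci/base-values.yaml:
--------------------------------------------------------------------------------
---
# chart-testing values: access_key is a placeholder pattern, not a credential.
cluster_shield:
  cluster_config:
    name: "lint-cluster"
  sysdig_endpoint:
    access_key: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
    api_url: "https://www.example.org"
    collector: "example.com:6443"
--------------------------------------------------------------------------------
/charts/cloud-connector/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: cloud-connector
description: Sysdig Cloud Connector

type: application
version: 0.8.8
appVersion: 0.16.48
home: https://sysdiglabs.github.io/cloud-connector

maintainers:
  - name: sysdiglabs
--------------------------------------------------------------------------------
/charts/sysdig-deploy/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
# CI-only values for the umbrella chart; both tokens are injected from the
# pipeline environment at render time.
global:
  clusterConfig:
    namespace: ""
  sysdig:
    accessKey: ${SECURE_AGENT_TOKEN}
    secureAPIToken: ${SECURE_API_TOKEN}
nodeAnalyzer:
  nodeAnalyzer:
    benchmarkRunner:
      deploy: false
--------------------------------------------------------------------------------
/charts/cluster-shield/ci/existing_secrets-values.yaml: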
-------------------------------------------------------------------------------- 1 | --- 2 | global: 3 | sysdig: 4 | accessKeySecret: "a-fake-secret-name" 5 | cluster_shield: 6 | cluster_config: 7 | name: "lint-cluster" 8 | sysdig_endpoint: 9 | api_url: "https://www.example.org" 10 | collector: "example.com:6443" 11 | -------------------------------------------------------------------------------- /charts/agent/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "agent.serviceAccountName" .}} 6 | namespace: {{ include "agent.namespace" . }} 7 | labels: 8 | {{ include "agent.labels" . | indent 4 }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/registry-scanner/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: registry-scanner 3 | description: Sysdig Registry Scanner 4 | type: application 5 | home: https://www.sysdig.com/ 6 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 7 | version: 1.4.0 8 | appVersion: 0.5.0 9 | maintainers: 10 | - name: sysdiglabs 11 | -------------------------------------------------------------------------------- /charts/sysdig/templates/kspmCollector/serviceaccount-kspm-collector.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.serviceAccount.create .Values.kspm.deploy }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "sysdig.serviceAccountName" .}}-kspm-collector 6 | labels: 7 | {{ include "sysdig.labels" . 
| indent 4 }} 8 | {{- end }} 9 | -------------------------------------------------------------------------------- /charts/sysdig/templates/serviceaccount-node-analyzer.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (include "deploy-na" .) .Values.nodeAnalyzer.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "sysdig.nodeAnalyzer.serviceAccountName" .}} 6 | labels: 7 | {{ include "sysdig.labels" . | indent 4 }} 8 | {{- end }} 9 | -------------------------------------------------------------------------------- /charts/rapid-response/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rapidResponse.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "rapidResponse.serviceAccountName" .}} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{ include "rapidResponse.labels" . 
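| indent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/charts/agent/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
# What's Changed

### Chores
- **ci** [e222f21d](https://github.com/sysdiglabs/charts/commit/e222f21de483926259c9574e4c2d9679681b9ddb): bump bitnami/kubectl image references ([#1892](https://github.com/sysdiglabs/charts/issues/1892))
#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.29.1...agent-1.29.2
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/templates/secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Secret carrying the key.json the bridge authenticates to Google with.
Only rendered when secret.create is true; otherwise a pre-existing Secret
named secret.name is expected to provide key.json. Note that with
secret.create=true the key material is passed in through Helm values
(.Values.secret.data) and therefore also ends up in the release record;
outside CI prefer secret.create=false with an externally managed Secret.
The namespace is pinned to the release namespace, like the other charts here.
*/}}
{{- if .Values.secret.create -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.secret.name }}
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "sysdig-stackdriver-bridge.labels" . | indent 4 }}
type: Opaque
data:
  key.json: {{ .Values.secret.data | b64enc | quote }}
{{- end }}
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- /*
OpenShift only (registryType=ocp): allows the scanner to request a
ServiceAccount token through the TokenRequest API -- presumably to
authenticate to the OpenShift internal registry; confirm against the scanner.

Security notes:
  * `create` on serviceaccounts/token with no resourceNames lets whatever
    subject is bound to this role mint tokens for ANY ServiceAccount in the
    bound scope. Bound through a ClusterRoleBinding that equals the combined
    privileges of every SA in the cluster. Bind it with a namespaced
    RoleBinding and/or add `resourceNames` for the SA(s) actually needed.
  * The object name is fixed rather than release-scoped, so a second release
    with registryType=ocp in the same cluster would collide with this one.
  * ClusterRole is cluster-scoped; metadata.namespace is meaningless on it
    (the API server drops it) and is intentionally not set.
*/}}
{{- if eq .Values.config.registryType "ocp" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: token-requestor
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
{{- end }}
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/role.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced permissions for the scanner: manage the Jobs it spawns and read
the resulting pods and their logs. No write access to pods, no exec, and no
access to Secrets is granted here.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "registry-scanner.fullname" . }}
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "delete", "watch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Renders cluster-shield.yaml from the "cluster-shield.configMap" helper.
Everything that helper emits lands in a ConfigMap, readable by any subject
with `get` on configmaps in the namespace -- keep credentials out of it (the
chart already supports global.sysdig.accessKeySecret for the access key).
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cluster-shield.configmapName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster-shield.labels" . | nindent 4 }}
data:
  cluster-shield.yaml: |
    {{- include "cluster-shield.configMap" . | nindent 4 }}
--------------------------------------------------------------------------------
/charts/registry-scanner/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
# What's Changed

### Chores
- **registry-scanner** [8aadffd0](https://github.com/sysdiglabs/charts/commit/8aadffd0460d8633d402a645ad4f3b4ac3f2c059): Update to v0.5.0 ([#1925](https://github.com/sysdiglabs/charts/issues/1925))
#### Full diff: https://github.com/sysdiglabs/charts/compare/registry-scanner-1.3.5...registry-scanner-1.4.0
--------------------------------------------------------------------------------
/.github/workflows/labeler.yml:
--------------------------------------------------------------------------------
name: PR Labeler

# pull_request_target runs in the context of the BASE branch with a token that
# can write pull-request metadata (needed to apply labels), including for PRs
# from forks. That is only safe while the job never checks out or executes
# PR-controlled code -- keep this workflow to the labeler step alone.
on:
  pull_request_target:
    branches: [main]

jobs:
  pr-label:
    # Least privilege: read the repository, write only PR metadata (labels).
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to the full commit SHA of the v5.0.0 release (tags
      # are mutable) and keep the version as a trailing comment so Dependabot
      # can still bump it.
      - uses: actions/labeler@v5.0.0
        with:
          repo-token: "${{ secrets.GITHUB_TOKEN }}"
--------------------------------------------------------------------------------
/charts/cluster-shield/RELEASE-NOTES.md: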
-------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### Chores 4 | - **cluster-shield** [c37ba855](https://github.com/sysdiglabs/charts/commit/c37ba8559c34eb3029b99f0b51aa6571d9538e22): Automatic bump to version 1.3.1 ([#1928](https://github.com/sysdiglabs/charts/issues/1928)) 5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.3.0...cluster-shield-1.3.1 6 | -------------------------------------------------------------------------------- /charts/kspm-collector/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### Chores 4 | - **ci** [e222f21d](https://github.com/sysdiglabs/charts/commit/e222f21de483926259c9574e4c2d9679681b9ddb): bump bitnami/kubectl image references ([#1892](https://github.com/sysdiglabs/charts/issues/1892)) 5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/kspm-collector-0.16.0...kspm-collector-0.16.1 6 | -------------------------------------------------------------------------------- /charts/kspm-collector/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.serviceAccount.create .Values.global.kspm.deploy }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "kspmCollector.serviceAccountName" .}} 6 | namespace: {{ include "kspmCollector.namespace" . }} 7 | labels: 8 | {{ include "kspmCollector.labels" . 
| indent 4 }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /scripts/chart-version-bump.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | set -e 4 | 5 | awk ' 6 | { 7 | if ($0 ~ /^version:/) 8 | { 9 | l = split($NF, v, "."); 10 | v[l]++; 11 | for (i=1; i Chart.yaml.2 18 | 19 | mv Chart.yaml.2 Chart.yaml 20 | -------------------------------------------------------------------------------- /charts/rapid-response/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### Chores 4 | - **rapid-response** [8595fe2d](https://github.com/sysdiglabs/charts/commit/8595fe2d91b52c9f041a9d50b0c9a5b0b9440ae4): bump rapid-response version to 0.4.7 ([#1931](https://github.com/sysdiglabs/charts/issues/1931)) 5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/rapid-response-0.9.8...rapid-response-0.9.9 6 | -------------------------------------------------------------------------------- /charts/cloud-scanning/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cloud-scanning 3 | description: Sysdig Cloud Scanning 4 | 5 | type: application 6 | version: 0.4.1 7 | appVersion: 0.11.3 8 | home: https://sysdiglabs.github.io/cloud-connector 9 | 10 | maintainers: 11 | - name: airadier 12 | email: alvaro.iradier@sysdig.com 13 | - name: nestorsalceda 14 | email: nestor.salceda@sysdig.com 15 | -------------------------------------------------------------------------------- /charts/cluster-scanner/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### Chores 4 | - **cluster-scanner** [58b07db7](https://github.com/sysdiglabs/charts/commit/58b07db717d86d676979717da0018e9479d5f929): Update cluster scanner to v0.9.3 
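([#1880](https://github.com/sysdiglabs/charts/issues/1880))
#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-scanner-0.14.1...cluster-scanner-0.14.2
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Non-secret runtime settings for the Harbor scanner adapter. Both values are
piped through `quote` so they always render as YAML strings: ConfigMap data
values must be strings, and an unset sysdig.secure.url would otherwise render
as a bare `sysdig_secure_url:` (YAML null). The Secure API token is not placed
in this ConfigMap (see the chart's secret.yaml).
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
data:
  sysdig_secure_url: {{ .Values.sysdig.secure.url | quote }}
  async_mode_enabled: {{ .Values.asyncMode.enabled | quote }}
--------------------------------------------------------------------------------
/charts/admission-controller/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
# What's Changed

### Chores
- **admission-controller** [cb767c33](https://github.com/sysdiglabs/charts/commit/cb767c33699478121191eb221fe3a451706f41c1): Update to v3.9.47 ([#1866](https://github.com/sysdiglabs/charts/issues/1866))
#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.16.5...admission-controller-0.16.6
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/priorityclass.yaml:
--------------------------------------------------------------------------------
{{- /*
Optional PriorityClass for the cluster-shield pods (createPriorityClass).
globalDefault stays false so this never silently becomes the cluster-wide
default priority; preemptionPolicy is the Kubernetes default, spelled out
explicitly.
*/}}
{{- if .Values.createPriorityClass }}
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: {{ include "cluster-shield.priorityClassName" . }}
value: {{ .Values.priorityClassValue }}
preemptionPolicy: PreemptLowerPriority
globalDefault: false
description: "Sysdig cluster-shield priority"
{{- end }}
--------------------------------------------------------------------------------
/charts/cloud-connector/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
# What's Changed

### New Features
- **sysdig-deploy** [49fe006f](https://github.com/sysdiglabs/charts/commit/49fe006fb0ff206c7b566a45bfa5f71713d5ad0a): Add prerequisite information on the chart ([#1468](https://github.com/sysdiglabs/charts/issues/1468))
#### Full diff: https://github.com/sysdiglabs/charts/compare/cloud-connector-0.8.7...cloud-connector-0.8.8
--------------------------------------------------------------------------------
/charts/sysdig-deploy/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
# What's Changed

### Chores
- **sysdig-deploy** [63370aef](https://github.com/sysdiglabs/charts/commit/63370aef336d83b237db98f0471e8856c074bdaa): Automatic version bump due to updated dependencies ([#1932](https://github.com/sysdiglabs/charts/issues/1932))
#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.64.7...sysdig-deploy-1.64.8
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/Chart.yaml:
--------------------------------------------------------------------------------
# NOTE: apiVersion v1 is the Helm 2 chart format. Helm 3 still installs it, but
# Chart.yaml features such as `type:` or `dependencies:` need apiVersion v2.
apiVersion: v1
description: Sysdig IBM MCM Nav Menu integration
name: sysdig-mcm-navmenu
version: 1.2.0
appVersion: 1.0.0
home: https://www.sysdig.com/
icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png
maintainers:
  - name: airadier
    email: alvaro.iradier@sysdig.com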
-------------------------------------------------------------------------------- /charts/cloud-bench/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "cloud-bench.serviceAccountName" . }} 6 | labels: 7 | {{- include "cloud-bench.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/cluster-scanner/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cluster-scanner 3 | description: Sysdig Cluster Scanner 4 | 5 | type: application 6 | version: 0.14.2 7 | appVersion: "0.1.0" 8 | home: https://www.sysdig.com/ 9 | 10 | maintainers: 11 | - name: sysdiglabs 12 | dependencies: 13 | - name: common 14 | # repository: https://charts.sysdig.com 15 | repository: file://../common 16 | version: ~1.3.1 17 | -------------------------------------------------------------------------------- /charts/kspm-collector/tests/conditional_flag_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test conditional flags and its dependent changes 2 | templates: 3 | - serviceaccount.yaml 4 | tests: 5 | - it: check global kspm deploy 6 | set: 7 | global: 8 | kspm: 9 | deploy: true 10 | clusterName: test-cluster 11 | asserts: 12 | - containsDocument: 13 | kind: ServiceAccount 14 | apiVersion: v1 15 | -------------------------------------------------------------------------------- /charts/node-analyzer/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### Bug Fixes 4 | - **node-analyzer** 
[f6252060](https://github.com/sysdiglabs/charts/commit/f62520608ef424b423b5aeaf9df60b5b82de6d42): enable eve-integration when eveConnector is deployed [SSPROD-18967] ([#1927](https://github.com/sysdiglabs/charts/issues/1927)) 5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/node-analyzer-1.31.5...node-analyzer-1.31.6 6 | -------------------------------------------------------------------------------- /charts/rapid-response/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "rapidResponse.fullname" . }}-config 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{ include "rapidResponse.labels" . | indent 4 }} 8 | data: 9 | api_endpoint: https://{{ include "rapidResponse.apiEndpoint" . }} 10 | skip_tls_check: "{{ include "rapidResponse.certificateValidation" . }}" 11 | -------------------------------------------------------------------------------- /charts/sysdig/templates/configmap-custom-app-checks.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.customAppChecks }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }}-custom-app-checks 6 | labels: 7 | {{ include "sysdig.labels" . 
| indent 4 }} 8 | data: 9 | {{- range $file, $content := .Values.customAppChecks }} 10 | {{ $file }}: |- 11 | {{ $content | indent 4}} 12 | {{- end }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/agent/tests/captures_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test captures settings 2 | templates: 3 | - templates/configmap.yaml 4 | tests: 5 | - it: Checking disabling captures 6 | set: 7 | sysdig: 8 | disableCaptures: true 9 | asserts: 10 | - matchRegex: 11 | path: data['dragent.yaml'] 12 | pattern: | 13 | sysdig_capture_enabled: false 14 | template: templates/configmap.yaml 15 | -------------------------------------------------------------------------------- /charts/cloud-scanning/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "cloud-scanning.serviceAccountName" . }} 6 | labels: 7 | {{- include "cloud-scanning.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/sysdig/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### New Features 4 | - **sysdig,hostAnalyzer** [a8e1124b](https://github.com/sysdiglabs/charts/commit/a8e1124bfb668e9f9d04095c26d6ada0235cda04): Update legacy engine HostAnalyzer to v0.1.19 components with security updates ([#1601](https://github.com/sysdiglabs/charts/issues/1601)) 5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.37.15...sysdig-1.16.25 6 | -------------------------------------------------------------------------------- /charts/cloud-connector/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "cloud-connector.serviceAccountName" . }} 6 | labels: 7 | {{- include "cloud-connector.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/registry-scanner/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "registry-scanner.serviceAccountName" . }} 6 | labels: 7 | {{- include "registry-scanner.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/agent/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ include "agent.fullname" . }} 6 | namespace: {{ include "agent.namespace" . }} 7 | rules: 8 | - apiGroups: 9 | - coordination.k8s.io 10 | resources: 11 | - leases 12 | verbs: 13 | - create 14 | - get 15 | - list 16 | - update 17 | - watch 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/common/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### New Features 4 | - **common,admission-controller,agent,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [07abc204](https://github.com/sysdiglabs/charts/commit/07abc204fd61e4692b48cf36babf0eecae6d154b): Add support for the in1 region ([#1847](https://github.com/sysdiglabs/charts/issues/1847)) 5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/common-1.3.0...common-1.3.1 6 | -------------------------------------------------------------------------------- /charts/registry-scanner/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: {{ include "registry-scanner.fullname" .}} 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: {{ include "registry-scanner.fullname" . }} 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ include "registry-scanner.serviceAccountName" . 
}} 12 | namespace: {{ .Release.Namespace }} 13 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /charts/cloud-bench/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cloud-bench 3 | description: Sysdig Cloud Bench 4 | 5 | type: application 6 | version: 0.3.0 7 | appVersion: 0.1.0 8 | home: https://sysdig.com 9 | icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png 10 | 11 | maintainers: 12 | - name: yathi-sysdig 13 | email: yathindra.naik@sysdig.com 14 | - name: airadier 15 | email: alvaro.iradier@sysdig.com 16 | -------------------------------------------------------------------------------- /charts/admission-controller/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /charts/cloud-bench/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "cloud-bench.fullname" . }} 5 | labels: 6 | {{- include "cloud-bench.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "cloud-bench.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "harbor-scanner-sysdig-secure.serviceAccountName" . 
}} 6 | labels: 7 | {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /charts/agent/templates/configmap-local-forwarder.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.localForwarder.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "agent.localForwarderConfigMapName" . }} 6 | namespace: {{ include "agent.namespace" . }} 7 | labels: 8 | {{ (include "agent.labels" .) | indent 4 }} 9 | data: 10 | local_forwarder_config.yaml: | 11 | integrations: 12 | {{- toYaml .Values.localForwarder.integrations | nindent 6 }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/cloud-scanning/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/cluster-shield/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "cluster-shield.fullname" . 
}} 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: {{ include "cluster-shield.fullname" . }} 9 | subjects: 10 | - kind: ServiceAccount 11 | namespace: {{ .Release.Namespace }} 12 | name: {{ include "cluster-shield.serviceAccountName" . }} 13 | -------------------------------------------------------------------------------- /charts/kspm-collector/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/serviceaccount-node-analyzer.yaml: -------------------------------------------------------------------------------- 1 | {{- if not (include "nodeAnalyzer.gke.autopilot" .) }} 2 | {{- if and (include "deploy-na" .) .Values.nodeAnalyzer.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "nodeAnalyzer.serviceAccountName" .}} 7 | namespace: {{ include "nodeAnalyzer.namespace" . }} 8 | labels: 9 | {{ include "nodeAnalyzer.labels" . | indent 4 }} 10 | {{- end }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/rapid-response/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/rapid-response/ci/test-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | accessKey: ${SECURE_AGENT_TOKEN} 3 | rapidResponse: 4 | apiEndpoint: secure.sysdig.com 5 | passphrase: "test-passphrase" 6 | tests: 7 | rbac: 8 | # true here enables creation of rbac resources 9 | create: true 10 | serviceAccount: 11 | # true here enables creation of service account 12 | create: true 13 | # Use this value as kspmCollectorServiceAccountName 14 | name: "rapid-response" 15 | -------------------------------------------------------------------------------- /charts/sysdig/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.auditLog.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }} 6 | labels: 7 | {{ include "sysdig.labels" . | indent 4 }} 8 | spec: 9 | selector: 10 | app.kubernetes.io/name: {{ include "sysdig.name" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | ports: 13 | - protocol: TCP 14 | port: {{ .Values.auditLog.auditServerPort }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/cloud-connector/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/cloud-scanning/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "cloud-scanning.fullname" . }} 5 | labels: 6 | {{- include "cloud-scanning.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "cloud-scanning.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: {{ include "cluster-scanner.fullname" . }} 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: {{ include "cluster-scanner.fullname" . }} 9 | subjects: 10 | - kind: ServiceAccount 11 | namespace: {{ .Release.Namespace }} 12 | name: {{ include "cluster-scanner.serviceAccountName" . }} 13 | -------------------------------------------------------------------------------- /charts/registry-scanner/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | 3 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "harbor-scanner-sysdig-secure.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 4 | echo "Visit http://127.0.0.1:5000 to use your application" 5 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 5000:5000 6 | -------------------------------------------------------------------------------- /charts/registry-scanner/ci/test-aws-org-values.yaml.template.disabled: -------------------------------------------------------------------------------- 1 | config: 2 | secureAPIToken: ${SECURE_API_TOKEN} 3 | registryType: artifactory 4 | registryURL: ${SYSDIG_JFROG_SAAS_QA_URL} 5 | registryApiUrl: ${SYSDIG_JFROG_SAAS_QA_API_URL} 6 | registryUser: ${SYSDIG_JFROG_SAAS_QA_USER} 7 | registryPassword: ${SYSDIG_JFROG_SAAS_QA_TOKEN} 8 | filter: 9 | include: 'alpine:3.1' 10 | exclude: '.*' 11 | scanOnStart: 12 | enabled: true 13 | asPostInstallHook: true 14 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "cluster-scanner.serviceAccountName" . 
}}
6 |   namespace: {{ include "cluster-scanner.namespace" . }}
7 |   labels:
8 |     {{- include "cluster-scanner.labels" . | nindent 4 }}
9 |   {{- with .Values.serviceAccount.annotations }}
10 |   annotations:
11 |     {{- toYaml . | nindent 4 }}
12 |   {{- end }}
13 | {{- end }}
14 |
-------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/.helmignore: --------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 |
-------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/Chart.yaml: --------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: harbor-scanner-sysdig-secure
3 | description: Harbor Scanner for Sysdig Secure
4 | type: application
5 | version: 0.8.0
6 | appVersion: 0.8.0
7 | home: https://github.com/sysdiglabs/harbor-scanner-sysdig-secure
8 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
9 | maintainers:
10 |   - name: aaronm-sysdig
11 |     email: aaron.miles@sysdig.com
12 |   - name: Jujuyeh
13 |     email: paul.hodgetts@sysdig.com
14 |
-------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/templates/secret.yaml: --------------------------------------------------------------------------------
1 | {{- if .Values.sysdig.secure.apiToken }}
# Secret carrying the Sysdig Secure API token; b64enc produces the base64 form the
# Secret "data" field expects, and quote keeps the result a YAML string.
# NOTE(review): the surrounding "if" means this document is rendered only when
# .Values.sysdig.secure.apiToken is truthy, so the "required" guard on the data line
# below can never fail: an unset token silently yields no Secret at all instead of
# aborting the install. Confirm which behaviour is intended; if the token is mandatory
# the "if" should go, and if it is legitimately optional, say where the token comes
# from in that case.
2 | apiVersion: v1
3 | kind: Secret
4 | metadata:
5 |   name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
6 |   labels:
7 |     {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
8 | type: Opaque
9 | data:
10 |   sysdig_secure_api_token: {{ required "A valid .Values.sysdig.secure.apiToken is required" .Values.sysdig.secure.apiToken | b64enc | quote }}
11 | {{- end }}
12 |
-------------------------------------------------------------------------------- /charts/registry-scanner/ci/test-jfrog-saas-values.yaml.template.disabled: --------------------------------------------------------------------------------
# CI-only values template (note the ".disabled" suffix, so it is not currently picked
# up). The ${...} placeholders are presumably substituted from the CI environment before
# helm runs -- TODO confirm; no credential literal is stored in the repository here.
1 | config:
2 |   secureAPIToken: ${SECURE_API_TOKEN}
3 |   registryType: artifactory
4 |   registryURL: ${SYSDIG_JFROG_SAAS_QA_URL}
5 |   registryApiUrl: ${SYSDIG_JFROG_SAAS_QA_API_URL}
6 |   registryUser: ${SYSDIG_JFROG_SAAS_QA_USER}
7 |   registryPassword: ${SYSDIG_JFROG_SAAS_QA_TOKEN}
8 |   filter:
9 |     include: 'alpine:3.1'
10 |     exclude: '.*'
11 | scanOnStart:
12 |   enabled: true
13 |   asPostInstallHook: true
14 |
-------------------------------------------------------------------------------- /charts/sysdig-stackdriver-bridge/.helmignore: --------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/sysdig/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: 12.17.1 3 | deprecated: true 4 | description: Sysdig Monitor and Secure agent 5 | home: https://www.sysdig.com/ 6 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 7 | keywords: 8 | - monitoring 9 | - security 10 | - alerting 11 | - metric 12 | - troubleshooting 13 | - run-time 14 | name: sysdig 15 | sources: 16 | - https://app.sysdigcloud.com/#/settings/user 17 | - https://github.com/draios/sysdig 18 | version: 1.16.25 19 | -------------------------------------------------------------------------------- /charts/cluster-shield/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: {{ include "cluster-shield.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: Role 9 | name: {{ include "cluster-shield.fullname" . }} 10 | subjects: 11 | - kind: ServiceAccount 12 | namespace: {{ .Release.Namespace }} 13 | name: {{ include "cluster-shield.serviceAccountName" . }} 14 | -------------------------------------------------------------------------------- /charts/cluster-shield/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | ci/ 25 | tests/ 26 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### New Features 4 | - **harbor-scanner-sysdig-secure** [79e4c75a](https://github.com/sysdiglabs/charts/commit/79e4c75a2b891425fe63ca98707798fdb6983d53): Pump Harbor scanner version ([#1751](https://github.com/sysdiglabs/charts/issues/1751)) ([#1752](https://github.com/sysdiglabs/charts/issues/1752)) 5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/harbor-scanner-sysdig-secure-0.5.1...harbor-scanner-sysdig-secure-0.8.0 6 | -------------------------------------------------------------------------------- /charts/admission-controller/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: admission-controller 3 | description: Sysdig Admission Controller using Sysdig Secure inline image scanner 4 | type: application 5 | version: 0.16.6 6 | appVersion: 3.9.47 7 | home: https://sysdiglabs.github.io/admission-controller/ 8 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 9 | maintainers: 10 | - name: sysdiglabs 11 | dependencies: 12 | - name: common 13 | repository: file://../common 14 | version: ~1.3.1 15 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml: -------------------------------------------------------------------------------- 1 | # Warning! This file is for internal tests only. 
2 | {{- if .Values.webhook.acConfig }} 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: admissioncontrollerconfigmap 7 | namespace: {{ include "admissionController.namespace" . }} 8 | labels: 9 | {{ include "admissionController.webhook.labels" . | nindent 4 }} 10 | data: 11 | acConfig: | 12 | {{ .Values.webhook.acConfig | nindent 4 }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/agent/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | #Sysdig Specific 25 | /tests/ 26 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # request review from agent team members for changes to sysdig chart 2 | /charts/sysdig/ @sysdiglabs/team-tools-agent 3 | /charts/agent/ @sysdiglabs/team-tools-agent 4 | /charts/sysdig-deploy/ @sysdiglabs/team-tools-agent 5 | 6 | /charts/admission-controller @sysdiglabs/cloud-native 7 | /charts/cloud-connector @sysdiglabs/cloud-native 8 | /charts/cloud-scanning @sysdiglabs/cloud-native 9 | /charts/registry-scanner @sysdiglabs/cloud-native @sysdiglabs/vm-scanners 10 | -------------------------------------------------------------------------------- /charts/sysdig-deploy/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | # Sysdig Specific 25 | /tests/ 26 | -------------------------------------------------------------------------------- /charts/cloud-bench/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "cloud-bench.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "cloud-bench.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "cloud-bench.fullname" . }}:{{ .Values.service.port }}/health'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "cluster-scanner.fullname" . 
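}} 5 | rules: 6 | - apiGroups: ["", "apps", "batch", "extensions"] 7 | resources: 8 | - "deployments" 9 | - "replicasets" 10 | - "daemonsets" 11 | - "statefulsets" 12 | - "pods" 13 | - "cronjobs" 14 | - "jobs" 15 | - "nodes" 16 | - "namespaces" 17 | - "secrets" # NOTE(review): cluster-wide get/list/watch on every Secret with no resourceNames or namespace scoping; presumably needed for registry pull credentials (confirm), but anyone who obtains this ServiceAccount's token can dump all cluster secrets, so keep the scanner's pod hardened and narrow this if only pull secrets are required. 18 | verbs: ["get", "list", "watch"] 19 | -------------------------------------------------------------------------------- /charts/agent/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ include "agent.fullname" .}} 6 | namespace: {{ include "agent.namespace" . }} 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: Role 10 | name: {{ include "agent.fullname" . }} 11 | subjects: 12 | - kind: ServiceAccount 13 | name: {{ include "agent.serviceAccountName" . }} 14 | namespace: {{ include "agent.namespace" . }} # NOTE(review): was .Release.Namespace; the binding itself (line 6) and the sibling clusterrolebinding.yaml resolve the namespace through the "agent.namespace" helper, so the subject must too, otherwise the Role is granted to a ServiceAccount in the wrong namespace whenever the helper's value differs from the release namespace. Identical output when they match. 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/agent/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.auditLog.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "agent.fullname" . }} 6 | namespace: {{ include "agent.namespace" . }} 7 | labels: 8 | {{ include "agent.labels" . | indent 4 }} 9 | spec: 10 | selector: 11 | app.kubernetes.io/name: {{ include "agent.name" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | ports: 14 | - protocol: TCP 15 | port: {{ .Values.auditLog.auditServerPort }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/cluster-scanner/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 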
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | # Unittests and CI 25 | ci/ 26 | tests/ 27 | -------------------------------------------------------------------------------- /charts/cloud-connector/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "cloud-connector.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "cloud-connector.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "cloud-connector.fullname" . }}:{{ .Values.service.port }}/health'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /charts/cloud-scanning/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "cloud-scanning.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "cloud-scanning.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "cloud-scanning.fullname" . 
}}:{{ .Values.service.port }}/health'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "harbor-scanner-sysdig-secure.fullname" . }} 5 | labels: 6 | {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "harbor-scanner-sysdig-secure.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: {{ include "cluster-scanner.fullname" . }} 5 | namespace: {{ include "cluster-scanner.namespace" . }} 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: Role 9 | name: {{ include "cluster-scanner.fullname" . }} 10 | subjects: 11 | - kind: ServiceAccount 12 | namespace: {{ include "cluster-scanner.namespace" . }} 13 | name: {{ include "cluster-scanner.serviceAccountName" . }} 14 | -------------------------------------------------------------------------------- /charts/registry-scanner/templates/job.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.scanOnStart.enabled true }} 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: "{{ .Values.scanOnStart.jobName }}" 6 | labels: 7 | {{ include "registry-scanner.labels" . | indent 4 }} 8 | {{- include "registry-scanner.customLabels" . 
| nindent 4 }} 9 | {{- if .Values.scanOnStart.asPostInstallHook}} 10 | annotations: 11 | "helm.sh/hook": post-install 12 | {{- end }} 13 | spec: 14 | {{- include "registry-scanner.jobTemplate" . | indent 2}} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccounts.webhook.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "admissionController.webhook.serviceAccountName" . }} 6 | namespace: {{ include "admissionController.namespace" . }} 7 | labels: 8 | {{ include "admissionController.webhook.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccounts.webhook.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/cluster-shield/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cluster-shield 3 | description: Cluster Shield Helm Chart for Kubernetes 4 | type: application 5 | version: 1.3.1 6 | appVersion: "1.3.1" 7 | maintainers: 8 | - name: AlbertoBarba 9 | email: alberto.barba@sysdig.com 10 | - name: aroberts87 11 | email: adam.roberts@sysdig.com 12 | - name: francesco-furlan 13 | email: francesco.furlan@sysdig.com 14 | - name: iurly 15 | email: gerlando.falauto@sysdig.com 16 | - name: mavimo 17 | email: marcovito.moscaritolo@sysdig.com 18 | -------------------------------------------------------------------------------- /charts/registry-scanner/ci/test-aws-single-values.yaml.template: -------------------------------------------------------------------------------- 1 | config: 2 | secureAPIToken: ${SECURE_API_TOKEN} 3 | registryType: ecr 4 | registryURL: 
${SYSDIG_AWS_QA_TARGET_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com 5 | aws: 6 | region: us-east-1 7 | accessKeyId: ${SYSDIG_AWS_QA_CNT_ACCOUNT_ACCESS_KEY_ID} 8 | secretAccessKey: ${SYSDIG_AWS_QA_CNT_ACCOUNT_SECRET_ACCESS_KEY} # NOTE(review): substituted from the CI environment at test time; the rendered values file then holds a static IAM key pair, so it must never be committed or uploaded as a build artifact, and the CI identity should be limited to read access on the one test repository below. 9 | filter: 10 | include: 'do-not-delete-reg-scanner-1:latest' 11 | exclude: '.*' 12 | scanOnStart: 13 | enabled: true 14 | asPostInstallHook: true 15 | -------------------------------------------------------------------------------- /charts/cloud-bench/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "cloud-bench.fullname" . }} 5 | labels: 6 | {{- include "cloud-bench.labels" . | nindent 4 }} 7 | data: # NOTE(review): the key "bechmarkType" below looks like a typo of "benchmarkType" (its value comes from .Values.benchmarkType); confirm which key the cloud-bench binary actually reads before renaming it, because if the binary expects "benchmarkType" the configured benchmark type is silently ignored today. 8 | cloud-bench.yaml: | 9 | secureURL: {{ toYaml .Values.secureURL }} 10 | logLevel: {{ toYaml .Values.logLevel }} 11 | schedule: {{ toYaml .Values.schedule }} 12 | bechmarkType: {{ toYaml .Values.benchmarkType }} 13 | outputDir: {{ toYaml .Values.outputDir }} 14 | policyFile: {{ toYaml .Values.policyFile }} 15 | -------------------------------------------------------------------------------- /charts/sysdig/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "sysdig.fullname" .}} 6 | labels: 7 | {{ include "sysdig.labels" . 
| indent 4 }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "sysdig.serviceAccountName" .}} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: ClusterRole 14 | name: {{ template "sysdig.fullname" .}} 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/agent/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "agent.fullname" .}} 6 | labels: 7 | {{ include "agent.labels" . | indent 4 }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "agent.serviceAccountName" .}} 11 | namespace: {{ include "agent.namespace" . }} 12 | roleRef: 13 | kind: ClusterRole 14 | name: {{ template "agent.fullname" .}} 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/cluster-scanner/doc.yaml: -------------------------------------------------------------------------------- 1 | project: 2 | name: Sysdig Cluster Scanner 3 | shortName: Cluster Scanner 4 | url: https://docs.sysdig.com/en/docs/sysdig-secure/scanning 5 | description: This chart deploys the Sysdig Cluster Scanner in your Kubernetes cluster. 
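6 | app: the Sysdig Cluster Scanner 7 | repository: 8 | url: https://charts.sysdig.com 9 | name: sysdig 10 | chart: 11 | name: cluster-scanner # NOTE(review): was "admission-controller", a copy-paste leftover in the Cluster Scanner's own doc metadata; anything generated from this file (presumably the README install command) would have pointed users at the wrong chart. 12 | prerequisites: 13 | - "Helm 3.6" 14 | - "Sysdig AccessKey" 15 | 16 | release: 17 | name: cluster-scanner 18 | namespace: sysdig 19 | -------------------------------------------------------------------------------- /charts/cluster-shield/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "cluster-shield.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "cluster-shield.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.labels }} 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- with .Values.serviceAccount.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/priorityclass.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.nodeAnalyzer.createPriorityClass }} 2 | apiVersion: scheduling.k8s.io/v1 3 | kind: PriorityClass 4 | metadata: 5 | name: {{ required "priorityClassName is required when specifying createPriorityClass" .Values.nodeAnalyzer.priorityClassName }} 6 | value: {{ required "priorityClassValue is required when specifying createPriorityClass" .Values.nodeAnalyzer.priorityClassValue }} 7 | preemptionPolicy: PreemptLowerPriority 8 | globalDefault: false 9 | description: "Sysdig Node Analyzer DaemonSet PriorityClass" 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/cloud-connector/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 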
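v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "cloud-connector.fullname" . }} 5 | labels: 6 | {{- include "cloud-connector.labels" . | nindent 4 }} 7 | {{- with .Values.service.labels }} 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | spec: 11 | type: {{ .Values.service.type }} 12 | ports: 13 | - port: {{ .Values.service.port }} 14 | targetPort: http 15 | protocol: TCP 16 | name: http 17 | selector: 18 | {{- include "cloud-connector.selectorLabels" . | nindent 4 }} 19 | -------------------------------------------------------------------------------- /charts/kspm-collector/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "kspmCollector.fullname" .}} 6 | labels: 7 | {{ include "kspmCollector.labels" . | indent 4 }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "kspmCollector.serviceAccountName" .}} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: ClusterRole 14 | name: {{ template "kspmCollector.fullname" .}} 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/registry-scanner/ci/test-aws-org-values.yaml.template: -------------------------------------------------------------------------------- 1 | config: 2 | secureAPIToken: ${SECURE_API_TOKEN} 3 | registryType: ecr 4 | aws: 5 | accessKeyId: ${SYSDIG_AWS_QA_CNT_ACCOUNT_ACCESS_KEY_ID} 6 | secretAccessKey: ${SYSDIG_AWS_QA_CNT_ACCOUNT_SECRET_ACCESS_KEY} # NOTE(review): substituted from the CI environment; the rendered file holds a static IAM key pair plus the role ARN it may assume, so never commit or upload it, and scope the CI identity to the one test repository in the filter below. 7 | managementAccountRoleARN: ${SYSDIG_AWS_QA_REG_MANAGEMENT_ROLE_ARN} 8 | allowListMemberAccountIDs: 9 | - "${SYSDIG_AWS_QA_TARGET_ACCOUNT_ID}" # NOTE(review): the original line ended in a stray apostrophe (…ACCOUNT_ID}') which YAML keeps as part of the plain scalar, so the allow-list entry carried a trailing quote and would not match the real account ID; quoting the whole value also keeps a 12-digit account ID a string instead of a YAML integer. 10 | filter: 11 | include: 'do-not-delete-reg-scanner-1:latest' 12 | exclude: '.*' 13 | scanOnStart: 14 | enabled: true 15 | asPostInstallHook: true 16 | 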
-------------------------------------------------------------------------------- /charts/admission-controller/templates/scanner/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.scanner.enabled -}} 2 | {{- if .Values.serviceAccounts.scanner.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "admissionController.scanner.serviceAccountName" . }} 7 | namespace: {{ include "admissionController.namespace" . }} 8 | labels: 9 | {{- include "admissionController.scanner.labels" . | nindent 4 }} 10 | {{- with .Values.serviceAccounts.scanner.annotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ include "admissionController.webhook.fullname" . }} 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: {{ include "admissionController.webhook.fullname" . }} 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ include "admissionController.webhook.serviceAccountName" . }} 13 | namespace: {{ include "admissionController.namespace" . 
}} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /charts/agent/templates/priorityclass.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.createPriorityClass .Values.gke.createPriorityClass }} 2 | apiVersion: scheduling.k8s.io/v1 3 | kind: PriorityClass 4 | metadata: 5 | {{- if and (or .Values.gke.createPriorityClass .Values.createPriorityClass) (not .Values.priorityClassName) }} 6 | {{ $_ := set .Values "priorityClassName" "sysdig-daemonset-priority" }} 7 | {{- end }} 8 | name: {{ .Values.priorityClassName }} 9 | value: {{ .Values.priorityClassValue }} 10 | preemptionPolicy: PreemptLowerPriority 11 | globalDefault: false 12 | description: "Sysdig DaemonSet priority" 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/cloud-bench/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### New Features 4 | - **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) 5 | 6 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cloud-bench-0.2.3...cloud-bench-0.3.0 7 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/scanner/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.scanner.psp.create (include "admissionController.kubeVersionLessThan" (dict "root" . 
"major" 1 "minor" 25)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ include "admissionController.scanner.fullname" . }} 6 | namespace: {{ include "admissionController.namespace" . }} 7 | rules: 8 | - apiGroups: 9 | - policy 10 | resourceNames: 11 | - {{ include "admissionController.scanner.fullname" . }} 12 | resources: 13 | - podsecuritypolicies 14 | verbs: 15 | - use 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "harbor-scanner-sysdig-secure.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "harbor-scanner-sysdig-secure.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}/health'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
12 | */}} 13 | {{- define "fullname" -}} 14 | {{- $name := default .Chart.Name .Values.nameOverride -}} 15 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/RELEASE-NOTES.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | 3 | ### New Features 4 | - **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) 5 | 6 | #### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-mcm-navmenu-1.0.4...sysdig-mcm-navmenu-1.2.0 7 | -------------------------------------------------------------------------------- /charts/sysdig/templates/clusterrolebinding-node-analyzer.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (include "deploy-na" .) .Values.rbac.create }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "sysdig.fullname" .}}-node-analyzer 6 | labels: 7 | {{ include "sysdig.labels" . 
| indent 4 }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "sysdig.nodeAnalyzer.serviceAccountName" .}} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: ClusterRole 14 | name: {{ template "sysdig.fullname" .}}-node-analyzer 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create }} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "harbor-scanner-sysdig-secure.fullname" . }} 6 | labels: 7 | {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ include "harbor-scanner-sysdig-secure.serviceAccountName" . }} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: Role 14 | name: {{ include "harbor-scanner-sysdig-secure.fullname" . }} 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/sysdig/templates/runtimeScanner/sysdig-eve-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (not .Values.gke.autopilot) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: sysdig-eve-secret 7 | labels: 8 | {{ include "sysdig.labels" . | indent 4 }} 9 | type: Opaque 10 | data: 11 | endpoint: {{ include "eveconnector.host" . | printf "https://%s" | b64enc | quote }} 12 | token: {{ include "eveconnector.token" . 
}} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/registrymirror.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.imageSbomExtractor.mirrors -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors 6 | namespace: {{ include "cluster-scanner.namespace" . }} 7 | labels: 8 | {{- include "cluster-scanner.labels" . | nindent 4 }} 9 | data: # NOTE(review): this renders a Docker daemon.json; every host listed in "insecure-registries" is contacted over plain HTTP or with TLS verification disabled, so images pulled from it for SBOM extraction can be swapped in transit and the SBOM/vulnerability result is only as trustworthy as the network path. Keep it empty outside lab clusters and trust the registry's CA instead. 10 | daemon.json: |- 11 | { 12 | "registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }}, 13 | "insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }} 14 | } 15 | {{- end -}} 16 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/values.yaml: -------------------------------------------------------------------------------- 1 | replicaCount: 1 2 | 3 | image: 4 | repository: nginx 5 | tag: 1.17-alpine # NOTE(review): a several-years-old nginx mainline tag that no longer receives fixes; the proxy fronts the Sysdig UI menu, so track a current tag (ideally pinned by digest) and rebuild on a schedule. 6 | pullPolicy: IfNotPresent 7 | 8 | service: 9 | name: sysdig-navmenu-proxy 10 | type: ClusterIP 11 | externalPort: 8080 12 | internalPort: 80 13 | secureMenuId: administer-mcm 14 | monitorMenuId: monitor 15 | 16 | # Set to true if using Sysdig Secure and Monitor SaaS 17 | saas: true 18 | # If saas is false, set your on-prem base URL (omit trailing slash) 19 | sysdigURL: https://HOSTNAME 20 | # Provide the companyName used in Sysdig platform (ask your admin or sales for this value) for OpenID Connect SSO 21 | companyName: "" 22 | -------------------------------------------------------------------------------- /charts/sysdig/templates/kspmCollector/clusterrolebinding-kspm-collector.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.kspm.deploy }} 2 | kind: ClusterRoleBinding 3 | apiVersion: 
rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "sysdig.fullname" .}}-kspm-collector 6 | labels: 7 | {{ include "sysdig.labels" . | indent 4 }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "sysdig.serviceAccountName" .}}-kspm-collector 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | kind: ClusterRole 14 | name: {{ template "sysdig.fullname" .}}-kspm-collector 15 | apiGroup: rbac.authorization.k8s.io 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/sysdig/templates/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.psp.create (include "sysdig.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }} 6 | spec: # NOTE(review): this policy is effectively unrestricted — privileged, every capability, host PID/IPC/network, any host port, any volume type, any uid/SELinux/fsGroup. The agent's kernel instrumentation needs this, but any subject granted "use" on it can run as root on every node, so bind it only to the agent ServiceAccount (the Role/RoleBinding that does so is not in this file) and never reuse it for other workloads. Rendered only on clusters below 1.25, where PSP still exists; on newer clusters the equivalent guard is a Pod Security Admission exemption for this namespace. 7 | allowedCapabilities: 8 | - '*' 9 | fsGroup: 10 | rule: RunAsAny 11 | hostIPC: true 12 | hostNetwork: true 13 | hostPID: true 14 | hostPorts: 15 | - max: 65536 # NOTE(review): 65535 is the highest valid TCP/UDP port; 65536 looks like an off-by-one — check the API server accepts it before assuming the range is applied. 16 | min: 1 17 | privileged: true 18 | runAsUser: 19 | rule: RunAsAny 20 | seLinux: 21 | rule: RunAsAny 22 | supplementalGroups: 23 | rule: RunAsAny 24 | volumes: 25 | - '*' 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/sysdig/templates/configmap-kspm-analyzer.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.kspm.deploy }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }}-kspm-analyzer 6 | labels: 7 | {{ include "sysdig.labels" . | indent 4 }} 8 | data: 9 | {{- $env := "PRODUCTION" -}} 10 | {{ if .Values.nodeAnalyzer.kspmAnalyzer.debug }} 11 | {{- $env = "DEVELOPMENT" -}} 12 | {{ end}} 13 | environment: {{ $env }} 14 | external_nats_url: {{ include "sysdig.natsUrl" . 
}} 15 | cluster_name: {{ required "A valid .Values.clusterName is required" .Values.clusterName }} 16 | agent_app_name: {{ include "sysdig.name" . }}-node-analyzer 17 | {{- end -}} 18 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/scanner/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.scanner.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "admissionController.scanner.fullname" . }} 6 | namespace: {{ include "admissionController.namespace" . }} 7 | labels: 8 | {{- include "admissionController.scanner.labels" . | nindent 4 }} 9 | spec: 10 | type: {{ .Values.scanner.service.type }} 11 | ports: 12 | - name: https # NOTE(review): the Service port is named "https" but targets the container port named "http"; confirm the scanner terminates TLS on that port itself, otherwise the name is misleading and callers (and NetworkPolicy authors) may assume encryption that is not there. 13 | port: {{ .Values.scanner.service.port }} 14 | targetPort: http 15 | protocol: TCP 16 | selector: 17 | {{- include "admissionController.scanner.selectorLabels" . | nindent 4 }} 18 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "cluster-scanner.fullname" . }} 5 | namespace: {{ include "cluster-scanner.namespace" . }} 6 | labels: 7 | {{- include "cluster-scanner.labels" . 
| nindent 4 }} 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - port: 4222 12 | targetPort: 4222 13 | protocol: TCP 14 | name: nats 15 | - port: 9999 16 | targetPort: 9999 17 | protocol: TCP 18 | name: grpc 19 | # NOTE: selector is intentionally left empty, the RSI component will implement a controller to handle the Endpoints resource associated with this service 20 | -------------------------------------------------------------------------------- /charts/cluster-scanner/tests/serviceaccount_test.yaml: -------------------------------------------------------------------------------- 1 | suite: serviceaccount 2 | templates: 3 | - ../templates/serviceaccount.yaml 4 | values: 5 | - ../values.yaml 6 | release: 7 | name: test-release 8 | namespace: test-ns 9 | 10 | tests: 11 | - it: "has correct name and namespace" 12 | asserts: 13 | - equal: 14 | path: metadata.name 15 | value: test-release-cluster-scanner 16 | - equal: 17 | path: metadata.namespace 18 | value: test-ns 19 | 20 | - it: "generates a serviceaccount resource" 21 | set: 22 | global.sysdigAccessKey: "secret" 23 | asserts: 24 | - isKind: 25 | of: ServiceAccount 26 | -------------------------------------------------------------------------------- /charts/sysdig/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.sysdig.existingAccessKeySecret }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ template "sysdig.fullname" . }} 7 | labels: 8 | {{ include "sysdig.labels" . 
| indent 4 }} 9 | type: Opaque 10 | data: 11 | access-key: {{ required "A valid .Values.sysdig.accessKey is required" .Values.sysdig.accessKey | b64enc | quote }} 12 | {{- end }} 13 | {{- range .Values.extraSecrets }} 14 | --- 15 | apiVersion: v1 16 | kind: Secret 17 | metadata: 18 | name: {{ .name }} 19 | labels: 20 | {{ include "sysdig.labels" $ | indent 4 }} 21 | type: Opaque 22 | data: # NOTE(review): Secret .data must be base64, and the values under .Values.extraSecrets[].data are copied through toYaml verbatim (unlike access-key above, which is b64enc'd), so callers must pre-encode them or the API server rejects the object; using stringData here, or b64enc-ing each value, would remove that footgun. 23 | {{ toYaml .data | indent 2 }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/cluster-shield/templates/service-cluster-scanner.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "cluster-shield.clusterScannerServiceName" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "cluster-shield.labels" . | nindent 4 }} 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - port: 4222 12 | targetPort: 4222 13 | protocol: TCP 14 | name: nats 15 | - port: 9999 16 | targetPort: 9999 17 | protocol: TCP 18 | name: grpc 19 | # NOTE: selector is intentionally left empty, the RSI component will implement a controller to handle the Endpoints resource associated with this service 20 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/clusterrolebinding-node-analyzer.yaml: -------------------------------------------------------------------------------- 1 | {{- if not (include "nodeAnalyzer.gke.autopilot" .) }} 2 | {{- if and (include "deploy-na" .) .Values.rbac.create }} 3 | kind: ClusterRoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ .Release.Name }}-node-analyzer 7 | labels: 8 | {{ include "nodeAnalyzer.labels" . 
| indent 4 }} 9 | subjects: 10 | - kind: ServiceAccount 11 | name: {{ template "nodeAnalyzer.serviceAccountName" .}} 12 | namespace: {{ .Release.Namespace }} 13 | roleRef: 14 | kind: ClusterRole 15 | name: {{ .Release.Name }}-node-analyzer 16 | apiGroup: rbac.authorization.k8s.io 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/sysdig/templates/psp-node-analyzer.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.psp.create (include "sysdig.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }}-node-analyzer 6 | spec: 7 | allowedCapabilities: 8 | - '*' 9 | fsGroup: 10 | rule: RunAsAny 11 | hostIPC: true 12 | hostNetwork: true 13 | hostPID: true 14 | hostPorts: 15 | - max: 65536 16 | min: 1 17 | privileged: true 18 | runAsUser: 19 | rule: RunAsAny 20 | seLinux: 21 | rule: RunAsAny 22 | supplementalGroups: 23 | rule: RunAsAny 24 | volumes: 25 | - '*' 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/cloud-connector/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "cloud-connector.fullname" . }} 5 | labels: 6 | {{- include "cloud-connector.labels" . 
| nindent 4 }} 7 | data: 8 | cloud-connector.yaml: | 9 | logging: info 10 | bruteForceDetection: 11 | enabled: {{ .Values.bruteForceDetection.enabled }} 12 | duration: {{ .Values.bruteForceDetection.duration }} 13 | maximumTries: {{ .Values.bruteForceDetection.maximumTries }} 14 | rules: 15 | {{ toYaml .Values.rules | indent 6 }} 16 | ingestors: 17 | {{ toYaml .Values.ingestors | indent 6 }} 18 | scanners: 19 | {{ toYaml .Values.scanners | indent 6 }} 20 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## What this PR does / why we need it: 2 | 3 | ## Checklist 4 | 5 | 6 | 7 | - [ ] Title of the PR starts with type and scope, (e.g. `feat(agent,node-analyzer,sysdig-deploy):`) 8 | - [ ] Chart Version bumped for the respective charts 9 | - [ ] Variables are documented in the README.md (or README.tpl in some charts) 10 | - [ ] Check GithubAction checks (like lint) to avoid merge-check stoppers 11 | - [ ] All test files are added in the tests folder of their respective chart and have a "_test" suffix 12 | 13 | 14 | -------------------------------------------------------------------------------- /charts/agent/templates/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.psp.create (include "agent.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "agent.fullname" . }} 6 | namespace: {{ include "agent.namespace" . 
}} 7 | spec: 8 | allowedCapabilities: 9 | - '*' 10 | fsGroup: 11 | rule: RunAsAny 12 | hostIPC: true 13 | hostNetwork: true 14 | hostPID: true 15 | hostPorts: 16 | - max: 65536 17 | min: 1 18 | privileged: true 19 | runAsUser: 20 | rule: RunAsAny 21 | seLinux: 22 | rule: RunAsAny 23 | supplementalGroups: 24 | rule: RunAsAny 25 | volumes: 26 | - '*' 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /charts/sysdig-deploy/templates/cluster-scanner-runtime-scanner-check.yaml: -------------------------------------------------------------------------------- 1 | {{- $nodeAnalyzerEnabled := default false .Values.nodeAnalyzer.enabled -}} 2 | {{- $runtimeScannerDeploy := false -}} 3 | 4 | {{- if $nodeAnalyzerEnabled -}} 5 | {{- if and (default dict .Values.nodeAnalyzer).nodeAnalyzer (default dict .Values.nodeAnalyzer.nodeAnalyzer).runtimeScanner -}} 6 | {{- $runtimeScannerDeploy = default false .Values.nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy -}} 7 | {{- end -}} 8 | {{- end -}} 9 | 10 | {{- if and $nodeAnalyzerEnabled $runtimeScannerDeploy .Values.clusterScanner.enabled -}} 11 | {{ fail "Cannot enable both the Runtime Scanner and the Cluster Scanner at the same time" }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/autoscaler.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.autoscaling.enabled }} 2 | apiVersion: autoscaling/v1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "admissionController.webhook.fullname" . }} 6 | namespace: {{ include "admissionController.namespace" . 
}} 7 | spec: 8 | maxReplicas: {{ .Values.webhook.autoscaling.maxReplicas }} 9 | minReplicas: {{ .Values.webhook.autoscaling.minReplicas }} 10 | scaleTargetRef: 11 | apiVersion: apps/v1 12 | kind: Deployment 13 | name: {{ include "admissionController.webhook.fullname" . }} 14 | targetCPUUtilizationPercentage: {{ .Values.webhook.autoscaling.targetCPUUtilizationPercentage }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/cluster-shield/doc.yaml: -------------------------------------------------------------------------------- 1 | project: 2 | name: Sysdig Cluster Shield 3 | shortName: Cluster Shield 4 | url: https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/cluster-shield/ 5 | description: This chart deploys the Sysdig Cluster Shield in your Kubernetes cluster. 6 | app: the Sysdig Cluster Shield 7 | repository: 8 | url: https://charts.sysdig.com 9 | name: sysdig 10 | chart: 11 | name: cluster-shield 12 | prerequisites: 13 | - "Helm 3.6" 14 | - "Sysdig AccessKey" 15 | - "Sysdig Secure API Token" 16 | - "Sysdig Secure API URL" 17 | - "Sysdig Secure Collector" 18 | 19 | release: 20 | name: sysdig-cluster-shield 21 | namespace: sysdig-agent 22 | -------------------------------------------------------------------------------- /charts/cloud-scanning/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.existingSecretName }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "cloud-scanning.fullname" . }} 6 | labels: 7 | {{- include "cloud-scanning.labels" . 
| nindent 4 }} 8 | type: Opaque 9 | data: 10 | aws_access_key_id: {{ .Values.aws.accessKeyId | b64enc | quote }} 11 | aws_secret_access_key: {{ .Values.aws.secretAccessKey | b64enc | quote }} 12 | aws_region: {{ .Values.aws.region | b64enc | quote }} 13 | gcp_credentials: {{ .Values.gcpCredentials | b64enc | quote }} 14 | secure_api_token: {{ required "value 'sysdig.secureAPIToken' is required, but is not set" .Values.sysdig.secureAPIToken | b64enc | quote }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/sysdig-stackdriver-bridge/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: sysdig-stackdriver-bridge 3 | version: 1.2.1 4 | appVersion: 0.0.7 5 | description: Sysdig Monitor and Secure agent 6 | keywords: 7 | - monitoring 8 | - security 9 | - alerting 10 | - metric 11 | - troubleshooting 12 | - run-time 13 | home: https://www.sysdig.com/ 14 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 15 | sources: 16 | - https://app.sysdigcloud.com/#/settings/user 17 | - https://github.com/draios/sysdig 18 | maintainers: 19 | - name: bencer 20 | email: jorge.salamero@sysdig.com 21 | - name: nestorsalceda 22 | email: nestor.salceda@sysdig.com 23 | - name: echoboomer 24 | email: scott@echoboomer.net 25 | -------------------------------------------------------------------------------- /.github/workflows/kubectl-update.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Update bitnami/kubectl image reference for Helm tests 3 | 4 | on: 5 | schedule: 6 | - cron: '0 0 * * *' 7 | 8 | permissions: 9 | contents: read 10 | pull-requests: write 11 | 12 | jobs: 13 | kubectl-update: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: actions/checkout@v4 18 | 19 | - name: Install Updatecli in the runner 20 | uses: updatecli/updatecli-action@v2.67.0 21 | 22 | - name: 
Run Updatecli 23 | run: "updatecli apply --config .github/updatecli.d/config-update-bitnami-kubectl-image.yaml" 24 | env: 25 | GITHUB_TOKEN: "${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}" 26 | -------------------------------------------------------------------------------- /charts/kspm-collector/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kspm-collector 3 | description: Sysdig KSPM collector 4 | version: 0.16.1 5 | appVersion: 1.39.3 6 | keywords: 7 | - monitoring 8 | - security 9 | - alerting 10 | - metric 11 | - troubleshooting 12 | - run-time 13 | home: https://www.sysdig.com/ 14 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 15 | sources: 16 | - https://app.sysdigcloud.com/#/settings/user 17 | - https://github.com/draios/sysdig 18 | maintainers: 19 | - name: chen-shmilovich-sysdig 20 | email: chen.shmilovich@sysdig.com 21 | dependencies: 22 | - name: common 23 | # repository: https://charts.sysdig.com 24 | repository: file://../common 25 | version: ~1.3.1 26 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/scanner/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.scanner.psp.create (include "admissionController.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ include "admissionController.scanner.fullname" . }} 6 | namespace: {{ include "admissionController.namespace" . }} 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: Role 10 | name: {{ include "admissionController.scanner.fullname" . }} 11 | subjects: 12 | - kind: ServiceAccount 13 | name: {{ include "admissionController.scanner.serviceAccountName" . }} 14 | namespace: {{ include "admissionController.namespace" . 
}} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/kspm-collector/templates/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.psp.create (include "kspmCollector.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "kspmCollector.fullname" . }} 6 | namespace: {{ include "kspmCollector.namespace" . }} 7 | spec: 8 | allowedCapabilities: [] 9 | fsGroup: 10 | rule: RunAsAny 11 | hostIPC: false 12 | hostNetwork: false 13 | hostPID: false 14 | privileged: false 15 | runAsUser: 16 | rule: RunAsAny 17 | seLinux: 18 | rule: RunAsAny 19 | supplementalGroups: 20 | rule: RunAsAny 21 | volumes: 22 | - emptyDir 23 | - secret 24 | - configMap 25 | - downwardAPI 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/cloud-bench/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.existingSecretName }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "cloud-bench.fullname" . }} 6 | labels: 7 | {{- include "cloud-bench.labels" . 
| nindent 4 }} 8 | type: Opaque 9 | data: 10 | aws_access_key_id: {{ required "A valid .Values.aws.access_key_id is required" .Values.aws.access_key_id | b64enc | quote }} 11 | aws_secret_access_key: {{ required "A valid .Values.aws.secret_access_key is required" .Values.aws.secret_access_key | b64enc | quote }} 12 | aws_region: {{ required "A valid .Values.aws.region is required" .Values.aws.region | b64enc | quote }} 13 | secure_api_token: {{ .Values.sysdig.secureApiToken | b64enc | quote }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /charts/kspm-collector/tests/golden_template_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Testing pre-generated values and best-known edge cases 2 | templates: 3 | - deployment.yaml 4 | - configmap.yaml 5 | tests: 6 | - it: check normal install testcase 7 | set: 8 | sysdig: 9 | accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 10 | clusterName: test-k8s 11 | asserts: 12 | - containsDocument: 13 | kind: Deployment 14 | apiVersion: apps/v1 15 | template: deployment.yaml 16 | - containsDocument: 17 | kind: ConfigMap 18 | apiVersion: v1 19 | template: configmap.yaml 20 | - equal: 21 | path: data.cluster_name 22 | value: test-k8s 23 | template: configmap.yaml 24 | -------------------------------------------------------------------------------- /charts/sysdig/templates/auditsink.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.auditLog.enabled .Values.auditLog.dynamicBackend.enabled }} 2 | apiVersion: auditregistration.k8s.io/v1alpha1 3 | kind: AuditSink 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }} 6 | labels: 7 | {{ include "sysdig.labels" . 
| indent 4 }} 8 | spec: 9 | policy: 10 | level: RequestResponse 11 | stages: 12 | - ResponseComplete 13 | - ResponseStarted 14 | webhook: 15 | throttle: 16 | qps: 10 17 | burst: 15 18 | clientConfig: 19 | service: 20 | namespace: {{ .Release.Namespace }} 21 | name: {{ template "sysdig.fullname" . }} 22 | port: {{ .Values.auditLog.auditServerPort }} 23 | path: /k8s_audit 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/cluster-scanner/tests/service_test.yaml: -------------------------------------------------------------------------------- 1 | suite: service 2 | templates: 3 | - ../templates/service.yaml 4 | values: 5 | - ../values.yaml 6 | release: 7 | name: test-release 8 | namespace: test-ns 9 | 10 | tests: 11 | - it: "has not selector" 12 | asserts: 13 | - isNull: 14 | path: spec.selector 15 | 16 | - it: "has correct name and namespace" 17 | asserts: 18 | - equal: 19 | path: metadata.name 20 | value: test-release-cluster-scanner 21 | - equal: 22 | path: metadata.namespace 23 | value: test-ns 24 | 25 | - it: "generates a service resource" 26 | set: 27 | global.sysdigAccessKey: "secret" 28 | asserts: 29 | - isKind: 30 | of: Service 31 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/scanner/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.scanner.enabled -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "admissionController.scanner.fullname" . }} 6 | namespace: {{ include "admissionController.namespace" . }} 7 | labels: 8 | {{ include "admissionController.scanner.labels" . 
| nindent 4 }} 9 | data: 10 | SECURE_BASE_URL: "{{ .Values.sysdig.url | default (printf "https://%s" (include "admissionController.apiEndpoint" .)) }}" 11 | SECURE_SKIP_TLS: "{{ not .Values.verifySSL }}" 12 | REGISTRY_SKIP_TLS: "{{ not .Values.scanner.verifyRegistryTLS }}" 13 | {{- if .Values.scanner.dockerCfgSecretName }} 14 | REGISTRY_DOCKERCFG_PATH: /dockerauth/.dockercfg 15 | {{- end }} 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/podmonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podMonitors.webhook.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PodMonitor 4 | metadata: 5 | annotations: {{ .Values.podMonitors.webhook.annotations | toYaml | nindent 4 }} 6 | labels: {{ .Values.podMonitors.webhook.labels | toYaml | nindent 4 }} 7 | name: admission-controller-webhook 8 | namespace: {{ include "admissionController.namespace" . }} 9 | spec: 10 | selector: 11 | matchLabels: 12 | {{- include "admissionController.webhook.selectorLabels" . | nindent 6 }} 13 | podMetricsEndpoints: 14 | - targetPort: {{ .Values.webhook.http.port }} 15 | path: "/metrics" 16 | scheme: https 17 | tlsConfig: 18 | insecureSkipVerify: true 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/scanner/podmonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podMonitors.scanner.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PodMonitor 4 | metadata: 5 | annotations: {{ .Values.podMonitors.scanner.annotations | toYaml | nindent 4 }} 6 | labels: {{ .Values.podMonitors.scanner.labels | toYaml | nindent 4 }} 7 | name: admission-controller-scanner 8 | namespace: {{ include "admissionController.namespace" . 
}} 9 | spec: 10 | selector: 11 | matchLabels: 12 | {{- include "admissionController.scanner.selectorLabels" . | nindent 6 }} 13 | podMetricsEndpoints: 14 | - targetPort: {{ .Values.scanner.service.port }} 15 | path: "/metrics" 16 | scheme: https 17 | tlsConfig: 18 | insecureSkipVerify: true 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/rapid-response/tests/custom_resources.yaml: -------------------------------------------------------------------------------- 1 | suite: Testing pre-generated values and best-known edge cases 2 | templates: 3 | - daemonset.yaml 4 | tests: 5 | - it: Test cpu resources overrides 6 | set: 7 | rapidResponse: 8 | resources: 9 | requests: 10 | cpu: 2500m 11 | memory: 1500Mi 12 | limits: 13 | cpu: 5000m 14 | memory: 2500Mi 15 | asserts: 16 | - contains: 17 | path: spec.template.spec.containers 18 | content: 19 | resources: 20 | limits: 21 | cpu: 5000m 22 | memory: 2500Mi 23 | requests: 24 | cpu: 2500m 25 | memory: 1500Mi 26 | any: true 27 | count: 1 28 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if not (include "nodeAnalyzer.gke.autopilot" .) }} 2 | {{- if and .Values.psp.create (include "nodeAnalyzer.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }} 3 | apiVersion: policy/v1beta1 4 | kind: PodSecurityPolicy 5 | metadata: 6 | name: {{ .Release.Name }}-node-analyzer 7 | namespace: {{ include "nodeAnalyzer.namespace" . 
}} 8 | spec: 9 | allowedCapabilities: 10 | - '*' 11 | fsGroup: 12 | rule: RunAsAny 13 | hostIPC: true 14 | hostNetwork: true 15 | hostPID: true 16 | hostPorts: 17 | - max: 65536 18 | min: 1 19 | privileged: true 20 | runAsUser: 21 | rule: RunAsAny 22 | seLinux: 23 | rule: RunAsAny 24 | supplementalGroups: 25 | rule: RunAsAny 26 | volumes: 27 | - '*' 28 | {{- end }} 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /charts/agent/templates/auditsink.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.auditLog.enabled .Values.auditLog.dynamicBackend.enabled }} 2 | apiVersion: auditregistration.k8s.io/v1alpha1 3 | kind: AuditSink 4 | metadata: 5 | name: {{ template "agent.fullname" . }} 6 | namespace: {{ include "agent.namespace" . }} 7 | labels: 8 | {{ include "agent.labels" . | indent 4 }} 9 | spec: 10 | policy: 11 | level: RequestResponse 12 | stages: 13 | - ResponseComplete 14 | - ResponseStarted 15 | webhook: 16 | throttle: 17 | qps: 10 18 | burst: 15 19 | clientConfig: 20 | service: 21 | namespace: {{ include "agent.namespace" . }} 22 | name: {{ template "agent.fullname" . }} 23 | port: {{ .Values.auditLog.auditServerPort }} 24 | path: /k8s_audit 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /charts/cloud-connector/doc.yaml: -------------------------------------------------------------------------------- 1 | project: 2 | name: Cloud Connector 3 | shortName: Cloud Connector 4 | url: https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/ 5 | description: | 6 | This chart deploys Sysdig Cloud Connector on your Kubernetes cluster, enabling Threat Detection and Image Scanning for the AWS, GCP, and Azure Cloud providers. 
7 | app: the Sysdig Cloud Connector 8 | repository: 9 | url: https://charts.sysdig.com 10 | name: sysdig 11 | chart: 12 | name: cloud-connector 13 | # version: v0.9.0-rc.0 14 | # values: "-- generate from values file --" 15 | valuesExample: "sysdig.secureAPIToken=" 16 | prerequisites: 17 | - "Helm v3.6" 18 | - "Sysdig Secure API Token" 19 | 20 | release: 21 | name: cloud-connector 22 | namespace: cloud-connector 23 | -------------------------------------------------------------------------------- /charts/node-analyzer/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: node-analyzer 3 | description: Sysdig Node Analyzer 4 | # currently matching Sysdig's appVersion 1.14.34 5 | version: 1.31.6 6 | appVersion: 12.9.0 7 | keywords: 8 | - monitoring 9 | - security 10 | - alerting 11 | - metric 12 | - troubleshooting 13 | - run-time 14 | home: https://www.sysdig.com/ 15 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 16 | sources: 17 | - https://app.sysdigcloud.com/#/settings/user 18 | - https://github.com/draios/sysdig 19 | maintainers: 20 | - name: chen-shmilovich-sysdig 21 | email: chen.shmilovich@sysdig.com 22 | - name: sysdiglabs 23 | dependencies: 24 | - name: common 25 | # repository: https://charts.sysdig.com 26 | repository: file://../common 27 | version: ~1.3.1 28 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/scc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | name: {{ template "fullname" . 
}}-scc 6 | allowHostDirVolumePlugin: false 7 | allowHostIPC: false 8 | allowHostNetwork: false 9 | allowHostPID: false 10 | allowHostPorts: false 11 | allowPrivilegeEscalation: false 12 | allowPrivilegedContainer: false 13 | allowedCapabilities: [] 14 | defaultAddCapabilities: [] 15 | priority: 1 16 | readOnlyRootFilesystem: false 17 | requiredDropCapabilities: [] 18 | runAsUser: 19 | type: RunAsAny 20 | seLinuxContext: 21 | type: RunAsAny 22 | volumes: 23 | - configMap 24 | - secret 25 | users: 26 | - system:serviceaccount:{{ .Release.Namespace }}:default 27 | {{ end -}} 28 | -------------------------------------------------------------------------------- /.chglog/config-release.yml: -------------------------------------------------------------------------------- 1 | style: github 2 | template: RELEASE.tpl.md 3 | info: 4 | title: RELEASE 5 | repository_url: https://github.com/sysdiglabs/charts 6 | options: 7 | commits: 8 | filters: 9 | Type: 10 | - feat 11 | - fix 12 | - refactor 13 | - chore 14 | - docs 15 | - github_actions_ci 16 | commit_groups: 17 | title_maps: 18 | feat: New Features 19 | fix: Bug Fixes 20 | refactor: Code Refactoring 21 | chore: Chores 22 | docs: Documentation 23 | github_actions_ci: Ignored 24 | header: 25 | pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\,\\-\\*\\s]*)\\))?\\:\\s?(.*)$" 26 | pattern_maps: 27 | - Type 28 | - Scope 29 | - Subject 30 | notes: 31 | keywords: 32 | - Extended Changelog 33 | -------------------------------------------------------------------------------- /charts/cluster-scanner/tests/clusterrolebinding_test.yaml: -------------------------------------------------------------------------------- 1 | suite: deployment 2 | templates: 3 | - ../templates/clusterrolebinding.yaml 4 | values: 5 | - ../values.yaml 6 | release: 7 | name: test-release 8 | namespace: test-ns 9 | 10 | tests: 11 | - it: "generates correct ClusterRoleBinding" 12 | asserts: 13 | - equal: 14 | path: metadata.name 15 | value: test-release-cluster-scanner 16 | - 
equal: 17 | path: roleRef.name 18 | value: test-release-cluster-scanner 19 | - equal: 20 | path: subjects[0].namespace 21 | value: test-ns 22 | - equal: 23 | path: subjects[0].name 24 | value: test-release-cluster-scanner 25 | - equal: 26 | path: subjects[0].kind 27 | value: ServiceAccount 28 | -------------------------------------------------------------------------------- /.chglog/config-changelog.yml: -------------------------------------------------------------------------------- 1 | style: github 2 | template: CHANGELOG.tpl.md 3 | info: 4 | title: CHANGELOG 5 | repository_url: https://github.com/sysdiglabs/charts 6 | options: 7 | commits: 8 | filters: 9 | Type: 10 | - feat 11 | - fix 12 | - refactor 13 | - chore 14 | - docs 15 | - github_actions_ci 16 | commit_groups: 17 | title_maps: 18 | feat: New Features 19 | fix: Bug Fixes 20 | refactor: Code Refactoring 21 | chore: Chores 22 | docs: Documentation 23 | github_actions_ci: Ignored 24 | header: 25 | pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\,\\-\\*\\s]*)\\))?\\:\\s?(.*)$" 26 | pattern_maps: 27 | - Type 28 | - Scope 29 | - Subject 30 | notes: 31 | keywords: 32 | - Extended Changelog 33 | -------------------------------------------------------------------------------- /charts/sysdig/templates/runtimeScanner/eveconnector-api-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (not .Values.gke.autopilot) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }}-eveconnector 6 | labels: 7 | app.kubernetes.io/name: {{ include "sysdig.name" . }}-eveconnector 8 | {{ include "sysdig.labels" . | indent 4 }} 9 | spec: 10 | selector: 11 | app.kubernetes.io/name: {{ include "sysdig.name" . 
}}-eveconnector 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | ports: 14 | - protocol: TCP 15 | port: 443 16 | targetPort: 7000 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | The Cluster Scanner component is being executed. 2 | 3 | It consists of the Runtime Status Integrator and Image Sbom Extractor components. 4 | 5 | After successful installation you can access the Cluster Scanner features as follows: 6 | 7 | Log in to Sysdig Secure (at the URL: {{- if (not (or (hasPrefix "https://" (include "cluster-scanner.apiHost" .)) (hasPrefix "http://" (include "cluster-scanner.apiHost" .)))) -}}https://{{- end -}}{{ include "cluster-scanner.apiHost" . }}) and check that the features are working as expected. 8 | 1. Select Scanning > Image Results. 9 | 2. Check for scanned container image results that originate with the Sysdig Cluster Scanner. 10 | 11 | Please note that the first results will be available at least 15 minutes after Cluster Scanner has started. 12 | -------------------------------------------------------------------------------- /charts/harbor-scanner-sysdig-secure/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ include "harbor-scanner-sysdig-secure.fullname" . }} 6 | labels: 7 | {{- include "harbor-scanner-sysdig-secure.labels" . 
| nindent 4 }} 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - secrets 13 | verbs: 14 | - get 15 | - list 16 | - watch 17 | - create 18 | - apiGroups: 19 | - batch 20 | resources: 21 | - jobs 22 | verbs: 23 | - get 24 | - list 25 | - watch 26 | - create 27 | - delete 28 | - apiGroups: 29 | - "" 30 | resources: 31 | - pods 32 | - pods/log 33 | verbs: 34 | - get 35 | - list 36 | {{- end -}} 37 | -------------------------------------------------------------------------------- /.github/workflows/pr-lint.yaml: -------------------------------------------------------------------------------- 1 | name: PR Lint 2 | 3 | on: 4 | pull_request_target: 5 | types: [opened, edited, reopened, synchronize] 6 | branches: [main] 7 | 8 | jobs: 9 | pr-lint: 10 | permissions: 11 | pull-requests: write 12 | runs-on: ubuntu-latest 13 | steps: 14 | - uses: morrisoncole/pr-lint-action@v1.7.1 15 | with: 16 | repo-token: "${{ secrets.GITHUB_TOKEN }}" 17 | title-regex: "^(\\w*)(?:\\(([\\w\\$\\.\\,\\-\\*\\s]*)\\))?\\:\\s?(.*)$" 18 | on-failed-regex-fail-action: false 19 | on-failed-regex-create-review: true 20 | on-failed-regex-request-changes: true 21 | on-failed-regex-comment: "PR title does not comply with regex: `%regex%`!
Check PR guidelines at https://github.com/sysdiglabs/charts/blob/main/README.md#pull-requests" 22 | -------------------------------------------------------------------------------- /charts/agent/tests/dns_policy_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test setting DNS Policy 2 | templates: 3 | - daemonset.yaml 4 | kubernetesProvider: 5 | scheme: 6 | "v1/Node": 7 | gvr: 8 | version: "v1" 9 | resource: "nodes" 10 | namespaced: false 11 | objects: 12 | - apiVersion: v1 13 | kind: Node 14 | metadata: 15 | name: fakenode 16 | status: 17 | nodeInfo: 18 | osImage: fake-os-image 19 | tests: 20 | - it: Checking default dnsPolicy 21 | asserts: 22 | - equal: 23 | path: spec.template.spec.dnsPolicy 24 | value: ClusterFirstWithHostNet 25 | 26 | - it: Checking setting different dnsPolicy 27 | set: 28 | dnsPolicy: ClusterFirst 29 | asserts: 30 | - equal: 31 | path: spec.template.spec.dnsPolicy 32 | value: ClusterFirst 33 | -------------------------------------------------------------------------------- /.github/workflows/agent-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Update charts for Agent release 3 | 4 | on: 5 | workflow_dispatch: 6 | inputs: 7 | release: 8 | description: 'Agent Version' 9 | required: true 10 | 11 | permissions: 12 | contents: read 13 | pull-requests: write 14 | 15 | jobs: 16 | agent-release: 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@v4 21 | 22 | - name: Install Updatecli in the runner 23 | uses: updatecli/updatecli-action@v2.67.0 24 | 25 | - name: Run Updatecli in apply mode 26 | run: "updatecli apply --config .github/updatecli.d/config-agent-release.yaml" 27 | env: 28 | AGENT_RELEASE: "${{ inputs.release }}" 29 | GITHUB_TOKEN: "${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}" 30 | -------------------------------------------------------------------------------- 
/.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | name: Mark stale issues and pull requests 2 | 3 | on: 4 | schedule: 5 | - cron: "30 1 * * *" 6 | 7 | jobs: 8 | stale: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/stale@v9 12 | with: 13 | repo-token: ${{ secrets.GITHUB_TOKEN }} 14 | stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 15 | stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 16 | stale-issue-label: 'stale' 17 | stale-pr-label: 'stale' 18 | close-issue-message: 'This issue has been closed due to inactivity.' 19 | close-pr-message: 'This PR has been closed due to inactivity.' 20 | -------------------------------------------------------------------------------- /charts/sysdig-stackdriver-bridge/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for Sysdig Stackdriver Bridge. 2 | 3 | image: 4 | repository: sysdiglabs/stackdriver-webhook-bridge 5 | pullPolicy: IfNotPresent 6 | tag: v0.0.7-a4d6ade 7 | 8 | secret: 9 | # If this is true, the chart will create the Secret and pass in secret.data as key.json. 10 | create: false 11 | data: '' 12 | # Secret name that contains GCP SA creds for the stackdriver Service Account. 
13 | name: stackdriver-webhook-bridge 14 | 15 | settings: 16 | # Settings for ConfigMap 17 | forwardURL: http://sysdig-agent.sysdig-agent.svc.cluster.local:7765/k8s_audit 18 | projectID: 19 | clusterID: 20 | logFile: 21 | outFile: 22 | pollInterval: 5s 23 | lagInterval: 30s 24 | logLevel: info 25 | 26 | nodeSelector: {} 27 | 28 | affinity: {} 29 | 30 | annotations: {} 31 | 32 | tolerations: [] 33 | -------------------------------------------------------------------------------- /charts/sysdig-deploy/ci/test-default-saas-values.yaml.template: -------------------------------------------------------------------------------- 1 | global: 2 | clusterConfig: 3 | name: "test-cluster" 4 | namespace: "" 5 | sysdig: 6 | accessKey: ${SECURE_AGENT_TOKEN} 7 | secureAPIToken: ${SECURE_API_TOKEN} 8 | kspm: 9 | deploy: true 10 | agent: 11 | resources: 12 | requests: 13 | cpu: 25m 14 | memory: 200Mi 15 | kspmCollector: 16 | resources: 17 | requests: 18 | cpu: 25m 19 | memory: 200Mi 20 | nodeAnalyzer: 21 | secure: 22 | vulnerabilityManagement: 23 | newEngineOnly: true 24 | nodeAnalyzer: 25 | benchmarkRunner: 26 | deploy: false 27 | imageAnalyzer: 28 | resources: 29 | requests: 30 | cpu: 25m 31 | memory: 200Mi 32 | hostAnalyzer: 33 | resources: 34 | requests: 35 | cpu: 25m 36 | memory: 200Mi 37 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: local 3 | hooks: 4 | - id: docgen 5 | pass_filenames: false 6 | name: Generate documentation 7 | entry: make docs 8 | language: system 9 | - id: lint 10 | pass_filenames: false 11 | name: Lint charts 12 | entry: make lint 13 | language: system 14 | - id: unit-test 15 | pass_filenames: false 16 | name: Unit test charts 17 | entry: make unittest 18 | language: system 19 | - repo: https://github.com/pre-commit/pre-commit-hooks 20 | rev: v4.2.0 21 | hooks: 22 | - id: trailing-whitespace 23 
| - id: end-of-file-fixer 24 | - id: check-added-large-files 25 | - id: check-merge-conflict 26 | - id: check-symlinks 27 | - id: detect-private-key 28 | exclude: charts/.*/ci/.* 29 | - id: check-yaml 30 | args: ["-m"] 31 | exclude: charts/.*/templates/.* 32 | -------------------------------------------------------------------------------- /charts/cluster-scanner/tests/rolebinding_test.yaml: -------------------------------------------------------------------------------- 1 | suite: deployment 2 | templates: 3 | - ../templates/rolebinding.yaml 4 | values: 5 | - ../values.yaml 6 | release: 7 | name: test-release 8 | namespace: test-ns 9 | 10 | tests: 11 | - it: "generates correct RoleBinding" 12 | asserts: 13 | - equal: 14 | path: metadata.name 15 | value: test-release-cluster-scanner 16 | - equal: 17 | path: metadata.namespace 18 | value: test-ns 19 | - equal: 20 | path: roleRef.name 21 | value: test-release-cluster-scanner 22 | - equal: 23 | path: subjects[0].namespace 24 | value: test-ns 25 | - equal: 26 | path: subjects[0].name 27 | value: test-release-cluster-scanner 28 | - equal: 29 | path: subjects[0].kind 30 | value: ServiceAccount 31 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/runtimeScanner/eveconnector-api-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeAnalyzer.deploy (not (include "nodeAnalyzer.gke.autopilot" .)) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "nodeAnalyzer.fullname" . }}-eveconnector 6 | namespace: {{ include "nodeAnalyzer.namespace" . }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "nodeAnalyzer.name" . }}-eveconnector 9 | {{ include "nodeAnalyzer.labels" . 
| indent 4 }} 10 | spec: 11 | selector: 12 | app.kubernetes.io/name: {{ include "nodeAnalyzer.name" . }}-eveconnector 13 | app.kubernetes.io/instance: {{ .Release.Name }} 14 | ports: 15 | - protocol: TCP 16 | port: 443 17 | targetPort: 7000 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "admissionController.webhook.fullname" . }} 5 | namespace: {{ include "admissionController.namespace" . }} 6 | labels: 7 | {{- include "admissionController.webhook.labels" . | nindent 4 }} 8 | spec: 9 | type: {{ .Values.webhook.service.type }} 10 | ports: 11 | {{- if .Values.features.kspmAdmissionController }} 12 | - name: vac 13 | port: {{ .Values.webhook.v2.service.port }} 14 | targetPort: vac 15 | {{- end }} 16 | {{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled .Values.webhook.acConfig) }} 17 | - name: http 18 | port: {{ .Values.webhook.service.port }} 19 | targetPort: http 20 | protocol: TCP 21 | {{- end }} 22 | selector: 23 | {{- include "admissionController.webhook.selectorLabels" . 
| nindent 4 }} 24 | -------------------------------------------------------------------------------- /.chglog/CHANGELOG.tpl.md: -------------------------------------------------------------------------------- 1 | {{ if .Versions -}} 2 | {{ range .Versions -}} 3 | {{- $chartName := regexReplaceAll "((?:[A-Za-z]*(?:\\-[A-Za-z]*)*))\\-(?:.*)" .Tag.Name "${1}" -}} 4 | {{- $chartversion := regexReplaceAll "(?:[A-Za-z]*(?:\\-[A-Za-z]*)*)\\-(.*)" .Tag.Name "v${1}" -}} 5 | # {{ $chartversion }} 6 | {{ range .CommitGroups -}} 7 | {{- if not (eq "Ignored" .Title ) -}} 8 | ### {{ .Title }} 9 | {{ range .Commits -}} 10 | * {{ if .Scope }}**{{ .Scope }}** {{ end }}[{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}): {{ .Subject }} 11 | {{ if .Notes -}} 12 | {{ range .Notes }} 13 | * {{ .Body }} 14 | {{ end -}} 15 | {{ end -}} 16 | {{ end -}} 17 | {{ end -}} 18 | {{ end -}} 19 | 20 | {{- if .OtherCommits -}} 21 | ### Others 22 | {{ range .OtherCommits -}} 23 | * [{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}) 24 | {{ end -}} 25 | {{ end -}} 26 | {{ end -}} 27 | {{ end -}} 28 | -------------------------------------------------------------------------------- /.chglog/RELEASE.tpl.md: -------------------------------------------------------------------------------- 1 | # What's Changed 2 | {{ if .Versions -}} 3 | {{ range .Versions }} 4 | {{ range .CommitGroups -}} 5 | {{ if not (eq "Ignored" .Title ) -}} 6 | ### {{ .Title }} 7 | {{ range .Commits -}} 8 | - {{ if .Scope }}**{{ .Scope }}** {{ end }}[{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}): {{ .Subject }} 9 | {{ if .Notes -}} 10 | {{ range .Notes }} 11 | * {{ .Body }} 12 | {{ end -}} 13 | {{ end -}} 14 | {{ end -}} 15 | {{ end -}} 16 | {{ end -}} 17 | {{ if .OtherCommits -}} 18 | ### Others 19 | {{- range .OtherCommits -}} 20 | - [{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}) 21 | {{ end -}} 22 | {{ end -}} 23 | {{ end -}} 24 | {{- if .Versions 
}} 25 | {{- range .Versions -}} 26 | {{ if .Tag.Previous -}} 27 | #### Full diff: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }} 28 | {{ end -}} 29 | {{ end -}} 30 | {{ end -}} 31 | {{ end -}} 32 | -------------------------------------------------------------------------------- /charts/agent/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 13.4.0 3 | dependencies: 4 | - name: common 5 | repository: file://../common 6 | version: ~1.3.1 7 | description: Sysdig Monitor and Secure agent 8 | home: https://www.sysdig.com/ 9 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 10 | keywords: 11 | - monitoring 12 | - security 13 | - alerting 14 | - metric 15 | - troubleshooting 16 | - run-time 17 | maintainers: 18 | - email: alberto.barba@sysdig.com 19 | name: AlbertoBarba 20 | - email: adam.roberts@sysdig.com 21 | name: aroberts87 22 | - email: francesco.furlan@sysdig.com 23 | name: francesco-furlan 24 | - email: gerlando.falauto@sysdig.com 25 | name: iurly 26 | - email: marcovito.moscaritolo@sysdig.com 27 | name: mavimo 28 | name: agent 29 | sources: 30 | - https://app.sysdigcloud.com/#/settings/user 31 | - https://github.com/draios/sysdig 32 | type: application 33 | version: 1.29.2 34 | -------------------------------------------------------------------------------- /.github/workflows/greeting.yaml: -------------------------------------------------------------------------------- 1 | name: Greeting 2 | on: 3 | pull_request_target: 4 | types: [opened] 5 | branches: [main] 6 | 7 | jobs: 8 | greeting: 9 | permissions: 10 | pull-requests: write 11 | name: Greeting comment upon PR from fork 12 | runs-on: ubuntu-latest 13 | if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != 'sysdiglabs/charts' 14 | steps: 15 | - name: Issue the greeting comment 16 | uses: peter-evans/create-or-update-comment@v4 17 | with: 18 
| token: ${{ secrets.GITHUB_TOKEN }} 19 | issue-number: ${{ github.event.pull_request.number }} 20 | body: | 21 | Hi @${{ github.event.pull_request.user.login }}. Thanks for your PR. 22 | 23 | After inspecting your changes someone with write access to this repo needs 24 | to approve and run the workflow. 25 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/scanner/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.scanner.psp.create (include "admissionController.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ include "admissionController.scanner.fullname" . }} 6 | namespace: {{ include "admissionController.namespace" . }} 7 | spec: 8 | allowPrivilegeEscalation: false 9 | fsGroup: 10 | ranges: 11 | - max: 65535 12 | min: 1 13 | rule: MustRunAs 14 | readOnlyRootFilesystem: true 15 | requiredDropCapabilities: 16 | - ALL 17 | runAsUser: 18 | rule: MustRunAsNonRoot 19 | seLinux: 20 | rule: RunAsAny 21 | supplementalGroups: 22 | ranges: 23 | - max: 65535 24 | min: 1 25 | rule: MustRunAs 26 | volumes: 27 | - configMap 28 | - downwardAPI 29 | - emptyDir 30 | - secret 31 | - projected 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /charts/cluster-scanner/tests/clusterrole_test.yaml: -------------------------------------------------------------------------------- 1 | suite: deployment 2 | templates: 3 | - ../templates/clusterrole.yaml 4 | values: 5 | - ../values.yaml 6 | release: 7 | name: test-release 8 | namespace: test-ns 9 | 10 | tests: 11 | - it: "generates correct ClusterRole" 12 | asserts: 13 | - equal: 14 | path: metadata.name 15 | value: test-release-cluster-scanner 16 | - isSubset: 17 | path: rules[0] 18 | content: 19 | apiGroups: ["", "apps", "batch", "extensions"] 20 | 
resources: 21 | - "deployments" 22 | - "replicasets" 23 | - "daemonsets" 24 | - "statefulsets" 25 | - "pods" 26 | - "cronjobs" 27 | - "jobs" 28 | - "nodes" 29 | - "namespaces" 30 | - "secrets" 31 | verbs: ["get", "list", "watch"] 32 | -------------------------------------------------------------------------------- /charts/registry-scanner/doc.yaml: -------------------------------------------------------------------------------- 1 | project: 2 | name: Sysdig Registry Scanner 3 | shortName: Registry Scanner 4 | url: https://docs.sysdig.com/en/docs/sysdig-secure/scanning/registry-scanner/ 5 | description: This chart deploys the Sysdig Registry Scanner as a scheduled Cronjob in your Kubernetes cluster and allows you to integrate Sysdig Secure with different image registries. 6 | app: the Sysdig Registry Scanner 7 | repository: 8 | url: https://charts.sysdig.com 9 | name: sysdig 10 | chart: 11 | name: registry-scanner 12 | # version: v0.9.0-rc.0 13 | # values: "-- generate from values file --" 14 | valuesExample: "config.secureAPIToken=YOUR-KEY-HERE,config.secureBaseURL=SECURE_URL" 15 | prerequisites: 16 | - "Helm 3.6" 17 | - "Kubernetes v1.16+" 18 | - "Unique name to identify your Kubernetes cluster" 19 | - "Sysdig Secure API Token" 20 | 21 | release: 22 | name: registry-scanner 23 | namespace: sysdig-registry-scanner 24 | -------------------------------------------------------------------------------- /charts/admission-controller/doc.yaml: -------------------------------------------------------------------------------- 1 | project: 2 | name: Sysdig Admission Controller 3 | shortName: Admission Controller 4 | url: https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/install-kubernetes-audit-logging/ 5 | description: This chart deploys the Sysdig Admission Controller in your Kubernetes cluster. 
6 | app: the Sysdig Admission Controller 7 | repository: 8 | url: https://charts.sysdig.com 9 | name: sysdig 10 | chart: 11 | name: admission-controller 12 | # version: v0.9.0-rc.0 13 | # values: "-- generate from values file --" 14 | valuesExample: "sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME" 15 | prerequisites: 16 | - "Helm 3.6" 17 | - "Kubernetes v1.16+" 18 | - "Cluster Name (pick one to identify your Kubernetes Cluster)" 19 | - "Sysdig Secure API Token" 20 | 21 | release: 22 | name: admission-controller 23 | namespace: sysdig-admission-controller 24 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: {{ template "fullname" . }} 5 | labels: 6 | app: {{ template "name" . }} 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 8 | release: {{ .Release.Name }} 9 | inmenu: "true" 10 | annotations: # NavMenu: add annotations from values.yaml 11 | icp.management.ibm.com/auth-type: access-token 12 | kubernetes.io/ingress.class: ibm-icp-management 13 | spec: 14 | rules: 15 | - http: 16 | paths: 17 | - path: /sysdig-secure 18 | backend: 19 | serviceName: {{ template "fullname" . }}-secure 20 | servicePort: {{ .Values.service.externalPort }} 21 | - path: /sysdig-monitor 22 | backend: 23 | serviceName: {{ template "fullname" . }}-monitor 24 | servicePort: {{ .Values.service.externalPort }} 25 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "fullname" . 
}}-config 5 | data: 6 | {{- if eq (default false .Values.saas) true }}{{- if eq (default "" .Values.companyName) "" }}{{ fail "value 'companyName' is mandatory, but it is not set"}}{{ end }}{{ end }} 7 | default.conf: | 8 | server { 9 | listen {{ .Values.service.internalPort }}; 10 | server_name localhost; 11 | 12 | location /sysdig-secure { 13 | rewrite ^/sysdig-secure(.*)$ {{ if .Values.saas }}https://secure.sysdig.com/api/oauth/openid/{{ .Values.companyName }}{{ else }}{{.Values.sysdigURL}}/api/oauth/openid{{ end }}?product=SDS permanent; 14 | } 15 | location /sysdig-monitor { 16 | rewrite ^/sysdig-monitor(.*)$ {{ if .Values.saas }}https://app.sysdigcloud.com/api/oauth/openid/{{ .Values.companyName }}{{ else }}{{.Values.sysdigURL}}/api/oauth/openid{{ end }} permanent; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if .Values.features.kspmAdmissionController }} 2 | {{- if include "admissionController.validAccessKeyConfig" . }}{{- end}} 3 | {{- end }} 4 | {{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled .Values.webhook.acConfig) }} 5 | {{- if include "admissionController.validTokenConfig" . }}{{- end }} 6 | {{- end }} 7 | Sysdig Admission Controller is now installed! 8 | 9 | Confirm its working status: 10 | https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/install-kubernetes-audit-logging/#verify-the-installation 11 | ================================================================================================ 12 | 13 | {{- if .Values.scanner.enabled }} 14 | The Scanner also needs the AUTH_BEARER_TOKEN environment variable configured with the valid 15 | Secure API Token. 
16 | ================================================================================================ 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/registry-scanner/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.config.registryType "ocp" }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ include "registry-scanner.fullname" . }}-crb-registry-viewer 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: registry-viewer 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ include "registry-scanner.serviceAccountName" . }} 13 | namespace: {{ .Release.Namespace }} 14 | --- 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | kind: ClusterRoleBinding 17 | metadata: 18 | name: {{ include "registry-scanner.fullname" . }}-crb-token-requestor 19 | namespace: {{ .Release.Namespace }} 20 | roleRef: 21 | apiGroup: rbac.authorization.k8s.io 22 | kind: ClusterRole 23 | name: token-requestor 24 | subjects: 25 | - kind: ServiceAccount 26 | name: {{ include "registry-scanner.serviceAccountName" . 
}} 27 | namespace: {{ .Release.Namespace }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/cluster-shield/tests/serviceaccount_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test ServiceAccount 2 | templates: 3 | - templates/serviceaccount.yaml 4 | values: 5 | - ../ci/base-values.yaml 6 | release: 7 | name: shield-release 8 | namespace: shield-namespace 9 | tests: 10 | - it: Test default 11 | asserts: 12 | - hasDocuments: 13 | count: 1 14 | - containsDocument: 15 | apiVersion: v1 16 | kind: ServiceAccount 17 | name: shield-release-cluster-shield 18 | 19 | - it: Test with custom service account name 20 | set: 21 | serviceAccount: 22 | name: "custom-service-account" 23 | asserts: 24 | - hasDocuments: 25 | count: 1 26 | - containsDocument: 27 | apiVersion: v1 28 | kind: ServiceAccount 29 | name: custom-service-account 30 | 31 | - it: Test with disabled creation 32 | set: 33 | serviceAccount: 34 | create: false 35 | asserts: 36 | - hasDocuments: 37 | count: 0 38 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/service-secure.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "fullname" . }}-secure 5 | labels: 6 | app: {{ template "name" . 
}}-secure 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 8 | release: {{ .Release.Name }} 9 | inmenu: "true" 10 | target: sysdig-secure 11 | annotations: 12 | name: Sysdig Secure # NavMenu: the display name that will show in the menu 13 | id: {{ .Values.service.secureMenuId }} # NavMenu: The id of the top-level menu item to attach to 14 | roles: ClusterAdministrator,Administrator,Operator,Viewer # NavMenu: A list of roles you want to be able to view TA in the menu 15 | spec: 16 | type: ClusterIP 17 | ports: 18 | - port: {{ .Values.service.externalPort }} 19 | targetPort: {{ .Values.service.internalPort }} 20 | protocol: TCP 21 | name: {{ .Values.service.name }} 22 | selector: 23 | app: {{ template "name" . }} 24 | release: {{ .Release.Name }} 25 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "fullname" . }}-monitor 5 | labels: 6 | app: {{ template "name" . }}-monitor 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 8 | release: {{ .Release.Name }} 9 | inmenu: "true" 10 | target: sysdig-monitor 11 | annotations: 12 | name: Sysdig Monitor # NavMenu: the display name that will show in the menu 13 | id: {{ .Values.service.monitorMenuId }} # NavMenu: The id of the top-level menu item to attach to 14 | roles: ClusterAdministrator,Administrator,Operator,Viewer # NavMenu: A list of roles you want to be able to view TA in the menu 15 | spec: 16 | type: ClusterIP 17 | ports: 18 | - port: {{ .Values.service.externalPort }} 19 | targetPort: {{ .Values.service.internalPort }} 20 | protocol: TCP 21 | name: {{ .Values.service.name }} 22 | selector: 23 | app: {{ template "name" . 
}} 24 | release: {{ .Release.Name }} 25 | -------------------------------------------------------------------------------- /charts/common/templates/_agent_tags.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Flatten tags dict recursively 3 | */}} 4 | {{- define "dict.flatten" -}} 5 | {{- $map := first . -}} 6 | {{- $label := last . -}} 7 | {{- $fields := list -}} 8 | {{- range $key, $val := $map -}} 9 | {{- $sublabel := list $label $key | join "." -}} 10 | {{- if $label | eq "" -}} 11 | {{ $sublabel = $key }} 12 | {{- end -}} 13 | {{- if kindOf $val | eq "map" -}} 14 | {{- $fields = (list $val $sublabel | include "dict.flatten") | append $fields }} 15 | {{- else -}} 16 | {{- $fields = (printf "%s:%s" $sublabel $val) | append $fields -}} 17 | {{- end -}} 18 | {{- end -}} 19 | {{- join "," $fields -}} 20 | {{- end -}} 21 | 22 | {{/* 23 | Use global sysdig tags for agent 24 | */}} 25 | {{- define "agent.tags" -}} 26 | {{- if .Values.global.sysdig.tags -}} 27 | {{- $args := list .Values.global.sysdig.tags ""}} 28 | {{- include "dict.flatten" $args }} 29 | {{- end -}} 30 | {{- end -}} 31 | -------------------------------------------------------------------------------- /charts/cluster-shield/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "cluster-shield.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | {{- include "cluster-shield.labels" . | nindent 4 }} 8 | spec: 9 | type: {{ .Values.service.type }} 10 | ports: 11 | - port: {{ include "cluster-shield.serviceMonitoringPort" . }} 12 | targetPort: monitoring 13 | protocol: TCP 14 | name: monitoring 15 | {{- if and .Values.cluster_shield.features.admission_control.enabled }} 16 | - port: {{ include "cluster-shield.serviceAdmissionControlPort" . 
}} 17 | targetPort: admission 18 | protocol: TCP 19 | name: admission 20 | {{- end }} 21 | {{- if .Values.cluster_shield.features.audit.enabled }} 22 | - port: {{ include "cluster-shield.serviceAuditPort" . }} 23 | targetPort: audit 24 | protocol: TCP 25 | name: audit 26 | {{- end }} 27 | selector: 28 | {{- include "cluster-shield.selectorLabels" . | nindent 4 }} 29 | -------------------------------------------------------------------------------- /charts/cluster-scanner/templates/role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: {{ include "cluster-scanner.fullname" . }} 5 | namespace: {{ include "cluster-scanner.namespace" . }} 6 | rules: 7 | - apiGroups: ["", "coordination.k8s.io"] 8 | resources: 9 | - "leases" 10 | resourceNames: 11 | - {{ .Values.runtimeStatusIntegrator.leaderElectionLeaseNameOverride | default (include "cluster-scanner.fullname" .) }} 12 | verbs: ["*"] 13 | - apiGroups: ["", "coordination.k8s.io"] 14 | resources: 15 | - "leases" 16 | verbs: ["create"] 17 | - apiGroups: ["*"] 18 | resources: 19 | - "endpoints" 20 | verbs: ["get", "watch", "list"] 21 | - apiGroups: ["*"] 22 | resources: 23 | - "endpoints" 24 | # Following is required for OpenShift. See https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/pods_and_services.html#endpoints 25 | - "endpoints/restricted" 26 | resourceNames: 27 | - {{ include "cluster-scanner.fullname" . }} 28 | verbs: ["*"] 29 | -------------------------------------------------------------------------------- /charts/agent/templates/tests/test-rollout.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "agent.fullname" . }}-test-rollout" 5 | namespace: {{ include "agent.namespace" . }} 6 | labels: 7 | helm.sh/chart: {{ include "agent.chart" . 
}} 8 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | annotations: 11 | "helm.sh/hook": test 12 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 13 | spec: 14 | serviceAccountName: {{ include "agent.serviceAccountName" . }} 15 | containers: 16 | - name: kubectl 17 | image: {{ .Values.tests.image.repo }}:{{ .Values.tests.image.tag }} 18 | imagePullPolicy: IfNotPresent 19 | command: 20 | - kubectl 21 | args: 22 | - rollout 23 | - status 24 | - daemonset/{{ include "agent.fullname" . }} 25 | - -n 26 | - {{ include "agent.namespace" . }} 27 | - -w 28 | - --timeout={{ .Values.tests.timeout }} 29 | restartPolicy: Never 30 | -------------------------------------------------------------------------------- /charts/agent/tests/prometheus_file_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test Prometheus file injection 2 | templates: 3 | - templates/configmap.yaml 4 | - templates/configmap-deployment.yaml 5 | tests: 6 | - it: Check customizing Prometheus parameters 7 | set: 8 | prometheus: 9 | file: true 10 | yaml: 11 | custom: content 12 | is: here 13 | asserts: 14 | - isKind: 15 | of: ConfigMap 16 | - equal: 17 | path: data['prometheus.yaml'] 18 | value: | 19 | custom: content 20 | is: here 21 | template: configmap.yaml 22 | 23 | - it: Check customizing Prometheus parameters in Delegated Agent mode 24 | set: 25 | delegatedAgentDeployment: 26 | enabled: true 27 | prometheus: 28 | file: true 29 | yaml: 30 | custom: content 31 | is: here 32 | asserts: 33 | - isKind: 34 | of: ConfigMap 35 | - isNull: 36 | path: data['prometheus.yaml'] 37 | template: configmap-deployment.yaml 38 | -------------------------------------------------------------------------------- /charts/cloud-bench/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | 
apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "cloud-bench.fullname" . }} 6 | labels: 7 | {{- include "cloud-bench.labels" . | nindent 4 }} 8 | spec: 9 | scaleTargetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: {{ include "cloud-bench.fullname" . }} 13 | minReplicas: {{ .Values.autoscaling.minReplicas }} 14 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 15 | metrics: 16 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 21 | {{- end }} 22 | {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} 23 | - type: Resource 24 | resource: 25 | name: memory 26 | targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/sysdig/templates/runtimeScanner/eveconnector-api-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (not .Values.gke.autopilot) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }}-eveconnector 6 | labels: 7 | {{ include "sysdig.labels" . 
| indent 4 }} 8 | data: 9 | api_endpoint: https://{{ required "A valid .Values.nodeAnalyzer.apiEndpoint is required" .Values.nodeAnalyzer.apiEndpoint }} 10 | cluster_name: {{ required "A valid .Values.clusterName is required" .Values.clusterName }} 11 | {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }} 12 | ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}" 13 | {{- end }} 14 | {{- if hasKey .Values.nodeAnalyzer.runtimeScanner "eveConnector" }} 15 | cert_dns_name: {{ include "eveconnector.host" . | quote }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/sysdig/templates/kspmCollector/configmap-kspm-collector.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.kspm.deploy }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "sysdig.fullname" . }}-kspm-collector 6 | labels: 7 | {{ include "sysdig.labels" . | indent 4 }} 8 | data: 9 | {{- $env := "PRODUCTION" -}} 10 | {{ if .Values.kspmCollector.debug }} 11 | {{- $env = "DEVELOPMENT" -}} 12 | {{ end}} 13 | environment: {{ $env }} 14 | included_namespaces: {{ .Values.kspmCollector.settings.namespaces.included | quote}} 15 | excluded_namespaces: {{ .Values.kspmCollector.settings.namespaces.excluded | quote }} 16 | included_workloads: {{ .Values.kspmCollector.settings.workloads.included | quote }} 17 | excluded_workloads: {{ .Values.kspmCollector.settings.workloads.excluded | quote }} 18 | health_interval_minutes: {{ .Values.kspmCollector.settings.healthIntervalMin | default 5 | quote }} 19 | external_nats_url: {{ include "sysdig.natsUrl" . 
}} 20 | cluster_name: {{ required "A valid .Values.clusterName is required" .Values.clusterName }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/cluster-shield/templates/role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: {{ include "cluster-shield.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | rules: 7 | {{- if eq "true" (include "cluster-shield.containerVulnerabilityManagementEnabled" .) }} 8 | - apiGroups: ["", "coordination.k8s.io"] 9 | resources: 10 | - "leases" 11 | resourceNames: 12 | - {{ include "cluster-shield.clusterScannerLockName" . }} 13 | verbs: ["*"] 14 | - apiGroups: ["", "coordination.k8s.io"] 15 | resources: 16 | - "leases" 17 | verbs: ["create"] 18 | - apiGroups: ["*"] 19 | resources: 20 | - "endpoints" 21 | verbs: ["get", "watch", "list"] 22 | - apiGroups: ["*"] 23 | resources: 24 | - "endpoints" 25 | # Following is required for OpenShift. See https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/pods_and_services.html#endpoints 26 | - "endpoints/restricted" 27 | resourceNames: 28 | - {{ include "cluster-shield.clusterScannerServiceName" . }} 29 | verbs: ["*"] 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/tests/test-rollout.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "nodeAnalyzer.fullname" . }}-test-rollout" 5 | namespace: {{ include "nodeAnalyzer.namespace" . }} 6 | labels: 7 | helm.sh/chart: {{ include "nodeAnalyzer.chart" . 
}} 8 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | annotations: 11 | "helm.sh/hook": test 12 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 13 | spec: 14 | serviceAccountName: {{ include "nodeAnalyzer.serviceAccountName" . }} 15 | containers: 16 | - name: kubectl 17 | image: {{ .Values.tests.image.repo }}:{{ .Values.tests.image.tag }} 18 | imagePullPolicy: IfNotPresent 19 | command: 20 | - kubectl 21 | args: 22 | - rollout 23 | - status 24 | - daemonset/{{ .Release.Name }}-node-analyzer 25 | - -n 26 | - {{ .Release.Namespace }} 27 | - -w 28 | - --timeout={{ .Values.tests.timeout }} 29 | restartPolicy: Never 30 | -------------------------------------------------------------------------------- /charts/registry-scanner/templates/cronjob.yaml: -------------------------------------------------------------------------------- 1 | {{- include "registry-scanner.validateTimeZone" . }} 2 | {{- if (include "registry-scanner.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 21)) }} 3 | apiVersion: batch/v1beta1 4 | {{- else }} 5 | apiVersion: batch/v1 6 | {{- end }} 7 | kind: CronJob 8 | metadata: 9 | name: {{ include "registry-scanner.fullname" . }} 10 | labels: 11 | {{ include "registry-scanner.labels" . | indent 4 }} 12 | {{- include "registry-scanner.customLabels" . | nindent 4 }} 13 | spec: 14 | schedule: {{ .Values.cronjob.schedule | quote }} 15 | {{- if .Values.cronjob.timeZone }} 16 | timeZone: {{ .Values.cronjob.timeZone | quote }} 17 | {{- end }} 18 | failedJobsHistoryLimit: {{ .Values.cronjob.failedJobsHistoryLimit }} 19 | successfulJobsHistoryLimit: {{ .Values.cronjob.successfulJobsHistoryLimit }} 20 | concurrencyPolicy: Forbid 21 | jobTemplate: 22 | metadata: 23 | labels: 24 | {{- include "registry-scanner.customLabels" . | nindent 8 }} 25 | spec: 26 | {{- include "registry-scanner.jobTemplate" . 
| indent 6}} 27 | -------------------------------------------------------------------------------- /charts/kspm-collector/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not ( include "kspmCollector.accessKeySecret" . ) }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ template "kspmCollector.fullname" . }} 7 | namespace: {{ include "kspmCollector.namespace" . }} 8 | labels: 9 | {{ include "kspmCollector.labels" . | indent 4 }} 10 | type: Opaque 11 | data: 12 | access-key: {{ include "kspmCollector.accessKey" . | b64enc | quote }} 13 | {{- end }} 14 | {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} 15 | --- 16 | apiVersion: v1 17 | kind: Secret 18 | metadata: 19 | name: {{ include "kspmCollector.fullname" . }}-ca 20 | namespace: {{ include "kspmCollector.namespace" . }} 21 | labels: 22 | {{ include "kspmCollector.labels" . | indent 4 }} 23 | data: 24 | {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /charts/node-analyzer/tests/readme_command_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Testing install commands in Readme 2 | templates: 3 | - secrets.yaml 4 | - configmap-benchmark-runner.yaml 5 | tests: 6 | - it: check Readme install command titled "Installing the Chart" 7 | set: 8 | sysdig: 9 | accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 10 | nodeAnalyzer: 11 | apiEndpoint: secure.sysdig.com 12 | asserts: 13 | - equal: 14 | path: data.access-key 15 | value: QUFBQUFBQUEtQkJCQi1DQ0NDLUREREQtRUVFRUVFRUVFRUVF 16 | template: secrets.yaml 17 | - equal: 18 | 
path: data.collector_endpoint
          value: https://secure.sysdig.com
          template: configmap-benchmark-runner.yaml

  - it: check Readme install command showing options usage example
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    asserts:
      - equal:
          path: data.access-key
          value: QUFBQUFBQUEtQkJCQi1DQ0NDLUREREQtRUVFRUVFRUVFRUVF
          template: secrets.yaml
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/README.md:
--------------------------------------------------------------------------------
# Sysdig MCM Nav Menu integration

These Helm charts deploy a couple of services and an Ingress carrying the labels and annotations that MCM requires to create links in its top-left burger menu:

* a "Sysdig Secure" entry is created inside the "Administer" menu
* a "Sysdig Monitor" entry is created inside the "Monitor health" menu

The Ingress entry does not seem to work for ExternalService (unable to resolve service), so an nginx pod is deployed with a couple of redirect rules that send the user to the Secure or Monitor SaaS URLs.

## Verify the integrity and origin

Sysdig Helm charts are signed so that users can verify the integrity and origin of each chart. The steps are as follows.

### Import the public key

```console
$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
$ gpg --import /tmp/sysdig_public.gpg
```

Before trusting the key, compare its fingerprint (`gpg --fingerprint`) with a value obtained out of band. The key is downloaded from the same origin as the charts, so on its own it only proves that the chart and the key came from the same server.

Helm reads the legacy GnuPG keyring format (`~/.gnupg/pubring.gpg`). With GnuPG 2.1 or later, which stores keys in `pubring.kbx`, export the imported key into that format, e.g. `gpg --export > ~/.gnupg/pubring.gpg`, or pass the exported file to Helm with `--keyring`.

### Verify the chart

To check the integrity and origin of a chart, append the `--verify` flag to the `install`, `upgrade` and `pull` Helm commands. Verification fails, rather than being skipped, when the chart's `.prov` provenance file is missing or its signature does not match.
23 | -------------------------------------------------------------------------------- /charts/kspm-collector/templates/tests/test-rollout.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "kspmCollector.fullname" . }}-test-rollout" 5 | namespace: {{ include "kspmCollector.namespace" . }} 6 | labels: 7 | helm.sh/chart: {{ include "kspmCollector.chart" . }} 8 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | annotations: 11 | "helm.sh/hook": test 12 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 13 | spec: 14 | serviceAccountName: {{ include "kspmCollector.serviceAccountName" . }} 15 | containers: 16 | - name: kubectl 17 | image: {{ .Values.tests.image.repo }}:{{ .Values.tests.image.tag }} 18 | imagePullPolicy: IfNotPresent 19 | command: 20 | - kubectl 21 | args: 22 | - rollout 23 | - status 24 | - deployment/{{ include "kspmCollector.fullname" . }} 25 | - -n 26 | - {{ include "kspmCollector.namespace" . }} 27 | - -w 28 | - --timeout={{ .Values.tests.timeout }} 29 | restartPolicy: Never 30 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ include "admissionController.webhook.fullname" . 
}}
rules:
  # Read of a single namespace: resourceNames limits "get" to kube-system.
  - apiGroups:
      - ""
    resourceNames:
      - kube-system
    resources:
      - namespaces
    verbs:
      - get
  # NOTE(review): this rule is not scoped by resourceNames and lives in a
  # ClusterRole, so whenever acConfig or vm is enabled the webhook's service
  # account can read any Secret (and ConfigMap / ServiceAccount / Namespace)
  # in every namespace, as long as it knows the name. "get" without "list"
  # only removes enumeration; it does not limit which secrets are readable.
  # If the webhook only needs objects from its own namespace, a namespaced
  # Role would be the tighter choice; otherwise document here why
  # cluster-wide secret access is required.
  - apiGroups:
      - ""
    resources:
      - pods
      {{- if .Values.webhook.acConfig }}
      - configmaps
      {{- end }}
      {{- if or .Values.webhook.acConfig (.Values.webhook.vm).enabled }}
      - secrets
      {{- end }}
      {{- if (.Values.webhook.vm).enabled }}
      - serviceaccounts
      - namespaces
      {{- end }}
    verbs:
      - get
  {{- if .Values.webhook.acConfig }}
  # Job lifecycle verbs, granted only when acConfig is set.
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - create
      - get
      - delete
      - watch
  {{- end }}
  # Read-only access to the workload controllers (presumably for owner
  # lookups of admitted pods — confirm).
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
    verbs:
      - get
{{- end }}
--------------------------------------------------------------------------------
/charts/sysdig/templates/configmap-benchmark-runner.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.gke.autopilot }}
{{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (include "nodeAnalyzer.deployBenchmarkRunner" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "sysdig.fullname" . }}-benchmark-runner
  labels:
{{ include "sysdig.labels" .
| indent 4 }} 9 | data: 10 | collector_endpoint: https://{{ .Values.nodeAnalyzer.apiEndpoint | default .Values.nodeAnalyzer.collectorEndpoint }} 11 | {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }} 12 | ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}" 13 | {{- end }} 14 | debug: "{{ .Values.nodeAnalyzer.debug | default false }}" 15 | {{- if .Values.nodeAnalyzer.httpProxy }} 16 | http_proxy: {{ .Values.nodeAnalyzer.httpProxy }} 17 | {{- end -}} 18 | {{- if .Values.nodeAnalyzer.httpsProxy }} 19 | https_proxy: {{ .Values.nodeAnalyzer.httpsProxy }} 20 | {{- end -}} 21 | {{- if .Values.nodeAnalyzer.noProxy }} 22 | no_proxy: {{ .Values.nodeAnalyzer.noProxy }} 23 | {{- end -}} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /charts/sysdig/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | The agent for Sysdig Secure DevOps Platform is spinning up on each node in your 2 | cluster. After a few seconds, you should see your hosts appearing in the 3 | Sysdig Agent Health & Status Dashboard: 4 | 5 | COLLECTOR_URL: This value is region-dependent in SaaS and is auto-completed in install snippets in the UI. (It is a custom value in on-prem installations.) 6 | API_ENDPOINT: This is the base URL (region-dependent) for Sysdig Secure and is auto-completed in install snippets in the UI. E.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com. 7 | 8 | These are few example links (valid for us-east only): 9 | 10 | https://app.sysdigcloud.com/#/dashboard-template/view.sysdig.agents?last=10 11 | 12 | https://secure.sysdig.com/#/events/l:600/*/*?viewAs=list 13 | 14 | 15 | ------------------- 16 | DEPRECATION WARNING 17 | ------------------- 18 | 19 | This chart is being deprecated on 2023-01-01, at which point it will no longer 20 | receive any updates. 
Please migrate to https://charts.sysdig.com/charts/sysdig-deploy 21 | as soon as possible for new features, security updates, and continued support. 22 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if not (include "nodeAnalyzer.gke.autopilot" .) }} 2 | {{- if not (include "nodeAnalyzer.accessKeySecret" .) }} 3 | --- 4 | apiVersion: v1 5 | kind: Secret 6 | metadata: 7 | name: {{ template "nodeAnalyzer.fullname" . }} 8 | namespace: {{ include "nodeAnalyzer.namespace" . }} 9 | labels: 10 | {{ include "nodeAnalyzer.labels" . | indent 4 }} 11 | type: Opaque 12 | data: 13 | access-key: {{ include "nodeAnalyzer.accessKey" . | b64enc | quote }} 14 | {{- end }} 15 | {{- end }} 16 | {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} 17 | --- 18 | apiVersion: v1 19 | kind: Secret 20 | metadata: 21 | name: {{ include "nodeAnalyzer.fullname" . }}-ca 22 | namespace: {{ include "nodeAnalyzer.namespace" . }} 23 | labels: 24 | {{ include "nodeAnalyzer.labels" . 
| indent 4 }} 25 | data: 26 | {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /charts/kspm-collector/tests/cert_validation_test.yaml: -------------------------------------------------------------------------------- 1 | suite: KSPM Collector Skip certificate tests 2 | templates: 3 | - templates/configmap.yaml 4 | tests: 5 | - it: "SSL certificate validation enabled" 6 | set: 7 | clusterName: "test" 8 | global: 9 | kspm: 10 | deploy: true 11 | templates: 12 | - templates/configmap.yaml 13 | asserts: 14 | - equal: 15 | path: data.nats_insecure 16 | value: "false" 17 | 18 | - it: "Global SSL certificate validation disabled" 19 | set: 20 | clusterName: "test" 21 | global: 22 | kspm: 23 | deploy: true 24 | sslVerifyCertificate: false 25 | templates: 26 | - templates/configmap.yaml 27 | asserts: 28 | - equal: 29 | path: data.nats_insecure 30 | value: "true" 31 | 32 | - it: "SSL certificate validation disabled" 33 | set: 34 | clusterName: "test" 35 | global: 36 | kspm: 37 | deploy: true 38 | sslVerifyCertificate: false 39 | templates: 40 | - templates/configmap.yaml 41 | asserts: 42 | - equal: 43 | path: data.nats_insecure 44 | value: "true" 45 | -------------------------------------------------------------------------------- /charts/kspm-collector/tests/deployment_annotation_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Deployment annotation test 2 | templates: 3 | - deployment.yaml 4 | tests: 5 | - it: check that the deployment do not have any custom annotation if not specified 6 | set: 7 | sysdig: 8 | accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 9 | asserts: 10 | - isNull: 11 | path: 
metadata.annotations 12 | 13 | - it: check that the deployment include the annotation 14 | set: 15 | sysdig: 16 | accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 17 | annotations: 18 | my-annotation: my-value 19 | asserts: 20 | - exists: 21 | path: metadata.annotations 22 | 23 | - it: check that the deployment include the annotation match the value we specified 24 | set: 25 | sysdig: 26 | accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 27 | annotations: 28 | my-annotation-1: my-value-1 29 | my-annotation-2: my-value-2 30 | asserts: 31 | - equal: 32 | path: metadata.annotations['my-annotation-1'] 33 | value: my-value-1 34 | 35 | - equal: 36 | path: metadata.annotations['my-annotation-2'] 37 | value: my-value-2 38 | -------------------------------------------------------------------------------- /charts/cloud-connector/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.existingSecretName }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "cloud-connector.fullname" . }} 6 | labels: 7 | {{- include "cloud-connector.labels" . 
| nindent 4 }}
type: Opaque
# NOTE(review): every key below is a long-lived static credential (AWS access
# keys, an Azure client secret and connection strings, GCP credentials) or the
# Secure API token, base64-encoded only. Anything supplied through --set or a
# values file is also kept in the Helm release record, so prefer creating this
# Secret out of band (or from an external secret store) and referencing it
# with existingSecretName, which skips rendering this template altogether;
# where the platform offers workload identity, that avoids static cloud keys
# entirely. Keys are emitted even when their value is the empty string; the
# consumer presumably treats an empty value as "not configured" — confirm.
data:
  aws_access_key_id: {{ .Values.aws.accessKeyId | b64enc | quote }}
  aws_secret_access_key: {{ .Values.aws.secretAccessKey | b64enc | quote }}
  aws_region: {{ .Values.aws.region | b64enc | quote }}
  gcp_credentials: {{ .Values.gcpCredentials | b64enc | quote }}
  azure_event_hub_connection_string: {{ .Values.azure.eventHubConnectionString | b64enc | quote }}
  azure_event_grid_event_hub_connection_string: {{ .Values.azure.eventGridEventHubConnectionString | b64enc | quote }}
  azure_tenantId: {{ .Values.azure.tenantId | b64enc | quote }}
  azure_clientId: {{ .Values.azure.clientId | b64enc | quote }}
  azure_clientSecret: {{ .Values.azure.clientSecret | b64enc | quote }}
  azure_region: {{ .Values.azure.region | b64enc | quote }}
  # The only mandatory value; rendering fails early instead of producing a
  # Secret with an empty token.
  secure_api_token: {{ required "value 'sysdig.secureAPIToken' is required, but is not set" .Values.sysdig.secureAPIToken | b64enc | quote }}
{{- end }}
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/NOTES.txt:
--------------------------------------------------------------------------------
The node analyzer for Sysdig Secure DevOps Platform is spinning up on each node in your
cluster.

Each node analyzer pod consists of image analyzer, benchmark runner and host analyzer.

After successful installation you can access the Node analyzer features as follows:

Log in to Sysdig Secure and check that the features are working as expected.

Confirm Image analyzer
1. Select Scanning > Image Results.
2. Check for scanned container image results that originate with the Sysdig Node Image Analyzer.

Use Host Scanning
Check vulnerabilities in hosts or nodes, both for operation system packages (e.g. rpm, dpkg) and non-operating system packages (e.g. Java packages, Ruby gems).
1. Select Scanning > Hosts.
2.
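Review the Host vulnerabilities listed.
Your active team scope is applied when loading host scanning results. Log in with the broadest team and user credentials to see the full report.

Use Benchmarks (Legacy Feature)
3. Select Benchmarks, Tasks.
4. Either configure a new task or review your upgraded tasks. Click a line item to see the associated benchmark report.
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Every target here is a command, not a file; declaring all of them phony
# (previously only "unittest" was) stops a stray file or directory of the same
# name, e.g. "docs" or "deps", from silently satisfying the target.
.PHONY: deps-docs docs lint deps-unittest unittest unit-test-rs deps

# The docs generator is fetched at an explicit, pinned version.
deps-docs:
	go install kubepack.dev/chart-doc-gen@v0.4.7

docs: deps-docs
	find . -name "doc.yaml" | \
	xargs -L1 dirname | \
	xargs -I% sh -c \
	"chart-doc-gen -c %/Chart.yaml -v %/values.yaml -d %/doc.yaml -t %/README.tpl > %/README.md"

# NOTE(review): chart-testing is pulled as ":latest", so lint results can
# change between runs and the image is not pinned the way the other tooling
# is (chart-doc-gen and helm-unittest carry explicit versions). Pin it to a
# tag, ideally with an @sha256 digest, once a version is chosen.
lint:
	find . -name "Chart.lock" -type f -delete
	docker run --rm -e CT_VALIDATE_MAINTAINERS=false -u $(shell id -u) -v $(PWD):/charts quay.io/helmpack/chart-testing:latest sh -c "cd /charts; ct lint --target-branch=main --all"

deps-unittest:
	@helm plugin install https://github.com/helm-unittest/helm-unittest --version=0.6.1 || true

# The test-file pattern is single-quoted inside the double-quoted sh -c
# string. The previous nested double quotes ended the outer string early and
# only worked because the then-unquoted glob happened to match nothing at the
# repository root and was passed through literally.
unittest: deps-unittest
	find ./charts -name "Chart.yaml" | \
	xargs -L1 dirname | \
	xargs -I% sh -c \
	"helm dependency build % ; helm unittest --strict -f 'tests/**/*_test.yaml' %"

unit-test-rs: deps-unittest
	find ./charts/registry-scanner -name "Chart.yaml" | \
	xargs -L1 dirname | \
	xargs -I% sh -c \
	"helm dependency build % ; helm unittest --strict %"

deps:
	find ./charts -name "Chart.yaml" | \
	xargs -L1 dirname | \
	xargs -I% sh -c \
	"helm dependency build %"
--------------------------------------------------------------------------------
/charts/cloud-bench/CHANGELOG.md:
--------------------------------------------------------------------------------
# Chart: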
Cloud Bench 2 | 3 | All notable changes to this chart will be documented in this file. 4 | 5 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 6 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 7 | 8 | Please note that it's automatically updated vía github actions. 9 | Manual edits are supported only below '## Change Log' and should be used 10 | exclusively to fix incorrect entries and not to add new ones. 11 | 12 | ## Change Log 13 | # v0.3.0 14 | ### New Features 15 | * **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) 16 | # v0.2.3 17 | # v0.2.2 18 | ### New Features 19 | * [f4cb189](https://github.com/sysdiglabs/charts/commit/f4cb189afba6833fd458f99dcfcc0121f9d9dfa2)]: unify changelog headers ([#787](https://github.com/sysdiglabs/charts/issues/787)) 20 | -------------------------------------------------------------------------------- /charts/kspm-collector/tests/nodeselector_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Testing that nodeSelector is applied correctly 2 | templates: 3 | - deployment.yaml 4 | tests: 5 | - it: check application of kspm collector nodeSelector 6 | set: 7 | sysdig: 8 | accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 9 | nodeSelector: 10 | instancetype: cpuoptimized 11 | asserts: 12 | - equal: 13 | path: spec.template.spec.nodeSelector.instancetype 14 | value: cpuoptimized 15 | 16 | - it: check application of incorrect kspm collector nodeSelector with yaml 17 | set: 18 | sysdig: 19 | accessKey: 
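AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
      nodeSelector:
        instancetype:cpuoptimized
    asserts:
      - failedTemplate:
          errorMessage: "nodeSelector does not seem to be of the type key:[space]value"

  - it: check application of incorrect kspm collector nodeSelector with yaml key is empty
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
      nodeSelector:
        ":testnodeselector"
    asserts:
      - failedTemplate:
          errorMessage: "nodeSelector does not seem to be of the type key:[space]value"
--------------------------------------------------------------------------------
/charts/sysdig/tests/psp_test.yaml:
--------------------------------------------------------------------------------
suite: PSP create tests
templates:
  - templates/psp.yaml
  - templates/psp-node-analyzer.yaml
tests:
  - it: Ensure PSPs are created on k8s <1.25
    capabilities:
      majorVersion: 1
      minorVersion: 24
    set:
      psp:
        create: true
    asserts:
      - containsDocument:
          apiVersion: policy/v1beta1
          kind: PodSecurityPolicy

  # psp.create is forced on in the ">=1.25" cases so that an empty render
  # proves the kubeVersion gate rather than the default value of psp.create
  # (the same shape charts/agent/tests/psp_test.yaml already uses).
  - it: Ensure PSP is not created on k8s >=1.25
    capabilities:
      majorVersion: 1
      minorVersion: 25
    set:
      psp:
        create: true
    asserts:
      - hasDocuments:
          count: 0

  - it: Ensure PSPs are created on k8s <1.25 with '+' character in minor version
    capabilities:
      majorVersion: 1
      minorVersion: "24+"
    set:
      psp:
        create: true
    asserts:
      - containsDocument:
          apiVersion: policy/v1beta1
          kind: PodSecurityPolicy

  - it: Ensure PSP is not created on k8s >=1.25 with '+' character in minor version
    capabilities:
      majorVersion: 1
      minorVersion: "25+"
    set:
      psp:
        create: true
    asserts:
      - hasDocuments:
          count: 0
--------------------------------------------------------------------------------
/charts/cluster-scanner/tests/existing-secret_test.yaml:
--------------------------------------------------------------------------------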
1 | --- 2 | suite: existing-secret 3 | templates: 4 | - ../templates/deployment.yaml 5 | - ../templates/clusterrole.yaml 6 | - ../templates/clusterrolebinding.yaml 7 | - ../templates/role.yaml 8 | - ../templates/rolebinding.yaml 9 | - ../templates/configmap.yaml 10 | - ../templates/secret.yaml 11 | values: 12 | - ../values.yaml 13 | release: 14 | name: test-release 15 | namespace: test-ns 16 | tests: 17 | - it: "External secret env is set" 18 | templates: 19 | - ../templates/deployment.yaml 20 | set: 21 | global.sysdig.accessKeySecret: "secret" 22 | asserts: 23 | - equal: 24 | path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_ACCESS_KEY")] 25 | value: 26 | name: SYSDIG_ACCESS_KEY 27 | valueFrom: 28 | secretKeyRef: 29 | key: access-key 30 | name: secret 31 | - equal: 32 | path: spec.template.spec.containers[1].env[?(@.name == "SYSDIG_ACCESS_KEY")] 33 | value: 34 | name: SYSDIG_ACCESS_KEY 35 | valueFrom: 36 | secretKeyRef: 37 | key: access-key 38 | name: secret 39 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Chart: sysdig-mcm-navmenu 2 | 3 | All notable changes to this chart will be documented in this file. 4 | 5 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 6 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 7 | 8 | Please note that it's automatically updated vía github actions. 9 | Manual edits are supported only below '## Change Log' and should be used 10 | exclusively to fix incorrect entries and not to add new ones. 
11 | 12 | ## Change Log 13 | # v1.2.0 14 | ### New Features 15 | * **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) 16 | # v1.0.4 17 | # v1.0.3 18 | ### New Features 19 | * [f4cb189](https://github.com/sysdiglabs/charts/commit/f4cb189afba6833fd458f99dcfcc0121f9d9dfa2)]: unify changelog headers ([#787](https://github.com/sysdiglabs/charts/issues/787)) 20 | -------------------------------------------------------------------------------- /charts/cloud-scanning/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Chart: Cloud Scanning 2 | 3 | All notable changes to this chart will be documented in this file. 4 | 5 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 6 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 7 | 8 | Please note that it's automatically updated vía github actions. 9 | Manual edits are supported only below '## Change Log' and should be used 10 | exclusively to fix incorrect entries and not to add new ones. 
11 | 12 | ## Change Log 13 | # v0.4.1 14 | # v0.4.0 15 | ### New Features 16 | * **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) 17 | # v0.3.3 18 | # v0.3.2 19 | ### New Features 20 | * [f4cb189](https://github.com/sysdiglabs/charts/commit/f4cb189afba6833fd458f99dcfcc0121f9d9dfa2)]: unify changelog headers ([#787](https://github.com/sysdiglabs/charts/issues/787)) 21 | -------------------------------------------------------------------------------- /charts/sysdig-mcm-navmenu/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ template "fullname" . }} 5 | labels: 6 | app: {{ template "name" . }} 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 8 | release: {{ .Release.Name }} 9 | spec: 10 | replicas: {{ .Values.replicaCount }} 11 | selector: 12 | matchLabels: 13 | app: {{ template "name" . }} 14 | template: 15 | metadata: 16 | labels: 17 | app: {{ template "name" . 
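}}
        release: {{ .Release.Name }}
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - containerPort: {{ .Values.service.internalPort }}
          # NOTE(review): the redirect proxy runs as root (uid 0) and nothing
          # else in the context hardens it (no capability drop, no read-only
          # root filesystem, no allowPrivilegeEscalation: false). Nothing
          # visible here needs root; presumably it is only so nginx can bind
          # a low port. Prefer an unprivileged nginx image listening on a high
          # port and drop this runAsUser, or tighten the context once the
          # image allows it. The image tag comes from values and is not
          # pinned by digest.
          securityContext:
            runAsUser: 0
          resources:
{{ toYaml .Values.resources | indent 12 }}
          volumeMounts:
            - name: nginx-configs
              mountPath: /etc/nginx/conf.d
      restartPolicy: Always
      volumes:
        - name: nginx-configs
          configMap:
            name: {{ template "fullname" . }}-config
--------------------------------------------------------------------------------
/charts/cloud-bench/templates/ingress.yaml:
--------------------------------------------------------------------------------
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "cloud-bench.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- /*
  networking.k8s.io/v1beta1 and extensions/v1beta1 were removed in Kubernetes
  1.22, so the previous two-way switch produced an Ingress no current cluster
  accepts. networking.k8s.io/v1 (GA in 1.19) is selected first; the older API
  versions are kept only for clusters that predate it.
*/ -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    {{- include "cloud-bench.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ . }}
            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
            # v1 requires pathType and the structured service backend.
            pathType: ImplementationSpecific
            backend:
              service:
                name: {{ $fullName }}
                port:
                  number: {{ $svcPort }}
            {{- else }}
            backend:
              serviceName: {{ $fullName }}
              servicePort: {{ $svcPort }}
            {{- end }}
          {{- end }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/charts/kspm-collector/tests/pod_annotation_test.yaml:
--------------------------------------------------------------------------------
suite: Pod annotation test
templates:
  - deployment.yaml
tests:
  - it: check that the deployment do not have any custom annotation in the pod if not specified
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    asserts:
      - isNull:
          path: spec.template.metadata.annotations

  - it: check that the deployment include the pod annotation
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
      podAnnotations:
        my-annotation: my-value
    asserts:
      - exists:
          path: spec.template.metadata.annotations

  - it: check that the deployment include the pod annotation match the value we specified
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
      podAnnotations:
        my-annotation-1: my-value-1
        my-annotation-2: my-value-2
    asserts:
      - equal:
          path: spec.template.metadata.annotations['my-annotation-1']
          value: my-value-1

      - equal:
          path: spec.template.metadata.annotations['my-annotation-2']
          value: my-value-2
--------------------------------------------------------------------------------
/charts/common/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: common
description: Library Chart for Sysdig components to share common data


# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.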
10 | # 11 | # Library charts provide useful utilities or functions for the chart developer. They're included as 12 | # a dependency of application charts to inject those utilities and functions into the rendering 13 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 14 | type: library 15 | 16 | # This is the chart version. This version number should be incremented each time you make changes 17 | # to the chart and its templates, including the app version. 18 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 19 | version: 1.3.1 20 | 21 | maintainers: 22 | - name: AlbertoBarba 23 | email: alberto.barba@sysdig.com 24 | - name: aroberts87 25 | email: adam.roberts@sysdig.com 26 | - name: francesco-furlan 27 | email: francesco.furlan@sysdig.com 28 | - name: iurly 29 | email: gerlando.falauto@sysdig.com 30 | - name: mavimo 31 | email: marcovito.moscaritolo@sysdig.com 32 | -------------------------------------------------------------------------------- /charts/cluster-shield/tests/openshift_securitycontextconstraint_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test Openshift SecurityContextConstraints 2 | templates: 3 | - templates/openshift_securitycontextconstraint.yaml 4 | values: 5 | - ../ci/base-values.yaml 6 | release: 7 | name: shield-release 8 | namespace: shield-namespace 9 | capabilities: 10 | apiVersions: 11 | - security.openshift.io/v1 12 | tests: 13 | - it: Test run-all-namespaced mode 14 | set: 15 | run_command: "run-all-namespaced" 16 | asserts: 17 | - isKind: 18 | of: SecurityContextConstraints 19 | - contains: 20 | path: users 21 | content: "system:serviceaccount:shield-namespace:shield-release-cluster-shield" 22 | 23 | - it: Test run-all-namespaced mode with custom service account name 24 | set: 25 | run_command: "run-all-namespaced" 26 | serviceAccount: 27 | name: "custom-service-account" 28 | asserts: 29 | - isKind: 30 | of: 
SecurityContextConstraints 31 | - contains: 32 | path: users 33 | content: "system:serviceaccount:shield-namespace:custom-service-account" 34 | 35 | - it: Test run-all mode 36 | set: 37 | run_command: "run-all" 38 | asserts: 39 | - hasDocuments: 40 | count: 0 41 | -------------------------------------------------------------------------------- /charts/cluster-shield/tests/rolebinding_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test RoleBinding 2 | templates: 3 | - templates/rolebinding.yaml 4 | values: 5 | - ../ci/base-values.yaml 6 | release: 7 | name: shield-release 8 | namespace: shield-namespace 9 | tests: 10 | - it: Test default 11 | asserts: 12 | - hasDocuments: 13 | count: 1 14 | - containsDocument: 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | kind: RoleBinding 17 | name: shield-release-cluster-shield 18 | - contains: 19 | path: subjects 20 | content: 21 | kind: ServiceAccount 22 | namespace: shield-namespace 23 | name: shield-release-cluster-shield 24 | 25 | - it: Test with custom service account name 26 | set: 27 | serviceAccount: 28 | name: "custom-service-account" 29 | asserts: 30 | - hasDocuments: 31 | count: 1 32 | - containsDocument: 33 | apiVersion: rbac.authorization.k8s.io/v1 34 | kind: RoleBinding 35 | name: shield-release-cluster-shield 36 | - contains: 37 | path: subjects 38 | content: 39 | kind: ServiceAccount 40 | namespace: shield-namespace 41 | name: custom-service-account 42 | -------------------------------------------------------------------------------- /charts/rapid-response/tests/golden_template_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Testing pre-generated values and best-known edge cases 2 | templates: 3 | - daemonset.yaml 4 | - configmap.yaml 5 | - secrets.yaml 6 | tests: 7 | - it: check normal install testcase 8 | set: 9 | sysdig: 10 | accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 11 | clusterName: 
test-k8s 12 | rapidResponse: 13 | passphrase: testphrase 14 | asserts: 15 | - containsDocument: 16 | kind: DaemonSet 17 | apiVersion: apps/v1 18 | template: daemonset.yaml 19 | - containsDocument: 20 | kind: ConfigMap 21 | apiVersion: v1 22 | template: configmap.yaml 23 | - containsDocument: 24 | kind: Secret 25 | apiVersion: v1 26 | template: secrets.yaml 27 | - equal: 28 | path: data.access-key 29 | value: QUFBQUFBQUEtQkJCQi1DQ0NDLUREREQtRUVFRUVFRUVFRUVF 30 | documentIndex: 0 31 | template: secrets.yaml 32 | - containsDocument: 33 | kind: Secret 34 | apiVersion: v1 35 | template: secrets.yaml 36 | - equal: 37 | path: data.passphrase 38 | value: dGVzdHBocmFzZQ== 39 | documentIndex: 1 40 | template: secrets.yaml 41 | -------------------------------------------------------------------------------- /charts/agent/tests/psp_test.yaml: -------------------------------------------------------------------------------- 1 | suite: PSP create test 2 | templates: 3 | - templates/psp.yaml 4 | tests: 5 | - it: Ensure PSP is created on k8s <1.25 6 | capabilities: 7 | majorVersion: 1 8 | minorVersion: 24 9 | set: 10 | psp: 11 | create: true 12 | asserts: 13 | - containsDocument: 14 | apiVersion: policy/v1beta1 15 | kind: PodSecurityPolicy 16 | 17 | - it: Ensure PSP is not created on k8s >=1.25 18 | capabilities: 19 | majorVersion: 1 20 | minorVersion: 25 21 | set: 22 | psp: 23 | create: true 24 | asserts: 25 | - hasDocuments: 26 | count: 0 27 | 28 | - it: Ensure PSP is created on k8s <1.25 with '+' character in minor version 29 | capabilities: 30 | majorVersion: 1 31 | minorVersion: "24+" 32 | set: 33 | psp: 34 | create: true 35 | asserts: 36 | - containsDocument: 37 | apiVersion: policy/v1beta1 38 | kind: PodSecurityPolicy 39 | 40 | - it: Ensure PSP is not created on k8s >=1.25 with '+' character in minor version 41 | capabilities: 42 | majorVersion: 1 43 | minorVersion: "25+" 44 | set: 45 | psp: 46 | create: true 47 | asserts: 48 | - hasDocuments: 49 | count: 0 50 | 
-------------------------------------------------------------------------------- /charts/kspm-collector/templates/securitycontextconstraint.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | annotations: 6 | kubernetes.io/description: | 7 | This provides the minimum requirements to the Sysdig kspmCollector to run in the Openshift. 8 | name: {{ template "kspmCollector.fullname" . }} 9 | labels: 10 | {{ include "kspmCollector.labels" . | indent 4 }} 11 | allowHostDirVolumePlugin: false 12 | allowHostIPC: false 13 | allowHostNetwork: false 14 | allowHostPID: false 15 | allowHostPorts: false 16 | allowPrivilegeEscalation: false 17 | allowPrivilegedContainer: false 18 | allowedCapabilities: [] 19 | allowedUnsafeSysctls: [] 20 | defaultAddCapabilities: [] 21 | fsGroup: 22 | type: RunAsAny 23 | groups: [] 24 | priority: 0 25 | readOnlyRootFilesystem: false 26 | requiredDropCapabilities: [] 27 | runAsUser: 28 | type: RunAsAny 29 | seLinuxContext: 30 | type: RunAsAny 31 | seccompProfiles: 32 | - '*' 33 | supplementalGroups: 34 | type: RunAsAny 35 | users: 36 | - system:serviceaccount:{{ .Release.Namespace }}:{{ template "kspmCollector.serviceAccountName" .}} 37 | volumes: 38 | - emptyDir 39 | - secret 40 | - configMap 41 | - downwardAPI 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /charts/cluster-shield/tests/clusterrolebinding_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test ClusterRoleBinding 2 | templates: 3 | - templates/clusterrolebinding.yaml 4 | values: 5 | - ../ci/base-values.yaml 6 | release: 7 | name: shield-release 8 | namespace: shield-namespace 9 | tests: 10 | - it: Test default 11 | asserts: 12 | - hasDocuments: 13 | 
count: 1 14 | - containsDocument: 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | kind: ClusterRoleBinding 17 | name: shield-release-cluster-shield 18 | - contains: 19 | path: subjects 20 | content: 21 | kind: ServiceAccount 22 | namespace: shield-namespace 23 | name: shield-release-cluster-shield 24 | 25 | - it: Test with custom service account name 26 | set: 27 | serviceAccount: 28 | name: "custom-service-account" 29 | asserts: 30 | - hasDocuments: 31 | count: 1 32 | - containsDocument: 33 | apiVersion: rbac.authorization.k8s.io/v1 34 | kind: ClusterRoleBinding 35 | name: shield-release-cluster-shield 36 | - contains: 37 | path: subjects 38 | content: 39 | kind: ServiceAccount 40 | namespace: shield-namespace 41 | name: custom-service-account 42 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/securitycontextconstraint.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | annotations: 6 | kubernetes.io/description: | 7 | This provides the minimum requirements to the Sysdig nodeAnalyzer to run in the Openshift. 8 | name: {{ template "nodeAnalyzer.fullname" . }} 9 | labels: 10 | {{ include "nodeAnalyzer.labels" . 
| indent 4 }} 11 | allowHostDirVolumePlugin: true 12 | allowHostIPC: false 13 | allowHostNetwork: true 14 | allowHostPID: true 15 | allowHostPorts: false 16 | allowPrivilegeEscalation: true 17 | allowPrivilegedContainer: true 18 | allowedCapabilities: [] 19 | allowedUnsafeSysctls: [] 20 | defaultAddCapabilities: [] 21 | fsGroup: 22 | type: RunAsAny 23 | groups: [] 24 | priority: 0 25 | readOnlyRootFilesystem: false 26 | requiredDropCapabilities: [] 27 | runAsUser: 28 | type: RunAsAny 29 | seLinuxContext: 30 | type: RunAsAny 31 | seccompProfiles: 32 | - '*' 33 | supplementalGroups: 34 | type: RunAsAny 35 | users: 36 | - system:serviceaccount:{{ .Release.Namespace }}:{{ template "nodeAnalyzer.serviceAccountName" .}} 37 | volumes: 38 | - hostPath 39 | - emptyDir 40 | - secret 41 | - configMap 42 | - downwardAPI 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /charts/rapid-response/templates/securitycontextconstraint.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rapidResponse.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | annotations: 6 | kubernetes.io/description: | 7 | This provides the minimum requirements to the Sysdig rapidResponse to run in the Openshift. 8 | name: {{ template "rapidResponse.fullname" . }} 9 | labels: 10 | {{ include "rapidResponse.labels" . 
| indent 4 }} 11 | allowHostDirVolumePlugin: true 12 | allowHostIPC: false 13 | allowHostNetwork: true 14 | allowHostPID: false 15 | allowHostPorts: false 16 | allowPrivilegeEscalation: false 17 | allowPrivilegedContainer: false 18 | allowedCapabilities: [] 19 | allowedUnsafeSysctls: [] 20 | defaultAddCapabilities: [] 21 | fsGroup: 22 | type: RunAsAny 23 | groups: [] 24 | priority: 0 25 | readOnlyRootFilesystem: false 26 | requiredDropCapabilities: [] 27 | runAsUser: 28 | type: RunAsAny 29 | seLinuxContext: 30 | type: RunAsAny 31 | seccompProfiles: 32 | - '*' 33 | supplementalGroups: 34 | type: RunAsAny 35 | users: 36 | - system:serviceaccount:{{ .Release.Namespace }}:{{ template "rapidResponse.serviceAccountName" .}} 37 | volumes: 38 | - hostPath 39 | - emptyDir 40 | - secret 41 | - configMap 42 | - downwardAPI 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /scripts/cluster-scanner/cluster-scanner-resources.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 # Standalone resources for the cluster scanner: namespace, service account, token Secret and cluster-wide read-only RBAC. 2 | kind: Namespace 3 | metadata: 4 | name: sysdig-cluster-scanner 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: sysdig-cluster-scanner 10 | namespace: sysdig-cluster-scanner 11 | --- 12 | apiVersion: v1 13 | kind: Secret 14 | metadata: 15 | name: sysdig-cluster-scanner 16 | namespace: sysdig-cluster-scanner 17 | annotations: 18 | kubernetes.io/service-account.name: sysdig-cluster-scanner 19 | type: kubernetes.io/service-account-token # NOTE(review): this creates a long-lived, non-expiring token for the service account; treat it as a credential (restrict who can read this Secret, rotate it on exposure) and prefer a bound/projected token where the consumer supports one. 20 | --- 21 | apiVersion: rbac.authorization.k8s.io/v1 22 | kind: ClusterRole 23 | metadata: 24 | name: sysdig-cluster-scanner 25 | rules: 26 | - apiGroups: ["", "apps", "batch", "extensions"] # "extensions" is the legacy API group for these workload kinds; harmless on current clusters, present only for older ones. 27 | resources: 28 | - "namespaces" 29 | - "deployments" 30 | - "replicasets" 31 | - "daemonsets" 32 | - "statefulsets" 33 | - "pods" 34 | - "cronjobs" 35 | - "jobs" 36 | - "nodes" 37 | - "secrets" # NOTE(review): in a ClusterRole, get/list/watch on "secrets" lets this service account read every Secret in every namespace -- presumably needed for registry pull credentials; confirm the scope, and narrow it (namespaced Role, or resourceNames) if the scanner needs less. 38 | verbs: ["get", "list", "watch"] 39 | --- 40 | 
apiVersion: rbac.authorization.k8s.io/v1 41 | kind: ClusterRoleBinding 42 | metadata: 43 | name: sysdig-cluster-scanner 44 | roleRef: 45 | apiGroup: rbac.authorization.k8s.io 46 | kind: ClusterRole 47 | name: sysdig-cluster-scanner 48 | subjects: 49 | - kind: ServiceAccount 50 | name: sysdig-cluster-scanner 51 | namespace: sysdig-cluster-scanner 52 | -------------------------------------------------------------------------------- /charts/cluster-shield/templates/openshift_securitycontextconstraint.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Capabilities.APIVersions.Has "security.openshift.io/v1") (ne "true" (include "cluster-shield.isSingleProcess" .)) }} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | annotations: 6 | kubernetes.io/description: | 7 | This provides the minimum requirements to the Sysdig cluster-shield to run in the Openshift. 8 | name: {{ include "cluster-shield.fullname" . }} 9 | labels: 10 | {{- include "cluster-shield.labels" . | nindent 4 }} 11 | allowHostDirVolumePlugin: true 12 | allowHostIPC: false 13 | allowHostNetwork: true 14 | allowHostPID: true 15 | allowHostPorts: false 16 | allowPrivilegeEscalation: true 17 | allowPrivilegedContainer: true 18 | allowedCapabilities: [] 19 | allowedUnsafeSysctls: [] 20 | defaultAddCapabilities: [] 21 | fsGroup: 22 | type: RunAsAny 23 | groups: [] 24 | priority: 0 25 | readOnlyRootFilesystem: false 26 | requiredDropCapabilities: [] 27 | runAsUser: 28 | type: RunAsAny 29 | seLinuxContext: 30 | type: RunAsAny 31 | seccompProfiles: 32 | - '*' 33 | supplementalGroups: 34 | type: RunAsAny 35 | users: 36 | - system:serviceaccount:{{ .Release.Namespace }}:{{ include "cluster-shield.serviceAccountName" . 
}} 37 | volumes: 38 | - configMap 39 | - downwardAPI 40 | - emptyDir 41 | - hostPath 42 | - secret 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /charts/node-analyzer/templates/runtimeScanner/sysdig-eve-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeAnalyzer.deploy (not (include "nodeAnalyzer.gke.autopilot" .)) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: sysdig-eve-secret 7 | namespace: {{ include "nodeAnalyzer.namespace" . }} 8 | labels: 9 | {{ include "nodeAnalyzer.labels" . | indent 4 }} 10 | type: Opaque 11 | data: 12 | endpoint: {{ include "eveconnector.host" . | printf "https://%s" | b64enc | quote }} 13 | token: {{ include "eveconnector.token" . }} 14 | {{- end }} 15 | {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} 16 | --- 17 | apiVersion: v1 18 | kind: Secret 19 | metadata: 20 | name: {{ include "nodeAnalyzer.fullname" . }}-eveconnector-ca 21 | namespace: {{ include "nodeAnalyzer.namespace" . }} 22 | labels: 23 | {{ include "nodeAnalyzer.labels" . 
| indent 4 }} 24 | data: 25 | {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/admission-controller/templates/webhook/securitycontextconstraint.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | annotations: 6 | kubernetes.io/description: | 7 | This provides the minimum requirements to the Sysdig agent to run in the Openshift. 8 | name: {{ include "admissionController.webhook.fullname" . }} 9 | labels: {{- include "admissionController.webhook.labels" . | nindent 4 }} 10 | allowHostDirVolumePlugin: true 11 | allowHostIPC: false 12 | allowHostNetwork: true 13 | allowHostPID: true 14 | allowHostPorts: false 15 | allowPrivilegeEscalation: true 16 | allowPrivilegedContainer: true 17 | allowedCapabilities: [] 18 | allowedUnsafeSysctls: [] 19 | defaultAddCapabilities: [] 20 | fsGroup: 21 | type: RunAsAny 22 | groups: [] 23 | priority: 0 24 | readOnlyRootFilesystem: false 25 | requiredDropCapabilities: [] 26 | runAsUser: 27 | type: RunAsAny 28 | seLinuxContext: 29 | type: RunAsAny 30 | seccompProfiles: 31 | - '*' 32 | supplementalGroups: 33 | type: RunAsAny 34 | users: 35 | - system:serviceaccount:{{ include "admissionController.namespace" . }}:{{ include "admissionController.webhook.serviceAccountName" . 
}} 36 | volumes: 37 | - hostPath 38 | - emptyDir 39 | - secret 40 | - configMap 41 | - downwardAPI 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /charts/registry-scanner/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | # ============================================================================================ 2 | # Info: Chart version {{ .Chart.Version }} has been installed with Registry Scanner {{ .Chart.AppVersion }}. 3 | # 4 | # The chart version follows SemVer (https://semver.org/), you can pin 5 | # the chart version with --version=1, --version=1.0, --version=1.0.0, etc. 6 | # Using --version=1 will ensure that you get the latest 1.x.x version, but 7 | # you don't get any breaking changes when updating. 8 | # 9 | # For more information, or you are still using the legacy scanning engine, 10 | # please check the documentation: 11 | # > https://docs.sysdig.com/en/docs/installation/container-registry-scanner/ 12 | # ============================================================================================ 13 | # 14 | {{- if eq .Values.scanOnStart.enabled true }} 15 | # Because 'scanOnStart:true' job '{{ .Values.scanOnStart.jobName }}' has been launched to perform an initial scan. 16 | {{- end }} 17 | # Cronjob '{{ include "registry-scanner.fullname" . }}' with schedule: {{ .Values.cronjob.schedule | quote }} has been created to perform a periodical scan. 18 | # For troubleshooting, check the status of the jobs and logs of the '{{ include "registry-scanner.fullname" . }}' pods that are created on every execution. 
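19 | # 20 | -------------------------------------------------------------------------------- /charts/sysdig/templates/securitycontextconstraint.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | annotations: 6 | kubernetes.io/description: | 7 | This provides the minimum requirements to the Sysdig agent to run in the Openshift. 8 | name: {{ template "sysdig.fullname" . }} 9 | labels: 10 | {{ include "sysdig.labels" . | indent 4 }} 11 | allowHostDirVolumePlugin: true 12 | allowHostIPC: false 13 | allowHostNetwork: true 14 | allowHostPID: true 15 | allowHostPorts: false 16 | allowPrivilegeEscalation: true 17 | allowPrivilegedContainer: true 18 | allowedCapabilities: [] 19 | allowedUnsafeSysctls: [] 20 | defaultAddCapabilities: [] 21 | fsGroup: 22 | type: RunAsAny 23 | groups: [] 24 | priority: 0 25 | readOnlyRootFilesystem: false 26 | requiredDropCapabilities: [] 27 | runAsUser: 28 | type: RunAsAny 29 | seLinuxContext: 30 | type: RunAsAny 31 | seccompProfiles: 32 | - '*' 33 | supplementalGroups: 34 | type: RunAsAny 35 | users: 36 | - system:serviceaccount:{{ .Release.Namespace }}:{{ template "sysdig.serviceAccountName" .}} 37 | - system:serviceaccount:{{ .Release.Namespace }}:{{ template "sysdig.nodeAnalyzer.serviceAccountName" .}} 38 | volumes: 39 | - hostPath 40 | - emptyDir 41 | - secret 42 | - configMap 43 | - downwardAPI 44 | {{- end }} 45 | -------------------------------------------------------------------------------- /.github/workflows/update-tanzu.yaml: --------------------------------------------------------------------------------
# Publishes the sysdig-deploy chart release (identified by the pushed tag) to
# the VMware Marketplace with mkpcli.
name: Publish Sysdig-deploy to VM

on:
  push:
    tags:
      - 'sysdig-deploy*'

# Least privilege: the job only downloads mkpcli and publishes with
# CSP_API_TOKEN; it never writes to this repository, so the automatic
# GITHUB_TOKEN needs read access at most.
permissions:
  contents: read

env:
  MKPCLI_VERSION: 0.14.1
  # Expected SHA-256 of mkpcli-linux-amd64.tgz for MKPCLI_VERSION.
  # PLACEHOLDER: left empty here; fill it in from the upstream release assets.
  # While empty, the checksum step below is skipped and the job behaves as before.
  MKPCLI_SHA256: ""

jobs:
  publish-chart:
    runs-on: ubuntu-latest
    steps:
      - name: Get name from tag
        id: tag_name
        env:
          TAG_REF: ${{ github.ref }}
        # "::set-output" is deprecated; step outputs are written to $GITHUB_OUTPUT.
        run: |
          echo "name=${TAG_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
          echo "version=${TAG_REF#refs/tags/sysdig-deploy-}" >> "$GITHUB_OUTPUT"

      - name: Set up mkpcli
        # --fail makes curl exit non-zero on an HTTP error instead of saving the
        # error page as the tarball. The optional checksum pins the binary that
        # is handed CSP_API_TOKEN in the next step.
        run: |
          curl --fail --location --silent --show-error -O \
            "https://github.com/vmware-labs/marketplace-cli/releases/download/v${MKPCLI_VERSION}/mkpcli-linux-amd64.tgz"
          if [ -n "${MKPCLI_SHA256}" ]; then
            echo "${MKPCLI_SHA256}  mkpcli-linux-amd64.tgz" | sha256sum --check -
          fi
          tar xvf mkpcli-linux-amd64.tgz
          chmod +x mkpcli

      - name: Publish chart version
        env:
          TAG_NAME: ${{ steps.tag_name.outputs.name }}
          VERSION: ${{ steps.tag_name.outputs.version }}
          CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
        # Values are quoted so an unexpected tag name cannot be word-split into
        # extra mkpcli arguments.
        run: |
          ./mkpcli attach chart \
            -p sysdig-agent-helm-chart \
            -c "https://github.com/sysdiglabs/charts/releases/download/${TAG_NAME}/${TAG_NAME}.tgz" \
            -v "${VERSION}" \
            --create-version \
            --instructions "https://charts.sysdig.com/charts/sysdig-deploy/" \
            --csp-api-token "${CSP_API_TOKEN}"
-------------------------------------------------------------------------------- /charts/node-analyzer/tests/agent_tags_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test node-analyzer Agent Tags 2 | templates: 3 | - daemonset-node-analyzer.yaml 4 | # For checksums 5 | - clusterrole-node-analyzer.yaml 6 | - clusterrolebinding-node-analyzer.yaml 7 | - configmap-benchmark-runner.yaml 8 | - configmap-host-analyzer.yaml 9 | - configmap-host-scanner.yaml 10 | - configmap-image-analyzer.yaml 11 | - configmap-kspm-analyzer.yaml 12 | - secrets.yaml 13 | - serviceaccount-node-analyzer.yaml 14 | values: 15 | - ./default_required_values.yaml 16 | 17 | tests: 18 | - it: Check agent tags are set from global.settings.tags 19 | set: 20 | global: 21 | sysdig: 22 | tags: 23 | tag: value 24 | kspm: 25 | deploy: true 26 | clusterName: "test" 27 | asserts: 28 | - contains: 29 | path: spec.template.spec.containers[0].env 30 | content: 31 | name: TAGS 32 | 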
value: tag:value 33 | template: daemonset-node-analyzer.yaml 34 | - it: Check agent tags are not set 35 | documentIndex: 0 36 | set: 37 | global: 38 | kspm: 39 | deploy: true 40 | clusterName: "test" 41 | asserts: 42 | - notContains: 43 | path: spec.template.spec.containers[0].env 44 | content: 45 | name: TAGS 46 | template: daemonset-node-analyzer.yaml 47 | -------------------------------------------------------------------------------- /charts/cluster-shield/tests/image_pull_secrets_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test image pull secrets 2 | templates: 3 | - templates/deployment.yaml 4 | values: 5 | - ../ci/base-values.yaml 6 | release: 7 | name: shield-release 8 | namespace: shield-namespace 9 | tests: 10 | - it: Test without image pull secrets 11 | asserts: 12 | - isNull: 13 | path: spec.template.spec.imagePullSecrets 14 | 15 | - it: Test with specific secrets 16 | set: 17 | imagePullSecrets: 18 | - name: existing-specific-secret 19 | asserts: 20 | - equal: 21 | path: spec.template.spec.imagePullSecrets 22 | value: 23 | - name: existing-specific-secret 24 | 25 | - it: Test with global secrets 26 | set: 27 | global: 28 | image: 29 | pullSecrets: 30 | - name: existing-global-secret 31 | asserts: 32 | - equal: 33 | path: spec.template.spec.imagePullSecrets 34 | value: 35 | - name: existing-global-secret 36 | 37 | - it: Test with global and specific secrets 38 | set: 39 | global: 40 | image: 41 | pullSecrets: 42 | - name: existing-global-secret 43 | imagePullSecrets: 44 | - name: existing-specific-secret 45 | asserts: 46 | - equal: 47 | path: spec.template.spec.imagePullSecrets 48 | value: 49 | - name: existing-specific-secret 50 | -------------------------------------------------------------------------------- /charts/admission-controller/ci/custom-ca-values.yaml.template: -------------------------------------------------------------------------------- 1 | sysdig: 2 | secureAPIToken: 
${SECURE_API_TOKEN} 3 | clusterName: CI-Cluster 4 | webhook: 5 | ssl: 6 | ca: 7 | cert: | 8 | -----BEGIN CERTIFICATE----- 9 | MIIC5zCCAc+gAwIBAgIJAPzgoOe8gf7eMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV 10 | BAMTFXN5c2RpZy1leGFtcGxlLWNoYXJ0czAeFw0yMjAxMjEwOTQxMzVaFw0zMjAx 11 | MTkwOTQxMzVaMCAxHjAcBgNVBAMTFXN5c2RpZy1leGFtcGxlLWNoYXJ0czCCASIw 12 | DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhqr9oTv+AD7wP1RoBu3RPdthYK 13 | 4BEizy4+Eh2lSCNnbSWTy172V181I7mEcDvnddTWz895BkVTRrSwyjCh25/pNxJJ 14 | 7mKAT4Xo11X5d8gbKXJoR8kutFVoAsY0bHi5TQ1uCIC6w67GQVsphmaSanfrD06z 15 | dYbyuRmGuHaffECp7RvOrAuaxyG4jOgDRk7e9SV38Rs4knv7cDT9C91kpVlZEEDv 16 | 7wCOgLPEdxddClLB1OCRNQERXaAHfz18yWtUQW5ZWS8PuCTlNhC8g5PghqHDobhf 17 | Fc9zD6BoK+YO8TSVWNOIll+1RlOEBtEsCGHZ3RcvXNDu+wBaYP1MqtG2vFUCAwEA 18 | AaMkMCIwIAYDVR0RBBkwF4IVc3lzZGlnLWV4YW1wbGUtY2hhcnRzMA0GCSqGSIb3 19 | DQEBBQUAA4IBAQC3DHjxyWKwtqzU2KfJc+wVqsTPdyzc/fQUpvkkD84avNycmiZP 20 | mJALph/IMlZ8leYi+kbH4egMHmRutmpLV2cOjozYKEBeqBhPesKbFSxRHW2iNJSr 21 | l4lFyg1Y8TTMdr9wjxu8TkIzP9p4NQgajPLD8VsxSKSe5azRA5i3oUzk5Edn13Yj 22 | WirNI49DZYXaxrx5xGkKLZ6++IFwQFXOit7yvE1eQQIsZrDAEyU/KXp9kbyxlQwZ 23 | gfE2elzgom9LZuSB33qIPASwtunelTHnKJPadBbYL3V7W33+DtGl2NhK1pGn07w2 24 | HKqPVSj3/vnCWV/miAs8BgJz+RrphtegNnAd 25 | -----END CERTIFICATE----- 26 | -------------------------------------------------------------------------------- /charts/kspm-collector/tests/psp_test.yaml: -------------------------------------------------------------------------------- 1 | suite: PSP create test 2 | templates: 3 | - templates/psp.yaml 4 | tests: 5 | - it: Ensure PSP is created on k8s <1.25 6 | capabilities: 7 | majorVersion: 1 8 | minorVersion: 24 9 | set: 10 | psp: 11 | create: true 12 | asserts: 13 | - containsDocument: 14 | apiVersion: policy/v1beta1 15 | kind: PodSecurityPolicy 16 | 17 | - it: Ensure PSP is not created on k8s >=1.25 18 | capabilities: 19 | majorVersion: 1 20 | minorVersion: 25 21 | asserts: 22 | - hasDocuments: 23 | count: 0 24 | 25 | - it: Ensure PSP is created on k8s <1.25 with 
'+' character in minor version 26 | capabilities: 27 | majorVersion: 1 28 | minorVersion: "24+" 29 | set: 30 | psp: 31 | create: true 32 | asserts: 33 | - containsDocument: 34 | apiVersion: policy/v1beta1 35 | kind: PodSecurityPolicy 36 | 37 | - it: Ensure PSP is not created on k8s >=1.25 with '+' character in minor version 38 | capabilities: 39 | majorVersion: 1 40 | minorVersion: "25+" 41 | asserts: 42 | - hasDocuments: 43 | count: 0 44 | 45 | - it: Ensure PSP is not created when disabled 46 | capabilities: 47 | majorVersion: 1 48 | minorVersion: 24 49 | set: 50 | psp: 51 | create: false 52 | asserts: 53 | - hasDocuments: 54 | count: 0 55 | -------------------------------------------------------------------------------- /charts/cluster-shield/tests/service-cluster-scanner_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test Cluster Scanner Dedicated Service 2 | templates: 3 | - templates/service-cluster-scanner.yaml 4 | values: 5 | - ../ci/base-values.yaml 6 | release: 7 | name: shield-release 8 | namespace: shield-namespace 9 | tests: 10 | - it: Contains a Service resource 11 | asserts: 12 | - isKind: 13 | of: Service 14 | - equal: 15 | path: metadata.name 16 | value: shield-release-cluster-shield-cluster-scanner 17 | - equal: 18 | path: metadata.namespace 19 | value: shield-namespace 20 | - lengthEqual: 21 | path: spec.ports 22 | count: 2 23 | - isNotNull: 24 | path: .spec.ports[?(@.name == "nats")] 25 | - equal: 26 | path: spec.ports[?(@.name == "nats")].port 27 | value: 4222 28 | - equal: 29 | path: spec.ports[?(@.name == "nats")].targetPort 30 | value: 4222 31 | - equal: 32 | path: spec.ports[?(@.name == "nats")].protocol 33 | value: TCP 34 | - isNotNull: 35 | path: .spec.ports[?(@.name == "grpc")] 36 | - equal: 37 | path: spec.ports[?(@.name == "grpc")].port 38 | value: 9999 39 | - equal: 40 | path: spec.ports[?(@.name == "grpc")].targetPort 41 | value: 9999 42 | - equal: 43 | path: spec.ports[?(@.name 
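== "grpc")].protocol 44 | value: TCP 45 | -------------------------------------------------------------------------------- /scripts/sysdig/image-version-bump.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Bump image tags in values.yaml (and appVersion in Chart.yaml) of the chart in
# the current directory.
#
# Usage (run from the chart directory):
#   ../../scripts/sysdig/image-version-bump.sh -v AGENT_VERSION=1.2.3 -v HOST_ANALYZER_VERSION=4.5.6
#
# Every argument is passed straight through to awk, so versions are supplied as
# awk "-v NAME=value" pairs. Recognised names:
#   AGENT_VERSION, IMAGE_ANALYZER_VERSION, HOST_ANALYZER_VERSION, BENCHMARK_RUNNER_VERSION
#
# Exits 1 when no argument is given or when none of the recognised names is set.

set -euo pipefail

# not checking input format, just ensuring there's any
if [[ $# -eq 0 ]]; then
  >&2 echo "At least a param has to be passed."
  >&2 echo "Example usage:"
  >&2 echo "# cd charts/sysdig; ../../scripts/sysdig/image-version-bump.sh -v AGENT_VERSION=1.2.3 -v HOST_ANALYZER_VERSION=4.5.6"
  exit 1
fi

# Each file is rewritten through a ".2" scratch file and moved into place only
# after awk succeeds; the trap removes a scratch file left behind by a failure
# (set -e exits before the mv), so a broken run never replaces values.yaml or
# Chart.yaml with partial output.
trap 'rm -f values.yaml.2 Chart.yaml.2' EXIT

# "$@" is quoted so every "-v NAME=value" argument reaches awk intact; the
# unquoted form word-splits arguments that contain whitespace.
awk "$@" '
BEGIN {
  if (AGENT_VERSION)
    version["sysdig/agent"] = AGENT_VERSION
  if (IMAGE_ANALYZER_VERSION)
    version["sysdig/node-image-analyzer"] = IMAGE_ANALYZER_VERSION
  if (HOST_ANALYZER_VERSION)
    version["sysdig/host-analyzer"] = HOST_ANALYZER_VERSION
  if (BENCHMARK_RUNNER_VERSION)
    version["sysdig/compliance-benchmark-runner"] = BENCHMARK_RUNNER_VERSION

  # length(array) needs gawk/mawk (kept from the original script).
  if (length(version) == 0)
    exit 1
}

{
  if ($1 == "repository:") {
    repository = $NF
    print

    # we assume tag to be right after; when getline fails (repository was the
    # last line) $0 is unchanged, so skip to avoid printing that line twice
    if ((getline) <= 0)
      next

    if (repository in version)
      sub(/:.*/, ": "version[repository])
  }
  print
}
' values.yaml > values.yaml.2 || {
  >&2 echo "awk failed: none of AGENT_VERSION, IMAGE_ANALYZER_VERSION, HOST_ANALYZER_VERSION, BENCHMARK_RUNNER_VERSION was given, or values.yaml is unreadable."
  exit 1
}
mv values.yaml.2 values.yaml


# Only the agent version is mirrored into appVersion.
awk "$@" '
{
  if (AGENT_VERSION && $1 ~ /^appVersion:/)
    sub(/:.*/, ": "AGENT_VERSION)

  print
}
' Chart.yaml > Chart.yaml.2
mv Chart.yaml.2 Chart.yaml
-------------------------------------------------------------------------------- /charts/cloud-scanning/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. 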
Get the application URL by running these commands: 2 | {{- if contains "NodePort" .Values.service.type }} 3 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cloud-scanning.fullname" . }}) 4 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 5 | echo http://$NODE_IP:$NODE_PORT 6 | {{- else if contains "LoadBalancer" .Values.service.type }} 7 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 8 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "cloud-scanning.fullname" . }}' 9 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "cloud-scanning.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 10 | echo http://$SERVICE_IP:{{ .Values.service.port }} 11 | {{- else if contains "ClusterIP" .Values.service.type }} 12 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cloud-scanning.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 13 | echo "Visit http://127.0.0.1:8080 to use your application" 14 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:{{ .Values.service.port }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/cloud-connector/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | {{- if contains "NodePort" .Values.service.type }} 3 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cloud-connector.fullname" . 
}}) 4 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 5 | echo http://$NODE_IP:$NODE_PORT 6 | {{- else if contains "LoadBalancer" .Values.service.type }} 7 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 8 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "cloud-connector.fullname" . }}' 9 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "cloud-connector.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 10 | echo http://$SERVICE_IP:{{ .Values.service.port }} 11 | {{- else if contains "ClusterIP" .Values.service.type }} 12 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cloud-connector.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 13 | echo "Visit http://127.0.0.1:8080 to use your application" 14 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:{{ .Values.service.port }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/sysdig-deploy/ci/test-enable-all-subcharts-values.yaml.template: -------------------------------------------------------------------------------- 1 | global: 2 | clusterConfig: 3 | name: "test-cluster" 4 | namespace: "" 5 | sysdig: 6 | accessKey: ${SECURE_AGENT_TOKEN} 7 | secureAPIToken: ${SECURE_API_TOKEN} 8 | kspm: 9 | deploy: true 10 | admissionController: 11 | enabled: true 12 | webhook: 13 | resources: 14 | requests: 15 | cpu: 25m 16 | memory: 200Mi 17 | agent: 18 | resources: 19 | requests: 20 | cpu: 25m 21 | memory: 200Mi 22 | clusterScanner: 23 | enabled: true 24 | imageSbomExtractor: 25 | resources: 26 | requests: 27 | cpu: 25m 28 | memory: 200Mi 29 | runtimeStatusIntegrator: 30 | resources: 
31 | requests: 32 | cpu: 25m 33 | memory: 200Mi 34 | kspmCollector: 35 | resources: 36 | requests: 37 | cpu: 25m 38 | memory: 200Mi 39 | nodeAnalyzer: 40 | nodeAnalyzer: 41 | benchmarkRunner: 42 | deploy: false 43 | imageAnalyzer: 44 | resources: 45 | requests: 46 | cpu: 25m 47 | memory: 200Mi 48 | hostAnalyzer: 49 | resources: 50 | requests: 51 | cpu: 25m 52 | memory: 200Mi 53 | kspmAnalyzer: 54 | resources: 55 | requests: 56 | cpu: 25m 57 | memory: 200Mi 58 | rapidResponse: 59 | enabled: true 60 | rapidResponse: 61 | passphrase: "abcd" 62 | resources: 63 | requests: 64 | cpu: 25m 65 | memory: 200Mi 66 | -------------------------------------------------------------------------------- /charts/agent/README-AWS.md: -------------------------------------------------------------------------------- 1 | # Chart: Sysdig 2 | 3 | ## Deploying the AWS Marketplace Sysdig agent image 4 | 5 | This is a use case similar to pulling images from a private registry. First you 6 | need to get the authorization token for the AWS Marketplace ECR image registry (the `dkr.ecr.us-east-1.amazonaws.com` endpoint used below): 7 | 8 | ```bash 9 | aws ecr --region=us-east-1 get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2 10 | ``` 11 | 12 | The decoded token is a temporary ECR credential (ECR authorization tokens expire after 12 hours), so the Secret created below must be refreshed before the next image pull that happens after expiry. Use the token to create the Secret. 
Don't forget to replace TOKEN and EMAIL 13 | with your own values. Pasting the token literally on the command line records it in your shell history; to keep it out of history, substitute it directly from the command above instead, e.g. `--docker-password="$(aws ecr --region=us-east-1 get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2)"`: 14 | 15 | ```bash 16 | kubectl create secret docker-registry aws-marketplace-credentials \ 17 | --docker-server=217273820646.dkr.ecr.us-east-1.amazonaws.com \ 18 | --docker-username=AWS \ 19 | --docker-password="TOKEN" \ 20 | --docker-email="EMAIL" 21 | ``` 22 | 23 | Next you need to create a values YAML file to pass the specific ECR registry 24 | configuration (you will find these values when you activate the software from 25 | the AWS Marketplace): 26 | 27 | ```yaml 28 | sysdig: 29 | accessKey: XxxXXxXXxXXxxx 30 | 31 | image: 32 | registry: 217273820646.dkr.ecr.us-east-1.amazonaws.com 33 | repository: 2df5da52-6fa2-46f6-b164-5b879e86fd85/cg-3361214151/agent 34 | tag: 0.85.1-latest 35 | pullSecrets: 36 | - name: aws-marketplace-credentials 37 | ``` 38 | 39 | Finally, set the accessKey value and you are ready to deploy the Sysdig agent 40 | using the Helm chart. Because this values file now contains your Sysdig access key, keep it out of version control and restrict its file permissions: 41 | 42 | ```bash 43 | helm install sysdig-agent -f aws-marketplace-values.yaml stable/sysdig 44 | ``` 45 | -------------------------------------------------------------------------------- /charts/sysdig/README-AWS.md: -------------------------------------------------------------------------------- 1 | # Chart: Sysdig 2 | 3 | ## Deploying the AWS Marketplace Sysdig agent image 4 | 5 | This is a use case similar to pulling images from a private registry. First you 6 | need to get the authorization token for the AWS Marketplace ECR image registry (the `dkr.ecr.us-east-1.amazonaws.com` endpoint used below): 7 | 8 | ```bash 9 | aws ecr --region=us-east-1 get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2 10 | ``` 11 | 12 | The decoded token is a temporary ECR credential (ECR authorization tokens expire after 12 hours), so the Secret created below must be refreshed before the next image pull that happens after expiry. Use the token to create the Secret. 
Don't forget to replace TOKEN and EMAIL 13 | with your own values. Pasting the token literally on the command line records it in your shell history; to keep it out of history, substitute it directly from the command above instead, e.g. `--docker-password="$(aws ecr --region=us-east-1 get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2)"`: 14 | 15 | ```bash 16 | kubectl create secret docker-registry aws-marketplace-credentials \ 17 | --docker-server=217273820646.dkr.ecr.us-east-1.amazonaws.com \ 18 | --docker-username=AWS \ 19 | --docker-password="TOKEN" \ 20 | --docker-email="EMAIL" 21 | ``` 22 | 23 | Next you need to create a values YAML file to pass the specific ECR registry 24 | configuration (you will find these values when you activate the software from 25 | the AWS Marketplace): 26 | 27 | ```yaml 28 | sysdig: 29 | accessKey: XxxXXxXXxXXxxx 30 | 31 | image: 32 | registry: 217273820646.dkr.ecr.us-east-1.amazonaws.com 33 | repository: 2df5da52-6fa2-46f6-b164-5b879e86fd85/cg-3361214151/agent 34 | tag: 0.85.1-latest 35 | pullSecrets: 36 | - name: aws-marketplace-credentials 37 | ``` 38 | 39 | Finally, set the accessKey value and you are ready to deploy the Sysdig agent 40 | using the Helm chart. Because this values file now contains your Sysdig access key, keep it out of version control and restrict its file permissions: 41 | 42 | ```bash 43 | helm install sysdig-agent -f aws-marketplace-values.yaml stable/sysdig 44 | ``` 45 | -------------------------------------------------------------------------------- /charts/rapid-response/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if not ( include "rapidResponse.accessKeySecret" . ) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "rapidResponse.fullname" . }}-access-key 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{ include "rapidResponse.labels" . | indent 4 }} 9 | type: Opaque 10 | data: 11 | access-key: {{ include "rapidResponse.accessKey" . | b64enc | quote }} 12 | {{- end }} 13 | {{- if not ( include "rapidResponse.passphraseSecret" . ) }} 14 | --- 15 | apiVersion: v1 16 | kind: Secret 17 | metadata: 18 | name: {{ template "rapidResponse.fullname" . }}-passphrase 19 | namespace: {{ .Release.Namespace }} 20 | labels: 21 | {{ include "rapidResponse.labels" . 
| indent 4 }} 22 | type: Opaque 23 | data: 24 | passphrase: {{ include "rapidResponse.passphrase" . | b64enc | quote }} 25 | {{- end }} 26 | {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} 27 | --- 28 | apiVersion: v1 29 | kind: Secret 30 | metadata: 31 | name: {{ template "rapidResponse.fullname" . }}-ca 32 | namespace: {{ .Release.Namespace }} 33 | labels: 34 | {{ include "rapidResponse.labels" . | indent 4 }} 35 | type: Opaque 36 | data: 37 | {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /charts/sysdig/templates/kspmCollector/clusterrole-kspm-collector.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.kspm.deploy }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ template "sysdig.fullname" .}}-kspm-collector 6 | labels: 7 | {{ include "sysdig.labels" . 
| indent 4 }} 8 | rules: 9 | - apiGroups: 10 | - '' 11 | - 'rbac.authorization.k8s.io' 12 | - 'extensions' 13 | - 'apps' 14 | - 'batch' 15 | - 'networking.k8s.io' 16 | - 'autoscaling' 17 | - 'policy' 18 | - 'storage.k8s.io' 19 | resources: 20 | - 'pods' 21 | - 'pods/log' 22 | - 'namespaces' 23 | - 'deployments' 24 | - 'daemonsets' 25 | - 'statefulsets' 26 | - 'jobs' 27 | - 'cronjobs' 28 | - 'clusterroles' 29 | - 'clusterrolebindings' 30 | - 'roles' 31 | - 'rolebindings' 32 | - 'services' 33 | - 'serviceaccounts' 34 | - 'nodes' 35 | - 'ingresses' 36 | - 'ingressclasses' 37 | - 'networkpolicies' 38 | - 'replicasets' 39 | - 'configmaps' 40 | - 'events' 41 | - 'limitranges' 42 | - 'persistentvolumes' 43 | - 'persistentvolumeclaims' 44 | - 'replicationcontrollers' 45 | - 'resourcequotas' 46 | - 'controllerrevisions' 47 | - 'horizontalpodautoscalers' 48 | - 'podsecuritypolicies' 49 | - 'storageclasses' 50 | - 'volumeattachments' 51 | verbs: 52 | - 'get' 53 | - 'list' 54 | - 'watch' 55 | {{- end }} 56 | -------------------------------------------------------------------------------- /charts/kspm-collector/tests/agent_tags_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Test kspm-collector Agent Tags 2 | templates: 3 | - deployment.yaml 4 | tests: 5 | - it: Check agent tags are set from global.sysdig.tags 6 | set: 7 | clusterName: "test-k8s" 8 | sysdig: 9 | accessKey: standard-key 10 | secureAPIToken: standard-token 11 | global: 12 | sysdig: 13 | tags: 14 | tag: value 15 | asserts: 16 | - contains: 17 | path: spec.template.spec.containers[0].env 18 | content: 19 | name: TAGS 20 | value: tag:value 21 | 22 | - it: Check nested agent tags are set from global.sysdig.tags 23 | set: 24 | clusterName: "test-k8s" 25 | sysdig: 26 | accessKey: standard-key 27 | secureAPIToken: standard-token 28 | global: 29 | sysdig: 30 | tags: 31 | nested: 32 | value: 33 | level: two 34 | asserts: 35 | - contains: 36 | path: 
spec.template.spec.containers[0].env 37 | content: 38 | name: TAGS 39 | value: nested.value.level:two 40 | template: deployment.yaml 41 | - it: Check agent tags are not set 42 | set: 43 | clusterName: "test-k8s" 44 | sysdig: 45 | accessKey: standard-key 46 | secureAPIToken: standard-token 47 | asserts: 48 | - notContains: 49 | path: spec.template.spec.containers[0].env 50 | content: 51 | name: TAGS 52 | template: deployment.yaml 53 | --------------------------------------------------------------------------------