├── .chglog
├── CHANGELOG.tpl.md
├── RELEASE.tpl.md
├── config-changelog.yml
└── config-release.yml
├── .github
├── CODEOWNERS
├── PULL_REQUEST_TEMPLATE.md
├── dependabot.yml
├── labeler.yml
├── updatecli.d
│ ├── config-agent-release.yaml
│ └── config-update-bitnami-kubectl-image.yaml
└── workflows
│ ├── agent-release.yaml
│ ├── greeting.yaml
│ ├── helm-unit-test.yaml
│ ├── k8s-apis-deprecation.yml
│ ├── kubectl-update.yaml
│ ├── labeler.yml
│ ├── lint-test.yaml
│ ├── pr-lint.yaml
│ ├── release-rh-shield-operator.yaml
│ ├── release.yaml
│ ├── stale.yml
│ ├── update-sysdig-deploy-chart.yaml
│ └── update-tanzu.yaml
├── .gitignore
├── .pre-commit-config.yaml
├── Justfile
├── Makefile
├── README.md
├── charts
├── admission-controller
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── README.tpl
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ ├── custom-ca-values.yaml.template
│ │ ├── deployment-with-port-on-443.template
│ │ ├── required-values.yaml.template
│ │ └── with-specific-url.yaml.template
│ ├── doc.yaml
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── scanner
│ │ │ ├── configmap.yaml
│ │ │ ├── deployment.yaml
│ │ │ ├── podmonitor.yaml
│ │ │ ├── psp.yaml
│ │ │ ├── role.yaml
│ │ │ ├── rolebinding.yaml
│ │ │ ├── secret.yaml
│ │ │ ├── service.yaml
│ │ │ └── serviceaccount.yaml
│ │ └── webhook
│ │ │ ├── admissioncontrollerconfigmap.yaml
│ │ │ ├── admissionregistration.yaml
│ │ │ ├── autoscaler.yaml
│ │ │ ├── clusterrole.yaml
│ │ │ ├── clusterrolebinding.yaml
│ │ │ ├── configmap.yaml
│ │ │ ├── deployment.yaml
│ │ │ ├── poddisruptionbudget.yaml
│ │ │ ├── podmonitor.yaml
│ │ │ ├── secret.yaml
│ │ │ ├── securitycontextconstraint.yaml
│ │ │ ├── service.yaml
│ │ │ └── serviceaccount.yaml
│ ├── tests
│ │ ├── admissioncontrollerconfigmap_test.yaml
│ │ ├── ca_cert_test.yaml
│ │ ├── conditional_flag_test.yaml
│ │ ├── configmap_test.yaml
│ │ ├── global_overrides_test.yaml
│ │ ├── golden_template_test.yaml
│ │ ├── label_test.yaml
│ │ └── psp_test.yaml
│ └── values.yaml
├── agent
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README-AWS.md
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── test-values.yaml.template
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── auditsink.yaml
│ │ ├── clusterrole.yaml
│ │ ├── clusterrolebinding-cluster-monitoring-view.yaml
│ │ ├── clusterrolebinding.yaml
│ │ ├── configmap-deployment.yaml
│ │ ├── configmap-local-forwarder.yaml
│ │ ├── configmap.yaml
│ │ ├── daemonset-windows.yaml
│ │ ├── daemonset.yaml
│ │ ├── deployment.yaml
│ │ ├── priorityclass.yaml
│ │ ├── psp.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ ├── secrets.yaml
│ │ ├── securitycontextconstraint.yaml
│ │ ├── service.yaml
│ │ ├── serviceaccount.yaml
│ │ └── tests
│ │ │ └── test-rollout.yaml
│ ├── tests
│ │ ├── api_endpoint_region_test.yaml
│ │ ├── ca_cert_test.yaml
│ │ ├── captures_test.yaml
│ │ ├── clusterrole_test.yaml
│ │ ├── clusterrolebinding-cluster-monitoring-view-exist_test.yaml
│ │ ├── clusterrolebinding-cluster-monitoring-view-not-exist_test.yaml
│ │ ├── conditional_flag_test.yaml
│ │ ├── custom_settings_test.yaml
│ │ ├── daemonset_metrics_ports_test.yaml
│ │ ├── daemonset_update_strategy_test.yaml
│ │ ├── delegated_agent_deployment_test.yaml
│ │ ├── dns_policy_test.yaml
│ │ ├── drift_prevention_test.yaml
│ │ ├── gke_autopilot_volumes_test.yaml
│ │ ├── gke_test.yaml
│ │ ├── global_overrides_test.yaml
│ │ ├── golden_template_test.yaml
│ │ ├── k8s_coldstart_test.yaml
│ │ ├── kspm_analyzer_test.yaml
│ │ ├── label_test.yaml
│ │ ├── local_forwarder_test.yaml
│ │ ├── log_priority_test.yaml
│ │ ├── monitor_enable_test.yaml
│ │ ├── node_selector_labels_test.yaml
│ │ ├── notes_test.yaml
│ │ ├── priorityclass_test.yaml
│ │ ├── prometheus_file_test.yaml
│ │ ├── psp_test.yaml
│ │ ├── readiness_probe_test.yaml
│ │ ├── readiness_probe_windows_test.yaml
│ │ ├── readme_command_test.yaml
│ │ ├── role_test.yaml
│ │ ├── secrets_test.yaml
│ │ ├── secure_enable_test.yaml
│ │ ├── secure_light_config_test.yaml
│ │ ├── security_context_constraints_test.yaml
│ │ ├── security_context_test.yaml
│ │ ├── service_account_test.yaml
│ │ ├── test_test.yaml
│ │ ├── universal_ebpf_test.yaml
│ │ └── volumes_test.yaml
│ ├── values.schema.json
│ └── values.yaml
├── cloud-bench
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── required-values.yaml.template
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── hpa.yaml
│ │ ├── ingress.yaml
│ │ ├── secret.yaml
│ │ ├── service.yaml
│ │ ├── serviceaccount.yaml
│ │ └── tests
│ │ │ └── test-connection.yaml
│ └── values.yaml
├── cloud-connector
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── README.tpl
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── required-values.yaml.template
│ ├── doc.yaml
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── secret.yaml
│ │ ├── service.yaml
│ │ ├── serviceaccount.yaml
│ │ └── tests
│ │ │ └── test-connection.yaml
│ └── values.yaml
├── cloud-scanning
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── required-values.yaml.template
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── deployment.yaml
│ │ ├── secret.yaml
│ │ ├── service.yaml
│ │ ├── serviceaccount.yaml
│ │ └── tests
│ │ │ └── test-connection.yaml
│ └── values.yaml
├── cluster-scanner
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── Makefile
│ ├── README.md
│ ├── README.tpl
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── test-values.yaml.template
│ ├── doc.yaml
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── clusterrole.yaml
│ │ ├── clusterrolebinding.yaml
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── registrymirror.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ ├── secret.yaml
│ │ ├── service.yaml
│ │ └── serviceaccount.yaml
│ ├── tests
│ │ ├── clusterrole_test.yaml
│ │ ├── clusterrolebinding_test.yaml
│ │ ├── configmap_test.yaml
│ │ ├── deployment_test.yaml
│ │ ├── existing-secret_test.yaml
│ │ ├── label_test.yaml
│ │ ├── notes_test.yaml
│ │ ├── registrymirror_test.yaml
│ │ ├── role_test.yaml
│ │ ├── rolebinding_test.yaml
│ │ ├── secret_test.yaml
│ │ ├── service_test.yaml
│ │ ├── serviceaccount_test.yaml
│ │ └── values.required.yaml
│ ├── values.schema.json
│ └── values.yaml
├── cluster-shield
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── README.tpl
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ ├── base-values.yaml
│ │ ├── existing_secrets-values.yaml
│ │ └── region-values.yaml
│ ├── doc.yaml
│ ├── templates
│ │ ├── _helpers.tpl
│ │ ├── clusterrole.yaml
│ │ ├── clusterrolebinding.yaml
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── openshift_securitycontextconstraint.yaml
│ │ ├── priorityclass.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ ├── secrets.yaml
│ │ ├── service-cluster-scanner.yaml
│ │ ├── service.yaml
│ │ ├── serviceaccount.yaml
│ │ └── validatingwebhookconfiguration.yaml
│ ├── tests
│ │ ├── clusterrole_test.yaml
│ │ ├── clusterrolebinding_test.yaml
│ │ ├── configmap_test.yaml
│ │ ├── custom_ca_test.yaml
│ │ ├── deployment_test.yaml
│ │ ├── global_settings_test.yaml
│ │ ├── image_pull_secrets_test.yaml
│ │ ├── openshift_securitycontextconstraint_test.yaml
│ │ ├── priorityclass_test.yaml
│ │ ├── proxy_settings_test.yaml
│ │ ├── rolebinding_test.yaml
│ │ ├── schema_test.yaml
│ │ ├── secret_test.yaml
│ │ ├── service-cluster-scanner_test.yaml
│ │ ├── service_test.yaml
│ │ ├── serviceaccount_test.yaml
│ │ ├── validatingwebhookconfiguration_existing_secret_test.yaml
│ │ └── validatingwebhookconfiguration_test.yaml
│ ├── values.schema.json
│ └── values.yaml
├── common
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── RELEASE-NOTES.md
│ ├── sysdig_ca.toml
│ ├── templates
│ │ ├── _agent_tags.tpl
│ │ ├── _custom_ca.tpl
│ │ └── _regions.tpl
│ └── values.yaml
├── harbor-scanner-sysdig-secure
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── required-values.yaml.template
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ ├── secret.yaml
│ │ ├── service.yaml
│ │ ├── serviceaccount.yaml
│ │ └── tests
│ │ │ └── test-connection.yaml
│ ├── tests
│ │ └── secret_test.yaml
│ └── values.yaml
├── kspm-collector
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── test-values.yaml.template
│ ├── templates
│ │ ├── _helpers.tpl
│ │ ├── clusterrole.yaml
│ │ ├── clusterrolebinding.yaml
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── psp.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ ├── secret.yaml
│ │ ├── securitycontextconstraint.yaml
│ │ ├── serviceaccount.yaml
│ │ └── tests
│ │ │ └── test-rollout.yaml
│ ├── tests
│ │ ├── agent_tags_test.yaml
│ │ ├── ca_cert_test.yaml
│ │ ├── cert_validation_test.yaml
│ │ ├── clusterrole_test.yaml
│ │ ├── conditional_flag_test.yaml
│ │ ├── configmap_test.yaml
│ │ ├── deployment_affinity_test.yaml
│ │ ├── deployment_annotation_test.yaml
│ │ ├── deployment_envvars_test.yaml
│ │ ├── deployment_labels_test.yaml
│ │ ├── global_overrides_test.yaml
│ │ ├── golden_template_test.yaml
│ │ ├── label_test.yaml
│ │ ├── nodeselector_test.yaml
│ │ ├── pod_annotation_test.yaml
│ │ ├── proxy_test.yaml
│ │ ├── psp_test.yaml
│ │ ├── role_test.yaml
│ │ ├── taint_toleration_test.yaml
│ │ └── test_test.yaml
│ └── values.yaml
├── node-analyzer
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ ├── test-values-new-runtime.yaml.template
│ │ ├── test-values-ssl.yaml.template
│ │ └── test-values.yaml.template
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── clusterrole-node-analyzer.yaml
│ │ ├── clusterrolebinding-node-analyzer.yaml
│ │ ├── configmap-benchmark-runner.yaml
│ │ ├── configmap-host-analyzer.yaml
│ │ ├── configmap-host-scanner.yaml
│ │ ├── configmap-image-analyzer.yaml
│ │ ├── configmap-kspm-analyzer.yaml
│ │ ├── daemonset-node-analyzer.yaml
│ │ ├── priorityclass.yaml
│ │ ├── psp.yaml
│ │ ├── role-node-analyzer.yaml
│ │ ├── rolebinding-node-analyzer.yaml
│ │ ├── runtimeScanner
│ │ │ ├── eveconnector-api-configmap.yaml
│ │ │ ├── eveconnector-api-deployment.yaml
│ │ │ ├── eveconnector-api-service.yaml
│ │ │ ├── runtime-scanner-configmap.yaml
│ │ │ └── sysdig-eve-secret.yaml
│ │ ├── secrets.yaml
│ │ ├── securitycontextconstraint.yaml
│ │ ├── serviceaccount-node-analyzer.yaml
│ │ └── tests
│ │ │ └── test-rollout.yaml
│ ├── tests
│ │ ├── agent_tags_test.yaml
│ │ ├── annotations_test.yaml
│ │ ├── botllerocket_test.yaml
│ │ ├── ca_cert_test.yaml
│ │ ├── cert_validation_benchmarkrunner_test.yaml
│ │ ├── cert_validation_hostanalyzer_test.yaml
│ │ ├── cert_validation_hostscanner_test.yaml
│ │ ├── cert_validation_imageanalyzer_test.yaml
│ │ ├── cert_validation_kspm_test.yaml
│ │ ├── cert_validation_runtimescanner_test.yaml
│ │ ├── clusterrole_test.yaml
│ │ ├── collector_endpoint_region_test.yaml
│ │ ├── conditional_flag_test.yaml
│ │ ├── configmap_kspm_analyzer_test.yaml
│ │ ├── daemonset_affinity_test.yaml
│ │ ├── daemonset_probes_test.yaml
│ │ ├── daemonset_update_strategy_test.yaml
│ │ ├── debug_override_test.yaml
│ │ ├── default_required_values.yaml
│ │ ├── global_overrides_test.yaml
│ │ ├── golden_template_test.yaml
│ │ ├── host_network_and_dns_policy_test.yaml
│ │ ├── hostscanner_test.yaml
│ │ ├── label_test.yaml
│ │ ├── priorityclass_test.yaml
│ │ ├── proxy_test.yaml
│ │ ├── psp_test.yaml
│ │ ├── readme_command_test.yaml
│ │ ├── role_test.yaml
│ │ ├── runtimescanner_test.yaml
│ │ └── test_test.yaml
│ └── values.yaml
├── rapid-response
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── test-values.yaml.template
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── configmap.yaml
│ │ ├── daemonset.yaml
│ │ ├── secrets.yaml
│ │ ├── securitycontextconstraint.yaml
│ │ ├── serviceaccount.yaml
│ │ └── tests
│ │ │ └── test-rollout.yaml
│ ├── tests
│ │ ├── api_endpoint_region_test.yaml
│ │ ├── ca_cert_test.yaml
│ │ ├── custom_image_test.yaml
│ │ ├── custom_resources.yaml
│ │ ├── global_overrides_test.yaml
│ │ ├── golden_template_test.yaml
│ │ ├── label_test.yaml
│ │ └── node_selector_labels_test.yaml
│ └── values.yaml
├── registry-scanner
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── README.tpl
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ ├── test-aws-org-values.yaml.template
│ │ ├── test-aws-org-values.yaml.template.disabled
│ │ ├── test-aws-single-values.yaml.template
│ │ ├── test-jfrog-saas-values-with-custom-ca.yaml.template.disabled
│ │ └── test-jfrog-saas-values.yaml.template.disabled
│ ├── doc.yaml
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── _job.tpl
│ │ ├── clusterrole.yaml
│ │ ├── clusterrolebinding.yaml
│ │ ├── configmap.yaml
│ │ ├── cronjob.yaml
│ │ ├── job.yaml
│ │ ├── role.yaml
│ │ ├── rolebinding.yaml
│ │ ├── secret.yaml
│ │ └── serviceaccount.yaml
│ ├── tests
│ │ ├── configmap_job_test.yaml
│ │ ├── configmap_test.yaml
│ │ ├── cronjob_test.yaml
│ │ ├── job_test.yaml
│ │ ├── ocp_test.yaml
│ │ └── ocp_test_values.yaml
│ └── values.yaml
├── shield
│ ├── .editorconfig
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── README.tpl
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── test-values.yaml
│ ├── doc.yaml
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── cluster
│ │ │ ├── _annotations.tpl
│ │ │ ├── _config.tpl
│ │ │ ├── _helpers.tpl
│ │ │ ├── _labels.tpl
│ │ │ ├── _secret.tpl
│ │ │ ├── _tls.tpl
│ │ │ ├── clusterrole.yaml
│ │ │ ├── clusterrolebinding.yaml
│ │ │ ├── configmap.yaml
│ │ │ ├── deployment.yaml
│ │ │ ├── lease-container-vulnerability-management.yaml
│ │ │ ├── openshift-securitycontextconstraint.yaml
│ │ │ ├── priorityclass.yaml
│ │ │ ├── role.yaml
│ │ │ ├── rolebinding.yaml
│ │ │ ├── secret.yaml
│ │ │ ├── service-container-vulnerability-management.yaml
│ │ │ ├── service.yaml
│ │ │ ├── serviceaccount.yaml
│ │ │ └── tls-certificates-admissionregistration.yaml
│ │ ├── common
│ │ │ ├── _cluster_type.tpl
│ │ │ ├── _credentials.tpl
│ │ │ ├── _custom_ca.tpl
│ │ │ ├── _helpers.tpl
│ │ │ ├── _proxy.tpl
│ │ │ ├── _regions.tpl
│ │ │ ├── _semver.tpl
│ │ │ ├── credentials-secret.yaml
│ │ │ ├── custom-ca-secret.yaml
│ │ │ └── proxy-secret.yaml
│ │ └── host
│ │ │ ├── _annotations.tpl
│ │ │ ├── _configmap_helpers.tpl
│ │ │ ├── _helpers.tpl
│ │ │ ├── _labels.tpl
│ │ │ ├── _secrets.tpl
│ │ │ ├── _windows_annotations.tpl
│ │ │ ├── _windows_configmap_helpers.tpl
│ │ │ ├── _windows_helpers.tpl
│ │ │ ├── _windows_labels.tpl
│ │ │ ├── clusterrole.yaml
│ │ │ ├── clusterrolebinding.yaml
│ │ │ ├── configmap-windows.yaml
│ │ │ ├── configmap.yaml
│ │ │ ├── daemonset-windows.yaml
│ │ │ ├── daemonset.yaml
│ │ │ ├── gke-allowlist-synchronizer.yaml
│ │ │ ├── openshift-clusterrolebinding-monitor.yaml
│ │ │ ├── openshift-securitycontextconstraint.yaml
│ │ │ ├── priorityclass.yaml
│ │ │ ├── role.yaml
│ │ │ ├── rolebinding.yaml
│ │ │ ├── secrets.yaml
│ │ │ ├── service.yaml
│ │ │ └── serviceaccount.yaml
│ ├── tests
│ │ ├── cluster
│ │ │ ├── clusterrole_test.yaml
│ │ │ ├── configmap_test.yaml
│ │ │ ├── deployment_test.yaml
│ │ │ ├── lease-container-vulnerability-management_test.yaml
│ │ │ ├── openshift-securitycontextconstraint_test.yaml
│ │ │ ├── role_test.yaml
│ │ │ ├── secret_test.yaml
│ │ │ ├── security_context_test.yaml
│ │ │ ├── service-container-vulnerability-management_test.yaml
│ │ │ ├── service_test.yaml
│ │ │ └── tls-certificates-admissionregistration_test.yaml
│ │ ├── common
│ │ │ ├── credentials-secret_test.yaml
│ │ │ ├── custom-ca-secret_test.yaml
│ │ │ ├── proxy-secret_test.yaml
│ │ │ └── regions_test.yaml
│ │ ├── host
│ │ │ ├── configmap-dragent-yaml_test.yaml
│ │ │ ├── configmap-host-shield-config_test.yaml
│ │ │ ├── configmap-local-forwarder_test.yaml
│ │ │ ├── configmap-windows-dragent-yaml_test.yaml
│ │ │ ├── configmap-windows-host-shield-config_test.yaml
│ │ │ ├── daemonset-windows_test.yaml
│ │ │ ├── daemonset_test.yaml
│ │ │ ├── gke-allowlist-synchronizer_test.yaml
│ │ │ ├── openshift-clusterrolebinding-monitor_norole_test.yaml
│ │ │ ├── openshift-clusterrolebinding-monitor_test.yaml
│ │ │ ├── openshift-securitycontextconstraint_test.yaml
│ │ │ ├── priorityclass_test.yaml
│ │ │ ├── role_test.yaml
│ │ │ ├── secrets_test.yaml
│ │ │ ├── security_context_test.yaml
│ │ │ └── service_test.yaml
│ │ └── values
│ │ │ ├── base.yaml
│ │ │ ├── gke-autopilot.yaml
│ │ │ ├── windows.yaml
│ │ │ └── windows_dragent.yaml
│ ├── values.schema.json
│ └── values.yaml
├── sysdig-deploy
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ ├── test-default-saas-values.yaml.template
│ │ ├── test-enable-all-subcharts-values.yaml.template
│ │ └── test-values.yaml.template
│ ├── scripts
│ │ └── migrate_values.py
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── cluster-scanner-runtime-scanner-check.yaml
│ │ └── cluster-shield-check.yaml
│ ├── tests
│ │ ├── cluster_shield_constraint_test.yaml
│ │ ├── golden_template_test.yaml
│ │ ├── notes_test.yaml
│ │ ├── readme_command_test.yaml
│ │ └── scannerconstraint_test.yaml
│ └── values.yaml
├── sysdig-mcm-navmenu
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ ├── onprem.yam
│ │ ├── required-values-notest.yaml
│ │ └── saas.yaml
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── _helpers.tpl
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── ingress.yaml
│ │ ├── scc.yaml
│ │ ├── service-monitor.yaml
│ │ └── service-secure.yaml
│ └── values.yaml
├── sysdig-stackdriver-bridge
│ ├── .helmignore
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── OWNERS
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ │ └── test-values.yaml
│ ├── templates
│ │ ├── _helpers.tpl
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ └── secret.yaml
│ └── values.yaml
└── sysdig
│ ├── CHANGELOG.md
│ ├── Chart.yaml
│ ├── DESIGN.md
│ ├── OWNERS
│ ├── README-AWS.md
│ ├── README.md
│ ├── RELEASE-NOTES.md
│ ├── ci
│ └── test-values.yaml.template
│ ├── scripts
│ └── appchecks2helm
│ ├── templates
│ ├── NOTES.txt
│ ├── _helpers.tpl
│ ├── auditsink.yaml
│ ├── clusterrole-node-analyzer.yaml
│ ├── clusterrole.yaml
│ ├── clusterrolebinding-node-analyzer.yaml
│ ├── clusterrolebinding.yaml
│ ├── configmap-benchmark-runner.yaml
│ ├── configmap-custom-app-checks.yaml
│ ├── configmap-host-analyzer.yaml
│ ├── configmap-image-analyzer.yaml
│ ├── configmap-kspm-analyzer.yaml
│ ├── configmap.yaml
│ ├── daemonset-image-analyzer.yaml
│ ├── daemonset-node-analyzer.yaml
│ ├── daemonset.yaml
│ ├── kspmCollector
│ │ ├── clusterrole-kspm-collector.yaml
│ │ ├── clusterrolebinding-kspm-collector.yaml
│ │ ├── configmap-kspm-collector.yaml
│ │ ├── deployment-kspm-collector.yaml
│ │ └── serviceaccount-kspm-collector.yaml
│ ├── psp-node-analyzer.yaml
│ ├── psp.yaml
│ ├── runtimeScanner
│ │ ├── eveconnector-api-configmap.yaml
│ │ ├── eveconnector-api-deployment.yaml
│ │ ├── eveconnector-api-service.yaml
│ │ ├── runtime-scanner-configmap.yaml
│ │ └── sysdig-eve-secret.yaml
│ ├── secrets.yaml
│ ├── securitycontextconstraint.yaml
│ ├── service.yaml
│ ├── serviceaccount-node-analyzer.yaml
│ └── serviceaccount.yaml
│ ├── tests
│ ├── psp_test.yaml
│ └── volumes_test.yaml
│ └── values.yaml
├── cr.yaml
├── rh-shield-operator
├── Dockerfile
├── LICENSE
├── Makefile
├── PROJECT
├── bundle.Dockerfile
├── bundle
│ ├── manifests
│ │ ├── rh-shield-operator-controller-manager-metrics-service_v1_service.yaml
│ │ ├── rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
│ │ ├── rh-shield-operator-shield-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
│ │ ├── rh-shield-operator-shield-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
│ │ ├── rh-shield-operator.clusterserviceversion.yaml
│ │ └── shield.sysdig.com_shields.yaml
│ ├── metadata
│ │ └── annotations.yaml
│ └── tests
│ │ └── scorecard
│ │ └── config.yaml
├── config
│ ├── crd
│ │ ├── bases
│ │ │ └── shield.sysdig.com_shields.yaml
│ │ └── kustomization.yaml
│ ├── default
│ │ ├── kustomization.yaml
│ │ ├── manager_metrics_patch.yaml
│ │ └── metrics_service.yaml
│ ├── manager
│ │ ├── kustomization.yaml
│ │ └── manager.yaml
│ ├── manifests
│ │ ├── bases
│ │ │ └── rh-shield-operator.clusterserviceversion.yaml
│ │ └── kustomization.yaml
│ ├── prometheus
│ │ ├── kustomization.yaml
│ │ └── monitor.yaml
│ ├── rbac
│ │ ├── kustomization.yaml
│ │ ├── leader_election_role.yaml
│ │ ├── leader_election_role_binding.yaml
│ │ ├── metrics_auth_role.yaml
│ │ ├── metrics_auth_role_binding.yaml
│ │ ├── metrics_reader_role.yaml
│ │ ├── role.yaml
│ │ ├── role_binding.yaml
│ │ ├── service_account.yaml
│ │ ├── shield_editor_role.yaml
│ │ └── shield_viewer_role.yaml
│ ├── samples
│ │ ├── kustomization.yaml
│ │ └── shield_v1alpha1_shield.yaml
│ └── scorecard
│ │ ├── bases
│ │ └── config.yaml
│ │ ├── kustomization.yaml
│ │ └── patches
│ │ ├── basic.config.yaml
│ │ └── olm.config.yaml
├── helm-charts
│ └── shield
└── watches.yaml
└── scripts
├── chart-version-bump.sh
├── cluster-scanner
├── README.md
├── cluster-scanner-resources.yaml
└── generate_kubeconfig.sh
├── docs-links-checker
├── README.mdx
└── check_docs_links.py
├── sysdig-deploy
└── update-sysdig-deploy.sh
└── sysdig
└── image-version-bump.sh
/.chglog/CHANGELOG.tpl.md:
--------------------------------------------------------------------------------
1 | {{ if .Versions -}}
2 | {{ range .Versions -}}
3 | {{- $chartName := regexReplaceAll "((?:[A-Za-z]*(?:\\-[A-Za-z]*)*))\\-(?:.*)" .Tag.Name "${1}" -}}
4 | {{- $chartversion := regexReplaceAll "(?:[A-Za-z]*(?:\\-[A-Za-z]*)*)\\-(.*)" .Tag.Name "v${1}" -}}
5 | # {{ $chartversion }}
6 | {{ range .CommitGroups -}}
7 | {{- if not (eq "Ignored" .Title ) -}}
8 | ### {{ .Title }}
9 | {{ range .Commits -}}
10 | * {{ if .Scope }}**{{ .Scope }}** {{ end }}[{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}): {{ .Subject }}
11 | {{ if .Notes -}}
12 | {{ range .Notes }}
13 | * {{ .Body }}
14 | {{ end -}}
15 | {{ end -}}
16 | {{ end -}}
17 | {{ end -}}
18 | {{ end -}}
19 |
20 | {{- if .OtherCommits -}}
21 | ### Others
22 | {{ range .OtherCommits -}}
23 | * [{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }})
24 | {{ end -}}
25 | {{ end -}}
26 | {{ end -}}
27 | {{ end -}}
28 |
--------------------------------------------------------------------------------
/.chglog/RELEASE.tpl.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 | {{ if .Versions -}}
3 | {{ range .Versions }}
4 | {{ range .CommitGroups -}}
5 | {{ if not (eq "Ignored" .Title ) -}}
6 | ### {{ .Title }}
7 | {{ range .Commits -}}
8 | - {{ if .Scope }}**{{ .Scope }}** {{ end }}[{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}): {{ .Subject }}
9 | {{ if .Notes -}}
10 | {{ range .Notes }}
11 | * {{ .Body }}
12 | {{ end -}}
13 | {{ end -}}
14 | {{ end -}}
15 | {{ end -}}
16 | {{ end -}}
17 | {{ if .OtherCommits -}}
18 | ### Others
19 | {{- range .OtherCommits -}}
20 | - [{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }})
21 | {{ end -}}
22 | {{ end -}}
23 | {{ end -}}
24 | {{- if .Versions }}
25 | {{- range .Versions -}}
26 | {{ if .Tag.Previous -}}
27 | #### Full diff: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}
28 | {{ end -}}
29 | {{ end -}}
30 | {{ end -}}
31 | {{ end -}}
32 |
--------------------------------------------------------------------------------
/.chglog/config-changelog.yml:
--------------------------------------------------------------------------------
1 | style: github
2 | template: CHANGELOG.tpl.md
3 | info:
4 | title: CHANGELOG
5 | repository_url: https://github.com/sysdiglabs/charts
6 | options:
7 | commits:
8 | filters:
9 | Type:
10 | - feat
11 | - fix
12 | - refactor
13 | - chore
14 | - docs
15 | - github_actions_ci
16 | commit_groups:
17 | title_maps:
18 | feat: New Features
19 | fix: Bug Fixes
20 | refactor: Code Refactoring
21 | chore: Chores
22 | docs: Documentation
23 | github_actions_ci: Ignored
24 | header:
25 | pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\,\\-\\*\\s]*)\\))?\\:\\s?(.*)$"
26 | pattern_maps:
27 | - Type
28 | - Scope
29 | - Subject
30 | notes:
31 | keywords:
32 | - Extended Changelog
33 |
--------------------------------------------------------------------------------
/.chglog/config-release.yml:
--------------------------------------------------------------------------------
1 | style: github
2 | template: RELEASE.tpl.md
3 | info:
4 | title: RELEASE
5 | repository_url: https://github.com/sysdiglabs/charts
6 | options:
7 | commits:
8 | filters:
9 | Type:
10 | - feat
11 | - fix
12 | - refactor
13 | - chore
14 | - docs
15 | - github_actions_ci
16 | commit_groups:
17 | title_maps:
18 | feat: New Features
19 | fix: Bug Fixes
20 | refactor: Code Refactoring
21 | chore: Chores
22 | docs: Documentation
23 | github_actions_ci: Ignored
24 | header:
25 | pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\,\\-\\*\\s]*)\\))?\\:\\s?(.*)$"
26 | pattern_maps:
27 | - Type
28 | - Scope
29 | - Subject
30 | notes:
31 | keywords:
32 | - Extended Changelog
33 |
--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # request review from agent team members for changes to the agent-owned charts
2 | /charts/agent/ @sysdiglabs/team-tools-agent
3 | /charts/cluster-shield/ @sysdiglabs/team-tools-agent
4 | /charts/common/ @sysdiglabs/team-tools-agent
5 | /charts/shield/ @sysdiglabs/team-tools-agent
6 | /charts/sysdig-deploy/ @sysdiglabs/team-tools-agent
7 | /charts/sysdig/ @sysdiglabs/team-tools-agent
8 |
9 | /charts/admission-controller @sysdiglabs/cloud-native
10 | /charts/cloud-connector @sysdiglabs/cloud-native
11 | /charts/cloud-scanning @sysdiglabs/cloud-native
12 | /charts/registry-scanner @sysdiglabs/cloud-native @sysdiglabs/vm-scanners
13 |
14 | /rh-shield-operator/ @sysdiglabs/team-tools-agent
15 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | ## What this PR does / why we need it:
2 |
3 | ## Checklist
4 |
5 |
6 |
7 | - [ ] Title of the PR starts with type and scope (e.g. `feat(agent,node-analyzer,sysdig-deploy):`)
8 | - [ ] Chart Version bumped for the respective charts
9 | - [ ] Variables are documented in the README.md (or README.tpl in some charts)
10 | - [ ] Check that the GitHub Actions checks (like lint) pass to avoid merge blockers
11 | - [ ] All test files are added in the tests folder of their respective chart and have a "_test" suffix
12 |
13 |
14 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | version: 2
2 | updates:
3 | - package-ecosystem: "github-actions"
4 | directory: "/"
5 | schedule:
6 | interval: "daily"
7 | reviewers:
8 | - "draios/team-tools-agent"
9 | labels:
10 | - "dependencies"
11 |
--------------------------------------------------------------------------------
/.github/labeler.yml:
--------------------------------------------------------------------------------
1 | no-tests:
2 | - any:
3 | - 'charts/*/templates/**/*'
4 | - '!charts/**/*.md'
5 | - '!charts/**/*.txt'
6 | - '!charts/**/README.tpl'
7 | all:
8 | - '!charts/**/tests/*.yaml'
9 |
--------------------------------------------------------------------------------
/.github/workflows/agent-release.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Update charts for Agent release
3 |
4 | on:
5 | workflow_dispatch:
6 | inputs:
7 | release:
8 | description: 'Agent Version'
9 | required: true
10 |
11 | permissions:
12 | contents: read
13 | pull-requests: write
14 |
15 | jobs:
16 | agent-release:
17 | runs-on: ubuntu-latest
18 | steps:
19 | - name: Checkout
20 | uses: actions/checkout@v4
21 |
22 | - name: Install Updatecli in the runner
23 | uses: updatecli/updatecli-action@v2.84.0
24 |
25 | - name: Run Updatecli in apply mode
26 | run: "updatecli apply --config .github/updatecli.d/config-agent-release.yaml"
27 | env:
28 | AGENT_RELEASE: "${{ inputs.release }}"
29 | GITHUB_TOKEN: "${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}"
30 |
--------------------------------------------------------------------------------
/.github/workflows/greeting.yaml:
--------------------------------------------------------------------------------
1 | name: Greeting
2 | on:
3 | pull_request_target:
4 | types: [opened]
5 | branches: [main]
6 |
7 | jobs:
8 | greeting:
9 | permissions:
10 | pull-requests: write
11 | name: Greeting comment upon PR from fork
12 | runs-on: ubuntu-latest
13 | if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != 'sysdiglabs/charts'
14 | steps:
15 | - name: Issue the greeting comment
16 | uses: peter-evans/create-or-update-comment@v4
17 | with:
18 | token: ${{ secrets.GITHUB_TOKEN }}
19 | issue-number: ${{ github.event.pull_request.number }}
20 | body: |
21 | Hi @${{ github.event.pull_request.user.login }}. Thanks for your PR.
22 |
23 | After inspecting your changes, someone with write access to this repo needs
24 | to approve and run the workflow.
25 |
--------------------------------------------------------------------------------
/.github/workflows/kubectl-update.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Update bitnami/kubectl image reference for Helm tests
3 |
4 | on:
5 | schedule:
6 | - cron: '0 0 * * *'
7 |
8 | permissions:
9 | contents: read
10 | pull-requests: write
11 |
12 | jobs:
13 | kubectl-update:
14 | runs-on: ubuntu-latest
15 | steps:
16 | - name: Checkout
17 | uses: actions/checkout@v4
18 |
19 | - name: Install Updatecli in the runner
20 | uses: updatecli/updatecli-action@v2.84.0
21 |
22 | - name: Run Updatecli
23 | run: "updatecli apply --config .github/updatecli.d/config-update-bitnami-kubectl-image.yaml"
24 | env:
25 | GITHUB_TOKEN: "${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}"
26 |
--------------------------------------------------------------------------------
/.github/workflows/labeler.yml:
--------------------------------------------------------------------------------
1 | name: PR Labeler
2 |
3 | on:
4 | pull_request_target:
5 | branches: [main]
6 |
7 | jobs:
8 | pr-label:
9 | permissions:
10 | contents: read
11 | pull-requests: write
12 | runs-on: ubuntu-latest
13 | steps:
14 | - uses: actions/labeler@v5.0.0
15 | with:
16 | repo-token: "${{ secrets.GITHUB_TOKEN }}"
17 |
--------------------------------------------------------------------------------
/.github/workflows/pr-lint.yaml:
--------------------------------------------------------------------------------
1 | name: PR Lint
2 |
3 | on:
4 | pull_request_target:
5 | types: [opened, edited, reopened, synchronize]
6 | branches: [main]
7 |
8 | jobs:
9 | pr-lint:
10 | permissions:
11 | pull-requests: write
12 | runs-on: ubuntu-latest
13 | steps:
14 | - uses: morrisoncole/pr-lint-action@v1.7.1
15 | with:
16 | repo-token: "${{ secrets.GITHUB_TOKEN }}"
17 | title-regex: "^(\\w*)(?:\\(([\\w\\$\\.\\,\\-\\*\\s]*)\\))?\\:\\s?(.*)$"
18 | on-failed-regex-fail-action: false
19 | on-failed-regex-create-review: true
20 | on-failed-regex-request-changes: true
21 | on-failed-regex-comment: "PR title does not comply with regex: `%regex%`!
Check PR guidelines at https://github.com/sysdiglabs/charts/blob/main/README.md#pull-requests"
22 |
--------------------------------------------------------------------------------
/.github/workflows/release-rh-shield-operator.yaml:
--------------------------------------------------------------------------------
1 | name: Release the Shield Operator
2 |
# Manual trigger only; the release version is a required free-text input.
3 | on:
4 | workflow_dispatch:
5 | inputs:
6 | release_version:
7 | description: 'The version of the operator to release'
8 | required: true
9 | type: string
# No permissions block, so the job runs with the repository's default
# GITHUB_TOKEN scopes. The visible steps only read the checkout and push to an
# external registry with their own credentials, so an explicit
# "permissions: contents: read" would be the least-privilege setting.
10 | jobs:
11 | build-and-push:
12 | name: Build and Push the Operator Images
13 | runs-on: ubuntu-latest
14 | steps:
# actions/checkout and docker/login-action below float on major tags; commit
# SHA pins would make the release supply chain reproducible.
15 | - name: Checkout
16 | uses: actions/checkout@v4
17 | with:
# Shallow clone; presumably the build does not need history.
18 | fetch-depth: '1'
19 |
# Registry credentials come from repository secrets.
20 | - name: Login to Docker registry
21 | uses: docker/login-action@v3
22 | with:
23 | registry: quay.io
24 | username: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_USERNAME }}
25 | password: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_PASSWORD }}
26 |
27 | - name: Build and Push Operator and Bundle Images
# The dispatch input is passed through the environment rather than
# interpolated into the run script, so its value cannot alter the shell
# command line; the Makefile reads VERSION and IMAGE_TAG_BASE from env.
28 | env:
29 | IMAGE_TAG_BASE: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_IMAGE_TAG_BASE }}
30 | VERSION: ${{ github.event.inputs.release_version }}
31 | run: |
32 | make docker-build docker-push bundle-build bundle-push
33 | working-directory: rh-shield-operator
34 |
--------------------------------------------------------------------------------
/.github/workflows/stale.yml:
--------------------------------------------------------------------------------
1 | name: Mark stale issues and pull requests
2 |
# Runs daily at 01:30 (GitHub Actions evaluates cron schedules in UTC).
3 | on:
4 | schedule:
5 | - cron: "30 1 * * *"
6 |
# No permissions block, so the default GITHUB_TOKEN scopes apply. Labeling and
# closing needs only "issues: write" and "pull-requests: write"; pinning those
# explicitly would keep the token at least privilege.
7 | jobs:
8 | stale:
9 | runs-on: ubuntu-latest
10 | steps:
# Floating major tag; a commit SHA pin would make this reproducible.
11 | - uses: actions/stale@v9
12 | with:
13 | repo-token: ${{ secrets.GITHUB_TOKEN }}
# NOTE(review): the messages promise 60 days until stale and 7 more until close,
# but no days-before-stale / days-before-close inputs are set, so the wording
# relies on the action's defaults staying at those values — confirm for v9.
14 | stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
15 | stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
16 | stale-issue-label: 'stale'
17 | stale-pr-label: 'stale'
18 | close-issue-message: 'This issue has been closed due to inactivity.'
19 | close-pr-message: 'This PR has been closed due to inactivity.'
20 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
# Local hooks delegate to the repository Makefile targets. With
# pass_filenames: false they run whole-repo on every commit, regardless of
# which files changed.
1 | repos:
2 | - repo: local
3 | hooks:
4 | - id: docgen
5 | pass_filenames: false
6 | name: Generate documentation
7 | entry: make docs
8 | language: system
9 | - id: lint
10 | pass_filenames: false
11 | name: Lint charts
12 | entry: make lint
13 | language: system
14 | - id: unit-test
15 | pass_filenames: false
16 | name: Unit test charts
17 | entry: make unittest
18 | language: system
# Upstream hooks, pinned to a release tag.
19 | - repo: https://github.com/pre-commit/pre-commit-hooks
20 | rev: v5.0.0
21 | hooks:
22 | - id: trailing-whitespace
23 | - id: end-of-file-fixer
24 | - id: check-added-large-files
25 | - id: check-merge-conflict
26 | - id: check-symlinks
# Private-key detection is skipped for the charts' ci/ value templates. Those
# files are meant to hold ${...} placeholders only; anything real dropped there
# would not be caught by this hook, so keep them placeholder-only.
27 | - id: detect-private-key
28 | exclude: charts/.*/ci/.*
# "-m" allows multi-document YAML. Helm templates are excluded, presumably
# because unrendered Go-template syntax is not valid YAML.
29 | - id: check-yaml
30 | args: ["-m"]
31 | exclude: charts/.*/templates/.*
32 |
--------------------------------------------------------------------------------
/Justfile:
--------------------------------------------------------------------------------
1 | @default:
2 | just --list
3 |
4 | docs:
5 | make docs
6 |
7 | unit-test-rs:
8 | make unit-test-rs
9 |
--------------------------------------------------------------------------------
/charts/admission-controller/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *~
18 | # Various IDEs
19 | .project
20 | .idea/
21 | *.tmproj
22 | .vscode/
23 |
--------------------------------------------------------------------------------
/charts/admission-controller/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: admission-controller
3 | description: Sysdig Admission Controller using Sysdig Secure inline image scanner
4 | type: application
5 | version: 0.16.10
6 | appVersion: 3.9.50
7 | home: https://sysdiglabs.github.io/admission-controller/
8 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
9 | maintainers:
10 | - name: sysdiglabs
11 | dependencies:
12 | - name: common
13 | repository: file://../common
14 | version: ~1.3.1
15 |
--------------------------------------------------------------------------------
/charts/admission-controller/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **admission-controller** [121520c3](https://github.com/sysdiglabs/charts/commit/121520c380dc7c53983e442bbf36c64c32afc4ad): add PDB, enable HPA and deprecate scanning ([#2174](https://github.com/sysdiglabs/charts/issues/2174))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.16.9...admission-controller-0.16.10
6 |
--------------------------------------------------------------------------------
/charts/admission-controller/ci/deployment-with-port-on-443.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | secureAPIToken: ${SECURE_API_TOKEN}
3 | clusterName: CI-Cluster
4 | webhook:
5 | http:
6 | port: 443
7 |
--------------------------------------------------------------------------------
/charts/admission-controller/ci/required-values.yaml.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | secureAPIToken: ${SECURE_API_TOKEN}
3 | clusterName: CI-Cluster
4 |
--------------------------------------------------------------------------------
/charts/admission-controller/ci/with-specific-url.yaml.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | secureAPIToken: ${SECURE_API_TOKEN}
3 | url: "https://secure.sysdig.com"
4 | clusterName: CI-Cluster
5 |
--------------------------------------------------------------------------------
/charts/admission-controller/doc.yaml:
--------------------------------------------------------------------------------
1 | project:
2 | name: Sysdig Admission Controller
3 | shortName: Admission Controller
4 | url: https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/install-kubernetes-audit-logging/
5 | description: This chart deploys the Sysdig Admission Controller in your Kubernetes cluster.
6 | app: the Sysdig Admission Controller
7 | repository:
8 | url: https://charts.sysdig.com
9 | name: sysdig
10 | chart:
11 | name: admission-controller
12 | # version: v0.9.0-rc.0
13 | # values: "-- generate from values file --"
14 | valuesExample: "sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME"
15 | prerequisites:
16 | - "Helm 3.6"
17 | - "Kubernetes v1.16+"
18 | - "Cluster Name (pick one to identify your Kubernetes Cluster)"
19 | - "Sysdig Secure API Token"
20 |
21 | release:
22 | name: admission-controller
23 | namespace: sysdig-admission-controller
24 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | {{- if .Values.features.kspmAdmissionController }}
2 | {{- if include "admissionController.validAccessKeyConfig" . }}{{- end}}
3 | {{- end }}
4 | {{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled .Values.webhook.acConfig) }}
5 | {{- if include "admissionController.validTokenConfig" . }}{{- end }}
6 | {{- end }}
7 | Sysdig Admission Controller is now installed!
8 |
9 | Confirm that it is working:
10 | https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/install-kubernetes-audit-logging/#verify-the-installation
11 | ================================================================================================
12 |
13 | {{- if .Values.scanner.enabled }}
14 | The Scanner also needs the AUTH_BEARER_TOKEN environment variable configured with a valid
15 | Secure API Token.
16 | ================================================================================================
17 | {{- end }}
18 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/scanner/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Environment ConfigMap for the scanner. Rendered only when .Values.scanner.enabled is set.
*/}}
1 | {{- if .Values.scanner.enabled -}}
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: {{ include "admissionController.scanner.fullname" . }}
6 | namespace: {{ include "admissionController.namespace" . }}
7 | labels:
8 | {{ include "admissionController.scanner.labels" . | nindent 4 }}
9 | data:
{{- /* An explicit sysdig.url wins; otherwise "https://" + the admissionController.apiEndpoint helper. */}}
10 | SECURE_BASE_URL: "{{ .Values.sysdig.url | default (printf "https://%s" (include "admissionController.apiEndpoint" .)) }}"
{{- /* Both flags are derived by negation: verifySSL=false renders SECURE_SKIP_TLS="true",
i.e. no certificate verification towards the Sysdig backend; likewise
verifyRegistryTLS=false disables verification towards image registries. */}}
11 | SECURE_SKIP_TLS: "{{ not .Values.verifySSL }}"
12 | REGISTRY_SKIP_TLS: "{{ not .Values.scanner.verifyRegistryTLS }}"
{{- /* Registry credentials are read from a mounted secret when dockerCfgSecretName is set. */}}
13 | {{- if .Values.scanner.dockerCfgSecretName }}
14 | REGISTRY_DOCKERCFG_PATH: /dockerauth/.dockercfg
15 | {{- end }}
16 | {{- end -}}
17 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/scanner/podmonitor.yaml:
--------------------------------------------------------------------------------
{{- /*
Prometheus Operator PodMonitor for the scanner's /metrics endpoint.
Rendered only when .Values.podMonitors.scanner.enabled is set.
*/}}
1 | {{- if .Values.podMonitors.scanner.enabled }}
2 | apiVersion: monitoring.coreos.com/v1
3 | kind: PodMonitor
4 | metadata:
5 | annotations: {{ .Values.podMonitors.scanner.annotations | toYaml | nindent 4 }}
6 | labels: {{ .Values.podMonitors.scanner.labels | toYaml | nindent 4 }}
7 | name: admission-controller-scanner
8 | namespace: {{ include "admissionController.namespace" . }}
9 | spec:
10 | selector:
11 | matchLabels:
12 | {{- include "admissionController.scanner.selectorLabels" . | nindent 6 }}
13 | podMetricsEndpoints:
14 | - targetPort: {{ .Values.scanner.service.port }}
15 | path: "/metrics"
{{- /* The scrape is encrypted but the scanner's serving certificate is not
verified, so the scraper does not authenticate the endpoint. Acceptable for
metrics; if the serving cert chains to a known CA, prefer a CA reference in
tlsConfig over skipping verification. */}}
16 | scheme: https
17 | tlsConfig:
18 | insecureSkipVerify: true
19 | {{- end }}
20 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/scanner/psp.yaml:
--------------------------------------------------------------------------------
{{- /*
Restrictive PodSecurityPolicy for the scanner: non-root, read-only root
filesystem, no privilege escalation, all capabilities dropped, non-host volume
types only. Rendered only when .Values.scanner.psp.create is set and the cluster
is older than 1.25 (PSP no longer exists from 1.25 on). The Role/RoleBinding
next to this file grant "use" of the policy to the scanner service account.
*/}}
1 | {{- if and .Values.scanner.psp.create (include "admissionController.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
2 | apiVersion: policy/v1beta1
3 | kind: PodSecurityPolicy
4 | metadata:
5 | name: {{ include "admissionController.scanner.fullname" . }}
6 | namespace: {{ include "admissionController.namespace" . }}
7 | spec:
8 | allowPrivilegeEscalation: false
9 | fsGroup:
10 | ranges:
11 | - max: 65535
12 | min: 1
13 | rule: MustRunAs
14 | readOnlyRootFilesystem: true
15 | requiredDropCapabilities:
16 | - ALL
17 | runAsUser:
18 | rule: MustRunAsNonRoot
19 | seLinux:
20 | rule: RunAsAny
21 | supplementalGroups:
22 | ranges:
23 | - max: 65535
24 | min: 1
25 | rule: MustRunAs
26 | volumes:
27 | - configMap
28 | - downwardAPI
29 | - emptyDir
30 | - secret
31 | - projected
32 | {{- end }}
33 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/scanner/role.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.scanner.psp.create (include "admissionController.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: Role
4 | metadata:
5 | name: {{ include "admissionController.scanner.fullname" . }}
6 | namespace: {{ include "admissionController.namespace" . }}
7 | rules:
8 | - apiGroups:
9 | - policy
10 | resourceNames:
11 | - {{ include "admissionController.scanner.fullname" . }}
12 | resources:
13 | - podsecuritypolicies
14 | verbs:
15 | - use
16 | {{- end }}
17 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/scanner/rolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.scanner.psp.create (include "admissionController.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: RoleBinding
4 | metadata:
5 | name: {{ include "admissionController.scanner.fullname" . }}
6 | namespace: {{ include "admissionController.namespace" . }}
7 | roleRef:
8 | apiGroup: rbac.authorization.k8s.io
9 | kind: Role
10 | name: {{ include "admissionController.scanner.fullname" . }}
11 | subjects:
12 | - kind: ServiceAccount
13 | name: {{ include "admissionController.scanner.serviceAccountName" . }}
14 | namespace: {{ include "admissionController.namespace" . }}
15 | {{- end }}
16 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/scanner/service.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.scanner.enabled -}}
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: {{ include "admissionController.scanner.fullname" . }}
6 | namespace: {{ include "admissionController.namespace" . }}
7 | labels:
8 | {{- include "admissionController.scanner.labels" . | nindent 4 }}
9 | spec:
10 | type: {{ .Values.scanner.service.type }}
11 | ports:
12 | - name: https
13 | port: {{ .Values.scanner.service.port }}
14 | targetPort: http
15 | protocol: TCP
16 | selector:
17 | {{- include "admissionController.scanner.selectorLabels" . | nindent 4 }}
18 | {{- end -}}
19 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/scanner/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.scanner.enabled -}}
2 | {{- if .Values.serviceAccounts.scanner.create -}}
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 | name: {{ include "admissionController.scanner.serviceAccountName" . }}
7 | namespace: {{ include "admissionController.namespace" . }}
8 | labels:
9 | {{- include "admissionController.scanner.labels" . | nindent 4 }}
10 | {{- with .Values.serviceAccounts.scanner.annotations }}
11 | annotations:
12 | {{- toYaml . | nindent 4 }}
13 | {{- end }}
14 | {{- end }}
15 | {{- end }}
16 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml:
--------------------------------------------------------------------------------
1 | # Warning! This file is for internal tests only.
2 | {{- if .Values.webhook.acConfig }}
3 | apiVersion: v1
4 | kind: ConfigMap
5 | metadata:
6 | name: admissioncontrollerconfigmap
7 | namespace: {{ include "admissionController.namespace" . }}
8 | labels:
9 | {{ include "admissionController.webhook.labels" . | nindent 4 }}
10 | data:
11 | acConfig: |
12 | {{ .Values.webhook.acConfig | nindent 4 }}
13 | {{- end }}
14 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/autoscaler.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.webhook.autoscaling.enabled }}
2 | apiVersion: autoscaling/v1
3 | kind: HorizontalPodAutoscaler
4 | metadata:
5 | name: {{ include "admissionController.webhook.fullname" . }}
6 | namespace: {{ include "admissionController.namespace" . }}
7 | spec:
8 | maxReplicas: {{ .Values.webhook.autoscaling.maxReplicas }}
9 | minReplicas: {{ .Values.webhook.autoscaling.minReplicas }}
10 | scaleTargetRef:
11 | apiVersion: apps/v1
12 | kind: Deployment
13 | name: {{ include "admissionController.webhook.fullname" . }}
14 | targetCPUUtilizationPercentage: {{ .Values.webhook.autoscaling.targetCPUUtilizationPercentage }}
15 | {{- end }}
16 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- /*
Cluster-wide RBAC for the webhook service account. Rendered only when
.Values.webhook.rbac.create is set. Rules are additive per feature flag, so
assess blast radius against the widest case (acConfig and vm both enabled).
*/}}
1 | {{- if .Values.webhook.rbac.create }}
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 | name: {{ include "admissionController.webhook.fullname" . }}
6 | rules:
{{- /* Read access narrowed by resourceNames to the kube-system Namespace object. */}}
7 | - apiGroups:
8 | - ""
9 | resourceNames:
10 | - kube-system
11 | resources:
12 | - namespaces
13 | verbs:
14 | - get
{{- /* Read access to pods in every namespace; widened by the feature flags below. */}}
15 | - apiGroups:
16 | - ""
17 | resources:
18 | - pods
19 | {{- if .Values.webhook.acConfig }}
20 | - configmaps
21 | {{- end }}
{{- /* "get" on Secrets is cluster-wide and not narrowed by resourceNames: with
acConfig or vm enabled the webhook can read any Secret whose name it knows.
Confirm that breadth is required before enabling either feature. */}}
22 | {{- if or .Values.webhook.acConfig (.Values.webhook.vm).enabled }}
23 | - secrets
24 | {{- end }}
25 | {{- if (.Values.webhook.vm).enabled }}
26 | - serviceaccounts
27 | - namespaces
28 | {{- end }}
29 | verbs:
30 | - get
{{- /* Full Job lifecycle management across the cluster when acConfig is set. */}}
31 | {{- if .Values.webhook.acConfig }}
32 | - apiGroups:
33 | - "batch"
34 | resources:
35 | - jobs
36 | verbs:
37 | - create
38 | - get
39 | - delete
40 | - watch
41 | {{- end }}
{{- /* Read-only access to workload controllers; presumably for resolving pod
ownership — confirm in the webhook code. */}}
42 | - apiGroups:
43 | - "apps"
44 | resources:
45 | - deployments
46 | - replicasets
47 | - statefulsets
48 | - daemonsets
49 | verbs:
50 | - get
51 | {{- end }}
52 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.webhook.rbac.create }}
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRoleBinding
4 | metadata:
5 | name: {{ include "admissionController.webhook.fullname" . }}
6 | roleRef:
7 | apiGroup: rbac.authorization.k8s.io
8 | kind: ClusterRole
9 | name: {{ include "admissionController.webhook.fullname" . }}
10 | subjects:
11 | - kind: ServiceAccount
12 | name: {{ include "admissionController.webhook.serviceAccountName" . }}
13 | namespace: {{ include "admissionController.namespace" . }}
14 | {{- end }}
15 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: policy/v1
2 | kind: PodDisruptionBudget
3 | metadata:
4 | name: {{ include "admissionController.webhook.fullname" . }}-pdb
5 | namespace: {{ include "admissionController.namespace" . }}
6 | spec:
7 | minAvailable: {{ .Values.webhook.pdb.minAvailable }}
8 | selector:
9 | matchLabels:
10 | {{- include "admissionController.webhook.selectorLabels" . | nindent 6 }}
11 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/podmonitor.yaml:
--------------------------------------------------------------------------------
{{- /*
Prometheus Operator PodMonitor for the webhook's /metrics endpoint on the
webhook HTTP port. Rendered only when .Values.podMonitors.webhook.enabled is set.
*/}}
1 | {{- if .Values.podMonitors.webhook.enabled }}
2 | apiVersion: monitoring.coreos.com/v1
3 | kind: PodMonitor
4 | metadata:
5 | annotations: {{ .Values.podMonitors.webhook.annotations | toYaml | nindent 4 }}
6 | labels: {{ .Values.podMonitors.webhook.labels | toYaml | nindent 4 }}
7 | name: admission-controller-webhook
8 | namespace: {{ include "admissionController.namespace" . }}
9 | spec:
10 | selector:
11 | matchLabels:
12 | {{- include "admissionController.webhook.selectorLabels" . | nindent 6 }}
13 | podMetricsEndpoints:
14 | - targetPort: {{ .Values.webhook.http.port }}
15 | path: "/metrics"
{{- /* Encrypted but unverified scrape: the webhook's serving certificate is not
checked, so the scraper does not authenticate the endpoint. If the cert chains
to a known CA, prefer a CA reference in tlsConfig over skipping verification. */}}
16 | scheme: https
17 | tlsConfig:
18 | insecureSkipVerify: true
19 | {{- end }}
20 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: {{ include "admissionController.webhook.fullname" . }}
5 | namespace: {{ include "admissionController.namespace" . }}
6 | labels:
7 | {{- include "admissionController.webhook.labels" . | nindent 4 }}
8 | spec:
9 | type: {{ .Values.webhook.service.type }}
10 | ports:
11 | {{- if .Values.features.kspmAdmissionController }}
12 | - name: vac
13 | port: {{ .Values.webhook.v2.service.port }}
14 | targetPort: vac
15 | {{- end }}
16 | {{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled .Values.webhook.acConfig) }}
17 | - name: http
18 | port: {{ .Values.webhook.service.port }}
19 | targetPort: http
20 | protocol: TCP
21 | {{- end }}
22 | selector:
23 | {{- include "admissionController.webhook.selectorLabels" . | nindent 4 }}
24 |
--------------------------------------------------------------------------------
/charts/admission-controller/templates/webhook/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.serviceAccounts.webhook.create -}}
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 | name: {{ include "admissionController.webhook.serviceAccountName" . }}
6 | namespace: {{ include "admissionController.namespace" . }}
7 | labels:
8 | {{ include "admissionController.webhook.labels" . | nindent 4 }}
9 | {{- with .Values.serviceAccounts.webhook.annotations }}
10 | annotations:
11 | {{- toYaml . | nindent 4 }}
12 | {{- end }}
13 | {{- end }}
14 |
--------------------------------------------------------------------------------
/charts/agent/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 | # Sysdig specific
25 | /tests/
26 |
--------------------------------------------------------------------------------
/charts/agent/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | appVersion: 13.9.2
3 | dependencies:
4 | - name: common
5 | repository: file://../common
6 | version: ~1.3.1
7 | description: Sysdig Monitor and Secure agent
8 | home: https://www.sysdig.com/
9 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
10 | keywords:
11 | - monitoring
12 | - security
13 | - alerting
14 | - metric
15 | - troubleshooting
16 | - run-time
17 | maintainers:
18 | - email: alberto.barba@sysdig.com
19 | name: AlbertoBarba
20 | - email: adam.roberts@sysdig.com
21 | name: aroberts87
22 | - email: francesco.furlan@sysdig.com
23 | name: francesco-furlan
24 | - email: gerlando.falauto@sysdig.com
25 | name: iurly
26 | - email: marcovito.moscaritolo@sysdig.com
27 | name: mavimo
28 | name: agent
29 | sources:
30 | - https://app.sysdigcloud.com/#/settings/user
31 | - https://github.com/draios/sysdig
32 | type: application
33 | version: 1.38.2
34 |
--------------------------------------------------------------------------------
/charts/agent/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **agent,shield,sysdig-deploy** [a32a879d](https://github.com/sysdiglabs/charts/commit/a32a879d1122dbc533817035b114bb94395876b1): release agent 13.9.2 ([#2264](https://github.com/sysdiglabs/charts/issues/2264))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.38.1...agent-1.38.2
6 |
--------------------------------------------------------------------------------
/charts/agent/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | accessKey: ${SECURE_AGENT_TOKEN}
3 |
--------------------------------------------------------------------------------
/charts/agent/templates/auditsink.yaml:
--------------------------------------------------------------------------------
{{- /*
Dynamic audit backend that points the API server's audit webhook at the agent
Service. Rendered only when both auditLog.enabled and
auditLog.dynamicBackend.enabled are set.
NOTE(review): auditregistration.k8s.io/v1alpha1 AuditSink was an alpha API that
upstream Kubernetes has since removed; confirm the target clusters still serve
it before relying on this template.
*/}}
1 | {{- if and .Values.auditLog.enabled .Values.auditLog.dynamicBackend.enabled }}
2 | apiVersion: auditregistration.k8s.io/v1alpha1
3 | kind: AuditSink
4 | metadata:
5 | name: {{ template "agent.fullname" . }}
6 | namespace: {{ include "agent.namespace" . }}
7 | labels:
8 | {{ include "agent.labels" . | indent 4 }}
9 | spec:
{{- /* RequestResponse level ships full request and response bodies for every
event, which includes Secret contents on writes; the receiving /k8s_audit
endpoint therefore handles sensitive data and should only be reachable from
the API server. */}}
10 | policy:
11 | level: RequestResponse
12 | stages:
13 | - ResponseComplete
14 | - ResponseStarted
15 | webhook:
{{- /* Rate limit for the API server's deliveries to the backend. */}}
16 | throttle:
17 | qps: 10
18 | burst: 15
19 | clientConfig:
20 | service:
21 | namespace: {{ include "agent.namespace" . }}
22 | name: {{ template "agent.fullname" . }}
23 | port: {{ .Values.auditLog.auditServerPort }}
24 | path: /k8s_audit
25 | {{- end }}
26 |
--------------------------------------------------------------------------------
/charts/agent/templates/clusterrolebinding-cluster-monitoring-view.yaml:
--------------------------------------------------------------------------------
{{- /*
OpenShift only: binds the agent service account to the built-in
cluster-monitoring-view ClusterRole. Gated on the monitoring.openshift.io/v1
API being served, on rbac.create, and on the ClusterRole actually existing.
Note that "lookup" queries the live cluster and returns nothing under
"helm template" or --dry-run, so this binding only renders during a real
install or upgrade.
*/}}
1 | {{- if .Capabilities.APIVersions.Has "monitoring.openshift.io/v1" }}
2 | {{- $clusterRole := lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "cluster-monitoring-view" -}}
3 | {{- if and .Values.rbac.create $clusterRole }}
4 | kind: ClusterRoleBinding
5 | apiVersion: rbac.authorization.k8s.io/v1
6 | metadata:
7 | name: {{ template "agent.fullname" .}}-cluster-monitoring-view
8 | labels:
9 | {{ include "agent.labels" . | indent 4 }}
10 | subjects:
11 | - kind: ServiceAccount
12 | name: {{ template "agent.serviceAccountName" .}}
13 | namespace: {{ include "agent.namespace" . }}
14 | roleRef:
15 | kind: ClusterRole
16 | name: cluster-monitoring-view
17 | apiGroup: rbac.authorization.k8s.io
18 | {{- end }}
19 | {{- end }}
20 |
--------------------------------------------------------------------------------
/charts/agent/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.rbac.create }}
2 | kind: ClusterRoleBinding
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | metadata:
5 | name: {{ template "agent.fullname" .}}
6 | labels:
7 | {{ include "agent.labels" . | indent 4 }}
8 | subjects:
9 | - kind: ServiceAccount
10 | name: {{ template "agent.serviceAccountName" .}}
11 | namespace: {{ include "agent.namespace" . }}
12 | roleRef:
13 | kind: ClusterRole
14 | name: {{ template "agent.fullname" .}}
15 | apiGroup: rbac.authorization.k8s.io
16 | {{- end }}
17 |
--------------------------------------------------------------------------------
/charts/agent/templates/configmap-local-forwarder.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.localForwarder.enabled }}
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: {{ include "agent.localForwarderConfigMapName" . }}
6 | namespace: {{ include "agent.namespace" . }}
7 | labels:
8 | {{ (include "agent.labels" .) | indent 4 }}
9 | data:
10 | local_forwarder_config.yaml: |
11 | integrations:
12 | {{- toYaml .Values.localForwarder.integrations | nindent 6 }}
13 | {{- end }}
14 |
--------------------------------------------------------------------------------
/charts/agent/templates/priorityclass.yaml:
--------------------------------------------------------------------------------
{{- /*
PriorityClass for the agent DaemonSet. Rendered when either createPriorityClass
or gke.createPriorityClass is set.
*/}}
1 | {{- if or .Values.createPriorityClass .Values.gke.createPriorityClass }}
2 | apiVersion: scheduling.k8s.io/v1
3 | kind: PriorityClass
4 | metadata:
{{- /* Side effect: when no priorityClassName was supplied, the default name is
written back into .Values, which is shared across templates in the same render;
presumably so the DaemonSet references the same class name — confirm there. */}}
5 | {{- if and (or .Values.gke.createPriorityClass .Values.createPriorityClass) (not .Values.priorityClassName) }}
6 | {{ $_ := set .Values "priorityClassName" "sysdig-daemonset-priority" }}
7 | {{- end }}
8 | name: {{ .Values.priorityClassName }}
9 | value: {{ .Values.priorityClassValue }}
10 | preemptionPolicy: PreemptLowerPriority
11 | globalDefault: false
12 | description: "Sysdig DaemonSet priority"
13 | {{- end }}
14 |
--------------------------------------------------------------------------------
/charts/agent/templates/psp.yaml:
--------------------------------------------------------------------------------
{{- /*
PodSecurityPolicy for the agent. Rendered only when .Values.psp.create is set
AND the cluster is older than 1.25 (PSP was removed from Kubernetes in 1.25).
This policy is maximally permissive: privileged, host PID/IPC/network, every
capability, every host port and every volume type — it effectively disables
pod isolation for whoever is allowed to "use" it, so grant that verb to the
agent service account only.
*/}}
1 | {{- if and .Values.psp.create (include "agent.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
2 | apiVersion: policy/v1beta1
3 | kind: PodSecurityPolicy
4 | metadata:
5 | name: {{ template "agent.fullname" . }}
6 | namespace: {{ include "agent.namespace" . }}
7 | spec:
8 | allowedCapabilities:
9 | - '*'
10 | fsGroup:
11 | rule: RunAsAny
12 | hostIPC: true
13 | hostNetwork: true
14 | hostPID: true
15 | hostPorts:
16 | - max: 65536
17 | min: 1
18 | privileged: true
19 | runAsUser:
20 | rule: RunAsAny
21 | seLinux:
22 | rule: RunAsAny
23 | supplementalGroups:
24 | rule: RunAsAny
25 | volumes:
26 | - '*'
27 | {{- end }}
28 |
--------------------------------------------------------------------------------
/charts/agent/templates/role.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.rbac.create }}
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: Role
4 | metadata:
5 | name: {{ include "agent.fullname" . }}
6 | namespace: {{ include "agent.namespace" . }}
7 | rules:
8 | - apiGroups:
9 | - coordination.k8s.io
10 | resources:
11 | - leases
12 | verbs:
13 | - create
14 | - get
15 | - list
16 | - update
17 | - watch
18 | {{- end }}
19 |
--------------------------------------------------------------------------------
/charts/agent/templates/rolebinding.yaml:
--------------------------------------------------------------------------------
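{{- /*
Binds the namespaced Role (lease access) to the agent service account.
Rendered only when .Values.rbac.create is set. The subject namespace uses the
same "agent.namespace" helper as the Role, the ServiceAccount template and the
ClusterRoleBinding, so a namespace override cannot leave this binding pointing
at a ServiceAccount in a different namespace from the one the chart creates.
*/}}
1 | {{- if .Values.rbac.create }}
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: RoleBinding
4 | metadata:
5 | name: {{ include "agent.fullname" .}}
6 | namespace: {{ include "agent.namespace" . }}
7 | roleRef:
8 | apiGroup: rbac.authorization.k8s.io
9 | kind: Role
10 | name: {{ include "agent.fullname" . }}
11 | subjects:
12 | - kind: ServiceAccount
13 | name: {{ include "agent.serviceAccountName" . }}
14 | namespace: {{ include "agent.namespace" . }}
15 | {{- end }}
16 |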
--------------------------------------------------------------------------------
/charts/agent/templates/service.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.auditLog.enabled }}
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: {{ template "agent.fullname" . }}
6 | namespace: {{ include "agent.namespace" . }}
7 | labels:
8 | {{ include "agent.labels" . | indent 4 }}
9 | spec:
10 | selector:
11 | app.kubernetes.io/name: {{ include "agent.name" . }}
12 | app.kubernetes.io/instance: {{ .Release.Name }}
13 | ports:
14 | - protocol: TCP
15 | port: {{ .Values.auditLog.auditServerPort }}
16 | {{- end }}
17 |
--------------------------------------------------------------------------------
/charts/agent/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.serviceAccount.create }}
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 | name: {{ template "agent.serviceAccountName" .}}
6 | namespace: {{ include "agent.namespace" . }}
7 | labels:
8 | {{ include "agent.labels" . | indent 4 }}
9 | {{- end }}
10 |
--------------------------------------------------------------------------------
/charts/agent/templates/tests/test-rollout.yaml:
--------------------------------------------------------------------------------
{{- /*
Helm test hook: waits for the agent DaemonSet rollout to complete. Skipped when
.Values.tests.skip is set; the pod is recreated before each run and deleted on
success. It runs as the agent's own service account, so the test image receives
every permission bound to that account — keep tests.image pointed at a trusted
kubectl image.
*/}}
1 | {{- if not .Values.tests.skip }}
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: "{{ include "agent.fullname" . }}-test-rollout"
6 | namespace: {{ include "agent.namespace" . }}
7 | labels:
8 | helm.sh/chart: {{ include "agent.chart" . }}
9 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
10 | app.kubernetes.io/managed-by: {{ .Release.Service }}
11 | annotations:
12 | "helm.sh/hook": test
13 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
14 | spec:
15 | serviceAccountName: {{ include "agent.serviceAccountName" . }}
16 | containers:
17 | - name: kubectl
18 | image: {{ .Values.tests.image.repo }}:{{ .Values.tests.image.tag }}
19 | imagePullPolicy: IfNotPresent
20 | command:
21 | - kubectl
{{- /* Blocks until the DaemonSet reports a finished rollout or tests.timeout elapses. */}}
22 | args:
23 | - rollout
24 | - status
25 | - daemonset/{{ include "agent.fullname" . }}
26 | - -n
27 | - {{ include "agent.namespace" . }}
28 | - -w
29 | - --timeout={{ .Values.tests.timeout }}
30 | restartPolicy: Never
31 | {{- end }}
32 |
--------------------------------------------------------------------------------
/charts/agent/tests/captures_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite: sysdig.disableCaptures=true must surface as
# `sysdig_capture_enabled: false` in the rendered dragent.yaml.
suite: Test captures settings
templates:
  - templates/configmap.yaml
tests:
  - it: Checking disabling captures
    set:
      sysdig:
        disableCaptures: true
    asserts:
      # The block scalar keeps its trailing newline, so the regex only matches
      # a line that ends immediately after "false".
      - matchRegex:
          path: data['dragent.yaml']
          pattern: |
            sysdig_capture_enabled: false
        template: templates/configmap.yaml
15 |
--------------------------------------------------------------------------------
/charts/agent/tests/clusterrolebinding-cluster-monitoring-view-not-exist_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite for the optional cluster-monitoring-view binding.
# NOTE(review): the test title says "monitoring.openshift.io/v1 is supported",
# but the only capability advertised below is security.openshift.io/v1.
# Confirm which API group the template keys on: if it is
# monitoring.openshift.io/v1, this test passes for the wrong reason (the
# capability is simply absent) and does not exercise the "ClusterRole does
# not exist" branch at all.
suite: Agent Cluster Role Binding cluster-monitoring-view (not exist)
templates:
  - templates/clusterrolebinding-cluster-monitoring-view.yaml
tests:
  - it: Does not create the ClusterRoleBinding if the ClusterRole does not exist and monitoring.openshift.io/v1 is supported
    capabilities:
      apiVersions:
        - security.openshift.io/v1
    asserts:
      - hasDocuments:
          count: 0
12 |
--------------------------------------------------------------------------------
/charts/agent/tests/dns_policy_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite for the DaemonSet's dnsPolicy.
# The template path has no "templates/" prefix, unlike the other suites in
# this chart; helm-unittest resolves both forms, but keeping them consistent
# makes the suites easier to grep.
suite: Test setting DNS Policy
templates:
  - daemonset.yaml
# A fake Node is registered so a template that `lookup`s nodes (e.g. to read
# the OS image) can render without a live cluster.
kubernetesProvider:
  scheme:
    "v1/Node":
      gvr:
        version: "v1"
        resource: "nodes"
      namespaced: false
  objects:
    - apiVersion: v1
      kind: Node
      metadata:
        name: fakenode
      status:
        nodeInfo:
          osImage: fake-os-image
tests:
  # ClusterFirstWithHostNet is only meaningful for hostNetwork pods, which
  # suggests the DaemonSet sets hostNetwork: true — confirm in daemonset.yaml.
  # A plain ClusterFirst default would make such pods skip cluster DNS.
  - it: Checking default dnsPolicy
    asserts:
      - equal:
          path: spec.template.spec.dnsPolicy
          value: ClusterFirstWithHostNet

  - it: Checking setting different dnsPolicy
    set:
      dnsPolicy: ClusterFirst
    asserts:
      - equal:
          path: spec.template.spec.dnsPolicy
          value: ClusterFirst
33 |
--------------------------------------------------------------------------------
/charts/agent/tests/prometheus_file_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite: with prometheus.file=true the user-supplied
# prometheus.yaml map is written verbatim into the DaemonSet ConfigMap, and
# is NOT written into the delegated-agent Deployment ConfigMap.
suite: Test Prometheus file injection
templates:
  - templates/configmap.yaml
  - templates/configmap-deployment.yaml
tests:
  - it: Check customizing Prometheus parameters
    set:
      prometheus:
        file: true
        yaml:
          custom: content
          is: here
    asserts:
      - isKind:
          of: ConfigMap
      # Exact match, including key order and trailing newline.
      - equal:
          path: data['prometheus.yaml']
          value: |
            custom: content
            is: here
        template: configmap.yaml

  - it: Check customizing Prometheus parameters in Delegated Agent mode
    set:
      delegatedAgentDeployment:
        enabled: true
      prometheus:
        file: true
        yaml:
          custom: content
          is: here
    asserts:
      - isKind:
          of: ConfigMap
      - isNull:
          path: data['prometheus.yaml']
        template: configmap-deployment.yaml
38 |
--------------------------------------------------------------------------------
/charts/agent/tests/test_test.yaml:
--------------------------------------------------------------------------------
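# helm-unittest suite for the `helm test` rollout pod: it is rendered by
# default and suppressed when tests.skip is true.
# (Test names corrected: "deafult" -> "default", "test are" -> "tests are".)
suite: Test Agent tests
templates:
  - tests/test-rollout.yaml

tests:
  - it: "Check that tests are executed by default"
    asserts:
      - hasDocuments:
          count: 1
      - isKind:
          of: Pod

  - it: "Check that tests are not included when skip is set"
    set:
      tests:
        skip: true
    asserts:
      - hasDocuments:
          count: 0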
20 |
--------------------------------------------------------------------------------
/charts/cloud-bench/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: cloud-bench
3 | description: Sysdig Cloud Bench
4 |
5 | type: application
6 | version: 0.3.0
7 | appVersion: 0.1.0
8 | home: https://sysdig.com
9 | icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png
10 |
11 | maintainers:
12 | - name: yathi-sysdig
13 | email: yathindra.naik@sysdig.com
14 | - name: airadier
15 | email: alvaro.iradier@sysdig.com
16 |
--------------------------------------------------------------------------------
/charts/cloud-bench/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170))
5 |
6 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cloud-bench-0.2.3...cloud-bench-0.3.0
7 |
--------------------------------------------------------------------------------
/charts/cloud-bench/ci/required-values.yaml.template:
--------------------------------------------------------------------------------
# Chart-CI values only. The AWS keys are dummy placeholders that satisfy the
# `required` checks in templates/secret.yaml; ${SECURE_API_TOKEN} is
# substituted by the pipeline. Never commit a rendered copy of this file.
aws:
  access_key_id: foo
  secret_access_key: bar
  region: us-east-1
sysdig:
  secureApiToken: ${SECURE_API_TOKEN}
7 |
--------------------------------------------------------------------------------
/charts/cloud-bench/templates/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Non-secret runtime configuration for cloud-bench, mounted as cloud-bench.yaml.
Credentials are kept in templates/secret.yaml; do not add keys carrying tokens
or cloud credentials here, a ConfigMap is readable by anyone with ConfigMap
access in the namespace.
NOTE(review): the "bechmarkType" key is spelled that way (sic). It is
presumably what the cloud-bench binary reads, so do not "fix" the spelling
here without changing the consumer in the same release.
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cloud-bench.fullname" . }}
  labels:
    {{- include "cloud-bench.labels" . | nindent 4 }}
data:
  cloud-bench.yaml: |
    secureURL: {{ toYaml .Values.secureURL }}
    logLevel: {{ toYaml .Values.logLevel }}
    schedule: {{ toYaml .Values.schedule }}
    bechmarkType: {{ toYaml .Values.benchmarkType }}
    outputDir: {{ toYaml .Values.outputDir }}
    policyFile: {{ toYaml .Values.policyFile }}
15 |
--------------------------------------------------------------------------------
/charts/cloud-bench/templates/hpa.yaml:
--------------------------------------------------------------------------------
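{{- if .Values.autoscaling.enabled }}
{{- /*
HorizontalPodAutoscaler for the cloud-bench Deployment, rendered only when
autoscaling.enabled is true.
autoscaling/v2beta1 was removed in Kubernetes 1.25, so the chart uses
autoscaling/v2 whenever the target cluster (or the capability list Helm uses
for an offline `helm template`) advertises it, and falls back to v2beta1 only
for older clusters. The two versions spell the utilization target differently
(v2: target.averageUtilization, v2beta1: targetAverageUtilization), which is
why each metric block is templated twice.
A metric is emitted only when its target percentage is set and non-zero.
*/}}
{{- $useV2 := .Capabilities.APIVersions.Has "autoscaling/v2" }}
apiVersion: {{ if $useV2 }}autoscaling/v2{{ else }}autoscaling/v2beta1{{ end }}
kind: HorizontalPodAutoscaler
metadata:
  name: {{ include "cloud-bench.fullname" . }}
  labels:
    {{- include "cloud-bench.labels" . | nindent 4 }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ include "cloud-bench.fullname" . }}
  minReplicas: {{ .Values.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        {{- if $useV2 }}
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
        {{- else }}
        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
        {{- end }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        {{- if $useV2 }}
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
        {{- else }}
        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
        {{- end }}
    {{- end }}
{{- end }}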
29 |
--------------------------------------------------------------------------------
/charts/cloud-bench/templates/secret.yaml:
--------------------------------------------------------------------------------
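{{- if not .Values.existingSecretName }}
{{- /*
Secret with the AWS credentials and the Sysdig Secure API token used by
cloud-bench. Skipped entirely when existingSecretName names a Secret managed
outside the chart — the preferred option, because values passed here are also
persisted in the Helm release history and are visible via `helm get values`.
These are long-lived static AWS keys: scope the IAM principal to the read-only
permissions the benchmark needs and rotate the keys regularly.
Every field is `required`, so a missing value aborts the render instead of
producing a Secret with an empty credential that only fails later, at
runtime, with a far less obvious error. (secure_api_token previously lacked
this check, unlike the sibling cloud-scanning chart.)
*/}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "cloud-bench.fullname" . }}
  labels:
    {{- include "cloud-bench.labels" . | nindent 4 }}
type: Opaque
data:
  aws_access_key_id: {{ required "A valid .Values.aws.access_key_id is required" .Values.aws.access_key_id | b64enc | quote }}
  aws_secret_access_key: {{ required "A valid .Values.aws.secret_access_key is required" .Values.aws.secret_access_key | b64enc | quote }}
  aws_region: {{ required "A valid .Values.aws.region is required" .Values.aws.region | b64enc | quote }}
  secure_api_token: {{ required "A valid .Values.sysdig.secureApiToken is required" .Values.sysdig.secureApiToken | b64enc | quote }}
{{- end }}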
15 |
--------------------------------------------------------------------------------
/charts/cloud-bench/templates/service.yaml:
--------------------------------------------------------------------------------
{{- /*
Service exposing the cloud-bench container port named "http" on
service.port; the `helm test` pod fetches /health through it.
NOTE(review): service.type is taken straight from values. Anything other than
ClusterIP (NodePort, LoadBalancer) publishes this endpoint outside the
cluster; nothing in the chart adds authentication in front of it.
*/}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "cloud-bench.fullname" . }}
  labels:
    {{- include "cloud-bench.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "cloud-bench.selectorLabels" . | nindent 4 }}
16 |
--------------------------------------------------------------------------------
/charts/cloud-bench/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
{{- /*
ServiceAccount for the cloud-bench pods, created only when
serviceAccount.create is true. serviceAccount.annotations is the hook for
cloud workload identity (e.g. eks.amazonaws.com/role-arn), which — if the
image's AWS SDK honours the default credential chain — avoids storing static
keys in templates/secret.yaml at all; confirm with the application docs.
*/}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cloud-bench.serviceAccountName" . }}
  labels:
    {{- include "cloud-bench.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
13 |
--------------------------------------------------------------------------------
/charts/cloud-bench/templates/tests/test-connection.yaml:
--------------------------------------------------------------------------------
{{- /*
`helm test` hook: a throwaway pod that fetches /health from the chart's
Service over plain HTTP inside the cluster.
NOTE(review): "test-success" is the deprecated alias of the "test" hook;
Helm 3 still honours it, but "test" is the documented value.
NOTE(review): "busybox" is an unpinned Docker Hub tag, so every run may pull
a different image and is subject to Docker Hub pull limits; pin a tag or
digest (and mirror it where the cluster cannot reach Docker Hub).
*/}}
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "cloud-bench.fullname" . }}-test-connection"
  labels:
    {{- include "cloud-bench.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['{{ include "cloud-bench.fullname" . }}:{{ .Values.service.port }}/health']
  restartPolicy: Never
16 |
--------------------------------------------------------------------------------
/charts/cloud-connector/.helmignore:
--------------------------------------------------------------------------------
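# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Unittests and CI (kept out of the packaged chart, as cluster-scanner does).
# ci/ holds value templates with credential placeholders; excluding it means
# a pipeline that renders them in place can never ship the result in the .tgz.
ci/
tests/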
24 |
--------------------------------------------------------------------------------
/charts/cloud-connector/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: cloud-connector
3 | description: Sysdig Cloud Connector
4 |
5 | type: application
6 | version: 0.8.8
7 | appVersion: 0.16.48
8 | home: https://sysdiglabs.github.io/cloud-connector
9 |
10 | maintainers:
11 | - name: sysdiglabs
12 |
--------------------------------------------------------------------------------
/charts/cloud-connector/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **sysdig-deploy** [49fe006f](https://github.com/sysdiglabs/charts/commit/49fe006fb0ff206c7b566a45bfa5f71713d5ad0a): Add prerequisite information on the chart ([#1468](https://github.com/sysdiglabs/charts/issues/1468))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cloud-connector-0.8.7...cloud-connector-0.8.8
6 |
--------------------------------------------------------------------------------
/charts/cloud-connector/ci/required-values.yaml.template:
--------------------------------------------------------------------------------
# Chart-CI values only; ${SECURE_API_TOKEN} is substituted by the pipeline.
# Never commit a rendered copy of this file.
sysdig:
  secureAPIToken: ${SECURE_API_TOKEN}
3 |
--------------------------------------------------------------------------------
/charts/cloud-connector/doc.yaml:
--------------------------------------------------------------------------------
1 | project:
2 | name: Cloud Connector
3 | shortName: Cloud Connector
4 | url: https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/
5 | description: |
6 | This chart deploys Sysdig Cloud Connector on your Kubernetes cluster, enabling Threat Detection and Image Scanning for the AWS, GCP, and Azure Cloud providers.
7 | app: the Sysdig Cloud Connector
8 | repository:
9 | url: https://charts.sysdig.com
10 | name: sysdig
11 | chart:
12 | name: cloud-connector
13 | # version: v0.9.0-rc.0
14 | # values: "-- generate from values file --"
15 | valuesExample: "sysdig.secureAPIToken="
16 | prerequisites:
17 | - "Helm v3.6"
18 | - "Sysdig Secure API Token"
19 |
20 | release:
21 | name: cloud-connector
22 | namespace: cloud-connector
23 |
--------------------------------------------------------------------------------
/charts/cloud-connector/templates/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Runtime configuration for the Cloud Connector, mounted as cloud-connector.yaml.
logging is fixed at "info" here rather than exposed as a value.
rules, ingestors and scanners are copied verbatim from values into this
ConfigMap. NOTE(review): if any ingestor or scanner definition carries
credentials (queue URLs with embedded tokens, registry passwords, ...) they
become readable by anyone with ConfigMap access in the namespace; such fields
belong in a Secret referenced from the Deployment instead.
bruteForceDetection presumably treats `maximumTries` failures within
`duration` as one brute-force event; the matching logic lives in the
connector, not in this chart.
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cloud-connector.fullname" . }}
  labels:
    {{- include "cloud-connector.labels" . | nindent 4 }}
data:
  cloud-connector.yaml: |
    logging: info
    bruteForceDetection:
      enabled: {{ .Values.bruteForceDetection.enabled }}
      duration: {{ .Values.bruteForceDetection.duration }}
      maximumTries: {{ .Values.bruteForceDetection.maximumTries }}
    rules:
{{ toYaml .Values.rules | indent 6 }}
    ingestors:
{{ toYaml .Values.ingestors | indent 6 }}
    scanners:
{{ toYaml .Values.scanners | indent 6 }}
20 |
--------------------------------------------------------------------------------
/charts/cloud-connector/templates/service.yaml:
--------------------------------------------------------------------------------
{{- /*
Service exposing the Cloud Connector's "http" container port on service.port;
the `helm test` pod fetches /health through it. service.labels lets callers
add labels (e.g. for a ServiceMonitor) without touching the chart.
NOTE(review): service.type is taken straight from values. Anything other than
ClusterIP publishes this endpoint outside the cluster, and the chart adds no
authentication in front of it.
*/}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "cloud-connector.fullname" . }}
  labels:
    {{- include "cloud-connector.labels" . | nindent 4 }}
    {{- with .Values.service.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "cloud-connector.selectorLabels" . | nindent 4 }}
19 |
--------------------------------------------------------------------------------
/charts/cloud-connector/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
{{- /*
ServiceAccount for the Cloud Connector pods, created only when
serviceAccount.create is true. serviceAccount.annotations is the hook for
cloud workload identity (IRSA, GKE Workload Identity, Azure workload
identity), the preferred alternative to static cloud keys in values.
*/}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cloud-connector.serviceAccountName" . }}
  labels:
    {{- include "cloud-connector.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
13 |
--------------------------------------------------------------------------------
/charts/cloud-connector/templates/tests/test-connection.yaml:
--------------------------------------------------------------------------------
{{- /*
`helm test` hook: a throwaway pod that fetches /health from the chart's
Service over plain HTTP inside the cluster.
NOTE(review): "test-success" is the deprecated alias of the "test" hook;
Helm 3 still honours it, but "test" is the documented value.
NOTE(review): "busybox" is an unpinned Docker Hub tag, so every run may pull
a different image and is subject to Docker Hub pull limits; pin a tag or
digest (and mirror it where the cluster cannot reach Docker Hub).
*/}}
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "cloud-connector.fullname" . }}-test-connection"
  labels:
    {{- include "cloud-connector.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['{{ include "cloud-connector.fullname" . }}:{{ .Values.service.port }}/health']
  restartPolicy: Never
16 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/.helmignore:
--------------------------------------------------------------------------------
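# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Unittests and CI (kept out of the packaged chart, as cluster-scanner does).
# ci/ holds value templates with credential placeholders; excluding it means
# a pipeline that renders them in place can never ship the result in the .tgz.
ci/
tests/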
24 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: cloud-scanning
3 | description: Sysdig Cloud Scanning
4 |
5 | type: application
6 | version: 0.4.1
7 | appVersion: 0.11.3
8 | home: https://sysdiglabs.github.io/cloud-connector
9 |
10 | maintainers:
11 | - name: airadier
12 | email: alvaro.iradier@sysdig.com
13 | - name: nestorsalceda
14 | email: nestor.salceda@sysdig.com
15 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cloud-scanning-0.4.0...cloud-scanning-0.4.1
4 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/ci/required-values.yaml.template:
--------------------------------------------------------------------------------
# Chart-CI values only; ${SECURE_API_TOKEN} is substituted by the pipeline.
# Never commit a rendered copy of this file.
sysdig:
  secureAPIToken: ${SECURE_API_TOKEN}

# NOTE(review): "master" is a floating tag, so CI exercises whatever was
# pushed last rather than the appVersion in Chart.yaml; failures will not be
# reproducible and a compromised push would be picked up silently. Prefer
# the pinned appVersion (or a digest) here.
image:
  tag: master
6 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/templates/secret.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.existingSecretName }}
{{- /*
Secret holding the cloud credentials and the Sysdig Secure API token for
Cloud Scanning. Skipped when existingSecretName names a Secret managed
outside the chart — preferred, since values passed here are also stored in
the Helm release history and shown by `helm get values`.
Only secure_api_token is `required`; the AWS and GCP fields are optional
because a deployment normally targets a single provider. They are piped
straight into b64enc, so values.yaml must define them as (possibly empty)
strings — a key that is absent altogether would render as nil and fail the
template. values.yaml is not in view; confirm the defaults there.
NOTE(review): these are long-lived static credentials. Prefer workload
identity through the ServiceAccount annotations where the scanner's cloud
SDK supports it, and scope any static key to read-only scanning permissions.
*/}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "cloud-scanning.fullname" . }}
  labels:
    {{- include "cloud-scanning.labels" . | nindent 4 }}
type: Opaque
data:
  aws_access_key_id: {{ .Values.aws.accessKeyId | b64enc | quote }}
  aws_secret_access_key: {{ .Values.aws.secretAccessKey | b64enc | quote }}
  aws_region: {{ .Values.aws.region | b64enc | quote }}
  gcp_credentials: {{ .Values.gcpCredentials | b64enc | quote }}
  secure_api_token: {{ required "value 'sysdig.secureAPIToken' is required, but is not set" .Values.sysdig.secureAPIToken | b64enc | quote }}
{{- end }}
16 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/templates/service.yaml:
--------------------------------------------------------------------------------
{{- /*
Service exposing the Cloud Scanning "http" container port on service.port;
the `helm test` pod fetches /health through it.
NOTE(review): service.type is taken straight from values. Anything other than
ClusterIP publishes this endpoint outside the cluster, and the chart adds no
authentication in front of it.
*/}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "cloud-scanning.fullname" . }}
  labels:
    {{- include "cloud-scanning.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "cloud-scanning.selectorLabels" . | nindent 4 }}
16 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
{{- /*
ServiceAccount for the Cloud Scanning pods, created only when
serviceAccount.create is true. serviceAccount.annotations is the hook for
cloud workload identity (IRSA, GKE Workload Identity), the preferred
alternative to the static keys in templates/secret.yaml.
*/}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cloud-scanning.serviceAccountName" . }}
  labels:
    {{- include "cloud-scanning.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
13 |
--------------------------------------------------------------------------------
/charts/cloud-scanning/templates/tests/test-connection.yaml:
--------------------------------------------------------------------------------
{{- /*
`helm test` hook: a throwaway pod that fetches /health from the chart's
Service over plain HTTP inside the cluster.
NOTE(review): "test-success" is the deprecated alias of the "test" hook;
Helm 3 still honours it, but "test" is the documented value.
NOTE(review): "busybox" is an unpinned Docker Hub tag, so every run may pull
a different image and is subject to Docker Hub pull limits; pin a tag or
digest (and mirror it where the cluster cannot reach Docker Hub).
*/}}
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "cloud-scanning.fullname" . }}-test-connection"
  labels:
    {{- include "cloud-scanning.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['{{ include "cloud-scanning.fullname" . }}:{{ .Values.service.port }}/health']
  restartPolicy: Never
16 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 | # Unittests and CI
25 | ci/
26 | tests/
27 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: cluster-scanner
3 | description: Sysdig Cluster Scanner
4 |
5 | type: application
6 | version: 0.14.2
7 | appVersion: "0.1.0"
8 | home: https://www.sysdig.com/
9 |
10 | maintainers:
11 | - name: sysdiglabs
12 | dependencies:
13 | - name: common
14 | # repository: https://charts.sysdig.com
15 | repository: file://../common
16 | version: ~1.3.1
17 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/Makefile:
--------------------------------------------------------------------------------
1 | .PHONY: test
2 | test:
3 | helm unittest .
4 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### Chores
4 | - **cluster-scanner** [58b07db7](https://github.com/sysdiglabs/charts/commit/58b07db717d86d676979717da0018e9479d5f929): Update cluster scanner to v0.9.3 ([#1880](https://github.com/sysdiglabs/charts/issues/1880))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-scanner-0.14.1...cluster-scanner-0.14.2
6 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
# Chart-CI values only; ${SECURE_AGENT_TOKEN} is substituted by the pipeline
# into the global access key shared with the other Sysdig charts. Never commit
# a rendered copy of this file.
global:
  clusterConfig:
    name: "test-cluster"
  sysdig:
    accessKey: ${SECURE_AGENT_TOKEN}
6 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/doc.yaml:
--------------------------------------------------------------------------------
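# Metadata consumed by the README generator for this chart.
# chart.name must be the chart being documented; it previously said
# "admission-controller" (copy-paste from that chart), which would have
# produced install instructions pointing users at the wrong chart.
project:
  name: Sysdig Cluster Scanner
  shortName: Cluster Scanner
  url: https://docs.sysdig.com/en/docs/sysdig-secure/scanning
  description: This chart deploys the Sysdig Cluster Scanner in your Kubernetes cluster.
  app: the Sysdig Cluster Scanner
repository:
  url: https://charts.sysdig.com
  name: sysdig
chart:
  name: cluster-scanner
  prerequisites:
    - "Helm 3.6"
    - "Sysdig AccessKey"

release:
  name: cluster-scanner
  namespace: sysdig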
19 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | The Cluster Scanner component is being executed.
2 |
3 | It consists of the Runtime Status Integrator and Image Sbom Extractor components.
4 |
5 | After successful installation you can access the Cluster Scanner features as follows:
6 |
7 | Log in to Sysdig Secure (at the URL: {{- if (not (or (hasPrefix "https://" (include "cluster-scanner.apiHost" .)) (hasPrefix "http://" (include "cluster-scanner.apiHost" .)))) -}}https://{{- end -}}{{ include "cluster-scanner.apiHost" . }}) and check that the features are working as expected.
8 | 1. Select Scanning > Image Results.
9 | 2. Check for scanned container image results that originate with the Sysdig Cluster Scanner.
10 |
11 | Please note that the first results will be available at least 15 minutes after Cluster Scanner has started.
12 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- /*
Cluster-wide, read-only permissions for the Cluster Scanner; both the Runtime
Status Integrator and the Image SBOM Extractor run under the ServiceAccount
this role is bound to.
NOTE(review): "secrets" with get/list/watch in every namespace is the
sensitive grant here. A compromise of this ServiceAccount (or of any pod
running as it) can read every Secret in the cluster, not only image-pull
secrets. It is presumably needed to resolve imagePullSecrets for private
registries; if a deployment only scans public images, consider dropping the
resource or moving it to a namespace-scoped Role. tests/clusterrole_test.yaml
pins this exact rule set, so any widening has to be deliberate.
"nodes" and "namespaces" only exist in the core ("") group; listing them
alongside apps/batch/extensions is harmless but matches nothing there.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cluster-scanner.fullname" . }}
rules:
  - apiGroups: ["", "apps", "batch", "extensions"]
    resources:
      - "deployments"
      - "replicasets"
      - "daemonsets"
      - "statefulsets"
      - "pods"
      - "cronjobs"
      - "jobs"
      - "nodes"
      - "namespaces"
      - "secrets"
    verbs: ["get", "list", "watch"]
19 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
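{{- /*
Binds the cluster-wide read ClusterRole to the Cluster Scanner's
ServiceAccount. The subject namespace is resolved with the same
"cluster-scanner.namespace" helper that templates/serviceaccount.yaml and
templates/rolebinding.yaml use, so the binding always targets the account the
chart actually creates. Using .Release.Namespace here (as before) would
silently bind a non-existent account whenever that helper resolves somewhere
else, leaving the scanner without its cluster permissions. With default
values the helper yields the release namespace (tests/rolebinding_test.yaml
relies on that), so the rendered output is unchanged for existing users.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cluster-scanner.fullname" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cluster-scanner.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ include "cluster-scanner.namespace" . }}
    name: {{ include "cluster-scanner.serviceAccountName" . }}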
13 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/registrymirror.yaml:
--------------------------------------------------------------------------------
{{- if .Values.imageSbomExtractor.mirrors -}}
{{- /*
Docker daemon.json fragment, presumably mounted into the Image SBOM Extractor
so image pulls go through the configured mirrors. Rendered only when
imageSbomExtractor.mirrors is set; `default list` keeps the JSON valid ([])
when either sub-key is omitted.
NOTE(review): every host in insecureRegistries is contacted over plain HTTP
or with TLS verification disabled, so image content (and any registry
credentials sent to that host) can be tampered with or captured on the wire.
Prefer registryMirrors backed by a trusted CA and keep insecureRegistries
empty outside isolated lab environments.
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
  namespace: {{ include "cluster-scanner.namespace" . }}
  labels:
    {{- include "cluster-scanner.labels" . | nindent 4 }}
data:
  daemon.json: |-
    {
      "registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }},
      "insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }}
    }
{{- end -}}
16 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/role.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespace-scoped permissions for the Cluster Scanner in its own namespace.
- Leader election: full control of one named Lease (resourceNames) plus a
  separate "create" rule, because create cannot be limited by resourceName
  (the object does not exist yet). The "" entry for leases is inert: Leases
  live only in coordination.k8s.io.
- Endpoints: read all of them, but write only the Endpoints object behind
  this chart's selector-less Service (see templates/service.yaml). Write
  access to Endpoints lets the holder redirect that Service's traffic, which
  is why it is pinned to a single name — do not widen it. endpoints/restricted
  is needed on OpenShift, as the inline comment notes.
NOTE(review): apiGroups: ["*"] on the endpoints rules is broader than
necessary; Endpoints live in the core ("") group. It does not pull in
EndpointSlices (a different resource name), so the practical exposure is
small, but "" would state the intent precisely.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "cluster-scanner.fullname" . }}
  namespace: {{ include "cluster-scanner.namespace" . }}
rules:
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    resourceNames:
      - {{ .Values.runtimeStatusIntegrator.leaderElectionLeaseNameOverride | default (include "cluster-scanner.fullname" .) }}
    verbs: ["*"]
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    verbs: ["create"]
  - apiGroups: ["*"]
    resources:
      - "endpoints"
    verbs: ["get", "watch", "list"]
  - apiGroups: ["*"]
    resources:
      - "endpoints"
      # Following is required for OpenShift. See https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/pods_and_services.html#endpoints
      - "endpoints/restricted"
    resourceNames:
      - {{ include "cluster-scanner.fullname" . }}
    verbs: ["*"]
29 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/rolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
Binds the namespace-scoped Role (leases + the chart's own Endpoints) to the
Cluster Scanner's ServiceAccount. Both the binding and the subject use the
"cluster-scanner.namespace" helper, matching templates/serviceaccount.yaml.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cluster-scanner.fullname" . }}
  namespace: {{ include "cluster-scanner.namespace" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "cluster-scanner.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ include "cluster-scanner.namespace" . }}
    name: {{ include "cluster-scanner.serviceAccountName" . }}
14 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/service.yaml:
--------------------------------------------------------------------------------
{{- /*
ClusterIP Service for the Cluster Scanner's NATS (4222) and gRPC (9999)
ports. It deliberately has no selector: the Runtime Status Integrator manages
the matching Endpoints object itself, which is why templates/role.yaml grants
Endpoints write access scoped to exactly this name.
NOTE(review): whoever can write that Endpoints object decides where these two
ports resolve, so keep the Role's resourceNames restriction intact. The chart
itself does not encrypt or authenticate the NATS/gRPC traffic; whether the
components do so at the application layer is not visible here.
*/}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "cluster-scanner.fullname" . }}
  namespace: {{ include "cluster-scanner.namespace" . }}
  labels:
    {{- include "cluster-scanner.labels" . | nindent 4 }}
spec:
  type: ClusterIP
  ports:
    - port: 4222
      targetPort: 4222
      protocol: TCP
      name: nats
    - port: 9999
      targetPort: 9999
      protocol: TCP
      name: grpc
  # NOTE: selector is intentionally left empty, the RSI component will implement a controller to handle the Endpoints resource associated with this service
20 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
{{- /*
ServiceAccount shared by the Cluster Scanner components, created only when
serviceAccount.create is true. It receives the cluster-wide read ClusterRole
(including Secrets) and the namespace Role, so treat any annotation-based
cloud identity attached here as equally privileged.
*/}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cluster-scanner.serviceAccountName" . }}
  namespace: {{ include "cluster-scanner.namespace" . }}
  labels:
    {{- include "cluster-scanner.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
14 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/tests/clusterrole_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite pinning the Cluster Scanner's ClusterRole.
# The rule set below is the chart's full cluster-wide permission surface
# (note the read access to "secrets"); a failing assertion here means the
# permissions changed and the change must be reviewed deliberately.
suite: deployment
templates:
  - ../templates/clusterrole.yaml
values:
  - ../values.yaml
release:
  name: test-release
  namespace: test-ns

tests:
  - it: "generates correct ClusterRole"
    asserts:
      - equal:
          path: metadata.name
          value: test-release-cluster-scanner
      # isSubset would also pass if extra keys were added to rules[0];
      # verbs and resources are still compared as whole lists.
      - isSubset:
          path: rules[0]
          content:
            apiGroups: ["", "apps", "batch", "extensions"]
            resources:
              - "deployments"
              - "replicasets"
              - "daemonsets"
              - "statefulsets"
              - "pods"
              - "cronjobs"
              - "jobs"
              - "nodes"
              - "namespaces"
              - "secrets"
            verbs: ["get", "list", "watch"]
32 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/tests/clusterrolebinding_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite for the ClusterRoleBinding: with default values the
# subject must be the chart's ServiceAccount in the release namespace.
suite: deployment
templates:
  - ../templates/clusterrolebinding.yaml
values:
  - ../values.yaml
release:
  name: test-release
  namespace: test-ns

tests:
  - it: "generates correct ClusterRoleBinding"
    asserts:
      - equal:
          path: metadata.name
          value: test-release-cluster-scanner
      - equal:
          path: roleRef.name
          value: test-release-cluster-scanner
      - equal:
          path: subjects[0].namespace
          value: test-ns
      - equal:
          path: subjects[0].name
          value: test-release-cluster-scanner
      - equal:
          path: subjects[0].kind
          value: ServiceAccount
28 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/tests/rolebinding_test.yaml:
--------------------------------------------------------------------------------
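# helm-unittest suite for the cluster-scanner RoleBinding (namespaced
# permissions). The suite label previously read "deployment", a copy-paste
# leftover; it now names the resource under test so failures are attributed
# correctly in reports. roleRef.kind is deliberately not asserted: a
# RoleBinding may legitimately reference either a Role or a ClusterRole.
suite: rolebinding
templates:
  - ../templates/rolebinding.yaml
values:
  - ../values.yaml
release:
  name: test-release
  namespace: test-ns

tests:
  - it: "generates correct RoleBinding"
    asserts:
      - equal:
          path: metadata.name
          value: test-release-cluster-scanner
      - equal:
          path: metadata.namespace
          value: test-ns
      - equal:
          path: roleRef.name
          value: test-release-cluster-scanner
      - equal:
          path: subjects[0].namespace
          value: test-ns
      - equal:
          path: subjects[0].name
          value: test-release-cluster-scanner
      - equal:
          path: subjects[0].kind
          value: ServiceAccount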
31 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/tests/service_test.yaml:
--------------------------------------------------------------------------------
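# helm-unittest suite for the cluster-scanner Service.
suite: service
templates:
  - ../templates/service.yaml
values:
  - ../values.yaml
release:
  name: test-release
  namespace: test-ns

tests:
  # The Service intentionally carries no selector: its Endpoints are managed
  # out of band rather than by label matching (cf. the note in the
  # cluster-shield service template), so a selector appearing here would be a
  # regression.
  - it: "has no selector"
    asserts:
      - isNull:
          path: spec.selector

  - it: "has correct name and namespace"
    asserts:
      - equal:
          path: metadata.name
          value: test-release-cluster-scanner
      - equal:
          path: metadata.namespace
          value: test-ns

  # Uses the real values path (global.sysdig.accessKey, as in
  # tests/values.required.yaml); the previous "global.sysdigAccessKey" does not
  # appear to be a key this chart reads, so the test exercised nothing.
  - it: "generates a service resource"
    set:
      global.sysdig.accessKey: "secret"
    asserts:
      - isKind:
          of: Service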
31 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/tests/serviceaccount_test.yaml:
--------------------------------------------------------------------------------
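# helm-unittest suite for the cluster-scanner ServiceAccount.
suite: serviceaccount
templates:
  - ../templates/serviceaccount.yaml
values:
  - ../values.yaml
release:
  name: test-release
  namespace: test-ns

tests:
  - it: "has correct name and namespace"
    asserts:
      - equal:
          path: metadata.name
          value: test-release-cluster-scanner
      - equal:
          path: metadata.namespace
          value: test-ns

  # Uses the real values path (global.sysdig.accessKey, as in
  # tests/values.required.yaml); the previous "global.sysdigAccessKey" does not
  # appear to be a key this chart reads, so the test exercised nothing.
  - it: "generates a serviceaccount resource"
    set:
      global.sysdig.accessKey: "secret"
    asserts:
      - isKind:
          of: ServiceAccount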
26 |
--------------------------------------------------------------------------------
/charts/cluster-scanner/tests/values.required.yaml:
--------------------------------------------------------------------------------
1 | global:
2 | sysdig:
3 | accessKey: "testkey"
4 |
--------------------------------------------------------------------------------
/charts/cluster-shield/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Chart-development inputs (CI values, unit-test suites) not needed at install
# time and kept out of the published package.
ci/
# NOTE(review): Helm matches a slash-less pattern against basenames at any
# depth, so "tests/" would also exclude a templates/tests/ directory (helm test
# hooks). None is visible in this chart today; anchor as "/tests/" if one is
# added.
tests/
26 |
--------------------------------------------------------------------------------
/charts/cluster-shield/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: cluster-shield
3 | description: Cluster Shield Helm Chart for Kubernetes
4 | type: application
5 | version: 1.11.0
6 | appVersion: "1.11.0"
7 | maintainers:
8 | - name: AlbertoBarba
9 | email: alberto.barba@sysdig.com
10 | - name: aroberts87
11 | email: adam.roberts@sysdig.com
12 | - name: francesco-furlan
13 | email: francesco.furlan@sysdig.com
14 | - name: iurly
15 | email: gerlando.falauto@sysdig.com
16 | - name: mavimo
17 | email: marcovito.moscaritolo@sysdig.com
18 |
--------------------------------------------------------------------------------
/charts/cluster-shield/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### Chores
4 | - **cluster-shield** [8df60680](https://github.com/sysdiglabs/charts/commit/8df60680c6ca6888277c60efbdac2fa2532f2810): Automatic bump to version 1.10.0 ([#2208](https://github.com/sysdiglabs/charts/issues/2208))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-shield-1.9.1...cluster-shield-1.10.0
6 |
--------------------------------------------------------------------------------
/charts/cluster-shield/ci/base-values.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | cluster_shield:
3 | cluster_config:
4 | name: "lint-cluster"
5 | sysdig_endpoint:
6 | access_key: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
7 | api_url: "https://www.example.org"
8 | collector: "example.com:6443"
9 |
--------------------------------------------------------------------------------
/charts/cluster-shield/ci/existing_secrets-values.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | global:
3 | sysdig:
4 | accessKeySecret: "a-fake-secret-name"
5 | cluster_shield:
6 | cluster_config:
7 | name: "lint-cluster"
8 | sysdig_endpoint:
9 | api_url: "https://www.example.org"
10 | collector: "example.com:6443"
11 |
--------------------------------------------------------------------------------
/charts/cluster-shield/ci/region-values.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | cluster_shield:
3 | cluster_config:
4 | name: "lint-cluster"
5 | sysdig_endpoint:
6 | access_key: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
7 | region: "us1"
8 |
--------------------------------------------------------------------------------
/charts/cluster-shield/doc.yaml:
--------------------------------------------------------------------------------
1 | project:
2 | name: Sysdig Cluster Shield
3 | shortName: Cluster Shield
4 | url: https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/cluster-shield/
5 | description: This chart deploys the Sysdig Cluster Shield in your Kubernetes cluster.
6 | app: the Sysdig Cluster Shield
7 | repository:
8 | url: https://charts.sysdig.com
9 | name: sysdig
10 | chart:
11 | name: cluster-shield
12 | prerequisites:
13 | - "Helm 3.6"
14 | - "Sysdig AccessKey"
15 | - "Sysdig Secure API Token"
16 | - "Sysdig Secure API URL"
17 | - "Sysdig Secure Collector"
18 |
19 | release:
20 | name: sysdig-cluster-shield
21 | namespace: sysdig-agent
22 |
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
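{{- /*
Binds the chart's ClusterRole to the cluster-shield ServiceAccount -- the
cluster-wide grant of this release (the namespaced companion is
rolebinding.yaml). The subject namespace is .Release.Namespace, matching where
serviceaccount.yaml creates the account.
Labels were previously missing on the RBAC objects only; they are added for
consistency with configmap/service/serviceaccount so the binding can be found
and cleaned up with the usual app.kubernetes.io/instance selectors.
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cluster-shield.fullname" . }}
  labels:
    {{- include "cluster-shield.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cluster-shield.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ include "cluster-shield.serviceAccountName" . }}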
13 |
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
ConfigMap carrying the cluster-shield runtime configuration as a single
cluster-shield.yaml file, produced by the "cluster-shield.configMap" helper.
Review note: values allow the access key inline
(cluster_shield.sysdig_endpoint.access_key, see ci/base-values.yaml) as well as
via a pre-existing Secret (global.sysdig.accessKeySecret, see
ci/existing_secrets-values.yaml). Whether the helper strips the inline key out
of this ConfigMap is not visible from this template -- TODO(review): confirm
the key is never rendered here, since ConfigMaps are typically far more widely
readable than Secrets.
*/ -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cluster-shield.configmapName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster-shield.labels" . | nindent 4 }}
data:
  cluster-shield.yaml: |
    {{- include "cluster-shield.configMap" . | nindent 4 }}
11 |
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/priorityclass.yaml:
--------------------------------------------------------------------------------
{{- /*
Optional PriorityClass (createPriorityClass), intended to keep the shield
scheduled under node pressure. priorityClassValue sets the weight; globalDefault
is false so other workloads are unaffected; PreemptLowerPriority lets the
scheduler evict lower-priority Pods to place the shield -- a deliberate
trade-off for a security agent, so raise the value with care on shared clusters.
*/ -}}
{{- if .Values.createPriorityClass }}
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: {{ include "cluster-shield.priorityClassName" . }}
value: {{ .Values.priorityClassValue }}
preemptionPolicy: PreemptLowerPriority
globalDefault: false
description: "Sysdig cluster-shield priority"
{{- end }}
11 |
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/role.yaml:
--------------------------------------------------------------------------------
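{{- /*
Namespaced Role for cluster-shield. Rules are only emitted when container
vulnerability management is enabled (helper
"cluster-shield.containerVulnerabilityManagementEnabled"); otherwise the Role
renders with no rules and the RoleBinding grants nothing.
Least-privilege notes:
  * Leases: full verbs only on the single named leader-election lease. "create"
    cannot be restricted by resourceNames, so it is granted separately and
    unscoped (the lease does not exist before the first create).
  * Endpoints: read on all endpoints in the namespace; full verbs only on the
    Endpoints object of the selector-less cluster-scanner Service, which the
    workload populates itself (see service-cluster-scanner.yaml). Endpoints --
    and the OpenShift endpoints/restricted subresource -- live in the core API
    group, so apiGroups is pinned to "" instead of the previous wildcard "*",
    which would also have matched an identically named resource served by any
    other API group.
Labels are added for consistency with the non-RBAC templates of this chart.
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "cluster-shield.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster-shield.labels" . | nindent 4 }}
rules:
{{- if eq "true" (include "cluster-shield.containerVulnerabilityManagementEnabled" .) }}
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    resourceNames:
      - {{ include "cluster-shield.clusterScannerLockName" . }}
    verbs: ["*"]
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    verbs: ["create"]
  - apiGroups: [""]
    resources:
      - "endpoints"
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources:
      - "endpoints"
      # Following is required for OpenShift. See https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/pods_and_services.html#endpoints
      - "endpoints/restricted"
    resourceNames:
      - {{ include "cluster-shield.clusterScannerServiceName" . }}
    verbs: ["*"]
{{- end }}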
31 |
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/rolebinding.yaml:
--------------------------------------------------------------------------------
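{{- /*
Binds the namespaced Role (role.yaml) to the cluster-shield ServiceAccount in
the release namespace. Labels are added for consistency with the non-RBAC
templates of this chart so the binding is selectable by
app.kubernetes.io/instance like every other object of the release.
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cluster-shield.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster-shield.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "cluster-shield.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ include "cluster-shield.serviceAccountName" . }}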
14 |
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/service-cluster-scanner.yaml:
--------------------------------------------------------------------------------
{{- /*
ClusterIP Service for the embedded cluster-scanner (NATS on 4222, gRPC on 9999).
It has no selector on purpose: the RSI controller writes the Endpoints object
itself (see the NOTE at the bottom and the endpoints rules in role.yaml).
Security implication: with no selector, whoever can write this Service's
Endpoints decides where 4222/9999 traffic goes. role.yaml scopes that write to
the one named Endpoints object; keep any other "endpoints" write access in this
namespace tightly restricted.
*/ -}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "cluster-shield.clusterScannerServiceName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster-shield.labels" . | nindent 4 }}
    {{- with .Values.service.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if .Values.service.annotations }}
  annotations:
    {{- toYaml .Values.service.annotations | nindent 4 }}
  {{- end }}
spec:
  type: ClusterIP
  ports:
    - port: 4222
      targetPort: 4222
      protocol: TCP
      name: nats
    - port: 9999
      targetPort: 9999
      protocol: TCP
      name: grpc
  # NOTE: selector is intentionally left empty, the RSI component will implement a controller to handle the Endpoints resource associated with this service
27 |
--------------------------------------------------------------------------------
/charts/cluster-shield/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for cluster-shield, created only when serviceAccount.create is
true (the RBAC bindings reference "cluster-shield.serviceAccountName" either
way, so with create=false that account must already exist). Extra labels and
annotations from values are passed through verbatim; annotations are the usual
hook for cloud IAM / workload-identity bindings, which this template cannot
verify.
*/ -}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cluster-shield.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster-shield.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
17 |
--------------------------------------------------------------------------------
/charts/cluster-shield/tests/serviceaccount_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite for the cluster-shield ServiceAccount template, run with
# the CI base values (placeholder access key, example endpoints).
suite: Test ServiceAccount
templates:
  - templates/serviceaccount.yaml
values:
  - ../ci/base-values.yaml
release:
  name: shield-release
  namespace: shield-namespace
tests:
  # Default: exactly one ServiceAccount named <release>-cluster-shield.
  - it: Test default
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          apiVersion: v1
          kind: ServiceAccount
          name: shield-release-cluster-shield

  # serviceAccount.name overrides the generated name.
  - it: Test with custom service account name
    set:
      serviceAccount:
        name: "custom-service-account"
    asserts:
      - hasDocuments:
          count: 1
      - containsDocument:
          apiVersion: v1
          kind: ServiceAccount
          name: custom-service-account

  # serviceAccount.create=false must render nothing (an existing account is
  # expected to be bound instead).
  - it: Test with disabled creation
    set:
      serviceAccount:
        create: false
    asserts:
      - hasDocuments:
          count: 0
38 |
--------------------------------------------------------------------------------
/charts/common/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 |
--------------------------------------------------------------------------------
/charts/common/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **common,admission-controller,agent,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [07abc204](https://github.com/sysdiglabs/charts/commit/07abc204fd61e4692b48cf36babf0eecae6d154b): Add support for the in1 region ([#1847](https://github.com/sysdiglabs/charts/issues/1847))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/common-1.3.0...common-1.3.1
6 |
--------------------------------------------------------------------------------
/charts/common/templates/_agent_tags.tpl:
--------------------------------------------------------------------------------
1 | {{/*
2 | Flatten tags dict recursively
3 | */}}
4 | {{- define "dict.flatten" -}}
5 | {{- $map := first . -}}
6 | {{- $label := last . -}}
7 | {{- $fields := list -}}
8 | {{- range $key, $val := $map -}}
9 | {{- $sublabel := list $label $key | join "." -}}
10 | {{- if $label | eq "" -}}
11 | {{ $sublabel = $key }}
12 | {{- end -}}
13 | {{- if kindOf $val | eq "map" -}}
14 | {{- $fields = (list $val $sublabel | include "dict.flatten") | append $fields }}
15 | {{- else -}}
16 | {{- $fields = (printf "%s:%s" $sublabel $val) | append $fields -}}
17 | {{- end -}}
18 | {{- end -}}
19 | {{- join "," $fields -}}
20 | {{- end -}}
21 |
22 | {{/*
23 | Use global sysdig tags for agent
24 | */}}
25 | {{- define "agent.tags" -}}
26 | {{- if .Values.global.sysdig.tags -}}
27 | {{- $args := list .Values.global.sysdig.tags ""}}
28 | {{- include "dict.flatten" $args }}
29 | {{- end -}}
30 | {{- end -}}
31 |
--------------------------------------------------------------------------------
/charts/common/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysdiglabs/charts/cc4dfaf1fd453649b6e2f2ef1ad58996efe05010/charts/common/values.yaml
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/.helmignore:
--------------------------------------------------------------------------------
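# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# CI-only inputs. ci/ holds a values template with a ${SECURE_API_TOKEN}
# placeholder that CI fills in; keep the directory (and anything rendered into
# it) out of the published chart package.
ci/
# Do NOT add a bare "tests/" here: Helm matches slash-less patterns against
# basenames at any depth, so it would also drop templates/tests/ (the helm test
# hook). Anchor with a leading slash ("/tests/") if a top-level tests dir is
# ever added.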
24 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: harbor-scanner-sysdig-secure
3 | description: Harbor Scanner for Sysdig Secure
4 | type: application
5 | version: 0.9.0
6 | appVersion: 0.8.0
7 | home: https://github.com/sysdiglabs/harbor-scanner-sysdig-secure
8 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
9 | maintainers:
10 | - name: aaronm-sysdig
11 | email: aaron.miles@sysdig.com
12 | - name: Jujuyeh
13 | email: paul.hodgetts@sysdig.com
14 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **harbor-scanner-sysdig-secure** [79e4c75a](https://github.com/sysdiglabs/charts/commit/79e4c75a2b891425fe63ca98707798fdb6983d53): Pump Harbor scanner version ([#1751](https://github.com/sysdiglabs/charts/issues/1751)) ([#1752](https://github.com/sysdiglabs/charts/issues/1752))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/harbor-scanner-sysdig-secure-0.5.1...harbor-scanner-sysdig-secure-0.8.0
6 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/ci/required-values.yaml.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | secure:
3 | apiToken: ${SECURE_API_TOKEN}
4 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | 1. Get the application URL by running these commands:
2 |
3 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "harbor-scanner-sysdig-secure.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
4 | echo "Visit http://127.0.0.1:5000 to use your application"
5 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 5000:5000
6 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/configmap.yaml:
--------------------------------------------------------------------------------
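{{- /*
Non-secret adapter settings. Both values are quoted so they always render as
YAML strings: an unquoted, empty sysdig.secure.url would otherwise become a
YAML null and surface as a confusing runtime error rather than an obviously
missing URL (quoting does not change the parsed value of a non-empty URL).
The API token deliberately lives in secret.yaml, not here.
*/ -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
data:
  sysdig_secure_url: {{ .Values.sysdig.secure.url | quote }}
  async_mode_enabled: {{ .Values.asyncMode.enabled | quote }}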
10 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/role.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced Role for the Harbor scanner adapter (rendered when rbac.create is
true; rolebinding.yaml binds it to the chart ServiceAccount).
Security review notes:
  * get/list/watch on Secrets cannot be narrowed with resourceNames, so this
    grants read access to EVERY Secret in the release namespace, plus the
    ability to create new ones. Install the adapter into a dedicated namespace
    that holds nothing but this release.
  * create/delete on batch Jobs lets the ServiceAccount launch Pods in the
    namespace; such Pods can mount any Secret and run as any ServiceAccount of
    that namespace, and pods/log read exposes whatever they print.
  * Which of these verbs the adapter actually exercises (e.g. "watch" on
    Secrets) is not visible from this template -- TODO(review): confirm against
    the adapter's code before tightening.
*/ -}}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - list
{{- end -}}
37 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/rolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
Binds role.yaml to the chart ServiceAccount. Neither this object nor the Role
sets metadata.namespace, so both land in the release namespace, which is also
the subject namespace used here -- consistent as long as all three stay that
way. With rbac.create=false the ServiceAccount has no permissions unless bound
by something outside this chart.
*/ -}}
{{- if .Values.rbac.create }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "harbor-scanner-sysdig-secure.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
17 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Secret holding the Sysdig Secure API token for the adapter. Rendered only when
sysdig.secure.apiToken is set; when it is empty no Secret is created and the
workload is presumably expected to reference a pre-existing one (the
Deployment is not part of this file -- TODO(review): confirm).
Because of the outer "if", the "required" below can never fire; it survives
only as an explicit statement of intent.
Operational note: a token passed via --set/values is also persisted in the
Helm release Secret in this namespace, so anyone able to read Secrets there can
recover it. Pre-creating the Secret out of band avoids that copy.
*/ -}}
{{- if .Values.sysdig.secure.apiToken }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
type: Opaque
data:
  sysdig_secure_api_token: {{ required "A valid .Values.sysdig.secure.apiToken is required" .Values.sysdig.secure.apiToken | b64enc | quote }}
{{- end }}
12 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/service.yaml:
--------------------------------------------------------------------------------
{{- /*
Service fronting the adapter's "http" container port (the Deployment defining
it is not part of this file). Harbor reaches the adapter over plain HTTP on
this address (see the wget /health check in templates/tests and NOTES.txt), so
keep service.type at ClusterIP unless Harbor runs outside the cluster:
NodePort/LoadBalancer would expose the adapter API beyond the cluster network.
TODO(review): confirm what authentication the adapter itself enforces before
changing the type.
*/ -}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "harbor-scanner-sysdig-secure.fullname" . }}
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "harbor-scanner-sysdig-secure.selectorLabels" . | nindent 4 }}
16 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for the adapter, created only when serviceAccount.create is
true; rolebinding.yaml binds "harbor-scanner-sysdig-secure.serviceAccountName"
regardless, so with create=false that account must already exist in the
release namespace. Annotations from values are passed through verbatim.
*/ -}}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "harbor-scanner-sysdig-secure.serviceAccountName" . }}
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end -}}
13 |
--------------------------------------------------------------------------------
/charts/harbor-scanner-sysdig-secure/templates/tests/test-connection.yaml:
--------------------------------------------------------------------------------
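{{- /*
`helm test` hook: a throwaway busybox Pod that fetches /health from the adapter
Service over plain HTTP and succeeds when wget exits 0.
Changes: the hook annotation now uses "test" -- "test-success" is the
deprecated Helm 2 spelling, and the kspm-collector test hook in this repo
already uses "test". The delete policy mirrors that hook too, so a passing Pod
is cleaned up and a stale one from an earlier run is replaced; a failing Pod
is kept for inspection.
TODO(review): the image is an unpinned "busybox" from Docker Hub (floating
tag). Pin it to a tag or digest, ideally mirrored in a registry you control, so
`helm test` does not depend on whatever "latest" resolves to.
*/ -}}
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "harbor-scanner-sysdig-secure.fullname" . }}-test-connection"
  labels:
    {{- include "harbor-scanner-sysdig-secure.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['{{ include "harbor-scanner-sysdig-secure.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}/health']
  restartPolicy: Never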
16 |
--------------------------------------------------------------------------------
/charts/kspm-collector/.helmignore:
--------------------------------------------------------------------------------
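# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Development-only inputs, not needed at install time. ci/ holds a values
# template with a ${SECURE_AGENT_TOKEN} placeholder that CI fills in, and
# tests/ holds helm-unittest suites; neither belongs in the published package.
ci/
# Anchored with a leading slash on purpose: Helm matches slash-less patterns
# against basenames at any depth, and a bare "tests/" would also drop
# templates/tests/test-rollout.yaml, the helm test hook.
/tests/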
24 |
--------------------------------------------------------------------------------
/charts/kspm-collector/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: kspm-collector
3 | description: Sysdig KSPM collector
4 | version: 0.18.0
5 | appVersion: 1.39.12
6 | keywords:
7 | - monitoring
8 | - security
9 | - alerting
10 | - metric
11 | - troubleshooting
12 | - run-time
13 | home: https://www.sysdig.com/
14 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
15 | sources:
16 | - https://app.sysdigcloud.com/#/settings/user
17 | - https://github.com/draios/sysdig
18 | maintainers:
19 | - name: chen-shmilovich-sysdig
20 | email: chen.shmilovich@sysdig.com
21 | dependencies:
22 | - name: common
23 | # repository: https://charts.sysdig.com
24 | repository: file://../common
25 | version: ~1.3.1
26 |
--------------------------------------------------------------------------------
/charts/kspm-collector/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | #### Full diff: https://github.com/sysdiglabs/charts/compare/kspm-collector-0.17.9...kspm-collector-0.18.0
4 |
--------------------------------------------------------------------------------
/charts/kspm-collector/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | accessKey: ${SECURE_AGENT_TOKEN}
3 | apiEndpoint: secure.sysdig.com
4 | clusterName: test
5 |
--------------------------------------------------------------------------------
/charts/kspm-collector/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
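{{- /*
ClusterRoleBinding granting the chart ClusterRole to the collector's
ServiceAccount (rendered when rbac.create is true).
Two corrections versus the previous version:
  * It is now also gated on global.kspm.deploy, the same switch that gates
    serviceaccount.yaml. Previously, with deploy=false and rbac.create=true the
    binding was still created but pointed at a ServiceAccount that does not
    exist -- a dangling cluster-wide grant that would silently attach to any
    ServiceAccount later created under that name in that namespace.
  * The subject namespace uses the "kspmCollector.namespace" helper, like the
    ServiceAccount and Role do; with .Release.Namespace the binding would break
    as soon as that helper's result differed from the release namespace.
The former single-operand "and" was a no-op.
*/ -}}
{{- if and .Values.rbac.create .Values.global.kspm.deploy }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "kspmCollector.fullname" .}}
  labels:
{{ include "kspmCollector.labels" . | indent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ template "kspmCollector.serviceAccountName" .}}
    namespace: {{ include "kspmCollector.namespace" . }}
roleRef:
  kind: ClusterRole
  name: {{ template "kspmCollector.fullname" .}}
  apiGroup: rbac.authorization.k8s.io
{{- end }}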
17 |
--------------------------------------------------------------------------------
/charts/kspm-collector/templates/psp.yaml:
--------------------------------------------------------------------------------
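{{- /*
PodSecurityPolicy for the collector, rendered only when psp.create is true AND
the cluster is older than 1.25 (PSP was removed in 1.25; on newer clusters the
equivalent guard rails come from Pod Security Admission namespace labels).
The previous version set metadata.namespace; PodSecurityPolicy is
cluster-scoped, so the field was ignored, and it is removed here to avoid
suggesting otherwise.
What this policy guarantees: no privileged containers, no host IPC/PID/network
namespaces, no added capabilities, and only ephemeral/config volume types.
TODO(review) -- what it does NOT constrain, and candidates for hardening if the
collector tolerates them (not verifiable from this chart): runAsUser is
RunAsAny (MustRunAsNonRoot would be stricter), allowPrivilegeEscalation is
left at its default of true, requiredDropCapabilities is unset and
readOnlyRootFilesystem is not required.
*/ -}}
{{- if and .Values.psp.create (include "kspmCollector.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "kspmCollector.fullname" . }}
spec:
  allowedCapabilities: []
  fsGroup:
    rule: RunAsAny
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - emptyDir
    - secret
    - configMap
    - downwardAPI
{{- end }}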
27 |
--------------------------------------------------------------------------------
/charts/kspm-collector/templates/role.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced Role for the collector (rbac.create). Rules are only needed when the
transport layer resolves to "http": leader election via a coordination Lease.
Full verbs are limited to the single named lease; "create" cannot be scoped by
resourceNames, so it is granted separately and unscoped (the lease does not
exist before the first create). With any other transport the Role renders with
an empty rule set and the RoleBinding grants nothing in this namespace.
*/ -}}
{{- if .Values.rbac.create }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "kspmCollector.fullname" . }}
  namespace: {{ include "kspmCollector.namespace" . }}
  labels:
{{ include "kspmCollector.labels" . | indent 4 }}
rules:
{{- if eq (include "kspmCollector.transportLayer" .) "http" }}
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    resourceNames:
      - {{ include "kspmCollector.leaderElectionLeaseLockName" . }}
    verbs: ["*"]
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    verbs: ["create"]
{{- end }}
{{- end }}
23 |
--------------------------------------------------------------------------------
/charts/kspm-collector/templates/rolebinding.yaml:
--------------------------------------------------------------------------------
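{{- /*
Binds role.yaml to the collector's ServiceAccount.
Corrections versus the previous version:
  * metadata.namespace is set explicitly via the "kspmCollector.namespace"
    helper, the same helper role.yaml and serviceaccount.yaml use. Without it
    the binding landed in .Release.Namespace, and a RoleBinding can only
    reference a Role in its own namespace -- so the binding would have been
    invalid whenever that helper's result differed from the release namespace.
    The subject namespace is aligned for the same reason.
  * Gated on global.kspm.deploy like serviceaccount.yaml, so no binding is left
    pointing at a ServiceAccount that was never created.
The former single-operand "and" was a no-op.
*/ -}}
{{- if and .Values.rbac.create .Values.global.kspm.deploy }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "kspmCollector.fullname" .}}
  namespace: {{ include "kspmCollector.namespace" . }}
  labels:
{{ include "kspmCollector.labels" . | indent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ template "kspmCollector.serviceAccountName" .}}
    namespace: {{ include "kspmCollector.namespace" . }}
roleRef:
  kind: Role
  name: {{ template "kspmCollector.fullname" .}}
  apiGroup: rbac.authorization.k8s.io
{{- end }}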
17 |
--------------------------------------------------------------------------------
/charts/kspm-collector/templates/secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Credentials for the collector, as up to two Secret documents.
1) Access-key Secret: rendered only when the "kspmCollector.accessKeySecret"
   helper resolves to nothing, i.e. the user did not point the chart at an
   existing Secret. When a pre-existing Secret name is supplied this document
   is skipped entirely and the key never passes through Helm.
   Note: an access key given via values/--set is also stored in the Helm
   release Secret in this namespace; pointing at a pre-created Secret is the
   safer path.
2) Custom-CA Secret: rendered when the common chart's custom_ca helper reports
   a CA configured from the global and component ssl settings. The certificate
   is resolved through the common subchart's Files, so a file-based CA must be
   shipped with that subchart.
*/ -}}
{{- if not ( include "kspmCollector.accessKeySecret" . ) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "kspmCollector.fullname" . }}
  namespace: {{ include "kspmCollector.namespace" . }}
  labels:
{{ include "kspmCollector.labels" . | indent 4 }}
type: Opaque
data:
  access-key: {{ include "kspmCollector.accessKey" . | b64enc | quote }}
{{- end }}
{{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "kspmCollector.fullname" . }}-ca
  namespace: {{ include "kspmCollector.namespace" . }}
  labels:
{{ include "kspmCollector.labels" . | indent 4 }}
data:
  {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
{{- end }}
26 |
--------------------------------------------------------------------------------
/charts/kspm-collector/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for the collector. Created only when both serviceAccount.create
and global.kspm.deploy are true; when creation is disabled the
"kspmCollector.serviceAccountName" helper is expected to point at an account
managed elsewhere (the RBAC bindings reference that name either way).
The namespace comes from the "kspmCollector.namespace" helper, so the account
may land somewhere other than .Release.Namespace if that helper is overridden.
*/ -}}
{{- if and .Values.serviceAccount.create .Values.global.kspm.deploy }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "kspmCollector.serviceAccountName" .}}
  namespace: {{ include "kspmCollector.namespace" . }}
  labels:
{{ include "kspmCollector.labels" . | indent 4 }}
{{- end }}
10 |
--------------------------------------------------------------------------------
/charts/kspm-collector/templates/tests/test-rollout.yaml:
--------------------------------------------------------------------------------
{{- /*
`helm test` hook that waits for the collector Deployment to finish rolling out
(kubectl rollout status with the configured timeout). Skipped when tests.skip
is true. The delete policy replaces a Pod left over from an earlier run and
removes a passing one; a failing Pod is kept for inspection.
Security note (review): the Pod runs under the collector's own ServiceAccount
and thereby inherits the collector's cluster-wide RBAC, while it only needs
read access to one Deployment in this namespace. A dedicated minimal
ServiceAccount for the hook would be the least-privilege choice -- TODO:
confirm what the ClusterRole (not part of this file) covers before changing.
The kubectl image is taken from tests.image.repo/tag; keep it pinned.
*/ -}}
{{- if not .Values.tests.skip }}
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "kspmCollector.fullname" . }}-test-rollout"
  namespace: {{ include "kspmCollector.namespace" . }}
  labels:
    helm.sh/chart: {{ include "kspmCollector.chart" . }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  annotations:
    "helm.sh/hook": test
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  serviceAccountName: {{ include "kspmCollector.serviceAccountName" . }}
  containers:
    - name: kubectl
      image: {{ .Values.tests.image.repo }}:{{ .Values.tests.image.tag }}
      imagePullPolicy: IfNotPresent
      command:
        - kubectl
      args:
        - rollout
        - status
        - deployment/{{ include "kspmCollector.fullname" . }}
        - -n
        - {{ include "kspmCollector.namespace" . }}
        - -w
        - --timeout={{ .Values.tests.timeout }}
  restartPolicy: Never
{{- end }}
32 |
--------------------------------------------------------------------------------
/charts/kspm-collector/tests/cert_validation_test.yaml:
--------------------------------------------------------------------------------
# Checks that the configmap's nats_insecure flag follows the
# sslVerifyCertificate setting: the default renders "false" (verification on),
# and an explicit global opt-out renders "true". nats_insecure "true"
# presumably makes the collector accept any server certificate on its NATS
# connection, so the first case is the one guarding the secure default.
suite: KSPM Collector Skip certificate tests
templates:
  - templates/configmap.yaml
tests:
  - it: "SSL certificate validation enabled"
    set:
      clusterName: "test"
      global:
        kspm:
          deploy: true
    templates:
      - templates/configmap.yaml
    asserts:
      - equal:
          path: data.nats_insecure
          value: "false"

  - it: "Global SSL certificate validation disabled"
    set:
      clusterName: "test"
      global:
        kspm:
          deploy: true
        sslVerifyCertificate: false
    templates:
      - templates/configmap.yaml
    asserts:
      - equal:
          path: data.nats_insecure
          value: "true"

  # NOTE(review): this case is identical to the previous one (it also sets
  # global.sslVerifyCertificate), so the chart-local override is never
  # exercised. It was presumably meant to set the component-level key outside
  # "global" — confirm the key name in values.yaml and adjust.
  - it: "SSL certificate validation disabled"
    set:
      clusterName: "test"
      global:
        kspm:
          deploy: true
        sslVerifyCertificate: false
    templates:
      - templates/configmap.yaml
    asserts:
      - equal:
          path: data.nats_insecure
          value: "true"
--------------------------------------------------------------------------------
/charts/kspm-collector/tests/conditional_flag_test.yaml:
--------------------------------------------------------------------------------
# The ServiceAccount template is gated on global.kspm.deploy (and
# serviceAccount.create, which is left at its default here); this suite only
# confirms the positive path renders a ServiceAccount document.
suite: Test conditional flags and its dependent changes
templates:
  - serviceaccount.yaml
tests:
  - it: check global kspm deploy
    set:
      global:
        kspm:
          deploy: true
      clusterName: test-cluster
    asserts:
      - containsDocument:
          kind: ServiceAccount
          apiVersion: v1
15 |
--------------------------------------------------------------------------------
/charts/kspm-collector/tests/deployment_envvars_test.yaml:
--------------------------------------------------------------------------------
# Ensures the collector container learns its own pod name through the
# downward API (metadata.name) rather than a hard-coded value. The JSONPath
# filter selects the container named "kspm-collector" so a sidecar would not
# satisfy the assertion by accident. The access key is a placeholder.
suite: KSPM Collector Deployment Env Var Tests
templates:
  - deployment.yaml
tests:
  - it: check that KUBE_POD_NAME is set with the name of the pod
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    asserts:
      - contains:
          path: spec.template.spec.containers[?(@.name=="kspm-collector")].env
          content:
            name: KUBE_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
17 |
--------------------------------------------------------------------------------
/charts/kspm-collector/tests/golden_template_test.yaml:
--------------------------------------------------------------------------------
# Smoke test for a plain install: with only the two required inputs (a
# placeholder access key and a cluster name) the chart must render the
# Deployment and ConfigMap, and the ConfigMap must carry the cluster name
# verbatim.
suite: Testing pre-generated values and best-known edge cases
templates:
  - deployment.yaml
  - configmap.yaml
tests:
  - it: check normal install testcase
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
      clusterName: test-k8s
    asserts:
      - containsDocument:
          kind: Deployment
          apiVersion: apps/v1
        template: deployment.yaml
      - containsDocument:
          kind: ConfigMap
          apiVersion: v1
        template: configmap.yaml
      - equal:
          path: data.cluster_name
          value: test-k8s
        template: configmap.yaml
24 |
--------------------------------------------------------------------------------
/charts/kspm-collector/tests/test_test.yaml:
--------------------------------------------------------------------------------
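# Covers the helm test hook (templates/tests/test-rollout.yaml): it must be
# rendered as a single Pod by default and disappear entirely when tests.skip
# is set. Fix: corrected the "deafult" typo in the first case's description.
suite: Test KSPM Collector tests
templates:
  - tests/test-rollout.yaml

tests:
  - it: "Check that test are executed by default"
    asserts:
      - hasDocuments:
          count: 1
      - isKind:
          of: Pod

  - it: "Check that test are not included when skip is set"
    set:
      tests:
        skip: true
    asserts:
      - hasDocuments:
          count: 0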
20 |
--------------------------------------------------------------------------------
/charts/node-analyzer/.helmignore:
--------------------------------------------------------------------------------
# Keep the helm-unittest suites out of the packaged chart; they are CI-only.
/tests/
2 |
--------------------------------------------------------------------------------
/charts/node-analyzer/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: node-analyzer
description: Sysdig Node Analyzer
# NOTE(review): the comment previously here claimed to match "appVersion
# 1.14.34", which does not agree with the appVersion below; keep version and
# appVersion in step with the image tags in values.yaml when bumping.
version: 1.35.7
appVersion: 12.9.2
keywords:
  - monitoring
  - security
  - alerting
  - metric
  - troubleshooting
  - run-time
home: https://www.sysdig.com/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
sources:
  - https://app.sysdigcloud.com/#/settings/user
  - https://github.com/draios/sysdig
maintainers:
  - name: chen-shmilovich-sysdig
    email: chen.shmilovich@sysdig.com
  - name: sysdiglabs
dependencies:
  - name: common
    # repository: https://charts.sysdig.com
    # Local path so the in-repo common chart is used for development and CI;
    # the published package presumably resolves it from the Sysdig repo above.
    repository: file://../common
    version: ~1.3.1
28 |
--------------------------------------------------------------------------------
/charts/node-analyzer/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### Chores
4 | - **node-analyzer** [a2e0be9d](https://github.com/sysdiglabs/charts/commit/a2e0be9d672f2d0cb284b56fbc0af7321fc2560e): bump sysdig/vuln-runtime-scanner to v1.8.3 ([#2266](https://github.com/sysdiglabs/charts/issues/2266))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/node-analyzer-1.35.6...node-analyzer-1.35.7
6 |
--------------------------------------------------------------------------------
/charts/node-analyzer/ci/test-values-new-runtime.yaml.template:
--------------------------------------------------------------------------------
# CI values: the agent token is substituted from the SECURE_AGENT_TOKEN
# environment variable at test time (never commit a real key here). Enables
# the runtime and host scanners and disables the benchmark runner.
sysdig:
  accessKey: ${SECURE_AGENT_TOKEN}
nodeAnalyzer:
  apiEndpoint: secure.sysdig.com
  runtimeScanner:
    deploy: true
  hostScanner:
    deploy: true
  benchmarkRunner:
    deploy: false
11 |
--------------------------------------------------------------------------------
/charts/node-analyzer/ci/test-values-ssl.yaml.template:
--------------------------------------------------------------------------------
# CI values exercising the sslVerifyCertificate=false path. Disabling TLS
# verification lets the analyzer talk to an endpoint presenting any
# certificate — acceptable in this throwaway CI run only; do not copy into
# production values. Token comes from the SECURE_AGENT_TOKEN env var.
sysdig:
  accessKey: ${SECURE_AGENT_TOKEN}
nodeAnalyzer:
  apiEndpoint: secure.sysdig.com
  sslVerifyCertificate: false
  benchmarkRunner:
    deploy: false
8 |
--------------------------------------------------------------------------------
/charts/node-analyzer/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
# Baseline CI values: default analyzer components against the SaaS endpoint,
# benchmark runner off. The agent token is injected from SECURE_AGENT_TOKEN.
sysdig:
  accessKey: ${SECURE_AGENT_TOKEN}
nodeAnalyzer:
  apiEndpoint: secure.sysdig.com
  benchmarkRunner:
    deploy: false
7 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/clusterrolebinding-node-analyzer.yaml:
--------------------------------------------------------------------------------
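{{- /*
Binds the node-analyzer ServiceAccount to the release-scoped ClusterRole of
the same name. Skipped on GKE Autopilot and when rbac.create is off.

Fix: the subject namespace now uses the "nodeAnalyzer.namespace" helper —
the same helper serviceaccount-node-analyzer.yaml uses to place the
ServiceAccount. It was hard-wired to .Release.Namespace before, so a
namespace override would bind a non-existent account and, worse, grant the
cluster role to any same-named account later created in the release
namespace. The helper is expected to fall back to .Release.Namespace, in
which case this is a no-op for existing installs.
*/}}
{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
{{- if and (include "deploy-na" .) .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-node-analyzer
  labels:
{{ include "nodeAnalyzer.labels" . | indent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "nodeAnalyzer.serviceAccountName" . }}
    namespace: {{ include "nodeAnalyzer.namespace" . }}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-node-analyzer
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}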
19 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/priorityclass.yaml:
--------------------------------------------------------------------------------
{{- /*
Optional PriorityClass for the node-analyzer DaemonSet. Both the name and the
numeric value must be supplied when createPriorityClass is on (the `required`
calls fail the render otherwise). A PriorityClass is cluster-scoped and
shared by name, so a high value here lets these pods preempt lower-priority
workloads on every node — size the value deliberately. globalDefault is
false, so unrelated pods are not affected.
*/}}
{{- if .Values.nodeAnalyzer.createPriorityClass }}
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: {{ required "priorityClassName is required when specifying createPriorityClass" .Values.nodeAnalyzer.priorityClassName }}
value: {{ required "priorityClassValue is required when specifying createPriorityClass" .Values.nodeAnalyzer.priorityClassValue }}
preemptionPolicy: PreemptLowerPriority
globalDefault: false
description: "Sysdig Node Analyzer DaemonSet PriorityClass"
{{- end }}
11 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/psp.yaml:
--------------------------------------------------------------------------------
{{- /*
PodSecurityPolicy for the node-analyzer DaemonSet. Rendered only when
psp.create is set AND the cluster is older than 1.25 (PSP was removed in
1.25), and never on GKE Autopilot (which rejects privileged workloads).

This policy is deliberately maximal — privileged containers, every
capability, host PID/IPC/network namespaces, any host port, any volume type,
any user/SELinux/fsGroup — because the analyzer inspects the node itself.
Consequences:
- Any subject allowed to "use" this PSP can run fully privileged pods, so
  keep the `use` grant for it limited to the analyzer's own ServiceAccount
  (that ClusterRole lives outside this file).
- On 1.25+ the equivalent control is Pod Security Admission: the analyzer
  namespace needs the `privileged` level, which switches off pod hardening
  for that whole namespace — keep it dedicated to the agent.
Minor: PSP is cluster-scoped, so `namespace:` below is ignored by the API
server; and valid host ports end at 65535 (65536 is outside the TCP/UDP
range, harmless here).
*/}}
{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
{{- if and .Values.psp.create (include "nodeAnalyzer.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ .Release.Name }}-node-analyzer
  namespace: {{ include "nodeAnalyzer.namespace" . }}
spec:
  allowedCapabilities:
    - '*'
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
    - max: 65536
      min: 1
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
{{- end }}
{{- end }}
30 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/role-node-analyzer.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced Role for the node-analyzer. Its only rules support leader election
of the KSPM analyzer over HTTP transport (global.kspm.deploy AND
kspmAnalyzer.transportLayer == "http"); with any other configuration the Role
renders with empty rules.

Review notes:
- Rule 1 grants every verb on the single Lease "kspm-analyzer-leader-election".
  Leader election normally needs get/create/update; confirm the analyzer's
  actual verb set before narrowing the wildcard.
- Rule 2 grants `create` on all Leases in the namespace. That is unavoidable:
  Kubernetes cannot restrict create by resourceNames, because the object's
  name is not known at authorization time.
- Leases exist only in coordination.k8s.io; the "" (core) apiGroup entry is
  redundant and can be removed without effect.
*/}}
{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
{{- if and (include "deploy-na" .) .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-node-analyzer
  namespace: {{ include "nodeAnalyzer.namespace" . }}
  labels:
{{ include "nodeAnalyzer.labels" . | indent 4 }}
rules:
{{- if and .Values.global.kspm.deploy (eq .Values.nodeAnalyzer.kspmAnalyzer.transportLayer "http") }}
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    resourceNames:
      - "kspm-analyzer-leader-election"
    verbs: ["*"]
  - apiGroups: ["", "coordination.k8s.io"]
    resources:
      - "leases"
    verbs: ["create"]
{{- end }}
{{- end }}
{{- end }}
25 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/rolebinding-node-analyzer.yaml:
--------------------------------------------------------------------------------
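{{- /*
Binds the node-analyzer ServiceAccount to the namespaced Role of the same
release-scoped name. Skipped on GKE Autopilot and when rbac.create is off.

Fix: the binding now carries `metadata.namespace` and the subject namespace
from the "nodeAnalyzer.namespace" helper. role-node-analyzer.yaml creates
the Role in that namespace and serviceaccount-node-analyzer.yaml creates the
account there, but this RoleBinding had no namespace (so it landed in the
release namespace) and pointed its subject at .Release.Namespace. A
RoleBinding can only reference a Role in its own namespace, so with a
namespace override the binding silently granted nothing. The helper is
expected to fall back to .Release.Namespace, making this a no-op for
existing installs.
*/}}
{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
{{- if and (include "deploy-na" .) .Values.rbac.create }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-node-analyzer
  namespace: {{ include "nodeAnalyzer.namespace" . }}
  labels:
{{ include "nodeAnalyzer.labels" . | indent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "nodeAnalyzer.serviceAccountName" . }}
    namespace: {{ include "nodeAnalyzer.namespace" . }}
roleRef:
  kind: Role
  name: {{ .Release.Name }}-node-analyzer
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}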
19 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/runtimeScanner/eveconnector-api-service.yaml:
--------------------------------------------------------------------------------
{{- /*
ClusterIP Service in front of the eveconnector, rendered only when the
analyzer is deployed, the runtime scanner (or new-engine-only mode) is on,
eveConnector.deploy is set, and the target is not GKE Autopilot.

Exposes port 443 and forwards to container port 7000. The port number alone
does not imply TLS — confirm the eveconnector listener on 7000 actually
terminates TLS before relying on the 443 convention. The selector matches on
name and release instance, so two releases in one namespace stay separate.
*/}}
{{- if and .Values.nodeAnalyzer.deploy (not (include "nodeAnalyzer.gke.autopilot" .)) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "nodeAnalyzer.fullname" . }}-eveconnector
  namespace: {{ include "nodeAnalyzer.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "nodeAnalyzer.name" . }}-eveconnector
{{ include "nodeAnalyzer.labels" . | indent 4 }}
spec:
  selector:
    app.kubernetes.io/name: {{ include "nodeAnalyzer.name" . }}-eveconnector
    app.kubernetes.io/instance: {{ .Release.Name }}
  ports:
    - protocol: TCP
      port: 443
      targetPort: 7000
{{- end }}
19 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/secrets.yaml:
--------------------------------------------------------------------------------
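{{- /*
Secrets for the node-analyzer.

Access-key Secret — skipped on GKE Autopilot and whenever the operator
supplies a pre-existing Secret via "nodeAnalyzer.accessKeySecret" (the
preferable production setup: the key then never enters the release
manifest). b64enc is an encoding, not protection; restrict Secret read
access in this namespace accordingly.

Custom-CA Secret — rendered when "sysdig.custom_ca.useValues" says the CA
comes from values, for either the global or the nodeAnalyzer ssl section.
Note it is NOT behind the Autopilot guard, unlike the access-key Secret;
confirm that asymmetry is intended. The bundle is integrity-sensitive: a
writer of this Secret can make the analyzer trust an arbitrary CA.

Change: explicit `type: Opaque` on the CA Secret, matching the access-key
Secret. Opaque is the API default, so existing releases are unaffected.
*/}}
{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
{{- if not (include "nodeAnalyzer.accessKeySecret" .) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "nodeAnalyzer.fullname" . }}
  namespace: {{ include "nodeAnalyzer.namespace" . }}
  labels:
{{ include "nodeAnalyzer.labels" . | indent 4 }}
type: Opaque
data:
  access-key: {{ include "nodeAnalyzer.accessKey" . | b64enc | quote }}
{{- end }}
{{- end }}
{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "nodeAnalyzer.fullname" . }}-ca
  namespace: {{ include "nodeAnalyzer.namespace" . }}
  labels:
{{ include "nodeAnalyzer.labels" . | indent 4 }}
type: Opaque
data:
  {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
{{- end }}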
28 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/serviceaccount-node-analyzer.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for the node-analyzer DaemonSet. Rendered only when the
analyzer is being deployed ("deploy-na"), the chart is asked to create the
account, and the target is not GKE Autopilot. Name and namespace come from
the shared helpers so the RBAC bindings can reference the same account.
*/}}
{{- if not (include "nodeAnalyzer.gke.autopilot" .) }}
{{- if and (include "deploy-na" .) .Values.nodeAnalyzer.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "nodeAnalyzer.serviceAccountName" . }}
  namespace: {{ include "nodeAnalyzer.namespace" . }}
  labels:
    {{- include "nodeAnalyzer.labels" . | nindent 4 }}
{{- end }}
{{- end }}
12 |
--------------------------------------------------------------------------------
/charts/node-analyzer/templates/tests/test-rollout.yaml:
--------------------------------------------------------------------------------
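{{- /*
Helm test hook: waits for the node-analyzer DaemonSet to finish rolling out.
Executed by `helm test <release>`; not rendered when tests.skip is set.

Fix: `kubectl ... -n` now uses the "nodeAnalyzer.namespace" helper, the same
namespace this pod, the Role and the ServiceAccount are rendered into,
instead of .Release.Namespace. With a namespace override the old value made
the hook look for the DaemonSet in the wrong namespace (assuming the
DaemonSet is placed with the other node-analyzer resources). The helper is
expected to fall back to .Release.Namespace, so defaults are unchanged.

Review notes:
- The pod runs as the analyzer's ServiceAccount and needs get/watch on
  DaemonSets; it also inherits that account's other permissions.
- The kubectl image is repo:tag from values with pullPolicy IfNotPresent;
  pin a digest in production values if this hook is run there.
*/}}
{{- if not .Values.tests.skip }}
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "nodeAnalyzer.fullname" . }}-test-rollout"
  namespace: {{ include "nodeAnalyzer.namespace" . }}
  labels:
    helm.sh/chart: {{ include "nodeAnalyzer.chart" . }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  annotations:
    "helm.sh/hook": test
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  serviceAccountName: {{ include "nodeAnalyzer.serviceAccountName" . }}
  containers:
    - name: kubectl
      image: {{ .Values.tests.image.repo }}:{{ .Values.tests.image.tag }}
      imagePullPolicy: IfNotPresent
      command:
        - kubectl
      args:
        - rollout
        - status
        - daemonset/{{ .Release.Name }}-node-analyzer
        - -n
        - {{ include "nodeAnalyzer.namespace" . }}
        - -w
        - --timeout={{ .Values.tests.timeout }}
  restartPolicy: Never
{{- end }}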
32 |
--------------------------------------------------------------------------------
/charts/node-analyzer/tests/default_required_values.yaml:
--------------------------------------------------------------------------------
# Shared fixture for the helm-unittest suites: the two inputs the chart
# requires. The access key is an obvious placeholder, not a real credential.
global:
  sysdig:
    accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
  clusterName: "test"
5 |
--------------------------------------------------------------------------------
/charts/node-analyzer/tests/readme_command_test.yaml:
--------------------------------------------------------------------------------
# Guards the install commands shown in the README: the placeholder access key
# must land base64-encoded in the Secret (the expected value is exactly
# base64("AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE")), and the benchmark-runner
# ConfigMap must prefix the configured apiEndpoint with https://.
suite: Testing install commands in Readme
templates:
  - secrets.yaml
  - configmap-benchmark-runner.yaml
tests:
  - it: check Readme install command titled "Installing the Chart"
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
      nodeAnalyzer:
        apiEndpoint: secure.sysdig.com
    asserts:
      - equal:
          path: data.access-key
          value: QUFBQUFBQUEtQkJCQi1DQ0NDLUREREQtRUVFRUVFRUVFRUVF
        template: secrets.yaml
      - equal:
          path: data.collector_endpoint
          value: https://secure.sysdig.com
        template: configmap-benchmark-runner.yaml

  - it: check Readme install command showing options usage example
    set:
      sysdig:
        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    asserts:
      - equal:
          path: data.access-key
          value: QUFBQUFBQUEtQkJCQi1DQ0NDLUREREQtRUVFRUVFRUVFRUVF
        template: secrets.yaml
31 |
--------------------------------------------------------------------------------
/charts/node-analyzer/tests/test_test.yaml:
--------------------------------------------------------------------------------
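# Covers the helm test hook (templates/tests/test-rollout.yaml): rendered as a
# single Pod by default, absent when tests.skip is set. Fixes: the suite name
# said "RuntimeScanner configuration", which this file does not test, and the
# first case's description had a "deafult" typo.
suite: Test Node Analyzer tests
templates:
  - tests/test-rollout.yaml
values:
  - ./default_required_values.yaml

tests:
  - it: "Check that test are executed by default"
    asserts:
      - hasDocuments:
          count: 1
      - isKind:
          of: Pod

  - it: "Check that test are not included when skip is set"
    set:
      tests:
        skip: true
    asserts:
      - hasDocuments:
          count: 0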
22 |
--------------------------------------------------------------------------------
/charts/rapid-response/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
# NOTE(review): unlike node-analyzer/.helmignore this file does not exclude
# /tests/, so the helm-unittest suites under tests/ are shipped inside the
# packaged chart. Harmless, but consider adding "/tests/" for parity.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
24 |
--------------------------------------------------------------------------------
/charts/rapid-response/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### Chores
4 | - **rapid-response** [24fc9903](https://github.com/sysdiglabs/charts/commit/24fc9903c6318bd1c4234c9fb66d566885f04d17): bump rapid-response version to 0.5.5 ([#2217](https://github.com/sysdiglabs/charts/issues/2217))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/rapid-response-0.9.20...rapid-response-0.9.21
6 |
--------------------------------------------------------------------------------
/charts/rapid-response/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | accessKey: ${SECURE_AGENT_TOKEN}
3 | rapidResponse:
4 | apiEndpoint: secure.sysdig.com
5 | passphrase: "test-passphrase"
6 | tests:
7 | rbac:
8 | # true here enables creation of rbac resources
9 | create: true
10 | serviceAccount:
11 | # true here enables creation of service account
12 | create: true
13 | # Name of the rapid-response ServiceAccount (the previous comment was copied from the kspm-collector chart)
14 | name: "rapid-response"
15 |
--------------------------------------------------------------------------------
/charts/rapid-response/templates/NOTES.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sysdiglabs/charts/cc4dfaf1fd453649b6e2f2ef1ad58996efe05010/charts/rapid-response/templates/NOTES.txt
--------------------------------------------------------------------------------
/charts/rapid-response/templates/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Runtime configuration for the Rapid Response agent.

- api_endpoint is always prefixed with https://; the helper supplies only the
  host, so a plaintext endpoint cannot be configured from values.
- skip_tls_check is filled by the "rapidResponse.certificateValidation"
  helper. NOTE(review): the key is a "skip" flag while the helper's name
  reads as "validation enabled" — confirm in _helpers.tpl that the helper
  returns the inverted value (true => verification skipped); otherwise the
  user-facing setting would mean the opposite of what it says. Disabling
  verification exposes the agent's outbound control channel to interception,
  so it should stay enabled outside test environments.
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "rapidResponse.fullname" . }}-config
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "rapidResponse.labels" . | indent 4 }}
data:
  api_endpoint: https://{{ include "rapidResponse.apiEndpoint" . }}
  skip_tls_check: "{{ include "rapidResponse.certificateValidation" . }}"
11 |
--------------------------------------------------------------------------------
/charts/rapid-response/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for the Rapid Response DaemonSet, created only when
rapidResponse.serviceAccount.create is set; otherwise an externally managed
account of the name returned by "rapidResponse.serviceAccountName" is
expected to exist in the release namespace.
*/}}
{{- if .Values.rapidResponse.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "rapidResponse.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "rapidResponse.labels" . | nindent 4 }}
{{- end }}
10 |
--------------------------------------------------------------------------------
/charts/rapid-response/tests/custom_resources.yaml:
--------------------------------------------------------------------------------
# Verifies that resource requests/limits set under rapidResponse.resources
# are copied verbatim onto exactly one container of the DaemonSet (any: true
# lets the assertion match whichever container carries them; count: 1 makes
# sure they are not duplicated onto a sidecar).
suite: Testing pre-generated values and best-known edge cases
templates:
  - daemonset.yaml
tests:
  - it: Test cpu resources overrides
    set:
      rapidResponse:
        resources:
          requests:
            cpu: 2500m
            memory: 1500Mi
          limits:
            cpu: 5000m
            memory: 2500Mi
    asserts:
      - contains:
          path: spec.template.spec.containers
          content:
            resources:
              limits:
                cpu: 5000m
                memory: 2500Mi
              requests:
                cpu: 2500m
                memory: 1500Mi
          any: true
          count: 1
28 |
--------------------------------------------------------------------------------
/charts/registry-scanner/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
# NOTE(review): node-analyzer/.helmignore excludes /tests/; this file does
# not, so the tests/ fixtures (e.g. ocp_test_values.yaml) are packaged with
# the chart. Consider adding "/tests/" for parity.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
24 |
--------------------------------------------------------------------------------
/charts/registry-scanner/Chart.yaml:
--------------------------------------------------------------------------------
# Chart metadata for the Sysdig Registry Scanner (deployed as a CronJob, see
# templates/cronjob.yaml). `version` is the chart version and is bumped on
# every release (RELEASE-NOTES.md tracks it); `appVersion` is the scanner
# image release the chart defaults to.
apiVersion: v2
name: registry-scanner
description: Sysdig Registry Scanner
type: application
home: https://www.sysdig.com/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
version: 1.7.3
appVersion: 0.8.1
maintainers:
  - name: sysdiglabs
11 |
--------------------------------------------------------------------------------
/charts/registry-scanner/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### Documentation
4 | - [9ae8ec50](https://github.com/sysdiglabs/charts/commit/9ae8ec50272fef3cac629ef67d1f1977ed8e49d8): improve include filter description ([#2263](https://github.com/sysdiglabs/charts/issues/2263))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/registry-scanner-1.7.2...registry-scanner-1.7.3
6 |
--------------------------------------------------------------------------------
/charts/registry-scanner/ci/test-aws-org-values.yaml.template:
--------------------------------------------------------------------------------
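# CI values for the ECR "organization" mode: the scanner assumes the
# management-account role and scans the member accounts in the allow list.
# All credentials are substituted from environment variables at test time;
# never commit real values here. The filter restricts the run to one known
# image so the CI scan stays fast.
#
# Fix: the allow-list entry had a stray trailing apostrophe
# (`${...TARGET_ACCOUNT_ID}'`), which made the substituted account ID end
# with a quote character and so never match the real member account.
config:
  secureAPIToken: ${SECURE_API_TOKEN}
  registryType: ecr
  aws:
    accessKeyId: ${SYSDIG_AWS_QA_CNT_ACCOUNT_ACCESS_KEY_ID}
    secretAccessKey: ${SYSDIG_AWS_QA_CNT_ACCOUNT_SECRET_ACCESS_KEY}
    managementAccountRoleARN: ${SYSDIG_AWS_QA_REG_MANAGEMENT_ROLE_ARN}
    allowListMemberAccountIDs:
      - ${SYSDIG_AWS_QA_TARGET_ACCOUNT_ID}
  filter:
    include: 'do-not-delete-reg-scanner-1:latest'
    exclude: '.*'
scanOnStart:
  enabled: true
  asPostInstallHook: true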
16 |
--------------------------------------------------------------------------------
/charts/registry-scanner/ci/test-aws-org-values.yaml.template.disabled:
--------------------------------------------------------------------------------
# NOTE(review): despite the "aws-org" filename this is an Artifactory (JFrog
# SaaS) configuration, byte-identical to
# test-jfrog-saas-values.yaml.template.disabled. It looks like a stale copy
# left behind by a rename; consider deleting it. Disabled in CI either way.
# All credentials come from environment variables.
config:
  secureAPIToken: ${SECURE_API_TOKEN}
  registryType: artifactory
  registryURL: ${SYSDIG_JFROG_SAAS_QA_URL}
  registryApiUrl: ${SYSDIG_JFROG_SAAS_QA_API_URL}
  registryUser: ${SYSDIG_JFROG_SAAS_QA_USER}
  registryPassword: ${SYSDIG_JFROG_SAAS_QA_TOKEN}
  filter:
    include: 'alpine:3.1'
    exclude: '.*'
scanOnStart:
  enabled: true
  asPostInstallHook: true
14 |
--------------------------------------------------------------------------------
/charts/registry-scanner/ci/test-aws-single-values.yaml.template:
--------------------------------------------------------------------------------
# CI values for a single-account ECR registry in us-east-1. Static AWS keys
# are substituted from environment variables at test time (never commit real
# values); in real deployments prefer IRSA / pod identity over static keys.
# The filter limits the run to one known image so the CI scan stays fast.
config:
  secureAPIToken: ${SECURE_API_TOKEN}
  registryType: ecr
  registryURL: ${SYSDIG_AWS_QA_TARGET_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com
  aws:
    region: us-east-1
    accessKeyId: ${SYSDIG_AWS_QA_CNT_ACCOUNT_ACCESS_KEY_ID}
    secretAccessKey: ${SYSDIG_AWS_QA_CNT_ACCOUNT_SECRET_ACCESS_KEY}
  filter:
    include: 'do-not-delete-reg-scanner-1:latest'
    exclude: '.*'
scanOnStart:
  enabled: true
  asPostInstallHook: true
15 |
--------------------------------------------------------------------------------
/charts/registry-scanner/ci/test-jfrog-saas-values.yaml.template.disabled:
--------------------------------------------------------------------------------
# CI values for a JFrog Artifactory SaaS registry (currently disabled in CI).
# Registry credentials and the Secure API token are substituted from
# environment variables; the registryPassword is a token, not a user
# password. Only alpine:3.1 is scanned so the run stays fast.
config:
  secureAPIToken: ${SECURE_API_TOKEN}
  registryType: artifactory
  registryURL: ${SYSDIG_JFROG_SAAS_QA_URL}
  registryApiUrl: ${SYSDIG_JFROG_SAAS_QA_API_URL}
  registryUser: ${SYSDIG_JFROG_SAAS_QA_USER}
  registryPassword: ${SYSDIG_JFROG_SAAS_QA_TOKEN}
  filter:
    include: 'alpine:3.1'
    exclude: '.*'
scanOnStart:
  enabled: true
  asPostInstallHook: true
14 |
--------------------------------------------------------------------------------
/charts/registry-scanner/doc.yaml:
--------------------------------------------------------------------------------
# Input for the README generator. `valuesExample` is rendered into an install
# command using `--set`; note that a Secure API token passed that way ends up
# in shell history and in `helm get values` output, so the generated docs
# should steer production users towards a values file kept out of version
# control.
project:
  name: Sysdig Registry Scanner
  shortName: Registry Scanner
  url: https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/findings/registry/
  description: This chart deploys the Sysdig Registry Scanner as a scheduled Cronjob in your Kubernetes cluster and allows you to integrate Sysdig Secure with different image registries.
  app: the Sysdig Registry Scanner
repository:
  url: https://charts.sysdig.com
  name: sysdig
chart:
  name: registry-scanner
  # version: v0.9.0-rc.0
  # values: "-- generate from values file --"
  valuesExample: "config.secureAPIToken=YOUR-KEY-HERE,config.secureBaseURL=SECURE_URL"
prerequisites:
  - "Helm 3.6"
  - "Kubernetes v1.16+"
  - "Unique name to identify your Kubernetes cluster"
  - "Sysdig Secure API Token"

release:
  name: registry-scanner
  namespace: sysdig-registry-scanner
24 |
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
{{- /*
OpenShift-only (registryType "ocp"): lets the scanner mint ServiceAccount
tokens, presumably to authenticate against the integrated image registry.

Review notes:
- `serviceaccounts/token` "create" in a ClusterRole with no resourceNames
  means the bound subject can request a token for ANY ServiceAccount in ANY
  namespace — functionally cluster-wide impersonation. Unless the scanner
  genuinely needs tokens for accounts outside its own namespace (confirm
  against the scanner's behaviour), make this a namespaced Role and/or add
  `resourceNames` naming the scanner's own ServiceAccount.
- The name "token-requestor" is not release-scoped; two releases of this
  chart in one cluster will overwrite or share this object.
- ClusterRole is cluster-scoped; the `namespace:` below is ignored by the API
  server and has no effect.
*/}}
{{- if eq .Values.config.registryType "ocp" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: {{ .Release.Namespace }}
  name: token-requestor
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
{{- end }}
12 |
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
OpenShift-only bindings for the scanner ServiceAccount.

1. registry-viewer — OpenShift's built-in ClusterRole for read access to the
   integrated registry. Bound cluster-wide so the scanner can read image
   metadata from every project; if only some projects should be scanned, use
   per-namespace RoleBindings instead.
2. token-requestor — the ClusterRole from clusterrole.yaml. Because that role
   grants `serviceaccounts/token create` without resourceNames, this
   cluster-wide binding lets the scanner obtain a token for any
   ServiceAccount in the cluster. Treat the scanner's namespace and pods as
   highly privileged (dedicated namespace, tight Secret/Pod/exec access), or
   scope the role down.

The `namespace:` on the second binding is meaningless for a cluster-scoped
kind and is ignored by the API server.
*/}}
{{- if eq .Values.config.registryType "ocp" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "registry-scanner.fullname" . }}-crb-registry-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-viewer
subjects:
  - kind: ServiceAccount
    name: {{ include "registry-scanner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "registry-scanner.fullname" . }}-crb-token-requestor
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: token-requestor
subjects:
  - kind: ServiceAccount
    name: {{ include "registry-scanner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
29 |
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/cronjob.yaml:
--------------------------------------------------------------------------------
{{- /*
Scheduled registry scan. The two leading includes validate cronjob.schedule
and cronjob.timeZone and are expected to fail the render on bad input, so a
typo never reaches the cluster as a never-firing schedule.

- batch/v1beta1 is used only on clusters older than 1.21 (batch/v1 CronJob
  is GA from 1.21).
- concurrencyPolicy Forbid prevents overlapping scans; a run that overruns
  its interval simply delays the next one.
- spec.timeZone is only emitted when configured and requires a cluster that
  supports the field (GA in 1.27).
- The pod template is shared with job.yaml through
  "registry-scanner.jobTemplate", so credentials and securityContext are
  reviewed there, not here.
*/}}
{{- include "registry-scanner.checkCronSchedule" . }}
{{- include "registry-scanner.validateTimeZone" . }}
{{- if (include "registry-scanner.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 21)) }}
apiVersion: batch/v1beta1
{{- else }}
apiVersion: batch/v1
{{- end }}
kind: CronJob
metadata:
  name: {{ include "registry-scanner.fullname" . }}
  labels:
{{ include "registry-scanner.labels" . | indent 4 }}
    {{- include "registry-scanner.customLabels" . | nindent 4 }}
spec:
  schedule: {{ .Values.cronjob.schedule | quote }}
  {{- if .Values.cronjob.timeZone }}
  timeZone: {{ .Values.cronjob.timeZone | quote }}
  {{- end }}
  failedJobsHistoryLimit: {{ .Values.cronjob.failedJobsHistoryLimit }}
  successfulJobsHistoryLimit: {{ .Values.cronjob.successfulJobsHistoryLimit }}
  concurrencyPolicy: Forbid
  jobTemplate:
    metadata:
      labels:
        {{- include "registry-scanner.customLabels" . | nindent 8 }}
    spec:
      {{- include "registry-scanner.jobTemplate" . | indent 6}}
28 |
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/job.yaml:
--------------------------------------------------------------------------------
{{- /*
One-off scan run at install time (scanOnStart.enabled), sharing the pod
template with the CronJob.

Review notes:
- `eq ... true` requires a real boolean: a value set with --set-string or
  quoted in YAML ("true") does not match and silently disables the job.
- The Job name comes straight from scanOnStart.jobName with no release
  prefix, so two releases in one namespace would collide on it.
- As a post-install hook no hook-delete-policy is set; Helm's default is
  before-hook-creation, so the completed Job and its pod remain until the
  next install recreates them. Its logs may describe the registry being
  scanned — clean up or add a delete policy if that matters.
*/}}
{{- if eq .Values.scanOnStart.enabled true }}
apiVersion: batch/v1
kind: Job
metadata:
  name: "{{ .Values.scanOnStart.jobName }}"
  labels:
{{ include "registry-scanner.labels" . | indent 4 }}
    {{- include "registry-scanner.customLabels" . | nindent 4 }}
  {{- if .Values.scanOnStart.asPostInstallHook}}
  annotations:
    "helm.sh/hook": post-install
  {{- end }}
spec:
  {{- include "registry-scanner.jobTemplate" . | indent 2}}
{{- end }}
16 |
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/role.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced Role for the scanner ServiceAccount (no metadata.namespace, so it
lands in the release namespace, as does rolebinding.yaml).

- batch/jobs create/get/delete/watch: the scanner manages Jobs in its own
  namespace (presumably worker jobs spawned per scan).
- pods and pods/log get/list: lets it read the logs of EVERY pod in the
  namespace, not only its own. That is why the scanner should run in a
  dedicated namespace (doc.yaml defaults to sysdig-registry-scanner) rather
  than alongside other workloads.
Unlike the other resources in this chart the Role carries no labels.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "registry-scanner.fullname" . }}
rules:
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "delete", "watch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]
12 |
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/rolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
Grants the scanner's Role to its ServiceAccount. Role and binding share the
"registry-scanner.fullname" name; the subject is pinned to the release
namespace, so a same-named account in another namespace cannot satisfy it.
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "registry-scanner.fullname" .}}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "registry-scanner.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "registry-scanner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
13 |
--------------------------------------------------------------------------------
/charts/registry-scanner/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for the scanner, created only when .Values.serviceAccount.create
is set; otherwise the name returned by "registry-scanner.serviceAccountName" is
presumably expected to exist already. Optional annotations come from
.Values.serviceAccount.annotations.
*/}}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "registry-scanner.serviceAccountName" . }}
  labels:
    {{- include "registry-scanner.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
13 |
--------------------------------------------------------------------------------
/charts/registry-scanner/tests/ocp_test_values.yaml:
--------------------------------------------------------------------------------
# Test-only values for the OpenShift (ocp) registry type.
# The token is a constructed placeholder, not a real credential.
config:
  secureAPIToken: 11111111-2222-3333-4444-555555555555
  registryType: ocp
4 |
--------------------------------------------------------------------------------
/charts/shield/.editorconfig:
--------------------------------------------------------------------------------
1 | # EditorConfig helps developers define and maintain consistent
2 | # coding styles between different editors and IDEs
3 | # editorconfig.org
4 |
5 | root = true
6 |
7 | [*]
8 | indent_style = space
9 | indent_size = 4
10 | end_of_line = lf
11 | charset = utf-8
12 | trim_trailing_whitespace = true
13 | insert_final_newline = true
14 |
15 | [*.{yml,yaml,json,tpl}]
16 | indent_size = 2
17 |
18 | [*.{yml,yaml,json}.dist]
19 | indent_size = 2
20 |
21 | [{Makefile,*.mk}]
22 | indent_style = tab
23 |
--------------------------------------------------------------------------------
/charts/shield/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 |
--------------------------------------------------------------------------------
/charts/shield/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: shield
3 | description: A chart with various Sysdig components for Kubernetes
4 | maintainers:
5 | - name: AlbertoBarba
6 | email: alberto.barba@sysdig.com
7 | - name: aroberts87
8 | email: adam.roberts@sysdig.com
9 | - name: francesco-furlan
10 | email: francesco.furlan@sysdig.com
11 | - name: iurly
12 | email: gerlando.falauto@sysdig.com
13 | - name: mavimo
14 | email: marcovito.moscaritolo@sysdig.com
15 | type: application
16 | version: 1.7.1
17 | appVersion: "1.0.0"
18 |
--------------------------------------------------------------------------------
/charts/shield/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | #### Full diff: https://github.com/sysdiglabs/charts/compare/shield-1.7.0...shield-1.7.1
4 |
--------------------------------------------------------------------------------
/charts/shield/ci/test-values.yaml:
--------------------------------------------------------------------------------
# Chart CI values: a "custom" region with explicit api_url and collector
# endpoints. The access_key is a constructed placeholder, not a real credential.
cluster_config:
  name: test-cluster

sysdig_endpoint:
  region: custom
  access_key: 12345678-1234-1234-1234-123456789012
  api_url: https://www.example.com
  collector:
    host: example.com
    port: 6443
11 |
--------------------------------------------------------------------------------
/charts/shield/doc.yaml:
--------------------------------------------------------------------------------
1 | project:
2 | name: Sysdig Shield
3 | shortName: Shield
4 | url: https://docs.sysdig.com/
5 | description: This chart deploys the Sysdig Host & Cluster Shield in your Kubernetes cluster.
6 | app: the Sysdig Shield
7 | repository:
8 | url: https://charts.sysdig.com
9 | name: sysdig
10 | chart:
11 | name: shield
12 | prerequisites:
13 | - "Helm 3.6"
14 | - "Sysdig AccessKey"
15 | - "Sysdig Secure API Token"
16 | - "Sysdig Secure API URL"
17 | - "Sysdig Secure Collector"
18 |
19 | release:
20 | name: sysdig
21 | namespace: sysdig-agent
22 |
--------------------------------------------------------------------------------
/charts/shield/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | Cluster Labels
2 |
3 | {{ include "cluster.labels" . }}
4 |
5 | Cluster Selector Labels
6 |
7 | {{ include "cluster.selector_labels" . }}
8 |
9 | Host Labels
10 |
11 | {{ include "host.labels" . }}
12 |
13 | Host Selector Labels
14 |
15 | {{ include "host.selector_labels" . }}
16 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/_annotations.tpl:
--------------------------------------------------------------------------------
{{/*
Annotations for the cluster-shield workload: chart-wide .Values.workload_annotations
merged with .Values.cluster.workload_annotations into a fresh (dict), so neither
values map is mutated. Renders nothing when the merged map is empty.
NOTE(review): Sprig merge gives earlier arguments precedence, so a key present
in both maps keeps the chart-wide value — confirm that precedence is intended.
*/}}
{{- define "cluster.workload_annotations" -}}
{{- $workloadAnnotations := merge (dict) .Values.workload_annotations .Values.cluster.workload_annotations -}}
{{- with $workloadAnnotations -}}
{{- . | toYaml -}}
{{- end -}}
{{- end -}}

{{/*
Pod annotations for cluster-shield, built the same way from .Values.pod_annotations
and .Values.cluster.pod_annotations (same precedence caveat as above).
*/}}
{{- define "cluster.pod_annotations" -}}
{{- $podAnnotations := merge (dict) .Values.pod_annotations .Values.cluster.pod_annotations -}}
{{- with $podAnnotations -}}
{{- . | toYaml -}}
{{- end -}}
{{- end -}}
14 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/_secret.tpl:
--------------------------------------------------------------------------------
{{/*
Data map for the cluster-shield Secret, returned as YAML with every value
base64-encoded (the encoding pass is the range at the end, so callers must not
encode again). At present it holds one optional key:
- sysdig-cluster-nats-password: set only when container vulnerability
  management is enabled and cluster_scanner.runtime_status_integrator.nats_server
  in .Values.cluster.additional_settings has no password_existing_secret. The
  value is that block's "password", or 32 random alphanumerics when unset.
NOTE(review): randAlphaNum runs on every render and no `lookup` of the existing
Secret is done, so an unset password is regenerated on each upgrade — confirm
the NATS consumers tolerate that rotation, or persist the generated value.
NOTE(review): `dig` falls back to nil when the nats_server path is absent and
hasKey is then called on nil — presumably the values always define that path;
verify, since a nil map may fail at render time.
*/}}
{{- define "cluster.secret" -}}
{{- $secret := dict -}}
{{- if (include "cluster.container_vulnerability_management_enabled" .) -}}
{{- $natsConfig := dig "cluster_scanner" "runtime_status_integrator" "nats_server" nil .Values.cluster.additional_settings -}}
{{- if not (hasKey $natsConfig "password_existing_secret") -}}
{{- $_ := set $secret "sysdig-cluster-nats-password" (default (randAlphaNum 32) (get $natsConfig "password")) -}}
{{- end -}}
{{- end -}}
{{- range $index, $value := $secret }}
{{- $_ := set $secret $index (b64enc $value) -}}
{{- end -}}
{{- $secret | toYaml -}}
{{- end -}}
14 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
ClusterRoleBinding for cluster-shield, emitted with the other RBAC objects when
.Values.cluster.rbac.create is true. It binds the ClusterRole of the same name
to the component ServiceAccount in the release namespace; the permissions
themselves live in that ClusterRole, not here.
*/}}
{{- if .Values.cluster.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cluster.fullname" . }}
  labels:
    {{- include "cluster.rbac_labels" . | nindent 4 }}
  {{- with .Values.cluster.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cluster.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ include "cluster.service_account_name" . }}
{{- end }}
21 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
cluster-shield configuration. The output of "cluster.configmap" is round-tripped
through fromYaml | toYaml so the embedded document is re-serialised (and must be
valid YAML) before being written under the cluster-shield.yaml key.
*/ -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cluster.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster.labels" . | nindent 4 }}
data:
  cluster-shield.yaml: |
    {{- include "cluster.configmap" . | fromYaml | toYaml | nindent 4 }}
11 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/lease-container-vulnerability-management.yaml:
--------------------------------------------------------------------------------
{{- /*
Lease for the container vulnerability management components, rendered only
when that feature is enabled. `lookup` copies the spec of an already existing
Lease of the same name back into the manifest, presumably so an upgrade does
not reset the holder/renew fields. lookup returns nothing under `helm template`
or --dry-run, so the spec is empty in those modes.
*/}}
{{- if (include "cluster.container_vulnerability_management_enabled" .) }}
apiVersion: coordination.k8s.io/v1
kind: Lease
metadata:
  name: {{ include "cluster.container_vulnerability_management_lease_name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster.labels" . | nindent 4 }}
spec:
  {{- $lease := lookup "coordination.k8s.io/v1" "Lease" .Release.Namespace (include "cluster.container_vulnerability_management_lease_name" .) -}}
  {{- if $lease -}}
  {{- $lease.spec | toYaml | nindent 2 -}}
  {{- end -}}
{{- end -}}
15 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/priorityclass.yaml:
--------------------------------------------------------------------------------
{{- /*
Optional PriorityClass for cluster-shield (.Values.cluster.priority_class.create).
globalDefault is false, so only pods that name this class receive the value;
PreemptLowerPriority is the Kubernetes default preemption behaviour.
*/}}
{{- if .Values.cluster.priority_class.create }}
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: {{ include "cluster.priority_class_name" . }}
value: {{ .Values.cluster.priority_class.value }}
preemptionPolicy: PreemptLowerPriority
globalDefault: false
description: "Sysdig cluster-shield priority"
{{- end }}
11 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/rolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced RoleBinding for cluster-shield, emitted with the other RBAC objects
when .Values.cluster.rbac.create is true. Binds the Role of the same name in
the release namespace to the component ServiceAccount.
*/}}
{{- if .Values.cluster.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cluster.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster.rbac_labels" . | nindent 4 }}
  {{- with .Values.cluster.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "cluster.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ include "cluster.service_account_name" . }}
{{- end }}
22 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Opaque Secret for cluster-shield. The data map comes entirely from the
"cluster.secret" helper, which already base64-encodes every value, so nothing
is encoded here. When the helper yields an empty map the data section is "{}".
*/ -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "cluster.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster.labels" . | nindent 4 }}
type: Opaque
data:
  {{- include "cluster.secret" . | nindent 2 }}
11 |
--------------------------------------------------------------------------------
/charts/shield/templates/cluster/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for cluster-shield, created together with the RBAC objects when
.Values.cluster.rbac.create is true. Annotations (e.g. for cloud identity
bindings) come from .Values.cluster.rbac.annotations.
*/}}
{{- if .Values.cluster.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cluster.service_account_name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cluster.rbac_labels" . | nindent 4 }}
  {{- with .Values.cluster.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
14 |
--------------------------------------------------------------------------------
/charts/shield/templates/common/_cluster_type.tpl:
--------------------------------------------------------------------------------
{{/*
Cluster type helpers.
"common.cluster_type.is_gke_autopilot" renders "true" when
.Values.cluster_config.cluster_type is "gke-autopilot" and nothing otherwise,
so callers use it as `if (include "common.cluster_type.is_gke_autopilot" .)`.
*/}}
{{- define "common.cluster_type.is_gke_autopilot" -}}
{{- if eq "gke-autopilot" .Values.cluster_config.cluster_type -}}
{{- true -}}
{{- end -}}
{{- end -}}
9 |
--------------------------------------------------------------------------------
/charts/shield/templates/common/_credentials.tpl:
--------------------------------------------------------------------------------
1 |
{{/*
Access Key Secret Name
Name of the Secret holding the Sysdig access key:
.Values.sysdig_endpoint.access_key_existing_secret when the user supplies one,
otherwise the chart-managed "<common.fullname>-access-key". Always yields a name.
*/}}
{{- define "common.credentials.access_key_secret_name" -}}
{{- if .Values.sysdig_endpoint.access_key_existing_secret }}
{{- .Values.sysdig_endpoint.access_key_existing_secret }}
{{- else }}
{{- printf "%s-access-key" (include "common.fullname" .) }}
{{- end}}
{{- end -}}

{{/*
Secure Api Token Secret Name
Same scheme for the Secure API token, but it yields nothing when neither
secure_api_token_existing_secret nor an inline secure_api_token is set; guard
callers with "common.credentials.has_secure_api_token".
*/}}
{{- define "common.credentials.secure_api_token_secret_name" -}}
{{- if .Values.sysdig_endpoint.secure_api_token_existing_secret }}
{{- .Values.sysdig_endpoint.secure_api_token_existing_secret }}
{{- else if .Values.sysdig_endpoint.secure_api_token }}
{{- printf "%s-secure-api-token" (include "common.fullname" .) }}
{{- end}}
{{- end -}}

{{/*
Check if the Secure Api Token is provided
Renders "true" when an inline secure_api_token or an existing secret name is
configured, otherwise nothing, so it can be used directly in an `if`.
*/}}
{{- define "common.credentials.has_secure_api_token" -}}
{{- if or .Values.sysdig_endpoint.secure_api_token .Values.sysdig_endpoint.secure_api_token_existing_secret -}}
{{- true -}}
{{- end -}}
{{- end -}}
32 |
--------------------------------------------------------------------------------
/charts/shield/templates/common/_helpers.tpl:
--------------------------------------------------------------------------------
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
"common.fullname" is "<shield.fullname truncated to 48>-common", i.e. at most
55 chars, leaving room for the suffixes the credentials helpers append.
*/}}
{{- define "common.fullname" -}}
{{- printf "%s-common" (include "shield.fullname" . | trunc 48 | trimSuffix "-")}}
{{- end }}

{{/*
Common labels
Merges the component labels from "common.self_labels" with the chart-wide
"shield.labels". Sprig merge gives the first argument precedence, so on a
conflicting key the component label wins. Renders nothing when empty.
*/}}
{{- define "common.labels" -}}
{{- $labels := merge (dict) (include "common.self_labels" . | fromYaml) (include "shield.labels" . | fromYaml) }}
{{- with $labels -}}
{{- . | toYaml -}}
{{- end -}}
{{- end }}

{{/*
Component labels for the "common" resources, via "shield.component_labels".
*/}}
{{- define "common.self_labels" -}}
{{ include "shield.component_labels" (dict "name" "common") }}
{{- end }}
23 |
--------------------------------------------------------------------------------
/charts/shield/templates/common/_semver.tpl:
--------------------------------------------------------------------------------
{{/*
Renders "true" when "." looks like a semantic version, otherwise nothing.
Accepted: optional leading "v", a major number with optional minor and patch
(so "1" and "1.2" pass as well as "1.2.3"), optional "-prerelease" and
"+build" parts. Used to guard semverCompare, which errors on non-semver tags.
*/}}
{{- define "common.semver.is_valid" -}}
{{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . -}}
{{- true -}}
{{- end -}}
{{- end -}}
6 |
--------------------------------------------------------------------------------
/charts/shield/templates/common/credentials-secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Chart-managed credential Secrets. Each document is emitted only when the value
is given inline in values AND no *_existing_secret name is referenced, so an
externally managed Secret is never overwritten by the chart. The leading "---"
lets both documents come from this one file. Values are base64-encoded as
Secret data requires. Note that Helm also keeps the rendered values in the
release record, so inline credentials live there too — prefer the
*_existing_secret options where that matters.
*/}}
{{- if and .Values.sysdig_endpoint.access_key (not .Values.sysdig_endpoint.access_key_existing_secret) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "common.credentials.access_key_secret_name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "common.labels" . | nindent 4 }}
type: Opaque
data:
  access-key: {{ .Values.sysdig_endpoint.access_key | b64enc | quote }}
{{- end }}
{{- if and .Values.sysdig_endpoint.secure_api_token (not .Values.sysdig_endpoint.secure_api_token_existing_secret) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "common.credentials.secure_api_token_secret_name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "common.labels" . | nindent 4 }}
type: Opaque
data:
  SECURE_API_TOKEN: {{ .Values.sysdig_endpoint.secure_api_token | b64enc | quote }}
{{- end }}
27 |
--------------------------------------------------------------------------------
/charts/shield/templates/common/custom-ca-secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Secret carrying the custom CA certificate when it is supplied through values
("common.custom_ca.use_values"). Secret name, data key and certificate content
all come from the common.custom_ca.* helpers defined elsewhere; only the
base64 encoding happens here. No `type` is set, so Kubernetes defaults it to
Opaque.
*/}}
{{- if (include "common.custom_ca.use_values" .) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "common.custom_ca.secret_name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "common.labels" . | nindent 4 }}
data:
  {{ include "common.custom_ca.key_name" . }}: {{ include "common.custom_ca.cert" . | b64enc | quote }}
{{- end }}
12 |
--------------------------------------------------------------------------------
/charts/shield/templates/common/proxy-secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Proxy settings Secret, rendered when "common.proxy.create_proxy_secret" says so.
http_proxy / https_proxy are written only when given inline and no existing
secret is referenced for them; no_proxy is computed by "common.proxy.no_proxy"
and always written unless no_proxy_existing_secret is set. Proxy URLs can embed
credentials, which is presumably why this is a Secret rather than a ConfigMap.
*/}}
{{- if (include "common.proxy.create_proxy_secret" .) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "common.proxy.secret_name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "common.labels" . | nindent 4 }}
data:
  {{- if and .Values.proxy.http_proxy (not .Values.proxy.http_proxy_existing_secret) }}
  http_proxy: {{ .Values.proxy.http_proxy | b64enc | quote }}
  {{- end }}
  {{- if and .Values.proxy.https_proxy (not .Values.proxy.https_proxy_existing_secret) }}
  https_proxy: {{ .Values.proxy.https_proxy | b64enc | quote }}
  {{- end }}
  {{- if not .Values.proxy.no_proxy_existing_secret }}
  no_proxy: {{ (include "common.proxy.no_proxy" .) | b64enc | quote }}
  {{- end }}
{{- end }}
20 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/_annotations.tpl:
--------------------------------------------------------------------------------
{{/*
Annotations for the host-shield workload: chart-wide .Values.workload_annotations
merged with .Values.host.workload_annotations into a fresh (dict), so neither
values map is mutated. Renders nothing when empty.
NOTE(review): Sprig merge gives earlier arguments precedence, so a key present
in both maps keeps the chart-wide value — confirm that precedence is intended.
*/}}
{{- define "host.workload_annotations" -}}
{{- $workloadAnnotations := merge (dict) .Values.workload_annotations .Values.host.workload_annotations -}}
{{- with $workloadAnnotations -}}
{{- . | toYaml -}}
{{- end -}}
{{- end -}}

{{/*
Pod annotations for host-shield: the merged .Values.pod_annotations /
.Values.host.pod_annotations (same precedence caveat) plus two chart-managed keys:
- on GKE Autopilot, autopilot.gke.io/no-connect: "true";
- when .Values.host.privileged is false, an AppArmor annotation that puts the
  sysdig-host-shield container in the "unconfined" profile, i.e. AppArmor
  confinement is switched off for that container. That is a deliberate
  security trade-off and worth calling out in reviews.
  NOTE(review): Kubernetes has since moved AppArmor into
  securityContext.appArmorProfile; the beta annotation is still honoured on
  older versions — verify against the chart's supported Kubernetes range.
Unlike the workload helper this always emits a map (possibly "{}").
*/}}
{{- define "host.pod_annotations" -}}
{{- $podAnnotations := merge (dict) .Values.pod_annotations .Values.host.pod_annotations -}}
{{- if (include "common.cluster_type.is_gke_autopilot" . ) -}}
{{- $_ := set $podAnnotations "autopilot.gke.io/no-connect" "true" -}}
{{- end -}}
{{- if not .Values.host.privileged -}}
{{- $_ := set $podAnnotations "container.apparmor.security.beta.kubernetes.io/sysdig-host-shield" "unconfined" -}}
{{- end -}}
{{- $podAnnotations | toYaml -}}
{{- end -}}
18 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/_secrets.tpl:
--------------------------------------------------------------------------------
{{/*
Name of the Secret holding the host-shield Rapid Response password:
"<shield.fullname truncated to 43>-host-rapid-response", at most 63 chars.
*/}}
{{- define "host.rapid_response_secret" }}
{{- printf "%s-host-rapid-response" (include "shield.fullname" . | trunc 43 | trimSuffix "-") }}
{{- end }}
4 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/_windows_annotations.tpl:
--------------------------------------------------------------------------------
{{/*
Annotations for the Windows host-shield workload: chart-wide
.Values.workload_annotations merged with .Values.host_windows.workload_annotations
into a fresh (dict). Renders nothing when empty.
NOTE(review): Sprig merge gives earlier arguments precedence, so a key present
in both maps keeps the chart-wide value — confirm that precedence is intended.
*/}}
{{- define "host.windows.workload_annotations" -}}
{{- $workloadAnnotations := merge (dict) .Values.workload_annotations .Values.host_windows.workload_annotations -}}
{{- with $workloadAnnotations -}}
{{- . | toYaml -}}
{{- end -}}
{{- end -}}

{{/*
Pod annotations for the Windows host-shield, merged the same way from
.Values.pod_annotations and .Values.host_windows.pod_annotations. No
chart-managed keys are added here, and a map is always emitted (possibly "{}").
*/}}
{{- define "host.windows.pod_annotations" -}}
{{- $podAnnotations := merge (dict) .Values.pod_annotations .Values.host_windows.pod_annotations -}}
{{- $podAnnotations | toYaml -}}
{{- end -}}
12 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
ClusterRoleBinding for host-shield, emitted with the other RBAC objects when
.Values.host.rbac.create is true. Binds the ClusterRole of the same name to the
host ServiceAccount in the release namespace; the permissions live in that
ClusterRole, not here.
*/}}
{{- if .Values.host.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "host.fullname" . }}
  labels:
    {{- include "host.rbac_labels" . | nindent 4 }}
  {{- with .Values.host.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "host.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ include "host.service_account_name" . }}
{{- end }}
21 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/configmap-windows.yaml:
--------------------------------------------------------------------------------
{{- /*
ConfigMap for the Windows host-shield, rendered only when .Values.host_windows
is present and host_windows.enabled is true. host-shield.yaml is always
written; dragent.yaml is added only when the image tag is a valid semver below
0.8.0. "common.semver.is_valid" guards semverCompare, which would error on a
non-semver tag such as "latest".
*/}}
{{- if and .Values.host_windows .Values.host_windows.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "host.windows.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "host.labels" . | nindent 4 }}
data:
  host-shield.yaml: |
    {{- include "host.windows.host_shield_config" . | nindent 4 }}
  {{- if and (include "common.semver.is_valid" .Values.host_windows.image.tag) (semverCompare "< 0.8.0" .Values.host_windows.image.tag) }}
  dragent.yaml: |
    {{- include "host.windows.configmap" . | nindent 4 }}
  {{- end }}
{{- end }}
17 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
ConfigMap for the Linux host-shield. Always carries host-shield.yaml and
dragent.yaml (from the host.* helpers). local_forwarder_config.yaml is added
when features.investigations.event_forwarder.enabled is set, wrapping the
configured integrations list; prometheus.yaml is added when
"host.prometheus_enabled" reports so, taking <monitor_key>.prometheus.prometheus_yaml
from .Values.features (an empty list when absent). Inside the `with`, "." is
.Values.features, which is what "host.monitor_key" receives.
*/ -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "host.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "host.labels" . | nindent 4 }}
data:
  host-shield.yaml: |
    {{- include "host.host_shield_config" . | nindent 4 }}
  dragent.yaml: |
    {{- include "host.configmap" . | nindent 4 }}
  {{- if .Values.features.investigations.event_forwarder.enabled }}
  local_forwarder_config.yaml: |
    integrations:
      {{- toYaml .Values.features.investigations.event_forwarder.integrations | nindent 6 }}
  {{- end }}
  {{- if (include "host.prometheus_enabled" .Values.features) }}
  prometheus.yaml: |
    {{- with .Values.features }}
    {{- toYaml (dig (include "host.monitor_key" .) "prometheus" "prometheus_yaml" list .) | nindent 4 }}
    {{- end }}
  {{- end }}
24 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/gke-allowlist-synchronizer.yaml:
--------------------------------------------------------------------------------
{{- /*
GKE Autopilot only: registers the "Sysdig/agent/*" allowlist paths with GKE's
AllowlistSynchronizer, presumably so the host-shield workload is admitted by
Autopilot. It runs as a pre-install/pre-upgrade hook so the allowlist exists
before the workloads are applied. The name is fixed rather than derived from
the release, so two releases in one namespace would collide on it.
*/}}
{{- if (include "common.cluster_type.is_gke_autopilot" .) -}}
apiVersion: auto.gke.io/v1
kind: AllowlistSynchronizer
metadata:
  name: sysdig-agent-allowlist-synchronizer
  namespace: {{ .Release.Namespace }}
  annotations:
    helm.sh/hook: "pre-install,pre-upgrade"
  labels:
    {{- include "host.labels" . | nindent 4 }}
spec:
  allowlistPaths:
    - "Sysdig/agent/*"
{{- end -}}
15 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/openshift-clusterrolebinding-monitor.yaml:
--------------------------------------------------------------------------------
{{- /*
OpenShift only: binds the host ServiceAccount to the platform's built-in
cluster-monitoring-view ClusterRole (read access to cluster monitoring, per its
name; the exact permission set is whatever the platform defines). Guarded twice:
monitoring.openshift.io/v1 must be served (or listed in
.Values.extra_capabilities_api_versions, an override hook), and the ClusterRole
must exist per `lookup`. lookup returns nothing under `helm template` or
--dry-run, so the binding only appears on a real install/upgrade.
*/}}
{{- if or (.Capabilities.APIVersions.Has "monitoring.openshift.io/v1") (has "monitoring.openshift.io/v1" .Values.extra_capabilities_api_versions) }}
{{- $clusterRole := lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "cluster-monitoring-view" -}}
{{- if and .Values.host.rbac.create $clusterRole }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "host.fullname" . }}-cluster-monitoring-view
  labels:
    {{- include "host.rbac_labels" . | nindent 4 }}
  {{- with .Values.host.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
roleRef:
  kind: ClusterRole
  name: cluster-monitoring-view
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ include "host.service_account_name" . }}
{{- end }}
{{- end }}
24 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/priorityclass.yaml:
--------------------------------------------------------------------------------
{{- /*
Optional PriorityClass for host-shield (.Values.host.priority_class.create).
globalDefault is false, so only pods that name this class receive the value;
PreemptLowerPriority is the Kubernetes default preemption behaviour.
*/}}
{{- if .Values.host.priority_class.create }}
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: {{ include "host.priority_class_name" . }}
value: {{ .Values.host.priority_class.value }}
preemptionPolicy: PreemptLowerPriority
globalDefault: false
description: "Sysdig host-shield priority"
{{- end }}
11 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/role.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced Role for host-shield: create/get/list/update/watch on
coordination.k8s.io Leases in the release namespace and nothing else (no
delete, no other resources). That verb set is typically what leader election
needs; keep additions to this minimum.
*/}}
{{- if .Values.host.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "host.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "host.rbac_labels" . | nindent 4 }}
  {{- with .Values.host.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - list
      - update
      - watch
{{- end }}
25 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/rolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
Namespaced RoleBinding for host-shield, emitted with the other RBAC objects
when .Values.host.rbac.create is true. Binds the Role of the same name in the
release namespace to the host ServiceAccount.
*/}}
{{- if .Values.host.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "host.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "host.rbac_labels" . | nindent 4 }}
  {{- with .Values.host.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "host.fullname" . }}
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ include "host.service_account_name" . }}
{{- end }}
22 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/secrets.yaml:
--------------------------------------------------------------------------------
{{- /*
Rapid Response password Secret, rendered only when "host.rapid_response_enabled"
reports so. The value comes from "host.rapid_response_password" (defined
elsewhere) and is base64-encoded here; how that password is sourced or
generated is not visible in this file.
*/}}
{{- if (include "host.rapid_response_enabled" .) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "host.rapid_response_secret" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "host.labels" . | nindent 4 }}
type: Opaque
data:
  password: {{ (include "host.rapid_response_password" .) | b64enc | quote }}
{{- end }}
14 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/service.yaml:
--------------------------------------------------------------------------------
{{- /*
ClusterIP Service exposing the host-shield pods' "http" container port as
8080/TCP, selected by "host.selector_labels". Cluster-internal only: no
NodePort or LoadBalancer is configured.
*/ -}}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "host.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "host.labels" . | nindent 4 }}
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "host.selector_labels" . | nindent 4 }}
17 |
--------------------------------------------------------------------------------
/charts/shield/templates/host/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount for host-shield, created together with the RBAC objects when
.Values.host.rbac.create is true. Annotations (e.g. for cloud identity
bindings) come from .Values.host.rbac.annotations.
*/}}
{{- if .Values.host.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "host.service_account_name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "host.rbac_labels" . | nindent 4 }}
  {{- with .Values.host.rbac.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
14 |
--------------------------------------------------------------------------------
/charts/shield/tests/cluster/security_context_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite for the cluster-shield pod securityContext.
# Both templates are loaded, but every assertion pins `template:` to the
# Deployment. The first test documents that the chart ships an empty pod-level
# securityContext by default (so any hardening must come from values); the
# second checks that cluster.security_context is passed through verbatim.
suite: Security Context tests
templates:
  - templates/cluster/deployment.yaml
  - templates/cluster/tls-certificates-admissionregistration.yaml
values:
  - ../values/base.yaml
tests:
  - it: Validate the default security context
    asserts:
      - equal:
          path: spec.template.spec.securityContext
          value: {}
        template: templates/cluster/deployment.yaml

  - it: Validate the possibility to override the security context
    set:
      cluster:
        security_context:
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 2000
          appArmorProfile:
            type: RuntimeDefault
    asserts:
      - equal:
          path: spec.template.spec.securityContext
          value:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 2000
            appArmorProfile:
              type: RuntimeDefault
        template: templates/cluster/deployment.yaml
34 |
--------------------------------------------------------------------------------
/charts/shield/tests/common/regions_test.yaml:
--------------------------------------------------------------------------------
# helm-unittest suite checking that a sysdig_endpoint.region name resolves to
# the expected collector and API endpoints in the rendered dragent.yaml of the
# host ConfigMap. matchRegex is used, so the patterns must not contain
# unescaped regex metacharacters beyond the literal dots accepted here.
suite: Common - Regions
templates:
  - templates/host/configmap.yaml
release:
  name: release-name
  namespace: shield-namespace
values:
  - ../values/base.yaml
tests:
  - it: Sanity check for regions
    set:
      sysdig_endpoint:
        region: "eu1"
    asserts:
      - matchRegex:
          path: data["dragent.yaml"]
          pattern: |
            collector: ingest-eu1.app.sysdig.com
            collector_port: 6443

  - it: API endpoint validation
    set:
      sysdig_endpoint:
        region: "us1"
    asserts:
      - matchRegex:
          path: data["dragent.yaml"]
          pattern: |
            sysdig_api_endpoint: secure.sysdig.com
30 |
--------------------------------------------------------------------------------
/charts/shield/tests/host/gke-allowlist-synchronizer_test.yaml:
--------------------------------------------------------------------------------
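# helm-unittest suite for the GKE Autopilot AllowlistSynchronizer. The values
# file ../values/gke-autopilot.yaml presumably selects the gke-autopilot
# cluster type, which is the only case in which the template renders.
# The suite name previously read "Host - Service" (copied from service_test),
# which made failures hard to attribute in the test report.
suite: Host - GKE AllowlistSynchronizer
templates:
  - templates/host/gke-allowlist-synchronizer.yaml
release:
  name: release-name
  namespace: shield-namespace
values:
  - ../values/gke-autopilot.yaml
tests:
  - it: Contains the agent GKE AllowlistSynchronizer resource
    asserts:
      - containsDocument:
          kind: AllowlistSynchronizer
          apiVersion: auto.gke.io/v1
          name: sysdig-agent-allowlist-synchronizer
      - equal:
          path: metadata.namespace
          value: shield-namespace
      - equal:
          path: metadata.annotations["helm.sh/hook"]
          value: pre-install,pre-upgrade
      - equal:
          path: spec.allowlistPaths
          value:
            - "Sysdig/agent/*"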
26 |
--------------------------------------------------------------------------------
/charts/shield/tests/host/openshift-clusterrolebinding-monitor_norole_test.yaml:
--------------------------------------------------------------------------------
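# helm-unittest suite: the OpenShift monitoring ClusterRoleBinding must not be
# rendered when the cluster-monitoring-view ClusterRole is absent, even though
# the monitoring.openshift.io/v1 API is advertised. The template finds the
# ClusterRole with `lookup`, which has no cluster to query in unit tests and so
# returns nothing — exactly the "role does not exist" case this suite covers.
suite: Host - OpenShift ClusterRoleBinding Monitor (Role does not exist)
templates:
  - templates/host/openshift-clusterrolebinding-monitor.yaml
release:
  name: release-name
  namespace: shield-namespace
values:
  - ../values/base.yaml
tests:
  - it: Does not create the ClusterRoleBinding if the ClusterRole does not exist and monitoring.openshift.io/v1 is supported
    capabilities:
      apiVersions:
        # Must be the API group the template's outer guard checks. Advertising
        # a different group (the file previously listed security.openshift.io/v1)
        # short-circuits that guard, so the test passed without ever reaching
        # the lookup and did not exercise the scenario in its name.
        - monitoring.openshift.io/v1
    asserts:
      - hasDocuments:
          count: 0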
17 |
--------------------------------------------------------------------------------
/charts/shield/tests/host/priorityclass_test.yaml:
--------------------------------------------------------------------------------
1 | suite: Host - PriorityClass
2 | templates:
3 | - templates/host/priorityclass.yaml
4 | release:
5 | name: release-name
6 | namespace: shield-namespace
7 | values:
8 | - ../values/base.yaml
9 | tests:
10 | - it: Create the PriorityClass when requested
11 | set:
12 | host:
13 | priority_class:
14 | create: true
15 | name: my-fancy-priority-class
16 | value: 1000
17 | asserts:
18 | - isKind:
19 | of: PriorityClass
20 | count: 1
21 | - equal:
22 | path: metadata.name
23 | value: my-fancy-priority-class
24 | - equal:
25 | path: value
26 | value: 1000
27 |
28 | - it: Ensure the PriorityClass is not created when not requested
29 | set:
30 | host:
31 | priority_class:
32 | create: false
33 | asserts:
34 | - hasDocuments:
35 | count: 0
36 |
37 | - it: Ensure we do not create a PriorityClass with the default chart values
38 | asserts:
39 | - hasDocuments:
40 | count: 0
41 |
--------------------------------------------------------------------------------
/charts/shield/tests/host/service_test.yaml:
--------------------------------------------------------------------------------
1 | suite: Host - Service
2 | templates:
3 | - templates/host/service.yaml
4 | release:
5 | name: release-name
6 | namespace: shield-namespace
7 | values:
8 | - ../values/base.yaml
9 | tests:
10 | - it: Contains a Service resource
11 | asserts:
12 | - containsDocument:
13 | kind: Service
14 | apiVersion: v1
15 | name: release-name-shield-host
16 | - equal:
17 | path: metadata.namespace
18 | value: shield-namespace
19 | - equal:
20 | path: spec.type
21 | value: ClusterIP
22 | - isNotNullOrEmpty:
23 | path: .spec.ports[?(@.name == "http")]
24 | - equal:
25 | path: spec.ports[?(@.name == "http")].port
26 | value: 8080
27 | - equal:
28 | path: spec.ports[?(@.name == "http")].protocol
29 | value: TCP
30 | - equal:
31 | path: spec.ports[?(@.name == "http")].targetPort
32 | value: http
33 | - lengthEqual:
34 | path: spec.ports
35 | count: 1
36 | - equal:
37 | path: metadata.labels["sysdig/component"]
38 | value: host
39 |
--------------------------------------------------------------------------------
/charts/shield/tests/values/base.yaml:
--------------------------------------------------------------------------------
1 | cluster_config:
2 | name: test-cluster
3 |
4 | sysdig_endpoint:
5 | region: custom
6 | access_key: 12345678-1234-1234-1234-123456789012
7 | api_url: https://www.example.com
8 | collector:
9 | host: example.com
10 | port: 6443
11 |
--------------------------------------------------------------------------------
/charts/shield/tests/values/gke-autopilot.yaml:
--------------------------------------------------------------------------------
1 | cluster_config:
2 | name: test-cluster
3 | cluster_type: gke-autopilot
4 |
5 | sysdig_endpoint:
6 | region: custom
7 | access_key: 12345678-1234-1234-1234-123456789012
8 | api_url: https://www.example.com
9 | collector:
10 | host: example.com
11 | port: 6443
12 |
--------------------------------------------------------------------------------
/charts/shield/tests/values/windows.yaml:
--------------------------------------------------------------------------------
1 | cluster_config:
2 | name: test-cluster
3 |
4 | sysdig_endpoint:
5 | region: custom
6 | access_key: 12345678-1234-1234-1234-123456789012
7 | api_url: https://www.example.com
8 | collector:
9 | host: example.com
10 | port: 6443
11 |
12 | host_windows:
13 | enabled: true
14 |
--------------------------------------------------------------------------------
/charts/shield/tests/values/windows_dragent.yaml:
--------------------------------------------------------------------------------
1 | cluster_config:
2 | name: test-cluster
3 |
4 | sysdig_endpoint:
5 | region: custom
6 | access_key: 12345678-1234-1234-1234-123456789012
7 | api_url: https://www.example.com
8 | collector:
9 | host: example.com
10 | port: 6443
11 |
12 | host_windows:
13 | image:
14 | tag: 0.7.1
15 | enabled: true
16 |
--------------------------------------------------------------------------------
/charts/sysdig-deploy/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 | # Sysdig Specific
25 | /tests/
26 |
--------------------------------------------------------------------------------
/charts/sysdig-deploy/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### Chores
4 | - **sysdig-deploy** [474cafa6](https://github.com/sysdiglabs/charts/commit/474cafa6d751b665da0926d93d2fd119864609f5): Automatic version bump due to updated dependencies ([#2267](https://github.com/sysdiglabs/charts/issues/2267))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.84.2...sysdig-deploy-1.84.3
6 |
--------------------------------------------------------------------------------
/charts/sysdig-deploy/ci/test-default-saas-values.yaml.template:
--------------------------------------------------------------------------------
1 | global:
2 | clusterConfig:
3 | name: "test-cluster"
4 | namespace: ""
5 | sysdig:
6 | accessKey: ${SECURE_AGENT_TOKEN}
7 | secureAPIToken: ${SECURE_API_TOKEN}
8 | kspm:
9 | deploy: true
10 | agent:
11 | resources:
12 | requests:
13 | cpu: 25m
14 | memory: 200Mi
15 | kspmCollector:
16 | resources:
17 | requests:
18 | cpu: 25m
19 | memory: 200Mi
20 | nodeAnalyzer:
21 | secure:
22 | vulnerabilityManagement:
23 | newEngineOnly: true
24 | nodeAnalyzer:
25 | benchmarkRunner:
26 | deploy: false
27 | imageAnalyzer:
28 | resources:
29 | requests:
30 | cpu: 25m
31 | memory: 200Mi
32 | hostAnalyzer:
33 | resources:
34 | requests:
35 | cpu: 25m
36 | memory: 200Mi
37 |
--------------------------------------------------------------------------------
/charts/sysdig-deploy/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
1 | global:
2 | clusterConfig:
3 | namespace: ""
4 | sysdig:
5 | accessKey: ${SECURE_AGENT_TOKEN}
6 | secureAPIToken: ${SECURE_API_TOKEN}
7 | nodeAnalyzer:
8 | nodeAnalyzer:
9 | benchmarkRunner:
10 | deploy: false
11 |
--------------------------------------------------------------------------------
/charts/sysdig-deploy/templates/cluster-scanner-runtime-scanner-check.yaml:
--------------------------------------------------------------------------------
1 | {{- $nodeAnalyzerEnabled := default false .Values.nodeAnalyzer.enabled -}} {{- /* Render-time guard only: this template emits no manifest, it aborts the release when the Runtime Scanner (under nodeAnalyzer) and the Cluster Scanner are both enabled. */ -}}
2 | {{- $runtimeScannerDeploy := false -}}
3 |
4 | {{- if $nodeAnalyzerEnabled -}}
5 | {{- if and (default dict .Values.nodeAnalyzer).nodeAnalyzer (default dict .Values.nodeAnalyzer.nodeAnalyzer).runtimeScanner -}} {{- /* `default dict` keeps the nested lookup from erroring when nodeAnalyzer.nodeAnalyzer or its runtimeScanner key is absent */ -}}
6 | {{- $runtimeScannerDeploy = default false .Values.nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy -}}
7 | {{- end -}}
8 | {{- end -}}
9 |
10 | {{- if and $nodeAnalyzerEnabled $runtimeScannerDeploy .Values.clusterScanner.enabled -}} {{- /* all three must be true; `fail` stops rendering with the message below */ -}}
11 | {{ fail "Cannot enable both the Runtime Scanner and the Cluster Scanner at the same time" }}
12 | {{- end -}}
13 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *~
18 | # Various IDEs
19 | .project
20 | .idea/
21 | *.tmproj
22 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | description: Sysdig IBM MCM Nav Menu integration
3 | name: sysdig-mcm-navmenu
4 | version: 1.2.0
5 | appVersion: 1.0.0
6 | home: https://www.sysdig.com/
7 | icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png
8 | maintainers:
9 | - name: airadier
10 | email: alvaro.iradier@sysdig.com
11 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/README.md:
--------------------------------------------------------------------------------
1 | # Sysdig MCM Nav Menu integration
2 |
3 | These helm charts deploy a couple of services and an Ingress with the labels and annotations that are required to create links in the MCM top-left Burger menu.
4 |
5 | * "Sysdig Secure" menu entry is created inside "Administer" menu
6 | * "Sysdig Monitor" entry is created inside "Monitor health"
7 |
8 | The ingress entry does not seem to work for ExternalService (unable to resolve service), so an nginx pod is deployed with a couple of redirect rules to redirect the user to the Secure or Monitor SaaS URLs.
9 |
10 | ## Verify the integrity and origin
11 | Sysdig Helm Charts are signed so users can verify the integrity and origin of each chart; the steps are as follows:
12 |
13 | ### Import the Public Key
14 |
15 | ```console
16 | $ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
17 | $ gpg --import /tmp/sysdig_public.gpg
18 | ```
19 |
20 | ### Verify the chart
21 |
22 | To check the integrity and the origin of the charts you can now append the `--verify` flag to the `install`, `upgrade` and `pull` helm commands.
23 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170))
5 |
6 | #### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-mcm-navmenu-1.0.4...sysdig-mcm-navmenu-1.2.0
7 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/ci/onprem.yam:
--------------------------------------------------------------------------------
1 | saas: false
2 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/ci/required-values-notest.yaml:
--------------------------------------------------------------------------------
1 | companyName: testCompany
2 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/ci/saas.yaml:
--------------------------------------------------------------------------------
1 | companyName: testCompany
2 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | Navigation menu items added!
2 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/templates/_helpers.tpl:
--------------------------------------------------------------------------------
1 | {{/* vim: set filetype=mustache: */}}
2 | {{/*
3 | Expand the name of the chart: .Values.nameOverride when set, otherwise .Chart.Name, truncated to 63 chars with any trailing "-" removed.
4 | */}}
5 | {{- define "name" -}}
6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
7 | {{- end -}}
8 |
9 | {{/*
10 | Create a default fully qualified app name of the form "<release name>-<chart name>", where the chart name honours .Values.nameOverride.
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec), and strip a trailing "-" left by the truncation.
12 | */}}
13 | {{- define "fullname" -}}
14 | {{- $name := default .Chart.Name .Values.nameOverride -}}
15 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
16 | {{- end -}}
17 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/templates/configmap.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap # nginx site config mounted by the proxy pod; rendering is aborted early (the `fail` under data) when saas=true but companyName is empty
3 | metadata:
4 | name: {{ template "fullname" . }}-config # /sysdig-secure and /sysdig-monitor are 301-redirected ("permanent") to the SaaS OpenID login for .Values.companyName when saas=true, otherwise to .Values.sysdigURL; the captured path suffix is discarded
5 | data:
6 | {{- if eq (default false .Values.saas) true }}{{- if eq (default "" .Values.companyName) "" }}{{ fail "value 'companyName' is mandatory, but it is not set"}}{{ end }}{{ end }}
7 | default.conf: |
8 | server {
9 | listen {{ .Values.service.internalPort }};
10 | server_name localhost;
11 |
12 | location /sysdig-secure {
13 | rewrite ^/sysdig-secure(.*)$ {{ if .Values.saas }}https://secure.sysdig.com/api/oauth/openid/{{ .Values.companyName }}{{ else }}{{.Values.sysdigURL}}/api/oauth/openid{{ end }}?product=SDS permanent;
14 | }
15 | location /sysdig-monitor {
16 | rewrite ^/sysdig-monitor(.*)$ {{ if .Values.saas }}https://app.sysdigcloud.com/api/oauth/openid/{{ .Values.companyName }}{{ else }}{{.Values.sysdigURL}}/api/oauth/openid{{ end }} permanent;
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/templates/ingress.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: extensions/v1beta1 # NOTE(review): the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22; current clusters need networking.k8s.io/v1 (spec.ingressClassName, backend.service.name/port), so this template still renders but will not apply there
2 | kind: Ingress
3 | metadata:
4 | name: {{ template "fullname" . }}
5 | labels:
6 | app: {{ template "name" . }}
7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
8 | release: {{ .Release.Name }}
9 | inmenu: "true" # label the MCM navigation integration looks for (see README)
10 | annotations: # NavMenu: add annotations from values.yaml
11 | icp.management.ibm.com/auth-type: access-token
12 | kubernetes.io/ingress.class: ibm-icp-management # routed through the ICP management ingress; annotation-based class selection predates spec.ingressClassName
13 | spec:
14 | rules:
15 | - http: # no host: rules apply to every hostname the management ingress serves
16 | paths:
17 | - path: /sysdig-secure
18 | backend:
19 | serviceName: {{ template "fullname" . }}-secure
20 | servicePort: {{ .Values.service.externalPort }}
21 | - path: /sysdig-monitor
22 | backend:
23 | serviceName: {{ template "fullname" . }}-monitor
24 | servicePort: {{ .Values.service.externalPort }}
25 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/templates/scc.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
2 | apiVersion: security.openshift.io/v1
3 | kind: SecurityContextConstraints # OpenShift only (gated on the API being served above); a cluster-scoped policy object, not a namespaced one
4 | metadata:
5 | name: {{ template "fullname" . }}-scc
6 | allowHostDirVolumePlugin: false
7 | allowHostIPC: false
8 | allowHostNetwork: false
9 | allowHostPID: false
10 | allowHostPorts: false
11 | allowPrivilegeEscalation: false
12 | allowPrivilegedContainer: false
13 | allowedCapabilities: []
14 | defaultAddCapabilities: []
15 | priority: 1 # outranks the stock "restricted" SCC (which sets no priority), so a pod eligible for both is admitted under this one first
16 | readOnlyRootFilesystem: false
17 | requiredDropCapabilities: [] # nothing is dropped, so containers keep the runtime's default capability set
18 | runAsUser:
19 | type: RunAsAny # no UID constraint, i.e. containers may run as root — presumably needed because the nginx config listens on service.internalPort (80 by default)
20 | seLinuxContext:
21 | type: RunAsAny
22 | volumes:
23 | - configMap
24 | - secret
25 | users:
26 | - system:serviceaccount:{{ .Release.Namespace }}:default # NOTE(review): granted to the namespace's *default* ServiceAccount, so any workload in the release namespace that does not set its own serviceAccountName can also use this SCC; a dedicated ServiceAccount would scope it to this chart's pods only
27 | {{ end -}}
28 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/templates/service-monitor.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service # "Sysdig Monitor" menu entry: MCM reads the inmenu/target labels and the annotations below; traffic goes to the same nginx pods as the -secure Service (identical selector), which redirect by request path
3 | metadata:
4 | name: {{ template "fullname" . }}-monitor
5 | labels:
6 | app: {{ template "name" . }}-monitor
7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
8 | release: {{ .Release.Name }}
9 | inmenu: "true"
10 | target: sysdig-monitor # matches the /sysdig-monitor Ingress path
11 | annotations:
12 | name: Sysdig Monitor # NavMenu: the display name that will show in the menu
13 | id: {{ .Values.service.monitorMenuId }} # NavMenu: The id of the top-level menu item to attach to
14 | roles: ClusterAdministrator,Administrator,Operator,Viewer # NavMenu: A list of roles you want to be able to view TA in the menu
15 | spec:
16 | type: ClusterIP
17 | ports:
18 | - port: {{ .Values.service.externalPort }} # the port the Ingress backend references (servicePort)
19 | targetPort: {{ .Values.service.internalPort }}
20 | protocol: TCP
21 | name: {{ .Values.service.name }}
22 | selector:
23 | app: {{ template "name" . }} # note: the chart-wide app name, not the "-monitor" label set on this Service
24 | release: {{ .Release.Name }}
25 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/templates/service-secure.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service # "Sysdig Secure" menu entry: MCM reads the inmenu/target labels and the annotations below; traffic goes to the same nginx pods as the -monitor Service (identical selector), which redirect by request path
3 | metadata:
4 | name: {{ template "fullname" . }}-secure
5 | labels:
6 | app: {{ template "name" . }}-secure
7 | chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
8 | release: {{ .Release.Name }}
9 | inmenu: "true"
10 | target: sysdig-secure # matches the /sysdig-secure Ingress path
11 | annotations:
12 | name: Sysdig Secure # NavMenu: the display name that will show in the menu
13 | id: {{ .Values.service.secureMenuId }} # NavMenu: The id of the top-level menu item to attach to
14 | roles: ClusterAdministrator,Administrator,Operator,Viewer # NavMenu: A list of roles you want to be able to view TA in the menu
15 | spec:
16 | type: ClusterIP
17 | ports:
18 | - port: {{ .Values.service.externalPort }} # the port the Ingress backend references (servicePort)
19 | targetPort: {{ .Values.service.internalPort }}
20 | protocol: TCP
21 | name: {{ .Values.service.name }}
22 | selector:
23 | app: {{ template "name" . }} # note: the chart-wide app name, not the "-secure" label set on this Service
24 | release: {{ .Release.Name }}
25 |
--------------------------------------------------------------------------------
/charts/sysdig-mcm-navmenu/values.yaml:
--------------------------------------------------------------------------------
1 | replicaCount: 1
2 |
3 | image:
4 | repository: nginx
5 | tag: 1.17-alpine
6 | pullPolicy: IfNotPresent
7 |
8 | service:
9 | name: sysdig-navmenu-proxy
10 | type: ClusterIP
11 | externalPort: 8080
12 | internalPort: 80
13 | secureMenuId: administer-mcm
14 | monitorMenuId: monitor
15 |
16 | # Set to true if using Sysdig Secure and Monitor SaaS
17 | saas: true
18 | # If saas is false, set your on-prem base URL (omit trailing slash)
19 | sysdigURL: https://HOSTNAME
20 | # Provide the companyName used in Sysdig platform (ask your admin or sales for this value) for OpenID Connect SSO
21 | companyName: ""
22 |
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *.orig
18 | *~
19 | # Various IDEs
20 | .project
21 | .idea/
22 | *.tmproj
23 | .vscode/
24 |
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | name: sysdig-stackdriver-bridge
3 | version: 1.2.1
4 | appVersion: 0.0.7
5 | description: Sysdig Monitor and Secure agent
6 | keywords:
7 | - monitoring
8 | - security
9 | - alerting
10 | - metric
11 | - troubleshooting
12 | - run-time
13 | home: https://www.sysdig.com/
14 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
15 | sources:
16 | - https://app.sysdigcloud.com/#/settings/user
17 | - https://github.com/draios/sysdig
18 | maintainers:
19 | - name: bencer
20 | email: jorge.salamero@sysdig.com
21 | - name: nestorsalceda
22 | email: nestor.salceda@sysdig.com
23 | - name: echoboomer
24 | email: scott@echoboomer.net
25 |
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/OWNERS:
--------------------------------------------------------------------------------
1 | approvers:
2 | - bencer
3 | - nestorsalceda
4 | reviewers:
5 | - bencer
6 | - nestorsalceda
7 |
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | #### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-stackdriver-bridge-1.2.0...sysdig-stackdriver-bridge-1.2.1
4 |
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/ci/test-values.yaml:
--------------------------------------------------------------------------------
1 | secret:
2 | create: true
3 | data: foobar
4 |
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/templates/secret.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.secret.create -}}
2 | apiVersion: v1
3 | kind: Secret # only rendered when secret.create is true; otherwise a pre-existing Secret named secret.name is expected
4 | metadata:
5 | name: {{ .Values.secret.name }}
6 | labels:
7 | {{ include "sysdig-stackdriver-bridge.labels" . | indent 4 }}
8 | type: Opaque
9 | data:
10 | key.json: {{ .Values.secret.data | b64enc | quote }} # NOTE(review): the raw GCP service-account JSON is taken from values and only base64-encoded here, so it also travels in plain form through the values file and Helm's stored release values; for production prefer secret.create=false with a Secret provisioned out of band
11 | {{- end }}
12 |
--------------------------------------------------------------------------------
/charts/sysdig-stackdriver-bridge/values.yaml:
--------------------------------------------------------------------------------
1 | # Default values for Sysdig Stackdriver Bridge.
2 |
3 | image:
4 | repository: sysdiglabs/stackdriver-webhook-bridge
5 | pullPolicy: IfNotPresent
6 | tag: v0.0.7-a4d6ade
7 |
8 | secret:
9 | # If this is true, the chart will create the Secret and pass in secret.data as key.json.
10 | create: false
11 | data: ''
12 | # Secret name that contains GCP SA creds for the stackdriver Service Account.
13 | name: stackdriver-webhook-bridge
14 |
15 | settings:
16 | # Settings for ConfigMap
17 | forwardURL: http://sysdig-agent.sysdig-agent.svc.cluster.local:7765/k8s_audit
18 | projectID:
19 | clusterID:
20 | logFile:
21 | outFile:
22 | pollInterval: 5s
23 | lagInterval: 30s
24 | logLevel: info
25 |
26 | nodeSelector: {}
27 |
28 | affinity: {}
29 |
30 | annotations: {}
31 |
32 | tolerations: []
33 |
--------------------------------------------------------------------------------
/charts/sysdig/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | appVersion: 12.17.1
3 | deprecated: true
4 | description: Sysdig Monitor and Secure agent
5 | home: https://www.sysdig.com/
6 | icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
7 | keywords:
8 | - monitoring
9 | - security
10 | - alerting
11 | - metric
12 | - troubleshooting
13 | - run-time
14 | name: sysdig
15 | sources:
16 | - https://app.sysdigcloud.com/#/settings/user
17 | - https://github.com/draios/sysdig
18 | version: 1.16.25
19 |
--------------------------------------------------------------------------------
/charts/sysdig/OWNERS:
--------------------------------------------------------------------------------
1 | approvers:
2 | - bencer
3 | - nestorsalceda
4 | reviewers:
5 | - bencer
6 | - nestorsalceda
7 |
--------------------------------------------------------------------------------
/charts/sysdig/RELEASE-NOTES.md:
--------------------------------------------------------------------------------
1 | # What's Changed
2 |
3 | ### New Features
4 | - **sysdig,hostAnalyzer** [a8e1124b](https://github.com/sysdiglabs/charts/commit/a8e1124bfb668e9f9d04095c26d6ada0235cda04): Update legacy engine HostAnalyzer to v0.1.19 components with security updates ([#1601](https://github.com/sysdiglabs/charts/issues/1601))
5 | #### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.37.15...sysdig-1.16.25
6 |
--------------------------------------------------------------------------------
/charts/sysdig/ci/test-values.yaml.template:
--------------------------------------------------------------------------------
1 | sysdig:
2 | accessKey: ${SECURE_AGENT_TOKEN}
3 |
4 | nodeAnalyzer:
5 | apiEndpoint: secure.sysdig.com
6 |
--------------------------------------------------------------------------------
/charts/sysdig/scripts/appchecks2helm:
--------------------------------------------------------------------------------
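#!/bin/bash
# appchecks2helm: emit a Helm values snippet embedding app-check files.
#
# Usage: appchecks2helm FILE... > custom-app-checks.yaml
#
# Prints a `customAppChecks:` map on stdout with one entry per argument: the
# key is the file's basename and the value is the file's content as a YAML
# literal block (`|-`), indented so the snippet merges straight into the
# chart's values (consumed by templates/configmap-custom-app-checks.yaml).
#
# Exits non-zero (set -e) if an argument cannot be opened for reading.
set -e

echo "customAppChecks:"
for app_check in "$@"; do
    # printf instead of `echo -e`: app-check sources routinely contain
    # backslash sequences (\n, \t, \\) that `echo -e` would rewrite, and a
    # line starting with "-n"/"-e" would be swallowed by echo as an option.
    # `basename --` keeps a file name that begins with "-" intact.
    printf '  %s: |-\n' "$(basename -- "$app_check")"
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline,
    # which plain `read` would drop.
    while IFS= read -r line || [ -n "$line" ]; do
        printf '    %s\n' "$line"
    done < "$app_check"
done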
12 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | The agent for Sysdig Secure DevOps Platform is spinning up on each node in your
2 | cluster. After a few seconds, you should see your hosts appearing in the
3 | Sysdig Agent Health & Status Dashboard:
4 |
5 | COLLECTOR_URL: This value is region-dependent in SaaS and is auto-completed in install snippets in the UI. (It is a custom value in on-prem installations.)
6 | API_ENDPOINT: This is the base URL (region-dependent) for Sysdig Secure and is auto-completed in install snippets in the UI. E.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com.
7 |
8 | These are a few example links (valid for us-east only):
9 |
10 | https://app.sysdigcloud.com/#/dashboard-template/view.sysdig.agents?last=10
11 |
12 | https://secure.sysdig.com/#/events/l:600/*/*?viewAs=list
13 |
14 |
15 | -------------------
16 | DEPRECATION WARNING
17 | -------------------
18 |
19 | This chart is being deprecated on 2023-01-01, at which point it will no longer
20 | receive any updates. Please migrate to https://charts.sysdig.com/charts/sysdig-deploy
21 | as soon as possible for new features, security updates, and continued support.
22 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/auditsink.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.auditLog.enabled .Values.auditLog.dynamicBackend.enabled }}
2 | apiVersion: auditregistration.k8s.io/v1alpha1 # NOTE(review): the dynamic audit (AuditSink) alpha API was removed in Kubernetes 1.19; the guard above checks values only, not .Capabilities, so on newer clusters the release fails to apply rather than skipping this resource
3 | kind: AuditSink
4 | metadata:
5 | name: {{ template "sysdig.fullname" . }}
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | spec:
9 | policy:
10 | level: RequestResponse # full request and response bodies are shipped to the webhook
11 | stages:
12 | - ResponseComplete
13 | - ResponseStarted
14 | webhook:
15 | throttle:
16 | qps: 10
17 | burst: 15
18 | clientConfig:
19 | service: # in-cluster target: the chart's own Service, no external URL
20 | namespace: {{ .Release.Namespace }}
21 | name: {{ template "sysdig.fullname" . }}
22 | port: {{ .Values.auditLog.auditServerPort }}
23 | path: /k8s_audit
24 | {{- end }}
25 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/clusterrolebinding-node-analyzer.yaml:
--------------------------------------------------------------------------------
1 | {{- if and (include "deploy-na" .) .Values.rbac.create }}
2 | kind: ClusterRoleBinding # cluster-wide grant: the node-analyzer ServiceAccount receives the ClusterRole's permissions in every namespace
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | metadata:
5 | name: {{ template "sysdig.fullname" .}}-node-analyzer
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | subjects:
9 | - kind: ServiceAccount
10 | name: {{ template "sysdig.nodeAnalyzer.serviceAccountName" .}}
11 | namespace: {{ .Release.Namespace }}
12 | roleRef:
13 | kind: ClusterRole
14 | name: {{ template "sysdig.fullname" .}}-node-analyzer # presumably defined in a sibling template not shown here
15 | apiGroup: rbac.authorization.k8s.io
16 | {{- end }}
17 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.rbac.create }}
2 | kind: ClusterRoleBinding # cluster-wide grant: the agent ServiceAccount receives the ClusterRole's permissions in every namespace
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | metadata:
5 | name: {{ template "sysdig.fullname" .}}
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | subjects:
9 | - kind: ServiceAccount
10 | name: {{ template "sysdig.serviceAccountName" .}}
11 | namespace: {{ .Release.Namespace }}
12 | roleRef:
13 | kind: ClusterRole
14 | name: {{ template "sysdig.fullname" .}} # presumably defined in a sibling template not shown here
15 | apiGroup: rbac.authorization.k8s.io
16 | {{- end }}
17 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/configmap-benchmark-runner.yaml:
--------------------------------------------------------------------------------
1 | {{- if not .Values.gke.autopilot }}
2 | {{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (include "nodeAnalyzer.deployBenchmarkRunner" .) }}
3 | apiVersion: v1
4 | kind: ConfigMap # benchmark-runner settings; skipped on GKE Autopilot and whenever the "nia" deployment path is selected
5 | metadata:
6 | name: {{ template "sysdig.fullname" . }}-benchmark-runner
7 | labels:
8 | {{ include "sysdig.labels" . | indent 4 }}
9 | data:
10 | collector_endpoint: https://{{ .Values.nodeAnalyzer.apiEndpoint | default .Values.nodeAnalyzer.collectorEndpoint }} # apiEndpoint takes precedence over collectorEndpoint; both are always prefixed with https://
11 | {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
12 | ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}" # only emitted when the key is present in values, so leaving it unset keeps the runner's own default
13 | {{- end }}
14 | debug: "{{ .Values.nodeAnalyzer.debug | default false }}"
15 | {{- if .Values.nodeAnalyzer.httpProxy }}
16 | http_proxy: {{ .Values.nodeAnalyzer.httpProxy }}
17 | {{- end -}}
18 | {{- if .Values.nodeAnalyzer.httpsProxy }}
19 | https_proxy: {{ .Values.nodeAnalyzer.httpsProxy }}
20 | {{- end -}}
21 | {{- if .Values.nodeAnalyzer.noProxy }}
22 | no_proxy: {{ .Values.nodeAnalyzer.noProxy }}
23 | {{- end -}}
24 | {{- end }}
25 | {{- end }}
26 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/configmap-custom-app-checks.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.customAppChecks }}
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: {{ template "sysdig.fullname" . }}-custom-app-checks # one data key per entry of the customAppChecks map; scripts/appchecks2helm builds that map from app-check files (key = basename, value = file content)
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | data:
9 | {{- range $file, $content := .Values.customAppChecks }}
10 | {{ $file }}: |-
11 | {{ $content | indent 4}}
12 | {{- end }}
13 | {{- end }}
14 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/configmap-kspm-analyzer.yaml:
--------------------------------------------------------------------------------
1 | {{ if .Values.kspm.deploy }}
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: {{ template "sysdig.fullname" . }}-kspm-analyzer
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | data:
9 | {{- $env := "PRODUCTION" -}}
10 | {{ if .Values.nodeAnalyzer.kspmAnalyzer.debug }}
11 | {{- $env = "DEVELOPMENT" -}}
12 | {{ end}}
13 | environment: {{ $env }} # "DEVELOPMENT" when nodeAnalyzer.kspmAnalyzer.debug is set, otherwise "PRODUCTION"
14 | external_nats_url: {{ include "sysdig.natsUrl" . }}
15 | cluster_name: {{ required "A valid .Values.clusterName is required" .Values.clusterName }} # rendering fails with this message when clusterName is unset
16 | agent_app_name: {{ include "sysdig.name" . }}-node-analyzer
17 | {{- end -}}
18 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/kspmCollector/clusterrolebinding-kspm-collector.yaml:
--------------------------------------------------------------------------------
{{- /*
Binds the kspm-collector ServiceAccount to the ClusterRole of the same name
(the ClusterRole is defined elsewhere in the chart). Rendered only when the chart
manages RBAC objects (.Values.rbac.create) and the KSPM collector is deployed.

NOTE(review): the ServiceAccount itself (serviceaccount-kspm-collector.yaml) is
gated on .Values.serviceAccount.create, not on rbac.create. With rbac.create=true
and serviceAccount.create=false this binding still renders and points at a
ServiceAccount that must already exist under the same name in the release
namespace — fine for bring-your-own-SA setups, but the two flags are independent.
*/}}
{{- if and .Values.rbac.create .Values.kspm.deploy }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "sysdig.fullname" .}}-kspm-collector
  labels:
{{ include "sysdig.labels" . | indent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ template "sysdig.serviceAccountName" .}}-kspm-collector
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ template "sysdig.fullname" .}}-kspm-collector
  apiGroup: rbac.authorization.k8s.io
{{- end }}
17 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/kspmCollector/configmap-kspm-collector.yaml:
--------------------------------------------------------------------------------
{{- /*
Runtime settings for the KSPM collector, rendered when .Values.kspm.deploy is true.

- environment: PRODUCTION unless .Values.kspmCollector.debug is set, then DEVELOPMENT.
- included/excluded namespaces and workloads: passed through `quote`, so each
  reaches the collector as a single string in whatever format the values file used.
- health_interval_minutes: defaults to 5 when not set, quoted as a string.
- external_nats_url: produced by the "sysdig.natsUrl" helper (defined elsewhere).
- cluster_name: mandatory; `required` aborts the render when .Values.clusterName is empty.
*/}}
{{- if .Values.kspm.deploy }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "sysdig.fullname" . }}-kspm-collector
  labels:
{{ include "sysdig.labels" . | indent 4 }}
data:
{{- $env := "PRODUCTION" -}}
{{ if .Values.kspmCollector.debug }}
{{- $env = "DEVELOPMENT" -}}
{{ end}}
  environment: {{ $env }}
  included_namespaces: {{ .Values.kspmCollector.settings.namespaces.included | quote}}
  excluded_namespaces: {{ .Values.kspmCollector.settings.namespaces.excluded | quote }}
  included_workloads: {{ .Values.kspmCollector.settings.workloads.included | quote }}
  excluded_workloads: {{ .Values.kspmCollector.settings.workloads.excluded | quote }}
  health_interval_minutes: {{ .Values.kspmCollector.settings.healthIntervalMin | default 5 | quote }}
  external_nats_url: {{ include "sysdig.natsUrl" . }}
  cluster_name: {{ required "A valid .Values.clusterName is required" .Values.clusterName }}
{{- end }}
22 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/kspmCollector/serviceaccount-kspm-collector.yaml:
--------------------------------------------------------------------------------
1 | {{- if and .Values.serviceAccount.create .Values.kspm.deploy }}
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 | name: {{ template "sysdig.serviceAccountName" .}}-kspm-collector
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | {{- end }}
9 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/psp-node-analyzer.yaml:
--------------------------------------------------------------------------------
{{- /*
PodSecurityPolicy for the node analyzer. Rendered only when .Values.psp.create is
set AND the cluster is older than 1.25 (the "sysdig.kubeVersionLessThan" helper is
defined elsewhere in the chart); policy/v1beta1 PodSecurityPolicy no longer exists
from Kubernetes 1.25 on, so the guard keeps the chart installable there.

This policy is fully permissive: privileged, every capability, host PID/IPC/network,
every host port and every volume type. That latitude is what a kernel-level agent
needs, but any other pod bound to this PSP inherits it too — the bindings live
outside this file. The spec is identical to psp.yaml apart from the name suffix.

NOTE(review): hostPorts max is 65536, one above the highest valid port (65535).
Harmless for an allow-all intent, but confirm the API server accepts it.
*/}}
{{- if and .Values.psp.create (include "sysdig.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "sysdig.fullname" . }}-node-analyzer
spec:
  allowedCapabilities:
    - '*'
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
    - max: 65536
      min: 1
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
{{- end }}
27 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/psp.yaml:
--------------------------------------------------------------------------------
{{- /*
PodSecurityPolicy for the agent itself. Rendered only when .Values.psp.create is
set AND the cluster is older than 1.25 (the "sysdig.kubeVersionLessThan" helper is
defined elsewhere in the chart); policy/v1beta1 PodSecurityPolicy no longer exists
from Kubernetes 1.25 on, so the guard keeps the chart installable there.

This policy is fully permissive: privileged, every capability, host PID/IPC/network,
every host port and every volume type. That latitude is what a kernel-level agent
needs, but any other pod bound to this PSP inherits it too — the bindings live
outside this file. The spec is identical to psp-node-analyzer.yaml apart from the
name.

NOTE(review): hostPorts max is 65536, one above the highest valid port (65535).
Harmless for an allow-all intent, but confirm the API server accepts it.
*/}}
{{- if and .Values.psp.create (include "sysdig.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "sysdig.fullname" . }}
spec:
  allowedCapabilities:
    - '*'
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
    - max: 65536
      min: 1
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
{{- end }}
27 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/runtimeScanner/eveconnector-api-configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
ConfigMap for the eve connector API. Gated on: the node analyzer being deployed
through this path (not the NIA path, not GKE Autopilot), the runtime scanner being
enabled either directly or via secure.vulnerabilityManagement.newEngineOnly, and
nodeAnalyzer.runtimeScanner.eveConnector.deploy.

- api_endpoint: scheme is fixed to https; .Values.nodeAnalyzer.apiEndpoint is mandatory.
- cluster_name: mandatory; `required` aborts the render when empty.
- ssl_verify_certificate: written only when the key is explicitly present in values,
  so an absent key leaves the consumer's own default in force (not visible here).
  Operators who set it to false should know they are disabling TLS verification
  towards the API endpoint.
- cert_dns_name: from the "eveconnector.host" helper (defined elsewhere). The hasKey
  guard around it is redundant: the enclosing condition already dereferences
  .nodeAnalyzer.runtimeScanner.eveConnector.deploy, so the key is present whenever
  this block renders at all.
*/}}
{{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (not .Values.gke.autopilot) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "sysdig.fullname" . }}-eveconnector
  labels:
{{ include "sysdig.labels" . | indent 4 }}
data:
  api_endpoint: https://{{ required "A valid .Values.nodeAnalyzer.apiEndpoint is required" .Values.nodeAnalyzer.apiEndpoint }}
  cluster_name: {{ required "A valid .Values.clusterName is required" .Values.clusterName }}
  {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
  ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}"
  {{- end }}
  {{- if hasKey .Values.nodeAnalyzer.runtimeScanner "eveConnector" }}
  cert_dns_name: {{ include "eveconnector.host" . | quote }}
  {{- end }}
{{- end }}
18 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/runtimeScanner/eveconnector-api-service.yaml:
--------------------------------------------------------------------------------
1 | {{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (not .Values.gke.autopilot) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }}
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: {{ template "sysdig.fullname" . }}-eveconnector
6 | labels:
7 | app.kubernetes.io/name: {{ include "sysdig.name" . }}-eveconnector
8 | {{ include "sysdig.labels" . | indent 4 }}
9 | spec:
10 | selector:
11 | app.kubernetes.io/name: {{ include "sysdig.name" . }}-eveconnector
12 | app.kubernetes.io/instance: {{ .Release.Name }}
13 | ports:
14 | - protocol: TCP
15 | port: 443
16 | targetPort: 7000
17 | {{- end }}
18 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/runtimeScanner/sysdig-eve-secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Secret consumed by the eve connector, rendered under the same gate as the
eveconnector ConfigMap and Service.

- endpoint: built from the "eveconnector.host" helper, prefixed with https:// and
  base64-encoded here.
- token: taken verbatim from the "eveconnector.token" helper. Because it lands under
  `data:` (not `stringData:`), that helper must already return a base64 value —
  confirm in the chart's helpers, which are not in this file.

NOTE(review): the Secret name is the literal `sysdig-eve-secret`, not derived from
the release fullname like the other objects, so two releases of this chart in one
namespace would fight over the same Secret.
*/}}
{{- if and (not (include "deploy-nia" .)) .Values.nodeAnalyzer.deploy (not .Values.gke.autopilot) (or .Values.nodeAnalyzer.runtimeScanner.deploy .Values.secure.vulnerabilityManagement.newEngineOnly) .Values.nodeAnalyzer.runtimeScanner.eveConnector.deploy }}
---
apiVersion: v1
kind: Secret
metadata:
  name: sysdig-eve-secret
  labels:
{{ include "sysdig.labels" . | indent 4 }}
type: Opaque
data:
  endpoint: {{ include "eveconnector.host" . | printf "https://%s" | b64enc | quote }}
  token: {{ include "eveconnector.token" . }}
{{- end }}
14 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/secrets.yaml:
--------------------------------------------------------------------------------
{{- /*
Agent access-key Secret plus any user-supplied extra Secrets.

The access-key Secret is rendered only when no pre-existing Secret is named in
.Values.sysdig.existingAccessKeySecret. In that case .Values.sysdig.accessKey is
mandatory (`required` aborts the render otherwise) and is base64-encoded here.
Prefer existingAccessKeySecret in real deployments so the key never sits in a
values file or release history.

.Values.extraSecrets is a list of {name, data} entries, each emitted as its own
Opaque Secret. The `data` map is dumped verbatim under `data:`, so every value in
it must already be base64-encoded by the caller — this is not `stringData:`.
Inside the range, `$` reaches the root context for the labels helper.
*/}}
{{- if not .Values.sysdig.existingAccessKeySecret }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "sysdig.fullname" . }}
  labels:
{{ include "sysdig.labels" . | indent 4 }}
type: Opaque
data:
  access-key: {{ required "A valid .Values.sysdig.accessKey is required" .Values.sysdig.accessKey | b64enc | quote }}
{{- end }}
{{- range .Values.extraSecrets }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ .name }}
  labels:
{{ include "sysdig.labels" $ | indent 4 }}
type: Opaque
data:
{{ toYaml .data | indent 2 }}
{{- end }}
25 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/service.yaml:
--------------------------------------------------------------------------------
{{- /*
Service in front of the agent's audit-log listener, rendered only when
.Values.auditLog.enabled is true. No `type` is set, so this is a ClusterIP
Service; no targetPort is set, so the container port is taken to be the same as
.Values.auditLog.auditServerPort. The selector matches the agent pods through the
chart's name and release-instance labels.
*/}}
{{- if .Values.auditLog.enabled }}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "sysdig.fullname" . }}
  labels:
{{ include "sysdig.labels" . | indent 4 }}
spec:
  selector:
    app.kubernetes.io/name: {{ include "sysdig.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
  ports:
    - protocol: TCP
      port: {{ .Values.auditLog.auditServerPort }}
{{- end }}
16 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/serviceaccount-node-analyzer.yaml:
--------------------------------------------------------------------------------
1 | {{- if and (include "deploy-na" .) .Values.nodeAnalyzer.serviceAccount.create }}
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 | name: {{ template "sysdig.nodeAnalyzer.serviceAccountName" .}}
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | {{- end }}
9 |
--------------------------------------------------------------------------------
/charts/sysdig/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.serviceAccount.create }}
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 | name: {{ template "sysdig.serviceAccountName" .}}
6 | labels:
7 | {{ include "sysdig.labels" . | indent 4 }}
8 | {{- end }}
9 |
--------------------------------------------------------------------------------
/cr.yaml:
--------------------------------------------------------------------------------
1 | release-notes-file: RELEASE-NOTES.md
2 | skip-existing: true
3 | sign: true
4 |
--------------------------------------------------------------------------------
/rh-shield-operator/Dockerfile:
--------------------------------------------------------------------------------
# Build the manager binary
# Image for rh-shield-operator: the upstream helm-operator base plus this repo's
# watches.yaml and the shield chart, so the operator reconciles Shield custom
# resources (see watches.yaml) with that chart.
# NOTE(review): the base image is pinned by tag only. Tags can be re-pushed;
# pinning by digest (`<image>@sha256:<digest>`, placeholder) makes the build
# reproducible and tamper-evident, which a certified operator image normally wants.
FROM quay.io/operator-framework/helm-operator:v1.38.0

# Supplied at build time; only used for the `version` label below.
ARG RELEASE_VERSION

LABEL name="rh-shield-operator" \
      vendor="Sysdig" \
      maintainer="Sysdig" \
      version="${RELEASE_VERSION}" \
      release="1" \
      summary="Operator based on the shield chart by Sysdig" \
      description="Operator based on the shield Helm chart by Sysdig for the installation and management of the Cluster and Host Shield components."
# Licence text under /licenses/ — presumably for container-certification tooling
# that expects it there; confirm against the release workflow.
COPY LICENSE /licenses/

# The operator runs with HOME as its working directory, and watches.yaml refers to
# the chart by the relative path helm-charts/shield.
# NOTE(review): in this repository rh-shield-operator/helm-charts/shield is a
# symlink to ../../charts/shield; the build context must present it as a real
# directory for the COPY below to carry the chart contents — verify in CI.
ENV HOME=/opt/helm
COPY watches.yaml ${HOME}/watches.yaml
COPY helm-charts ${HOME}/helm-charts
WORKDIR ${HOME}
19 |
--------------------------------------------------------------------------------
/rh-shield-operator/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (c) 2024, Sysdig. All Rights Reserved.
2 |
--------------------------------------------------------------------------------
/rh-shield-operator/PROJECT:
--------------------------------------------------------------------------------
1 | # Code generated by tool. DO NOT EDIT.
2 | # This file is used to track the info used to scaffold your project
3 | # and allow the plugins properly work.
4 | # More info: https://book.kubebuilder.io/reference/project-config.html
5 | domain: sysdig.com
6 | layout:
7 | - helm.sdk.operatorframework.io/v1
8 | plugins:
9 | manifests.sdk.operatorframework.io/v2: {}
10 | scorecard.sdk.operatorframework.io/v2: {}
11 | projectName: rh-shield-operator
12 | resources:
13 | - api:
14 | crdVersion: v1
15 | namespaced: true
16 | domain: sysdig.com
17 | group: shield
18 | kind: Shield
19 | version: v1alpha1
20 | version: "3"
21 |
--------------------------------------------------------------------------------
/rh-shield-operator/bundle.Dockerfile:
--------------------------------------------------------------------------------
1 | FROM scratch
2 |
3 | # Core bundle labels.
4 | LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
5 | LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
6 | LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
7 | LABEL operators.operatorframework.io.bundle.package.v1=rh-shield-operator
8 | LABEL operators.operatorframework.io.bundle.channels.v1=alpha
9 | LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.38.0
10 | LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
11 | LABEL operators.operatorframework.io.metrics.project_layout=helm.sdk.operatorframework.io/v1
12 |
13 | # Labels for testing.
14 | LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
15 | LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
16 |
17 | # Copy files to locations specified by labels.
18 | COPY bundle/manifests /manifests/
19 | COPY bundle/metadata /metadata/
20 | COPY bundle/tests/scorecard /tests/scorecard/
21 |
--------------------------------------------------------------------------------
/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app.kubernetes.io/managed-by: kustomize
7 | app.kubernetes.io/name: rh-shield-operator
8 | control-plane: controller-manager
9 | name: rh-shield-operator-controller-manager-metrics-service
10 | spec:
11 | ports:
12 | - name: https
13 | port: 8443
14 | protocol: TCP
15 | targetPort: 8443
16 | selector:
17 | control-plane: controller-manager
18 | status:
19 | loadBalancer: {}
20 |
--------------------------------------------------------------------------------
/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRole
3 | metadata:
4 | creationTimestamp: null
5 | name: rh-shield-operator-metrics-reader
6 | rules:
7 | - nonResourceURLs:
8 | - /metrics
9 | verbs:
10 | - get
11 |
--------------------------------------------------------------------------------
/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRole
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app.kubernetes.io/managed-by: kustomize
7 | app.kubernetes.io/name: rh-shield-operator
8 | name: rh-shield-operator-shield-editor-role
9 | rules:
10 | - apiGroups:
11 | - shield.sysdig.com
12 | resources:
13 | - shields
14 | verbs:
15 | - create
16 | - delete
17 | - get
18 | - list
19 | - patch
20 | - update
21 | - watch
22 | - apiGroups:
23 | - shield.sysdig.com
24 | resources:
25 | - shields/status
26 | verbs:
27 | - get
28 |
--------------------------------------------------------------------------------
/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRole
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app.kubernetes.io/managed-by: kustomize
7 | app.kubernetes.io/name: rh-shield-operator
8 | name: rh-shield-operator-shield-viewer-role
9 | rules:
10 | - apiGroups:
11 | - shield.sysdig.com
12 | resources:
13 | - shields
14 | verbs:
15 | - get
16 | - list
17 | - watch
18 | - apiGroups:
19 | - shield.sysdig.com
20 | resources:
21 | - shields/status
22 | verbs:
23 | - get
24 |
--------------------------------------------------------------------------------
/rh-shield-operator/bundle/metadata/annotations.yaml:
--------------------------------------------------------------------------------
1 | annotations:
2 | # Core bundle annotations.
3 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1
4 | operators.operatorframework.io.bundle.manifests.v1: manifests/
5 | operators.operatorframework.io.bundle.metadata.v1: metadata/
6 | operators.operatorframework.io.bundle.package.v1: rh-shield-operator
7 | operators.operatorframework.io.bundle.channels.v1: alpha
8 | operators.operatorframework.io.metrics.builder: operator-sdk-v1.38.0
9 | operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
10 | operators.operatorframework.io.metrics.project_layout: helm.sdk.operatorframework.io/v1
11 |
12 | # Annotations for testing.
13 | operators.operatorframework.io.test.mediatype.v1: scorecard+v1
14 | operators.operatorframework.io.test.config.v1: tests/scorecard/
15 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/crd/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # This kustomization.yaml is not intended to be run by itself,
2 | # since it depends on service name and namespace that are out of this kustomize package.
3 | # It should be run by config/default
4 | resources:
5 | - bases/shield.sysdig.com_shields.yaml
6 | #+kubebuilder:scaffold:crdkustomizeresource
7 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/default/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # Adds namespace to all resources.
2 | namespace: rh-shield-operator-system
3 |
4 | # Value of this field is prepended to the
5 | # names of all resources, e.g. a deployment named
6 | # "wordpress" becomes "alices-wordpress".
7 | # Note that it should also match with the prefix (text before '-') of the namespace
8 | # field above.
9 | namePrefix: rh-shield-operator-
10 |
11 | # Labels to add to all resources and selectors.
12 | #labels:
13 | #- includeSelectors: true
14 | # pairs:
15 | # someName: someValue
16 |
17 | resources:
18 | - ../crd
19 | - ../rbac
20 | - ../manager
21 | # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
22 | #- ../prometheus
23 | # [METRICS] Expose the controller manager metrics service.
24 | - metrics_service.yaml
25 |
26 | # Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager
27 | patches:
28 | # [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
29 | # More info: https://book.kubebuilder.io/reference/metrics
30 | - path: manager_metrics_patch.yaml
31 | target:
32 | kind: Deployment
33 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/default/manager_metrics_patch.yaml:
--------------------------------------------------------------------------------
# JSON 6902 patches applied to the controller-manager Deployment by
# config/default/kustomization.yaml. Each op inserts at index 0 of the first
# container's `args`, so after all three run in order the prepended args read,
# front to back: --metrics-require-rbac, --metrics-secure,
# --metrics-bind-address=:8443 — the reverse of the order written here.
# Together they move the metrics endpoint from plain HTTP to HTTPS with
# token-based authn/authz; :8443 matches the metrics Service's targetPort.
# NOTE(review): `add` at an explicit index needs the `args` array to already
# exist on the container in manager/manager.yaml (not in this listing); if it is
# absent the patch is expected to fail rather than create the array.
# This patch adds the args to allow exposing the metrics endpoint using HTTPS
- op: add
  path: /spec/template/spec/containers/0/args/0
  value: --metrics-bind-address=:8443
# This patch adds the args to allow securing the metrics endpoint
- op: add
  path: /spec/template/spec/containers/0/args/0
  value: --metrics-secure
# This patch adds the args to allow RBAC-based authn/authz the metrics endpoint
- op: add
  path: /spec/template/spec/containers/0/args/0
  value: --metrics-require-rbac
13 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/default/metrics_service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | labels:
5 | control-plane: controller-manager
6 | app.kubernetes.io/name: rh-shield-operator
7 | app.kubernetes.io/managed-by: kustomize
8 | name: controller-manager-metrics-service
9 | namespace: system
10 | spec:
11 | ports:
12 | - name: https
13 | port: 8443
14 | protocol: TCP
15 | targetPort: 8443
16 | selector:
17 | control-plane: controller-manager
18 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/manager/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 | - manager.yaml
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | images:
6 | - name: controller
7 | newName: quay.io/sysdig/rh-shield-operator
8 | newTag: v0.2.0
9 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/manifests/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # These resources constitute the fully configured set of manifests
2 | # used to generate the 'manifests/' directory in a bundle.
3 | resources:
4 | - bases/rh-shield-operator.clusterserviceversion.yaml
5 | - ../default
6 | - ../samples
7 | - ../scorecard
8 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/prometheus/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 | - monitor.yaml
3 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/prometheus/monitor.yaml:
--------------------------------------------------------------------------------
# Prometheus Monitor Service (Metrics)
# ServiceMonitor that scrapes the controller-manager metrics Service over HTTPS.
# Opt-in: config/default/kustomization.yaml keeps `../prometheus` commented out.
# `port: https` refers to the port *name* in the metrics Service, which is where
# the Service defines it.
# The scrape authenticates with the Prometheus pod's own ServiceAccount token
# (bearerTokenFile), so that ServiceAccount needs `get` on /metrics — the
# metrics-reader ClusterRole in rbac/ grants exactly that; bind it to the
# Prometheus ServiceAccount, not to the operator's.
# NOTE(review): tlsConfig points at /etc/metrics-certs/*; nothing in this listing
# mounts those files into Prometheus or issues the serving certificate, so whoever
# enables this monitor must provide them, and caFile must chain to the cert the
# metrics endpoint actually serves, or the scrape fails TLS verification.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: rh-shield-operator
    app.kubernetes.io/managed-by: kustomize
  name: controller-manager-metrics-monitor
  namespace: system
spec:
  endpoints:
    - path: /metrics
      port: https # Ensure this is the name of the port that exposes HTTPS metrics
      scheme: https
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        caFile: /etc/metrics-certs/ca.crt
        certFile: /etc/metrics-certs/tls.crt
        keyFile: /etc/metrics-certs/tls.key
  selector:
    matchLabels:
      control-plane: controller-manager
24 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/leader_election_role.yaml:
--------------------------------------------------------------------------------
1 | # permissions to do leader election.
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: Role
4 | metadata:
5 | labels:
6 | app.kubernetes.io/name: rh-shield-operator
7 | app.kubernetes.io/managed-by: kustomize
8 | name: leader-election-role
9 | rules:
10 | - apiGroups:
11 | - ""
12 | resources:
13 | - configmaps
14 | verbs:
15 | - get
16 | - list
17 | - watch
18 | - create
19 | - update
20 | - patch
21 | - delete
22 | - apiGroups:
23 | - coordination.k8s.io
24 | resources:
25 | - leases
26 | verbs:
27 | - get
28 | - list
29 | - watch
30 | - create
31 | - update
32 | - patch
33 | - delete
34 | - apiGroups:
35 | - ""
36 | resources:
37 | - events
38 | verbs:
39 | - create
40 | - patch
41 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/leader_election_role_binding.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: RoleBinding
3 | metadata:
4 | labels:
5 | app.kubernetes.io/name: rh-shield-operator
6 | app.kubernetes.io/managed-by: kustomize
7 | name: leader-election-rolebinding
8 | roleRef:
9 | apiGroup: rbac.authorization.k8s.io
10 | kind: Role
11 | name: leader-election-role
12 | subjects:
13 | - kind: ServiceAccount
14 | name: controller-manager
15 | namespace: system
16 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/metrics_auth_role.yaml:
--------------------------------------------------------------------------------
# ClusterRole bound to the controller-manager ServiceAccount (see
# metrics_auth_role_binding.yaml). Creating TokenReviews and SubjectAccessReviews
# is what a server needs to authenticate callers' bearer tokens and check their
# RBAC permissions — presumably the server-side half of the --metrics-secure /
# --metrics-require-rbac flags added in default/manager_metrics_patch.yaml.
# Scrapers additionally need `get` on /metrics (metrics_reader_role.yaml).
# Deliberately narrow: nothing here lets the operator read other subjects' tokens,
# only validate one that is presented to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-auth-role
rules:
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
18 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/metrics_auth_role_binding.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRoleBinding
3 | metadata:
4 | name: metrics-auth-rolebinding
5 | roleRef:
6 | apiGroup: rbac.authorization.k8s.io
7 | kind: ClusterRole
8 | name: metrics-auth-role
9 | subjects:
10 | - kind: ServiceAccount
11 | name: controller-manager
12 | namespace: system
13 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/metrics_reader_role.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRole
3 | metadata:
4 | name: metrics-reader
5 | rules:
6 | - nonResourceURLs:
7 | - "/metrics"
8 | verbs:
9 | - get
10 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/role_binding.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRoleBinding
3 | metadata:
4 | labels:
5 | app.kubernetes.io/name: rh-shield-operator
6 | app.kubernetes.io/managed-by: kustomize
7 | name: manager-rolebinding
8 | roleRef:
9 | apiGroup: rbac.authorization.k8s.io
10 | kind: ClusterRole
11 | name: manager-role
12 | subjects:
13 | - kind: ServiceAccount
14 | name: controller-manager
15 | namespace: system
16 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/service_account.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 | labels:
5 | app.kubernetes.io/name: rh-shield-operator
6 | app.kubernetes.io/managed-by: kustomize
7 | name: controller-manager
8 | namespace: system
9 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/shield_editor_role.yaml:
--------------------------------------------------------------------------------
1 | # permissions for end users to edit shields.
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 | labels:
6 | app.kubernetes.io/name: rh-shield-operator
7 | app.kubernetes.io/managed-by: kustomize
8 | name: shield-editor-role
9 | rules:
10 | - apiGroups:
11 | - shield.sysdig.com
12 | resources:
13 | - shields
14 | verbs:
15 | - create
16 | - delete
17 | - get
18 | - list
19 | - patch
20 | - update
21 | - watch
22 | - apiGroups:
23 | - shield.sysdig.com
24 | resources:
25 | - shields/status
26 | verbs:
27 | - get
28 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/rbac/shield_viewer_role.yaml:
--------------------------------------------------------------------------------
1 | # permissions for end users to view shields.
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 | labels:
6 | app.kubernetes.io/name: rh-shield-operator
7 | app.kubernetes.io/managed-by: kustomize
8 | name: shield-viewer-role
9 | rules:
10 | - apiGroups:
11 | - shield.sysdig.com
12 | resources:
13 | - shields
14 | verbs:
15 | - get
16 | - list
17 | - watch
18 | - apiGroups:
19 | - shield.sysdig.com
20 | resources:
21 | - shields/status
22 | verbs:
23 | - get
24 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/samples/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ## Append samples of your project ##
2 | resources:
3 | - shield_v1alpha1_shield.yaml
4 | #+kubebuilder:scaffold:manifestskustomizesamples
5 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/scorecard/bases/config.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: scorecard.operatorframework.io/v1alpha3
2 | kind: Configuration
3 | metadata:
4 | name: config
5 | stages:
6 | - parallel: true
7 | tests: []
8 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/scorecard/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 | - bases/config.yaml
3 | patchesJson6902:
4 | - path: patches/basic.config.yaml
5 | target:
6 | group: scorecard.operatorframework.io
7 | version: v1alpha3
8 | kind: Configuration
9 | name: config
10 | - path: patches/olm.config.yaml
11 | target:
12 | group: scorecard.operatorframework.io
13 | version: v1alpha3
14 | kind: Configuration
15 | name: config
16 | #+kubebuilder:scaffold:patchesJson6902
17 |
--------------------------------------------------------------------------------
/rh-shield-operator/config/scorecard/patches/basic.config.yaml:
--------------------------------------------------------------------------------
1 | - op: add
2 | path: /stages/0/tests/-
3 | value:
4 | entrypoint:
5 | - scorecard-test
6 | - basic-check-spec
7 | image: quay.io/operator-framework/scorecard-test:v1.36.1
8 | labels:
9 | suite: basic
10 | test: basic-check-spec-test
11 |
--------------------------------------------------------------------------------
/rh-shield-operator/helm-charts/shield:
--------------------------------------------------------------------------------
1 | ../../charts/shield/
--------------------------------------------------------------------------------
/rh-shield-operator/watches.yaml:
--------------------------------------------------------------------------------
1 | # Use the 'create api' subcommand to add watches to this file.
2 | - group: shield.sysdig.com
3 | version: v1alpha1
4 | kind: Shield
5 | chart: helm-charts/shield
6 | #+kubebuilder:scaffold:watch
7 |
--------------------------------------------------------------------------------
/scripts/chart-version-bump.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh
# Bumps the last component of the `version:` line in Chart.yaml in place:
# split on ".", increment the final field, write the result to Chart.yaml.2 and
# then move it over Chart.yaml. Runs in the chart directory (relative paths).
#
# NOTE(review): the awk program is incomplete as captured in this listing — the
# body of the `for` loop, the rest of the awk script and the redirection into
# Chart.yaml.2 (original lines 12–17) are missing, most likely because a `<`
# comparison was stripped during extraction. Treat the text below as a fragment,
# not as a runnable script.

set -e

awk '
{
  if ($0 ~ /^version:/)
  {
    l = split($NF, v, ".");
    v[l]++;
    for (i=1; i Chart.yaml.2

mv Chart.yaml.2 Chart.yaml
20 |
--------------------------------------------------------------------------------
/scripts/cluster-scanner/README.md:
--------------------------------------------------------------------------------
1 | # Cluster Scanner Scripts
2 |
3 | This folder contains the scripts used to configure the Cluster Scanner for
4 | `multi` mode.
5 |
--------------------------------------------------------------------------------