From 023b8ee4c84712d183a13d523427ab745d4a5c71 Mon Sep 17 00:00:00 2001
From: Federico Mengozzi <19249682+fedemengo@users.noreply.github.com>
Date: Tue, 19 Dec 2023 14:41:10 +0100
Subject: [PATCH] feat(registry-scanner): ovveride platform scanning logic (#1496)

---
 charts/registry-scanner/Chart.yaml | 4 ++--
 charts/registry-scanner/README.md | 3 ++-
 charts/registry-scanner/README.tpl | 2 +-
 charts/registry-scanner/templates/_job.tpl | 2 ++
 charts/registry-scanner/templates/configmap.yaml | 1 +
 charts/registry-scanner/tests/configmap_test.yaml | 14 ++++++++++++++
 charts/registry-scanner/values.yaml | 2 ++
 7 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/charts/registry-scanner/Chart.yaml b/charts/registry-scanner/Chart.yaml
index 0da670392..97892ccf9 100644
--- a/charts/registry-scanner/Chart.yaml
+++ b/charts/registry-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Registry Scanner
 type: application
 home: https://www.sysdig.com/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
-version: 1.1.25
-appVersion: 0.2.60
+version: 1.1.26
+appVersion: 0.2.61
 maintainers:
 - name: sysdiglabs
diff --git a/charts/registry-scanner/README.md b/charts/registry-scanner/README.md
index bcd194828..bb5884b18 100644
--- a/charts/registry-scanner/README.md
+++ b/charts/registry-scanner/README.md
@@ -93,6 +93,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca
 | config.scan.jobs.resources.requests.cpu | The CPU request for the scanner job. | 500m |
 | config.scan.jobs.resources.limits.memory | The memory limit for the scanner job. | 2Gi |
 | config.scan.jobs.temporaryVolumeSizeLimit | The size limit for the emptyDir volume used by the scanner job.
This volume is used to store both the vulnerability database and the image to scan. | 2Gi |
+| config.scan.disablePlatformScanning | Force the scan to happen on the client component rather than relying on backend scanning | false |
 | config.parallelGoRoutines | Number of goroutines running in parallel in metadata phase for ECR Org setup. | 100 |
 | ssl.ca.certs | For outbound connections.
List of PEM-encoded x509 certificate authority. | [] |
 | customLabels | The additional labels to add to CronJob and Scanning Jobs. The custom labels to be added to kubernetes manifests of all the resources created. | {} |
@@ -129,7 +130,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
 --namespace sysdig-agent \
 --create-namespace \
- --version=1.1.25 \
+ --version=1.1.26 \
 --set config.secureBaseURL= \
 --set config.secureAPIToken= \
 --set config.secureSkipTLS=true \
diff --git a/charts/registry-scanner/README.tpl b/charts/registry-scanner/README.tpl
index e1950db19..9e7c5616d 100644
--- a/charts/registry-scanner/README.tpl
+++ b/charts/registry-scanner/README.tpl
@@ -62,7 +62,7 @@ Use the following command to deploy:
 helm upgrade --install registry-scanner \
 --namespace sysdig-agent \
 --create-namespace \
- {{ with .Chart.Version }}--version={{.}} {{ end }} \
+ {{ with .Chart.Version }}--version={{.}}{{ end }} \
 --set config.secureBaseURL= \
 --set config.secureAPIToken= \
 --set config.secureSkipTLS=true \
diff --git a/charts/registry-scanner/templates/_job.tpl b/charts/registry-scanner/templates/_job.tpl
index 92cde2b68..157b305a8 100644
--- a/charts/registry-scanner/templates/_job.tpl
+++ b/charts/registry-scanner/templates/_job.tpl
@@ -128,6 +128,8 @@
 - name: REGISTRYSCANNER_PROFILING_ENABLED
 value: /profiling
 {{- end }}
+ - name: REGISTRYSCANNER_CRONJOB_SCHEDULE
+ value: {{ .Values.cronjob.schedule | quote }}
 {{- if .Values.extraEnvVars }}
 {{- toYaml .Values.extraEnvVars | nindent 10 }}
 {{- end }}
diff --git a/charts/registry-scanner/templates/configmap.yaml b/charts/registry-scanner/templates/configmap.yaml
index 7d460aa25..11d12a82f 100644
--- a/charts/registry-scanner/templates/configmap.yaml
+++ b/charts/registry-scanner/templates/configmap.yaml
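Review bot: The new REGISTRYSCANNER_CRONJOB_SCHEDULE entry is emitted unconditionally, and nothing in this commit explains what the scanner does with its own schedule; the subject mentions only platform scanning, and values.yaml and the README are not updated for it. A one-line template comment above the entry, e.g. `{{- /* REGISTRYSCANNER_CRONJOB_SCHEDULE: presumably exposes .Values.cronjob.schedule to the scanner process; see values.yaml cronjob.schedule */ -}}`, would at least tell the next maintainer where the value comes from. If `.Values.cronjob.schedule` can be unset, `quote` renders `value: ""` rather than omitting the variable, unlike the profiling entry just above, whose closing `{{- end }}` is visible while its condition lies outside the hunk; confirm an empty schedule is acceptable to the consumer. The env list this hunk sits in starts and ends outside the hunk.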
@@ -54,6 +54,7 @@ data:
 k8sInCluster: true
 namespace: {{ .Release.Namespace }}
 workers: {{ .Values.config.maxWorkers }}
+ disablePlatformScanning: {{ default false .Values.config.scan.disablePlatformScanning }}
 jobs:
 ttlSecondsAfterFinished: {{ .Values.config.scan.jobs.ttlSecondsAfterFinished }}
 serviceAccountName: {{ include "registry-scanner.serviceAccountName" . }}
diff --git a/charts/registry-scanner/tests/configmap_test.yaml b/charts/registry-scanner/tests/configmap_test.yaml
index b66a4062a..14b24d8a6 100644
--- a/charts/registry-scanner/tests/configmap_test.yaml
+++ b/charts/registry-scanner/tests/configmap_test.yaml
@@ -139,3 +139,17 @@ tests:
 - matchRegex:
 path: data['config.yaml']
 pattern: allowListMemberAccountIDs:\n\s*- 123456789
+ - it: platform scanning is not disable by default
+ asserts:
+ - matchRegex:
+ path: data['config.yaml']
+ pattern: scan:((.|\n)*)disablePlatformScanning:\s*false
+ - it: force scanning on the client component regardless of backend config
+ set:
+ config:
+ scan:
+ disablePlatformScanning: "true"
+ asserts:
+ - matchRegex:
+ path: data['config.yaml']
+ pattern: scan:((.|\n)*)disablePlatformScanning:\s*true
diff --git a/charts/registry-scanner/values.yaml b/charts/registry-scanner/values.yaml
index 43fe49795..0a32ef66c 100644
--- a/charts/registry-scanner/values.yaml
+++ b/charts/registry-scanner/values.yaml
@@ -105,6 +105,8 @@ config:
 # The size limit for the emptyDir volume used by the scanner job.
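Review bot: The `default false` on the new disablePlatformScanning line is only a guard against a missing or null key, because `default` also treats an explicit `false` as empty and substitutes the same `false`; since values.yaml sets the key to `false` in this same commit, the intent is worth a why-comment such as `{{- /* default false: survive a values override that nulls out config.scan.disablePlatformScanning */ -}}`. Any non-empty override is echoed verbatim into config.yaml, so a string supplied with `--set-string` (for example `yes` or `True`) lands unquoted and its meaning then depends on how strictly the scanner parses the rendered file; if only real booleans are acceptable, a `kindIs "bool"` check with `fail` at render time would reject bad input earlier than the scanner would. The `config.yaml` block scalar this line belongs to starts and ends outside the hunk.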
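Review bot: The second new test sets `disablePlatformScanning: "true"` as a string, so the boolean form documented in values.yaml is never exercised by an enabled case; change the `set:` value to the bare boolean `disablePlatformScanning: true`, or keep the string case and add a boolean one beside it. The first test's description has a typo: `- it: platform scanning is not disabled by default`. The `((.|\n)*)` between `scan:` and the key lets the pattern match a `disablePlatformScanning:` anywhere after the first `scan:` in the rendered config, so the prefix adds little anchoring; that is acceptable as long as the key is emitted once, which the configmap change in this commit does.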
# This volume is used to store both the vulnerability database and the image to scan.
 temporaryVolumeSizeLimit: 2Gi
+ # Force the scan to happen on the client component rather than relying on backend scanning
+ disablePlatformScanning: false
 # Number of goroutines running in parallel in metadata phase for ECR Org setup.
 parallelGoRoutines: 100
 ssl: