feat(node-analyzer): bumped host-scanner to 0.7.0 to add container scanning support (#1538)

Co-authored-by: Federico Feresini <[email protected]>
michele-mangili and FedericoFeresini authored Dec 20, 2023
1 parent f4070c7 commit 1e512f9
Showing 7 changed files with 100 additions and 5 deletions.
2 changes: 1 addition & 1 deletion charts/node-analyzer/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: node-analyzer
description: Sysdig Node Analyzer
# currently matching Sysdig's appVersion 1.14.34
version: 1.20.4
version: 1.21.0
appVersion: 12.9.0
keywords:
- monitoring
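Review bot: the comment on the line above `version` ("currently matching Sysdig's appVersion 1.14.34") is stale; the `appVersion` in the same hunk is `12.9.0`, so either update the comment to the real appVersion or drop it. The minor bump from `1.20.4` to `1.21.0` is the right choice for a new opt-in feature plus a scanner image bump.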
5 changes: 4 additions & 1 deletion charts/node-analyzer/README.md
Expand Up @@ -195,7 +195,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
| `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` |
| `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` |
| `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` |
| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.6.8` |
| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.7.0` |
| `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` |
| `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` |
| `nodeAnalyzer.hostScanner.http_proxy` | Sets `HTTP_PROXY` on the Host Scanner container. | `""` |
Expand All @@ -209,6 +209,9 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
| `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. | `1Gi` |
| `nodeAnalyzer.hostScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
| `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` |
| `nodeAnalyzer.hostScanner.scanContainers.enabled` | Set to `true` to scan containers | `false` |
| `nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath` | Specifies the path to docker socket | `unix:///var/run/docker.sock` |
| `nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath` | Specifies the path to podman socket | `unix:///var/run/podman.sock` |
| `nodeAnalyzer.runtimeScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | `false` |
| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` |
| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
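Review bot: the default column for `scanContainers.dockerSocketPath` and `scanContainers.podmanSocketPath` states `unix:///var/run/docker.sock` and `unix:///var/run/podman.sock`, but those values are not defaults of this chart: in `values.yaml` both keys are commented out and the configmap template only emits `docker_socket_path` / `podman_socket_path` when they are set, so the chart default is empty and whatever the scanner image falls back to applies. Either document them as "unset (scanner default)" or set them in `values.yaml`. The new rows also drop the trailing period used by every other description in the table, and the `scanContainers.enabled` description should say what enabling implies for the reader weighing the risk: the host scanner will talk to the container runtime socket on each node, and access to the docker socket is equivalent to root on that host, so this should be enabled only where that exposure is acceptable.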
8 changes: 8 additions & 0 deletions charts/node-analyzer/templates/configmap-host-scanner.yaml
Expand Up @@ -39,4 +39,12 @@ data:
{{- if .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion }}
vuln_db_version: {{ .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion | quote }}
{{- end }}
{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath }}
docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote}}
{{- end }}
{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath }}
podman_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath | quote}}
{{- end }}
{{- end}}
{{- end }}
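Review bot: style only, but the new lines are inconsistent with the surrounding template: `| quote}}` on the two `*_socket_path` lines lacks the space before `}}` that the `vuln_db_version` line above uses (`| quote }}`), and the inner `{{- end}}` that closes the `scanContainers.enabled` block lacks the space every other `{{- end }}` has. Emitting the keys only when set, and marking the matching `configMapKeyRef` as `optional: true` in the daemonset, is a sound pattern; worth a one-line comment here saying that an absent key means "use the scanner's built-in default".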
20 changes: 20 additions & 0 deletions charts/node-analyzer/templates/daemonset-node-analyzer.yaml
Expand Up @@ -890,6 +890,26 @@ spec:
- name: "{{ $key }}"
value: "{{ $value }}"
{{- end }}

{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
# Container scanner
- name: USE_COMBINED_SCANNER
value: "true"
- name: SCAN_CONTAINERS_ENABLED
value: "true"
- name: DOCKER_SOCKET_PATHS
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-host-scanner
key: docker_socket_path
optional: true
- name: PODMAN_SOCKET_PATHS
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-host-scanner
key: podman_socket_path
optional: true
{{- end }}
volumeMounts:
- mountPath: /tmp
name: tmp-vol
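Review bot: the env var names `DOCKER_SOCKET_PATHS` and `PODMAN_SOCKET_PATHS` are plural while the values keys (`dockerSocketPath`, `podmanSocketPath`), the configmap keys (`docker_socket_path`, `podman_socket_path`) and the README ("the path to docker socket") are all singular. If the scanner accepts a list (for example comma-separated, like `additionalDirsToScan`), the README and `values.yaml` comments should say so; if it accepts a single path, the env var names are misleading. Separately, this hunk adds only env vars and no `volumeMounts` / `hostPath` entry for either socket: if the host scanner container reaches the sockets through a host filesystem mount it already has, state that in the `# Container scanner` comment (and whether the path is interpreted relative to that mount), otherwise the configured path will not resolve inside the container.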
59 changes: 59 additions & 0 deletions charts/node-analyzer/tests/hostscanner_test.yaml
Expand Up @@ -168,3 +168,62 @@ tests:
of: ConfigMap
- isNull:
path: data.additional_dirs_to_scan

- it: "Container scanner is disabled by default"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
templates:
- ../templates/daemonset-node-analyzer.yaml
asserts:
- isKind:
of: DaemonSet
- isNull:
path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
- isNull:
path: spec.template.spec.containers[3].env[?(@.name == "SCAN_CONTAINERS_ENABLED")].value
- it: "Container scanner enabled - daemonset"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
nodeAnalyzer.hostScanner.scanContainers.enabled: true
templates:
- ../templates/daemonset-node-analyzer.yaml
asserts:
- isKind:
of: DaemonSet
- equal:
path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
value: "true"
- it: "Container scanner enabled and empty socket paths - configmap"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
nodeAnalyzer.hostScanner.scanContainers.enabled: true
templates:
- ../templates/configmap-host-scanner.yaml
asserts:
- isKind:
of: ConfigMap
- isNull:
path: data.docker_socket_path
- isNull:
path: data.podman_socket_path
- it: "Container scanner enabled and not empty socket paths - configmap"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
nodeAnalyzer.hostScanner.scanContainers.enabled: true
nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath: "/docker/socket"
nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath: "/podman/socket"
templates:
- ../templates/configmap-host-scanner.yaml
asserts:
- isKind:
of: ConfigMap
- equal:
path: data.docker_socket_path
value: "/docker/socket"
- equal:
path: data.podman_socket_path
value: "/podman/socket"
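Review bot: the "Container scanner enabled - daemonset" case only asserts `USE_COMBINED_SCANNER`; it should also assert `SCAN_CONTAINERS_ENABLED` equals `"true"` (the disabled case checks both, so the enabled case is asymmetric) and that `DOCKER_SOCKET_PATHS` / `PODMAN_SOCKET_PATHS` are wired via `valueFrom.configMapKeyRef` to `<release>-host-scanner` with `optional: true`, since that `optional` flag is what keeps the pod schedulable when the socket keys are absent from the configmap. The `containers[3]` index is brittle; a comment noting which container is expected at that position (or a `[?(@.name == ...)]` selector on the container, as is already done for the env entries) would make failures easier to read. Minor: the test values `/docker/socket` and `/podman/socket` omit the `unix://` scheme that the README defaults use; harmless for a template test, but one case with the documented form would catch quoting regressions.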
7 changes: 6 additions & 1 deletion charts/node-analyzer/values.yaml
Expand Up @@ -392,7 +392,7 @@ nodeAnalyzer:

image:
repository: sysdig/vuln-host-scanner
tag: "0.6.8"
tag: "0.7.0"
digest:
pullPolicy:

Expand All @@ -416,6 +416,11 @@ nodeAnalyzer:
settings:
replicas: 1

scanContainers:
enabled: false
# dockerSocketPath: "unix:///var/run/docker.sock"
# podmanSocketPath: "unix:///var/run/podman.sock"

kspmAnalyzer:
debug: false
image:
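Review bot: `dockerSocketPath` and `podmanSocketPath` are commented out here while the README lists `unix:///var/run/docker.sock` and `unix:///var/run/podman.sock` as their defaults; pick one: either uncomment them so the documented defaults are real, or change the README to say the keys are unset by default. A short comment above `enabled: false` explaining that enabling container scanning gives the host scanner access to the node's container runtime socket would help operators make the decision deliberately.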
4 changes: 2 additions & 2 deletions charts/sysdig-deploy/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.34.9
version: 1.35.0
maintainers:
- name: AlbertoBarba
email: [email protected]
Expand Down Expand Up @@ -36,7 +36,7 @@ dependencies:
- name: node-analyzer
# repository: https://charts.sysdig.com
repository: file://../node-analyzer
version: ~1.20.4
version: ~1.21.0
alias: nodeAnalyzer
condition: nodeAnalyzer.enabled
- name: cluster-scanner

0 comments on commit 1e512f9