feat(admission-controller): Add KSPM Admission Controller to helm cha…

…rt (#1214)

Co-authored-by: Lior Alafi <[email protected]>

charts/admission-controller/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.12.4
+version: 0.13.0
 appVersion: 3.9.26
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4

charts/admission-controller/templates/NOTES.txt

@@ -1,10 +1,13 @@
-Validating Admission Controller Secure API Token configuration:
-{{- if (include "admissionController.validTokenConfig" .) }}
-Success!
+{{- if .Values.features.kspmAdmissionController }}
+{{- if include "admissionController.validAccessKeyConfig" . }}{{- end}}
+{{- end }}
+{{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled) }}
+{{- if include "admissionController.validTokenConfig" . }}{{- end }}
 {{- end }}
-
 Sysdig Admission Controller is now installed!
-Confirm its working status https://charts.sysdig.com/charts/admission-controller/#confirm-working-status
+
+Confirm its working status:
+https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/install-kubernetes-audit-logging/#verify-the-installation
 ================================================================================================
 
 {{- if .Values.scanner.enabled }}

charts/admission-controller/templates/_helpers.tpl

@@ -121,6 +121,17 @@ Determine Secure endpoint based on provided region or .Values.sysdig.apiEndpoint
     {{- end -}}
 {{- end -}}
 
+{{/*
+Sysdig NATS service URL
+*/}}
+{{- define "admissionController.natsUrl" -}}
+{{- if .Values.webhook.v2.nats.url -}}
+    {{- .Values.webhook.v2.nats.url -}}
+{{- else -}}
+    wss://{{ include "admissionController.apiEndpoint" . }}:443
+{{- end -}}
+{{- end -}}
+
 
 {{/*
 Common labels
@@ -192,6 +203,19 @@ Allow overriding registry and repository for air-gapped environments
 {{- end -}}
 {{- end -}}
 
+{{- define "admissionController.kspm.image" -}}
+{{- if .Values.webhook.v2.image.overrideValue -}}
+    {{- .Values.webhook.v2.image.overrideValue -}}
+{{- else -}}
+    {{- $imageRegistry := .Values.webhook.v2.image.registry -}}
+    {{- $imageRepository := .Values.webhook.v2.image.repository -}}
+    {{- $imageTag := .Values.webhook.v2.image.tag -}}
+    {{- $imageDigest := .Values.webhook.v2.image.digest -}}
+    {{- $globalRegistry := (default .Values.global dict).imageRegistry -}}
+    {{- $globalRegistry | default $imageRegistry | default "docker.io" -}} / {{- $imageRepository -}} {{- if $imageDigest -}} @ {{- $imageDigest -}} {{- else -}} : {{- $imageTag -}} {{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Inline Scanner Service
 */}}
@@ -265,6 +289,18 @@ Allow overriding registry and repository for air-gapped environments
 {{- end -}}
 {{- end -}}
 
+{{/*
+the following helper function designed to take the accessKey if specified locally and if it doesn't exist use the global one
+*/}}
+
+{{- define "sysdig.accessKey" -}}
+    {{- .Values.sysdig.accessKey | default .Values.global.sysdig.accessKey | default "" -}}
+{{- end -}}
+
+{{- define "sysdig.existingAccessKeySecret" -}}
+    {{- .Values.sysdig.existingAccessKeySecret | default .Values.global.sysdig.existingAccessKeySecret | default "" -}}
+{{- end -}}
+
 {{/*
 The following helper functions are all designed to use global values where
 possible, but accept overrides from the chart values.
@@ -316,6 +352,18 @@ an error if not.
     {{- required $errorMsg (or (include "sysdig.secureAPIToken" .) (include "sysdig.secureAPITokenSecret" .)) -}}
 {{- end -}}
 
+
+{{/*
+Validate Secure Access Key Config
+The follwoing named template is not used in the chart itself, it is used to
+check whether at least one of the required parameters was specified and return
+an error if not.
+*/}}
+{{- define "admissionController.validAccessKeyConfig" -}}
+{{- $errorMsg := "The Sysdig Secure Access Key was not provided with either the sysdig.accessKey or sysdig.existingAccessKeySecret values." -}}
+    {{- required $errorMsg (or (include "sysdig.accessKey" .) (include "sysdig.existingAccessKeySecret" .)) -}}
+{{- end -}}
+
 {{/* Returns string 'true' if the cluster's kubeVersion is less than the parameter provided, or nothing otherwise
      Use like: {{ include "admissionController.kubeVersionLessThan" (dict "root" . "major" <kube_major_to_compare> "minor" <kube_minor_to_compare>) }}
 

charts/admission-controller/templates/webhook/admissionregistration.yaml

@@ -30,6 +30,36 @@ metadata:
   labels:
     app.kubernetes.io/managed-by: Helm
 webhooks:
+{{- if .Values.features.kspmAdmissionController}}
+- name: vac.secure.sysdig.com
+  rules:
+  - apiGroups:
+    - ""
+    - apps
+    - batch
+    apiVersions: ["v1"]
+    operations: ["CREATE", "UPDATE"]
+    resources:
+    - "deployments"
+    - "replicasets"
+    - "statefulsets"
+    - "daemonsets"
+    - "jobs"
+    - "cronjobs"
+    scope: "Namespaced"
+  clientConfig:
+    service:
+      namespace: {{ include "admissionController.namespace" . }}
+      name: {{ include "admissionController.webhook.fullname" . }}
+      path: /validate
+      port:  {{ .Values.webhook.v2.service.port }}
+    caBundle: {{ $certList._2 }}
+
+  admissionReviewVersions: ["v1", "v1beta1"]
+  sideEffects: None
+  timeoutSeconds: {{ .Values.webhook.v2.timeoutSeconds }}
+  failurePolicy: Ignore
+{{- end }}
 {{- if or .Values.scanner.enabled .Values.webhook.acConfig }}
 - name: scanning.secure.sysdig.com
   matchPolicy: Equivalent
@@ -54,6 +84,7 @@ webhooks:
       namespace: {{ include "admissionController.namespace" . }}
       name: {{ include "admissionController.webhook.fullname" . }}
       path: /allow-pod
+      port:  {{ .Values.webhook.service.port }}
     caBundle: {{ $certList._2 }}
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
@@ -76,6 +107,7 @@ webhooks:
       namespace: {{ include "admissionController.namespace" . }}
       name: {{ include "admissionController.webhook.fullname" . }}
       path: /k8s-audit
+      port:  {{ .Values.webhook.service.port }}
     caBundle: {{ $certList._2 }}
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None

charts/admission-controller/templates/webhook/configmap.yaml

@@ -17,5 +17,10 @@ data:
   VERIFY_SSL: "{{ .Values.verifySSL }}"
   K8S_AUDIT_DETECTIONS: "{{ .Values.features.k8sAuditDetections }}"
   DENY_ON_ERROR: "{{ .Values.webhook.denyOnError }}"
-  DRY_RUN: "{{ .Values.webhook.dryRun }}"
   HTTP_TIMEOUT: "{{ .Values.webhook.timeoutSeconds }}s"
+  {{- if .Values.features.kspmAdmissionController}}
+  SERVICE_PORT: "{{ .Values.webhook.v2.http.port }}"
+  CERT_LOCATION: /cert
+  EXTERNAL_NATS_URL:  {{ include "admissionController.natsUrl" . }}
+  NATS_INSECURE: "{{.Values.webhook.v2.nats.insecure}}"
+  {{- end}}

charts/admission-controller/templates/webhook/deployment.yaml

@@ -49,6 +49,48 @@ spec:
       hostNetwork: true
       {{- end }}
       containers:
+      {{- if .Values.features.kspmAdmissionController}}
+        - name: kspm-admission-controller
+          image: {{ include "admissionController.kspm.image" . }}
+          imagePullPolicy: {{ .Values.webhook.v2.image.pullPolicy | default .Values.global.image.pullPolicy }}
+          env:
+            - name: DRY_RUN
+              value: "true"
+            {{- if (or (include "webhook.httpProxy" .) (include "webhook.httpsProxy" .) (include "webhook.noProxy" .) )}}
+            - name: HTTP_PROXY
+              value: {{ include "webhook.httpProxy" . }}
+            - name: HTTPS_PROXY
+              value: {{ include "webhook.httpsProxy" . }}
+            - name: NO_PROXY
+              value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
+            {{- end }}
+            {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
+            - name: SSL_CERT_DIR
+              value: /ca-certs
+            {{- end }}
+          ports:
+            - containerPort: {{ .Values.webhook.v2.http.port }}
+              protocol: TCP
+              name: vac
+          envFrom:
+            - configMapRef:
+                name: {{ include "admissionController.webhook.fullname" . }}
+          volumeMounts:
+            - name: cert
+              mountPath: /cert
+              readOnly: true
+            - name: configs
+              mountPath: /configs
+              readOnly: true
+            {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
+            - name: ca-cert
+              mountPath: /ca-certs
+              readOnly: true
+            {{- end }}
+          resources:
+            {{- toYaml .Values.webhook.resources | nindent 12 }}
+      {{- end}}
+      {{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled) }}
         - name: admission-controller
           image: "{{ include "admissionController.webhook.image" . }}"
           {{- if .Values.webhook.customEntryPoint }}
@@ -130,7 +172,17 @@ spec:
             {{- end }}
           resources:
             {{- toYaml .Values.webhook.resources | nindent 12 }}
+      {{- end}}
       volumes:
+        {{- if .Values.features.kspmAdmissionController }}
+        - name: configs
+          secret:
+            {{- if (include "sysdig.accessKey" .) }}
+            secretName: {{ include "admissionController.webhook.fullname" . }}-access-key
+            {{- else }}
+            secretName: {{ include "sysdig.existingAccessKeySecret" . }}
+            {{- end}}
+        {{- end}}
         - name: cert
           secret:
             secretName: {{ include "admissionController.webhook.fullname" . }}-tls

charts/admission-controller/templates/webhook/secret.yaml

@@ -26,3 +26,15 @@ data:
   {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
   {{- end }}
 {{- end }}
+---
+{{- if (and .Values.features.kspmAdmissionController (include "sysdig.accessKey" .)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "admissionController.webhook.fullname" . }}-access-key
+  namespace: {{ include "admissionController.namespace" . }}
+  labels:
+    {{ include "admissionController.webhook.labels" . | nindent 4 }}
+data:
+  access-key: {{ include "sysdig.accessKey" . | b64enc | quote }}
+{{- end }}

charts/admission-controller/templates/webhook/service.yaml

@@ -8,6 +8,9 @@ metadata:
 spec:
   type: {{ .Values.webhook.service.type }}
   ports:
+  - name: vac
+    port: {{ .Values.webhook.v2.service.port }}
+    targetPort: vac
   - name: http
     port: {{ .Values.webhook.service.port }}
     targetPort: http