From b9ab5aee6521d95aaba8b004b17807c811117122 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lvaro=20Iradier?= Date: Tue, 22 Aug 2023 12:17:02 +0200 Subject: [PATCH] feat(admission-controller): Add KSPM Admission Controller to helm chart (#1214) Co-authored-by: Lior Alafi --- charts/admission-controller/Chart.yaml | 2 +- charts/admission-controller/README.md | 29 ++- .../admission-controller/templates/NOTES.txt | 13 +- .../templates/_helpers.tpl | 48 ++++ .../webhook/admissionregistration.yaml | 32 +++ .../templates/webhook/configmap.yaml | 7 +- .../templates/webhook/deployment.yaml | 52 +++++ .../templates/webhook/secret.yaml | 12 + .../templates/webhook/service.yaml | 3 + .../tests/ca_cert_test.yaml | 217 ++++++++++++------ .../tests/conditional_flag_test.yaml | 17 ++ .../tests/global_overrides_test.yaml | 122 ++++++++++ charts/admission-controller/values.yaml | 53 ++++- charts/sysdig-deploy/Chart.yaml | 4 +- 14 files changed, 523 insertions(+), 88 deletions(-) diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml index df3a7207a..a62409b0f 100644 --- a/charts/admission-controller/Chart.yaml +++ b/charts/admission-controller/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: admission-controller description: Sysdig Admission Controller using Sysdig Secure inline image scanner type: application -version: 0.12.4 +version: 0.13.0 appVersion: 3.9.26 home: https://sysdiglabs.github.io/admission-controller/ icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index 303ea0da3..b09586597 100644 --- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md 
@@ -68,7 +68,7 @@ For example: ```bash helm upgrade --install admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.12.4 \ + --create-namespace -n sysdig-admission-controller --version=0.13.0 \ --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME ``` @@ -80,7 +80,7 @@ For example: ```bash helm upgrade --install admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.12.4 \ + --create-namespace -n sysdig-admission-controller --version=0.13.0 \ --values values.yaml ``` @@ -98,6 +98,7 @@ The following table lists the configurable parameters of the `admission-controll | global.sysdig.secureAPIToken | The global API token to access Sysdig Secure. | "" | | global.sysdig.secureAPITokenSecret | The global secret with API Token to access Sysdig Secure. | "" | | global.sysdig.region | The global Sysdig Secure region. | "us1" | +| global.sysdig.accessKey | The global Access Key to access Sysdig Secure. | "" | | global.proxy | Global HTTP Proxy settings. | {} | | global.image.pullSecrets | | [] | | global.image.pullPolicy | | IfNotPresent | @@ -110,9 +111,12 @@ The following table lists the configurable parameters of the `admission-controll | clusterName | **required**
The cluster Name which appear on Secure UI | "" | | namespace | The namespace to install components. An optional field. If not specified, it will default to the release namespace.
IMPORTANT: Ensure that a namespace is already exist, otherwise installation will fail. | "" | | sysdig.secureAPIToken | **required**
The API Token to access Sysdig Secure.

If neither this value nor `sysdig.existingSecureAPITokenSecret` is configured, you are required to provide the deployment with the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variable. Overrides the `global.sysdig.secureAPIToken` parameter. | "" | -| sysdig.existingSecureAPITokenSecret | **required**
TheeExisting secret with API Token to access Sysdig Secure.
Alternatively, specify the name of a Kubernetes secret containing `SECURE_API_TOKEN` and `AUTH_BEARER_TOKEN` entry if you're also enabling scanner.
If neither this value nor `sysdig.secureAPIToken` is configured, you are required to provide the deployment with the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variable. | "" | +| sysdig.existingSecureAPITokenSecret | **required**
The existing secret with API Token to access Sysdig Secure.
Alternatively, specify the name of a Kubernetes secret containing `SECURE_API_TOKEN` and `AUTH_BEARER_TOKEN` entry if you're also enabling scanner.
If neither this value nor `sysdig.secureAPIToken` is configured, you are required to provide the deployment with the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variable. | "" | +| sysdig.accessKey | **required for KSPM Admission Controller**
Access Key to access Sysdig Secure.

Either this value or `sysdig.existingAccessKeySecret` is required Overrides `global.sysdig.accessKey` | "" | +| sysdig.existingAccessKeySecret | Alternatively, specify the name of a Kubernetes secret containing an 'access-key' entry. Overrides `global.sysdig.existingAccessKeySecret` | "" | | sysdig.apiEndpoint | Sysdig URL.
- The default for the us-east region is secure.sysdig.com.
- For us-west use us2.app.sysdig.com
- For European Union, use eu1.app.sysdig.com
- For APAC, use app.au1.sysdig.com
- For US4 (our west Google cloud region) use app.us4.sysdig.com
- For on-prem, your own enpoints
| "" | | features.k8sAuditDetections | Enable Kubernetes Audit detections with Falco rules. | true | +| features.kspmAdmissionController | Enable KSPM Admission Controller | false | | features.k8sAuditDetectionsRules | [Admission Webhook Configuration rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) for the Audit Detections | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}] | | verifySSL | Used for outbound connections, such as Secure backend and proxy.
Specifies whether to verify SSL on HTTPS connections. | true | | nameOverride | The chart name override. | "" | 
@@ -130,13 +134,24 @@ The following table lists the configurable parameters of the `admission-controll | podMonitors.scanner.enabled | Enable the scanner PodMonitor to scrape metrics. | false | | podMonitors.scanner.labels | Specifies the labels on the scanner PodMonitor. | {} | | podMonitors.scanner.annotations | The annotatons on the scanner PodMonitor | {} | +| webhook.v2.timeoutSeconds | Number of seconds for the request to time out | 5 | +| webhook.v2.nats.insecure | Allow insecure TLS certificates in backend connection to NATS service | false | +| webhook.v2.nats.url | Override the NATS service connection URL | "" | +| webhook.v2.service.type | Use this type as webhook service | ClusterIP | +| webhook.v2.service.port | Configure port for the V2 webhook service | 7443 | +| webhook.v2.http.port | HTTP serve port where the requests will be served from | 7443 | +| webhook.v2.image.registry | The KSPM Admission Controller image registry | quay.io | +| webhook.v2.image.repository | The KSPM Admission Controller image repository | sysdig/secure-admission-controller | +| webhook.v2.image.tag | The KSPM Admission Controller image tag | 1.0.1 | +| webhook.v2.image.digest | Specifies the image digest value. If set, this value is used instead of the tag value | | +| webhook.v2.image.pullPolicy | The PullPolicy for KSPM Admission Controller image | | | webhook.name | The service name for Webhook deployment | webhook | | webhook.replicaCount | The number of replicas for webhook. **Deprecated**, use `webhook.autoscaling.minReplicas` and `webhook.autoscaling.maxReplicas` instead. | 1 | -| webhook.image.registry | The webhook image registry. | quay.io | -| webhook.image.repository | The webhook image registry. | sysdig/admission-controller | -| webhook.image.pullPolicy | The PullPolicy for Webhook image. 
| | +| webhook.image.registry | The webhook image registry | quay.io | +| webhook.image.repository | The webhook image repository | sysdig/admission-controller | +| webhook.image.pullPolicy | The PullPolicy for Webhook image | | | webhook.image.tag | Overrides the default image tag. If not specified, it defaults to appVersion in Chart.yaml | | -| webhook.image.digest | Specifies the image digest value. If set, this value is used instead of the tag value. | | +| webhook.image.digest | Specifies the image digest value. If set, this value is used instead of the tag value | | | webhook.labels | Specifies the additional labels; applies to webhook only. | {} | | webhook.service.type | Use this type as webhook service. | ClusterIP | | webhook.service.port | Configure port for the webhook service. | 443 | diff --git a/charts/admission-controller/templates/NOTES.txt b/charts/admission-controller/templates/NOTES.txt index 856885922..16d0b8d2d 100644 --- a/charts/admission-controller/templates/NOTES.txt +++ b/charts/admission-controller/templates/NOTES.txt @@ -1,10 +1,13 @@ -Validating Admission Controller Secure API Token configuration: -{{- if (include "admissionController.validTokenConfig" .) }} -Success! +{{- if .Values.features.kspmAdmissionController }} +{{- if include "admissionController.validAccessKeyConfig" . }}{{- end}} +{{- end }} +{{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled) }} +{{- if include "admissionController.validTokenConfig" . }}{{- end }} {{- end }} - Sysdig Admission Controller is now installed! -Confirm its working status https://charts.sysdig.com/charts/admission-controller/#confirm-working-status + +Confirm its working status: +https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/install-kubernetes-audit-logging/#verify-the-installation ================================================================================================ {{- if .Values.scanner.enabled }} 
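Review bot: The new access-key check at the top of NOTES.txt calls `admissionController.validAccessKeyConfig` purely for the `required` side effect and discards its output, so the `{{- if include ... }}{{- end }}` pair reads as a no-op to anyone who does not know the helper aborts rendering. A one-line template comment above the block, `{{/* rendered for its side effect only: the helper calls required and fails the release when neither sysdig.accessKey nor sysdig.existingAccessKeySecret is set */}}`, would make that explicit; the token check directly below deserves the same. The helper's own comment says it is not used elsewhere in the chart, so NOTES.txt appears to be the only place this validation runs — worth stating here so nobody later assumes the templates validate the access key themselves.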
diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl index 7ff74cdf1..d966e1a83 100644 --- a/charts/admission-controller/templates/_helpers.tpl +++ b/charts/admission-controller/templates/_helpers.tpl @@ -121,6 +121,17 @@ Determine Secure endpoint based on provided region or .Values.sysdig.apiEndpoint {{- end -}} {{- end -}} +{{/* +Sysdig NATS service URL +*/}} +{{- define "admissionController.natsUrl" -}} +{{- if .Values.webhook.v2.nats.url -}} + {{- .Values.webhook.v2.nats.url -}} +{{- else -}} + wss://{{ include "admissionController.apiEndpoint" . }}:443 +{{- end -}} +{{- end -}} + {{/* Common labels @@ -192,6 +203,19 @@ Allow overriding registry and repository for air-gapped environments {{- end -}} {{- end -}} +{{- define "admissionController.kspm.image" -}} +{{- if .Values.webhook.v2.image.overrideValue -}} + {{- .Values.webhook.v2.image.overrideValue -}} +{{- else -}} + {{- $imageRegistry := .Values.webhook.v2.image.registry -}} + {{- $imageRepository := .Values.webhook.v2.image.repository -}} + {{- $imageTag := .Values.webhook.v2.image.tag -}} + {{- $imageDigest := .Values.webhook.v2.image.digest -}} + {{- $globalRegistry := (default .Values.global dict).imageRegistry -}} + {{- $globalRegistry | default $imageRegistry | default "docker.io" -}} / {{- $imageRepository -}} {{- if $imageDigest -}} @ {{- $imageDigest -}} {{- else -}} : {{- $imageTag -}} {{- end -}} +{{- end -}} +{{- end -}} + {{/* Inline Scanner Service */}} 
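Review bot: `admissionController.kspm.image` is the only named template in this hunk without the `{{/* ... */}}` header the neighbouring helpers carry, and it honours `webhook.v2.image.overrideValue`, a value that neither the README table nor the values.yaml hunk in this commit declares. Add a header such as `{{/* KSPM Admission Controller image. webhook.v2.image.overrideValue replaces the whole string; otherwise global.imageRegistry wins over webhook.v2.image.registry, and digest wins over tag */}}` and list `overrideValue` in the README and values.yaml so the override is discoverable. For `admissionController.natsUrl`, a comment stating that the default is derived from the Secure API endpoint as `wss://<endpoint>:443` and that `webhook.v2.nats.url` replaces it entirely would document the contract the global_overrides test asserts.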
@@ -265,6 +289,18 @@ Allow overriding registry and repository for air-gapped environments {{- end -}} {{- end -}} +{{/* +the following helper function designed to take the accessKey if specified locally and if it doesn't exist use the global one +*/}} + +{{- define "sysdig.accessKey" -}} + {{- .Values.sysdig.accessKey | default .Values.global.sysdig.accessKey | default "" -}} +{{- end -}} + +{{- define "sysdig.existingAccessKeySecret" -}} + {{- .Values.sysdig.existingAccessKeySecret | default .Values.global.sysdig.existingAccessKeySecret | default "" -}} +{{- end -}} + {{/* The following helper functions are all designed to use global values where possible, but accept overrides from the chart values. @@ -316,6 +352,18 @@ an error if not. {{- required $errorMsg (or (include "sysdig.secureAPIToken" .) (include "sysdig.secureAPITokenSecret" .)) -}} {{- end -}} + +{{/* +Validate Secure Access Key Config +The follwoing named template is not used in the chart itself, it is used to +check whether at least one of the required parameters was specified and return +an error if not. +*/}} +{{- define "admissionController.validAccessKeyConfig" -}} +{{- $errorMsg := "The Sysdig Secure Access Key was not provided with either the sysdig.accessKey or sysdig.existingAccessKeySecret values." -}} + {{- required $errorMsg (or (include "sysdig.accessKey" .) (include "sysdig.existingAccessKeySecret" .)) -}} +{{- end -}} + {{/* Returns string 'true' if the cluster's kubeVersion is less than the parameter provided, or nothing otherwise Use like: {{ include "admissionController.kubeVersionLessThan" (dict "root" . "major" "minor" ) }} diff --git a/charts/admission-controller/templates/webhook/admissionregistration.yaml b/charts/admission-controller/templates/webhook/admissionregistration.yaml index 7a46d5dbd..07fb5c39c 100644 --- a/charts/admission-controller/templates/webhook/admissionregistration.yaml +++ b/charts/admission-controller/templates/webhook/admissionregistration.yaml 
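Review bot: `sysdig.existingAccessKeySecret` falls back to `.Values.global.sysdig.existingAccessKeySecret`, but the values.yaml hunk in this commit adds only `accessKey` under `global.sysdig`, and the README table has no `global.sysdig.existingAccessKeySecret` row either, even though the README/values text for `sysdig.existingAccessKeySecret` says it overrides that global. Either declare `existingAccessKeySecret: ""` next to the new `accessKey` in the global section of values.yaml and document it in the README, or drop the global fallback from the helper so the documented surface matches the code. The new comment also has a typo (`follwoing`) and the blank line between `*/}}` and the `define` is unlike the surrounding helpers; `{{/* Access key: local sysdig.accessKey, else global.sysdig.accessKey, else "" */}}` directly above the define would match the file's style.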
@@ -30,6 +30,36 @@ metadata:
 labels:
 app.kubernetes.io/managed-by: Helm
 webhooks:
+{{- if .Values.features.kspmAdmissionController}}
+- name: vac.secure.sysdig.com
+ rules:
+ - apiGroups:
+ - ""
+ - apps
+ - batch
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources:
+ - "deployments"
+ - "replicasets"
+ - "statefulsets"
+ - "daemonsets"
+ - "jobs"
+ - "cronjobs"
+ scope: "Namespaced"
+ clientConfig:
+ service:
+ namespace: {{ include "admissionController.namespace" . }}
+ name: {{ include "admissionController.webhook.fullname" . }}
+ path: /validate
+ port: {{ .Values.webhook.v2.service.port }}
+ caBundle: {{ $certList._2 }}
+
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: {{ .Values.webhook.v2.timeoutSeconds }}
+ failurePolicy: Ignore
+{{- end }}
 {{- if or .Values.scanner.enabled .Values.webhook.acConfig }}
 - name: scanning.secure.sysdig.com
 matchPolicy: Equivalent
@@ -54,6 +84,7 @@ webhooks:
 namespace: {{ include "admissionController.namespace" . }}
 name: {{ include "admissionController.webhook.fullname" . }}
 path: /allow-pod
+ port: {{ .Values.webhook.service.port }}
 caBundle: {{ $certList._2 }}
 admissionReviewVersions: ["v1", "v1beta1"]
 sideEffects: None
@@ -76,6 +107,7 @@ webhooks:
 namespace: {{ include "admissionController.namespace" . }}
 name: {{ include "admissionController.webhook.fullname" . }}
 path: /k8s-audit
+ port: {{ .Values.webhook.service.port }}
 caBundle: {{ $certList._2 }}
 admissionReviewVersions: ["v1", "v1beta1"]
 sideEffects: None
diff --git a/charts/admission-controller/templates/webhook/configmap.yaml b/charts/admission-controller/templates/webhook/configmap.yaml
index 4539ebb15..f6a9dbfeb 100644
--- a/charts/admission-controller/templates/webhook/configmap.yaml
+++ b/charts/admission-controller/templates/webhook/configmap.yaml
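Review bot: The new `vac.secure.sysdig.com` webhook hard-codes `failurePolicy: Ignore`, so a validating webhook whose purpose is policy enforcement fails open whenever the backend is unreachable or exceeds `timeoutSeconds`, and unlike the legacy container (whose `DENY_ON_ERROR` comes from `webhook.denyOnError` in the ConfigMap hunk) there is no value that lets an operator make it fail closed. Consider exposing it, e.g. `failurePolicy: {{ .Values.webhook.v2.failurePolicy | default "Ignore" }}` with a matching entry in values.yaml and the README (the value name is a proposal, not an existing key), keeping `Ignore` as the default so upgrades do not change behaviour. The entry also omits `matchPolicy`, which the `scanning.secure.sysdig.com` webhook below sets to `Equivalent`; the API-server default depends on the configuration's apiVersion (outside this hunk), so stating it explicitly avoids a silent coverage difference between the two webhooks. The blank line after `caBundle` inside the entry is harmless but inconsistent with the other entries.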
@@ -17,5 +17,10 @@ data:
 VERIFY_SSL: "{{ .Values.verifySSL }}"
 K8S_AUDIT_DETECTIONS: "{{ .Values.features.k8sAuditDetections }}"
 DENY_ON_ERROR: "{{ .Values.webhook.denyOnError }}"
- DRY_RUN: "{{ .Values.webhook.dryRun }}"
 HTTP_TIMEOUT: "{{ .Values.webhook.timeoutSeconds }}s"
+ {{- if .Values.features.kspmAdmissionController}}
+ SERVICE_PORT: "{{ .Values.webhook.v2.http.port }}"
+ CERT_LOCATION: /cert
+ EXTERNAL_NATS_URL: {{ include "admissionController.natsUrl" . }}
+ NATS_INSECURE: "{{.Values.webhook.v2.nats.insecure}}"
+ {{- end}}
diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml
index db831c3c4..f3b47c38f 100644
--- a/charts/admission-controller/templates/webhook/deployment.yaml
+++ b/charts/admission-controller/templates/webhook/deployment.yaml
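Review bot: `DRY_RUN: "{{ .Values.webhook.dryRun }}"` is removed from the ConfigMap with no replacement in this hunk, so if the legacy `admission-controller` container takes its environment from this ConfigMap (its env block is outside the diff), setting `webhook.dryRun` no longer has any effect and an installation that relied on dry-run for a staged rollout silently switches to enforcement. If the removal is intentional because the KSPM container pins `DRY_RUN` in its own env, say so in the commit message and mark `webhook.dryRun` as deprecated in values.yaml and the README; otherwise keep the key. Separately, `EXTERNAL_NATS_URL` is the only unquoted value in the block; `EXTERNAL_NATS_URL: {{ include "admissionController.natsUrl" . | quote }}` keeps it a string whatever a user puts in `webhook.v2.nats.url`.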
@@ -49,6 +49,48 @@ spec:
 hostNetwork: true
 {{- end }}
 containers:
+ {{- if .Values.features.kspmAdmissionController}}
+ - name: kspm-admission-controller
+ image: {{ include "admissionController.kspm.image" . }}
+ imagePullPolicy: {{ .Values.webhook.v2.image.pullPolicy | default .Values.global.image.pullPolicy }}
+ env:
+ - name: DRY_RUN
+ value: "true"
+ {{- if (or (include "webhook.httpProxy" .) (include "webhook.httpsProxy" .) (include "webhook.noProxy" .) )}}
+ - name: HTTP_PROXY
+ value: {{ include "webhook.httpProxy" . }}
+ - name: HTTPS_PROXY
+ value: {{ include "webhook.httpsProxy" . }}
+ - name: NO_PROXY
+ value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
+ {{- end }}
+ {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
+ - name: SSL_CERT_DIR
+ value: /ca-certs
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.webhook.v2.http.port }}
+ protocol: TCP
+ name: vac
+ envFrom:
+ - configMapRef:
+ name: {{ include "admissionController.webhook.fullname" . }}
+ volumeMounts:
+ - name: cert
+ mountPath: /cert
+ readOnly: true
+ - name: configs
+ mountPath: /configs
+ readOnly: true
+ {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
+ resources:
+ {{- toYaml .Values.webhook.resources | nindent 12 }}
+ {{- end}}
+ {{- if (or .Values.features.k8sAuditDetections .Values.scanner.enabled) }}
 - name: admission-controller
 image: "{{ include "admissionController.webhook.image" . }}"
 {{- if .Values.webhook.customEntryPoint }}
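Review bot: The `kspm-admission-controller` container sets `DRY_RUN` to the literal `"true"`, so the KSPM webhook can only report and never reject, and nothing in the README or values.yaml tells the operator that (`webhook.dryRun` is not wired to it). Either document it in place, `# KSPM enforcement is not configurable yet: the container always runs in dry-run mode`, or make it `value: {{ .Values.webhook.v2.dryRun | quote }}` with `dryRun: true` declared under `webhook.v2` in values.yaml (proposed key) so the default is unchanged. The container carries no `securityContext`; if the legacy `admission-controller` container below sets one (its spec is outside this hunk), the new container should get the same hardening, since it mounts both the access-key secret and the TLS key. The three proxy `value:` lines are unquoted, so an empty `httpProxy` combined with a non-empty `noProxy` renders `value:` as null rather than an empty string; `| quote` on each avoids relying on how the client decodes that.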
@@ -130,7 +172,17 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.webhook.resources | nindent 12 }}
+ {{- end}}
 volumes:
+ {{- if .Values.features.kspmAdmissionController }}
+ - name: configs
+ secret:
+ {{- if (include "sysdig.accessKey" .) }}
+ secretName: {{ include "admissionController.webhook.fullname" . }}-access-key
+ {{- else }}
+ secretName: {{ include "sysdig.existingAccessKeySecret" . }}
+ {{- end}}
+ {{- end}}
 - name: cert
 secret:
 secretName: {{ include "admissionController.webhook.fullname" . }}-tls
diff --git a/charts/admission-controller/templates/webhook/secret.yaml b/charts/admission-controller/templates/webhook/secret.yaml
index f9473c78b..46a74f945 100644
--- a/charts/admission-controller/templates/webhook/secret.yaml
+++ b/charts/admission-controller/templates/webhook/secret.yaml
@@ -26,3 +26,15 @@ data:
 {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
 {{- end }}
 {{- end }}
+---
+{{- if (and .Values.features.kspmAdmissionController (include "sysdig.accessKey" .)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "admissionController.webhook.fullname" . }}-access-key
+ namespace: {{ include "admissionController.namespace" . }}
+ labels:
+ {{ include "admissionController.webhook.labels" . | nindent 4 }}
+data:
+ access-key: {{ include "sysdig.accessKey" . | b64enc | quote }}
+{{- end }}
diff --git a/charts/admission-controller/templates/webhook/service.yaml b/charts/admission-controller/templates/webhook/service.yaml
index dba82671b..6ebd59abc 100644
--- a/charts/admission-controller/templates/webhook/service.yaml
+++ b/charts/admission-controller/templates/webhook/service.yaml
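Review bot: In secret.yaml the `---` separator sits outside the `{{- if (and ...) }}` guard, so whenever the KSPM feature is off or an existing secret is used the template emits a trailing empty document; Helm drops it, but tooling that consumes `helm template` output strictly or schema-validates each document may not. Moving the separator inside the guard — `{{- if (and .Values.features.kspmAdmissionController (include "sysdig.accessKey" .)) }}` followed by `---` — avoids the empty document. In the deployment `volumes` hunk, when the feature is on but neither `sysdig.accessKey` nor an existing secret is configured, the `else` branch renders `secretName:` empty and the Pod fails at admission rather than at install time; presumably the `required` check in NOTES.txt fires first, but a comment on that branch, `# empty only if the NOTES.txt access-key validation was bypassed`, would record the dependency.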
@@ -8,6 +8,9 @@ metadata: spec: type: {{ .Values.webhook.service.type }} ports: + - name: vac + port: {{ .Values.webhook.v2.service.port }} + targetPort: vac - name: http port: {{ .Values.webhook.service.port }} targetPort: http diff --git a/charts/admission-controller/tests/ca_cert_test.yaml b/charts/admission-controller/tests/ca_cert_test.yaml index e6047f7ec..6552c4294 100644 --- a/charts/admission-controller/tests/ca_cert_test.yaml +++ b/charts/admission-controller/tests/ca_cert_test.yaml @@ -13,38 +13,34 @@ templates: - webhook/admissionregistration.yaml - webhook/podmonitor.yaml tests: - - it: Check Custsom CA Cert Disabled + - it: Check Custom CA Cert Disabled documentIndex: 0 set: + features: + k8sAuditDetections: true + kspmAdmissionController: true clusterName: "test-k8s" scanner: enabled: true - webhook: - enabled: true sysdig: accessKey: standard-key secureAPIToken: standard-token asserts: - - notContains: - path: spec.template.spec.containers[0].env - content: - name: SSL_CERT_DIR - value: "/ca-certs" - template: webhook/deployment.yaml - notContains: path: spec.template.spec.volumes content: name: ca-cert secret: secretName: release-name-admission-controller-webhook-ca - template: webhook/deployment.yaml + template: scanner/deployment.yaml - notContains: - path: spec.template.spec.containers[0].volumeMounts + path: spec.template.spec.volumes content: name: ca-cert - mountPath: /ca-certs - readOnly: true + secret: + secretName: release-name-admission-controller-webhook-ca template: webhook/deployment.yaml + - notContains: path: spec.template.spec.containers[0].env content: 
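Review bot: The new `vac` Service port is added unconditionally, while the container that publishes the `vac` named port exists only when `features.kspmAdmissionController` is true, so a default installation gets a Service port whose `targetPort` resolves to nothing; conversely, with only KSPM enabled the `http` port has no backing container. Guard each entry with the same condition deployment.yaml uses, `{{- if .Values.features.kspmAdmissionController }}` around the `vac` block and `{{- if or .Values.features.k8sAuditDetections .Values.scanner.enabled }}` around the `http` block (the latter lies outside this hunk). The ca_cert_test hunk on this line shares the index-based assertion pattern discussed in the note on the next hunks of that file.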
@@ -52,11 +48,24 @@ tests: value: "/ca-certs" template: scanner/deployment.yaml - notContains: - path: spec.template.spec.volumes + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - notContains: + path: spec.template.spec.containers[1].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + + - notContains: + path: spec.template.spec.containers[0].volumeMounts content: name: ca-cert - secret: - secretName: release-name-admission-controller-scanner-ca + mountPath: /ca-certs + readOnly: true template: scanner/deployment.yaml - notContains: path: spec.template.spec.containers[0].volumeMounts @@ -64,16 +73,43 @@ tests: name: ca-cert mountPath: /ca-certs readOnly: true + template: webhook/deployment.yaml + - notContains: + path: spec.template.spec.containers[1].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml + + - notContains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" template: scanner/deployment.yaml + - notContains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - notContains: + path: spec.template.spec.containers[1].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml - - it: Check Custsom CA Cert defined with Values + - it: Check Custom CA Cert defined with Values documentIndex: 0 set: + features: + k8sAuditDetections: true + kspmAdmissionController: true clusterName: "test-k8s" scanner: enabled: true - webhook: - enabled: true global: ssl: ca: 
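Review bot: The first test case now asserts `notContains` for `containers[0].env` and `containers[1].env` `SSL_CERT_DIR` on webhook/deployment.yaml twice (once in the `@@ -52` hunk and again in the `@@ -64` hunk), and the scanner `containers[0].env` check is duplicated the same way; drop one copy of each, since they add noise without coverage. Addressing containers by index (`[0]` = KSPM, `[1]` = legacy) is also brittle now that the container list depends on three feature flags and every case here enables both; a comment at the top of the file stating the expected order, `# container order with kspmAdmissionController enabled: [0] kspm-admission-controller, [1] admission-controller`, would at least make the assumption visible. The same index pattern repeats in the remaining hunks of this file.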
@@ -88,11 +124,12 @@ tests: secureAPIToken: standard-token asserts: - contains: - path: spec.template.spec.containers[0].env + path: spec.template.spec.volumes content: - name: SSL_CERT_DIR - value: "/ca-certs" - template: webhook/deployment.yaml + name: ca-cert + secret: + secretName: release-name-admission-controller-scanner-ca + template: scanner/deployment.yaml - contains: path: spec.template.spec.volumes content: @@ -100,25 +137,32 @@ tests: secret: secretName: release-name-admission-controller-webhook-ca template: webhook/deployment.yaml + - contains: - path: spec.template.spec.containers[0].volumeMounts + path: spec.template.spec.containers[0].env content: - name: ca-cert - mountPath: /ca-certs - readOnly: true - template: webhook/deployment.yaml + name: SSL_CERT_DIR + value: "/ca-certs" + template: scanner/deployment.yaml - contains: path: spec.template.spec.containers[0].env content: name: SSL_CERT_DIR value: "/ca-certs" - template: scanner/deployment.yaml + template: webhook/deployment.yaml - contains: - path: spec.template.spec.volumes + path: spec.template.spec.containers[1].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + + - contains: + path: spec.template.spec.containers[0].volumeMounts content: name: ca-cert - secret: - secretName: release-name-admission-controller-scanner-ca + mountPath: /ca-certs + readOnly: true template: scanner/deployment.yaml - contains: path: spec.template.spec.containers[0].volumeMounts 
@@ -126,16 +170,24 @@ tests: name: ca-cert mountPath: /ca-certs readOnly: true - template: scanner/deployment.yaml + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[1].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml - - it: Check Custsom CA Cert defined with Existing Secret + - it: Check Custom CA Cert defined with Existing Secret documentIndex: 0 set: + features: + k8sAuditDetections: true + kspmAdmissionController: true clusterName: "test-k8s" scanner: enabled: true - webhook: - enabled: true global: ssl: ca: @@ -145,26 +197,21 @@ tests: accessKey: standard-key secureAPIToken: standard-token asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: SSL_CERT_DIR - value: "/ca-certs" - template: webhook/deployment.yaml - contains: path: spec.template.spec.volumes content: name: ca-cert secret: secretName: test-fake-ca-secret-name - template: webhook/deployment.yaml + template: scanner/deployment.yaml - contains: - path: spec.template.spec.containers[0].volumeMounts + path: spec.template.spec.volumes content: name: ca-cert - mountPath: /ca-certs - readOnly: true + secret: + secretName: test-fake-ca-secret-name template: webhook/deployment.yaml + - contains: path: spec.template.spec.containers[0].env content: 
@@ -172,11 +219,24 @@ tests: value: "/ca-certs" template: scanner/deployment.yaml - contains: - path: spec.template.spec.volumes + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[1].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + + - contains: + path: spec.template.spec.containers[0].volumeMounts content: name: ca-cert - secret: - secretName: test-fake-ca-secret-name + mountPath: /ca-certs + readOnly: true template: scanner/deployment.yaml - contains: path: spec.template.spec.containers[0].volumeMounts @@ -184,16 +244,24 @@ tests: name: ca-cert mountPath: /ca-certs readOnly: true - template: scanner/deployment.yaml + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[1].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml - - it: Check Custsom CA Cert defined with Existing ConfigMap + - it: Check Custom CA Cert defined with Existing ConfigMap documentIndex: 0 set: + features: + k8sAuditDetections: true + kspmAdmissionController: true clusterName: "test-k8s" scanner: enabled: true - webhook: - enabled: true global: ssl: ca: 
@@ -203,26 +271,21 @@ tests: accessKey: standard-key secureAPIToken: standard-token asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: SSL_CERT_DIR - value: "/ca-certs" - template: webhook/deployment.yaml - contains: path: spec.template.spec.volumes content: name: ca-cert configMap: name: test-fake-ca-configmap-name - template: webhook/deployment.yaml + template: scanner/deployment.yaml - contains: - path: spec.template.spec.containers[0].volumeMounts + path: spec.template.spec.volumes content: name: ca-cert - mountPath: /ca-certs - readOnly: true + configMap: + name: test-fake-ca-configmap-name template: webhook/deployment.yaml + - contains: path: spec.template.spec.containers[0].env content: @@ -230,11 +293,24 @@ tests: value: "/ca-certs" template: scanner/deployment.yaml - contains: - path: spec.template.spec.volumes + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[1].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + + - contains: + path: spec.template.spec.containers[0].volumeMounts content: name: ca-cert - configMap: - name: test-fake-ca-configmap-name + mountPath: /ca-certs + readOnly: true template: scanner/deployment.yaml - contains: path: spec.template.spec.containers[0].volumeMounts @@ -242,4 +318,11 @@ tests: name: ca-cert mountPath: /ca-certs readOnly: true - template: scanner/deployment.yaml + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[1].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml diff --git a/charts/admission-controller/tests/conditional_flag_test.yaml b/charts/admission-controller/tests/conditional_flag_test.yaml index 865e9df08..9b5cb098c 100644 --- a/charts/admission-controller/tests/conditional_flag_test.yaml 
+++ b/charts/admission-controller/tests/conditional_flag_test.yaml @@ -38,6 +38,23 @@ tests: apiVersion: v1 template: scanner/service.yaml + - it: Checking KSPM AC enabled + set: + features: + kspmAdmissionController: true + k8sAuditDetections: false + scanner: + enabled: false + clusterName: test-k8s + sysdig: + secureAPIToken: standard_token + accessKey: some_access_key + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: kspm-admission-controller + template: webhook/deployment.yaml + - it: Checking podmonitors scanner enabled set: podMonitors: diff --git a/charts/admission-controller/tests/global_overrides_test.yaml b/charts/admission-controller/tests/global_overrides_test.yaml index 4691a6a02..a2b51c066 100644 --- a/charts/admission-controller/tests/global_overrides_test.yaml +++ b/charts/admission-controller/tests/global_overrides_test.yaml 
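Review bot: The new `Checking KSPM AC enabled` case covers only the positive path; nothing asserts that with `kspmAdmissionController: false` (the default) the `vac.secure.sysdig.com` webhook, the `kspm-admission-controller` container and the `configs` volume are absent, which is the configuration every existing user upgrades into. A sibling case with the flag off and `notContains` assertions on webhook/admissionregistration.yaml and webhook/deployment.yaml would pin that. The case also sets `sysdig.secureAPIToken` although audit detections and the scanner are disabled, so it does not show whether a KSPM-only install renders without a token; removing it from `set` would make that explicit.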
@@ -66,6 +66,64 @@ tests: value: override_token template: webhook/secret.yaml + - it: check value of Access Key without local chart override - local value provided + documentIndex: 0 + set: + sysdig: + accessKey: standard_key + url: secure.sysdigcloud.com + features: + kspmAdmissionController: true + k8sAuditDetections: false + clusterName: test-k8s + version: 0.7.3 + asserts: + - equal: + path: data.access-key + value: standard_key + decodeBase64: true + template: webhook/secret.yaml + + - it: check value of Access Key without local chart override - global value provided + documentIndex: 0 + set: + global: + sysdig: + accessKey: standard_key + sysdig: + url: secure.sysdigcloud.com + features: + kspmAdmissionController: true + k8sAuditDetections: false + clusterName: test-k8s + version: 0.7.3 + asserts: + - equal: + path: data.access-key + value: standard_key + decodeBase64: true + template: webhook/secret.yaml + + - it: check value of Access Key with local chart override + documentIndex: 0 + set: + global: + sysdig: + accessKey: standard_key + clusterName: test-k8s + sysdig: + url: secure_url.com + accessKey: override_key + features: + kspmAdmissionController: true + k8sAuditDetections: false + asserts: + - equal: + path: data.access-key + value: override_key + decodeBase64: true + template: webhook/secret.yaml + - it: check value of secureAPITokenSecret without local chart override - local value provided documentIndex: 0 set: 
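Review bot: The three new access-key cases set `sysdig.url` and `version: 0.7.3`, which no template touched by this diff reads (the chart documents `sysdig.apiEndpoint`, not `sysdig.url`); they look copied from older cases and only obscure what the test depends on. Trimming `set` to `sysdig.accessKey`, `features.kspmAdmissionController`, `features.k8sAuditDetections` and `clusterName` keeps each fixture minimal. The assertion target `webhook/secret.yaml` with `documentIndex: 0` also assumes the access-key Secret is the first document when the feature is on; a short comment above the cases noting that assumption would help if the secret template is reordered later.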
@@ -122,13 +180,73 @@ tests: value: override_token template: webhook/deployment.yaml + - it: check value of existingAccessKeySecret without local chart override - local value provided + documentIndex: 0 + set: + sysdig: + existingAccessKeySecret: some-secret + url: secure.sysdigcloud.com + features: + kspmAdmissionController: true + k8sAuditDetections: false + clusterName: test-k8s + version: 0.7.3 + asserts: + - equal: + path: spec.template.spec.volumes[0].secret.secretName + value: some-secret + template: webhook/deployment.yaml + + - it: check value of existingAccessKeySecret without local chart override - global value provided + documentIndex: 0 + set: + global: + sysdig: + existingAccessKeySecret: some-secret + sysdig: + url: secure.sysdigcloud.com + existingAccessKeySecret: override-secret + features: + kspmAdmissionController: true + k8sAuditDetections: false + clusterName: test-k8s + version: 0.7.3 + asserts: + - equal: + path: spec.template.spec.volumes[0].secret.secretName + value: override-secret + template: webhook/deployment.yaml + + - it: check value of existingAccessKeySecret with local chart override + documentIndex: 0 + set: + global: + sysdig: + existingAccessKeySecret: some-secret + sysdig: + url: secure.sysdigcloud.com + features: + kspmAdmissionController: true + k8sAuditDetections: false + clusterName: test-k8s + version: 0.7.3 + asserts: + - equal: + path: spec.template.spec.volumes[0].secret.secretName + value: some-secret + template: webhook/deployment.yaml + - it: uses the specified region documentIndex: 0 set: global: sysdig: region: eu1 + sysdig: + accessKey: some_access_key clusterName: test-k8s + features: + kspmAdmissionController: true asserts: - equal: path: data.SECURE_BASE_URL 
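Review bot: The titles of the second and third new cases are swapped: `check value of existingAccessKeySecret without local chart override - global value provided` sets `sysdig.existingAccessKeySecret: override-secret` and expects `override-secret`, while `check value of existingAccessKeySecret with local chart override` sets only the global value and expects `some-secret`. Rename them so each title matches its fixture, i.e. `- it: check value of existingAccessKeySecret with local chart override` for the case that sets `override-secret`, and `- it: check value of existingAccessKeySecret without local chart override - global value provided` for the other. These cases carry the same unused `sysdig.url` and `version: 0.7.3` keys as the earlier hunk; dropping them keeps the fixtures minimal.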
@@ -138,6 +256,10 @@ tests: path: data.SECURE_URL value: https://eu1.app.sysdig.com template: webhook/configmap.yaml + - equal: + path: data.EXTERNAL_NATS_URL + value: wss://eu1.app.sysdig.com:443 + template: webhook/configmap.yaml - it: check imagePullSecrets with global documentIndex: 0 diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml index b7beb7854..358def950 100644 --- a/charts/admission-controller/values.yaml +++ b/charts/admission-controller/values.yaml @@ -12,6 +12,8 @@ global: secureAPITokenSecret: "" # The global Sysdig Secure region. region: "us1" + # The global Access Key to access Sysdig Secure. + accessKey: "" # Global HTTP Proxy settings. proxy: {} # The global image settings. @@ -72,7 +74,7 @@ sysdig: secureAPIToken: "" # **required** - #
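Review bot: In the values.yaml hunk at -12 the `global.sysdig` block gains `accessKey` but not `existingAccessKeySecret`, while the `sysdig.existingAccessKeySecret` comment added in the later hunk at -80 says it overrides `global.sysdig.existingAccessKeySecret`, and the global_overrides tests set that global key. Either declare it here next to `accessKey` — `# The global existing secret containing an 'access-key' entry.` followed by `existingAccessKeySecret: ""` — or drop the override wording, so the values file matches what the templates read. A plain-text key placed in `accessKey` is rendered base64-encoded into the chart's Secret (the tests assert `data.access-key` on webhook/secret.yaml) and kept in the Helm release's stored values, so the comment could point users to the secret reference as the preferred option.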
TheeExisting secret with API Token to access Sysdig Secure. + #
The existing secret with API Token to access Sysdig Secure. #
Alternatively, specify the name of a Kubernetes secret containing `SECURE_API_TOKEN` and # `AUTH_BEARER_TOKEN` entry if you're also enabling scanner. #
If neither this value nor `sysdig.secureAPIToken` is configured, you @@ -80,6 +82,16 @@ sysdig: # (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variable. existingSecureAPITokenSecret: "" + # **required for KSPM Admission Controller** + #
Access Key to access Sysdig Secure. + #

Either this value or `sysdig.existingAccessKeySecret` is required + # Overrides `global.sysdig.accessKey` + accessKey: "" + + # Alternatively, specify the name of a Kubernetes secret containing an 'access-key' entry. + # Overrides `global.sysdig.existingAccessKeySecret` + existingAccessKeySecret: "" + # Sysdig URL.
# - The default for the us-east region is secure.sysdig.com.
# - For us-west use us2.app.sysdig.com
@@ -93,6 +105,9 @@ features: # Enable Kubernetes Audit detections with Falco rules. k8sAuditDetections: true + # Enable KSPM Admission Controller + kspmAdmissionController: false + # [Admission Webhook Configuration rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) for the Audit Detections k8sAuditDetectionsRules: # +doc-gen:break - apiGroups: 
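Review bot: The comment on `kspmAdmissionController` says only "Enable KSPM Admission Controller", while the `sysdig.accessKey` comment elsewhere in this file marks the key as required for that feature and the test changes had to set the key alongside the flag; the dependency belongs where the switch is flipped: `# Enable KSPM Admission Controller (requires sysdig.accessKey or sysdig.existingAccessKeySecret)`. Enabling it presumably also registers an additional webhook with the API server, which is worth a sentence here since it changes which admission requests the cluster routes through this chart.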
@@ -152,21 +167,49 @@ podMonitors: annotations: {} webhook: + v2: + # Number of seconds for the request to time out + timeoutSeconds: 5 + nats: + # Allow insecure TLS certificates in backend connection to NATS service + insecure: false + # Override the NATS service connection URL + url: "" + service: + # Use this type as webhook service + type: ClusterIP + # Configure port for the V2 webhook service + port: 7443 + http: + # HTTP serve port where the requests will be served from + port: 7443 + # KSPM Admission Controller container image + image: + # The KSPM Admission Controller image registry + registry: quay.io + # The KSPM Admission Controller image repository + repository: sysdig/secure-admission-controller + # The KSPM Admission Controller image tag + tag: 1.0.1 + # Specifies the image digest value. If set, this value is used instead of the tag value + digest: + # The PullPolicy for KSPM Admission Controller image + pullPolicy: # The service name for Webhook deployment name: webhook # The number of replicas for webhook. **Deprecated**, use `webhook.autoscaling.minReplicas` and `webhook.autoscaling.maxReplicas` instead. replicaCount: 1 image: - # The webhook image registry. + # The webhook image registry registry: quay.io - # The webhook image registry. + # The webhook image repository repository: sysdig/admission-controller - # The PullPolicy for Webhook image. + # The PullPolicy for Webhook image pullPolicy: # Overrides the default image tag. If not specified, it defaults to appVersion in Chart.yaml tag: - # Specifies the image digest value. If set, this value is used instead of the tag value. + # Specifies the image digest value. If set, this value is used instead of the tag value digest: # Specifies the additional labels; applies to webhook only. diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 32ced602c..c2dc73c81 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml 
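Review bot: `webhook.v2.nats.insecure` is documented as "Allow insecure TLS certificates in backend connection to NATS service", which does not say that turning it on disables server-certificate verification for the connection the controller makes to the backend; spell it out and scope it: `# Skip TLS certificate verification for the NATS backend connection; keep false outside of local testing`. `webhook.v2.image.tag: 1.0.1` pins the KSPM image in values, whereas the existing `webhook.image.tag` is left empty and documented as falling back to the chart's appVersion — a style inconsistency that means a chart release will not move the v2 image unless someone edits values.yaml, so if that is intended a comment should say so. `digest:` and `pullPolicy:` are left as bare null values, which matches the existing `webhook.image` block, so no change there. The `webhook:` mapping continues past the end of the hunk.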
@@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.17.11 +version: 1.18.0 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -20,7 +20,7 @@ dependencies: - name: admission-controller # repository: https://charts.sysdig.com repository: file://../admission-controller - version: ~0.12.4 + version: ~0.13.0 alias: admissionController condition: admissionController.enabled - name: agent