feat(hostScanner): Add container scanner feature [SSPROD-32268]

sysdiglabs · Nov 29, 2023 · e954d81 · e954d81
1 parent ad8a1b9
commit e954d81
Show file tree

Hide file tree

Showing 7 changed files with 261 additions and 161 deletions.
diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
@@ -3,7 +3,7 @@ name: node-analyzer
 description: Sysdig Node Analyzer
 
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.18.8
+version: 1.18.9
 appVersion: 12.9.0
 keywords:
   - monitoring

diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md
diff --git a/charts/node-analyzer/templates/configmap-host-scanner.yaml b/charts/node-analyzer/templates/configmap-host-scanner.yaml
@@ -39,4 +39,13 @@ data:
   {{- if .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion }}
   vuln_db_version: {{ .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion | quote }}
   {{- end }}
+  {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
+  container_scan_enabled: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.enabled | quote}}
+  {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath }}
+  docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote}}
+  {{- end }}
+  {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath }}
+  podman_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath | quote}}
+  {{- end }}
+  {{- end}}
 {{- end }}
diff --git a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
@@ -878,6 +878,30 @@ spec:
           - name: "{{ $key }}"
             value: "{{ $value }}"
           {{- end }}
+
+          {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
+          # Container scanner
+          - name: USE_COMBINED_SCANNER
+            value: "true"
+          - name: SCAN_CONTAINERS_ENABLED
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-host-scanner
+                key: container_scan_enabled
+                optional: true
+          - name: DOCKER_SOCKET_PATHS
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-host-scanner
+                key: docker_socket_path
+                optional: true
+          - name: PODMAN_SOCKET_PATHS
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-host-scanner
+                key: podman_socket_path
+                optional: true
+          {{- end }}
         volumeMounts:
           - mountPath: /tmp
             name: tmp-vol

diff --git a/charts/node-analyzer/tests/hostscanner_test.yaml b/charts/node-analyzer/tests/hostscanner_test.yaml
@@ -156,3 +156,62 @@ tests:
           of: ConfigMap
       - isNull:
           path: data.additional_dirs_to_scan
+
+  - it: "Container scanner is disabled by default"
+    set:
+      clusterName: "test"
+      nodeAnalyzer.hostScanner.deploy: true
+    templates:
+      - ../templates/daemonset-node-analyzer.yaml
+    asserts:
+      - isKind:
+          of: DaemonSet
+      - isNull:
+          path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
+      - isNull:
+          path: spec.template.spec.containers[3].env[?(@.name == "SCAN_CONTAINERS_ENABLED")].value
+  - it: "Container scanner enabled - daemonset"
+    set:
+      clusterName: "test"
+      nodeAnalyzer.hostScanner.deploy: true
+      nodeAnalyzer.hostScanner.scanContainers.enabled: true
+    templates:
+      - ../templates/daemonset-node-analyzer.yaml
+    asserts:
+      - isKind:
+            of: DaemonSet
+      - equal:
+          path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
+          value: "true"
+  - it: "Container scanner enabled and empty socket paths - configmap"
+    set:
+      clusterName: "test"
+      nodeAnalyzer.hostScanner.deploy: true
+      nodeAnalyzer.hostScanner.scanContainers.enabled: true
+    templates:
+      - ../templates/configmap-host-scanner.yaml
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - isNull:
+          path: data.docker_socket_path
+      - isNull:
+          path: data.podman_socket_path
+  - it: "Container scanner enabled and not empty socket paths - configmap"
+    set:
+      clusterName: "test"
+      nodeAnalyzer.hostScanner.deploy: true
+      nodeAnalyzer.hostScanner.scanContainers.enabled: true
+      nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath: "/docker/socket"
+      nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath: "/podman/socket"
+    templates:
+      - ../templates/configmap-host-scanner.yaml
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: data.docker_socket_path
+          value: "/docker/socket"
+      - equal:
+          path: data.podman_socket_path
+          value: "/podman/socket"
diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml
@@ -416,6 +416,11 @@ nodeAnalyzer:
     settings:
       replicas: 1
 
+    scanContainers:
+      enabled: false
+      # dockerSocketPath: "unix:///var/run/docker.sock"
+      # podmanSocketPath: "unix:///var/run/podman.sock"
+
   kspmAnalyzer:
     debug: false
     image:

diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.31.1
+version: 1.31.2
 maintainers:
   - name: AlbertoBarba
     email: [email protected]