From e954d812e7a53699b107ca38449afc9fab65a32c Mon Sep 17 00:00:00 2001
From: Federico Feresini
Date: Wed, 29 Nov 2023 16:32:16 +0100
Subject: [PATCH] feat(hostScanner): Add container scanner feature [SSPROD-32268]
---
 charts/node-analyzer/Chart.yaml | 2 +-
 charts/node-analyzer/README.md | 321 +++++++++--------
 .../templates/configmap-host-scanner.yaml | 9 +
 .../templates/daemonset-node-analyzer.yaml | 24 ++
 .../node-analyzer/tests/hostscanner_test.yaml | 59 ++++
 charts/node-analyzer/values.yaml | 5 +
 charts/sysdig-deploy/Chart.yaml | 2 +-
 7 files changed, 261 insertions(+), 161 deletions(-)
diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
index c43010a15..1420f668f 100644
--- a/charts/node-analyzer/Chart.yaml
+++ b/charts/node-analyzer/Chart.yaml
@@ -3,7 +3,7 @@ name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.18.8
+version: 1.18.9
 appVersion: 12.9.0
 keywords:
 - monitoring
diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md
index 79cbaad08..aa969195d 100644
--- a/charts/node-analyzer/README.md
+++ b/charts/node-analyzer/README.md
@@ -98,163 +98,166 @@ To check the integrity and the origin of the charts, append the `--verify` flag The following table lists the configurable parameters of the Sysdig Node Analyzer chart and their default values. -| Parameter | Description | Default | -|----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `global.sysdig.region` | The region where Sysdig Secure is deployed. Valid options are`us1`, `us2`, `us3`, `us4`, `eu1`, `au1`, `custom`. | `us1` | -| `global.sysdig.tags` | The list of custom tags to be assigned to the components. | `{}` | -| `global.proxy.httpProxy` | Sets `HTTP_PROXY` on the Node Analyzer containers. | `""` | -| `global.proxy.httpsProxy` | Sets `HTTPS_PROXY` on the Node Analyzer containers. | `""` | -| `global.proxy.noProxy` | Sets `NO_PROXY` on the Node Analyzer containers. | `""` | -| `global.kspm.deploy` | Enables Sysdig KSPM node analyzer and KSPM collector. | `false` | -| `global.gke.autopilot` | If true,the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | -| `global.image.pullSecrets` | Sets the global pull secrets. | [] | -| `global.image.pullPolicy` | Sets the global pull policy. | `IfNotPresent` | -| `image.registry` | Sets the Sysdig Agent image registry. | `quay.io` | -| `gke.autopilot` | If true, the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | -| `rbac.create` | If true, RBAC resources will be created and used. | `true` | -| `scc.create` | Creates OpenShift's Security Context constraint. 
| `true` | -| `psp.create` | Creates Pod Security Policy to allow the agent running in clusters with PSP enabled. | `true` | -| `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. | ` ` | -| `namespace` | Overrides the global namespace setting and release namespace for components. | ` ` | -| `sysdig.accessKey` | Sets your Sysdig Agent Access Key. Either `accessKey` or `existingAccessKeySecret` is required. | | +| Parameter | Description | Default | +|----------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `global.sysdig.region` | The region where Sysdig Secure is deployed. Valid options are`us1`, `us2`, `us3`, `us4`, `eu1`, `au1`, `custom`. | `us1` | +| `global.sysdig.tags` | The list of custom tags to be assigned to the components. | `{}` | +| `global.proxy.httpProxy` | Sets `HTTP_PROXY` on the Node Analyzer containers. | `""` | +| `global.proxy.httpsProxy` | Sets `HTTPS_PROXY` on the Node Analyzer containers. | `""` | +| `global.proxy.noProxy` | Sets `NO_PROXY` on the Node Analyzer containers. | `""` | +| `global.kspm.deploy` | Enables Sysdig KSPM node analyzer and KSPM collector. | `false` | +| `global.gke.autopilot` | If true,the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | +| `global.image.pullSecrets` | Sets the global pull secrets. | [] | +| `global.image.pullPolicy` | Sets the global pull policy. | `IfNotPresent` | +| `image.registry` | Sets the Sysdig Agent image registry. | `quay.io` | +| `gke.autopilot` | If true, the agent configuration will be overridden to run on GKE Autopilot clusters. 
| `false` | +| `rbac.create` | If true, RBAC resources will be created and used. | `true` | +| `scc.create` | Creates OpenShift's Security Context constraint. | `true` | +| `psp.create` | Creates Pod Security Policy to allow the agent running in clusters with PSP enabled. | `true` | +| `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. | ` ` | +| `namespace` | Overrides the global namespace setting and release namespace for components. | ` ` | +| `sysdig.accessKey` | Sets your Sysdig Agent Access Key. Either `accessKey` or `existingAccessKeySecret` is required. | | | `sysdig.existingAccessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. Either `accessKey` or `existingAccessKeySecret` is required. | | -| `secure.enabled` | Enables Sysdig Secure. | `true` | -| `secure.vulnerabilityManagement.newEngineOnly` | Enables only the new vulnerability management engine. | `false` | -| `daemonset.annotations` | Sets custom annotations for the DaemonSet. | `{}` | -| `daemonset.labels` | Sets NodeAnalyzer-specific labels as a multi-line templated string map or as YAML. | `{}` | -| `daemonset.updateStrategy.type` | Sets the updateStrategy for updating the DaemonSet. | RollingUpdate | -| `daemonset.updateStrategy.rollingUpdate.maxUnavailable` | Sets the maximum number of pods that can be unavailable during the update process. | 1 | -| `daemonset.updateStrategy.rollingUpdate.maxSurge` | Sets the maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update. | `` | -| `nodeAnalyzer.deploy` | Deploys the Node Analyzer. | `true` | -| `nodeAnalyzer.apiEndpoint` | Specifies the Sysdig secure API endpoint, without the protocol. 
`secure.sysdig.com` | ` ` | -| `nodeAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | | -| `nodeAnalyzer.createPriorityClass` | Specify whether or not to create a priority class for the node analyzer components | `false` | -| `nodeAnalyzer.priorityClassName` | Sets the priority class name variable. | `` | -| `nodeAnalyzer.priorityClassValue` | Sets the priority class value for the node analyzer daemonset. | `` | -| `nodeAnalyzer.httpProxy` | Sets the HTTP proxy configuration variables. | | -| `nodeAnalyzer.httpsProxy` | Sets the HTTPS proxy configuration variables. | | -| `nodeAnalyzer.noProxy` | Sets `noProxy ` configuration variables. | | -| `nodeAnalyzer.natsMaxReconnect` | Sets `natsMaxReconnect ` configuration variables. Set to `-1` for unlimited reconnect attempts to NATS, or leave empty for default (60 attempts). | `0` | -| `nodeAnalyzer.pullSecrets` | Sets the image pull secrets for the Node Analyzer containers. | `nil` | -| `nodeAnalyzer.extraVolumes.volumes` | Specifies additional volumes to mount in the Node Analyzer. For example, docker socket. | `[]` | -| `nodeAnalyzer.imageAnalyzer.deploy` | Deploys the Image Analyzer. | `true` | -| `nodeAnalyzer.imageAnalyzer.image.repository` | Sets the image repository to pull the Node Image Analyzer from. | `sysdig/node-image-analyzer` | -| `nodeAnalyzer.imageAnalyzer.image.tag` | Sets the image tag for the Node Image Analyzer to be pulled. | `0.1.30` | -| `nodeAnalyzer.imageAnalyzer.image.digest` | Sets the image digest to pull. | ` ` | -| `nodeAnalyzer.imageAnalyzer.image.pullPolicy` | Sets the Image pull policy for the Node Image Analyzer. | `""` | -| `nodeAnalyzer.imageAnalyzer.http_proxy` | Sets `HTTP_PROXY` on the Image Analyzer container. 
| `""` | -| `nodeAnalyzer.imageAnalyzer.https_proxy` | Sets `HTTPS_PROXY` on the Image Analyzer container. | `""` | -| `nodeAnalyzer.imageAnalyzer.no_proxy` | Sets `NO_PROXY` on the Image Analyzer container. | `""` | -| `nodeAnalyzer.imageAnalyzer.dockerSocketPath` | Specifies the Docker socket path. | | -| `nodeAnalyzer.imageAnalyzer.criSocketPath` | Specifies the socket path to a CRI compatible runtime, such as CRI-O. | | -| `nodeAnalyzer.imageAnalyzer.containerdSocketPath` | Specifies the socket path to a CRI-Containerd daemon. | | -| `nodeAnalyzer.imageAnalyzer.extraVolumes.volumes` (Deprecated) | Specifies additional volumes to mount in the Node Image Analyzer. For example, docker socket. | `[]` | -| `nodeAnalyzer.imageAnalyzer.extraVolumes.mounts` | Specifies the mount points for additional volumes. | `[]` | -| `nodeAnalyzer.imageAnalyzer.resources.requests.cpu` | Specifies the Node Image Analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.imageAnalyzer.resources.requests.memory` | Specifies the Node Image Analyzer Memory requests per node. | `512Mi` | -| `nodeAnalyzer.imageAnalyzer.resources.limits.cpu` | Specifies the Node Image Analyzer CPU limit per node. | `500m` | -| `nodeAnalyzer.imageAnalyzer.resources.limits.memory` | Specifies the Node Image Analyzer Memory limit per node. | `1536Mi` | -| `nodeAnalyzer.imageAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.imageAnalyzer.env` | Specifies the Extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.hostAnalyzer.deploy` | Deploys the Host Analyzer. | `true` | -| `nodeAnalyzer.hostAnalyzer.image.repository` | Specifies the image repository to pull the Host Analyzer from. | `sysdig/host-analyzer` | -| `nodeAnalyzer.hostAnalyzer.image.tag` | Set the image tag to pull the Host Analyzer. 
| `0.1.18` | -| `nodeAnalyzer.hostAnalyzer.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.hostAnalyzer.image.pullPolicy` | Specifies the Image pull policy for the Host Analyzer. | `""` | -| `nodeAnalyzer.hostAnalyzer.http_proxy` | Sets `HTTP_PROXY` on the Host Analyzer container. | `""` | -| `nodeAnalyzer.hostAnalyzer.https_proxy` | Sets `HTTPS_PROXY` on the Host Analyzer container. | `""` | -| `nodeAnalyzer.hostAnalyzer.no_proxy` | Sets `NO_PROXY` on the Host Analyzer container. | `""` | -| `nodeAnalyzer.hostAnalyzer.schedule` | Specifies the scanning schedule specification for the host analyzer expressed as a crontab. | `@dailydefault` | -| `nodeAnalyzer.hostAnalyzer.dirsToScan` | Specifies the list of directories to inspect during the scan. | `/etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db` | -| `nodeAnalyzer.hostAnalyzer.maxSendAttempts` | Specifies the number of times the analysis collector is allowed to retry sending results. | `3` | -| `nodeAnalyzer.hostAnalyzer.resources.requests.cpu` | Specifies the Host Analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.hostAnalyzer.resources.requests.memory` | Specifies the Host Analyzer Memory requests per node. | `512Mi` | -| `nodeAnalyzer.hostAnalyzer.resources.limits.cpu` | Specifies the Host Analyzer CPU limit per node. | `500m` | -| `nodeAnalyzer.hostAnalyzer.resources.limits.memory` | Specifies the Host Analyzer memory limit per node. | `1536Mi` | -| `nodeAnalyzer.hostAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.hostAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.benchmarkRunner.deploy` | Deploys the Benchmark Runner. | `true` | -| `nodeAnalyzer.benchmarkRunner.image.repository` | Specifies the image repository to pull the Benchmark Runner from. 
| `sysdig/compliance-benchmark-runner` | -| `nodeAnalyzer.benchmarkRunner.image.tag` | Specifies the image tag for the Benchmark Runner to be pulled. | `1.1.0.9` | -| `nodeAnalyzer.benchmarkRunner.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.benchmarkRunner.image.pullPolicy` | Specifies the image pull policy for the Benchmark Runner. | `""` | -| `nodeAnalyzer.benchmarkRunner.http_proxy` | Sets `HTTP_PROXY` on the Benchmark Runner container. | `""` | -| `nodeAnalyzer.benchmarkRunner.https_proxy` | Sets `HTTPS_PROXY` on the Benchmark Runner container. | `""` | -| `nodeAnalyzer.benchmarkRunner.no_proxy` | Sets `NO_PROXY` on the Benchmark Runner container. | `""` | -| `nodeAnalyzer.benchmarkRunner.includeSensitivePermissions` | Grant the service account elevated permissions to run CIS Benchmark for OS4. | `false` | -| `nodeAnalyzer.benchmarkRunner.resources.requests.cpu` | Specifies the Benchmark Runner CPU requests per node. | `150m` | -| `nodeAnalyzer.benchmarkRunner.resources.requests.memory` | Specifies the Benchmark Runner memory requests per node. | `128Mi` | -| `nodeAnalyzer.benchmarkRunner.resources.limits.cpu` | Specifies the Benchmark Runner CPU limit per node. | `500m` | -| `nodeAnalyzer.benchmarkRunner.resources.limits.memory` | Specifies the Benchmark Runner memory limit per node. | `256Mi` | -| `nodeAnalyzer.benchmarkRunner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.benchmarkRunner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.hostScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | `false` | -| `nodeAnalyzer.hostScanner.deploy` | Deploys the Host Scanner. | unset | -| `nodeAnalyzer.hostScanner.dirsToScan` | Specifies the list of directories to inspect during the scan. 
| `/etc,/var/lib/dpkg,/var/lib/rpm,/lib/apk/db,/bin,/sbin,/usr/bin,/usr/sbin,/usr/share,/usr/local,/usr/lib,/usr/lib64,/var/lib/google,/var/lib/toolbox,/var/lib/cloud` | -| `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` | -| `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` | -| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.6.8` | -| `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` | -| `nodeAnalyzer.hostScanner.http_proxy` | Sets `HTTP_PROXY` on the Host Scanner container. | `""` | -| `nodeAnalyzer.hostScanner.https_proxy` | Sets `HTTPS_PROXY` on the Host Scanner container. | `""` | -| `nodeAnalyzer.hostScanner.no_proxy` | Sets `NO_PROXY` on the Host Scanner container. b | `""` | -| `nodeAnalyzer.hostScanner.resources.requests.cpu` | Specifies the Host Scanner CPU requests per node. | `150m` | -| `nodeAnalyzer.hostScanner.resources.requests.memory` | Specifies the Host Scanner memory requests per node. | `512Mi` | -| `nodeAnalyzer.hostScanner.resources.requests.ephemeral-storage` | Specifies the Host Scanner Storage requests per node. | `512Mi` | -| `nodeAnalyzer.hostScanner.resources.limits.cpu` | Specifies the Host Scanner CPU limit per node. | `500m` | -| `nodeAnalyzer.hostScanner.resources.limits.memory` | Specifies the Host Scanner memory limit per node. | `1Gi` | -| `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. 
| `1Gi` | -| `nodeAnalyzer.hostScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` | -| `nodeAnalyzer.runtimeScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | `false` | -| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` | -| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | | -| `nodeAnalyzer.runtimeScanner.storageClassName` | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` | -| `nodeAnalyzer.runtimeScanner.image.repository` | Specifies the image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` | -| `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.6.4` | -| `nodeAnalyzer.runtimeScanner.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.runtimeScanner.image.pullPolicy` | Specifies the image pull policy for the Runtime Scanner. | `""` | -| `nodeAnalyzer.runtimeScanner.http_proxy` | Sets `HTTP_PROXY` on the Runtime Scanner container. | `""` | -| `nodeAnalyzer.runtimeScanner.https_proxy` | Sets `HTTPS_PROXY` on the Runtime Scanner container. | `""` | -| `nodeAnalyzer.runtimeScanner.no_proxy` | Sets `NO_PROXY` on the Runtime Scanner container. | `""` | -| `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Specifies the Runtime Scanner CPU requests per node. | `150m` | -| `nodeAnalyzer.runtimeScanner.resources.requests.memory` | Specifies the Runtime Scanner Memory requests per node. | `512Mi` | -| `nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage` | Specifies the Runtime Scanner Storage requests per node. 
| `2Gi` | -| `nodeAnalyzer.runtimeScanner.resources.limits.cpu` | Specifies the Runtime Scanner CPU limit per node. | `1000m` | -| `nodeAnalyzer.runtimeScanner.resources.limits.memory` | Specifies the Runtime Scanner memory limit per node. | `2Gi` | -| `nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage` | Specifies the Runtime Scanner Storage limit per node. | `4Gi` | -| `nodeAnalyzer.runtimeScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.runtimeScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.runtimeScanner.settings.eveEnabled` | Enables Sysdig Eve | `false` | -| `nodeAnalyzer.runtimeScanner.eveConnector.image.repository` | Specifies the image repository to pull the Eve Connector from. | `sysdig/eveclient-api` | -| `nodeAnalyzer.runtimeScanner.eveConnector.image.tag` | Specifies the image tag for the Eve Connector to be pulled. | `1.1.0` | -| `nodeAnalyzer.runtimeScanner.eveConnector.deploy` | Enables Sysdig Eve Connector for third-party integrations. | `false` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu` | Specifies the Eve Connector CPU requests per node. | `100m` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory` | Specifies the Eve Connector memory requests per node. | `128Mi` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu` | Specifies the Eve Connector CPU limits per node. | `1000m` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory` | Specifies the Eve Connector Memory limits per node. | `512Mi` | -| `nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas` | Specifies the Eve Connector deployment replicas. | `1` | -| `nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName` | Specifies the name of an existing PriorityClass to use for the Eve Connector Deployment. 
| `{}` | -| `nodeAnalyzer.tolerations` | Specifies the tolerations for scheduling. |
node-role.kubernetes.io/master:NoSchedule,
node-role.kubernetes.io/control-plane:NoSchedule
| -| `nodeAnalyzer.kspmAnalyzer.debug` | Set to true to show KSPM node analyzer debug logging, which is useful for troubleshooting. | `false` | -| `nodeAnalyzer.kspmAnalyzer.image.repository` | Specifies the image repository to pull the KSPM node analyzer from. | `sysdig/kspm-analyzer` | -| `nodeAnalyzer.kspmAnalyzer.image.tag` | Specifies the image tag for the KSPM node analyzer image to be pulled. | `1.36.0` | -| `nodeAnalyzer.kspmAnalyzer.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.kspmAnalyzer.image.pullPolicy` | Specifies the The image pull policy for the KSPM node analyzer. | `""` | -| `nodeAnalyzer.kspmAnalyzer.http_proxy` | Sets `HTTP_PROXY` on the KSPM Analyzer container. | `""` | -| `nodeAnalyzer.kspmAnalyzer.https_proxy` | Sets `HTTPS_PROXY` on the KSPM Analyzer container. | `""` | -| `nodeAnalyzer.kspmAnalyzer.no_proxy` | Sets `NO_PROXY` on the KSPM Analyzer container. | `""` | -| `nodeAnalyzer.kspmAnalyzer.resources.requests.cpu` | Specifies the KSPM node analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.kspmAnalyzer.resources.requests.memory` | Specifies the KSPM node analyzer memory requests per node. | `256Mi` | -| `nodeAnalyzer.kspmAnalyzer.resources.limits.cpu` | Specifies the KSPM node analyzer CPU limits per node. | `500m` | -| `nodeAnalyzer.kspmAnalyzer.resources.limits.memory` | Specifies the KSPM node analyzer memory limits per node. | `1536Mi` | -| `nodeAnalyzer.kspmAnalyzer.port` | Specifies the KSPM node analyzer port for health checks and results API. | `12000` | -| `nodeAnalyzer.kspmAnalyzer.readinessProbe.enabled` | Specifies whether KSPM node analyzer readinessProbe is enabled or not. | `true` | -| `nodeAnalyzer.kspmAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.kspmAnalyzer.livenessProbe.enabled` | Specifies whether the KSPM node analyzer livenessProbe is enabled or not. 
| `true` | -| `nodeAnalyzer.kspmAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.nodeSelector` | Specifies the Node Selector. | `{}` | -| `nodeAnalyzer.affinity` | Specifies the Node affinities. | `schedule on amd64 and linux` | +| `secure.enabled` | Enables Sysdig Secure. | `true` | +| `secure.vulnerabilityManagement.newEngineOnly` | Enables only the new vulnerability management engine. | `false` | +| `daemonset.annotations` | Sets custom annotations for the DaemonSet. | `{}` | +| `daemonset.labels` | Sets NodeAnalyzer-specific labels as a multi-line templated string map or as YAML. | `{}` | +| `daemonset.updateStrategy.type` | Sets the updateStrategy for updating the DaemonSet. | RollingUpdate | +| `daemonset.updateStrategy.rollingUpdate.maxUnavailable` | Sets the maximum number of pods that can be unavailable during the update process. | 1 | +| `daemonset.updateStrategy.rollingUpdate.maxSurge` | Sets the maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update. | `` | +| `nodeAnalyzer.deploy` | Deploys the Node Analyzer. | `true` | +| `nodeAnalyzer.apiEndpoint` | Specifies the Sysdig secure API endpoint, without the protocol. `secure.sysdig.com` | ` ` | +| `nodeAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | | +| `nodeAnalyzer.createPriorityClass` | Specify whether or not to create a priority class for the node analyzer components | `false` | +| `nodeAnalyzer.priorityClassName` | Sets the priority class name variable. | `` | +| `nodeAnalyzer.priorityClassValue` | Sets the priority class value for the node analyzer daemonset. | `` | +| `nodeAnalyzer.httpProxy` | Sets the HTTP proxy configuration variables. 
| | +| `nodeAnalyzer.httpsProxy` | Sets the HTTPS proxy configuration variables. | | +| `nodeAnalyzer.noProxy` | Sets `noProxy ` configuration variables. | | +| `nodeAnalyzer.natsMaxReconnect` | Sets `natsMaxReconnect ` configuration variables. Set to `-1` for unlimited reconnect attempts to NATS, or leave empty for default (60 attempts). | `0` | +| `nodeAnalyzer.pullSecrets` | Sets the image pull secrets for the Node Analyzer containers. | `nil` | +| `nodeAnalyzer.extraVolumes.volumes` | Specifies additional volumes to mount in the Node Analyzer. For example, docker socket. | `[]` | +| `nodeAnalyzer.imageAnalyzer.deploy` | Deploys the Image Analyzer. | `true` | +| `nodeAnalyzer.imageAnalyzer.image.repository` | Sets the image repository to pull the Node Image Analyzer from. | `sysdig/node-image-analyzer` | +| `nodeAnalyzer.imageAnalyzer.image.tag` | Sets the image tag for the Node Image Analyzer to be pulled. | `0.1.30` | +| `nodeAnalyzer.imageAnalyzer.image.digest` | Sets the image digest to pull. | ` ` | +| `nodeAnalyzer.imageAnalyzer.image.pullPolicy` | Sets the Image pull policy for the Node Image Analyzer. | `""` | +| `nodeAnalyzer.imageAnalyzer.http_proxy` | Sets `HTTP_PROXY` on the Image Analyzer container. | `""` | +| `nodeAnalyzer.imageAnalyzer.https_proxy` | Sets `HTTPS_PROXY` on the Image Analyzer container. | `""` | +| `nodeAnalyzer.imageAnalyzer.no_proxy` | Sets `NO_PROXY` on the Image Analyzer container. | `""` | +| `nodeAnalyzer.imageAnalyzer.dockerSocketPath` | Specifies the Docker socket path. | | +| `nodeAnalyzer.imageAnalyzer.criSocketPath` | Specifies the socket path to a CRI compatible runtime, such as CRI-O. | | +| `nodeAnalyzer.imageAnalyzer.containerdSocketPath` | Specifies the socket path to a CRI-Containerd daemon. | | +| `nodeAnalyzer.imageAnalyzer.extraVolumes.volumes` (Deprecated) | Specifies additional volumes to mount in the Node Image Analyzer. For example, docker socket. 
| `[]` | +| `nodeAnalyzer.imageAnalyzer.extraVolumes.mounts` | Specifies the mount points for additional volumes. | `[]` | +| `nodeAnalyzer.imageAnalyzer.resources.requests.cpu` | Specifies the Node Image Analyzer CPU requests per node. | `150m` | +| `nodeAnalyzer.imageAnalyzer.resources.requests.memory` | Specifies the Node Image Analyzer Memory requests per node. | `512Mi` | +| `nodeAnalyzer.imageAnalyzer.resources.limits.cpu` | Specifies the Node Image Analyzer CPU limit per node. | `500m` | +| `nodeAnalyzer.imageAnalyzer.resources.limits.memory` | Specifies the Node Image Analyzer Memory limit per node. | `1536Mi` | +| `nodeAnalyzer.imageAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.imageAnalyzer.env` | Specifies the Extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.hostAnalyzer.deploy` | Deploys the Host Analyzer. | `true` | +| `nodeAnalyzer.hostAnalyzer.image.repository` | Specifies the image repository to pull the Host Analyzer from. | `sysdig/host-analyzer` | +| `nodeAnalyzer.hostAnalyzer.image.tag` | Set the image tag to pull the Host Analyzer. | `0.1.18` | +| `nodeAnalyzer.hostAnalyzer.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.hostAnalyzer.image.pullPolicy` | Specifies the Image pull policy for the Host Analyzer. | `""` | +| `nodeAnalyzer.hostAnalyzer.http_proxy` | Sets `HTTP_PROXY` on the Host Analyzer container. | `""` | +| `nodeAnalyzer.hostAnalyzer.https_proxy` | Sets `HTTPS_PROXY` on the Host Analyzer container. | `""` | +| `nodeAnalyzer.hostAnalyzer.no_proxy` | Sets `NO_PROXY` on the Host Analyzer container. | `""` | +| `nodeAnalyzer.hostAnalyzer.schedule` | Specifies the scanning schedule specification for the host analyzer expressed as a crontab. | `@dailydefault` | +| `nodeAnalyzer.hostAnalyzer.dirsToScan` | Specifies the list of directories to inspect during the scan. 
| `/etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db` | +| `nodeAnalyzer.hostAnalyzer.maxSendAttempts` | Specifies the number of times the analysis collector is allowed to retry sending results. | `3` | +| `nodeAnalyzer.hostAnalyzer.resources.requests.cpu` | Specifies the Host Analyzer CPU requests per node. | `150m` | +| `nodeAnalyzer.hostAnalyzer.resources.requests.memory` | Specifies the Host Analyzer Memory requests per node. | `512Mi` | +| `nodeAnalyzer.hostAnalyzer.resources.limits.cpu` | Specifies the Host Analyzer CPU limit per node. | `500m` | +| `nodeAnalyzer.hostAnalyzer.resources.limits.memory` | Specifies the Host Analyzer memory limit per node. | `1536Mi` | +| `nodeAnalyzer.hostAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.hostAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.benchmarkRunner.deploy` | Deploys the Benchmark Runner. | `true` | +| `nodeAnalyzer.benchmarkRunner.image.repository` | Specifies the image repository to pull the Benchmark Runner from. | `sysdig/compliance-benchmark-runner` | +| `nodeAnalyzer.benchmarkRunner.image.tag` | Specifies the image tag for the Benchmark Runner to be pulled. | `1.1.0.9` | +| `nodeAnalyzer.benchmarkRunner.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.benchmarkRunner.image.pullPolicy` | Specifies the image pull policy for the Benchmark Runner. | `""` | +| `nodeAnalyzer.benchmarkRunner.http_proxy` | Sets `HTTP_PROXY` on the Benchmark Runner container. | `""` | +| `nodeAnalyzer.benchmarkRunner.https_proxy` | Sets `HTTPS_PROXY` on the Benchmark Runner container. | `""` | +| `nodeAnalyzer.benchmarkRunner.no_proxy` | Sets `NO_PROXY` on the Benchmark Runner container. 
| `""` | +| `nodeAnalyzer.benchmarkRunner.includeSensitivePermissions` | Grant the service account elevated permissions to run CIS Benchmark for OS4. | `false` | +| `nodeAnalyzer.benchmarkRunner.resources.requests.cpu` | Specifies the Benchmark Runner CPU requests per node. | `150m` | +| `nodeAnalyzer.benchmarkRunner.resources.requests.memory` | Specifies the Benchmark Runner memory requests per node. | `128Mi` | +| `nodeAnalyzer.benchmarkRunner.resources.limits.cpu` | Specifies the Benchmark Runner CPU limit per node. | `500m` | +| `nodeAnalyzer.benchmarkRunner.resources.limits.memory` | Specifies the Benchmark Runner memory limit per node. | `256Mi` | +| `nodeAnalyzer.benchmarkRunner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.benchmarkRunner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.hostScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | `false` | +| `nodeAnalyzer.hostScanner.deploy` | Deploys the Host Scanner. | unset | +| `nodeAnalyzer.hostScanner.dirsToScan` | Specifies the list of directories to inspect during the scan. | `/etc,/var/lib/dpkg,/var/lib/rpm,/lib/apk/db,/bin,/sbin,/usr/bin,/usr/sbin,/usr/share,/usr/local,/usr/lib,/usr/lib64,/var/lib/google,/var/lib/toolbox,/var/lib/cloud` | +| `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` | +| `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` | +| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. 
| `0.6.8` | +| `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` | +| `nodeAnalyzer.hostScanner.http_proxy` | Sets `HTTP_PROXY` on the Host Scanner container. | `""` | +| `nodeAnalyzer.hostScanner.https_proxy` | Sets `HTTPS_PROXY` on the Host Scanner container. | `""` | +| `nodeAnalyzer.hostScanner.no_proxy` | Sets `NO_PROXY` on the Host Scanner container. b | `""` | +| `nodeAnalyzer.hostScanner.resources.requests.cpu` | Specifies the Host Scanner CPU requests per node. | `150m` | +| `nodeAnalyzer.hostScanner.resources.requests.memory` | Specifies the Host Scanner memory requests per node. | `512Mi` | +| `nodeAnalyzer.hostScanner.resources.requests.ephemeral-storage` | Specifies the Host Scanner Storage requests per node. | `512Mi` | +| `nodeAnalyzer.hostScanner.resources.limits.cpu` | Specifies the Host Scanner CPU limit per node. | `500m` | +| `nodeAnalyzer.hostScanner.resources.limits.memory` | Specifies the Host Scanner memory limit per node. | `1Gi` | +| `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. | `1Gi` | +| `nodeAnalyzer.hostScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` | +| `nodeAnalyzer.hostScanner.scanContainers.enabled` | Set to `true` to scan containers | `false` | +| `nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath` | Specifies the path to docker socket | ` ` | +| `nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath` | Specifies the path to podman socket | ` ` | +| `nodeAnalyzer.runtimeScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. 
| `false` | +| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` | +| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | | +| `nodeAnalyzer.runtimeScanner.storageClassName` | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` | +| `nodeAnalyzer.runtimeScanner.image.repository` | Specifies the image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` | +| `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.6.4` | +| `nodeAnalyzer.runtimeScanner.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.runtimeScanner.image.pullPolicy` | Specifies the image pull policy for the Runtime Scanner. | `""` | +| `nodeAnalyzer.runtimeScanner.http_proxy` | Sets `HTTP_PROXY` on the Runtime Scanner container. | `""` | +| `nodeAnalyzer.runtimeScanner.https_proxy` | Sets `HTTPS_PROXY` on the Runtime Scanner container. | `""` | +| `nodeAnalyzer.runtimeScanner.no_proxy` | Sets `NO_PROXY` on the Runtime Scanner container. | `""` | +| `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Specifies the Runtime Scanner CPU requests per node. | `150m` | +| `nodeAnalyzer.runtimeScanner.resources.requests.memory` | Specifies the Runtime Scanner Memory requests per node. | `512Mi` | +| `nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage` | Specifies the Runtime Scanner Storage requests per node. | `2Gi` | +| `nodeAnalyzer.runtimeScanner.resources.limits.cpu` | Specifies the Runtime Scanner CPU limit per node. | `1000m` | +| `nodeAnalyzer.runtimeScanner.resources.limits.memory` | Specifies the Runtime Scanner memory limit per node. | `2Gi` | +| `nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage` | Specifies the Runtime Scanner Storage limit per node. 
| `4Gi` | +| `nodeAnalyzer.runtimeScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.runtimeScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.runtimeScanner.settings.eveEnabled` | Enables Sysdig Eve | `false` | +| `nodeAnalyzer.runtimeScanner.eveConnector.image.repository` | Specifies the image repository to pull the Eve Connector from. | `sysdig/eveclient-api` | +| `nodeAnalyzer.runtimeScanner.eveConnector.image.tag` | Specifies the image tag for the Eve Connector to be pulled. | `1.1.0` | +| `nodeAnalyzer.runtimeScanner.eveConnector.deploy` | Enables Sysdig Eve Connector for third-party integrations. | `false` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu` | Specifies the Eve Connector CPU requests per node. | `100m` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory` | Specifies the Eve Connector memory requests per node. | `128Mi` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu` | Specifies the Eve Connector CPU limits per node. | `1000m` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory` | Specifies the Eve Connector Memory limits per node. | `512Mi` | +| `nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas` | Specifies the Eve Connector deployment replicas. | `1` | +| `nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName` | Specifies the name of an existing PriorityClass to use for the Eve Connector Deployment. | `{}` | +| `nodeAnalyzer.tolerations` | Specifies the tolerations for scheduling. |
node-role.kubernetes.io/master:NoSchedule,
node-role.kubernetes.io/control-plane:NoSchedule
| +| `nodeAnalyzer.kspmAnalyzer.debug` | Set to true to show KSPM node analyzer debug logging, which is useful for troubleshooting. | `false` | +| `nodeAnalyzer.kspmAnalyzer.image.repository` | Specifies the image repository to pull the KSPM node analyzer from. | `sysdig/kspm-analyzer` | +| `nodeAnalyzer.kspmAnalyzer.image.tag` | Specifies the image tag for the KSPM node analyzer image to be pulled. | `1.36.0` | +| `nodeAnalyzer.kspmAnalyzer.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.kspmAnalyzer.image.pullPolicy` | Specifies the The image pull policy for the KSPM node analyzer. | `""` | +| `nodeAnalyzer.kspmAnalyzer.http_proxy` | Sets `HTTP_PROXY` on the KSPM Analyzer container. | `""` | +| `nodeAnalyzer.kspmAnalyzer.https_proxy` | Sets `HTTPS_PROXY` on the KSPM Analyzer container. | `""` | +| `nodeAnalyzer.kspmAnalyzer.no_proxy` | Sets `NO_PROXY` on the KSPM Analyzer container. | `""` | +| `nodeAnalyzer.kspmAnalyzer.resources.requests.cpu` | Specifies the KSPM node analyzer CPU requests per node. | `150m` | +| `nodeAnalyzer.kspmAnalyzer.resources.requests.memory` | Specifies the KSPM node analyzer memory requests per node. | `256Mi` | +| `nodeAnalyzer.kspmAnalyzer.resources.limits.cpu` | Specifies the KSPM node analyzer CPU limits per node. | `500m` | +| `nodeAnalyzer.kspmAnalyzer.resources.limits.memory` | Specifies the KSPM node analyzer memory limits per node. | `1536Mi` | +| `nodeAnalyzer.kspmAnalyzer.port` | Specifies the KSPM node analyzer port for health checks and results API. | `12000` | +| `nodeAnalyzer.kspmAnalyzer.readinessProbe.enabled` | Specifies whether KSPM node analyzer readinessProbe is enabled or not. | `true` | +| `nodeAnalyzer.kspmAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.kspmAnalyzer.livenessProbe.enabled` | Specifies whether the KSPM node analyzer livenessProbe is enabled or not. 
| `true` | +| `nodeAnalyzer.kspmAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.nodeSelector` | Specifies the Node Selector. | `{}` | +| `nodeAnalyzer.affinity` | Specifies the Node affinities. | `schedule on amd64 and linux` | diff --git a/charts/node-analyzer/templates/configmap-host-scanner.yaml b/charts/node-analyzer/templates/configmap-host-scanner.yaml index c9de12f5f..444fb5918 100644 --- a/charts/node-analyzer/templates/configmap-host-scanner.yaml +++ b/charts/node-analyzer/templates/configmap-host-scanner.yaml @@ -39,4 +39,13 @@ data: {{- if .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion }} vuln_db_version: {{ .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion | quote }} {{- end }} + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }} + container_scan_enabled: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.enabled | quote}} + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath }} + docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote}} + {{- end }} + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath }} + podman_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath | quote}} + {{- end }} + {{- end}} {{- end }} diff --git a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml index 0f6ac844e..219e71eeb 100644 --- a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml +++ b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml 
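Review bot: The three new template actions close with `| quote}}` and the outer block with `{{- end}}`, while the existing lines in the same hunk use `| quote }}` and `{{- end }}`; the new lines should match the file's spacing, i.e. `| quote }}` and `{{- end }}`. Separately, `container_scan_enabled` is rendered only inside the `{{- if ... scanContainers.enabled }}` block, so its value can only ever be `"true"`; that is harmless but worth a one-line comment so nobody later tries to read `"false"` from it. The ConfigMap keys are singular (`docker_socket_path`, `podman_socket_path`) whereas the DaemonSet exposes them as `DOCKER_SOCKET_PATHS` / `PODMAN_SOCKET_PATHS`, so a comment on each key stating whether a single path or a comma-separated list is accepted would remove the ambiguity.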
@@ -878,6 +878,30 @@ spec: - name: "{{ $key }}" value: "{{ $value }}" {{- end }} + + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }} + # Container scanner + - name: USE_COMBINED_SCANNER + value: "true" + - name: SCAN_CONTAINERS_ENABLED + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-host-scanner + key: container_scan_enabled + optional: true + - name: DOCKER_SOCKET_PATHS + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-host-scanner + key: docker_socket_path + optional: true + - name: PODMAN_SOCKET_PATHS + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-host-scanner + key: podman_socket_path + optional: true + {{- end }} volumeMounts: - mountPath: /tmp name: tmp-vol diff --git a/charts/node-analyzer/tests/hostscanner_test.yaml b/charts/node-analyzer/tests/hostscanner_test.yaml index 57d227a3f..7384e80a2 100644 --- a/charts/node-analyzer/tests/hostscanner_test.yaml +++ b/charts/node-analyzer/tests/hostscanner_test.yaml 
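Review bot: The hunk wires the engine socket paths into the host-scanner container only as environment variables; nothing in it adds a hostPath volume or volumeMount for the socket, so unless the scanner resolves these paths through a host filesystem mount that already exists elsewhere in this template, the configured socket will not exist inside the container. If the former is the case, the `# Container scanner` comment should say so, since a reader of this block cannot tell. The same comment should also record why every `configMapKeyRef` is `optional: true`: the ConfigMap template renders `container_scan_enabled`, `docker_socket_path` and `podman_socket_path` only when `scanContainers.enabled` is set and the path values are non-empty, e.g. `# Container scanner: keys below are only rendered in the host-scanner ConfigMap when scanContainers.enabled is true and a path is set, hence optional: true`. Access to the container-engine socket is a highly privileged capability, so the comment should also state what the scanner does with it. The enclosing container spec and its `env` list start and end outside the hunk.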
@@ -156,3 +156,62 @@ tests: of: ConfigMap - isNull: path: data.additional_dirs_to_scan + + - it: "Container scanner is disabled by default" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + templates: + - ../templates/daemonset-node-analyzer.yaml + asserts: + - isKind: + of: DaemonSet + - isNull: + path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value + - isNull: + path: spec.template.spec.containers[3].env[?(@.name == "SCAN_CONTAINERS_ENABLED")].value + - it: "Container scanner enabled - daemonset" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + nodeAnalyzer.hostScanner.scanContainers.enabled: true + templates: + - ../templates/daemonset-node-analyzer.yaml + asserts: + - isKind: + of: DaemonSet + - equal: + path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value + value: "true" + - it: "Container scanner enabled and empty socket paths - configmap" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + nodeAnalyzer.hostScanner.scanContainers.enabled: true + templates: + - ../templates/configmap-host-scanner.yaml + asserts: + - isKind: + of: ConfigMap + - isNull: + path: data.docker_socket_path + - isNull: + path: data.podman_socket_path + - it: "Container scanner enabled and not empty socket paths - configmap" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + nodeAnalyzer.hostScanner.scanContainers.enabled: true + nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath: "/docker/socket" + nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath: "/podman/socket" + templates: + - ../templates/configmap-host-scanner.yaml + asserts: + - isKind: + of: ConfigMap + - equal: + path: data.docker_socket_path + value: "/docker/socket" + - equal: + path: data.podman_socket_path + value: "/podman/socket" diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml index 641d8cf1a..36b6f849d 100644 
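Review bot: In "Container scanner is disabled by default" the second assertion checks `.value` of the `SCAN_CONTAINERS_ENABLED` entry, but that entry is defined with `valueFrom`, never `value`, so `.value` is null whether or not the variable is rendered and the assertion cannot detect a regression; assert on the entry itself or on `.valueFrom.configMapKeyRef.key` instead. "Container scanner enabled - daemonset" pins only `USE_COMBINED_SCANNER`, leaving the three `configMapKeyRef` entries untested, so a mismatch between the referenced `key` and the ConfigMap key names in `configmap-host-scanner.yaml` would pass the suite; add e.g. `- equal:` / `path: spec.template.spec.containers[3].env[?(@.name == "DOCKER_SOCKET_PATHS")].valueFrom.configMapKeyRef.key` / `value: docker_socket_path`. The hard-coded `containers[3]` index is also brittle if the container order changes, though that matches the style of the existing tests in this file.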
--- a/charts/node-analyzer/values.yaml +++ b/charts/node-analyzer/values.yaml @@ -416,6 +416,11 @@ nodeAnalyzer: settings: replicas: 1 + scanContainers: + enabled: false + # dockerSocketPath: "unix:///var/run/docker.sock" + # podmanSocketPath: "unix:///var/run/podman.sock" + kspmAnalyzer: debug: false image: diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index f0e7b993a..be206a463 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.31.1 +version: 1.31.2 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com
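Review bot: The new `scanContainers` stanza carries no comment explaining what enabling it does or what format the socket values take; the commented examples use `unix://` URIs, the README describes them as paths, and the DaemonSet env names are plural (`DOCKER_SOCKET_PATHS`), so a user cannot tell whether a bare path, a URI, or a comma-separated list is expected. A short comment above `scanContainers:` would settle this, e.g. `# Scan running containers through the container engine socket (host scanner only).` / `# Socket values use the URI form shown below and must be reachable from the host-scanner container.` Since handing the scanner the engine socket is a node-admin-equivalent capability, the comment should also make that consequence explicit so operators can weigh it before enabling. The enclosing `nodeAnalyzer` map starts and ends outside the hunk.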