feat(node-analyzer): bumped host-scanner to 0.7.0 to add container scanning support #1538

Merged
2 changes: 1 addition & 1 deletion charts/node-analyzer/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: node-analyzer
description: Sysdig Node Analyzer
# currently matching Sysdig's appVersion 1.14.34
version: 1.20.4
version: 1.21.0
appVersion: 12.9.0
keywords:
- monitoring
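Review bot: the comment `# currently matching Sysdig's appVersion 1.14.34` directly above the bumped `version:` no longer matches the `appVersion: 12.9.0` two lines below and was left untouched by this bump; either update it or drop it so the next person bumping the chart is not misled. The minor bump 1.20.4 -> 1.21.0 itself is the right semver step for a new opt-in feature.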
5 changes: 4 additions & 1 deletion charts/node-analyzer/README.md
Expand Up @@ -195,7 +195,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
| `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` |
| `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` |
| `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` |
| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.6.8` |
| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.7.0` |
| `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` |
| `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` |
| `nodeAnalyzer.hostScanner.http_proxy` | Sets `HTTP_PROXY` on the Host Scanner container. | `""` |
Expand All @@ -209,6 +209,9 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
| `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. | `1Gi` |
| `nodeAnalyzer.hostScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
| `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` |
| `nodeAnalyzer.hostScanner.scanContainers.enabled` | Set to `true` to scan containers | `false` |
| `nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath` | Specifies the path to docker socket | `unix:///var/run/docker.sock` |
| `nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath` | Specifies the path to podman socket | `unix:///var/run/podman.sock` |
| `nodeAnalyzer.runtimeScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | `false` |
| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` |
| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
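Review bot: the Default column for `scanContainers.dockerSocketPath` and `scanContainers.podmanSocketPath` shows `unix:///var/run/docker.sock` and `unix:///var/run/podman.sock`, but values.yaml in this PR ships both keys commented out, so the chart renders no default at all: the ConfigMap omits `docker_socket_path`/`podman_socket_path` and the DaemonSet's `optional: true` configMapKeyRef leaves `DOCKER_SOCKET_PATHS`/`PODMAN_SOCKET_PATHS` unset. Either leave the column empty the way `additionalDirsToScan` does, or state that these are the scanner's built-in fallbacks when the values are not set. The DaemonSet env var names are plural (`DOCKER_SOCKET_PATHS`, `PODMAN_SOCKET_PATHS`), so the description should also say whether a comma-separated list is accepted, and "Set to `true` to scan containers" deserves a sentence on what the host scanner then needs to reach, since access to a container-engine socket from a node-level DaemonSet is a privileged capability users should opt into knowingly.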
8 changes: 8 additions & 0 deletions charts/node-analyzer/templates/configmap-host-scanner.yaml
Expand Up @@ -39,4 +39,12 @@ data:
{{- if .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion }}
vuln_db_version: {{ .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion | quote }}
{{- end }}
{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath }}
docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote}}
{{- end }}
{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath }}
podman_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath | quote}}
{{- end }}
{{- end}}
{{- end }}
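Review bot: whitespace in the new lines is inconsistent with the existing `vuln_db_version:` line just above: the `docker_socket_path` and `podman_socket_path` lines use `| quote}}` with no space before `}}`, and the inner closing line is `{{- end}}`, versus `| quote }}` and `{{- end }}` elsewhere in the template. Helm accepts both, but aligning them keeps the file greppable. Behaviour-wise the nesting is right: each key is rendered only when `scanContainers.enabled` is true and the corresponding path is set, which is exactly what the `optional: true` consumers in the DaemonSet rely on.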
20 changes: 20 additions & 0 deletions charts/node-analyzer/templates/daemonset-node-analyzer.yaml
Expand Up @@ -890,6 +890,26 @@ spec:
- name: "{{ $key }}"
value: "{{ $value }}"
{{- end }}

{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
# Container scanner
- name: USE_COMBINED_SCANNER
value: "true"
- name: SCAN_CONTAINERS_ENABLED
value: "true"
- name: DOCKER_SOCKET_PATHS
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-host-scanner
key: docker_socket_path
optional: true
- name: PODMAN_SOCKET_PATHS
valueFrom:
configMapKeyRef:
name: {{ .Release.Name }}-host-scanner
key: podman_socket_path
optional: true
{{- end }}
volumeMounts:
- mountPath: /tmp
name: tmp-vol
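Review bot: the new env vars tell the scanner where a socket lives inside its own filesystem, but this hunk adds no `volumes`/`volumeMounts` entry for `/var/run/docker.sock` or `/var/run/podman.sock`, and the visible `volumeMounts` below starts with only `/tmp`. Confirm that the host-scanner container already mounts the host filesystem at the location the scanner resolves `DOCKER_SOCKET_PATHS`/`PODMAN_SOCKET_PATHS` against, otherwise `scanContainers.enabled: true` will silently find nothing to scan. If a socket mount does have to be added, document that access to the Docker or Podman socket is effectively host-root-equivalent, so the feature should stay opt-in as it is here. Minor: `USE_COMBINED_SCANNER` and `SCAN_CONTAINERS_ENABLED` are both hard-wired to `"true"` under the same condition; if the scanner always expects them together, one of them is redundant from the chart's side.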
59 changes: 59 additions & 0 deletions charts/node-analyzer/tests/hostscanner_test.yaml
Expand Up @@ -168,3 +168,62 @@ tests:
of: ConfigMap
- isNull:
path: data.additional_dirs_to_scan

- it: "Container scanner is disabled by default"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
templates:
- ../templates/daemonset-node-analyzer.yaml
asserts:
- isKind:
of: DaemonSet
- isNull:
path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
- isNull:
path: spec.template.spec.containers[3].env[?(@.name == "SCAN_CONTAINERS_ENABLED")].value
- it: "Container scanner enabled - daemonset"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
nodeAnalyzer.hostScanner.scanContainers.enabled: true
templates:
- ../templates/daemonset-node-analyzer.yaml
asserts:
- isKind:
of: DaemonSet
- equal:
path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
value: "true"
- it: "Container scanner enabled and empty socket paths - configmap"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
nodeAnalyzer.hostScanner.scanContainers.enabled: true
templates:
- ../templates/configmap-host-scanner.yaml
asserts:
- isKind:
of: ConfigMap
- isNull:
path: data.docker_socket_path
- isNull:
path: data.podman_socket_path
- it: "Container scanner enabled and not empty socket paths - configmap"
set:
clusterName: "test"
nodeAnalyzer.hostScanner.deploy: true
nodeAnalyzer.hostScanner.scanContainers.enabled: true
nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath: "/docker/socket"
nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath: "/podman/socket"
templates:
- ../templates/configmap-host-scanner.yaml
asserts:
- isKind:
of: ConfigMap
- equal:
path: data.docker_socket_path
value: "/docker/socket"
- equal:
path: data.podman_socket_path
value: "/podman/socket"
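Review bot: the assertions address the host-scanner container by position, `spec.template.spec.containers[3]`, while the env lookups in the same paths already filter by `@.name`; a positional index shifts silently when a container is added or reordered ahead of it, so filter the container by its `name` the same way. The "Container scanner enabled - daemonset" case only checks `USE_COMBINED_SCANNER`; add assertions for `SCAN_CONTAINERS_ENABLED` and for the `configMapKeyRef` wiring of `DOCKER_SOCKET_PATHS`/`PODMAN_SOCKET_PATHS` (name `{{ .Release.Name }}-host-scanner`, `optional: true`) so the ConfigMap and DaemonSet halves are tested as a pair. The "not empty socket paths" case uses `/docker/socket` without the `unix://` scheme the README documents; if the scanner requires the scheme, a case with the documented form would catch a regression that this one cannot.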
7 changes: 6 additions & 1 deletion charts/node-analyzer/values.yaml
Expand Up @@ -392,7 +392,7 @@ nodeAnalyzer:

image:
repository: sysdig/vuln-host-scanner
tag: "0.6.8"
tag: "0.7.0"
digest:
pullPolicy:

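Review bot: the tag moves to `0.7.0` but `digest:` directly below stays empty, so the image is still resolved by a mutable tag at pull time on every node. For a scanner that is now being pointed at a container-engine socket this is worth pinning: populate `image.digest` with the 0.7.0 digest (the README already carries a row for it) so upgrades are reproducible and a re-pushed tag cannot change what the DaemonSet runs.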
Expand All @@ -416,6 +416,11 @@ nodeAnalyzer:
settings:
replicas: 1

scanContainers:
enabled: false
# dockerSocketPath: "unix:///var/run/docker.sock"
# podmanSocketPath: "unix:///var/run/podman.sock"

kspmAnalyzer:
debug: false
image:
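Review bot: the two commented-out keys leave `dockerSocketPath`/`podmanSocketPath` nil by default, which the templates handle, but the README's Default column presents the commented values as chart defaults; pick one story and apply it in both places. A short comment above `enabled: false` saying what turning it on does (adds `USE_COMBINED_SCANNER`, `SCAN_CONTAINERS_ENABLED` and the socket-path env vars to the host-scanner container) and that the scanner must be able to reach the engine socket would make the opt-in explicit for people editing values.yaml without reading the README.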
4 changes: 2 additions & 2 deletions charts/sysdig-deploy/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.34.9
version: 1.35.0
maintainers:
- name: AlbertoBarba
email: [email protected]
Expand Down Expand Up @@ -36,7 +36,7 @@ dependencies:
- name: node-analyzer
# repository: https://charts.sysdig.com
repository: file://../node-analyzer
version: ~1.20.4
version: ~1.21.0
alias: nodeAnalyzer
condition: nodeAnalyzer.enabled
- name: cluster-scanner
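Review bot: the constraint moves to `~1.21.0` in step with node-analyzer's new `version: 1.21.0`, and the umbrella chart's own minor bump to 1.35.0 matches that. With the dependency resolved from `repository: file://../node-analyzer` (the remote `https://charts.sysdig.com` line is commented out), check that any committed Chart.lock is regenerated with `helm dependency update`; no lock-file change appears in this diff, so if one is tracked it will now disagree with the constraint.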