diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
index 21da53110..6d2fb7d65 100644
--- a/charts/node-analyzer/Chart.yaml
+++ b/charts/node-analyzer/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.20.3
+version: 1.21.0
 appVersion: 12.9.0
 keywords:
   - monitoring
diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md
index d5ce03d52..7caa3929f 100644
--- a/charts/node-analyzer/README.md
+++ b/charts/node-analyzer/README.md
@@ -195,7 +195,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
 | `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` |
 | `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` |
 | `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` |
-| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.6.8` |
+| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.7.0-rc` |
 | `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` |
 | `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` |
 | `nodeAnalyzer.hostScanner.http_proxy` | Sets `HTTP_PROXY` on the Host Scanner container. | `""` |
@@ -209,6 +209,9 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
 | `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. | `1Gi` |
 | `nodeAnalyzer.hostScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
 | `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` |
+| `nodeAnalyzer.hostScanner.scanContainers.enabled` | Set to `true` to scan containers | `false` |
+| `nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath` | Specifies the path to docker socket | `unix:///var/run/docker.sock` |
+| `nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath` | Specifies the path to podman socket | `unix:///var/run/podman.sock` |
 | `nodeAnalyzer.runtimeScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | `false` |
 | `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` |
 | `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
diff --git a/charts/node-analyzer/templates/configmap-host-scanner.yaml b/charts/node-analyzer/templates/configmap-host-scanner.yaml
index c9de12f5f..c8c186506 100644
--- a/charts/node-analyzer/templates/configmap-host-scanner.yaml
+++ b/charts/node-analyzer/templates/configmap-host-scanner.yaml
@@ -39,4 +39,12 @@ data: {{- if .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion }} vuln_db_version: {{ .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion | quote }} {{- end }} + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }} + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath }} + docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote}} + {{- end }} + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath }} + podman_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath | quote}} + {{- end }} + {{- end}} {{- end }} diff --git a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml index 9598a815b..6899e7b34 100644 --- a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml +++ b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml @@ -890,6 +890,26 @@ spec: - name: "{{ $key }}" value: "{{ $value }}" {{- end }} + + {{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }} + # Container scanner + - name: USE_COMBINED_SCANNER + value: "true" + - name: SCAN_CONTAINERS_ENABLED + value: "true" + - name: DOCKER_SOCKET_PATHS + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-host-scanner + key: docker_socket_path + optional: true + - name: PODMAN_SOCKET_PATHS + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-host-scanner + key: podman_socket_path + optional: true + {{- end }} volumeMounts: - mountPath: /tmp name: tmp-vol diff --git a/charts/node-analyzer/tests/hostscanner_test.yaml b/charts/node-analyzer/tests/hostscanner_test.yaml index 410146b43..d83506791 100644 --- a/charts/node-analyzer/tests/hostscanner_test.yaml +++ b/charts/node-analyzer/tests/hostscanner_test.yaml 
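Review bot: The two new value lines render with `| quote}}` and the outer guard closes with `{{- end}}`, while the adjacent `vuln_db_version` line and its `{{- end }}` in the same data block use a space before `}}`; match the existing spacing, e.g. `docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote }}`. Nothing here checks the value's format: if the scanner expects the `unix://` scheme shown in the README defaults, a bare path such as the `/docker/socket` used in the new unit test is forwarded unchanged and only fails at runtime, so either document the expected form or add a `fail` guard on a missing scheme. A one-line comment above the outer `if`, `# socket paths are only rendered when container scanning is opted in`, would also save a reader from wondering why setting only the path values produces no ConfigMap key.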
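Review bot: The new `DOCKER_SOCKET_PATHS` / `PODMAN_SOCKET_PATHS` entries point the scanner at a runtime socket on the host, but the hunk adds no volume or volumeMount for it, and the `volumeMounts:` that follows only shows `/tmp`; whether `unix:///var/run/docker.sock` resolves inside the container depends on host-scanner mounts defined outside this hunk (if the host root is mounted under a prefix, the documented defaults would be wrong as written). Replace the bare `# Container scanner` comment with one that names the mount the socket is reached through, or add the hostPath mount if none exists. Access to the container-runtime socket is root-equivalent on the node, so keeping this behind the `scanContainers.enabled` opt-in is right and the comment should say so, e.g. `# Container scanner (opt-in): grants the scanner access to the node's runtime socket`. The env var names are plural (`_PATHS`) while the ConfigMap keys and README describe a single path — if the scanner accepts a list, the README should state the separator. The container spec continues outside the hunk.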
@@ -168,3 +168,62 @@ tests: of: ConfigMap - isNull: path: data.additional_dirs_to_scan + + - it: "Container scanner is disabled by default" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + templates: + - ../templates/daemonset-node-analyzer.yaml + asserts: + - isKind: + of: DaemonSet + - isNull: + path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value + - isNull: + path: spec.template.spec.containers[3].env[?(@.name == "SCAN_CONTAINERS_ENABLED")].value + - it: "Container scanner enabled - daemonset" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + nodeAnalyzer.hostScanner.scanContainers.enabled: true + templates: + - ../templates/daemonset-node-analyzer.yaml + asserts: + - isKind: + of: DaemonSet + - equal: + path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value + value: "true" + - it: "Container scanner enabled and empty socket paths - configmap" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + nodeAnalyzer.hostScanner.scanContainers.enabled: true + templates: + - ../templates/configmap-host-scanner.yaml + asserts: + - isKind: + of: ConfigMap + - isNull: + path: data.docker_socket_path + - isNull: + path: data.podman_socket_path + - it: "Container scanner enabled and not empty socket paths - configmap" + set: + clusterName: "test" + nodeAnalyzer.hostScanner.deploy: true + nodeAnalyzer.hostScanner.scanContainers.enabled: true + nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath: "/docker/socket" + nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath: "/podman/socket" + templates: + - ../templates/configmap-host-scanner.yaml + asserts: + - isKind: + of: ConfigMap + - equal: + path: data.docker_socket_path + value: "/docker/socket" + - equal: + path: data.podman_socket_path + value: "/podman/socket" diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml index 60260aae9..f13b7bfa6 100644 
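Review bot: All four DaemonSet assertions address the host-scanner container by position, `spec.template.spec.containers[3]`, so reordering the containers or adding a sidecar in the template would make them silently test the wrong container; prefer a name filter on the container (`containers[?(@.name == "...")]`, the name lives outside this hunk). The "enabled" case pins only `USE_COMBINED_SCANNER`; also asserting that `SCAN_CONTAINERS_ENABLED` equals `"true"` and that `DOCKER_SOCKET_PATHS` uses `configMapKeyRef` with `optional: true` would cover the part most likely to regress. The "disabled by default" case appears to rely on `isNull` passing when the filter matches no env entry; if that is the intent, say so with `# no env entry should exist at all when the feature is off`.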
--- a/charts/node-analyzer/values.yaml +++ b/charts/node-analyzer/values.yaml @@ -392,7 +392,7 @@ nodeAnalyzer: image: repository: sysdig/vuln-host-scanner - tag: "0.6.8" + tag: "0.7.0-rc" digest: pullPolicy: @@ -416,6 +416,11 @@ nodeAnalyzer: settings: replicas: 1 + scanContainers: + enabled: false + # dockerSocketPath: "unix:///var/run/docker.sock" + # podmanSocketPath: "unix:///var/run/podman.sock" + kspmAnalyzer: debug: false image: diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 9624541cf..154cf662e 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.34.8 +version: 1.35.0 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -36,7 +36,7 @@ dependencies: - name: node-analyzer # repository: https://charts.sysdig.com repository: file://../node-analyzer - version: ~1.20.3 + version: ~1.21.0 alias: nodeAnalyzer condition: nodeAnalyzer.enabled - name: cluster-scanner
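Review bot: The chart default for `nodeAnalyzer.hostScanner.image.tag` becomes the pre-release `"0.7.0-rc"` while `digest` stays empty, and it ships in a non-prerelease chart version (node-analyzer 1.21.0, pulled into sysdig-deploy 1.35.0 through the `~1.21.0` range below), so every upgrade lands on an `-rc` image by default. Release-candidate tags are commonly re-pushed before the final cut, so the tag alone does not pin what gets deployed; either set `digest` alongside the tag, or keep the stable `"0.6.8"` default and let users opt into the rc via `image.tag`. If the rc default is intentional, add `# pre-release image; set image.digest to pin it in production` above the `tag:` line.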
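Review bot: `scanContainers` carries no comment on what enabling it grants: the socket paths feed the host scanner's `DOCKER_SOCKET_PATHS` / `PODMAN_SOCKET_PATHS`, i.e. access to the node's container-runtime socket, which is root-equivalent on that node. Add above `enabled: false` a note such as `# Opt-in: exposes the container runtime socket to the host scanner (node-root-equivalent); leave disabled unless needed`. The README in this commit lists `unix:///var/run/docker.sock` and `unix:///var/run/podman.sock` as defaults, but here they are only commented out and the ConfigMap template omits the key when unset, so the effective default comes from the scanner image rather than the chart; either uncomment the values or reword the README's default column. The two commented lines should also state the expected `unix://` form, since the template forwards whatever string is set without validation.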