feat(shield): enable kubernetes-metadata by default and decrease dele…
…gated nodes number to 0
AlbertoBarba committed Nov 15, 2024
1 parent dae3cd7 commit 7d4bc27
Showing 8 changed files with 217 additions and 22 deletions.
2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: [email protected]
type: application
version: 0.1.21
version: 0.1.22
appVersion: "1.0.0"
2 changes: 1 addition & 1 deletion charts/shield/README.md
Expand Up @@ -93,7 +93,7 @@ The following table lists the configurable parameters of the `shield` chart and
| features.admission_control.http_port | The port that will be used to expose admission control endpoints | <code>8443</code> |
| features.admission_control.excluded_namespaces | The list of namespaces that will be excluded from the admission control | <code>[]</code> |
| features.admission_control.container_vulnerability_management.enabled | Enable the container vulnerability management feature on the admission control | <code>false</code> |
| features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature on cluster shield | <code>false</code> |
| features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature on cluster shield | <code>true</code> |
| features.posture.host_posture.enabled | | <code>false</code> |
| features.posture.cluster_posture.enabled | Enable the posture feature on cluster shield | <code>false</code> |
| features.vulnerability_management.host_vulnerability_management.enabled | | <code>false</code> |
4 changes: 3 additions & 1 deletion charts/shield/templates/host/_configmap_helpers.tpl
Expand Up @@ -100,7 +100,9 @@ true
{{- $config := dict
"k8s_cluster_name" .Values.cluster_config.name
"collector" (include "common.collector_endpoint" .)
"collector_port" .Values.sysdig_endpoint.collector.port }}
"collector_port" .Values.sysdig_endpoint.collector.port
"k8s_delegated_nodes" (dig "k8s_delegated_nodes" 0 .Values.host.additional_settings)
}}
{{- $config = merge $config (dict "sysdig_api_endpoint" (include "common.secure_api_endpoint" .)) }}
{{- if (include "common.proxy.enabled" . ) }}
{{- $config := merge $config (dict "http_proxy" (include "host.proxy_config" . | fromYaml)) }}
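Review bot: `dig "k8s_delegated_nodes" 0 .Values.host.additional_settings` assumes `.Values.host.additional_settings` is always a map; Sprig's `dig` requires its last argument to be a map, so a user override of `host.additional_settings: null` (or a values file that omits it, if the chart default does not define it) would most likely surface as a template error instead of the intended default of 0. The dragent test added in this commit covers only the default and an explicit `k8s_delegated_nodes: 1`, not an absent or null map, so that path is untested. Guard it with `"k8s_delegated_nodes" (dig "k8s_delegated_nodes" 0 (default (dict) .Values.host.additional_settings))`. The enclosing `define` starts and ends outside the hunk, so whether `additional_settings` is also merged into `$config` later (which would let the same key be set twice) cannot be confirmed from here.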
125 changes: 123 additions & 2 deletions charts/shield/tests/cluster/clusterrole_test.yaml
Expand Up @@ -13,9 +13,130 @@ tests:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
name: release-name-shield-cluster
- equal:
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- pods
- replicationcontrollers
- services
- events
- limitranges
- namespaces
- nodes
- resourcequotas
- persistentvolumes
- persistentvolumeclaims
- configmaps
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- contains:
path: rules
value:
content:
apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- events.k8s.io
resources:
- events
verbs:
- get
- list
- watch

- it: Audit
set:
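Review bot: The ten `contains` asserts on `rules` verify that each expected rule is present, but nothing verifies that no additional rule is present, so a later change that widens this ClusterRole (which is now the default-install role, since kubernetes_metadata is enabled by default) would pass unnoticed. Pin the rule count alongside them: `- lengthEqual:` / `path: rules` / `count: 10`. The `value:` line directly above the batch rule's `content:` appears to be the second deleted line from the old `equal` assert; if it is in fact on the new side, it nests `content:` under `value:` and that `contains` assert no longer checks anything, so please confirm which side it is on. The test case this hunk belongs to starts before the hunk.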
66 changes: 59 additions & 7 deletions charts/shield/tests/cluster/configmap_test.yaml
Expand Up @@ -77,7 +77,7 @@ tests:
registry_ssl:
verify: true
kubernetes_metadata:
enabled: false
enabled: true
posture:
enabled: false
kubernetes:
Expand All @@ -95,6 +95,63 @@ tests:
collector: fake.collector.host:6443
region: custom
- it: Disable Kubernetes Metadata feature
set:
features:
kubernetes_metadata:
enabled: false
asserts:
- exists:
path: data["cluster-shield.yaml"]
- matchRegex:
path: data['cluster-shield.yaml']
pattern: |
features:
admission_control:
container_vulnerability_management:
enabled: false
deny_on_error: false
dry_run: true
enabled: false
excluded_namespaces: \[\]
http_port: 8443
timeout: 10
audit:
enabled: false
excluded_namespaces: \[\]
http_port: 6443
timeout: 10
webhook_rules:
- apiGroups:
- ""
- apps
- autoscaling
- batch
- networking.k8s.io
- rbac.authorization.k8s.io
- extensions
apiVersions:
- '\*'
operations:
- '\*'
resources:
- '\*/\*'
scope: '\*'
container_vulnerability_management:
enabled: false
in_use:
enabled: false
integration_enabled: false
local_cluster:
registry_secrets: \[\]
platform_services_enabled: true
registry_ssl:
verify: true
kubernetes_metadata:
enabled: false
posture:
enabled: false
- it: Sets NATS Url and Lock Name when Container Vulnerability Management is enabled
set:
cluster_config:
Expand Down Expand Up @@ -130,7 +187,7 @@ tests:
nats_url: nats://release-name-shield-cluster-container-vulnerability-management:4222
leader_election_lock_name: release-name-shield-cluster-container-vulnerability-management
- it: Sets t he GRPC Endpoint when Admission Control is enabled with Container Vulnerability Management
- it: Sets the GRPC Endpoint when Admission Control is enabled with Container Vulnerability Management
set:
cluster_config:
name: shield-cluster
Expand Down Expand Up @@ -165,11 +222,6 @@ tests:
image_sbom_extractor:
nats_url: nats://release-name-shield-cluster-container-vulnerability-management:4222
leader_election_lock_name: release-name-shield-cluster-container-vulnerability-management
- matchRegex:
path: data['cluster-shield.yaml']
pattern: |
admission_controller_secure:
rsi_grpc_endpoint: release-name-shield-cluster-container-vulnerability-management:9999
- it: Secure API Token - Fail if kubernetes audit is enabled with On Premise Versions < 6.12.0 and Secure API Token is not set
set:
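Review bot: After the last hunk the test still named `Sets the GRPC Endpoint when Admission Control is enabled with Container Vulnerability Management` no longer contains the `matchRegex` on `admission_controller_secure.rsi_grpc_endpoint`, so it no longer asserts the thing its name promises; the visible remaining asserts cover `image_sbom_extractor` only, though earlier asserts of that test lie outside the hunk. Either restore an equivalent assertion on the rendered endpoint or rename the test, and record the reason in the commit message since this removal is unrelated to the kubernetes-metadata default. The new `Disable Kubernetes Metadata feature` test is consistent in shape with the default-config test above it.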
16 changes: 7 additions & 9 deletions charts/shield/tests/cluster/deployment_test.yaml
Expand Up @@ -1213,18 +1213,17 @@ tests:
template: templates/cluster/deployment.yaml

- it: Replicas with no feature enabled (default value)
set:
features:
kubernetes_metadata:
enabled: false
asserts:
- equal:
path: spec.replicas
value: 0
template: templates/cluster/deployment.yaml

- it: Replicas with feature enabled (default value)
set:
features:
detections:
kubernetes_audit:
enabled: true
asserts:
- equal:
path: spec.replicas
Expand All @@ -1236,6 +1235,9 @@ tests:
set:
cluster:
replica_count: 5
features:
kubernetes_metadata:
enabled: false
asserts:
- equal:
path: spec.replicas
Expand All @@ -1246,10 +1248,6 @@ tests:
set:
cluster:
replica_count: 5
features:
detections:
kubernetes_audit:
enabled: true
asserts:
- equal:
path: spec.replicas
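Review bot: The test names no longer match their setup: `Replicas with no feature enabled (default value)` now has to set `features.kubernetes_metadata.enabled: false` explicitly to reach `spec.replicas: 0`, while `Replicas with feature enabled (default value)` is the one that now exercises the chart defaults. Rename them, e.g. `- it: Replicas with all features disabled` and `- it: Replicas with default features (kubernetes_metadata enabled)`, so a reader does not conclude that a default install runs with zero replicas. The same applies to the `replica_count: 5` pair touched by the two later hunks. The `template:` line at the top of the first hunk belongs to a test case that starts outside it.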
22 changes: 22 additions & 0 deletions charts/shield/tests/host/configmap-dragent-yaml_test.yaml
Expand Up @@ -1027,3 +1027,25 @@ tests:
pattern: |
feature:
mode: monitor
- it: Default Delegated Nodes Number
asserts:
- matchRegex:
path: data['dragent.yaml']
pattern: |
k8s_delegated_nodes: 0
- it: Manually specified Delegated Nodes Number
set:
features:
vulnerability_management:
host_vulnerability_management:
enabled: true
host:
additional_settings:
k8s_delegated_nodes: 1
asserts:
- matchRegex:
path: data['dragent.yaml']
pattern: |
k8s_delegated_nodes: 1
2 changes: 1 addition & 1 deletion charts/shield/values.yaml
Expand Up @@ -51,7 +51,7 @@ features:

kubernetes_metadata:
# Enable the Kubernetes Metadata feature on cluster shield
enabled: false
enabled: true

posture:
host_posture:
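Review bot: Flipping `features.kubernetes_metadata.enabled` to `true` changes what a default install is granted, but the comment above it still reads as a plain feature toggle. The clusterrole test in this same commit shows the default ClusterRole now carries cluster-wide `get`/`list`/`watch` on pods, nodes, namespaces, configmaps and the other resources listed in `clusterrole_test.yaml`, and the deployment test shows cluster shield renders zero replicas only once this is turned off. Extend the comment, e.g. `# Enable the Kubernetes Metadata feature on cluster shield (default: true).` / `# Enabling it grants the cluster shield ClusterRole cluster-wide read (get/list/watch)` / `# on pods, nodes, namespaces, configmaps and workload resources; set false to opt out.` Operators auditing RBAC need this visible in values.yaml rather than only in the templates.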
