diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 90affc165..f63119785 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
-version: 0.1.21
+version: 0.1.22
appVersion: "1.0.0"
diff --git a/charts/shield/README.md b/charts/shield/README.md
index 8d169ebc5..48d0a05d4 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -93,7 +93,7 @@ The following table lists the configurable parameters of the `shield` chart and
| features.admission_control.http_port | The port that will be used to expose admission control endpoints | 8443
|
| features.admission_control.excluded_namespaces | The list of namespaces that will be excluded from the admission control | []
|
| features.admission_control.container_vulnerability_management.enabled | Enable the container vulnerability management feature on the admission control | false
|
-| features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature on cluster shield | false
|
+| features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature on cluster shield | true
|
| features.posture.host_posture.enabled | | false
|
| features.posture.cluster_posture.enabled | Enable the posture feature on cluster shield | false
|
| features.vulnerability_management.host_vulnerability_management.enabled | | false
|
diff --git a/charts/shield/templates/host/_configmap_helpers.tpl b/charts/shield/templates/host/_configmap_helpers.tpl
index b1701659f..488585de0 100644
--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -100,7 +100,9 @@ true
{{- $config := dict
"k8s_cluster_name" .Values.cluster_config.name
"collector" (include "common.collector_endpoint" .)
- "collector_port" .Values.sysdig_endpoint.collector.port }}
+ "collector_port" .Values.sysdig_endpoint.collector.port
+ "k8s_delegated_nodes" (dig "k8s_delegated_nodes" 0 .Values.host.additional_settings)
+}}
{{- $config = merge $config (dict "sysdig_api_endpoint" (include "common.secure_api_endpoint" .)) }}
{{- if (include "common.proxy.enabled" . ) }}
{{- $config := merge $config (dict "http_proxy" (include "host.proxy_config" . | fromYaml)) }}
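Review bot: The new `dig "k8s_delegated_nodes" 0 .Values.host.additional_settings` entry assumes `host.additional_settings` is always a map — Sprig's `dig` errors at render time on a nil last argument, so a user who overrides `additional_settings:` with an empty value (or a values.yaml that does not define it as `{}`) would break the whole dragent configmap. Guarding it costs one change: `"k8s_delegated_nodes" (dig "k8s_delegated_nodes" 0 (default dict .Values.host.additional_settings))`. The key is now emitted into dragent.yaml unconditionally, and since the new host test sets the same key under `host.additional_settings`, it is likely also merged into `$config` further down; if so, a short comment on the new line stating which of the two wins would save the next reader a trace. The `define` that owns `$config` starts before the hunk and continues after it.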
diff --git a/charts/shield/tests/cluster/clusterrole_test.yaml b/charts/shield/tests/cluster/clusterrole_test.yaml
index 410b9f735..6b7790459 100644
--- a/charts/shield/tests/cluster/clusterrole_test.yaml
+++ b/charts/shield/tests/cluster/clusterrole_test.yaml
@@ -13,9 +13,130 @@ tests:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
name: release-name-shield-cluster
- - equal:
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ - replicationcontrollers
+ - services
+ - events
+ - limitranges
+ - namespaces
+ - nodes
+ - resourcequotas
+ - persistentvolumes
+ - persistentvolumeclaims
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
path: rules
- value:
+ content:
+ apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
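Review bot: Swapping the single `equal` on `rules` for one `contains` per rule drops the assertion that these are the only rules: a future rule adding write verbs, `secrets`, or an extra API group would pass this test unnoticed, which is exactly the drift an RBAC test is there to catch. Keep the per-rule coverage but pin the set, e.g. `- lengthEqual:` / `    path: rules` / `    count: <RULE_COUNT>` (placeholder — the rendered rule count is not visible in this diff), optionally with a `notContains` for any verb outside get/list/watch. The `it:` line and `template:` of this test case sit before the hunk start.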
- it: Audit
set:
diff --git a/charts/shield/tests/cluster/configmap_test.yaml b/charts/shield/tests/cluster/configmap_test.yaml
index 531498a4a..aabd1a61c 100644
--- a/charts/shield/tests/cluster/configmap_test.yaml
+++ b/charts/shield/tests/cluster/configmap_test.yaml
@@ -77,7 +77,7 @@ tests:
registry_ssl:
verify: true
kubernetes_metadata:
- enabled: false
+ enabled: true
posture:
enabled: false
kubernetes:
@@ -95,6 +95,63 @@ tests:
collector: fake.collector.host:6443
region: custom
+ - it: Disable Kubernetes Metadata feature
+ set:
+ features:
+ kubernetes_metadata:
+ enabled: false
+ asserts:
+ - exists:
+ path: data["cluster-shield.yaml"]
+ - matchRegex:
+ path: data['cluster-shield.yaml']
+ pattern: |
+ features:
+ admission_control:
+ container_vulnerability_management:
+ enabled: false
+ deny_on_error: false
+ dry_run: true
+ enabled: false
+ excluded_namespaces: \[\]
+ http_port: 8443
+ timeout: 10
+ audit:
+ enabled: false
+ excluded_namespaces: \[\]
+ http_port: 6443
+ timeout: 10
+ webhook_rules:
+ - apiGroups:
+ - ""
+ - apps
+ - autoscaling
+ - batch
+ - networking.k8s.io
+ - rbac.authorization.k8s.io
+ - extensions
+ apiVersions:
+ - '\*'
+ operations:
+ - '\*'
+ resources:
+ - '\*/\*'
+ scope: '\*'
+ container_vulnerability_management:
+ enabled: false
+ in_use:
+ enabled: false
+ integration_enabled: false
+ local_cluster:
+ registry_secrets: \[\]
+ platform_services_enabled: true
+ registry_ssl:
+ verify: true
+ kubernetes_metadata:
+ enabled: false
+ posture:
+ enabled: false
+
- it: Sets NATS Url and Lock Name when Container Vulnerability Management is enabled
set:
cluster_config:
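Review bot: The `matchRegex` in the new "Disable Kubernetes Metadata feature" case reproduces the whole rendered `features:` block although only `kubernetes_metadata.enabled: false` is under test, so any unrelated default change (a port, a webhook rule, an `in_use` flag) fails this case for the wrong reason. A pattern that survives indentation and ignores the rest keeps the intent: `pattern: 'kubernetes_metadata:\n\s+enabled: false'`. If the full block is kept, note that the dots in `networking.k8s.io` and `rbac.authorization.k8s.io` are unescaped regex wildcards while `\[\]` and `\*` nearby are escaped, and that the `exists` path quotes the key with `"` while the `matchRegex` path uses `'` — pick one style.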
@@ -130,7 +187,7 @@ tests:
nats_url: nats://release-name-shield-cluster-container-vulnerability-management:4222
leader_election_lock_name: release-name-shield-cluster-container-vulnerability-management
- - it: Sets t he GRPC Endpoint when Admission Control is enabled with Container Vulnerability Management
+ - it: Sets the GRPC Endpoint when Admission Control is enabled with Container Vulnerability Management
set:
cluster_config:
name: shield-cluster
@@ -165,11 +222,6 @@ tests:
image_sbom_extractor:
nats_url: nats://release-name-shield-cluster-container-vulnerability-management:4222
leader_election_lock_name: release-name-shield-cluster-container-vulnerability-management
- - matchRegex:
- path: data['cluster-shield.yaml']
- pattern: |
- admission_controller_secure:
- rsi_grpc_endpoint: release-name-shield-cluster-container-vulnerability-management:9999
- it: Secure API Token - Fail if kubernetes audit is enabled with On Premise Versions < 6.12.0 and Secure API Token is not set
set:
diff --git a/charts/shield/tests/cluster/deployment_test.yaml b/charts/shield/tests/cluster/deployment_test.yaml
index 64d6dc914..531fe4dde 100644
--- a/charts/shield/tests/cluster/deployment_test.yaml
+++ b/charts/shield/tests/cluster/deployment_test.yaml
@@ -1213,6 +1213,10 @@ tests:
template: templates/cluster/deployment.yaml
- it: Replicas with no feature enabled (default value)
+ set:
+ features:
+ kubernetes_metadata:
+ enabled: false
asserts:
- equal:
path: spec.replicas
@@ -1220,11 +1224,6 @@ tests:
template: templates/cluster/deployment.yaml
- it: Replicas with feature enabled (default value)
- set:
- features:
- detections:
- kubernetes_audit:
- enabled: true
asserts:
- equal:
path: spec.replicas
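Review bot: "Replicas with feature enabled (default value)" no longer sets any feature, so it passes only because values.yaml now defaults `features.kubernetes_metadata.enabled` to `true`; if that default is ever flipped back, this case silently becomes a duplicate of the "no feature" case instead of failing. Keep the scenario explicit with `set:` / `  features:` / `    kubernetes_metadata:` / `      enabled: true` in place of the removed `kubernetes_audit` block. The same applies to the hunk at `@@ -1246,10 +1248,6 @@`, where the `replica_count: 5` variant loses its explicit feature in the same way.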
@@ -1236,6 +1235,9 @@ tests:
set:
cluster:
replica_count: 5
+ features:
+ kubernetes_metadata:
+ enabled: false
asserts:
- equal:
path: spec.replicas
@@ -1246,10 +1248,6 @@ tests:
set:
cluster:
replica_count: 5
- features:
- detections:
- kubernetes_audit:
- enabled: true
asserts:
- equal:
path: spec.replicas
diff --git a/charts/shield/tests/host/configmap-dragent-yaml_test.yaml b/charts/shield/tests/host/configmap-dragent-yaml_test.yaml
index 09ccf0de3..0ed743792 100644
--- a/charts/shield/tests/host/configmap-dragent-yaml_test.yaml
+++ b/charts/shield/tests/host/configmap-dragent-yaml_test.yaml
@@ -1027,3 +1027,25 @@ tests:
pattern: |
feature:
mode: monitor
+
+ - it: Default Delegated Nodes Number
+ asserts:
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |
+ k8s_delegated_nodes: 0
+
+ - it: Manually specified Delegated Nodes Number
+ set:
+ features:
+ vulnerability_management:
+ host_vulnerability_management:
+ enabled: true
+ host:
+ additional_settings:
+ k8s_delegated_nodes: 1
+ asserts:
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |
+ k8s_delegated_nodes: 1
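Review bot: "Manually specified Delegated Nodes Number" enables `host_vulnerability_management` while the "Default Delegated Nodes Number" case directly above renders the same configmap with no feature set, so either the toggle is unnecessary here and obscures what is under test, or the default case depends on something not visible in this diff. A one-line comment above `features:` saying why it is required (or removing it) would settle that. Both patterns are anchored only by the trailing newline the `|` block scalar keeps, which is enough to reject values such as `10` but is easy to lose if someone switches to `|-`; a `# trailing newline is intentional` note on `pattern: |` would protect it.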
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index 2c84d7c72..bf2f9be37 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -51,7 +51,7 @@ features:
kubernetes_metadata:
# Enable the Kubernetes Metadata feature on cluster shield
- enabled: false
+ enabled: true
posture:
host_posture:
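Review bot: Flipping `features.kubernetes_metadata.enabled` to `true` turns a feature on for every existing install at upgrade time, yet the comment still reads as a plain toggle description and Chart.yaml moves only a patch level (0.1.21 → 0.1.22). Record the change where operators will read it: `# Enable the Kubernetes Metadata feature on cluster shield (enabled by default since chart 0.1.22)`, and consider whether a minor bump signals the default change better. The deployment tests in this commit suggest the cluster shield replica count now depends on this flag; if that is the case, it belongs in the same comment so the side effect of disabling it is not a surprise.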