diff --git a/README.md b/README.md
index 178061b..2c53d96 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat
 | armoCollector.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the StatefulSet |
 | armoCollector.enabled | bool | `true` | enable/disable the armoCollector |
 | armoCollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) |
-| armoCollector.image.repository | string | `"quay.io/armosec/cluster-collector"` | [source code](https://github.com/armosec/k8s-armo-collector) (private repo) |
+| armoCollector.image.repository | string | `"quay.io/kubescape/kollector"` | [source code](https://github.com/kubescape/kollector) |
 | armoCollector.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoCollector.volumes | object | `[]` | Additional volumes for the collector |
 | armoCollector.volumeMounts | object | `[]` | Additional volumeMounts for the collector |
@@ -65,24 +65,24 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat
 | armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoNotificationService.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoNotificationService.enabled | bool | `true` | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
-| armoNotificationService.image.repository | string | `"quay.io/armosec/notification-server"` | [source code](https://github.com/armosec/capostman) (private repo) |
+| armoNotificationService.image.repository | string | `"quay.io/kubescape/gateway"` | [source code](https://github.com/kubescape/gateway) |
 | armoNotificationService.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoNotificationService.volumes | object | `[]` | Additional volumes for the notification service |
 | armoNotificationService.volumeMounts | object | `[]` | Additional volumeMounts for the notification service |
-| armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob |
-| armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl |
-| armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
-| armoScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
-| armoScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoVulnScanner.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning |
-| armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) |
+| armoVulnScanner.image.repository | string | `"quay.io/kubescape/kubevuln"` | [source code](https://github.com/kubescape/kubevuln) |
 | armoVulnScanner.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoVulnScanner.volumes | object | `[]` | Additional volumes for the image vulnerability scanning |
 | armoVulnScanner.volumeMounts | object | `[]` | Additional volumeMounts for the image vulnerability scanning |
+| armoVulnScanScheduler.enabled | bool | `true` | enable/disable a image vulnerability scheduled scan using a CronJob |
+| armoVulnScanScheduler.image.repository | string | `"quay.io/armosec/http_request"` | [source code](https://github.com/armosec/http-request) (public repo) |
+| armoVulnScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
+| armoVulnScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
+| armoVulnScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoWebsocket.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning |
-| armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) |
+| armoWebsocket.image.repository | string | `"quay.io/kubescape/kontroller"` | [source code](https://github.com/kubescape/kontroller) |
 | armoWebsocket.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoWebsocket.volumes | object | `[]` | Additional volumes for the web socket |
 | armoWebsocket.volumeMounts | object | `[]` | Additional volumeMounts for the web socket |
@@ -90,6 +90,7 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat
 | armoKubescapeHostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner |
 | aws_iam_role_arn | string | `nil` | AWS IAM arn role |
 | clientID | string | `""` | client ID, [read more](https://hub.armosec.io/docs/authentication) |
+| addRevisionLabel | bool | `true` | Add revision label to the components. This will insure the components will restart when updating the helm |
 | cloudRegion | string | `nil` | cloud region |
 | cloud_provider_engine | string | `nil` | cloud provider engine |
 | gkeProject | string | `nil` | GKE project |
diff --git a/charts/armo-components/Chart.yaml b/charts/armo-components/Chart.yaml
index 9196fb1..735eba4 100644
--- a/charts/armo-components/Chart.yaml
+++ b/charts/armo-components/Chart.yaml
@@ -8,13 +8,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.7.17
+version: 1.7.18
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v1.7.17"
+appVersion: "v1.7.18"
 maintainers:
 - name: Ben Hirschberg
diff --git a/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml b/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml
index 9386e28..1d5b785 100644
--- a/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml
+++ b/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml
@@ -8,7 +8,7 @@ apiVersion: batch/v1
 tier: {{ .Values.global.namespaceTier}}
 armo.tier: "kubescape-scan"
 spec:
- schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"
+ schedule: "{{ .Values.armoKubescapeScanScheduler.scanSchedule }}"
 jobTemplate:
 spec:
 template:
@@ -26,10 +26,10 @@ apiVersion: batch/v1
 - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
 - -path=v1/triggerAction
 - -headers="Content-Type:application/json"
- - -path-body=/home/armo/request-body.json
+ - -path-body=/home/ks/request-body.json
 volumeMounts:
 - name: "request-body-volume"
- mountPath: /home/armo/request-body.json
+ mountPath: /home/ks/request-body.json
 subPath: request-body.json
 readOnly: true
 {{- if .Values.volumeMounts }}
diff --git a/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml b/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml
index 80327c8..77154c3 100644
--- a/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml
+++ b/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml
@@ -26,10 +26,10 @@ apiVersion: batch/v1
 - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
 - -path=v1/triggerAction
 - -headers="Content-Type:application/json"
- - -path-body=/home/armo/request-body.json
+ - -path-body=/home/ks/request-body.json
 volumeMounts:
 - name: "request-body-volume"
- mountPath: /home/armo/request-body.json
+ mountPath: /home/ks/request-body.json
 subPath: request-body.json
 readOnly: true
 {{- if .Values.volumeMounts }}
diff --git a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml
index 1bc2178..5b41343 100644
--- a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml
+++ b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml
@@ -8,7 +8,7 @@ apiVersion: batch/v1
 tier: {{ .Values.global.namespaceTier}}
 armo.tier: "vuln-scan"
 spec:
- schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"
+ schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}"
 jobTemplate:
 spec:
 template:
@@ -26,18 +26,28 @@ apiVersion: batch/v1
 - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
 - -path=v1/triggerAction
 - -headers="Content-Type:application/json"
- - -path-body=/home/armo/request-body.json
+ - -path-body=/home/ks/request-body.json
 volumeMounts:
 - name: "request-body-volume"
- mountPath: /home/armo/request-body.json
+ mountPath: /home/ks/request-body.json
 subPath: request-body.json
 readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 18 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoVulnScanScheduler.volumeMounts | indent 18 }}
+{{- end }}
 restartPolicy: Never
 automountServiceAccountToken: false
 volumes:
 - name: "request-body-volume" # placeholder
 configMap:
 name: {{ .Values.armoVulnScanScheduler.name }}
-
-
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 16 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumes }}
+{{ toYaml .Values.armoVulnScanScheduler.volumes | indent 16 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml
index 483c584..3ad2ca9 100644
--- a/charts/armo-components/templates/armo-collector-statefulset.yaml
+++ b/charts/armo-components/templates/armo-collector-statefulset.yaml
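Review bot: The `toYaml ... | indent 18` and `indent 16` blocks added to this asset use different depths than the `indent 14` / `indent 10` that the new `armo-vulnScanScheduler-cronjob.yaml` template uses for the same `volumeMounts`/`volumes` keys; if the asset's pod spec sits at the same nesting as the template's, one of the two is mis-indented, and since the collapsed diff hides column positions it is worth rendering the asset once to confirm the extra mounts land under `volumeMounts:` and `volumes:` rather than becoming siblings of `restartPolicy:`. The file also ends without a trailing newline (`\ No newline at end of file`), as do `armo-configmap.yaml` and the new `armo-vulnScanScheduler-configmap.yaml` in this commit; a final newline avoids noisy diffs on the next edit.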
@@ -27,14 +27,17 @@ spec:
 tier: {{ .Values.global.namespaceTier}}
 app: {{ .Values.armoCollector.name }}
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ {{- if .Values.addRevisionLabel }}
+ helm.sh/revision: "{{ .Release.Revision }}"
+ {{- end }}
 spec:
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
 - name: {{ toYaml .Values.imagePullSecrets }}
 {{- end }}
 initContainers:
- - image: bitnami/kubectl:1.24
- name: disconnect-handle
+ - image: quay.io/armosec/kubectl:1.24 # https://github.com/armosec/bitnami-docker-kubectl
+ name: remove-old-deployments
 command:
 - bash
 args:
@@ -42,8 +45,8 @@ spec:
 - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done
 resources:
 limits:
- cpu: 10m
- memory: 40Mi
+ cpu: 20m
+ memory: 100Mi
 requests:
 cpu: 10m
 memory: 40Mi
@@ -66,13 +69,18 @@ spec:
 env:
 - name: ACTIVATE_CVE_SCAN_ON_NEW_IMAGE_FEATURE
 value: "{{ .Values.triggerNewImageScan }}"
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 {{- range .Values.armoCollector.env }}
 - name: {{ .name }}
 value: "{{ .value }}"
 {{- end }}
 args:
- - -include-namespaces={{ .Values.armoNameSpace }}
- - 2>&1
+ - -alsologtostderr
+ - -v=4
+ - 2>&1
 volumeMounts:
 - name: {{ .Values.global.beConfig }}
 mountPath: /etc/config
diff --git a/charts/armo-components/templates/armo-configmap.yaml b/charts/armo-components/templates/armo-configmap.yaml
index f414fb3..167cbb3 100644
--- a/charts/armo-components/templates/armo-configmap.yaml
+++ b/charts/armo-components/templates/armo-configmap.yaml
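Review bot: The renamed `remove-old-deployments` init container still hard-codes `-n armo-system` in its `kubectl delete deployment armo-collector -n armo-system; ...` line, while the same hunk series now derives `NAMESPACE` from `metadata.namespace` and the rest of the chart uses `{{ .Values.armoNameSpace }}`; on an install into any other namespace the delete fails, `dep_exist` is non-zero, the `while` loop is skipped and the old deployment is left in place. Using `-n {{ .Values.armoNameSpace }}` for both the `delete` and the `get` keeps it consistent with the ConfigMap and CronJob templates. The new `quay.io/armosec/kubectl:1.24` reference is a mutable tag for a container that presumably runs under a service account allowed to delete Deployments; pinning it by digest is the safer choice. The `helm.sh/revision` label block added here is repeated verbatim in the kubescape, notification-service, vuln-scanner and websocket deployments; a one-line comment next to `addRevisionLabel` in values.yaml saying it forces a rollout on every `helm upgrade` would spare readers guessing. The StatefulSet's spec begins before this hunk.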
@@ -11,37 +11,28 @@ metadata:
 data:
 clusterData: |
 {
- "ociImageURL": "",
- "notificationWSURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.websocketService.port }}",
- "notificationRestURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.httpService.port }}",
+ "gatewayWebsocketURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.websocketService.port }}",
+ "gatewayRestURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.httpService.port }}",
 "vulnScanURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}",
+ "kubevulnURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}",
 "kubescapeURL": "{{ .Values.armoKubescape.name }}:{{ .Values.armoKubescape.service.port }}",
- "oracleURL": "",
 "triggerNewImageScan": "{{ .Values.armoTriggerNewImageScan }}",
+ "accountID": "{{ .Values.accountGuid }}",
+ "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}",
 {{- if eq .Values.environment "dev" }}
 "backendOpenAPI": "{{ .Values.devBackendOpenAPI }}",
- "dashboard": "{{ .Values.devBackendOpenAPI }}",
- "eventReceiverREST": "{{ .Values.devEventReceiverHttpUrl }}",
- "postman": "wss://{{ .Values.devPostmanUrl }}",
- "eventReceiverWS": "{{ .Values.devK8sReportUrl }}",
- "masterNotificationServer": "wss://{{ .Values.devMasterNotificationService }}/v1/waitfornotification",
+ "eventReceiverRestURL": "{{ .Values.devEventReceiverHttpUrl }}",
+ "eventReceiverWebsocketURL": "{{ .Values.devK8sReportUrl }}",
+ "rootGatewayURL": "wss://{{ .Values.devGateway }}/v1/waitfornotification"
 {{- else if eq .Values.environment "staging" }}
- "dashboard": "{{ .Values.stagingBackendOpenAPI }}",
 "backendOpenAPI": "{{ .Values.stagingBackendOpenAPI }}",
- "eventReceiverREST": "{{ .Values.stagingEventReceiverHttpUrl }}",
- "postman": "wss://{{ .Values.stagingPostmanUrl }}",
- "eventReceiverWS": "{{ .Values.stagingK8sReportUrl }}",
- "masterNotificationServer": "wss://{{ .Values.stagingMasterNotificationService }}/v1/waitfornotification",
+ "eventReceiverRestURL": "{{ .Values.stagingEventReceiverHttpUrl }}",
+ "eventReceiverWebsocketURL": "{{ .Values.stagingK8sReportUrl }}",
+ "rootGatewayURL": "wss://{{ .Values.stagingGateway }}/v1/waitfornotification"
 {{- else }}
- "dashboard": "{{ .Values.backendOpenAPI }}",
- "eventReceiverREST": "{{ .Values.eventReceiverHttpUrl }}",
 "backendOpenAPI": "{{ .Values.backendOpenAPI }}",
- "postman": "wss://{{ .Values.postmanUrl }}",
- "eventReceiverWS": "{{ .Values.k8sReportUrl }}",
- "masterNotificationServer": "wss://{{ .Values.masterNotificationService }}/v1/waitfornotification",
+ "eventReceiverRestURL": "{{ .Values.eventReceiverHttpUrl }}",
+ "eventReceiverWebsocketURL": "{{ .Values.k8sReportUrl }}",
+ "rootGatewayURL": "wss://{{ .Values.gateway }}/v1/waitfornotification"
 {{- end }}
- "portal": "",
- "customerGUID": "{{ .Values.accountGuid }}",
- "clusterGUID": "",
- "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}"
 }
\ No newline at end of file
diff --git a/charts/armo-components/templates/armo-kubescape-configmap.yaml b/charts/armo-components/templates/armo-kubescape-configmap.yaml
index 5484008..767a677 100644
--- a/charts/armo-components/templates/armo-kubescape-configmap.yaml
+++ b/charts/armo-components/templates/armo-kubescape-configmap.yaml
@@ -10,7 +10,6 @@ metadata:
 app: {{ .Values.armoKubescape.name }}-config
 tier: {{ .Values.global.namespaceTier }}
 data:
- clusterName: {{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }} # deprecate
 config.json: |
 {
 "accountID": "{{ .Values.accountGuid }}",
diff --git a/charts/armo-components/templates/armo-kubescape-deployment.yaml b/charts/armo-components/templates/armo-kubescape-deployment.yaml
index fd3ee2b..7ec19f2 100644
--- a/charts/armo-components/templates/armo-kubescape-deployment.yaml
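Review bot: The values interpolated into `clusterData` are dropped into JSON string literals unescaped — `"accountID": "{{ .Values.accountGuid }}"` and every URL field — so a value containing `"` or `\` renders a ConfigMap whose JSON no longer parses, and only `clusterName` is sanitised (via `regexReplaceAll`). Emitting them through the JSON encoder avoids that: `"accountID": {{ .Values.accountGuid | toJson }},` (same for the URL values, dropping the hand-written quotes around the template action). Keeping both `vulnScanURL` and `kubevulnURL` with the identical value reads like a transition aid; a comment naming which consumer still reads the old key would let the next person remove it safely. The file also ends without a trailing newline.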
+++ b/charts/armo-components/templates/armo-kubescape-deployment.yaml
@@ -30,6 +30,9 @@ spec:
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 tier: {{ .Values.global.namespaceTier}}
 app: {{ .Values.armoKubescape.name }}
+ {{- if .Values.addRevisionLabel }}
+ helm.sh/revision: "{{ .Release.Revision }}"
+ {{- end }}
 spec:
 containers:
 - name: kubescape
@@ -57,7 +60,9 @@ spec:
 - name: KS_DEFAULT_CONFIGMAP_NAME
 value: "{{ .Values.armoKubescape.name }}-config"
 - name: KS_DEFAULT_CONFIGMAP_NAMESPACE
- value: "{{ .Values.armoNameSpace }}"
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 - name: KS_ENABLE_HOST_SCANNER
 value: "{{ .Values.armoKubescape.enableHostScan }}"
 - name: KS_SUBMIT
@@ -90,10 +95,10 @@ spec:
 {{ toYaml .Values.armoKubescape.resources | indent 14 }}
 volumeMounts:
 - name: kubescape-config-volume
- mountPath: /home/armo/.kubescape/config.json
+ mountPath: /home/ks/.kubescape/config.json
 subPath: config.json
 - name: host-scanner-definition
- mountPath: /home/armo/.kubescape/host-scanner.yaml
+ mountPath: /home/ks/.kubescape/host-scanner.yaml
 subPath: host-scanner-yaml
 {{- if .Values.volumeMounts }}
 {{ toYaml .Values.volumeMounts | indent 8 }}
diff --git a/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml
index c3939bb..b19dc6c 100644
--- a/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml
+++ b/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml
@@ -31,10 +31,10 @@ spec:
 - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
 - -path=v1/triggerAction
 - -headers="Content-Type:application/json"
- - -path-body=/home/armo/request-body.json
+ - -path-body=/home/ks/request-body.json
 volumeMounts:
 - name: {{ .Values.armoKubescapeScanScheduler.name }}
- mountPath: /home/armo/request-body.json
+ mountPath: /home/ks/request-body.json
 subPath: request-body.json
 readOnly: true
 {{- if .Values.volumeMounts }}
diff --git a/charts/armo-components/templates/armo-notification-service-deployment.yaml b/charts/armo-components/templates/armo-notification-service-deployment.yaml
index fe7230e..cc4efa2 100644
--- a/charts/armo-components/templates/armo-notification-service-deployment.yaml
+++ b/charts/armo-components/templates/armo-notification-service-deployment.yaml
@@ -29,6 +29,9 @@ spec:
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 tier: {{ .Values.global.namespaceTier}}
 app: {{ .Values.armoNotificationService.name }}
+ {{- if .Values.addRevisionLabel }}
+ helm.sh/revision: "{{ .Release.Revision }}"
+ {{- end }}
 spec:
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
@@ -48,11 +51,9 @@ spec:
 resources:
 {{ toYaml .Values.armoNotificationService.resources | indent 12 }}
 env:
- - name: MASTER_NOTIFICATION_SERVER_ATTRIBUTES
- value: customerGUID
- - name: CA_NOTIFICATION_SERVER_WS_PORT
+ - name: WEBSOCKET_PORT
 value: "{{ .Values.armoNotificationService.websocketService.port }}"
- - name: CA_NOTIFICATION_SERVER_PORT
+ - name: HTTP_PORT
 value: "{{ .Values.armoNotificationService.httpService.port }}"
 {{- range .Values.armoNotificationService.env }}
 - name: {{ .name }}
diff --git a/charts/armo-components/templates/armo-scanScheduler-configmap.yaml b/charts/armo-components/templates/armo-scanScheduler-configmap.yaml
deleted file mode 100644
index cc86aad..0000000
--- a/charts/armo-components/templates/armo-scanScheduler-configmap.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if and .Values.armoScanScheduler.enabled .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }}
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: {{ .Values.armoScanScheduler.name }}-config
- namespace: {{ .Values.armoNameSpace }}
- labels:
- app: {{ .Values.armoScanScheduler.name }}
- tier: {{ .Values.global.namespaceTier }}
-data:
- trigger-script.sh: |-
- #!/bin/sh
- curl -X POST http://{{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}/v1/triggerAction -H 'Content-Type: application/json' -d '{"commands":[{"CommandName": "scan", "WildWlid": "wlid://cluster-{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}"}]}'
-{{- end }}
diff --git a/charts/armo-components/templates/armo-scanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-scanScheduler-cronjob.yaml
deleted file mode 100644
index ae4cf3d..0000000
--- a/charts/armo-components/templates/armo-scanScheduler-cronjob.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-{{- if and .Values.armoScanScheduler.enabled .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }}
-{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
-apiVersion: batch/v1
-{{- else if .Capabilities.APIVersions.Has "batch/v1beta1/CronJob" }}
-apiVersion: batch/v1beta1
-{{- else }}
-apiVersion: batch/v1beta1
-{{- end }}
-kind: CronJob
-metadata:
- name: {{ .Values.armoScanScheduler.name }}
- namespace: {{ .Values.armoNameSpace }}
- labels:
- app: {{ .Values.armoScanScheduler.name }}
- tier: {{ .Values.global.namespaceTier}}
-spec:
- schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: {{ .Values.armoScanScheduler.name }}
- image: "{{ .Values.armoScanScheduler.image.repository }}:{{ .Values.armoScanScheduler.image.tag }}"
- imagePullPolicy: {{ .Values.armoScanScheduler.image.pullPolicy }}
- command: ["/bin/sh", "-c"]
- args:
- - echo Starting;
- ls -ltr /home/curl_user/;
- /bin/sh -x ./home/curl_user/trigger-script.sh;
- sleep 30;
- echo Done;
- volumeMounts:
- - name: {{ .Values.armoScanScheduler.name }}-volume
- mountPath: /home/curl_user/trigger-script.sh
- subPath: trigger-script.sh
- readOnly: true
-{{- if .Values.volumeMounts }}
-{{ toYaml .Values.volumeMounts | indent 14 }}
-{{- end }}
-{{- if .Values.armoScanScheduler.volumeMounts }}
-{{ toYaml .Values.armoScanScheduler.volumeMounts | indent 14 }}
-{{- end }}
- restartPolicy: Never
- automountServiceAccountToken: false
- volumes:
- - name: {{ .Values.armoScanScheduler.name }}-volume
- configMap:
- defaultMode: 0777
- name: {{ .Values.armoScanScheduler.name }}-config
-{{- if .Values.volumes }}
-{{ toYaml .Values.volumes | indent 10 }}
-{{- end }}
-{{- if .Values.armoScanScheduler.volumes }}
-{{ toYaml .Values.armoScanScheduler.volumes | indent 10 }}
-{{- end }}
-{{- end }}
diff --git a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml
index 9ba1352..b78c348 100644
--- a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml
+++ b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml
@@ -30,6 +30,9 @@ spec:
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 tier: {{ .Values.global.namespaceTier}}
 app: {{ .Values.armoVulnScanner.name }}
+ {{- if .Values.addRevisionLabel }}
+ helm.sh/revision: "{{ .Release.Revision }}"
+ {{- end }}
 spec:
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
@@ -53,24 +56,8 @@ spec:
 resources:
 {{ toYaml .Values.armoVulnScanner.resources | indent 12 }}
 env:
- - name: CA_CLUSTER_NAME
- value: "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}"
- - name: CA_CUSTOMER_GUID
- value: "{{ .Values.accountGuid }}"
- - name: OCIMAGE_URL
- value: ""
- - name: EVENT_RECEIVER_URL
- value: "{{ .Values.k8sReportUrl }}"
 - name: PRINT_POST_JSON
 value: "{{ .Values.armoVulnScanner.verbose }}"
- - name: CA_EVENT_RECEIVER_HTTP
-{{- if eq .Values.environment "dev" }}
- value: "{{ .Values.devEventReceiverHttpUrl }}"
-{{- else if eq .Values.environment "staging" }}
- value: "{{ .Values.stagingEventReceiverHttpUrl }}"
-{{- else }}
- value: "{{ .Values.eventReceiverHttpUrl }}"
-{{- end }}
 {{- range .Values.armoVulnScanner.env }}
 - name: {{ .name }}
 value: "{{ .value }}"
diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml
new file mode 100644
index 0000000..0af4700
--- /dev/null
+++ b/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml
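Review bot: Removing `CA_CLUSTER_NAME`, `CA_CUSTOMER_GUID`, `EVENT_RECEIVER_URL` and the environment-switched `CA_EVENT_RECEIVER_HTTP` leaves only `PRINT_POST_JSON` in this hunk, so those settings now have to reach kubevuln through the `clusterData` ConfigMap this commit rewrites (`accountID`, `clusterName`, `eventReceiverRestURL`); the volume mount that delivers it to this container is outside the hunk, so please confirm it is still present and that the `v0.0.43` image reads the new key names rather than the removed `customerGUID`/`eventReceiverREST`. Folding the per-environment selection into the ConfigMap template is a good deduplication, but nothing in values.yaml says the scanner is now configured from `global.beConfig` alone; a comment on `armoVulnScanner` to that effect would help. The Deployment's spec starts before this hunk.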
@@ -0,0 +1,13 @@
+{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.submit }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ .Values.armoVulnScanScheduler.name }}
+ namespace: {{ .Values.armoNameSpace }}
+ labels:
+ app: {{ .Values.armoVulnScanScheduler.name }}
+ tier: {{ .Values.global.namespaceTier }}
+data:
+ request-body.json: |-
+ {"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}
+{{- end }}
\ No newline at end of file
diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml
new file mode 100644
index 0000000..f424b6a
--- /dev/null
+++ b/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml
@@ -0,0 +1,58 @@
+{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.submit }}
+{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
+apiVersion: batch/v1
+{{- else }}
+apiVersion: batch/v1beta1
+{{- end }}
+kind: CronJob
+metadata:
+ name: {{ .Values.armoVulnScanScheduler.name }}
+ namespace: {{ .Values.armoNameSpace }}
+ labels:
+ app: {{ .Values.armoVulnScanScheduler.name }}
+ tier: {{ .Values.global.namespaceTier}}
+ armo.tier: "kubescape-scan"
+spec:
+ schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ armo.tier: "kubescape-scan"
+ spec:
+ containers:
+ - name: {{ .Values.armoVulnScanScheduler.name }}
+ image: "{{ .Values.armoVulnScanScheduler.image.repository }}:{{ .Values.armoVulnScanScheduler.image.tag }}"
+ imagePullPolicy: {{ .Values.armoVulnScanScheduler.image.pullPolicy }}
+ args:
+ - -method=post
+ - -scheme=http
+ - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
+ - -path=v1/triggerAction
+ - -headers="Content-Type:application/json"
+ - -path-body=/home/ks/request-body.json
+ volumeMounts:
+ - name: {{ .Values.armoVulnScanScheduler.name }}
+ mountPath: /home/ks/request-body.json
+ subPath: request-body.json
+ readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 14 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoVulnScanScheduler.volumeMounts | indent 14 }}
+{{- end }}
+ restartPolicy: Never
+ automountServiceAccountToken: false
+ volumes:
+ - name: {{ .Values.armoVulnScanScheduler.name }}
+ configMap:
+ name: {{ .Values.armoVulnScanScheduler.name }}
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 10 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumes }}
+{{ toYaml .Values.armoVulnScanScheduler.volumes | indent 10 }}
+{{- end }}
+{{- end }}
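Review bot: The new vulnerability-scan CronJob is labelled `armo.tier: "kubescape-scan"` on both the CronJob metadata and its pod template, while the asset `armo-vulnscan-cronjob-full.yaml` in this same commit labels the same job `armo.tier: "vuln-scan"`; anything selecting or reporting on `armo.tier` will classify these pods as kubescape scans, so `armo.tier: "vuln-scan"` in both places looks like the intended value. The `spec:` also sets no `concurrencyPolicy` and no history limits, so a slow trigger run can overlap the next tick and finished Jobs accumulate under the defaults; `concurrencyPolicy: Forbid`, `successfulJobsHistoryLimit: 1`, `failedJobsHistoryLimit: 3` would bound both. The container carries no `resources` or `securityContext`; the deleted `armo-scanScheduler-cronjob.yaml` lacked them too, but a freshly written template is the place to add them. The double quotes in `- -headers="Content-Type:application/json"` are part of the plain scalar and reach the process verbatim, as they did in the existing kubescape scheduler, so presumably http_request strips them — a comment saying so would save the next reader the same check.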
diff --git a/charts/armo-components/templates/armo-websocket-deployment.yaml b/charts/armo-components/templates/armo-websocket-deployment.yaml
index 1f1de0a..89ae748 100644
--- a/charts/armo-components/templates/armo-websocket-deployment.yaml
+++ b/charts/armo-components/templates/armo-websocket-deployment.yaml
@@ -28,6 +28,9 @@ spec:
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 tier: {{ .Values.global.namespaceTier}}
 app: {{ .Values.armoWebsocket.name }}
+ {{- if .Values.addRevisionLabel }}
+ helm.sh/revision: "{{ .Release.Revision }}"
+ {{- end }}
 spec:
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
@@ -53,10 +56,10 @@ spec:
 resources:
 {{ toYaml .Values.armoWebsocket.resources | indent 12 }}
 env:
- - name: CA_NAMESPACE
- value: "{{ .Values.armoNameSpace }}"
- - name: CA_SYSTEM_MODE
- value: "{{ .Values.global.armoSystemMode }}"
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 {{- range .Values.armoWebsocket.env }}
 - name: {{ .name }}
 value: "{{ .value }}"
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml
index d410d28..b3274b1 100644
--- a/charts/armo-components/values.yaml
+++ b/charts/armo-components/values.yaml
@@ -4,29 +4,27 @@ armoNameSpace: armo-system
 appLabel: armo-vuln-scanner
-registrySecretName: armoregcred
 loginSecretName: armo-login
 createKubescapeServiceAccount: true
+# -- enable/disable revision label
+addRevisionLabel: true
 # ARMO BE URLs
 environment: "prod"
 eventReceiverHttpUrl: "https://report.armo.cloud"
 k8sReportUrl: "wss://report.armo.cloud"
-postmanUrl: "postman.euprod1.cyberarmorsoft.com"
-masterNotificationService: "ens.euprod1.cyberarmorsoft.com"
+gateway: "ens.euprod1.cyberarmorsoft.com"
 backendOpenAPI: "https://api.armosec.io/api"
 # ARMO DEV BE URLs
 devEventReceiverHttpUrl: "https://report.eudev3.cyberarmorsoft.com"
-devPostmanUrl: "postman.eudev3.cyberarmorsoft.com"
 devK8sReportUrl: "wss://report.eudev3.cyberarmorsoft.com"
-devMasterNotificationService: "ens.eudev3.cyberarmorsoft.com"
+devGateway: "ens.eudev3.cyberarmorsoft.com"
 devBackendOpenAPI: "https://api-dev.armosec.io/api"
 # ARMO STAGING BE URLs
 stagingEventReceiverHttpUrl: "https://report-ks.eustage2.cyberarmorsoft.com"
-stagingPostmanUrl: "postman.eustage2.cyberarmorsoft.com"
 stagingK8sReportUrl: "wss://report.eustage2.cyberarmorsoft.com"
-stagingMasterNotificationService: "ens.eustage2.cyberarmorsoft.com"
+stagingGateway: "ens.eustage2.cyberarmorsoft.com"
 stagingBackendOpenAPI: "https://api-stage.armosec.io/api"
 # Customer Specific Data
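Review bot: Dropping `registrySecretName`, `postmanUrl`, `masterNotificationService` and their dev/staging variants is only safe if no template outside this diff still reads them; Helm renders a reference to a missing value as an empty string instead of failing, so a leftover `{{ .Values.registrySecretName }}` in an imagePullSecrets block would silently produce an empty secret name. A `values.schema.json`, or `required` guards on the keys the templates depend on, would turn that into a render-time error. The new `gateway`/`devGateway`/`stagingGateway` values are bare hostnames that the ConfigMap template prefixes with `wss://` and a path; a comment such as `# -- gateway host only (no scheme; templates prepend wss://)` would stop someone pasting a full URL. The `# -- enable/disable revision label` comment could also say that the label forces a rollout of every component on each `helm upgrade`, which is the behaviour the README row describes.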
@@ -69,48 +67,11 @@ volumes: []
 volumeMounts: []
 global:
- armoSystemMode: "SCAN"
 namespaceTier: armo-system-control-plane
 beConfig: armo-be-config
 armoServiceAccountName: armo-scanner-service-account
 armoKubescapeServiceAccountName: armo-kubescape-service-account
-# image vulnerability scheduled scan using a CronJob
-armoScanScheduler:
-
- # -- enable/disable image vulnerability a schedule scan using a CronJob
- enabled: true
-
- # scan scheduler container name
- name: armo-scan-scheduler
-
- # Frequency of running the scan
- # ┌───────────── minute (0 - 59)
- # │ ┌───────────── hour (0 - 23)
- # │ │ ┌───────────── day of the month (1 - 31)
- # │ │ │ ┌───────────── month (1 - 12)
- # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
- # │ │ │ │ │ 7 is also Sunday on some systems)
- # │ │ │ │ │
- # │ │ │ │ │
- # * * * * *
- # -- scan schedule frequency
- scanSchedule: "0 0 * * *"
-
- image:
- # -- image: curlimages/curl
- repository: curlimages/curl
- tag: latest
- pullPolicy: IfNotPresent
-
- replicaCount: 1
-
- # Additional volumes to be mounted on the scan scheduler
- volumes: []
-
- # Additional volumeMounts to be mounted on the scan scheduler
- volumeMounts: []
-
 # kubescape scheduled scan using a CronJob
 armoKubescapeScanScheduler:
@@ -131,12 +92,12 @@ armoKubescapeScanScheduler:
 # │ │ │ │ │
 # * * * * *
 # -- scan schedule frequency
- scanSchedule: "0 0 * * *"
+ scanSchedule: "0 8 * * *"
 image:
 # -- source code: https://github.com/armosec/http-request (public repo)
 repository: quay.io/armosec/http_request
- tag: v0.0.6
+ tag: v0.0.7
 pullPolicy: IfNotPresent
 replicaCount: 1
@@ -158,7 +119,7 @@ armoKubescape:
 image:
 # -- source code: https://github.com/armosec/kubescape/tree/master/httphandler (public repo)
 repository: quay.io/armosec/kubescape
- tag: v2.0.160
+ tag: v2.0.165
 pullPolicy: Always
 resources:
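Review bot: The kubescape scan default moves from `"0 0 * * *"` to `"0 8 * * *"` while the vulnerability scheduler keeps midnight, a user-visible change of defaults that none of the README hunks in this diff reflects — the `armoKubescapeScanScheduler.scanSchedule` row falls outside the shown hunk — so verify the docs were regenerated and, if the offset is deliberate, state it: `# -- scan schedule frequency (offset from the vuln scan so the two do not run together)`. The `armoScanScheduler` block and `global.armoSystemMode` are removed here; as far as this diff shows they were read only by the deleted templates and the websocket env, but any other template still referencing `.Values.armoScanScheduler` would render empty without error, so a quick grep before merge is cheap insurance.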
@@ -214,9 +175,9 @@ armoWebsocket:
 name: armo-web-socket
 image:
- # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo)
- repository: quay.io/armosec/action-trigger
- tag: v0.0.45
+ # -- source code: https://github.com/kubescape/kontroller
+ repository: quay.io/kubescape/kontroller
+ tag: v0.0.61
 pullPolicy: Always
 service:
@@ -266,11 +227,17 @@ armoVulnScanScheduler:
 image:
 # source code - https://github.com/armosec/http-request
 repository: quay.io/armosec/http_request
- tag: v0.0.5
+ tag: v0.0.7
 pullPolicy: IfNotPresent
 replicaCount: 1
+ # Additional volumes to be mounted on the vuln scan scheduler
+ volumes: []
+
+ # Additional volumeMounts to be mounted on the vuln scan scheduler
+ volumeMounts: []
+
 # image vulnerability scanning microservice
 armoVulnScanner:
@@ -284,9 +251,9 @@ armoVulnScanner:
 name: armo-vuln-scan
 image:
- # -- source code: https://github.com/armosec/ca-vuln-scan (private repo)
- repository: quay.io/armosec/images-vulnerabilities-scan
- tag: v0.0.19
+ # -- source code: https://github.com/kubescape/kubevuln
+ repository: quay.io/kubescape/kubevuln
+ tag: v0.0.43
 pullPolicy: Always
 replicaCount: 1
@@ -332,9 +299,9 @@ armoCollector:
 name: armo-collector
 image:
- # -- source code: https://github.com/armosec/k8s-armo-collector (private repo)
- repository: quay.io/armosec/cluster-collector
- tag: v0.0.16
+ # -- source code: https://github.com/kubescape/kollector
+ repository: quay.io/kubescape/kollector
+ tag: v0.0.27
 pullPolicy: Always
 replicaCount: 1
@@ -384,9 +351,9 @@ armoNotificationService:
 protocol: TCP
 image:
- # -- source code: https://github.com/armosec/capostman (private repo)
- repository: quay.io/armosec/notification-server
- tag: v0.0.5
+ # -- source code: https://github.com/kubescape/gateway
+ repository: quay.io/kubescape/gateway
+ tag: v0.0.14
 pullPolicy: Always
 replicaCount: 1
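Review bot: Every image here is referenced by a mutable tag (`v0.0.61`, `v0.0.43`, `v0.0.27`, `v0.0.14`) together with `pullPolicy: Always`, so whatever the registry serves for that tag at the next pod start is what runs in the cluster; for in-cluster security components, pinning `repository@sha256:<digest>` (digest to be taken from the registry) or at least documenting how tags are verified would harden the supply chain, and the same applies to the http_request and kubescape bumps in the surrounding hunks. The new `# Additional volumes to be mounted on the vuln scan scheduler` comments lack the `# --` helm-docs marker used for the other keys in this file, and the README rows in this commit carry a different wording (`Additional volumes for scan scheduler`), which suggests the README was hand-edited; `# -- Additional volumes to be mounted on the vuln scan scheduler` would keep the two in sync if helm-docs generates it. The context comment `# source code - https://github.com/armosec/http-request` above `repository:` likewise lacks the marker that its sibling in the kubescape scheduler block has.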
@@ -439,7 +406,7 @@ armoRegistryScanScheduler:
 image:
 # -- source code: https://github.com/armosec/http-request (public repo)
 repository: quay.io/armosec/http_request
- tag: v0.0.6
+ tag: v0.0.7
 pullPolicy: IfNotPresent
 replicaCount: 1