chore(cluster-shield,sysdig-deploy): Automatic bump to version 1.8.0 (#2140)

Co-authored-by: francesco-furlan <[email protected]>
Co-authored-by: Francesco Furlan <[email protected]>
3 people authored Feb 4, 2025
1 parent 273dc9a commit 1305009
Showing 9 changed files with 259 additions and 21 deletions.
4 changes: 2 additions & 2 deletions charts/cluster-shield/Chart.yaml
Expand Up @@ -2,8 +2,8 @@ apiVersion: v2
name: cluster-shield
description: Cluster Shield Helm Chart for Kubernetes
type: application
version: 1.7.1
appVersion: "1.7.1"
version: 1.8.0
appVersion: "1.8.0"
maintainers:
- name: AlbertoBarba
email: [email protected]
6 changes: 4 additions & 2 deletions charts/cluster-shield/templates/_helpers.tpl
Expand Up @@ -60,7 +60,7 @@ Adds kubernetes related keys to the configuration.
{{- $_ := set $conf "cluster_scanner" (merge (include "cluster-shield.configurationClusterScanner" . | fromYaml) (.Values.cluster_shield.cluster_scanner | default dict)) -}}
{{- end -}}
{{- if and (.Values.cluster_shield.features.admission_control.enabled) (.Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled)}}
{{- $_ := set $conf "admission_controller_secure" (include "cluster-shield.configurationAdmissionControllerSecure" . | fromYaml) -}}
{{- $_ := set $conf "admission_controller_secure" (merge (include "cluster-shield.configurationAdmissionControllerSecure" . | fromYaml) (.Values.cluster_shield.admission_controller_secure | default dict)) -}}
{{- end}}
{{- $_ := unset $conf.sysdig_endpoint "access_key" -}}
{{- $_ := unset $conf.sysdig_endpoint "secure_api_token" -}}
Expand Down Expand Up @@ -150,9 +150,11 @@ Cluster Scanner Lock Name

{{/*
Cluster Scanner Service Name
As per DNS naming spec, the length of a service name should be less than 63 characters;
so we truncate the fullname to 47 characters since we append "-cluster-scanner" to it.
*/}}
{{- define "cluster-shield.clusterScannerServiceName" -}}
{{- include "cluster-shield.fullname" . -}}-cluster-scanner
{{- (include "cluster-shield.fullname" .) | trunc 47 -}}-cluster-scanner
{{- end }}

{{/*
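Review bot: The new `merge` on the `admission_controller_secure` line gives precedence to its first argument, so any key that `cluster-shield.configurationAdmissionControllerSecure` already renders cannot be changed through `.Values.cluster_shield.admission_controller_secure`; values only fill in keys the template leaves unset. That mirrors the `cluster_scanner` line just above, so it may be deliberate, but if operators are meant to override generated admission-controller settings the call needs `mergeOverwrite`, and either way the chosen precedence deserves a comment on the line: `{{- /* merge: template-rendered keys win over user values; values only fill gaps */ -}}`. In the second hunk the comment says the service name "should be less than 63 characters" while `trunc 47` plus the 16-character `-cluster-scanner` suffix yields exactly 63, the RFC 1035 label maximum, so `at most 63 characters` is the accurate wording. The define block enclosing the first hunk starts outside it.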
3 changes: 2 additions & 1 deletion charts/cluster-shield/templates/clusterrole.yaml
Expand Up @@ -92,7 +92,7 @@ rules:
- secrets
verbs: ["get", "list", "watch"]
{{- end }}
{{- if .Values.cluster_shield.features.kubernetes_metadata.enabled }}
{{- if or .Values.cluster_shield.features.kubernetes_metadata.enabled (dig "investigations" "network_security" "enabled" false .Values.cluster_shield.features) }}
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -143,6 +143,7 @@ rules:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
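Review bot: The new `or` condition on the kubernetes_metadata rule block is the only place that ties `investigations.network_security` to this read-only metadata grant (per the new clusterrole_test.yaml: pods, nodes, configmaps and more), and nothing in the template says why; a template comment above the condition would stop the next editor from narrowing one feature and silently breaking the other, e.g. `{{- /* network_security investigations need the same read-only metadata access as kubernetes_metadata */ -}}`. The `dig ... false` lookup with a default, next to the direct `.Values.cluster_shield.features.kubernetes_metadata.enabled` access, suggests `investigations` may be absent from the default values; if so, the behaviour when the key is missing (block omitted) belongs in that comment as well. The second hunk adds `networkpolicies` under the existing get/list/watch verbs, which is consistent with the surrounding rule. The rules list continues outside both hunks.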
Expand Up @@ -10,7 +10,7 @@ so the template is executed just once
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "cluster-shield.fullname" . }}-audit
name: {{ include "cluster-shield.fullname" . }}
webhooks:
{{- if .Values.cluster_shield.features.audit.enabled }}
- name: audit.secure.sysdig.com
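Review bot: Dropping the `-audit` suffix changes the identity of a cluster-scoped ValidatingWebhookConfiguration; on `helm upgrade` the old `<fullname>-audit` object goes away only because Helm prunes resources that left the release manifest, while anyone applying rendered manifests directly (`helm template` into kubectl, or GitOps without pruning) may keep the stale object and have the `audit.secure.sysdig.com` webhook registered twice against the same service. This deserves a line in the chart's upgrade notes, and a template comment next to the `name:` line would keep the history visible, e.g. `{{- /* renamed from <fullname>-audit in 1.8.0; remove the old object when the chart is not managed by Helm */ -}}`. The file name is not shown for this section, and the enclosing template starts and ends outside the hunk.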
169 changes: 169 additions & 0 deletions charts/cluster-shield/tests/clusterrole_test.yaml
@@ -0,0 +1,169 @@
suite: Test ClusterRole
templates:
- templates/clusterrole.yaml
values:
- ../ci/base-values.yaml
release:
name: shield-release
namespace: shield-namespace
tests:
- it: Test kubernetes_metadata enabled
set:
cluster_shield:
features:
kubernetes_metadata:
enabled: true
asserts:
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- pods
- replicationcontrollers
- services
- events
- limitranges
- namespaces
- nodes
- resourcequotas
- persistentvolumes
- persistentvolumeclaims
- configmaps
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- contains:
path: rules
content:
apiGroups:
- events.k8s.io
resources:
- events
verbs:
- get
- list
- watch
- it: Test network_security enabled
set:
cluster_shield:
features:
investigations:
network_security:
enabled: true
asserts:
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- contains:
path: rules
content:
apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
- watch
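Review bot: The `Test network_security enabled` case never sets `kubernetes_metadata.enabled: false`, so if `../ci/base-values.yaml` enables kubernetes_metadata by default its assertion on the networking.k8s.io rule passes without ever exercising the new `dig "investigations" ...` side of the `or` in clusterrole.yaml. That case should disable kubernetes_metadata explicitly, and a third case with both features disabled should assert the same rule content is absent using `contains` with `not: true`, as the existing webhook tests already do, so a regression on either side of the condition is caught (assuming the networking.k8s.io rule sits inside the gated block, as the second case implies). The second case also checks only the networking.k8s.io rule; asserting the core-group rule (pods, nodes, configmaps) as well would document that network_security unlocks the whole block rather than just networkpolicies.
```yaml
# … unchanged: suite header and the kubernetes_metadata case …
- it: Test network_security enabled
  set:
    cluster_shield:
      features:
        kubernetes_metadata:
          enabled: false
        investigations:
          network_security:
            enabled: true
  # … unchanged: asserts …
- it: Test both features disabled
  set:
    cluster_shield:
      features:
        kubernetes_metadata:
          enabled: false
        investigations:
          network_security:
            enabled: false
  asserts:
    - isKind:
        of: ClusterRole
    - contains:
        path: rules
        content:
          apiGroups:
            - networking.k8s.io
          resources:
            - ingresses
            - networkpolicies
          verbs:
            - get
            - list
            - watch
        not: true
```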
Expand Up @@ -56,7 +56,7 @@ tests:
- containsDocument:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
documentIndex: 0
- containsDocument:
kind: Secret
Expand Down Expand Up @@ -106,7 +106,7 @@ tests:
- containsDocument:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- containsDocument:
kind: Secret
apiVersion: v1
Expand Down Expand Up @@ -140,7 +140,7 @@ tests:
- containsDocument:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- containsDocument:
kind: Secret
apiVersion: v1
Expand Up @@ -34,7 +34,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- notExists:
path: metadata.namespace
- exists:
Expand Down Expand Up @@ -83,7 +83,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- notExists:
path: metadata.namespace
- exists:
Expand Down Expand Up @@ -119,7 +119,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
- notExists:
Expand Down Expand Up @@ -160,7 +160,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
- exists:
Expand Down Expand Up @@ -263,7 +263,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
- exists:
Expand Down Expand Up @@ -336,7 +336,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
not: true
- isNotNullOrEmpty:
path: data["tls.crt"]
Expand Down Expand Up @@ -364,7 +364,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
- exists:
Expand Down Expand Up @@ -398,7 +398,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
- exists:
Expand Down Expand Up @@ -427,7 +427,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
- exists:
Expand Down Expand Up @@ -490,7 +490,7 @@ tests:
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield-audit
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
- exists: