feat(shield): cluster shield 1.8.0 (#2142)
francesco-furlan authored Feb 5, 2025
1 parent 99b3dd9 commit 97157a7
Showing 6 changed files with 94 additions and 4 deletions.
2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: [email protected]
type: application
version: 0.7.0
version: 0.8.0
appVersion: "1.0.0"
2 changes: 1 addition & 1 deletion charts/shield/README.md
Expand Up @@ -172,7 +172,7 @@ The following table lists the configurable parameters of the `shield` chart and
| host.volume_mounts | The custom volume mounts for the host shield | <code>[]</code> |
| cluster.image.registry | The registry where the cluster shield image is stored | <code>quay.io</code> |
| cluster.image.repository | The repository where the cluster shield image is stored | <code>sysdig/cluster-shield</code> |
| cluster.image.tag | The tag for the cluster shield image | <code>1.7.1</code> |
| cluster.image.tag | The tag for the cluster shield image | <code>1.8.0</code> |
| cluster.image.pull_policy | The pull policy for the cluster shield image | <code>IfNotPresent</code> |
| cluster.image.pull_secrets | The pull secrets for the cluster shield image | <code>[]</code> |
| cluster.run_mode | The mode in which the cluster shield should run (Accepted Values: single-process, multi-process) | <code>multi-process</code> |
3 changes: 2 additions & 1 deletion charts/shield/templates/cluster/clusterrole.yaml
Expand Up @@ -121,7 +121,7 @@ rules:
verbs:
- get
{{- end }}
{{- if (include "cluster.kubernetes_metadata_enabled" .) }}
{{- if or (include "cluster.kubernetes_metadata_enabled" .) .Values.features.investigations.network_security.enabled }}
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -172,6 +172,7 @@ rules:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
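Review bot: The `networkpolicies` resource added to the `networking.k8s.io` rule in the second hunk appears to be granted regardless of `features.investigations.network_security.enabled`, while the first hunk gates only the core-group rule on that flag; the pre-existing cases in clusterrole_test.yaml (the hunks at lines 78 and 407) now expect `networkpolicies` without enabling the feature, which supports that reading. If the extra read verbs are only needed for network security, wrapping the line in the same condition keeps the ClusterRole at least privilege when the feature is off: `{{- if .Values.features.investigations.network_security.enabled }}`, `- networkpolicies`, `{{- end }}`. The `{{- if or ... }}` block opened in the first hunk and the rule containing the second hunk both close outside the lines shown.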
26 changes: 26 additions & 0 deletions charts/shield/tests/cluster/clusterrole_test.yaml
Expand Up @@ -78,6 +78,7 @@ tests:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
Expand Down Expand Up @@ -218,6 +219,30 @@ tests:
- list
- watch

- it: Test network_security enabled
set:
features:
investigations:
network_security:
enabled: true
asserts:
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- contains:
path: rules
content:
apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
- watch

- it: Posture
set:
features:
Expand Down Expand Up @@ -407,6 +432,7 @@ tests:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
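Review bot: The new `Test network_security enabled` case asserts the same `networking.k8s.io` rule that the unchanged cases at the hunks for lines 78 and 407 already expect with the feature disabled, so it does not demonstrate what enabling `network_security` changes. The template change it targets is the widened `{{- if or ... }}` around the core (`""`) API group rule in clusterrole.yaml, so the test would be stronger if it asserted that rule under `enabled: true` and added a negative case with `enabled: false` (and metadata disabled) using `notContains` on the same `rules` path. The `tests:` sequence these cases belong to starts before the hunk.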
63 changes: 63 additions & 0 deletions charts/shield/values.schema.json
Expand Up @@ -649,6 +649,64 @@
}
}
},
"filters": {
"type": "object",
"description": "Filters to apply to the images to scan",
"properties": {
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"enum": [
"include",
"exclude"
]
},
"field": {
"enum": [
"k8s.container.image"
],
"description": "The field to run the filter against"
},
"value": {
"type": "string",
"description": "The value to run the filter against",
"examples": [
"docker.io*",
"cd.docker-registry.corp.yahoo.co.jp:4443*",
"library*"
]
}
},
"required": [
"type"
],
"examples": [
{
"type": "include",
"field": "docker.io*",
"value": "k8s.container.image"
}
],
"additionalProperties": false
},
"examples": [
[
{
"type": "include",
"field": "k8s.container.image",
"value": "docker.io*"
},
{
"type": "exclude"
}
]
]
}
}
},
"parallel_files_analysis_count": {
"type": "integer",
"description": "Maximum number of files that are analyzed in parallel"
Expand All @@ -660,6 +718,11 @@
"max_file_size_bytes_in_memory": {
"type": "integer",
"description": "Maximum size in bytes for a file to be analyzed in memory; file whose size is bigger than this are temporarily copied on to the filesystem"
},
"memory_optimized_k8s_mode": {
"type": "boolean",
"description": "Enable memory-optimized access to Kubernetes API. Enabled by default, queries K8s using the Metadata API for all resources but Pods. Set this to false if you need to see the replicas counters, but it will require more memory.",
"default": true
}
}
},
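Review bot: The item-level example under the new `filters.rules.items` has `field` and `value` swapped: `"field": "docker.io*"` is not in the `field` enum (only `k8s.container.image`), so the example fails its own schema, unlike the array-level example below it. It should read `"field": "k8s.container.image"` and `"value": "docker.io*"`. Separately, `required` lists only `type`, so `{"type": "exclude"}` (the second array-level example) validates although it has nothing to match on; consider whether `field` and `value` should be required as well, and replacing the `cd.docker-registry.corp.yahoo.co.jp:4443*` example with a neutral placeholder such as `registry.example.com:5000*`. The enclosing `properties` object of the scanner section starts and ends outside the hunk.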
2 changes: 1 addition & 1 deletion charts/shield/values.yaml
Expand Up @@ -297,7 +297,7 @@ cluster:
# The repository where the cluster shield image is stored
repository: sysdig/cluster-shield
# The tag for the cluster shield image
tag: 1.7.1
tag: 1.8.0
# The pull policy for the cluster shield image
pull_policy: IfNotPresent
# The pull secrets for the cluster shield image
