diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index be1ab6cb0..979c3bf2b 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 0.7.0
+version: 0.8.0
 appVersion: "1.0.0"
diff --git a/charts/shield/README.md b/charts/shield/README.md
index 898a36687..0dfc39351 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -172,7 +172,7 @@ The following table lists the configurable parameters of the `shield` chart and
 | host.volume_mounts | The custom volume mounts for the host shield | [] |
 | cluster.image.registry | The registry where the cluster shield image is stored | quay.io |
 | cluster.image.repository | The repository where the cluster shield image is stored | sysdig/cluster-shield |
-| cluster.image.tag | The tag for the cluster shield image | 1.7.1 |
+| cluster.image.tag | The tag for the cluster shield image | 1.8.0 |
 | cluster.image.pull_policy | The pull policy for the cluster shield image | IfNotPresent |
 | cluster.image.pull_secrets | The pull secrets for the cluster shield image | [] |
 | cluster.run_mode | The mode in which the cluster shield should run (Accepted Values: single-process, multi-process) | multi-process |
diff --git a/charts/shield/templates/cluster/clusterrole.yaml b/charts/shield/templates/cluster/clusterrole.yaml
index a29479183..31ef6a7bb 100644
--- a/charts/shield/templates/cluster/clusterrole.yaml
+++ b/charts/shield/templates/cluster/clusterrole.yaml
@@ -121,7 +121,7 @@ rules:
 verbs:
 - get
 {{- end }}
-{{- if (include "cluster.kubernetes_metadata_enabled" .) }}
+{{- if or (include "cluster.kubernetes_metadata_enabled" .) .Values.features.investigations.network_security.enabled }}
 - apiGroups:
 - ""
 resources:
@@ -172,6 +172,7 @@ rules:
 - networking.k8s.io
 resources:
 - ingresses
+ - networkpolicies
 verbs:
 - get
 - list
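Review bot: The `or` added on the `{{- if` line at `@@ -121` widens the whole gated block — starting with the core-group `""` rule, whose resource list and the block's `{{- end }}` lie outside the hunk — to any install that sets `features.investigations.network_security.enabled`, whereas the `networkpolicies` read added at `@@ -172` is the only rule visibly tied to that feature. If network security needs only `networkpolicies` (plus the `ingresses` already listed), gating that rule on the feature flag alone keeps the ClusterRole at least privilege; if it genuinely needs the same read-only metadata set, a template comment such as `{{- /* network_security requires the same read-only metadata rules as kubernetes_metadata */ -}}` above the condition records that decision for the next reviewer. Separately, `.Values.features.investigations.network_security.enabled` fails at render time with a nil-pointer error if `network_security` is absent from the merged values; the chart's default values.yaml presumably defines it, but a `dig`-style lookup with a `false` fallback is safer if users may omit the map.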
diff --git a/charts/shield/tests/cluster/clusterrole_test.yaml b/charts/shield/tests/cluster/clusterrole_test.yaml
index 6b7790459..fcd7087da 100644
--- a/charts/shield/tests/cluster/clusterrole_test.yaml
+++ b/charts/shield/tests/cluster/clusterrole_test.yaml
@@ -78,6 +78,7 @@ tests:
 - networking.k8s.io
 resources:
 - ingresses
+ - networkpolicies
 verbs:
 - get
 - list
@@ -218,6 +219,30 @@ tests:
 - list
 - watch
 
+ - it: Test network_security enabled
+ set:
+ features:
+ investigations:
+ network_security:
+ enabled: true
+ asserts:
+ - isKind:
+ of: ClusterRole
+ - isAPIVersion:
+ of: rbac.authorization.k8s.io/v1
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+
 - it: Posture
 set:
 features:
@@ -407,6 +432,7 @@ tests:
 - networking.k8s.io
 resources:
 - ingresses
+ - networkpolicies
 verbs:
 - get
 - list
diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json
index b20296554..b3e1c9761 100644
--- a/charts/shield/values.schema.json
+++ b/charts/shield/values.schema.json
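Review bot: The new `Test network_security enabled` case at `@@ -218` asserts only the positive direction — that the `networking.k8s.io` rule carries `networkpolicies` when the feature is on — so a regression that rendered the gated block unconditionally would still pass. A sibling case with `enabled: false` (and Kubernetes metadata collection off, whose values key is not visible in this hunk) using `notContains` on the same `content` would pin the gate that the template's `or` condition introduces. The `ingresses`/`networkpolicies` expectation now also appears in the pre-existing cases at `@@ -78` and `@@ -407`, consistent with the rule being shared with the metadata feature rather than specific to network security. The enclosing `tests:` list extends beyond the hunk.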
@@ -649,6 +649,64 @@
 }
 }
 },
+ "filters": {
+ "type": "object",
+ "description": "Filters to apply to the images to scan",
+ "properties": {
+ "rules": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum": [
+ "include",
+ "exclude"
+ ]
+ },
+ "field": {
+ "enum": [
+ "k8s.container.image"
+ ],
+ "description": "The field to run the filter against"
+ },
+ "value": {
+ "type": "string",
+ "description": "The value to run the filter against",
+ "examples": [
+ "docker.io*",
+ "cd.docker-registry.corp.yahoo.co.jp:4443*",
+ "library*"
+ ]
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "examples": [
+ {
+ "type": "include",
+ "field": "docker.io*",
+ "value": "k8s.container.image"
+ }
+ ],
+ "additionalProperties": false
+ },
+ "examples": [
+ [
+ {
+ "type": "include",
+ "field": "k8s.container.image",
+ "value": "docker.io*"
+ },
+ {
+ "type": "exclude"
+ }
+ ]
+ ]
+ }
+ }
+ },
 "parallel_files_analysis_count": {
 "type": "integer",
 "description": "Maximum number of files that are analyzed in parallel"
@@ -660,6 +718,11 @@
 "max_file_size_bytes_in_memory": {
 "type": "integer",
 "description": "Maximum size in bytes for a file to be analyzed in memory; file whose size is bigger than this are temporarily copied on to the filesystem"
+ },
+ "memory_optimized_k8s_mode": {
+ "type": "boolean",
+ "description": "Enable memory-optimized access to Kubernetes API. Enabled by default, queries K8s using the Metadata API for all resources but Pods. Set this to false if you need to see the replicas counters, but it will require more memory.",
+ "default": true
 }
 }
 },
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index 2f0e76ab5..0944856bc 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
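Review bot: The item-level example at `"field": "docker.io*", "value": "k8s.container.image"` has the two keys swapped — `field` is restricted to the enum value `k8s.container.image`, so this example fails the very schema it illustrates; it should read `"field": "k8s.container.image", "value": "docker.io*"`, as the array-level example further down already does. The `value` examples also publish a third-party registry hostname (`cd.docker-registry.corp.yahoo.co.jp:4443*`); a neutral placeholder such as `registry.example.com:4443*` avoids naming a real endpoint in a public chart. `filters` itself carries no `additionalProperties: false` although its rule items do, so a misspelled key under `filters` is accepted silently — worth aligning if the neighbouring objects in this schema set it. The `type` property has no `description` while `field` and `value` do; `"description": "Whether images matching the filter are included in or excluded from scanning"` would complete the trio.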
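Review bot: `"default": true` on `memory_optimized_k8s_mode` at `@@ -660` is a JSON-schema annotation only; the effective default is whatever values.yaml supplies, and the values.yaml hunk in this commit changes just the image tag, so it is worth confirming that this key and the new `filters` block are present there and listed in the README parameter table, which this commit also leaves untouched apart from the tag row. The description mixes mechanism and trade-off in one run-on sentence; splitting it as `"Query the Kubernetes API through the Metadata API for every resource except Pods, which lowers memory use. Set to false if replica counters must be visible; this requires more memory."` reads better in generated docs.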
@@ -297,7 +297,7 @@ cluster:
 # The repository where the cluster shield image is stored
 repository: sysdig/cluster-shield
 # The tag for the cluster shield image
- tag: 1.7.1
+ tag: 1.8.0
 # The pull policy for the cluster shield image
 pull_policy: IfNotPresent
 # The pull secrets for the cluster shield image