diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 00adde676..0a1a40d9e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,3 +1,380 @@ # Contributing -TODO +These guidelines will help you get started with the Starboard project. + +## Table of Contents + +- [Contribution Workflow](#contribution-workflow) + - [Issues and Discussions](#issues-and-discussions) + - [Pull Requests](#pull-requests) +- [Set up your Development Environment](#set-up-your-development-environment) +- [Build Binaries](#build-binaries) +- [Run Tests](#run-tests) + - [Run Unit Tests](#run-unit-tests) + - [Run Integration Tests](#run-integration-tests) + - [Cove Coverage](#code-coverage) +- [Custom Resource Definitions](#custom-resource-definitions) + - [Generate Code](#generate-code) +- [Test Starboard Operator](#test-starboard-operator) + - [Prerequisites](#prerequisites) + - [In Cluster](#in-cluster) + - [Out of Cluster](#out-of-cluster) + - [Enable Aqua Scanner](#enable-aqua-scanner) +- [Operator Lifecycle Manager (OLM)](#operator-lifecycle-manager-olm) + - [Install OLM and Operator Marketplace](#install-olm-and-operator-marketplace) + - [Publish the OLM Bundle to Quay.io](#publish-the-olm-bundle-to-quayio) + - [Install the OLM Bundle from Quay.io](#install-the-olm-bundle-from-quayio) + +## Contribution Workflow + +### Issues and Discussions + +- Feel free to open issues for any reason as long as you make it clear what this issue is about: bug/feature/proposal/comment. +- For questions and general discussions, please do not open an issue, and instead create a discussion in the "Discussions" tab. +- Please spend a minimal amount of time giving due diligence to existing issues or discussions. Your topic might be a duplicate. If it is, please add your comment to the existing one. +- Please give your issue or discussion a meaningful title that will be clear for future users. +- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information. 
+- For technical questions, please explain in detail what you were trying to do, provide an error message if applicable, and your versions of Starboard and your environment. + +### Pull Requests + +- Every Pull Request should have an associated Issue unless it is a trivial fix. +- Your PR is more likely to be accepted if it focuses on just one change. +- Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that start with "fix"/"add"/"improve"/"remove" are good examples. +- There's no need to add or tag reviewers, if your PR is left unattended for too long, you can add a comment to bring it up to attention, optionally "@" mention one of the maintainers that was involved with the issue. +- If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it and re-request a review. +- When addressing comments, try to fix each suggestion in a separate commit. +- Tests are not required at this point as Starboard is evolving fast, but if you can include tests that will be appreciated. + +## Set up your Development Environment + +1. Install Go + + The project requires [Go 1.15][go-download] or later. We also assume that you're familiar with + Go's [GOPATH workspace][go-code] convention, and have the appropriate environment variables set. +2. Get the source code: + + ``` + $ git clone git@github.com:aquasecurity/starboard.git + $ cd starboard + ``` +3. Access to a Kubernetes cluster. We assume that you're using a [KIND][kind] cluster. 
To create a single-node KIND + cluster, run: + + ``` + $ kind create cluster + ``` + +## Build Binaries + +| Binary | Image | Description | +| ------------------------ | ------------------------------------------ | ------------------------------------------------------------ | +| `starboard` | `docker.io/aquasec/starboard:dev` | Starboard command-line interface | +| `starboard-operator` | `docker.io/aquasec/starboard-operator:dev` | Starboard Operator | +| `starboard-scanner-aqua` | `docker.io/aquasec/starboard-scanner-aqua` | Starboard plugin to integrate with Aqua vulnerability scanner | + +To build all Starboard binaries, run: + +``` +$ make +``` + +This uses the `go build` command and builds binaries in the `./bin` directory. + +To build all Starboard binaries into Docker images, run: + +``` +$ make docker-build +``` + +To load Docker images into your KIND cluster, run: + +``` +$ kind load docker-image aquasec/starboard:dev +$ kind load docker-image aquasec/starboard-operator:dev +$ kind load docker-image aquasec/starboard-scanner-aqua:dev +``` + +## Run Tests + +We generally require tests to be added for all, but the most trivial of changes. However, unit tests alone don't +provide guarantees about the behaviour of Starboard. To verify that each Go module correctly interacts with its +collaborators, more coarse grained integration tests might be required. + +### Run Unit Tests + +To run all unit tests with code coverage enabled, run: + +``` +$ make unit-tests +``` + +To open the test coverage report in your web browser, run: + +``` +$ go tool cover -html=coverage.txt`. +``` + +### Run Integration Tests + +The integration tests assumes that you have a working kubernetes cluster (e.g KIND cluster) and `KUBECONFIG` environment +variable is pointing to that cluster configuration file. 
For example: + +``` +$ export KUBECONFIG=~/.kube/config +``` + +To run all integration tests with code coverage enabled, run: + +``` +$ make integration-tests +``` + +To open the test coverage report in your web browser, run: + +``` +$ go tool cover -html=itest/coverage.txt +``` + +### Code Coverage + +In the CI workflow, after running all tests, we do upload code coverage reports to [Codecov][codecov]. Codecov will +merge the reports automatically while maintaining the original upload context as explained +[here][codecov-merging-reports]. + +## Custom Resource Definitions + +### Generate Code + +Code generators are used a lot in the implementation of native Kubernetes resources, and we're using the very same +generators here for custom security resources. This project follows the patterns of +[k8s.io/sample-controller][k8s-sample-controller], which is a blueprint for many controllers built in Kubernetes itself. + +The code generation starts with: + +``` +$ go mod vendor +$ export GOPATH="$(go env GOPATH)" +$ ./hack/update-codegen.sh +``` + +In addition, there is a second script called `./hack/verify-codegen.sh`. This script calls the +`./hack/update-codegen.sh` script and checks whether anything changed, and then it terminates with a nonzero return +code if any of the generated files is not up-to-date. We're running it as a step in the CI workflow. + +## Test Starboard Operator + +You can deploy the operator in the `starboard-operator` namespace and configure it to watch the `default` +namespace. In OLM terms such install mode is called *SingleNamespace*. The *SingleNamespace* mode is good to get +started with a basic development workflow. For other install modes see [Operator Multitenancy with OperatorGroups][olm-operator-groups]. + +### Prerequisites + +1. Send the definition of the VulnerabilityReport custom resource to the Kubernetes API: + + ``` + $ kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml + ``` +2. 
Send the following Kubernetes objects definitions to the Kubernetes API: + + ``` + $ kubectl apply -f deploy/kubectl/01-starboard-operator.ns.yaml \ + -f deploy/kubectl/02-starboard-operator.sa.yaml \ + -f deploy/kubectl/03-starboard-operator.clusterrole.yaml \ + -f deploy/kubectl/04-starboard-operator.clusterrolebinding.yaml + ``` + + This will create the `starboard-operator` namespace, and the `starboard-operator` service account. Beyond that, + it will create the `starboard-operator` ClusterRole and bind it to the `starboard-operator` service account in the + `starboard-operator` namespace via the `starboard-operator` ClusterRoleBinding. + +### In cluster + +1. Create the `starboard-operator` Deployment in the `starboard-operator` namespace to run the operator's container: + + ``` + $ kubectl apply -f deploy/kubectl/05-starboard-operator.deployment.yaml + ``` + +### Out of cluster + +1. Run the main method of the operator program: + + ``` + $ OPERATOR_NAMESPACE=starboard-operator \ + OPERATOR_TARGET_NAMESPACES=default \ + OPERATOR_LOG_DEV_MODE=true \ + go run cmd/starboard-operator/main.go + ``` + +### Enable Aqua Scanner + +1. Create the `starboard-operator` secret in the `starboard-operator` namespace that holds the scanner's configuration: + + ``` + $ kubectl create secret generic starboard-operator \ + --namespace starboard-operator \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080 + ``` +2. Patch or edit the `starboard-operator` deployment and set the value of the `OPERATOR_SCANNER_AQUA_CSP_ENABLED` to + `true` and disable the default Trivy scanner by setting `OPERATOR_SCANNER_TRIVY_ENABLED` to `false`. 
+ +## Operator Lifecycle Manager (OLM) + +### Install OLM and Operator Marketplace + +To install [Operator Lifecycle Manager][olm] (OLM) and [Operator Marketplace][operator-marketplace], run: + +``` +$ ./deploy/olm/install.sh +``` + +### Publish the OLM Bundle to Quay.io + +1. [Sign up][quay] for a free Quay.io account if you're a new user. +2. Install [Operator Courier][operator-courier]: + + ``` + $ pip3 install operator-courier + ``` +3. Lint the OLM bundle: + + ``` + $ BUNDLE_SRC_DIR=deploy/olm/bundle + $ operator-courier verify $BUNDLE_SRC_DIR + ``` +4. Retrieve a Quay.io token: + ``` + $ QUAY_USERNAME= + $ QUAY_PASSWORD= + $ QUAY_URL=https://quay.io/cnr/api/v1/users/login + + $ QUAY_TOKEN=$(curl -s -H "Content-Type: application/json" -XPOST $QUAY_URL -d \ + '{"user":{"username":"'"${QUAY_USERNAME}"'","password": "'"${QUAY_PASSWORD}"'"}}' | + jq -r .token) + ``` +5. Push the OLM bundle to Quay.io: + ``` + $ QUAY_NAMESPACE= + $ PACKAGE_NAME=starboard-operator + $ PACKAGE_VERSION= + + $ operator-courier push "$BUNDLE_SRC_DIR" "$QUAY_NAMESPACE" \ + "$PACKAGE_NAME" "$PACKAGE_VERSION" "$QUAY_TOKEN" + ``` +6. Navigate to https://quay.io/application/$QUAY_USERNAME/starboard-operator?tab=settings and make the published + bundle public by clicking the **Make Public** button. + + +### Install the OLM Bundle from Quay.io + +1. Create the OperatorSource resource: + + ``` + QUAY_FULL_NAME= + $ cat << EOF | kubectl apply -f - + apiVersion: operators.coreos.com/v1 + kind: OperatorSource + metadata: + name: $QUAY_USERNAME-operators + namespace: marketplace + spec: + type: appregistry + endpoint: https://quay.io/cnr + displayName: "$QUAY_FULL_NAME Quay.io Applications" + publisher: "$QUAY_FULL_NAME" + registryNamespace: "$QUAY_USERNAME" + EOF + ``` + + An OperatorSource resource defines the external data store used to host operator bundles. 
In this case, you will be + defining an OperatorSource to point to your Quay.io account, which will provide access to its hosted OLM bundles. + +2. Create the OperatorGroup resource: + + ``` + $ cat << EOF | kubectl apply -f - + apiVersion: operators.coreos.com/v1alpha2 + kind: OperatorGroup + metadata: + name: starboard-operator + namespace: marketplace + spec: + targetNamespaces: + - default + EOF + ``` + + You'll need an OperatorGroup to denote which namespaces the operator should watch. It must exist in the namespace + where you want to deploy the operator. + +3. Create the Subscription resource + 1. with Trivy scanner, which is enabled by default: + + ``` + $ cat << EOF | kubectl apply -f - + apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: starboard-operator + namespace: marketplace + spec: + channel: alpha + name: starboard-operator + source: $QUAY_NAMESPACE-operators + sourceNamespace: marketplace + EOF + ``` + 2. with Aqua CSP scanner: + + ``` + $ kubectl create secret generic starboard-operator \ + --namespace marketplace \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \ + --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080 + ``` + + ``` + $ cat << EOF | kubectl apply -f - + apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: starboard-operator + namespace: marketplace + spec: + channel: alpha + name: starboard-operator + source: $QUAY_NAMESPACE-operators + sourceNamespace: marketplace + config: + env: + - name: OPERATOR_SCANNER_TRIVY_ENABLED + value: "false" + - name: OPERATOR_SCANNER_AQUA_CSP_ENABLED + value: "true" + envFrom: + - secretRef: + name: starboard-operator + EOF + ``` + + A Subscription links the previous steps together by selecting an operator and one of its channels. 
OLM uses this + information to start the corresponding operator Pod. The example above creates a new Subscription to the `alpha` + channel for the Starboard Operator. + +[go-download]: https://golang.org/dl/ +[go-code]: https://golang.org/doc/code.html +[kind]: https://github.com/kubernetes-sigs/kind +[codecov]: https://codecov.io/ +[codecov-merging-reports]: https://docs.codecov.io/docs/merging-reports/ +[olm]: https://github.com/operator-framework/operator-lifecycle-manager +[operator-marketplace]: https://github.com/operator-framework/operator-marketplace +[operator-courier]: https://github.com/operator-framework/operator-courier +[olm-operator-groups]: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/operatorgroups.md +[quay]: https://quay.io +[k8s-sample-controller]: https://github.com/kubernetes/sample-controller diff --git a/Dockerfile.starboard b/Dockerfile.starboard index e34ebec96..0541ec381 100644 --- a/Dockerfile.starboard +++ b/Dockerfile.starboard @@ -1,5 +1,9 @@ -FROM scratch +FROM alpine:3.12 + +RUN adduser -u 10000 -D -g '' starboard starboard COPY starboard /usr/local/bin/starboard +USER starboard + ENTRYPOINT ["starboard"] diff --git a/Dockerfile.starboard-operator b/Dockerfile.starboard-operator index b3d4df351..6d027e94c 100644 --- a/Dockerfile.starboard-operator +++ b/Dockerfile.starboard-operator @@ -1,4 +1,4 @@ -FROM alpine:3 +FROM alpine:3.12 RUN adduser -u 10000 -D -g '' starboard starboard diff --git a/HACKING.md b/HACKING.md deleted file mode 100644 index 15e2d3090..000000000 --- a/HACKING.md +++ /dev/null 
@@ -1,143 +0,0 @@ -# Hacking - -## Prerequisites - -- [Go 1.15 or above](https://golang.org/dl/) - -## Getting Started - -``` -$ git clone git@github.com:aquasecurity/starboard.git -$ cd starboard -$ make build -$ ./bin/starboard help -``` - -## Testing - -We generally require tests to be added for all but the most trivial of changes. You can run the tests using the -commands below: - -``` -# To run only unit tests -$ make unit-tests - -# To run only integration tests -# Please note that integration tests assumes that you have a working kubernetes cluster (e.g KIND cluster) and KUBECONFIG env variable is pointing to that cluster -$ make integration-tests - -# To run both unit-tests and integration-tests -$ make test -``` - -## Generating Code - -Code generators are used a lot in the implementation of native Kubernetes resources, and we're using the very same -generators here for custom security resources. This project follows the patterns of -[k8s.io/sample-controller][k8s-sample-controller], which is a blueprint for many controllers built in Kubernetes itself. - -The code generation starts with: - -``` -$ go mod vendor -$ export GOPATH="$(go env GOPATH)" -$ ./hack/update-codegen.sh -``` - -In addition, there is a second script called `./hack/verify-codegen.sh`. This script calls the -`./hack/update-codegen.sh` script and checks whether anything changed, and then it terminates with a nonzero return -code if any of the generated files is not up-to-date. We're running it as a step in the CI/CD pipeline. - -## Using Generated Code - -An instance of a client set can be created with the `NewForConfig` helper function. This is analogous to the client sets -for core Kubernetes resources. The following listings shows how to create an instance of the -`vulnerabilities.aquasecurity.github.io` resource and send it to the Kubernetes API. 
- -```go -package main - -import ( - "log" - "os" - "time" - - "k8s.io/client-go/tools/clientcmd" - - starboard "github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1" - starboardapi "github.com/aquasecurity/starboard/pkg/generated/clientset/versioned" - meta "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -func main() { - if err := run(os.Args); err != nil { - log.Fatalf("Error: %v", err) - } -} - -func run(_ []string) (err error) { - config, err := clientcmd.BuildConfigFromFlags("", "~/.kube/config") - if err != nil { - return - } - client, err := starboardapi.NewForConfig(config) - if err != nil { - return - } - - vulnerability := &starboard.Vulnerability{ - ObjectMeta: meta.ObjectMeta{ - Name: "a2a6b603-97b4-4e5d-bbcd-404723c4177a", - Namespace: "dev", - Labels: map[string]string{ - "starboard.resource.kind": "Deployment", - "starboard.resource.name": "nginx", - "starboard.container.name": "nginx", - }, - Annotations: map[string]string{ - "starboard.history.limit": "10", - "starboard.image.digest": "sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb", - }, - }, - Report: starboard.VulnerabilityReport{ - Scanner: starboard.Scanner{ - Name: "Trivy", - Vendor: "Aqua Security", - Version: "latest", - }, - Artifact: starboard.Artifact{ - Repository: "library/nginx", - Digest: "sha256:72c42ed48c3a2db31b7dafe17d275b634664a708d901ec9fd57b1529280f01fb", - Tag: "1.16", - MimeType: "application/vnd.docker.distribution.manifest.v2+json", - }, - Summary: starboard.VulnerabilitySummary{ - CriticalCount: 0, - HighCount: 0, - MediumCount: 1, - LowCount: 0, - UnknownCount: 0, - }, - Vulnerabilities: []starboard.VulnerabilityItem{ - { - VulnerabilityID: "CVE-2019-1549", - Resource: "openssl", - Severity: starboard.SeverityMedium, - InstalledVersion: "1.1.1c-r0", - FixedVersion: "1.1.1d-r0", - Title: "openssl: information disclosure in fork()", - }, - }, - }, - } - - _, err = client.AquasecurityV1alpha1(). - Vulnerabilities("dev"). 
- Create(vulnerability) - return -} -``` - -Note that higher-level tools like informers and listers are also generated and available. - -[k8s-sample-controller]: https://github.com/kubernetes/sample-controller diff --git a/README.md b/README.md index c122f5570..95b493c60 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ [![Go Report Card][report-card-img]][report-card] [![License][license-img]][license] [![GitHub All Releases][github-all-releases-img]][release] +![Docker Pulls Starboard][docker-pulls-starboard] ## Table of Contents @@ -317,9 +318,10 @@ At this early stage we would love your feedback on the overall concept of Starbo contributions integrating different security tools so that users can access security information in standard, Kubernetes-native ways. -See our [hacking](HACKING.md) guide for getting your development environment setup. - -See our [roadmap](ROADMAP.md) for tentative features in a 1.0 release. +* See [CONTRIBUTING.md](CONTRIBUTING.md) for information about setting up your development environment, and the + contribution workflow that we expect. +* See [ROADMAP.md](ROADMAP.md) for tentative features in a 1.0 release. +* Join our [discussions][discussions]. ## License 
@@ -337,20 +339,19 @@ This repository is available under the [Apache License 2.0][license]. [license-img]: https://img.shields.io/github/license/aquasecurity/starboard.svg [license]: https://github.com/aquasecurity/starboard/blob/master/LICENSE [github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/starboard/total?logo=github +[docker-pulls-starboard]: https://img.shields.io/docker/pulls/aquasec/starboard?logo=docker&label=docker%20pulls%20%2F%20starboard [aqua-starboard-blog]: https://blog.aquasec.com/starboard-kubernetes-tools [discussions]: https://github.com/aquasecurity/starboard/discussions [starboard-crds]: #custom-security-resources-definitions [starboard-crds-spec]: ./SECURITY_CRDS_SPEC.md -[vulnerabilityreports-crd]: ./kube/crd/vulnerabilityreports-crd.yaml -[ciskubebenchreports-crd]: ./kube/crd/ciskubebenchreports-crd.yaml -[kubehunterreports-crd]: ./kube/crd/kubehunterreports-crd.yaml -[configauditreports-crd]: ./kube/crd/configauditreports-crd.yaml +[vulnerabilityreports-crd]: ./deploy/crd/vulnerabilityreports.crd.yaml +[ciskubebenchreports-crd]: ./deploy/crd/ciskubebenchreports.crd.yaml +[kubehunterreports-crd]: ./deploy/crd/kubehunterreports.crd.yaml +[configauditreports-crd]: ./deploy/crd/configauditreports.crd.yaml [starboard-go-module]: ./pkg [starboard-cli]: #starboard-cli [starboard-octant-plugin]: https://github.com/aquasecurity/octant-starboard-plugin -[starboard-security-operator]: https://github.com/aquasecurity/starboard-security-operator -[starboard-harbor-webhook]: https://github.com/aquasecurity/starboard-harbor-webhook [aqua-kube-bench]: https://github.com/aquasecurity/kube-bench [aqua-kube-hunter]: https://github.com/aquasecurity/kube-hunter [octant]: https://github.com/vmware-tanzu/octant 
@@ -363,4 +364,4 @@ This repository is available under the [Apache License 2.0][license]. [krew]: https://github.com/kubernetes-sigs/krew -[default-polaris-config]: ./kube/init/starboard-cm.yaml +[default-polaris-config]: ./deploy/init/03-starboard.cm.yaml diff --git a/ROADMAP.md b/ROADMAP.md index 75df62328..ee66ccc98 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -1,9 +1,8 @@ # Roadmap -Initially we want to get feedback from the community about the Starboard approach before we define a roadmap, but some high-level ideas we would like to address include: +Initially we want to get feedback from the community about the Starboard approach before we define a roadmap, but some +high-level ideas we would like to address include: -* [Starboard operator][operator] to automatically run reports as resources are created -* Summarizing security issues at the namespace level +* Release Starboard operator to automatically run reports as resources are created +* Summarizing security issues at the namespace level * Scale: supporting large amounts of security report data may become an issue - -[operator]: https://github.com/aquasecurity/starboard-operator diff --git a/kube/crd/ciskubebenchreports-crd.yaml b/deploy/crd/ciskubebenchreports.crd.yaml similarity index 100% rename from kube/crd/ciskubebenchreports-crd.yaml rename to deploy/crd/ciskubebenchreports.crd.yaml diff --git a/kube/crd/configauditreports-crd.yaml b/deploy/crd/configauditreports.crd.yaml similarity index 100% rename from kube/crd/configauditreports-crd.yaml rename to deploy/crd/configauditreports.crd.yaml diff --git a/kube/crd/kubehunterreports-crd.yaml b/deploy/crd/kubehunterreports.crd.yaml similarity index 100% rename from kube/crd/kubehunterreports-crd.yaml rename to deploy/crd/kubehunterreports.crd.yaml 
diff --git a/kube/crd/vulnerabilityreports-crd.yaml b/deploy/crd/vulnerabilityreports.crd.yaml similarity index 100% rename from kube/crd/vulnerabilityreports-crd.yaml rename to deploy/crd/vulnerabilityreports.crd.yaml diff --git a/kube/examples/configauditreports.yaml b/deploy/examples/configauditreports.yaml similarity index 100% rename from kube/examples/configauditreports.yaml rename to deploy/examples/configauditreports.yaml diff --git a/deploy/operator/examples/starboard-scanner-aqua.job.yaml b/deploy/examples/starboard-scanner-aqua.job.yaml similarity index 83% rename from deploy/operator/examples/starboard-scanner-aqua.job.yaml rename to deploy/examples/starboard-scanner-aqua.job.yaml index 315bc7db7..d975a3cb9 100644 --- a/deploy/operator/examples/starboard-scanner-aqua.job.yaml +++ b/deploy/examples/starboard-scanner-aqua.job.yaml @@ -16,7 +16,6 @@ spec: emptyDir: {} - name: dockersock hostPath: - ## TODO This works only for Docker container runtime path: "/var/run/docker.sock" initContainers: - name: download 
@@ -35,23 +34,23 @@ spec: command: - "/bin/sh" - "-c" - - "/usr/local/bin/starboard-scanner-aqua --version $(AQUA_VERSION) --host $(OPERATOR_SCANNER_AQUA_CSP_HOST) --user $(OPERATOR_SCANNER_AQUA_CSP_USERNAME) --password $(OPERATOR_SCANNER_AQUA_CSP_PASSWORD) $(IMAGE_REF) 2> /dev/termination-log" + - "/usr/local/bin/starboard-scanner-aqua --version $(AQUA_VERSION) --host $(AQUA_CSP_HOST) --user $(AQUA_CSP_USERNAME) --password $(AQUA_CSP_PASSWORD) $(IMAGE_REF) 2> /dev/termination-log" env: - name: IMAGE_REF value: nginx:1.16 - name: AQUA_VERSION value: "5.0" - - name: OPERATOR_SCANNER_AQUA_CSP_HOST + - name: AQUA_CSP_HOST valueFrom: secretKeyRef: name: starboard-operator key: OPERATOR_SCANNER_AQUA_CSP_HOST - - name: OPERATOR_SCANNER_AQUA_CSP_USERNAME + - name: AQUA_CSP_USERNAME valueFrom: secretKeyRef: name: starboard-operator key: OPERATOR_SCANNER_AQUA_CSP_USERNAME - - name: OPERATOR_SCANNER_AQUA_CSP_PASSWORD + - name: AQUA_CSP_PASSWORD valueFrom: secretKeyRef: name: starboard-operator diff --git a/kube/examples/vulnerabilities.yaml b/deploy/examples/vulnerabilities.yaml similarity index 100% rename from kube/examples/vulnerabilities.yaml rename to deploy/examples/vulnerabilities.yaml diff --git a/kube/init/starboard-ns.yaml b/deploy/init/01-starboard.ns.yaml similarity index 100% rename from kube/init/starboard-ns.yaml rename to deploy/init/01-starboard.ns.yaml diff --git a/kube/init/starboard-sa.yaml b/deploy/init/02-starboard.sa.yaml similarity index 100% rename from kube/init/starboard-sa.yaml rename to deploy/init/02-starboard.sa.yaml diff --git a/kube/init/starboard-cm.yaml b/deploy/init/03-starboard.cm.yaml similarity index 100% rename from kube/init/starboard-cm.yaml rename to deploy/init/03-starboard.cm.yaml diff --git a/kube/init/starboard-clusterrole.yaml b/deploy/init/04-starboard.clusterrole.yaml similarity index 100% rename from kube/init/starboard-clusterrole.yaml rename to deploy/init/04-starboard.clusterrole.yaml 
diff --git a/kube/init/starboard-clusterrolebinding.yaml b/deploy/init/05-starboard.clusterrolebinding.yaml similarity index 100% rename from kube/init/starboard-clusterrolebinding.yaml rename to deploy/init/05-starboard.clusterrolebinding.yaml diff --git a/deploy/operator/kubectl/01-starboard-operator.ns.yaml b/deploy/kubectl/01-starboard-operator.ns.yaml similarity index 100% rename from deploy/operator/kubectl/01-starboard-operator.ns.yaml rename to deploy/kubectl/01-starboard-operator.ns.yaml diff --git a/deploy/operator/kubectl/02-starboard-operator.sa.yaml b/deploy/kubectl/02-starboard-operator.sa.yaml similarity index 100% rename from deploy/operator/kubectl/02-starboard-operator.sa.yaml rename to deploy/kubectl/02-starboard-operator.sa.yaml diff --git a/deploy/operator/kubectl/03-starboard-operator.clusterrole.yaml b/deploy/kubectl/03-starboard-operator.clusterrole.yaml similarity index 100% rename from deploy/operator/kubectl/03-starboard-operator.clusterrole.yaml rename to deploy/kubectl/03-starboard-operator.clusterrole.yaml diff --git a/deploy/operator/kubectl/04-starboard-operator.clusterrolebinding.yaml b/deploy/kubectl/04-starboard-operator.clusterrolebinding.yaml similarity index 100% rename from deploy/operator/kubectl/04-starboard-operator.clusterrolebinding.yaml rename to deploy/kubectl/04-starboard-operator.clusterrolebinding.yaml diff --git a/deploy/operator/kubectl/05-starboard-operator.deployment.yaml b/deploy/kubectl/05-starboard-operator.deployment.yaml similarity index 100% rename from deploy/operator/kubectl/05-starboard-operator.deployment.yaml rename to deploy/kubectl/05-starboard-operator.deployment.yaml 
diff --git a/deploy/operator/olm/bundle/0.0.1/starboard-operator.v0.0.1.clusterserviceversion.yaml b/deploy/olm/bundle/0.6.0/starboard-operator.v0.6.0.clusterserviceversion.yaml similarity index 98% rename from deploy/operator/olm/bundle/0.0.1/starboard-operator.v0.0.1.clusterserviceversion.yaml rename to deploy/olm/bundle/0.6.0/starboard-operator.v0.6.0.clusterserviceversion.yaml index a2c58f6d0..8f2cd2805 100644 --- a/deploy/operator/olm/bundle/0.0.1/starboard-operator.v0.0.1.clusterserviceversion.yaml +++ b/deploy/olm/bundle/0.6.0/starboard-operator.v0.6.0.clusterserviceversion.yaml @@ -1,14 +1,14 @@ apiVersion: operators.coreos.com/v1alpha1 kind: ClusterServiceVersion metadata: - name: starboard-operator.v0.0.1 + name: starboard-operator.v0.6.0 namespace: starboard-operator annotations: capabilities: Basic Install categories: Security description: Keeps security report resources updated certified: "false" - containerImage: aquasec/starboard-operator:0.0.1 + containerImage: aquasec/starboard-operator:0.6.0 createdAt: 2020-09-15T08:00:00Z support: Aqua Security repository: https://github.com/aquasecurity/starboard-operator @@ -16,7 +16,7 @@ metadata: [] spec: displayName: Starboard Operator - version: 0.0.1 + version: 0.6.0 description: |- This operator for Starboard automatically updates security report resources in response to workload and other changes on a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see @@ -266,7 +266,7 @@ spec: fsGroup: 10000 containers: - name: starboard-operator - image: aquasec/starboard-operator:0.0.1 + image: aquasec/starboard-operator:0.6.0 imagePullPolicy: IfNotPresent securityContext: privileged: false 
diff --git a/deploy/operator/olm/bundle/0.0.1/vulnerabilityreports.v1alpha1.aquasecurity.github.io.yaml b/deploy/olm/bundle/0.6.0/vulnerabilityreports.v1alpha1.aquasecurity.github.io.crd.yaml similarity index 100% rename from deploy/operator/olm/bundle/0.0.1/vulnerabilityreports.v1alpha1.aquasecurity.github.io.yaml rename to deploy/olm/bundle/0.6.0/vulnerabilityreports.v1alpha1.aquasecurity.github.io.crd.yaml diff --git a/deploy/operator/olm/bundle/starboard-operator.package.yaml b/deploy/olm/bundle/starboard-operator.package.yaml similarity index 100% rename from deploy/operator/olm/bundle/starboard-operator.package.yaml rename to deploy/olm/bundle/starboard-operator.package.yaml diff --git a/deploy/operator/olm/install.sh b/deploy/olm/install.sh similarity index 100% rename from deploy/operator/olm/install.sh rename to deploy/olm/install.sh
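Review bot: in the CONTRIBUTING.md hunk, the OperatorSource created under "Install the OLM Bundle from Quay.io" is named `$QUAY_USERNAME-operators`, but both Subscription examples reference `source: $QUAY_NAMESPACE-operators`; unless those two variables happen to hold the same value the Subscription never resolves, so use a single variable in all three places (the push step already uses `$QUAY_NAMESPACE`) and add the missing `$ ` prompt before `QUAY_FULL_NAME=`. In the same section the reader is told to type `QUAY_PASSWORD=` as a literal on the command line, which puts the Quay password into shell history; suggest `read -rs QUAY_PASSWORD` instead, list `jq` (used to extract the token) next to operator-courier as a prerequisite, and flag that `OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080` sends the Aqua console credentials over plain HTTP. Smaller points: "Pull Requests" says "Tests are not required at this point" while "Run Tests" says "We generally require tests to be added for all, but the most trivial of changes", so pick one; the TOC entry "Cove Coverage" should be "Code Coverage"; `$ go tool cover -html=coverage.txt`.` carries a stray backtick and period; "The integration tests assumes" should read "assume"; and the `kind load` step loads `aquasec/starboard-scanner-aqua:dev` while the Build Binaries table lists that image without the `:dev` tag.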
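Review bot: in the Dockerfile.starboard hunk, switching from `FROM scratch` to `FROM alpine:3.12` pulls a full userland (shell, package manager, musl) into the CLI image solely to run `adduser`; a numeric `USER 10000:10000` is accepted on a scratch image without any passwd entry, so the non-root goal is reachable while keeping the minimal base and its smaller vulnerability surface. If alpine is wanted for another reason, such as a shell for debugging, say so in the PR description.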
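Review bot: in the Dockerfile.starboard-operator hunk, narrowing `alpine:3` to `alpine:3.12` is an improvement, but a tag is still mutable; for reproducible builds pin the base by digest (`FROM alpine:3.12@sha256:...`) in both Dockerfiles and let a bot bump it, otherwise two builds of the same commit can contain different base layers.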
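Review bot: the HACKING.md deletion drops the "Using Generated Code" section (the Go listing that builds a clientset with `starboardapi.NewForConfig` and creates a `starboard.Vulnerability` via `client.AquasecurityV1alpha1().Vulnerabilities("dev").Create(vulnerability)`), and nothing in the new CONTRIBUTING.md replaces it. The listing is visibly stale (CONTRIBUTING.md now documents the `VulnerabilityReport` CRD in `deploy/crd/vulnerabilityreports.crd.yaml`, and the code hard-codes `"~/.kube/config"`, which `clientcmd.BuildConfigFromFlags` does not tilde-expand), so if dropping it is deliberate, say so in the PR description; otherwise port an updated version under "Custom Resource Definitions". The prerequisites, testing and code-generation content of HACKING.md is carried over.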
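Review bot: in the README.md link-definitions hunk, the `[starboard-security-operator]` and `[starboard-harbor-webhook]` definitions are removed but the README body is not in the diff; confirm that no `[...][starboard-security-operator]` or `[...][starboard-harbor-webhook]` reference remains, since a dangling reference renders as literal bracket text rather than a link. The CRD paths in this hunk are consistent with the `kube/crd` to `deploy/crd` renames below.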
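Review bot: in the first deploy/examples/starboard-scanner-aqua.job.yaml hunk, deleting the `## TODO This works only for Docker container runtime` comment does not remove the limitation: the `hostPath` volume still mounts `/var/run/docker.sock`, which is absent on containerd and CRI-O nodes and, where present, gives the Job root-equivalent control of the node. Keep the caveat, as a comment here or in CONTRIBUTING.md, and state that the example is only valid on Docker-runtime nodes.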
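Review bot: in the second deploy/examples/starboard-scanner-aqua.job.yaml hunk, the renamed variables are still expanded into the command line (`--user $(AQUA_CSP_USERNAME) --password $(AQUA_CSP_PASSWORD)`), so the Aqua console password is readable by anyone who can list processes in the Pod or on the node via `/proc/<pid>/cmdline`. Since the secret is already injected through `secretKeyRef`, have `starboard-scanner-aqua` read the password from the environment or a mounted file instead of a flag. Also, `AQUA_VERSION` is the literal `"5.0"` here while CONTRIBUTING.md stores `OPERATOR_SCANNER_AQUA_CSP_VERSION` in the same `starboard-operator` secret; sourcing it from the secret keeps the example and the operator configuration in step.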
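Review bot: in the first ClusterServiceVersion hunk, the CSV name and `containerImage` move to 0.6.0 but `repository: https://github.com/aquasecurity/starboard-operator` still points at the separate operator repository that this PR elsewhere stops referencing (ROADMAP.md drops the `[operator]` link and README.md drops `[starboard-security-operator]`); update it to the starboard repository. `createdAt: 2020-09-15T08:00:00Z` is also left unchanged for a new version. Finally, `deploy/olm/bundle/starboard-operator.package.yaml` is renamed at 100% similarity, so if its channel pins `currentCSV: starboard-operator.v0.0.1` it now references a CSV that no longer exists; check that it names `starboard-operator.v0.6.0`.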