From 0773b4cb68b506acfa5b4869ba6697349e161231 Mon Sep 17 00:00:00 2001
From: draios-jenkins
Date: Mon, 17 Jun 2024 17:36:41 +0200
Subject: [PATCH] chore(cluster-shield): Automatic bump to version 1.0.1 (#1779)

Co-authored-by: AlbertoBarba <16882595+AlbertoBarba@users.noreply.github.com>
---
 charts/cluster-shield/Chart.yaml | 4 +-
 charts/cluster-shield/README.md | 8 +-
 charts/cluster-shield/templates/_helpers.tpl | 26 +-
 .../cluster-shield/templates/deployment.yaml | 20 +-
 charts/cluster-shield/templates/service.yaml | 20 +-
 .../validatingwebhookconfiguration.yaml | 4 +-
 .../cluster-shield/tests/deployment_test.yaml | 66 +++-
 charts/cluster-shield/tests/service_test.yaml | 191 +++++++++++-
 .../validatingwebhookconfiguration_test.yaml | 282 ++++++++++++++++++
 charts/cluster-shield/values.schema.json | 18 +-
 charts/cluster-shield/values.yaml | 6 +-
 11 files changed, 584 insertions(+), 61 deletions(-)
 create mode 100644 charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml

diff --git a/charts/cluster-shield/Chart.yaml b/charts/cluster-shield/Chart.yaml
index f16faffba..1893a4b77 100644
--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.0.0
-appVersion: "1.0.0"
+version: 1.0.1
+appVersion: "1.0.1"
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
diff --git a/charts/cluster-shield/README.md b/charts/cluster-shield/README.md
index aa361c7c1..759414636 100644
--- a/charts/cluster-shield/README.md
+++ b/charts/cluster-shield/README.md
@@ -23,7 +23,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-sysdig-cluster-shield sysdig/cluster-shield \ - --create-namespace -n sysdig-agent --version=1.0.0 \ + --create-namespace -n sysdig-agent --version=1.0.1 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -134,8 +134,10 @@ The following table lists the configurable parameters of the `cluster-shield` ch | cluster_shield.features.admission_control.deny_on_error | | false | | cluster_shield.features.admission_control.dry_run | | true | | cluster_shield.features.admission_control.timeout | | 5 | +| cluster_shield.features.admission_control.http_port | | 8443 | | cluster_shield.features.admission_control.container_vulnerability_management.enabled | | false | | cluster_shield.features.audit.enabled | | false | +| cluster_shield.features.audit.http_port | | 6443 | | cluster_shield.features.audit.timeout | | 5 | | cluster_shield.features.posture.enabled | | false | | cluster_shield.features.container_vulnerability_management.enabled | | false | @@ -167,7 +169,9 @@ The following table lists the configurable parameters of the `cluster-shield` ch | podAnnotations | | {} | | podLabels | | {} | | service.type | | ClusterIP | -| service.port | | 8080 | +| service.monitoring_port | | | +| service.admission_control_port | | | +| service.audit_port | | | | serviceAccount.labels | | {} | | serviceAccount.annotations | | {} | | resources | | {} | diff --git a/charts/cluster-shield/templates/_helpers.tpl b/charts/cluster-shield/templates/_helpers.tpl index 85a93765f..2cb048c7c 100644 --- a/charts/cluster-shield/templates/_helpers.tpl +++ b/charts/cluster-shield/templates/_helpers.tpl 
@@ -331,20 +331,6 @@ CA Cert File Name
 ca.crt
 {{- end }}
 
-{{/*
-Audit Port
-*/}}
-{{- define "cluster-shield.admissionControllerAuditPort" -}}
-6443
-{{- end }}
-
-{{/*
-Audit Port
-*/}}
-{{- define "cluster-shield.admissionControlPort" -}}
-8443
-{{- end }}
-
 {{/*
 ConfigMap Name
 */}}
@@ -399,3 +385,15 @@ Define the proper image repository to use for cluster-shield
 {{- .Values.image.repository -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "cluster-shield.serviceMonitoringPort" -}}
+ {{ .Values.service.monitoring_port | default .Values.cluster_shield.monitoring_port }}
+{{- end -}}
+
+{{- define "cluster-shield.serviceAdmissionControlPort" -}}
+ {{ .Values.service.admission_control_port | default .Values.cluster_shield.features.admission_control.http_port }}
+{{- end -}}
+
+{{- define "cluster-shield.serviceAuditPort" -}}
+ {{ .Values.service.audit_port | default .Values.cluster_shield.features.audit.http_port }}
+{{- end -}}
diff --git a/charts/cluster-shield/templates/deployment.yaml b/charts/cluster-shield/templates/deployment.yaml
index 872b9f336..037b58899 100644
--- a/charts/cluster-shield/templates/deployment.yaml
+++ b/charts/cluster-shield/templates/deployment.yaml
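Review bot: The three new `define` blocks appended at the end of `_helpers.tpl` have no `{{/* ... */}}` header comment, unlike every other helper in this file (the `ConfigMap Name` block just above the removed code, and the two removed helpers themselves); the removed pair also shows why that matters, since both were labelled `Audit Port` and one of them was wrong. These helpers are now the single source of truth shared by `service.yaml` and `validatingwebhookconfiguration.yaml`, so the comment should state the fallback order and that contract, e.g. for the audit one: `{{/* Service port for the audit webhook: service.audit_port, falling back to the container port cluster_shield.features.audit.http_port. Used by service.yaml and validatingwebhookconfiguration.yaml so the webhook always targets a published Service port. */}}`, with the equivalent wording for the monitoring and admission-control helpers.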
@@ -51,23 +51,23 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy | default .Values.global.image.pullPolicy | default "IfNotPresent" }}
 args: [ {{ .Values.run_command | quote }} ]
 ports:
- - name: http
- containerPort: {{ .Values.cluster_shield.monitoring_port | default 8080 }}
+ - name: monitoring
+ containerPort: {{ .Values.cluster_shield.monitoring_port }}
 protocol: TCP
- {{- if .Values.cluster_shield.features.audit.enabled }}
- - name: audit
- containerPort: {{ include "cluster-shield.admissionControllerAuditPort" . }}
+ {{- if .Values.cluster_shield.features.admission_control.enabled }}
+ - name: admission
+ containerPort: {{ .Values.cluster_shield.features.admission_control.http_port }}
 protocol: TCP
 {{- end }}
- {{- if .Values.cluster_shield.features.admission_control.enabled }}
- - name: posture-ac
- containerPort: {{ include "cluster-shield.admissionControlPort" . }}
+ {{- if .Values.cluster_shield.features.audit.enabled }}
+ - name: audit
+ containerPort: {{ .Values.cluster_shield.features.audit.http_port }}
 protocol: TCP
 {{- end }}
 livenessProbe:
 httpGet:
 path: /healthz
- port: http
+ port: monitoring
 {{- if and (.Values.probes) (.Values.probes.liveness) }}
 initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
 periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
@@ -75,7 +75,7 @@ spec:
 readinessProbe:
 httpGet:
 path: /healthz
- port: http
+ port: monitoring
 {{- if and (.Values.probes) (.Values.probes.readiness) }}
 initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
 periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
diff --git a/charts/cluster-shield/templates/service.yaml b/charts/cluster-shield/templates/service.yaml
index 21deb0973..0e4f3f53e 100644
--- a/charts/cluster-shield/templates/service.yaml
+++ b/charts/cluster-shield/templates/service.yaml
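Review bot: The monitoring container port loses its `| default 8080` fallback in this hunk (`containerPort: {{ .Values.cluster_shield.monitoring_port }}`), so a user who overrides `cluster_shield.monitoring_port` with an empty value now gets an empty `containerPort:` in the rendered Deployment, and both probes then point at a named port `monitoring` that the API server will reject at apply time rather than at render time. The two feature ports are protected because `values.schema.json` marks their `http_port` as required in this same commit, but the schema hunks here do not touch `monitoring_port`, so unless it is already required elsewhere in the schema the safer form is `containerPort: {{ required "cluster_shield.monitoring_port must be set" .Values.cluster_shield.monitoring_port }}`, which fails `helm template`/`helm install` with a clear message. The `serviceMonitoringPort` helper in `_helpers.tpl` falls back to this same value, so the Service would inherit the same empty port.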
@@ -8,21 +8,21 @@ metadata:
 spec:
 type: {{ .Values.service.type }}
 ports:
- - port: {{ .Values.service.port }}
- targetPort: http
+ - port: {{ include "cluster-shield.serviceMonitoringPort" . }}
+ targetPort: monitoring
 protocol: TCP
- name: http
+ name: monitoring
+ {{- if and .Values.cluster_shield.features.admission_control.enabled }}
+ - port: {{ include "cluster-shield.serviceAdmissionControlPort" . }}
+ targetPort: admission
+ protocol: TCP
+ name: admission
+ {{- end }}
 {{- if .Values.cluster_shield.features.audit.enabled }}
- - port: {{ include "cluster-shield.admissionControllerAuditPort" . }}
+ - port: {{ include "cluster-shield.serviceAuditPort" . }}
 targetPort: audit
 protocol: TCP
 name: audit
 {{- end }}
- {{- if and .Values.cluster_shield.features.admission_control.enabled }}
- - port: {{ include "cluster-shield.admissionControlPort" . }}
- targetPort: posture-ac
- protocol: TCP
- name: posture-ac
- {{- end }}
 selector:
 {{- include "cluster-shield.selectorLabels" . | nindent 4 }}
diff --git a/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml b/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
index 18da0c6cb..0e618760b 100644
--- a/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
+++ b/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
@@ -36,7 +36,7 @@ webhooks:
 namespace: {{ .Release.Namespace }}
 name: {{ include "cluster-shield.fullname" . }}
 path: /k8s-audit
- port: {{ include "cluster-shield.admissionControllerAuditPort" . }}
+ port: {{ include "cluster-shield.serviceAuditPort" . }}
 caBundle: {{ $certList._2 }}
 admissionReviewVersions: ["v1", "v1beta1"]
 sideEffects: None
</gr_insert_placeholder_never_emitted>
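Review bot: The re-added admission-control guard in `service.yaml` keeps the single-argument `{{- if and .Values.cluster_shield.features.admission_control.enabled }}`, where `and` with one operand is a no-op that reads as if a second condition were missing; the audit guard a few lines below is written as a plain `{{- if .Values.cluster_shield.features.audit.enabled }}`. Since this block is new on the `+` side, it is a good moment to make the two consistent: `{{- if .Values.cluster_shield.features.admission_control.enabled }}`. The same single-argument `and` is removed on the `-` side of this hunk, so nothing else in the template depends on it.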
@@ -71,7 +71,7 @@ webhooks: namespace: {{ .Release.Namespace }} name: {{ include "cluster-shield.fullname" . }} path: /validate - port: {{ include "cluster-shield.admissionControlPort" . }} + port: {{ include "cluster-shield.serviceAdmissionControlPort" . }} caBundle: {{ $certList._2 }} admissionReviewVersions: [ "v1", "v1beta1" ] sideEffects: None diff --git a/charts/cluster-shield/tests/deployment_test.yaml b/charts/cluster-shield/tests/deployment_test.yaml index 014945be2..068ea03d9 100644 --- a/charts/cluster-shield/tests/deployment_test.yaml +++ b/charts/cluster-shield/tests/deployment_test.yaml @@ -26,6 +26,7 @@ tests: - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].securityContext.privileged value: true + - it: Test run-all mode set: run_command: "run-all" @@ -66,6 +67,7 @@ tests: - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].env[?(@.name == "SYSDIG_CLUSTER_SHIELD_SYSDIG_ENDPOINT__ACCESS_KEY")].valueFrom.secretKeyRef.key value: access-key + - it: Test env var is set when secureAPITokenSecret provided set: global: @@ -98,13 +100,14 @@ tests: value: /healthz - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.httpGet.port - value: http + value: monitoring - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.initialDelaySeconds value: 10 - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.periodSeconds value: 5 + - it: Test readinessProbe custom values set: probes: 
@@ -117,13 +120,14 @@ tests: value: /healthz - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.httpGet.port - value: http + value: monitoring - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.initialDelaySeconds value: 20 - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.periodSeconds value: 10 + - it: Test livenessProbe default values asserts: - equal: @@ -131,13 +135,14 @@ tests: value: /healthz - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.httpGet.port - value: http + value: monitoring - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.initialDelaySeconds value: 5 - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.periodSeconds value: 5 + - it: Test livenessProbe custom values set: probes: 
@@ -150,10 +155,63 @@ tests: value: /healthz - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.httpGet.port - value: http + value: monitoring - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.initialDelaySeconds value: 20 - equal: path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.periodSeconds value: 10 + + - it: Test default container ports + set: + cluster_shield: + features: + audit: + enabled: true + admission_control: + enabled: true + asserts: + - isNotNull: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")] + - equal: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")].containerPort + value: 8080 + - isNotNull: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")] + - equal: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")].containerPort + value: 6443 + - isNotNull: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")] + - equal: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")].containerPort + value: 8443 + + - it: Test custom container ports + set: + cluster_shield: + monitoring_port: 1234 + features: + audit: + enabled: true + http_port: 5678 + admission_control: + enabled: true + http_port: 9876 + asserts: + - isNotNull: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")] + - equal: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")].containerPort + value: 1234 + - isNotNull: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")] + - equal: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name 
== "audit")].containerPort + value: 5678 + - isNotNull: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")] + - equal: + path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")].containerPort + value: 9876 diff --git a/charts/cluster-shield/tests/service_test.yaml b/charts/cluster-shield/tests/service_test.yaml index 2bbb37ff6..a8dea14de 100644 --- a/charts/cluster-shield/tests/service_test.yaml +++ b/charts/cluster-shield/tests/service_test.yaml @@ -7,7 +7,7 @@ release: name: shield-release namespace: shield-namespace tests: - - it: Contains a Service resource + - it: Without any features enabled [default values] asserts: - isKind: of: Service 
@@ -18,20 +18,77 @@ tests: path: metadata.namespace value: shield-namespace - isNotNull: - path: .spec.ports[?(@.name == "http")] + path: .spec.ports[?(@.name == "monitoring")] - equal: - path: spec.ports[?(@.name == "http")].port + path: spec.ports[?(@.name == "monitoring")].port value: 8080 - equal: - path: spec.ports[?(@.name == "http")].protocol + path: spec.ports[?(@.name == "monitoring")].protocol value: TCP - equal: - path: spec.ports[?(@.name == "http")].targetPort - value: http + path: spec.ports[?(@.name == "monitoring")].targetPort + value: monitoring - lengthEqual: path: spec.ports count: 1 - - it: Enable Audit Feature + + - it: Without any features enabled [custom service monitoring port] + set: + service: + monitoring_port: 1234 + asserts: + - isKind: + of: Service + - equal: + path: metadata.name + value: shield-release-cluster-shield + - equal: + path: metadata.namespace + value: shield-namespace + - isNotNull: + path: .spec.ports[?(@.name == "monitoring")] + - equal: + path: spec.ports[?(@.name == "monitoring")].port + value: 1234 + - equal: + path: spec.ports[?(@.name == "monitoring")].protocol + value: TCP + - equal: + path: spec.ports[?(@.name == "monitoring")].targetPort + value: monitoring + - lengthEqual: + path: spec.ports + count: 1 + + - it: Without any features enabled [custom pod monitoring port] + set: + cluster_shield: + monitoring_port: 1234 + asserts: + - isKind: + of: Service + - equal: + path: metadata.name + value: shield-release-cluster-shield + - equal: + path: metadata.namespace + value: shield-namespace + - isNotNull: + path: .spec.ports[?(@.name == "monitoring")] + - equal: + path: spec.ports[?(@.name == "monitoring")].port + value: 1234 + - equal: + path: spec.ports[?(@.name == "monitoring")].protocol + value: TCP + - equal: + path: spec.ports[?(@.name == "monitoring")].targetPort + value: monitoring + - lengthEqual: + path: spec.ports + count: 1 + + - it: Enable Audit Feature [default values] set: cluster_shield: features: 
@@ -54,7 +111,59 @@ tests: - lengthEqual: path: spec.ports count: 2 - - it: Enable Admission Control Feature + + - it: Enable Audit Feature [custom service audit port] + set: + cluster_shield: + features: + audit: + enabled: true + service: + audit_port: 1234 + asserts: + - isKind: + of: Service + - isNotNull: + path: .spec.ports[?(@.name == "audit")] + - equal: + path: spec.ports[?(@.name == "audit")].port + value: 1234 + - equal: + path: spec.ports[?(@.name == "audit")].protocol + value: TCP + - equal: + path: spec.ports[?(@.name == "audit")].targetPort + value: audit + - lengthEqual: + path: spec.ports + count: 2 + + - it: Enable Audit Feature [custom pod audit port] + set: + cluster_shield: + features: + audit: + enabled: true + http_port: 1234 + asserts: + - isKind: + of: Service + - isNotNull: + path: .spec.ports[?(@.name == "audit")] + - equal: + path: spec.ports[?(@.name == "audit")].port + value: 1234 + - equal: + path: spec.ports[?(@.name == "audit")].protocol + value: TCP + - equal: + path: spec.ports[?(@.name == "audit")].targetPort + value: audit + - lengthEqual: + path: spec.ports + count: 2 + + - it: Enable Admission Control Feature [default values] set: cluster_shield: features: 
@@ -64,19 +173,71 @@ tests: - isKind: of: Service - isNotNull: - path: .spec.ports[?(@.name == "posture-ac")] + path: .spec.ports[?(@.name == "admission")] - equal: - path: spec.ports[?(@.name == "posture-ac")].port + path: spec.ports[?(@.name == "admission")].port value: 8443 - equal: - path: spec.ports[?(@.name == "posture-ac")].protocol + path: spec.ports[?(@.name == "admission")].protocol + value: TCP + - equal: + path: spec.ports[?(@.name == "admission")].targetPort + value: admission + - lengthEqual: + path: spec.ports + count: 2 + + - it: Enable Admission Control Feature [custom service admission_control port] + set: + cluster_shield: + features: + admission_control: + enabled: true + service: + admission_control_port: 5678 + asserts: + - isKind: + of: Service + - isNotNull: + path: .spec.ports[?(@.name == "admission")] + - equal: + path: spec.ports[?(@.name == "admission")].port + value: 5678 + - equal: + path: spec.ports[?(@.name == "admission")].protocol + value: TCP + - equal: + path: spec.ports[?(@.name == "admission")].targetPort + value: admission + - lengthEqual: + path: spec.ports + count: 2 + + - it: Enable Admission Control Feature [custom pod admission_control port] + set: + cluster_shield: + features: + admission_control: + enabled: true + http_port: 5678 + asserts: + - isKind: + of: Service + - isNotNull: + path: .spec.ports[?(@.name == "admission")] + - equal: + path: spec.ports[?(@.name == "admission")].port + value: 5678 + - equal: + path: spec.ports[?(@.name == "admission")].protocol value: TCP - equal: - path: spec.ports[?(@.name == "posture-ac")].targetPort - value: posture-ac + path: spec.ports[?(@.name == "admission")].targetPort + value: admission - lengthEqual: path: spec.ports count: 2 + - it: Enable All Features set: cluster_shield: 
@@ -92,8 +253,8 @@ tests: path: spec.ports count: 3 - isNotNull: - path: .spec.ports[?(@.name == "http")] + path: .spec.ports[?(@.name == "monitoring")] - isNotNull: path: .spec.ports[?(@.name == "audit")] - isNotNull: - path: .spec.ports[?(@.name == "posture-ac")] + path: .spec.ports[?(@.name == "admission")] diff --git a/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml b/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml new file mode 100644 index 000000000..7e294edf8 --- /dev/null +++ b/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml 
@@ -0,0 +1,282 @@ +suite: Test ValidatingWebhookConfiguration +templates: + - templates/validatingwebhookconfiguration.yaml +values: + - ../ci/base-values.yaml +release: + name: shield-release + namespace: shield-namespace +tests: + - it: Doesn't create a ValidatingWebhookConfiguration resource when admission control and audit features are disabled + set: + cluster_shield: + features: + admission_control: + enabled: false + audit: + enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: Creates a ValidatingWebhookConfiguration resource when admission control feature is enabled + set: + cluster_shield: + features: + admission_control: + enabled: true + audit: + enabled: false + documentIndex: 0 + asserts: + - hasDocuments: + count: 2 + - isNotNull: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")] + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].failurePolicy + value: "Ignore" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].timeoutSeconds + value: 5 + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.path + value: "/validate" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port + value: 8443 + + - it: Creates a ValidatingWebhookConfiguration resource when admission control feature is enabled with deny_on_error + set: + cluster_shield: + features: + admission_control: + enabled: true + deny_on_error: true + audit: + enabled: false + documentIndex: 0 + asserts: + - hasDocuments: + count: 2 + - isNotNull: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")] + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].failurePolicy + value: "Fail" + - equal: + path: 
.webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.path + value: "/validate" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port + value: 8443 + + - it: Creates a ValidatingWebhookConfiguration resource when audit feature is enabled + set: + cluster_shield: + features: + admission_control: + enabled: false + audit: + enabled: true + documentIndex: 0 + asserts: + - hasDocuments: + count: 2 + - isNotNull: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")] + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.path + value: "/k8s-audit" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.port + value: 6443 + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].failurePolicy + value: "Ignore" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].timeoutSeconds + value: 5 + + - it: Creates a ValidatingWebhookConfiguration resource when admission control and audit features are enabled with custom timeouts + set: + cluster_shield: + features: + admission_control: + enabled: true + timeout: 10 + audit: + enabled: true + timeout: 20 + documentIndex: 0 + asserts: + - hasDocuments: + count: 2 + - isNotNull: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")] + - isNotNull: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")] + - equal: + path: .webhooks[?(@.name == 
"vac.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.path + value: "/validate" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port + value: 8443 + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].timeoutSeconds + value: 10 + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].failurePolicy + value: "Ignore" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.path + value: "/k8s-audit" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.port + value: 6443 + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].timeoutSeconds + value: 20 + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].failurePolicy + value: "Ignore" + + - it: Creates a ValidatingWebhookConfiguration resource when admission control and audit features are enabled using custom service ports + set: + cluster_shield: + features: + admission_control: + enabled: true + audit: + enabled: true + service: + admission_control_port: 1234 + audit_port: 5678 + documentIndex: 0 + asserts: + - hasDocuments: + count: 2 + - isNotNull: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")] + - isNotNull: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")] + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == 
"vac.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.path + value: "/validate" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port + value: 1234 + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.path + value: "/k8s-audit" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.port + value: 5678 + + - it: Creates a ValidatingWebhookConfiguration resource when admission control and audit features are enabled using custom pod ports + set: + cluster_shield: + features: + admission_control: + enabled: true + http_port: 1234 + audit: + enabled: true + http_port: 5678 + documentIndex: 0 + asserts: + - hasDocuments: + count: 2 + - isNotNull: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")] + - isNotNull: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")] + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.name + value: "shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.path + value: "/validate" + - equal: + path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port + value: 1234 + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.namespace + value: "shield-namespace" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.name + value: 
"shield-release-cluster-shield" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.path + value: "/k8s-audit" + - equal: + path: .webhooks[?(@.name == "audit.secure.sysdig.com")].clientConfig.service.port + value: 5678 + + - it: Creates a Valid secret for certificates + set: + cluster_shield: + features: + admission_control: + enabled: true + audit: + enabled: true + documentIndex: 1 + asserts: + - hasDocuments: + count: 2 + - containsDocument: + kind: Secret + apiVersion: v1 + name: sysdig-cluster-shield-tls-certs + - isNotNull: + path: data["tls.crt"] + - isNotNull: + path: data["tls.key"] + - isNotNull: + path: data["ca.crt"] diff --git a/charts/cluster-shield/values.schema.json b/charts/cluster-shield/values.schema.json index 0c4dd0611..786a596b9 100644 --- a/charts/cluster-shield/values.schema.json +++ b/charts/cluster-shield/values.schema.json @@ -452,6 +452,13 @@ "description": "Specify if the audit feature is enabled", "default": false }, + "http_port": { + "type": "integer", + "default": 6443, + "minimum": 1, + "maximum": 65535, + "description": "HTTP Server port used to expose the webhook web server." + }, "timeout": { "type": "integer", "description": "The number of seconds for the request to time out", @@ -460,6 +467,7 @@ }, "required": [ "enabled", + "http_port", "timeout" ], "additionalProperties": false, @@ -912,6 +920,13 @@ "container_vulnerability_management": { "$ref": "#/$defs/ClusterShieldConfiguration/$defs/AdmissionControlContainerVulnerabilityManagement" }, + "http_port": { + "type": "integer", + "default": 8443, + "minimum": 1, + "maximum": 65535, + "description": "HTTP Server port used to expose the webhook web server." + }, "timeout": { "type": "integer", "description": "The number of seconds for the request to time out", @@ -920,7 +935,8 @@ }, "required": [ "enabled", - "deny_on_error" + "deny_on_error", + "http_port" ], "$defs": { "IsEnabled": { 
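Review bot: None of the new `validatingwebhookconfiguration_test.yaml` cases assert `clientConfig.caBundle` on either webhook, even though the `Creates a Valid secret for certificates` case does check that the generated Secret carries `ca.crt`; the template sets `caBundle: {{ $certList._2 }}`, so a regression that rendered an empty or missing bundle would pass this suite, and in the default `failurePolicy: "Ignore"` configuration asserted here the API server would then skip the webhook rather than surface the TLS failure. Add `- isNotNull: path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.caBundle` (and the `audit.secure.sysdig.com` counterpart) to each case that expects the webhook to exist. Asserting that `.webhooks` has exactly the expected length in the single-feature cases would likewise catch the other webhook leaking in when its feature is disabled.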
diff --git a/charts/cluster-shield/values.yaml b/charts/cluster-shield/values.yaml
index 69c221761..542af268e 100644
--- a/charts/cluster-shield/values.yaml
+++ b/charts/cluster-shield/values.yaml
@@ -60,10 +60,12 @@ cluster_shield:
 deny_on_error: false
 dry_run: true
 timeout: 5
+ http_port: 8443
 container_vulnerability_management:
 enabled: false
 audit:
 enabled: false
+ http_port: 6443
 timeout: 5
 posture:
 enabled: false
@@ -125,7 +127,9 @@ podAnnotations: {}
 podLabels: {}
 service:
 type: ClusterIP
- port: 8080
+ monitoring_port:
+ admission_control_port:
+ audit_port:
 serviceAccount:
 labels: {}
 annotations: {}
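Review bot: The `service` block replaces `port` with three new keys (`monitoring_port`, `admission_control_port`, `audit_port`), but the `values.schema.json` hunks in this commit only touch the `cluster_shield` feature blocks, so the `service` object in the schema is not updated to describe them; if that object is declared with `additionalProperties: false` the new keys are rejected at install time, and if it is not, they are accepted without the `integer`/`minimum: 1`/`maximum: 65535` bounds that the new `http_port` entries get. Either way the schema should gain the three keys with the same type and range constraints as `http_port`, and drop the now-unused `port`. The README table in this commit already documents the new keys with empty defaults, matching the null values here.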