Merge pull request #111 from dwertent/dev

Dev

Author: David Wertenteil

README.md

@@ -69,11 +69,6 @@ helm upgrade --install armo  armo/armo-cluster-components -n armo-system --creat
 | armoNotificationService.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoNotificationService.volumes | object | `[]` | Additional volumes for the notification service |
 | armoNotificationService.volumeMounts | object | `[]` | Additional volumeMounts for the notification service |
-| armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob |
-| armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl |
-| armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
-| armoScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
-| armoScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoVulnScanner.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning |
 | armoVulnScanner.image.repository | string | `"quay.io/kubescape/kubevuln"` | [source code](https://github.com/kubescape/kubevuln) |

charts/armo-components/assets/armo-kubescape-cronjob-full.yaml

@@ -8,7 +8,7 @@ apiVersion: batch/v1
         tier: {{ .Values.global.namespaceTier}}
         armo.tier: "kubescape-scan"
     spec:
-      schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"
+      schedule: "{{ .Values.armoKubescapeScanScheduler.scanSchedule }}"
       jobTemplate:
         spec:
           template:

charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml

@@ -8,7 +8,7 @@ apiVersion: batch/v1
         tier: {{ .Values.global.namespaceTier}}
         armo.tier: "vuln-scan"
     spec:
-      schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"
+      schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}"
       jobTemplate:
         spec:
           template:

charts/armo-components/templates/armo-collector-statefulset.yaml

@@ -35,21 +35,21 @@ spec:
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
-      # initContainers:
-      # - image: bitnami/kubectl:1.24
-      #   name: disconnect-handle
-      #   command: 
-      #   - bash
-      #   args:
-      #   - -c
-      #   - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done 
-      #   resources:
-      #     limits:
-      #       cpu: 10m
-      #       memory: 40Mi
-      #     requests:
-      #       cpu: 10m
-      #       memory: 40Mi
+      initContainers:
+      - image: quay.io/armosec/kubectl
+        name: disconnect-handle
+        command: 
+        - bash
+        args:
+        - -c
+        - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done 
+        resources:
+          limits:
+            cpu: 10m
+            memory: 40Mi
+          requests:
+            cpu: 10m
+            memory: 40Mi
       containers:
         - name: {{ .Values.armoCollector.name }}
           image: "{{ .Values.armoCollector.image.repository }}:{{ .Values.armoCollector.image.tag }}"

charts/armo-components/templates/armo-kubescape-configmap.yaml

@@ -10,7 +10,6 @@ metadata:
     app: {{ .Values.armoKubescape.name }}-config
     tier: {{ .Values.global.namespaceTier }}  
 data:
-  clusterName: {{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower  }}  # deprecate
   config.json: |
     {
       "accountID": "{{ .Values.accountGuid }}",

charts/armo-components/templates/armo-scanScheduler-configmap.yaml

@@ -0,0 +1,13 @@
+{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.submit }}
+kind: ConfigMap 
+apiVersion: v1 
+metadata:
+  name: {{ .Values.armoVulnScanScheduler.name }}
+  namespace: {{ .Values.armoNameSpace }}
+  labels:
+    app: {{ .Values.armoVulnScanScheduler.name }}
+    tier: {{ .Values.global.namespaceTier }}
+data:
+  request-body.json: |-
+    {"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}
+{{- end }}

charts/armo-components/templates/armo-scanScheduler-cronjob.yaml

@@ -0,0 +1,58 @@
+{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.submit }}
+{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
+apiVersion: batch/v1
+{{- else }}
+apiVersion: batch/v1beta1
+{{- end }}
+kind: CronJob
+metadata:
+  name: {{ .Values.armoVulnScanScheduler.name }}
+  namespace: {{ .Values.armoNameSpace }}
+  labels:
+    app: {{ .Values.armoVulnScanScheduler.name }}
+    tier: {{ .Values.global.namespaceTier}}
+    armo.tier: "kubescape-scan"
+spec:
+  schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            armo.tier: "kubescape-scan"
+        spec:
+          containers:
+          - name: {{ .Values.armoVulnScanScheduler.name }}
+            image: "{{ .Values.armoVulnScanScheduler.image.repository }}:{{ .Values.armoVulnScanScheduler.image.tag }}"
+            imagePullPolicy: {{ .Values.armoVulnScanScheduler.image.pullPolicy }}
+            args: 
+              - -method=post
+              - -scheme=http
+              - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
+              - -path=v1/triggerAction
+              - -headers="Content-Type:application/json"
+              - -path-body=/home/ks/request-body.json
+            volumeMounts:
+              - name: {{ .Values.armoVulnScanScheduler.name }}
+                mountPath: /home/ks/request-body.json
+                subPath: request-body.json
+                readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 14 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoVulnScanScheduler.volumeMounts | indent 14 }}
+{{- end }}
+          restartPolicy: Never
+          automountServiceAccountToken: false
+          volumes:
+          - name: {{ .Values.armoVulnScanScheduler.name }}
+            configMap:
+              name: {{ .Values.armoVulnScanScheduler.name }}
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 10 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumes }}
+{{ toYaml .Values.armoVulnScanScheduler.volumes | indent 10 }}
+{{- end }}
+{{- end }}

charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml

@@ -72,42 +72,6 @@ global:
   armoServiceAccountName: armo-scanner-service-account
   armoKubescapeServiceAccountName: armo-kubescape-service-account
 
-# image vulnerability scheduled scan using a CronJob
-armoScanScheduler:
-
-  # -- enable/disable image vulnerability a schedule scan using a CronJob
-  enabled: true
-
-  # scan scheduler container name
-  name: armo-scan-scheduler
-
-          # Frequency of running the scan
-          #     ┌───────────── minute (0 - 59)
-          #     │ ┌───────────── hour (0 - 23)
-          #     │ │ ┌───────────── day of the month (1 - 31)
-          #     │ │ │ ┌───────────── month (1 - 12)
-          #     │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
-          #     │ │ │ │ │                         7 is also Sunday on some systems)
-          #     │ │ │ │ │
-          #     │ │ │ │ │
-          #     * * * * *
-  # -- scan schedule frequency
-  scanSchedule: "0 0 * * *"
-  
-  image:
-    # -- image: curlimages/curl
-    repository: curlimages/curl
-    tag: latest
-    pullPolicy: IfNotPresent
-
-  replicaCount: 1
-
-  # Additional volumes to be mounted on the scan scheduler
-  volumes: []
-
-  # Additional volumeMounts to be mounted on the scan scheduler
-  volumeMounts: []
-
 # kubescape scheduled scan using a CronJob
 armoKubescapeScanScheduler: