Merge pull request #789 from snyk/feat/cloud-pak-linting

ivanstanev · web-flow · commit 0e4710f979c3 · 2021-06-03T15:29:18.000+01:00
chore: update main README with IBM Cloud Pak suggestions
diff --git a/.dockerignore b/.dockerignore
@@ -46,6 +46,7 @@ opm
 .operator_version
 snyk-monitor-operator-source.yaml
 snyk-monitor-catalog-source.yaml
+scc.txt
 
 # Linting and formatting
 .eslintrc.json
diff --git a/README.md b/README.md
@@ -9,8 +9,17 @@ Container to monitor Kubernetes clusters' security
 
 ## Prerequisites ##
 
-* 50 GB of storage in the form of [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir).
-* External internet access from the Kubernetes cluster.
+* 50 GiB of storage in the form of [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir).
+* External internet access from the Kubernetes cluster, specifically to `kubernetes-upstream.snyk.io`.
+* 1 CPU, 2 GiB RAM
+* 1 Kubernetes worker node of type `linux/amd64` - supported and tested only on the AMD64 CPU architecture
+
+Supported Kubernetes distributions:
+
+* Any Kubernetes Certified distribution, for example: GKE, AKS, EKS, OCP.
+* OCP 4.1+ if running on OpenShift - supported and tested on Generally Available versions
+
+Tested with the following [Security Context Constraint](scc.txt) on OCP.
 
 ## Installing ##
 
@@ -117,6 +126,12 @@ Finally, to launch the Snyk monitor in your cluster, run the following:
 kubectl apply -f snyk-monitor-deployment.yaml
 ```
 
+## Upgrades ##
+
+You can apply the latest version of the YAML installation files to upgrade.
+
+If running with Operator Lifecycle Manager (OLM) then OLM will handle upgrades for you when you request to install the latest version. This applies to OpenShift (OCP) and regular installations of OLM.
+
 ## Setting up proxying ##
 
 Proxying traffic through a forwarding proxy can be achieved by modifying the `snyk-monitor-cluster-permissions.yaml` or `snyk-monitor-namespaced-permissions.yaml` (depending on which one was applied) and setting the following variables in the `ConfigMap`:
diff --git a/scc.txt b/scc.txt
@@ -0,0 +1,36 @@
+# Generated with "oc describe scc restricted"
+
+Name:                                           restricted
+Priority:                                       <none>
+Access:
+  Users:                                        <none>
+  Groups:                                       system:authenticated
+Settings:
+  Allow Privileged:                             false
+  Allow Privilege Escalation:                   true
+  Default Add Capabilities:                     <none>
+  Required Drop Capabilities:                   KILL,MKNOD,SETUID,SETGID
+  Allowed Capabilities:                         <none>
+  Allowed Seccomp Profiles:                     <none>
+  Allowed Volume Types:                         configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
+  Allowed Flexvolumes:                          <all>
+  Allowed Unsafe Sysctls:                       <none>
+  Forbidden Sysctls:                            <none>
+  Allow Host Network:                           false
+  Allow Host Ports:                             false
+  Allow Host PID:                               false
+  Allow Host IPC:                               false
+  Read Only Root Filesystem:                    false
+  Run As User Strategy: MustRunAsRange
+    UID:                                        <none>
+    UID Range Min:                              <none>
+    UID Range Max:                              <none>
+  SELinux Context Strategy: MustRunAs
+    User:                                       <none>
+    Role:                                       <none>
+    Type:                                       <none>
+    Level:                                      <none>
+  FSGroup Strategy: MustRunAs
+    Ranges:                                     <none>
+  Supplemental Groups Strategy: RunAsAny
+    Ranges:                                     <none>
diff --git a/snyk-monitor/README.md b/snyk-monitor/README.md
@@ -98,6 +98,12 @@ helm upgrade --install snyk-monitor snyk-charts/snyk-monitor --namespace snyk-mo
 To better organise the data scanned inside your cluster, the monitor requires a cluster name to be set.
 Replace the value of `clusterName` with the name of your cluster.
 
+## Upgrades ##
+
+You can apply the latest version of the YAML installation files to upgrade.
+
+If running with Operator Lifecycle Manager (OLM) then OLM will handle upgrades for you when you request to install the latest version. This applies to OpenShift (OCP) and regular installations of OLM.
+
 ## Setting up proxying ##
 
 Proxying traffic through a forwarding proxy can be achieved by setting the following values in the Helm chart:
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -106,6 +106,14 @@ spec:
             limits:
               cpu: {{ .Values.limits.cpu }}
               memory: {{ .Values.limits.memory }}
+          livenessProbe:
+            exec:
+              command:
+              - "true"
+          readinessProbe:
+            exec:
+              command:
+              - "true"
           securityContext:
             privileged: false
             runAsNonRoot: true
diff --git a/snyk-monitor/templates/networkpolicy.yaml b/snyk-monitor/templates/networkpolicy.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "snyk-monitor.name" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "snyk-monitor.name" . }}
+    helm.sh/chart: {{ include "snyk-monitor.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "snyk-monitor.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  policyTypes:
+  - Ingress
+  - Egress
+  # Ingress is denied hence there is no "ingress" block.
+  # Egress is allowed for any traffic.
+  egress:
+  - {}
diff --git a/snyk-operator/deploy/olm-catalog/snyk-operator/0.0.0/snyk-operator.v0.0.0.clusterserviceversion.yaml b/snyk-operator/deploy/olm-catalog/snyk-operator/0.0.0/snyk-operator.v0.0.0.clusterserviceversion.yaml
@@ -263,6 +263,14 @@ spec:
                       limits:
                         cpu: "500m"
                         memory: "500Mi"
+                    livenessProbe:
+                      exec:
+                        command:
+                        - "true"
+                    readinessProbe:
+                      exec:
+                        command:
+                        - "true"
                     securityContext:
                       privileged: false
                       runAsNonRoot: true
