ROX-30729: Add Fact behind a feature flag

FACT_VERSION

@@ -0,0 +1 @@
+4345fc0

Makefile

@@ -762,6 +762,10 @@ ossls-notice: deps
 collector-tag:
 	@echo "$$(cat COLLECTOR_VERSION)"
 
+.PHONY: fact-tag
+fact-tag:
+	@echo "$$(cat FACT_VERSION)"
+
 .PHONY: scanner-tag
 scanner-tag:
 	@echo "$$(cat SCANNER_VERSION)"

image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml

@@ -62,6 +62,13 @@ image:
     name: null # string
     tag: null # string
     fullRef: null # string
+  fact:
+    registry: null # string
+    name: null # string
+    repository: null # string
+    tag: null # string
+    fullRef: null # string
+    pullPolicy: null # string
 env:
   grpcEnforceALPN: null # bool
   openshift: null # bool | int
@@ -142,6 +149,8 @@ collector:
     enabled: null # bool
   runtimeConfig:
     enabled: null # bool
+fact:
+  resources: null # string | dict
 auditLogs:
   disableCollection: null # bool
 customize:

image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl

@@ -115,6 +115,8 @@ collector:
     enabled: true
   [<- end >]
 
+fact:
+
 auditLogs:
   disableCollection: {{ ne ._rox.env.openshift 4 }}
 

image/templates/helm/stackrox-secured-cluster/internal/defaults/40-resources.yaml

@@ -42,3 +42,12 @@ collector:
     limits:
       memory: "500Mi"
       cpu: "1"
+
+fact:
+  resources:
+    requests:
+      memory: "320Mi"
+      cpu: "50m"
+    limits:
+      memory: "1Gi"
+      cpu: "750m"

image/templates/helm/stackrox-secured-cluster/internal/defaults/50-images.yaml.htpl

@@ -96,6 +96,8 @@ image:
     fullRef: "{{ printf "%s:%s" ._rox.image.scannerV4.repository ._rox.image.scannerV4.tag }}"
   scannerV4DB:
     fullRef: "{{ printf "%s:%s" ._rox.image.scannerV4DB.repository ._rox.image.scannerV4DB.tag }}"
+  fact:
+    fullRef: "{{ printf "%s:%s" ._rox.image.fact.repository ._rox.image.fact.tag }}"
   [<- end >]
 collector:
   imagePullPolicy: {{ ._rox.image.collector.pullPolicy }}
@@ -104,3 +106,5 @@ sensor:
   imagePullPolicy: {{ ._rox.image.main.pullPolicy }}
 admissionControl:
   imagePullPolicy: {{ ._rox.image.main.pullPolicy }}
+fact:
+  imagePullPolicy: {{ ._rox.image.fact.pullPolicy }}

image/templates/helm/stackrox-secured-cluster/templates/collector.yaml.htpl

@@ -127,6 +127,39 @@ spec:
         - mountPath: /var/profiles
           name: collector-profiles
       {{- end }}
+
+      [<- if .FeatureFlags.ROX_SFA_ENABLED >]
+      - name: fact
+        image: {{ quote ._rox.image.fact.fullRef }}
+        imagePullPolicy: {{ ._rox.fact.imagePullPolicy }}
+        {{- if ._rox.fact.exposeMonitoring }}
+        ports:
+          - containerPort: 9090
+            name: monitoring
+        {{- end }}
+        command: ["/usr/local/bin/fact", "--skip-pre-flight"]
+        env:
+        - name: FACT_LOGLEVEL
+          value: 'debug'
+        {{- include "srox.envVars" (list . "daemonset" "fact" "fact") | nindent 8 }}
+        resources:
+          {{- ._rox.fact._resources | nindent 10 }}
+        securityContext:
+          capabilities:
+            drop:
+            - NET_RAW
+          privileged: true
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /sys
+          name: sys-ro
+          readOnly: true
+          mountPropagation: HostToContainer
+        - mountPath: /run/secrets/stackrox.io/certs/
+          name: certs
+          readOnly: true
+      [<- end >]
+
       - command:
         - stackrox/compliance
         env:

operator/api/v1alpha1/securedcluster_types.go

@@ -226,6 +226,10 @@ type PerNodeSpec struct {
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=3,displayName="Node Scanning Settings"
 	NodeInventory *ContainerSpec `json:"nodeInventory,omitempty"`
 
+	// Settings for the SFA container, which is responsible for file activity monitoring on the Node.
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,order=3,displayName="SFA"
+	SFA *ContainerSpec `json:"fact,omitempty"`
+
 	// To ensure comprehensive monitoring of your cluster activity, Red Hat Advanced Cluster Security
 	// will run services on every node in the cluster, including tainted nodes by default. If you do
 	// not want this behavior, please select 'AvoidTaints' here.

operator/config/crd/bases/platform.stackrox.io_securedclusters.yaml

@@ -693,6 +693,72 @@ spec:
                             type: object
                         type: object
                     type: object
+                  fact:
+                    description: Settings for the SFA container, which is responsible
+                      for file activity monitoring on the Node.
+                    properties:
+                      resources:
+                        description: |-
+                          Allows overriding the default resource settings for this component. Please consult the documentation
+                          for an overview of default resource requirements and a sizing guide.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This is an alpha field and requires enabling the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                    type: object
                   hostAliases:
                     description: HostAliases allows configuring additional hostnames
                       to resolve in the pod's hosts file.

operator/internal/images/env.go

@@ -13,4 +13,5 @@ var (
 	Collector     = env.RegisterSetting("RELATED_IMAGE_COLLECTOR")
 	ScannerV4DB   = env.RegisterSetting("RELATED_IMAGE_SCANNER_V4_DB")
 	ScannerV4     = env.RegisterSetting("RELATED_IMAGE_SCANNER_V4")
+	Fact          = env.RegisterSetting("RELATED_IMAGE_FACT")
 )

operator/internal/securedcluster/values/translation/image_overrides.go

@@ -10,5 +10,6 @@ var (
 		images.ScannerSlimDB: "image.scannerDb.fullRef",
 		images.ScannerV4DB:   "image.scannerV4DB.fullRef",
 		images.ScannerV4:     "image.scannerV4.fullRef",
+		images.Fact:          "image.fact.fullRef",
 	}
 )

operator/internal/securedcluster/values/translation/translation.go

@@ -379,6 +379,7 @@ func (t Translator) getCollectorValues(perNode *platform.PerNodeSpec) *translati
 	cv.AddAllFrom(t.getCollectorContainerValues(perNode.Collector))
 	cv.AddAllFrom(t.getComplianceContainerValues(perNode.Compliance))
 	cv.AddAllFrom(t.getNodeInventoryContainerValues(perNode.NodeInventory))
+	cv.AddAllFrom(t.getSFAContainerValues(perNode.SFA))
 
 	return &cv
 }
@@ -434,6 +435,17 @@ func (t Translator) getNodeInventoryContainerValues(nodeInventory *platform.Cont
 	return &cv
 }
 
+func (t Translator) getSFAContainerValues(sfaContainerSpec *platform.ContainerSpec) *translation.ValuesBuilder {
+	if sfaContainerSpec == nil {
+		return nil
+	}
+
+	cv := translation.NewValuesBuilder()
+	cv.AddChild(translation.ResourcesKey, translation.GetResources(sfaContainerSpec.Resources))
+
+	return &cv
+}
+
 func (t Translator) getLocalScannerComponentValues(securedCluster platform.SecuredCluster, config scanner.AutoSenseResult) *translation.ValuesBuilder {
 	sv := translation.NewValuesBuilder()
 	s := securedCluster.Spec.Scanner

pkg/features/list.go

@@ -169,4 +169,7 @@ var (
 	ScannerV4MavenSearch = registerFeature("Enables Scanner V4 to reach out to ROX_SCANNER_V4_MAVEN_SEARCH_URL for additional information about Java packages", "ROX_SCANNER_V4_MAVEN_SEARCH")
 
 	VirtualMachines = registerFeature("Enables virtual machine management", "ROX_VIRTUAL_MACHINES")
+
+	// SFA enables monitoring of sensitive files.
+	SensitiveFileActivity = registerFeature("Enable sensitive file monitoring", "ROX_SFA_ENABLED", enabled)
 )

pkg/images/defaults/flavor.go

@@ -79,6 +79,10 @@ type ImageFlavor struct {
 	CollectorImageName string
 	CollectorImageTag  string
 
+	FactRegistry  string
+	FactImageName string
+	FactImageTag  string
+
 	// ScannerImageTag is used for all scanner* images (scanner, scanner-db, scanner-slim and scanner-db-slim)
 	ScannerImageTag        string
 	ScannerImageName       string
@@ -115,6 +119,10 @@ func DevelopmentBuildImageFlavor() ImageFlavor {
 		CollectorImageName: "collector",
 		CollectorImageTag:  collectorTag,
 
+		FactRegistry:  "quay.io/rhacs-eng",
+		FactImageName: "fact",
+		FactImageTag:  v.FactVersion,
+
 		ScannerImageName:       "scanner",
 		ScannerSlimImageName:   "scanner-slim",
 		ScannerImageTag:        v.ScannerVersion,
@@ -151,6 +159,10 @@ func RHACSReleaseImageFlavor() ImageFlavor {
 		CollectorImageName: "rhacs-collector-rhel8",
 		CollectorImageTag:  v.CollectorVersion,
 
+		FactRegistry:  "registry.redhat.io/advanced-cluster-security",
+		FactImageName: "rhacs-fact-rhel8",
+		FactImageTag:  v.FactVersion,
+
 		ScannerImageName:       "rhacs-scanner-rhel8",
 		ScannerSlimImageName:   "rhacs-scanner-slim-rhel8",
 		ScannerImageTag:        v.ScannerVersion,
@@ -196,6 +208,10 @@ func OpenSourceImageFlavor() ImageFlavor {
 		CollectorImageName: "collector",
 		CollectorImageTag:  collectorTag,
 
+		FactRegistry:  "quay.io/stackrox-io",
+		FactImageName: "fact",
+		FactImageTag:  v.FactVersion,
+
 		ScannerImageName:       "scanner",
 		ScannerSlimImageName:   "scanner-slim",
 		ScannerImageTag:        v.ScannerVersion,

pkg/version/internal/version_data.go

@@ -5,6 +5,8 @@ var (
 	MainVersion string //XDef:STABLE_MAIN_VERSION
 	// CollectorVersion is the collector version to be used by default.
 	CollectorVersion string //XDef:STABLE_COLLECTOR_VERSION
+	// FactVersion is the fact version to be used by default.
+	FactVersion string //XDef:STABLE_FACT_VERSION
 	// ScannerVersion is the scanner version to be used with this Rox version.
 	ScannerVersion string //XDef:STABLE_SCANNER_VERSION
 	// GitShortSha is the (short) Git SHA that was built.

pkg/version/version.go

@@ -38,6 +38,7 @@ type Versions struct {
 	// Please do not depend on it. Rely on internal.CollectorVersion if you need the value from the COLLECTOR_VERSION file,
 	// or rely on defaults.ImageFlavor if you need a default collector image tag.
 	CollectorVersion string `json:"CollectorVersion"`
+	FactVersion      string `json:"FactVersion"`
 	GitCommit        string `json:"GitCommit"`
 	GoVersion        string `json:"GoVersion"`
 	MainVersion      string `json:"MainVersion"`

status.sh

@@ -3,5 +3,6 @@
 # Note: This requires .git directory in the build context (e.g. builder container)
 echo "STABLE_MAIN_VERSION $(make --quiet --no-print-directory tag)"
 echo "STABLE_COLLECTOR_VERSION $(make --quiet --no-print-directory collector-tag)"
+echo "STABLE_FACT_VERSION $(make --quiet --no-print-directory fact-tag)"
 echo "STABLE_SCANNER_VERSION $(make --quiet --no-print-directory scanner-tag)"
 echo "STABLE_GIT_SHORT_SHA $(make --quiet --no-print-directory shortcommit)"