
Commit 1e512f9

feat(node-analyzer): bumped host-scanner to 0.7.0 to add container scanning support (#1538)
Co-authored-by: Federico Feresini <[email protected]>
1 parent f4070c7 commit 1e512f9


7 files changed

+100
-5
lines changed


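--- a/charts/node-analyzer/Chart.yaml
+++ b/charts/node-analyzer/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.20.4
+version: 1.21.0
 appVersion: 12.9.0
 keywords:
 - monitoring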

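--- a/charts/node-analyzer/README.md
+++ b/charts/node-analyzer/README.md
@@ -195,7 +195,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
 | `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` |
 | `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` |
 | `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` |
-| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.6.8` |
+| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.7.0` |
 | `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` |
 | `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` |
 | `nodeAnalyzer.hostScanner.http_proxy` | Sets `HTTP_PROXY` on the Host Scanner container. | `""` |
@@ -209,6 +209,9 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
 | `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. | `1Gi` |
 | `nodeAnalyzer.hostScanner.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
 | `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` |
+| `nodeAnalyzer.hostScanner.scanContainers.enabled` | Set to `true` to scan containers | `false` |
+| `nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath` | Specifies the path to docker socket | `unix:///var/run/docker.sock` |
+| `nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath` | Specifies the path to podman socket | `unix:///var/run/podman.sock` |
 | `nodeAnalyzer.runtimeScanner.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | `false` |
 | `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` |
 | `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |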

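--- a/charts/node-analyzer/templates/configmap-host-scanner.yaml
+++ b/charts/node-analyzer/templates/configmap-host-scanner.yaml
@@ -39,4 +39,12 @@ data:
 {{- if .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion }}
 vuln_db_version: {{ .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion | quote }}
 {{- end }}
+{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
+{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath }}
+docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote}}
+{{- end }}
+{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath }}
+podman_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath | quote}}
+{{- end }}
+{{- end}}
 {{- end }}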
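Review bot: The two new `| quote}}` closers on the docker_socket_path and podman_socket_path lines, and the `{{- end}}` that closes the scanContainers block, drop the space before `}}` that the neighbouring template lines use (`| quote }}` on vuln_db_version, `{{- end }}` elsewhere); Go templates accept both forms, so this is a style point, but it reads as a typo beside the existing lines. Suggest `docker_socket_path: {{ .Values.nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | quote }}`, the same for podman, and `{{- end }}`. Keeping `| quote` on the socket values is right, since a value such as unix:///var/run/docker.sock contains `:` and must not be left as a plain scalar. The `data:` mapping and the outer `{{- if` that the final `{{- end }}` closes start outside this hunk.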

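--- a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
+++ b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
@@ -890,6 +890,26 @@ spec:
 - name: "{{ $key }}"
 value: "{{ $value }}"
 {{- end }}
+
+{{- if .Values.nodeAnalyzer.hostScanner.scanContainers.enabled }}
+# Container scanner
+- name: USE_COMBINED_SCANNER
+value: "true"
+- name: SCAN_CONTAINERS_ENABLED
+value: "true"
+- name: DOCKER_SOCKET_PATHS
+valueFrom:
+configMapKeyRef:
+name: {{ .Release.Name }}-host-scanner
+key: docker_socket_path
+optional: true
+- name: PODMAN_SOCKET_PATHS
+valueFrom:
+configMapKeyRef:
+name: {{ .Release.Name }}-host-scanner
+key: podman_socket_path
+optional: true
+{{- end }}
 volumeMounts:
 - mountPath: /tmp
 name: tmp-vol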
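Review bot: The new env block hands the host-scanner a container-runtime socket path (DOCKER_SOCKET_PATHS / PODMAN_SOCKET_PATHS) but this hunk adds no volume or volumeMount for that socket, so the scanner presumably reaches it through a host mount defined outside the hunk; the bare `# Container scanner` comment should say so, because read/write access to a runtime socket is node-root-equivalent and a maintainer needs to see where that access is granted. Suggest `# Container scanner: the scanner reads the runtime socket through the existing host mount below; see values.yaml nodeAnalyzer.hostScanner.scanContainers`, adjusted to whatever the mount actually is. The env names are plural (`..._PATHS`) while the configmap keys and README entries are singular (docker_socket_path, "the path to docker socket"); if the 0.7.0 image accepts a list, the README should say how it is delimited, and if not, the names are misleading. The enclosing container spec begins and ends outside the hunk.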

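--- a/charts/node-analyzer/tests/hostscanner_test.yaml
+++ b/charts/node-analyzer/tests/hostscanner_test.yaml
@@ -168,3 +168,62 @@ tests:
 of: ConfigMap
 - isNull:
 path: data.additional_dirs_to_scan
+
+- it: "Container scanner is disabled by default"
+set:
+clusterName: "test"
+nodeAnalyzer.hostScanner.deploy: true
+templates:
+- ../templates/daemonset-node-analyzer.yaml
+asserts:
+- isKind:
+of: DaemonSet
+- isNull:
+path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
+- isNull:
+path: spec.template.spec.containers[3].env[?(@.name == "SCAN_CONTAINERS_ENABLED")].value
+- it: "Container scanner enabled - daemonset"
+set:
+clusterName: "test"
+nodeAnalyzer.hostScanner.deploy: true
+nodeAnalyzer.hostScanner.scanContainers.enabled: true
+templates:
+- ../templates/daemonset-node-analyzer.yaml
+asserts:
+- isKind:
+of: DaemonSet
+- equal:
+path: spec.template.spec.containers[3].env[?(@.name == "USE_COMBINED_SCANNER")].value
+value: "true"
+- it: "Container scanner enabled and empty socket paths - configmap"
+set:
+clusterName: "test"
+nodeAnalyzer.hostScanner.deploy: true
+nodeAnalyzer.hostScanner.scanContainers.enabled: true
+templates:
+- ../templates/configmap-host-scanner.yaml
+asserts:
+- isKind:
+of: ConfigMap
+- isNull:
+path: data.docker_socket_path
+- isNull:
+path: data.podman_socket_path
+- it: "Container scanner enabled and not empty socket paths - configmap"
+set:
+clusterName: "test"
+nodeAnalyzer.hostScanner.deploy: true
+nodeAnalyzer.hostScanner.scanContainers.enabled: true
+nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath: "/docker/socket"
+nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath: "/podman/socket"
+templates:
+- ../templates/configmap-host-scanner.yaml
+asserts:
+- isKind:
+of: ConfigMap
+- equal:
+path: data.docker_socket_path
+value: "/docker/socket"
+- equal:
+path: data.podman_socket_path
+value: "/podman/socket"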
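Review bot: The "Container scanner enabled - daemonset" case asserts only USE_COMBINED_SCANNER, so the other three env entries the daemonset template adds (SCAN_CONTAINERS_ENABLED and the two configMapKeyRef-backed socket variables) are untested; a typo in the referenced ConfigMap name or a dropped `optional: true` would still pass, and `optional: true` is what keeps the pod schedulable when the socket keys are absent. Suggest adding, in that case, `- equal:` / `path: spec.template.spec.containers[3].env[?(@.name == "DOCKER_SOCKET_PATHS")].valueFrom.configMapKeyRef.optional` / `value: true`, and an `equal` on `.valueFrom.configMapKeyRef.name` against the expected release-name-derived value. The positional `containers[3]` index will silently point at the wrong container if the container order in the daemonset changes; if the existing tests in this file already use it, keeping it is consistent, otherwise a filter on the container name would be more robust. The `tests:` list this hunk extends begins outside the hunk.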

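--- a/charts/node-analyzer/values.yaml
+++ b/charts/node-analyzer/values.yaml
@@ -392,7 +392,7 @@ nodeAnalyzer:
 
 image:
 repository: sysdig/vuln-host-scanner
-tag: "0.6.8"
+tag: "0.7.0"
 digest:
 pullPolicy:
 
@@ -416,6 +416,11 @@ nodeAnalyzer:
 settings:
 replicas: 1
 
+scanContainers:
+enabled: false
+# dockerSocketPath: "unix:///var/run/docker.sock"
+# podmanSocketPath: "unix:///var/run/podman.sock"
+
 kspmAnalyzer:
 debug: false
 image: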
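Review bot: dockerSocketPath and podmanSocketPath are added only as commented-out examples, so with `scanContainers.enabled: true` and nothing else set the chart itself supplies no socket path (the configmap template skips both keys and the daemonset marks the ConfigMap refs optional), yet the README in this same commit lists `unix:///var/run/docker.sock` and `unix:///var/run/podman.sock` as the defaults. If those fallbacks come from the 0.7.0 image, a comment should make that explicit so the two documents agree, e.g. `# Leave unset to use the scanner's built-in default socket paths; set to override`; if they do not, the README defaults are wrong. A second comment on `enabled:` noting that enabling container scanning requires the host-scanner to reach the container-runtime socket would help operators judge the privilege implication before flipping it. The `nodeAnalyzer:` mapping this hunk sits in starts outside the hunk, and with indentation lost here I cannot confirm whether `scanContainers` is nested under `settings` or a sibling of it; the tests reference it as `nodeAnalyzer.hostScanner.scanContainers`, so the latter is presumably intended.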

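--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.34.9
+version: 1.35.0
 maintainers:
 - name: AlbertoBarba
@@ -36,7 +36,7 @@ dependencies:
 - name: node-analyzer
 # repository: https://charts.sysdig.com
 repository: file://../node-analyzer
-version: ~1.20.4
+version: ~1.21.0
 alias: nodeAnalyzer
 condition: nodeAnalyzer.enabled
 - name: cluster-scanner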
