
Commit 85d9d63

chore(shield): cluster shield release 1.14.0 (#2332)
Co-authored-by: Mirko Bonasorte <[email protected]>
1 parent ecfea85 commit 85d9d63


7 files changed

+541
-19
lines changed


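--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 
 type: application
-version: 1.14.0
+version: 1.15.0
 appVersion: "1.0.0"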

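--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -199,7 +199,7 @@ The following table lists the configurable parameters of the `shield` chart and
 | host.dns_policy | The dns policy for the host shield | <code></code> |
 | cluster.image.registry | The registry where the cluster shield image is stored | <code>quay.io</code> |
 | cluster.image.repository | The repository where the cluster shield image is stored | <code>sysdig/cluster-shield</code> |
-| cluster.image.tag | The tag for the cluster shield image | <code>1.13.0</code> |
+| cluster.image.tag | The tag for the cluster shield image | <code>1.14.0</code> |
 | cluster.image.pull_policy | The pull policy for the cluster shield image | <code>IfNotPresent</code> |
 | cluster.image.pull_secrets | The pull secrets for the cluster shield image | <code>[]</code> |
 | cluster.run_mode | The mode in which the cluster shield should run (Accepted Values: single-process, multi-process) | <code>multi-process</code> |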

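--- a/charts/shield/templates/cluster/_config.tpl
+++ b/charts/shield/templates/cluster/_config.tpl
@@ -13,7 +13,6 @@
 (dict "kubernetes_metadata" (dig "kubernetes_metadata" nil .Values.features ))
 (dict "monitor" (pick $monitorFeature "kube_state_metrics" "kubernetes_events"))
 (dict "investigations" (pick $investigationsFeature "investigations" "network_security"))
-(dict "respond" (pick $respondFeature "response_actions"))
 -}}
 {{- $featuresConfig := dict -}}
 {{- range $feature := $features }}
@@ -22,7 +21,9 @@
 {{- end -}}
 {{- end }}
 {{- $_ := set $featuresConfig.container_vulnerability_management "in_use" .Values.features.vulnerability_management.in_use -}}
-{{- $_ := set $featuresConfig.respond "response_actions" (pick $featuresConfig.respond.response_actions "enabled" "queue_length" "timeout" "cluster") -}}
+{{- $respond := (include "cluster.configmap.respond" .) | fromYaml }}
+{{- $_ := set $featuresConfig "respond" $respond -}}
+
 {{- $additionalFeaturesSettings := (dig "features" (dict) .Values.cluster.additional_settings) -}}
 {{- (mergeOverwrite $featuresConfig $additionalFeaturesSettings) | toYaml -}}
 {{- end }}
@@ -207,28 +208,80 @@
 {{- end -}}
 {{- end }}
 
+{{/*
+Generic helper: checks if .Values.features.respond.response_actions.<action>.trigger == "all"
+Usage: {{ include "cluster.response_actions.is_enabled" (dict "Action" "delete_pod" "Context" .) }}
+*/}}
+{{- define "cluster.response_actions.is_enabled" -}}
+{{- $action := .Action }}
+{{- $ctx := .Context }}
+{{- with $ctx.Values.features.respond.response_actions -}}
+{{- $entry := index . $action }}
+{{- if and $entry (eq $entry.trigger "none") -}}
+false
+{{- else -}}
+true
+{{- end -}}
+{{- else -}}
+true
+{{- end -}}
+{{- end -}}
+
 {{/*
 Response Actions: Cluster actions
 In the future we will have more complex logic to determine if the action is enabled or not.
 */}}
 {{- define "cluster.response_actions.rollout_restart.enabled" }}
-{{- include "cluster.response_actions_enabled" . }}
+{{- include "cluster.response_actions.is_enabled" (dict "Action" "rollout_restart" "Context" .) }}
 {{- end}}
 {{- define "cluster.response_actions.delete_pod.enabled" }}
-{{- include "cluster.response_actions_enabled" . }}
+{{- include "cluster.response_actions.is_enabled" (dict "Action" "delete_pod" "Context" .) }}
 {{- end}}
 {{- define "cluster.response_actions.isolate_network.enabled" }}
-{{- include "cluster.response_actions_enabled" . }}
+{{- include "cluster.response_actions.is_enabled" (dict "Action" "isolate_network" "Context" .) }}
 {{- end}}
 {{- define "cluster.response_actions.delete_network_policy.enabled" }}
-{{- include "cluster.response_actions_enabled" . }}
+{{- include "cluster.response_actions.is_enabled" (dict "Action" "delete_network_policy" "Context" .) }}
 {{- end}}
 {{- define "cluster.response_actions.get_logs.enabled" }}
-{{- include "cluster.response_actions_enabled" . }}
+{{- include "cluster.response_actions.is_enabled" (dict "Action" "get_logs" "Context" .) }}
 {{- end}}
 {{- define "cluster.response_actions.volume_snapshot.enabled" }}
-{{- include "cluster.response_actions_enabled" . }}
+{{- include "cluster.response_actions.is_enabled" (dict "Action" "volume_snapshot" "Context" .) }}
 {{- end}}
-{{- define "cluster.response_actions.delete_volume_snapshot.enabled" }}
-{{- include "cluster.response_actions_enabled" . }}
+{{- define "cluster.response_actions.delete_volume_snapshot.enabled" -}}
+{{- include "cluster.response_actions.is_enabled" (dict "Action" "delete_volume_snapshot" "Context" .) -}}
 {{- end}}
+
+
+{{- define "cluster.configmap.respond" }}
+{{- $response_actions_feature := (dig "respond" "response_actions" nil .Values.features) }}
+{{- $fields := list "enabled" "queue_length" "timeout" "cluster" }}
+{{- $actions := list
+"rollout_restart"
+"delete_pod"
+"isolate_network"
+"delete_network_policy"
+"get_logs"
+"volume_snapshot"
+"delete_volume_snapshot"
+}}
+{{- if and (include "common.semver.is_valid" .Values.cluster.image.tag) (semverCompare ">= 1.14.0" .Values.cluster.image.tag) }}
+{{- $fields = (concat $fields $actions) }}
+{{- end }}
+{{- $response_actions := dict }}
+{{- range $field := $fields }}
+{{- if hasKey $response_actions_feature $field}}
+{{- $response_actions := set $response_actions $field (index $response_actions_feature $field) }}
+{{- end}}
+{{- end }}
+
+{{- if (include "common.semver.is_valid" (.Values.on_prem_version | default "")) -}}
+{{- if semverCompare ">= 7.3.0" .Values.on_prem_version -}}
+{{- dict "response_actions" $response_actions | toYaml -}}
+{{- end -}}
+{{- else -}}
+{{- dict "response_actions" $response_actions | toYaml -}}
+{{- end -}}
+
+{{- end }}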
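Review bot: The header comment on `cluster.response_actions.is_enabled` says it checks for `trigger == "all"`, but the body returns `false` only when the entry's trigger is exactly `"none"` and `true` for every other value, including a missing entry or a missing `response_actions` block; the comment should read `Generic helper: renders "false" when .Values.features.respond.response_actions.<action>.trigger is "none", otherwise "true"`. Because `include` yields a string, any caller of the `.enabled` helpers that tests the result with a bare `if` (their call sites are outside this hunk) would treat `"false"` as truthy, so those sites should compare with `eq (include ...) "true"` — worth confirming. In `cluster.configmap.respond`, a `cluster.image.tag` that is not valid semver silently drops every per-action entry from the rendered config, so an operator's per-action settings (including a `trigger: none`) would never reach the cluster shield; the same applies to the `>= 14.1.0` gate in `host.configmap.respond` (host/_configmap_helpers.tpl), and both deserve either a `fail` or a README note stating that per-action configuration requires a parsable version tag. The `{{- $response_actions := set ... }}` inside the range redeclares the variable on each iteration and works only because `set` mutates the map in place; `{{- $_ := set $response_actions $field (index $response_actions_feature $field) }}` states the intent.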

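--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -10,11 +10,33 @@
 
 {{- define "host.configmap.respond" }}
 {{- $respond := dict -}}
-{{- $featureRespond := get . (include "host.respond_key" .) }}
+{{- $featureRespond := get .Values.features (include "host.respond_key" .Values.features) }}
 {{- $rapid_response := dict "rapid_response" (pick $featureRespond.rapid_response "enabled") }}
 {{- $respond = merge $respond $rapid_response -}}
-{{- $respond = merge $respond (pick .respond "response_actions") -}}
-{{- dict "respond" $respond | toYaml }}
+{{- $response_actions := index $featureRespond "response_actions" }}
+{{- $host_response_actions := dict }}
+{{- $fields := list "enabled" "queue_length" "timeout" "host" }}
+{{- $actions := list
+"kill_process"
+"file_acquire"
+"file_quarantine"
+"file_unquarantine"
+"kill_container"
+"stop_container"
+"start_container"
+"pause_container"
+"unpause_container"
+}}
+{{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare ">= 14.1.0" .Values.host.image.tag) }}
+{{- $fields = (concat $fields $actions) }}
+{{- end }}
+{{- range $field := $fields }}
+{{- if hasKey $response_actions $field}}
+{{- $host_response_actions := set $host_response_actions $field (index $response_actions $field) }}
+{{- end}}
+{{- end }}
+{{- $respond = merge $respond (dict "response_actions" $host_response_actions) }}
+{{ dict "respond" $respond | toYaml }}
 {{- end }}
 
 {{- define "host.configmap.detections" }}
@@ -33,7 +55,7 @@
 {{- $featuresConfig = merge $featuresConfig ((include "host.configmap.vm" .) | fromYaml) }}
 {{- end }}
 
-{{- $featuresConfig = merge $featuresConfig ((include "host.configmap.respond" .Values.features) | fromYaml) }}
+{{- $featuresConfig = merge $featuresConfig ((include "host.configmap.respond" .) | fromYaml) }}
 
 {{- with .Values.features.detections }}
 {{- $featuresConfig = merge $featuresConfig ((include "host.configmap.detections" .) | fromYaml)}}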
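Review bot: The output line `{{ dict "respond" $respond | toYaml }}` in `host.configmap.respond` lost the left-trim marker that the replaced line carried (`{{- dict "respond" $respond | toYaml }}`), so the newline after the preceding `merge` line, plus whatever indentation precedes `{{`, is now emitted ahead of the YAML; `fromYaml` at the call site in the second hunk probably tolerates that, but every other action in this define trims, so restore `{{- dict "respond" $respond | toYaml }}`. The `{{- $host_response_actions := set ... }}` inside the range redeclares the variable per iteration and only works because `set` mutates the map in place; `{{- $_ := set $host_response_actions $field (index $response_actions $field) }}` reads as intended. Since the define now expects the root context rather than `.Values.features`, a header comment such as `{{/* host.configmap.respond: takes the root context (.) and renders features.respond with only the allow-listed response_actions keys */}}` would record the new calling contract for the other call sites outside this diff.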
