
Commit d0784da

chore(cluster-shield,shield,sysdig-deploy): Automatic bump to version 1.13.0 (#2297)
Co-authored-by: francesco-furlan <[email protected]> Co-authored-by: Francesco Furlan <[email protected]>
1 parent 1189585 commit d0784da


17 files changed

+813
-9
lines changed


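--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.12.1
-appVersion: "1.12.1"
+version: 1.13.0
+appVersion: "1.13.0"
 maintainers:
 - name: AlbertoBarba
 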
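--- a/charts/cluster-shield/README.md
+++ b/charts/cluster-shield/README.md
@@ -137,6 +137,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | cluster_shield.features.container_vulnerability_management.registry_ssl.verify | If set to false it allows insecure connections to registries, Such as for registries with self-signed or private certificates. | <code>true</code> |
 | cluster_shield.features.investigations.network_security.enabled | Enable the network security feature | <code>false</code> |
 | cluster_shield.features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature | <code>false</code> |
+| cluster_shield.features.respond.response_actions.enabled | | <code>false</code> |
 | cluster_shield.features.monitor.kube_state_metrics.enabled | Enable the Kubernetes State Metrics feature | <code>false</code> |
 | cluster_shield.features.monitor.kubernetes_events.enabled | Enable the Kubernetes Events feature | <code>false</code> |
 | ca.certs | A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | <code>[]</code> |
@@ -189,6 +190,8 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | env | Optional parameter used to add environment variables to the Cluster Shield pods | <code>[]</code> |
 | volumes | Optional parameter to specify additional host volumes for the Cluster Shield pods | <code>[]</code> |
 | volumeMounts | Optional parameter to specify additional volume mounts for the Cluster Shield pods | <code>[]</code> |
+| podDisruptionBudget.create | Specifies whether a Pod Disruption Budget should be created | <code>true</code> |
+| podDisruptionBudget.minAvailable | The minimum number of pods that must be available during a disruption | <code>1</code> |
 
 
 ## Running helm unit tests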

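--- a/charts/cluster-shield/templates/_helpers.tpl
+++ b/charts/cluster-shield/templates/_helpers.tpl
@@ -97,7 +97,7 @@ Adds kubernetes related keys to the configuration.
 {{- if not $conf.sysdig_endpoint.api_url -}}
 {{- fail "Custom region requires one of global.sysdig.apiHost or cluster_shield.sysdig_endpoint.api_url to be defined." -}}
 {{- end -}}
-{{- if and ($conf.features.kubernetes_metadata.enabled) (not $conf.sysdig_endpoint.collector) -}}
+{{- if and (or $conf.features.kubernetes_metadata.enabled (and $conf.features.audit.enabled $conf.features.audit.use_falco)) (not $conf.sysdig_endpoint.collector) -}}
 {{- fail "Custom region requires cluster_shield.sysdig_endpoint.collector to be defined." -}}
 {{- end -}}
 {{- end -}}
@@ -489,3 +489,37 @@ run-all-namespaced
 {{- $tag._0 }}: {{ $tag._1 | quote }}
 {{ end -}}
 {{- end -}}
+
+{{- define "cluster.response_actions_enabled" -}}
+{{- with .Values.cluster_shield.features.respond.response_actions.enabled }}
+{{- . }}
+{{- else }}
+false
+{{- end }}
+{{- end }}
+
+{{/*
+Response Actions: Cluster actions
+In the future we will have more complex logic to determine if the action is enabled or not.
+*/}}
+{{- define "cluster.response_actions.rollout_restart.enabled" }}
+{{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_pod.enabled" }}
+{{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.isolate_network.enabled" }}
+{{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_network_policy.enabled" }}
+{{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.get_logs.enabled" }}
+{{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.volume_snapshot.enabled" }}
+{{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_volume_snapshot.enabled" }}
+{{- include "cluster.response_actions_enabled" . }}
+{{- end}}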
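Review bot: `cluster.response_actions_enabled` (second hunk, line 493) has no comment stating its contract, although clusterrole.yaml compares its output with `eq "true"`, so it must render exactly the string `true` or `false`; the `with`/`else` form does that for a boolean value, but a value such as `"yes"` or `1` would render verbatim and silently produce no response-action rules at all. I would add above the define `{{/* Renders exactly "true" or "false"; clusterrole.yaml compares the result with eq "true". */}}`. The seven `cluster.response_actions.<action>.enabled` helpers are all plain aliases of the global flag, which the comment at line 503 says is intentional for now, so the README row for `cluster_shield.features.respond.response_actions.enabled` (added empty in this commit) should state that this single flag enables every action. The naming is also inconsistent between `response_actions_enabled` and `response_actions.<action>.enabled`.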

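--- a/charts/cluster-shield/templates/clusterrole.yaml
+++ b/charts/cluster-shield/templates/clusterrole.yaml
@@ -201,3 +201,126 @@ rules:
 verbs:
 - get
 {{- end}}
+
+{{- if eq "true" (include "cluster.response_actions_enabled" .) }}
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- patch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.rollout_restart.enabled" .) }}
+- apiGroups: ["apps"]
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get
+- update # needed for rollout restart
+- watch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_pod.enabled" .) }}
+- apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- delete
+- get
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.isolate_network.enabled" .) }}
+- apiGroups:
+- apps
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get # needed to identify the pods to isolate
+
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- create
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_network_policy.enabled" .) }}
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- get
+- delete
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.get_logs.enabled" .) }}
+- apiGroups:
+- apps
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get # needed to identify the pods to get logs from
+
+- apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- list
+
+- apiGroups:
+- ""
+resources:
+- pods/log
+verbs:
+- get
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.volume_snapshot.enabled" .) }}
+- apiGroups:
+- apps
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get # needed to identify the pods with PVCs
+
+- apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- list
+
+- apiGroups:
+- snapshot.storage.k8s.io
+resources:
+- volumesnapshots
+verbs:
+- create
+- watch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_volume_snapshot.enabled" .) }}
+- apiGroups:
+- snapshot.storage.k8s.io
+resources:
+- volumesnapshots
+verbs:
+- delete
+- get
+- watch
+- patch # needed to remove finalizers, which could prevent deletion
+{{- end }}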
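Review bot: A single flag grants all seven permission sets at once, because every `cluster.response_actions.<action>.enabled` helper in _helpers.tpl just echoes the global flag: turning on response actions gives the shield cluster-wide `delete` on pods (line 233), `create` and `delete` on NetworkPolicies (lines 252 and 262), `get` on pods/log (line 287), `update` on Deployments/DaemonSets/StatefulSets (line 223) and `create`/`delete`/`patch` on VolumeSnapshots, with no way to allow, say, log retrieval without also allowing pod deletion or NetworkPolicy removal. Since the helpers are already split per action, per-action values feeding them (defaulting to the global flag) would let operators keep the ClusterRole to the actions they actually use. Two verbs deserve an inline explanation of their blast radius: `update` on workloads permits editing the whole pod template, not only the restart annotation, and `create` plus `delete` on networkpolicies together allow the component to reshape the cluster's network segmentation, so I would extend the comment on line 223 to `- update # needed for rollout restart; also allows editing the pod template` and add a similar one at line 252. The `rules:` list this hunk extends starts outside the hunk.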
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
{{- if hasKey .Values "podDisruptionBudget" }}
2+
{{- if .Values.podDisruptionBudget.create }}
3+
apiVersion: policy/v1
4+
kind: PodDisruptionBudget
5+
metadata:
6+
name: {{ include "cluster-shield.fullname" . | trunc 59 }}-pdb
7+
namespace: {{ .Release.Namespace }}
8+
spec:
9+
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
10+
selector:
11+
matchLabels:
12+
{{ include "cluster-shield.selectorLabels" . | nindent 6 }}
13+
{{- end }}
14+
{{- end }}
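Review bot: `minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}` (line 9) is rendered by default, since the README rows in this commit give `podDisruptionBudget.create` a default of `true` and `minAvailable` a default of `1`; if the chart's default replica count is also 1 (not visible on this page), the PDB forbids every voluntary eviction of the only pod, so node drains during cluster upgrades stall until the budget is disabled. The template should either skip the budget when the rendered replica count is 1 or carry a comment such as `# a minAvailable equal to the replica count blocks node drains; lower it or disable the PDB for single-replica installs`, and the README row for `podDisruptionBudget.minAvailable` should say the same. The file path of this section is not shown on the page.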

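--- a/charts/cluster-shield/tests/clusterrole_test.yaml
+++ b/charts/cluster-shield/tests/clusterrole_test.yaml
@@ -167,3 +167,149 @@ tests:
 - get
 - list
 - watch
+- it: Test response_actions enabled
+set:
+cluster_shield:
+features:
+respond:
+response_actions:
+enabled: true
+asserts:
+- isKind:
+of: ClusterRole
+- isAPIVersion:
+of: rbac.authorization.k8s.io/v1
+- contains:
+path: rules
+content:
+apiGroups:
+- apps
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get
+- update
+- watch
+- contains:
+path: rules
+content:
+apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- delete
+- get
+- contains:
+path: rules
+content:
+apiGroups:
+- apps
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get
+- contains:
+path: rules
+content:
+apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- create
+- contains:
+path: rules
+content:
+apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- get
+- delete
+- contains:
+path: rules
+content:
+apiGroups:
+- apps
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get
+- contains:
+path: rules
+content:
+apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- list
+- contains:
+path: rules
+content:
+apiGroups:
+- ""
+resources:
+- pods/log
+verbs:
+- get
+- contains:
+path: rules
+content:
+apiGroups:
+- apps
+resources:
+- daemonsets
+- deployments
+- statefulsets
+verbs:
+- get
+- contains:
+path: rules
+content:
+apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- list
+- contains:
+path: rules
+content:
+apiGroups:
+- snapshot.storage.k8s.io
+resources:
+- volumesnapshots
+verbs:
+- create
+- watch
+- contains:
+path: rules
+content:
+apiGroups:
+- snapshot.storage.k8s.io
+resources:
+- volumesnapshots
+verbs:
+- delete
+- get
+- watch
+- patch
+- contains:
+path: rules
+content:
+apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- patch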
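Review bot: The new case (line 170 onward) only checks that the response-action rules appear when `response_actions.enabled` is true; there is no companion case asserting that they are absent at the default of `false`, which is what protects the least-privilege default against a regression in the `eq "true"` comparisons in clusterrole.yaml. I would add a second `it:` with the flag unset and `notContains` asserts for the most sensitive rules (pods/log, networkpolicies, pod deletion). The `tests:` list this hunk extends starts outside the hunk.

```yaml
# … unchanged: "Test response_actions enabled" case …
- it: Test response_actions disabled by default
  asserts:
    - isKind:
        of: ClusterRole
    - notContains:
        path: rules
        content:
          apiGroups:
            - ""
          resources:
            - pods/log
          verbs:
            - get
    - notContains:
        path: rules
        content:
          apiGroups:
            - networking.k8s.io
          resources:
            - networkpolicies
          verbs:
            - create
    - notContains:
        path: rules
        content:
          apiGroups:
            - ""
          resources:
            - pods
          verbs:
            - delete
            - get
```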
