Merge pull request #8679 from zalando-incubator/vthupili

feat: add wiz manifests

Author: mikkeloscar

cluster/config-defaults.yaml

@@ -1221,3 +1221,18 @@ role_sync_controller_enabled: "true"
 {{ else }}
 role_sync_controller_enabled: "false"
 {{ end }}
+
+#Wiz Configs
+# When wiz_enable_runtime_sensor and wiz_enable_runtime_connector are set to true,
+# this enables WIZ runtime monitoring. A DaemonSet called Sensor and a Deployment
+# called Connector will be deployed into the cluster.
+wiz_enable_runtime_sensor: "false"
+wiz_enable_runtime_connector: "false"
+wiz_sensor_cpu: "300m"
+wiz_sensor_memory: "300Mi"
+wiz_connector_cpu: "300m"
+wiz_connector_memory: "300Mi"
+# Please note when this is set to true it allows the use of the node selector feature
+# to deploy the sensor and connector on specific nodes, by manually setting the node selector label on the nodes.
+# This is useful when you want to deploy the sensor and connector on specific nodes.
+wiz_node_feature_rollout : "false"

cluster/manifests/01-admission-control/config.yaml

@@ -115,6 +115,9 @@ data:
 {{- range $sa := split .Cluster.ConfigItems.teapot_admission_controller_pod_security_policy_privileged_service_accounts "," }}
   pod.pod-security-policy.privileged-service-accounts.{{ $sa }}: ""
 {{- end}}
+{{- if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true" }}
+  pod.pod-security-policy.privileged-service-accounts.wiz_wiz_sensor: ""
+{{- end }}
 
   pod.pod-security-policy.allowed-restricted-capabilities.AUDIT_WRITE: ""
   pod.pod-security-policy.allowed-restricted-capabilities.CHOWN: ""
@@ -139,6 +142,17 @@ data:
   pod.pod-security-policy.allowed-privileged-capabilities.{{ $cap }}: ""
 {{- end}}
 
+{{- if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true" }}
+  pod.pod-security-policy.allowed-privileged-capabilities.DAC_READ_SEARCH: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.IPC_LOCK: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.NET_ADMIN: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.SYS_ADMIN: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.SYS_MODULE: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.SYS_PTRACE: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.SYS_RESOURCE: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.SYS_RAWIO: ""
+  pod.pod-security-policy.allowed-privileged-capabilities.SYSLOG: ""
+{{- end }}
 
 {{- range $sysctl := split .Cluster.ConfigItems.allowed_unsafe_sysctls "," }}
   pod.pod-security-policy.allowed-unsafe-sysctls.{{ $sysctl }}: ""

cluster/manifests/deletions.yaml

@@ -339,6 +339,65 @@ post_apply:
 - name: kube-janitor
   kind: ClusterRoleBinding
 {{- end }}
+{{- if ne .Cluster.ConfigItems.wiz_enable_runtime_connector "true" }}
+- name: wiz-kubernetes-connector-create-connector
+  kind : Job
+  namespace: wiz
+- name: wiz-kubernetes-connector-delete-connector
+  kind : Job
+  namespace: wiz
+- name: wiz-connector-agent
+  kind : Deployment
+  namespace: wiz
+- name: wiz-broker
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-cluster-reader
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-connector-connector
+  kind : Secret
+  namespace: wiz
+- name: wiz-cluster-reader-token
+  kind : Secret
+  namespace: wiz
+- name: wiz-api-token
+  kind : Secret
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : Role
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : RoleBinding
+  namespace: wiz
+- name: wiz-cluster-reader
+  kind : ClusterRoleBinding
+  namespace: wiz
+{{- end }}
+{{- if ne .Cluster.ConfigItems.wiz_enable_runtime_sensor "true" }}
+- name: wiz-sensor
+  kind : DaemonSet
+  namespace: wiz
+- name: wiz-sensor
+  kind: ServiceAccount
+  namespace: wiz
+- name: wiz-sensor-apikey
+  kind: Secret
+  namespace: wiz
+- name: wiz-sensor
+  kind : ClusterRole
+  namespace: wiz
+- name: wiz-sensor
+  kind : ClusterRoleBinding
+  namespace: wiz
+{{- end }}
+{{- if and (ne .Cluster.ConfigItems.wiz_enable_runtime_connector "true") (ne .Cluster.ConfigItems.wiz_enable_runtime_sensor "true") }}
+- name: wiz
+  kind: Namespace
+{{- end }}
 {{- if ne .Cluster.ConfigItems.aws_efa_device_plugin_enabled "true"}}
 - name: aws-efa-k8s-device-plugin
   kind: DaemonSet

cluster/manifests/wiz/001-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wiz

cluster/manifests/wiz/002-connector-serviceaccount.yaml

@@ -0,0 +1,35 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_connector "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-broker
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-cluster-reader
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+{{end}}

cluster/manifests/wiz/002-sensor-serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true"}}
+---
+# Source: wiz-sensor/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-sensor
+  namespace: wiz
+  labels:
+    helm.sh/chart: wiz-sensor-1.0.4760
+    application: "wiz"
+    component: "connector"
+{{end}}

cluster/manifests/wiz/003-connector-clusterrole.yaml

@@ -0,0 +1,20 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_connector "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wiz-cluster-reader
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name:  readonly # readonly role created by default in out kubernetes environment
+subjects:
+- kind: ServiceAccount
+  name: wiz-cluster-reader
+  namespace: "wiz"
+{{end}}

cluster/manifests/wiz/003-connector-role.yaml

@@ -0,0 +1,43 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_connector "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["wiz-connector-connector"]
+    verbs: ["update", "get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: 
+      - "wiz-api-token"
+      - "wiz-cluster-reader-token"
+    verbs: ["get"]
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name:  wiz-auto-modify-connector
+subjects:
+- kind: ServiceAccount
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+{{end}}

cluster/manifests/wiz/003-sensor-clusterrole.yaml

@@ -0,0 +1,42 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true"}}
+---
+# Source: wiz-sensor/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: wiz-sensor
+  labels:
+    helm.sh/chart: wiz-sensor-1.0.4760
+    application: "wiz"
+    component: "sensor"
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "namespaces", "nodes", "replicationcontrollers", "serviceaccounts"]
+    verbs: ["get", "list", "watch"]
+
+  - apiGroups: ["apps"]
+    resources: ["daemonsets", "replicasets", "deployments", "statefulsets"]
+    verbs: ["get", "list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources: ["cronjobs"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: wiz-sensor/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wiz-sensor
+  labels:
+    helm.sh/chart: wiz-sensor-1.0.4760
+    application: "wiz"
+    component: "sensor"
+subjects:
+- kind: ServiceAccount
+  name: wiz-sensor
+  namespace: wiz
+roleRef:
+  kind: ClusterRole
+  name: wiz-sensor
+  apiGroup: rbac.authorization.k8s.io
+{{end}}

cluster/manifests/wiz/004-connector-secrets.yaml

@@ -0,0 +1,45 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_connector "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/secret-connector.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wiz-connector-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+type: Opaque
+data:
+  connectorData: "e30="
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wiz-cluster-reader-token
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+  annotations:
+    kubernetes.io/service-account.name: wiz-cluster-reader
+type: kubernetes.io/service-account-token
+---
+# Source: wiz-sensor/templates/apikeysecret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wiz-api-token
+  namespace: wiz
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+type: Opaque
+stringData:
+  clientId: "{{ .Cluster.ConfigItems.wiz_api_client_id }}"
+  clientToken: "{{ .Cluster.ConfigItems.wiz_api_client_token }}"
+{{end}}