Skip to content

Commit

Permalink
Helm chart update: 2.29.0
Browse files Browse the repository at this point in the history
  • Loading branch information
helm authored and helm committed Apr 4, 2024
1 parent 478e4db commit 9e18257
Show file tree
Hide file tree
Showing 13 changed files with 368 additions and 51 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.28.0
appVersion: 2.29.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand Down Expand Up @@ -34,4 +34,4 @@ keywords:
- gke
- autopilot
name: cloudguard
version: 2.28.0
version: 2.29.0
11 changes: 11 additions & 0 deletions checkpoint/cloudguard/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,17 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.list.tolerations` | List of node taints to tolerate | `[]` |
| `addons.imageScan.list.affinity` | Affinity setting | `{}` |
| `addons.imageScan.list.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.imageScan.armon.enabled` | Specifies whether the Image Access Runtime Monitor addon should be installed | `false` |
| `addons.imageScan.armon.image` | Specify image for the agent | `checkpoint/consec-imagescan-armon` |
| `addons.imageScan.armon.tag` | Specify image tag for the agent | see defaults.yaml |
| `addons.imageScan.armon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.armon.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.armon.resources` | Resources restriction (e.g. CPU, memory) | see defaults.yaml |
| `addons.imageScan.armon.nodeSelector` | Node labels for pod assignment | see below |
| `addons.imageScan.armon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.imageScan.armon.affinity` | Affinity setting | see below |
| `addons.imageScan.armon.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.imageScan.armon.priorityClassName` | Specifies custom priorityClassName (for Pods of this daemonset) | `system-node-critical` |
| `addons.imageScan.daemonConfigurationOverrides` | Overrides for multiple daemonSets with different configuration values | see below |
| `addons.flowLogs.enabled` | Specifies whether the Flow Logs addon should be installed | `false` |
| `addons.flowLogs.priorityClassName` | Specifies custom priorityClassName | `system-cluster-critical` |
Expand Down
39 changes: 38 additions & 1 deletion checkpoint/cloudguard/defaults.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ addons:
enabled: false
mountPodman : false
priorityClassName: "system-cluster-critical"

daemon:
priorityClassName: "system-node-critical"
## Specify image and tag
Expand Down Expand Up @@ -230,6 +231,42 @@ addons:
podAnnotations:
custom: {}

# Image Access Runtime Monitor
armon:
enabled: false
priorityClassName: "system-node-critical"
## Specify image and tag
image: checkpoint/consec-imagescan-armon
tag: 0.1.2

## Specify existing service account name ("" to create)
serviceAccountName: ""


## Extra environment variables passed to the container
env: []

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 500Mi
limits:
cpu: 100m
memory: 500Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations:
- operator: Exists
affinity: {}
podAnnotations:
custom: {}


## Flow Logs Add-on
flowLogs:
Expand Down Expand Up @@ -351,7 +388,7 @@ addons:
## Main container settings
## Specify image and tag
image: checkpoint/consec-runtime-daemon
tag: 1.14.0
tag: 1.16.2

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down
10 changes: 10 additions & 0 deletions checkpoint/cloudguard/templates/imagescan/armon/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{{- define "imagescan.armon.config" -}}
{{- $config := (include "get.root" .) | fromYaml -}}
{{- $_ := set $config "featureName" "imagescan" -}}
{{- $_ := set $config "agentName" "armon" -}}
{{- $_ := set $config "featureConfig" $config.Values.addons.imageScan -}}
{{- /* special Case for fileaccess daemonSet name to be different than daemon*/ -}}
{{- $_ := set $config "daemonConfigName" "armon" -}}
{{- $_ := set $config "agentConfig" $config.Values.addons.imageScan.armon -}}
{{- $config | toYaml -}}
{{- end -}}
22 changes: 22 additions & 0 deletions checkpoint/cloudguard/templates/imagescan/armon/clusterrole.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
rules:
- apiGroups: [""]
resources: [ "pods", "nodes"]
verbs: [ "list", "get" ]

- apiGroups: ["apps"]
resources: [ "daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: [ "list", "get" ]

- apiGroups: [ "batch" ]
resources: [ "jobs", "cronjobs" ]
verbs: [ "list", "get" ]
{{- end -}}
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "agent.resource.name" $config }}
subjects:
- kind: ServiceAccount
name: {{ template "agent.service.account.name" $config }}
namespace: {{ .Release.Namespace }}
{{- end -}}
96 changes: 96 additions & 0 deletions checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" $.Files -}}
{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "daemonset.daemon.resource.name" $config }}
namespace: {{ $.Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
spec:
selector:
matchLabels:
{{ include "common.labels" $config | indent 6 }}
{{ include "daemonset.updateStrategy" $config | indent 2}}
template:
metadata:
annotations:
{{ include "common.pod.annotations" $config | indent 8 }}
labels:
{{ include "common.labels" $config | indent 8 }}
spec:
{{ include "common.pod.properties" $config | indent 6 }}
containers:
- name: {{ $config.agentName }}
image: {{ template "agent.main.image" $config }}
imagePullPolicy: {{ $config.Values.imagePullPolicy }}
securityContext:
{{- if contains "openshift" $config.platform }}
seLinuxOptions:
type: spc_t
{{- end }}
runAsUser: 0
capabilities:
add:
- SYS_RESOURCE # setrlimit
- SYS_ADMIN # bpf
- IPC_LOCK # lock memory for bpf kernel >= 5.11
volumeMounts:
- name: secret-volume
mountPath: /etc/secret-volume
{{- if eq $config.containerRuntime "docker" }}
- mountPath: /var/run/docker.sock
name: docker-sock
readOnly: true
{{- else if eq $config.containerRuntime "containerd" }}
- mountPath: /run/containerd/containerd.sock
name: containerd-sock
readOnly: true
{{- else if eq $config.containerRuntime "cri-o" }}
- mountPath: /var/run/crio/crio.sock
name: crio-sock
readOnly: true
{{- end }}
{{- if $config.agentConfig.resources }}
resources:
{{ toYaml $config.agentConfig.resources | indent 10 }}
{{- end }}
env:
- name: REPORT_USE_DOME9_AGENT_CFG
value: "1"
- name: "REPORT_POST_ENDPOINT"
value: "/imageaccessruntimemonitor"
- name: "TELEMETRY_URL"
value: "https://eptelemetry.epmgmt.checkpoint.com/gwstats/services/antimalware/1_0_0/log"
- name: "CONTAINERS_RUNTIME"
value: {{ $config.containerRuntime }}

{{ include "common.env" $config | indent 8 }}
volumes:
- name: secret-volume
secret:
secretName: {{ template "cg.creds.secret.name" $config }}
{{- if eq $config.containerRuntime "docker" }}
- name: docker-sock
hostPath:
{{- if eq $config.platform "tanzu" }}
path: /var/vcap/sys/run/docker/docker.sock
{{- else }}
path: /var/run/docker.sock
{{- end }}
type: Socket
{{- else if eq $config.containerRuntime "containerd" }}
- name: containerd-sock
hostPath:
path: {{ include "containerd.sock.path" $config }}
type: Socket
{{- else if eq $config.containerRuntime "cri-o" }}
- name: crio-sock
hostPath:
path: /run/crio/crio.sock
type: Socket
{{- end }}
---
{{- end -}}
21 changes: 21 additions & 0 deletions checkpoint/cloudguard/templates/imagescan/armon/role.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
{{- if (contains "openshift" $config.platform) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- {{ template "agent.resource.name" $config }}
resources:
- securitycontextconstraints
verbs:
- use
{{- end -}}
{{- end -}}
20 changes: 20 additions & 0 deletions checkpoint/cloudguard/templates/imagescan/armon/rolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
{{- if (contains "openshift" $config.platform) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "agent.resource.name" $config }}
subjects:
- kind: ServiceAccount
name: {{ template "agent.service.account.name" $config }}
namespace: {{ .Release.Namespace }}
{{- end -}}
{{- end -}}
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
{{- if (contains "openshift" $config.platform) -}}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
allowPrivilegedContainer: false
allowHostDirVolumePlugin: true
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
fsGroup:
type: RunAsAny
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount
allowedCapabilities:
- SYS_RESOURCE
- SYS_ADMIN
- IPC_LOCK
volumes:
- hostPath
- secret
{{- end -}}
{{- end -}}
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
{{- if and $config.featureConfig.enabled $config.agentConfig.enabled (not $config.agentConfig.serviceAccountName) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
{{- end -}}
Binary file added repository/cloudguard-2.29.0.tgz
Binary file not shown.
Loading

0 comments on commit 9e18257

Please sign in to comment.