From fe117fd9a448eb3779e4f3ab40969f5286fbffb2 Mon Sep 17 00:00:00 2001 From: robot Date: Sat, 23 Nov 2024 20:08:59 +0000 Subject: [PATCH] robot: project neuvector chart upgrades from 2.4.2 to 2.8.3 
Signed-off-by: robot --- charts/neuvector/config | 2 +- charts/neuvector/neuvector/Chart.yaml | 10 +- charts/neuvector/neuvector/README.md | 150 +- .../neuvector/charts/core/Chart.yaml | 8 +- .../neuvector/neuvector/charts/core/README.md | 150 +- .../neuvector/charts/core/templates/NOTES.txt | 16 +- .../charts/core/templates/_helpers.tpl | 36 + .../templates/admission-webhook-service.yaml | 1 - .../core/templates/bootstrap-secret.yaml | 19 + .../core/templates/cert-manager-secret.yaml | 33 + .../charts/core/templates/clusterrole.yaml | 4 - .../templates/clusterrolebinding-least.yaml | 145 ++ .../core/templates/clusterrolebinding.yaml | 7 +- .../core/templates/controller-deployment.yaml | 153 +- .../core/templates/controller-ingress.yaml | 6 - .../core/templates/controller-lease.yaml | 8 + .../core/templates/controller-route.yaml | 3 - .../core/templates/controller-secret.yaml | 33 + .../core/templates/controller-service.yaml | 37 +- .../charts/core/templates/crd-role-least.yaml | 403 ++++ .../charts/core/templates/crd-role.yaml | 403 ++++ .../core/templates/crd-webhook-service.yaml | 19 + .../neuvector/charts/core/templates/crd.yaml | 431 ++--- .../core/templates/csp-clusterrole.yaml | 53 + .../templates/csp-clusterrolebinding.yaml | 61 + .../charts/core/templates/csp-crd.yaml | 46 + .../charts/core/templates/csp-deployment.yaml | 72 + .../charts/core/templates/csp-role.yaml | 55 + .../core/templates/csp-rolebinding.yaml | 31 + .../core/templates/csp-serviceaccount.yaml | 23 + .../core/templates/enforcer-daemonset.yaml | 71 +- .../charts/core/templates/init-configmap.yaml | 5 +- .../charts/core/templates/init-secret.yaml | 1 - .../core/templates/manager-deployment.yaml | 84 +- .../core/templates/manager-ingress.yaml | 2 - .../charts/core/templates/manager-route.yaml | 1 - .../charts/core/templates/manager-secret.yaml | 24 + .../core/templates/manager-service.yaml | 8 +- .../neuvector/charts/core/templates/psp.yaml | 85 +- 
.../neuvector/charts/core/templates/pvc.yaml | 1 - .../templates/registry-adapter-ingress.yaml | 106 ++ .../templates/registry-adapter-secret.yaml | 21 + .../core/templates/registry-adapter.yaml | 204 ++ .../charts/core/templates/role-least.yaml | 28 + .../neuvector/charts/core/templates/role.yaml | 132 ++ .../core/templates/rolebinding-least.yaml | 269 +++ .../charts/core/templates/rolebinding.yaml | 123 +- .../core/templates/scanner-deployment.yaml | 39 +- .../core/templates/serviceaccount-least.yaml | 76 + .../charts/core/templates/serviceaccount.yaml | 3 +- .../core/templates/updater-cronjob.yaml | 20 +- .../core/templates/upgrader-cronjob.yaml | 84 + .../charts/core/templates/upgrader-lease.yaml | 8 + .../neuvector/charts/core/values.schema.json | 1689 +++++++++++++++++ .../neuvector/charts/core/values.yaml | 376 +++- charts/neuvector/neuvector/values.yaml | 307 ++- 56 files changed, 5673 insertions(+), 512 deletions(-) create mode 100644 charts/neuvector/neuvector/charts/core/templates/bootstrap-secret.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/cert-manager-secret.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/clusterrolebinding-least.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/controller-lease.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/controller-secret.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/crd-role-least.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/crd-role.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/crd-webhook-service.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/csp-clusterrole.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/csp-clusterrolebinding.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/csp-crd.yaml create mode 100644 
charts/neuvector/neuvector/charts/core/templates/csp-deployment.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/csp-role.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/csp-rolebinding.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/csp-serviceaccount.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/manager-secret.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/registry-adapter-ingress.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/registry-adapter-secret.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/registry-adapter.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/role-least.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/role.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/rolebinding-least.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/serviceaccount-least.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/upgrader-cronjob.yaml create mode 100644 charts/neuvector/neuvector/charts/core/templates/upgrader-lease.yaml create mode 100644 charts/neuvector/neuvector/charts/core/values.schema.json
diff --git a/charts/neuvector/config b/charts/neuvector/config
index 3a52cf6fc..aed3fedc6 100644
--- a/charts/neuvector/config
+++ b/charts/neuvector/config
@@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false
 export REPO_URL=https://neuvector.github.io/neuvector-helm
 export REPO_NAME=neuvector
 export CHART_NAME=core
-export VERSION=2.4.2
+export VERSION=2.8.3
 # pr, issue, none
 export UPGRADE_METHOD=pr
diff --git a/charts/neuvector/neuvector/Chart.yaml b/charts/neuvector/neuvector/Chart.yaml
index 14959a59f..8ad55b061 100644
--- a/charts/neuvector/neuvector/Chart.yaml
+++ b/charts/neuvector/neuvector/Chart.yaml
@@ -1,17 +1,19 @@
 apiVersion: v1
-appVersion: 5.1.1
+appVersion: 5.4.1
 description: Helm chart for NeuVector's core services
-engine: gotpl
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
 maintainers:
   - email: support@neuvector.com
     name: becitsthere
 name: neuvector
-version: 2.4.2
+sources:
+  - https://github.com/neuvector/neuvector
+  - https://github.com/neuvector/neuvector-helm
+version: 2.8.3
 dependencies:
   - name: core
-    version: "2.4.2"
+    version: "2.8.3"
     repository: "https://neuvector.github.io/neuvector-helm"
 keywords:
   - monitoring
diff --git a/charts/neuvector/neuvector/README.md b/charts/neuvector/neuvector/README.md
index 36a3a01f3..cacd69b06 100644
--- a/charts/neuvector/neuvector/README.md
+++ b/charts/neuvector/neuvector/README.md
@@ -6,7 +6,7 @@ Helm chart for NeuVector container security's core services.
 Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set `crdwebhook.enabled` to false, if you use the new 'crd' chart.
 ## Choosing container runtime
-The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively.
+Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more.
 ## Configuration
@@ -19,15 +19,42 @@ Parameter | Description | Default | Notes `tag` | image tag for controller enforcer manager | `latest` | `oem` | OEM release name | `nil` | `imagePullSecrets` | image pull secret | `nil` | -`rbac` | NeuVector RBAC manifests are installed when rbac is enabled | `true` | +`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. | `psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | `serviceAccount` | Service account name for NeuVector components | `default` | +`leastPrivilege` | Use least privileged service account | `false` | +`bootstrapPassword` | Set password for admin user account if present | `false` | Random password generated if aws billing is enabled +`autoGenerateCert` | Automatically generate certificate or not | `true` | +`internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` | +`internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` | +`internal.autoGenerateCert` | Automatically generate internal certificate or not | `true` | +`internal.autoRotateCert` | Automatically rotate internal certificate or not | `false` | +`defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` | +`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` | +`global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. 
+`global.aws.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction +`global.aws.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction +`global.aws.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction +`global.aws.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction +`global.aws.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction +`global.aws.image.tag` | csp adapter image tag | `latest` | Follow AWS subscription instruction +`global.aws.image.digest` | csp adapter image digest | `nil` | Follow AWS subscription instruction +`global.aws.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction +`global.azure.enabled` | If true, install Azure billing csp adapter | `false` | **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. 
+`global.azure.serviceAccount` | Service account name for csp adapter | `csp` | Follow Azure subscription instruction +`global.azure.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.registry` | csp adapter image registry | `susellcforazuremarketplace.azurecr.io` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.image` | csp adapter image repository | `neuvector-billing-azure-by-suse-llc` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction `controller.enabled` | If true, create controller | `true` | +`controller.prime.enabled` | NeuVector prime deployment | `false` | `controller.image.repository` | controller image repository | `neuvector/controller` | `controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `controller.replicas` | controller replicas | `3` | `controller.schedulerName` | kubernetes scheduler name | `nil` | `controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | +`controller.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | `controller.tolerations` | List of node taints to tolerate | `nil` | `controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml) `controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | 
@@ -36,11 +63,13 @@ Parameter | Description | Default | Notes `controller.podLabels` | Specify the pod labels. | `{}` | `controller.podAnnotations` | Specify the pod annotations. | `{}` | `controller.env` | User-defined environment variables for controller. | `[]` | -`controller.ranchersso.enabled` | If true, enable Rancher single sign on | `false` | Rancher server address auto configured.| +`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. | `controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi -`controller.pvc.existingClaim` | Boolean value to specify if there is an existing PVC claim. If true, pvc in the helm chart is not used. | `false` | +`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` | +`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` | `controller.pvc.storageClass` | Storage Class to be used | `default` | `controller.pvc.capacity` | Storage capacity | `1Gi` | +`controller.searchRegistries` | Custom search registries for Admission control | `nil` | `controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | `controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | `controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | 
@@ -56,7 +85,12 @@ Parameter | Description | Default | Notes `controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` | `controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` | `controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` | -`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.mastersvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.mastersvc.clusterIP` | Set clusterIP to be used for mastersvc | `nil` | +`controller.federation.mastersvc.nodePort` | Define a nodePort for mastersvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.mastersvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for mastersvc | `nil` | +`controller.federation.mastersvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for mastersvc | `nil` | `controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` | `controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` | `controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` | 
@@ -73,6 +107,11 @@ Parameter | Description | Default | Notes `controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. `controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) `controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.managedsvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.managedsvc.clusterIP` | Set clusterIP to be used for managedsvc | `nil` | +`controller.federation.managedsvc.nodePort` | Define a nodePort for managedsvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.managedsvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for managedsvc | `nil` | +`controller.federation.managedsvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for managedsvc | `nil` | `controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | `controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | `controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` | 
@@ -99,6 +138,17 @@ Parameter | Description | Default | Notes `controller.configmap.data` | NeuVector configuration in YAML format | `{}` `controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` `controller.secret.data` | NeuVector configuration in key/value pair format | `{}` +`controller.internal.certificate.secret` | Secret name to be used for custom controller internal certificate | `nil` | +`controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` | +`controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` | +`controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` | +`controller.certupgrader.env` | User-defined environment variables. | `[]` | +`controller.certupgrader.schedule` | cert upgrader schedule. Leave empty to disable | `` | +`controller.certupgrader.priorityClassName` | cert upgrader priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.certupgrader.podLabels` | Specify the pod labels. | `{}` | +`controller.certupgrader.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` | `enforcer.enabled` | If true, create enforcer | `true` | `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | `enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | 
@@ -106,8 +156,13 @@ Parameter | Description | Default | Notes `enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | `enforcer.podLabels` | Specify the pod labels. | `{}` | `enforcer.podAnnotations` | Specify the pod annotations. | `{}` | +`enforcer.env` | User-defined environment variables for enforcers. | `[]` | `enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default `enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml) +`enforcer.internal.certificate.secret` | Secret name to be used for custom enforcer internal certificate | `nil` | +`enforcer.internal.certificate.keyFile` | Set PEM format key file for custom enforcer internal certificate | `tls.key` | +`enforcer.internal.certificate.pemFile` | Set PEM format certificate file for custom enforcer internal certificate | `tls.crt` | +`enforcer.internal.certificate.caFile` | Set CA certificate file for enforcer custom internal certificate | `ca.crt` | `manager.enabled` | If true, create manager | `true` | `manager.image.repository` | manager image repository | `neuvector/manager` | `manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | @@ -115,6 +170,13 @@ Parameter | Description | Default | Notes `manager.podLabels` | Specify the pod labels. | `{}` | `manager.podAnnotations` | Specify the pod annotations. | `{}` | `manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | +`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` | +` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. | +` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. | +` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) | +` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) | `manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google `manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | `manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml) 
@@ -137,45 +199,101 @@ Parameter | Description | Default | Notes `manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml) `manager.affinity` | manager affinity rules | `{}` | +`manager.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | `manager.tolerations` | List of node taints to tolerate | `nil` | `manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `manager.runAsUser` | Specify the run as User ID | `nil` | +`manager.probes.enabled` | enabled startup, liveness and readiness probes | 1 | +`manager.probes.timeout` | timeout for startup, liveness and readiness probes | 1 | +`manager.probes.periodSeconds` | periodSeconds for startup, liveness and readiness probes | 10 | +`manager.probes.startupFailureThreshold` | failure threshold for startup probe | 30 | +`cve.adapter.enabled` | If true, create registry adapter | `true` | +`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` | +`cve.adapter.image.tag` | registry adapter image tag | | +`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.adapter.podLabels` | Specify the pod labels. | `{}` | +`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.adapter.env` | User-defined environment variables for adapter. | `[]` | +`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](values.yaml) +`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` | +`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | | +`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` | +`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` | +`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` | +`cve.adapter.certificate.pemFile` | Replace registry adapter certificate crt file | `tls.crt` | +`cve.adapter.ingress.enabled` | If true, create ingress, 
must also set ingress host value | `false` | enable this if ingress controller is installed +`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) +`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`. +`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](values.yaml) +`cve.adapter.affinity` | registry adapter affinity rules | `{}` | +`cve.adapter.tolerations` | List of node taints to tolerate | `nil` | +`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.adapter.runAsUser` | Specify the run as User ID | `nil` | +`cve.adapter.internal.certificate.secret` | Secret name to be used for custom registry adapter internal certificate | `nil` | +`cve.adapter.internal.certificate.keyFile` | Set PEM format key file for custom registry adapter internal certificate | `tls.key` | +`cve.adapter.internal.certificate.pemFile` | Set PEM format certificate file for custom registry adapter internal certificate | `tls.crt` | +`cve.adapter.internal.certificate.caFile` | Set CA certificate file for registry adapter custom internal certificate | `ca.crt` | `cve.updater.enabled` | If true, create cve updater | 
`true` | -`cve.updater.secure` | If ture, API server's certificate is validated | `false` | +`cve.updater.secure` | If true, API server's certificate is validated | `false` | +`cve.updater.cacert` | If set, use this ca file to validate API server's certificate | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` | +`cve.updater.image.registry` | cve updater image registry to overwrite global registry | | `cve.updater.image.repository` | cve updater image repository | `neuvector/updater` | `cve.updater.image.tag` | image tag for cve updater | `latest` | `cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.updater.resources` | Add resources requests and limits to updater cronjob | `{}` | see examples in [values.yaml](values.yaml) `cve.updater.podLabels` | Specify the pod labels. | `{}` | `cve.updater.podAnnotations` | Specify the pod annotations. | `{}` | `cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` | `cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `cve.updater.runAsUser` | Specify the run as User ID | `nil` | `cve.scanner.enabled` | If true, cve scanners will be deployed | `true` | +`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | | `cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` | `cve.scanner.image.tag` | cve scanner image tag | `latest` | `cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | `cve.scanner.podLabels` | Specify the pod labels. | `{}` | `cve.scanner.podAnnotations` | Specify the pod annotations. 
| `{}` | +`cve.scanner.env` | User-defined environment variables for scanner. | `[]` | `cve.scanner.replicas` | external scanner replicas | `3` | `cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | `cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) | `cve.scanner.affinity` | scanner affinity rules | `{}` | +`cve.scanner.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | `cve.scanner.tolerations` | List of node taints to tolerate | `nil` | `cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `cve.scanner.runAsUser` | Specify the run as User ID | `nil` | -`docker.path` | docker path | `/var/run/docker.sock` | -`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s and rke clusters, set k3s.enabled to true instead -`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | -`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | -`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | -`k3s.enabled` | Set to true for k3s or rke2 | `false` | -`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | -`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | -`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | +`cve.scanner.internal.certificate.secret` | Secret name to be used for custom scanner internal certificate | `nil` | +`cve.scanner.internal.certificate.keyFile` | Set PEM format key file for custom scanner internal certificate | `tls.key` | 
+`cve.scanner.internal.certificate.pemFile` | Set PEM format certificate file for custom scanner internal certificate | `tls.crt` | +`cve.scanner.internal.certificate.caFile` | Set CA certificate file for scanner custom internal certificate | `ca.crt` | +`runtimePath` | container runtime socket path, if it's not at the default location. | `` | +`docker.path` | docker path | `/var/run/docker.sock` | Deprecated in 5.3.0 +`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | Deprecated in 5.3.0. Prior to 5.3.0, for k3s and rke clusters, set k3s.enabled to true instead +`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | Deprecated in 5.3.0. +`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | Deprecated in 5.3.0. +`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | Deprecated in 5.3.0. +`k3s.enabled` | Set to true for k3s or rke2 | `false` | Deprecated in 5.3.0. +`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | Deprecated in 5.3.0. +`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | Deprecated in 5.3.0. +`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | Deprecated in 5.3.0. `admissionwebhook.type` | admission webhook type | `ClusterIP` | -`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` | +`crdwebhooksvc.enabled` | Enable crd service | `true` | +`crdwebhook.enabled` | Create crd resources | `true` | `crdwebhook.type` | crd webhook type | `ClusterIP` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
diff --git a/charts/neuvector/neuvector/charts/core/Chart.yaml b/charts/neuvector/neuvector/charts/core/Chart.yaml
index a94e15e58..c9a4a4f1c 100644
--- a/charts/neuvector/neuvector/charts/core/Chart.yaml
+++ b/charts/neuvector/neuvector/charts/core/Chart.yaml
@@ -1,11 +1,13 @@
 apiVersion: v1
-appVersion: 5.1.1
+appVersion: 5.4.1
 description: Helm chart for NeuVector's core services
-engine: gotpl
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
 maintainers:
 - email: support@neuvector.com
   name: becitsthere
 name: core
-version: 2.4.2
+sources:
+- https://github.com/neuvector/neuvector
+- https://github.com/neuvector/neuvector-helm
+version: 2.8.3
diff --git a/charts/neuvector/neuvector/charts/core/README.md b/charts/neuvector/neuvector/charts/core/README.md
index 36a3a01f3..cacd69b06 100644
--- a/charts/neuvector/neuvector/charts/core/README.md
+++ b/charts/neuvector/neuvector/charts/core/README.md
@@ -6,7 +6,7 @@ Helm chart for NeuVector container security's core services.
 Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set `crdwebhook.enabled` to false, if you use the new 'crd' chart.
 ## Choosing container runtime
-The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively.
+Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more.
 ## Configuration
@@ -19,15 +19,42 @@ Parameter | Description | Default | Notes `tag` | image tag for controller enforcer manager | `latest` | `oem` | OEM release name | `nil` | `imagePullSecrets` | image pull secret | `nil` | -`rbac` | NeuVector RBAC manifests are installed when rbac is enabled | `true` | +`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. | `psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | `serviceAccount` | Service account name for NeuVector components | `default` | +`leastPrivilege` | Use least privileged service account | `false` | +`bootstrapPassword` | Set password for admin user account if present | `false` | Random password generated if aws billing is enabled +`autoGenerateCert` | Automatically generate certificate or not | `true` | +`internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` | +`internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` | +`internal.autoGenerateCert` | Automatically generate internal certificate or not | `true` | +`internal.autoRotateCert` | Automatically rotate internal certificate or not | `false` | +`defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` | +`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` | +`global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. 
+`global.aws.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction +`global.aws.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction +`global.aws.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction +`global.aws.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction +`global.aws.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction +`global.aws.image.tag` | csp adapter image tag | `latest` | Follow AWS subscription instruction +`global.aws.image.digest` | csp adapter image digest | `nil` | Follow AWS subscription instruction +`global.aws.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction +`global.azure.enabled` | If true, install Azure billing csp adapter | `false` | **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. 
+`global.azure.serviceAccount` | Service account name for csp adapter | `csp` | Follow Azure subscription instruction +`global.azure.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.registry` | csp adapter image registry | `susellcforazuremarketplace.azurecr.io` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.image` | csp adapter image repository | `neuvector-billing-azure-by-suse-llc` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction `controller.enabled` | If true, create controller | `true` | +`controller.prime.enabled` | NeuVector prime deployment | `false` | `controller.image.repository` | controller image repository | `neuvector/controller` | `controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `controller.replicas` | controller replicas | `3` | `controller.schedulerName` | kubernetes scheduler name | `nil` | `controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | +`controller.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | `controller.tolerations` | List of node taints to tolerate | `nil` | `controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml) `controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | 
@@ -36,11 +63,13 @@ Parameter | Description | Default | Notes `controller.podLabels` | Specify the pod labels. | `{}` | `controller.podAnnotations` | Specify the pod annotations. | `{}` | `controller.env` | User-defined environment variables for controller. | `[]` | -`controller.ranchersso.enabled` | If true, enable Rancher single sign on | `false` | Rancher server address auto configured.| +`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. | `controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi -`controller.pvc.existingClaim` | Boolean value to specify if there is an existing PVC claim. If true, pvc in the helm chart is not used. | `false` | +`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` | +`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` | `controller.pvc.storageClass` | Storage Class to be used | `default` | `controller.pvc.capacity` | Storage capacity | `1Gi` | +`controller.searchRegistries` | Custom search registries for Admission control | `nil` | `controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | `controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | `controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | 
@@ -56,7 +85,12 @@ Parameter | Description | Default | Notes `controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` | `controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` | `controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` | -`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.mastersvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.mastersvc.clusterIP` | Set clusterIP to be used for mastersvc | `nil` | +`controller.federation.mastersvc.nodePort` | Define a nodePort for mastersvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.mastersvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for mastersvc | `nil` | +`controller.federation.mastersvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for mastersvc | `nil` | `controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` | `controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` | `controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` | 
@@ -73,6 +107,11 @@ Parameter | Description | Default | Notes `controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. `controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) `controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.managedsvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.managedsvc.clusterIP` | Set clusterIP to be used for managedsvc | `nil` | +`controller.federation.managedsvc.nodePort` | Define a nodePort for managedsvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.managedsvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for managedsvc | `nil` | +`controller.federation.managedsvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for managedsvc | `nil` | `controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | `controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | `controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` | 
@@ -99,6 +138,17 @@ Parameter | Description | Default | Notes `controller.configmap.data` | NeuVector configuration in YAML format | `{}` `controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` `controller.secret.data` | NeuVector configuration in key/value pair format | `{}` +`controller.internal.certificate.secret` | Secret name to be used for custom controller internal certificate | `nil` | +`controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` | +`controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` | +`controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` | +`controller.certupgrader.env` | User-defined environment variables. | `[]` | +`controller.certupgrader.schedule` | cert upgrader schedule. Leave empty to disable | `` | +`controller.certupgrader.priorityClassName` | cert upgrader priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.certupgrader.podLabels` | Specify the pod labels. | `{}` | +`controller.certupgrader.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` | `enforcer.enabled` | If true, create enforcer | `true` | `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | `enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | 
@@ -106,8 +156,13 @@ Parameter | Description | Default | Notes `enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | `enforcer.podLabels` | Specify the pod labels. | `{}` | `enforcer.podAnnotations` | Specify the pod annotations. | `{}` | +`enforcer.env` | User-defined environment variables for enforcers. | `[]` | `enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default `enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml) +`enforcer.internal.certificate.secret` | Secret name to be used for custom enforcer internal certificate | `nil` | +`enforcer.internal.certificate.keyFile` | Set PEM format key file for custom enforcer internal certificate | `tls.key` | +`enforcer.internal.certificate.pemFile` | Set PEM format certificate file for custom enforcer internal certificate | `tls.crt` | +`enforcer.internal.certificate.caFile` | Set CA certificate file for enforcer custom internal certificate | `ca.crt` | `manager.enabled` | If true, create manager | `true` | `manager.image.repository` | manager image repository | `neuvector/manager` | `manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | @@ -115,6 +170,13 @@ Parameter | Description | Default | Notes `manager.podLabels` | Specify the pod labels. | `{}` | `manager.podAnnotations` | Specify the pod annotations. | `{}` | `manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | +`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` | +` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. | +` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. | +` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) | +` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) | `manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google `manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | `manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml) 
@@ -137,45 +199,101 @@ Parameter | Description | Default | Notes `manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml) `manager.affinity` | manager affinity rules | `{}` | +`manager.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | `manager.tolerations` | List of node taints to tolerate | `nil` | `manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `manager.runAsUser` | Specify the run as User ID | `nil` | +`manager.probes.enabled` | enabled startup, liveness and readiness probes | 1 | +`manager.probes.timeout` | timeout for startup, liveness and readiness probes | 1 | +`manager.probes.periodSeconds` | periodSeconds for startup, liveness and readiness probes | 10 | +`manager.probes.startupFailureThreshold` | failure threshold for startup probe | 30 | +`cve.adapter.enabled` | If true, create registry adapter | `true` | +`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` | +`cve.adapter.image.tag` | registry adapter image tag | | +`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.adapter.podLabels` | Specify the pod labels. | `{}` | +`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.adapter.env` | User-defined environment variables for adapter. | `[]` | +`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](values.yaml) +`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` | +`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | | +`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` | +`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` | +`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` | +`cve.adapter.certificate.pemFile` | Replace registry adapter certificate crt file | `tls.crt` | +`cve.adapter.ingress.enabled` | If true, create ingress, 
must also set ingress host value | `false` | enable this if ingress controller is installed +`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) +`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`. +`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](values.yaml) +`cve.adapter.affinity` | registry adapter affinity rules | `{}` | +`cve.adapter.tolerations` | List of node taints to tolerate | `nil` | +`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.adapter.runAsUser` | Specify the run as User ID | `nil` | +`cve.adapter.internal.certificate.secret` | Secret name to be used for custom registry adapter internal certificate | `nil` | +`cve.adapter.internal.certificate.keyFile` | Set PEM format key file for custom registry adapter internal certificate | `tls.key` | +`cve.adapter.internal.certificate.pemFile` | Set PEM format certificate file for custom registry adapter internal certificate | `tls.crt` | +`cve.adapter.internal.certificate.caFile` | Set CA certificate file for registry adapter custom internal certificate | `ca.crt` | `cve.updater.enabled` | If true, create cve updater | 
`true` | -`cve.updater.secure` | If ture, API server's certificate is validated | `false` | +`cve.updater.secure` | If true, API server's certificate is validated | `false` | +`cve.updater.cacert` | If set, use this ca file to validate API server's certificate | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` | +`cve.updater.image.registry` | cve updater image registry to overwrite global registry | | `cve.updater.image.repository` | cve updater image repository | `neuvector/updater` | `cve.updater.image.tag` | image tag for cve updater | `latest` | `cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.updater.resources` | Add resources requests and limits to updater cronjob | `{}` | see examples in [values.yaml](values.yaml) `cve.updater.podLabels` | Specify the pod labels. | `{}` | `cve.updater.podAnnotations` | Specify the pod annotations. | `{}` | `cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` | `cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `cve.updater.runAsUser` | Specify the run as User ID | `nil` | `cve.scanner.enabled` | If true, cve scanners will be deployed | `true` | +`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | | `cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` | `cve.scanner.image.tag` | cve scanner image tag | `latest` | `cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | `cve.scanner.podLabels` | Specify the pod labels. | `{}` | `cve.scanner.podAnnotations` | Specify the pod annotations. 
| `{}` | +`cve.scanner.env` | User-defined environment variables for scanner. | `[]` | `cve.scanner.replicas` | external scanner replicas | `3` | `cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | `cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) | `cve.scanner.affinity` | scanner affinity rules | `{}` | +`cve.scanner.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | `cve.scanner.tolerations` | List of node taints to tolerate | `nil` | `cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `cve.scanner.runAsUser` | Specify the run as User ID | `nil` | -`docker.path` | docker path | `/var/run/docker.sock` | -`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s and rke clusters, set k3s.enabled to true instead -`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | -`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | -`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | -`k3s.enabled` | Set to true for k3s or rke2 | `false` | -`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | -`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | -`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | +`cve.scanner.internal.certificate.secret` | Secret name to be used for custom scanner internal certificate | `nil` | +`cve.scanner.internal.certificate.keyFile` | Set PEM format key file for custom scanner internal certificate | `tls.key` | 
+`cve.scanner.internal.certificate.pemFile` | Set PEM format certificate file for custom scanner internal certificate | `tls.crt` | +`cve.scanner.internal.certificate.caFile` | Set CA certificate file for scanner custom internal certificate | `ca.crt` | +`runtimePath` | container runtime socket path, if it's not at the default location. | `` | +`docker.path` | docker path | `/var/run/docker.sock` | Deprecated in 5.3.0 +`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | Deprecated in 5.3.0. Prior to 5.3.0, for k3s and rke clusters, set k3s.enabled to true instead +`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | Deprecated in 5.3.0. +`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | Deprecated in 5.3.0. +`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | Deprecated in 5.3.0. +`k3s.enabled` | Set to true for k3s or rke2 | `false` | Deprecated in 5.3.0. +`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | Deprecated in 5.3.0. +`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | Deprecated in 5.3.0. +`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | Deprecated in 5.3.0. `admissionwebhook.type` | admission webhook type | `ClusterIP` | -`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` | +`crdwebhooksvc.enabled` | Enable crd service | `true` | +`crdwebhook.enabled` | Create crd resources | `true` | `crdwebhook.type` | crd webhook type | `ClusterIP` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
diff --git a/charts/neuvector/neuvector/charts/core/templates/NOTES.txt b/charts/neuvector/neuvector/charts/core/templates/NOTES.txt
index e79b2cc21..f2492a0f1 100644
--- a/charts/neuvector/neuvector/charts/core/templates/NOTES.txt
+++ b/charts/neuvector/neuvector/charts/core/templates/NOTES.txt
@@ -1,6 +1,9 @@
 {{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}
 From outside the cluster, the NeuVector URL is:
 http://{{ .Values.manager.ingress.host }}
+{{- else if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.tls}}
+From outside the cluster, the NeuVector URL is:
+https://{{ .Values.manager.ingress.host }}
 {{- else if not .Values.openshift }}
 Get the NeuVector URL by running these commands:
 {{- if contains "NodePort" .Values.manager.svc.type }}
@@ -17,4 +20,15 @@ Get the NeuVector URL by running these commands:
 SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
 echo https://$SERVICE_IP:8443
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+
+
+{{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }}
+
+NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. The password is randomly generated during the deployment if AWS cloud billing is enabled.
+
+To get the bootstrap password:
+
+kubectl get secret --namespace {{ .Release.Namespace }} neuvector-bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}'
+
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/templates/_helpers.tpl b/charts/neuvector/neuvector/charts/core/templates/_helpers.tpl
index c0cc49294..8a598d323 100644
--- a/charts/neuvector/neuvector/charts/core/templates/_helpers.tpl
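Review bot: The new `else if` branch in the first hunk is unreachable: its condition only adds `.Values.manager.ingress.tls` to the condition of the preceding `if and .Values.manager.enabled .Values.manager.ingress.enabled`, so whenever it would hold the first branch has already matched and the https URL is never printed. Put the narrower test first: `{{- if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.tls }}` printing `https://{{ .Values.manager.ingress.host }}`, followed by `{{- else if and .Values.manager.enabled .Values.manager.ingress.enabled }}` printing the http form. In the second hunk the NOTE paragraph is one run-on sentence; I would split it after "admin account" into `This applies to a fresh install (not a restore from PVC) where no admin password is set in the configmap or secret.`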
+++ b/charts/neuvector/neuvector/charts/core/templates/_helpers.tpl
@@ -30,3 +30,39 @@ Create chart name and version as used by the chart label.
 {{- define "neuvector.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Lookup secret.
+*/}}
+{{- define "neuvector.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "neuvector.controller.image" -}}
+{{- if .Values.global.azure.enabled }}
+ {{- printf "%s/%s:%s" .Values.global.azure.images.controller.registry .Values.global.azure.images.controller.image .Values.global.azure.images.controller.tag }}
+{{- else }}
+ {{- if eq .Values.registry "registry.neuvector.com" }}
+ {{- if .Values.oem }}
+ {{- printf "%s/%s/controller:%s" .Values.registry .Values.oem .Values.tag }}
+ {{- else }}
+ {{- printf "%s/controller:%s" .Values.registry .Values.tag }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.controller.image.hash }}
+ {{- printf "%s/%s@%s" .Values.registry .Values.controller.image.repository .Values.controller.image.hash }}
+ {{- else }}
+ {{- printf "%s/%s:%s" .Values.registry .Values.controller.image.repository .Values.tag }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neuvector/neuvector/charts/core/templates/admission-webhook-service.yaml b/charts/neuvector/neuvector/charts/core/templates/admission-webhook-service.yaml
index 8a0a76aaa..6a1bfa63f 100644
--- a/charts/neuvector/neuvector/charts/core/templates/admission-webhook-service.yaml
+++ b/charts/neuvector/neuvector/charts/core/templates/admission-webhook-service.yaml
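Review bot: `neuvector.controller.image` drops `controller.image.hash` whenever `.Values.registry` equals `registry.neuvector.com`: only the other-registry branch checks the hash, so a digest pin is silently replaced by a mutable `:tag` reference for the default registry, which contradicts the README row "If present it overwrites the image tag value". Either test the hash before the registry comparison in that branch or document the limitation next to `controller.image.hash` in the README. The header comment on `neuvector.secrets.lookup` also says nothing about what a caller receives; I would replace `Lookup secret.` with `Return the base64 value of .key from Secret .secret in .namespace, or b64enc of .defaultValue when the key is absent. lookup returns an empty result under helm template / --dry-run, so the default path is taken there.`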
@@ -6,7 +6,6 @@ metadata:
 labels:
 chart: {{ template "neuvector.chart" . }}
 release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
 spec:
 ports:
 - port: 443
diff --git a/charts/neuvector/neuvector/charts/core/templates/bootstrap-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/bootstrap-secret.yaml
new file mode 100644
index 000000000..23dc67a1d
--- /dev/null
+++ b/charts/neuvector/neuvector/charts/core/templates/bootstrap-secret.yaml
@@ -0,0 +1,19 @@
+{{/* Use the bootstrap password from values.yaml or random value*/}}
+{{- $bootstrapPassword := .Values.bootstrapPassword -}}
+{{- if and .Values.global.aws.enabled (not .Values.bootstrapPassword) -}}
+ {{- $bootstrapPassword = randAlphaNum 18 -}}
+{{- end -}}
+{{/* If a bootstrap password was found in the values or AWS is enabled */}}
+{{- if $bootstrapPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "neuvector-bootstrap-secret"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+type: Opaque
+data:
+ bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }}
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/templates/cert-manager-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/cert-manager-secret.yaml
new file mode 100644
index 000000000..3692886b4
--- /dev/null
+++ b/charts/neuvector/neuvector/charts/core/templates/cert-manager-secret.yaml
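Review bot: `randAlphaNum 18` in the bootstrap-secret hunk runs on every render, so with `global.aws.enabled` set and no `bootstrapPassword` given, each `helm upgrade` rewrites `neuvector-bootstrap-secret` with a fresh value; if the password is only consumed on a fresh install, as the NOTES text in this commit says, the command NOTES prints afterwards returns a value that no longer matches the admin account. The `neuvector.secrets.lookup` helper added to `_helpers.tpl` in the same commit covers exactly this case; reuse the stored value and fall back to a new random one only when the secret does not exist yet: `{{- $bootstrapPassword = include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-bootstrap-secret" "key" "bootstrapPassword" "defaultValue" (randAlphaNum 18)) | b64dec -}}` (the helper returns base64, so the `b64enc |quote` on the `data` line stays as it is). Whether the controller re-reads this secret on upgrade is not visible here; confirm that before relying on the regenerated value.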
@@ -0,0 +1,33 @@ +{{- if .Values.internal.certmanager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + duration: 17520h # 2 years + subject: + organizations: + - NeuVector + isCA: true + commonName: neuvector.internal + dnsNames: + - neuvector.internal + - NeuVector + secretName: {{ .Values.internal.certmanager.secretname }} + usages: + - digital signature + - key encipherment + issuerRef: + group: cert-manager.io + kind: Issuer + name: {{ .Values.internal.certmanager.secretname }} +{{- end }} \ No newline at end of file diff --git a/charts/neuvector/neuvector/charts/core/templates/clusterrole.yaml b/charts/neuvector/neuvector/charts/core/templates/clusterrole.yaml index cce7a8254..49228b70c 100644 --- a/charts/neuvector/neuvector/charts/core/templates/clusterrole.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/clusterrole.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} rules: - apiGroups: - "" @@ -44,7 +43,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} rules: {{- if .Values.openshift }} - apiGroups: @@ -83,7 +81,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} rules: - apiGroups: - admissionregistration.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} rules: - apiGroups: - config.openshift.io 
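Review bot: The Certificate named `{{ .Values.internal.certmanager.secretname }}` is `isCA: true` and signed by a `selfSigned` Issuer, and as far as the controller-deployment hunks suggest its Secret is also mounted as the controller's own internal key and certificate, so one key pair is both the trust anchor and the endpoint identity — whoever holds that Secret can mint further certificates every peer pinning `ca.pem` will accept. The conventional cert-manager shape is a self-signed CA Certificate feeding a second `Issuer` of kind `CA`, plus a leaf Certificate with `isCA: false` and `usages` that include `server auth` and `client auth` (the current list has neither EKU). `NeuVector` under `dnsNames` is not a hostname and should be dropped, and the file is missing its trailing newline.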
diff --git a/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding-least.yaml b/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding-least.yaml new file mode 100644 index 000000000..edb1007fd --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding-least.yaml 
@@ -0,0 +1,145 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding.yaml b/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding.yaml index 70596a2b3..4ea258c09 100644 --- a/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac -}} +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
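Review bot: The `leastPrivilege` binding set still binds the built-in `view` ClusterRole cluster-wide to the `controller` service account (`name: view` under `neuvector-binding-view`); `view` reads every ConfigMap in every namespace, and ConfigMaps routinely carry credentials, which is broad for a path advertised as least-privilege. If the controller only needs workload metadata, a chart-owned ClusterRole listing the resources it actually reads would be tighter — the role definitions are outside this hunk, so I cannot say which verbs are required. The `{{- else }} apiVersion: v1` fallback for clusters older than 1.8 renders an invalid ClusterRoleBinding on any cluster this chart can run on and could be removed.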
@@ -134,7 +130,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/neuvector/neuvector/charts/core/templates/controller-deployment.yaml b/charts/neuvector/neuvector/charts/core/templates/controller-deployment.yaml index 99f4b5643..6bb8e6821 100644 --- a/charts/neuvector/neuvector/charts/core/templates/controller-deployment.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/controller-deployment.yaml @@ -1,3 +1,11 @@ +{{- $pre530 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} +{{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.controller.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 @@ -11,7 +19,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} {{- with .Values.controller.annotations }} annotations: {{ toYaml . | indent 4 }} 
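Review bot: `$pre530` and `$pre540` derive the privileged/hostPath gating from `.Values.tag`, but when `controller.image.hash` is set the tag is not part of the image reference, so a digest-pinned older controller renders with the unprivileged, socket-less layout, while a non-semver tag such as `latest` is treated as new. At minimum document this beside the checks, e.g. `{{/* version gating uses .Values.tag only; keep the tag accurate when pinning by hash or using a non-semver tag */}}`. The names also mislead: `$pre530` guards `<5.2.10-0` and `$pre540` guards `<5.3.10-0`, so `$pre5210`/`$pre5310` (or a comment giving the thresholds) would help the next reader.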
@@ -32,10 +39,19 @@ spec: {{- with .Values.controller.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.controller.podAnnotations }} annotations: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- if .Values.controller.secret.enabled }} + checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.configmap.enabled }} + checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} + checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} spec: {{- if .Values.controller.affinity }} affinity: @@ -44,6 +60,10 @@ spec: {{- if .Values.controller.tolerations }} tolerations: {{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} {{- end }} {{- if .Values.controller.nodeSelector }} nodeSelector: 
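Review bot: `checksum/init-secret` and `checksum/controller-secret` place an unsalted sha256 of the fully rendered Secret manifest, payload included, into pod-template annotations readable by anyone with `get pods` or `get deployments`; for a low-entropy value such as an operator-chosen password in `neuvector-init` that is an offline guessing oracle even where Secret reads are denied. The restart-on-change behaviour is useful, so either make these two annotations opt-out through a value and document the exposure, or hash only the non-secret inputs that drive a change. `checksum/init-configmap` carries no such concern.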
@@ -59,25 +79,52 @@ spec: {{- if .Values.controller.priorityClassName }} priorityClassName: {{ .Values.controller.priorityClassName }} {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: controller + serviceAccount: controller + {{- else }} serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} - containers: - - name: neuvector-controller-pod - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}" - {{- else }} - image: "{{ .Values.registry }}/controller:{{ .Values.tag }}" + {{- end }} + initContainers: + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoGenerateCert (not $pre540) }} + - name: init + image: {{ include "neuvector.controller.image" . | quote }} + command: ["/usr/local/bin/upgrader", "create-upgrader-job" ] + imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }} + env: + - name: OVERRIDE_CHECKSUM + value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }} + {{- with .Values.controller.certupgrader.env }} +{{- toYaml . 
| nindent 12 }} {{- end }} + {{- end }} + {{- if .Values.controller.prime.enabled }} + - name: prime-config-container + {{- if .Values.controller.prime.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.controller.prime.image.repository }}@{{ .Values.controller.prime.image.hash }}" {{- else }} - {{- if .Values.controller.image.hash }} - image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}@{{ .Values.controller.image.hash }}" - {{- else }} - image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}" - {{- end }} + image: "{{ .Values.registry }}/{{ .Values.controller.prime.image.repository }}:{{ .Values.controller.prime.image.tag }}" {{- end }} + imagePullPolicy: Always + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /usr/share + name: prime-config + {{- end }} + containers: + - name: neuvector-controller-pod + image: {{ include "neuvector.controller.image" . | quote }} + {{- if $pre530 }} securityContext: privileged: true + {{- else }} + securityContext: + runAsUser: 0 + {{- end }} resources: {{- if .Values.controller.resources }} {{ toYaml .Values.controller.resources | indent 12 }} 
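Review bot: The post-5.2.10 path hard-codes `securityContext: runAsUser: 0` and nothing else, and the new `init` and `prime-config-container` initContainers carry no securityContext at all, so all three run as root with the default capability set and privilege escalation allowed. Unless the controller needs specific capabilities (not visible here), add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` next to `runAsUser: 0`, apply the same to both initContainers, and ideally expose the block as a `controller.securityContext` value so operators can tighten it without forking the chart. `prime-config-container` also uses `imagePullPolicy: Always` with `resources: {}`, unlike the main container, which looks unintended.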
@@ -112,13 +159,37 @@ spec: - name: CTRL_PERSIST_CONFIG value: "1" {{- end }} + {{- if .Values.global.aws.enabled }} + - name: CSP_ENV + value: "aws" + {{- end }} + {{- if .Values.global.azure.enabled }} + - name: CSP_ENV + value: "azure" + {{- end }} + {{- if .Values.global.azure.enabled }} + - name: NO_DEFAULT_ADMIN + value: "1" + {{- end }} + {{- if .Values.controller.searchRegistries }} + - name: CTRL_SEARCH_REGISTRIES + value: "{{ .Values.controller.searchRegistries }}" + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.controller.env }} {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} - mountPath: /var/neuvector name: nv-share readOnly: false + {{- end }} + {{- if $pre530 }} {{- if .Values.containerd.enabled }} - mountPath: /var/run/containerd/containerd.sock {{- else if .Values.k3s.enabled }} 
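Review bot: `CTRL_SEARCH_REGISTRIES` is interpolated inside literal quotes (`value: "{{ .Values.controller.searchRegistries }}"`), so a value containing `"` breaks the manifest; `value: {{ .Values.controller.searchRegistries | quote }}` is the safe form. `CSP_ENV` is emitted twice when both `global.aws.enabled` and `global.azure.enabled` are set, and the last entry wins silently — an `{{- else if }}` chain or a `{{ fail "aws and azure are mutually exclusive" }}` guard would surface the misconfiguration. `NO_DEFAULT_ADMIN` is only set for Azure; if leaving the default admin in place on AWS (with the random bootstrap password) is intentional, a one-line comment saying so would stop the next reader from "fixing" it.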
@@ -138,20 +209,36 @@ spec: - mountPath: /host/cgroup name: cgroup-vol readOnly: true + {{- end }} - mountPath: /etc/config name: config-volume readOnly: true + {{- if .Values.controller.prime.enabled }} + - mountPath: /etc/neuvector/prime/compliance/ + name: prime-config + readOnly: true + {{- end }} {{- if .Values.controller.certificate.secret }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: {{ .Values.controller.certificate.keyFile }} - name: cert + name: usercert readOnly: true - mountPath: /etc/neuvector/certs/ssl-cert.pem subPath: {{ .Values.controller.certificate.pemFile }} + name: usercert + readOnly: true + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem name: cert readOnly: true + {{- else }} {{- end }} - {{- if .Values.controller.internal.certificate.secret }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} - mountPath: /etc/neuvector/certs/internal/cert.key subPath: {{ .Values.controller.internal.certificate.keyFile }} name: internal-cert @@ -164,10 +251,14 @@ spec: subPath: {{ .Values.controller.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} terminationGracePeriodSeconds: 300 restartPolicy: Always volumes: + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} - name: nv-share {{- if .Values.controller.pvc.enabled }} persistentVolumeClaim: 
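Review bot: When `internal.certmanager.enabled` is set, the internal-cert mounts still select `subPath: {{ .Values.controller.internal.certificate.keyFile }}` (and `pemFile`/`caFile`), but cert-manager writes `tls.key`, `tls.crt` and `ca.crt` into its target Secret, so unless the values defaults are exactly those names the controller is started with empty mounts. Either select the subPaths explicitly in a cert-manager branch (`subPath: tls.key`, `tls.crt`, `ca.crt`) or document that `controller.internal.certificate.{keyFile,pemFile,caFile}` must be set to the cert-manager names. The empty `{{- else }}` before `{{- end }}` in the user-cert block is dead and can be removed.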
@@ -177,10 +268,9 @@ spec: secretName: {{ .Values.controller.azureFileShare.secretName }} shareName: {{ .Values.controller.azureFileShare.shareName }} readOnly: false - {{- else }} - hostPath: - path: /var/neuvector {{- end }} + {{- end }} + {{- if $pre530 }} - name: runtime-sock hostPath: {{- if .Values.containerd.enabled }} @@ -200,6 +290,7 @@ spec: - name: cgroup-vol hostPath: path: /sys/fs/cgroup + {{- end }} - name: config-volume projected: sources: @@ -209,15 +300,31 @@ spec: - secret: name: neuvector-init optional: true - {{- if .Values.controller.certificate.secret }} + - secret: + name: neuvector-secret + optional: true + {{- if .Values.controller.prime.enabled }} + - emptyDir: {} + name: prime-config + {{- end }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} - name: cert + secret: + secretName: neuvector-controller-secret + {{- end }} + {{- if .Values.controller.certificate.secret }} + - name: usercert secret: secretName: {{ .Values.controller.certificate.secret }} {{- end }} - {{- if .Values.controller.internal.certificate.secret }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} - name: internal-cert secret: secretName: {{ .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- if gt (int .Values.controller.disruptionbudget) 0 }} --- diff --git a/charts/neuvector/neuvector/charts/core/templates/controller-ingress.yaml b/charts/neuvector/neuvector/charts/core/templates/controller-ingress.yaml index b36fbbdc0..d8bcb32a1 100644 --- a/charts/neuvector/neuvector/charts/core/templates/controller-ingress.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/controller-ingress.yaml 
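Review bot: The `internal-cert` volume is now rendered for the cert-manager case but still points at `secretName: {{ .Values.controller.internal.certificate.secret }}`, whereas the Certificate in cert-manager-secret.yaml writes to `.Values.internal.certmanager.secretname`; nothing in the chart ties the two values together, so they can silently drift. Use `secretName: {{ .Values.internal.certmanager.secretname }}` inside an `{{- if .Values.internal.certmanager.enabled }}` branch so a single value decides both. Dropping the `hostPath: /var/neuvector` fallback is a welcome reduction in host access, but the README should say that without a PVC or Azure file share the controller's config directory is no longer persisted.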
@@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} @@ -50,7 +49,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.ingress.tls }} tls: @@ -85,7 +83,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} @@ -123,7 +120,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.federation.mastersvc.ingress.tls }} tls: @@ -158,7 +154,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} @@ -196,7 +191,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.federation.managedsvc.ingress.tls }} tls: diff --git a/charts/neuvector/neuvector/charts/core/templates/controller-lease.yaml b/charts/neuvector/neuvector/charts/core/templates/controller-lease.yaml new file mode 100644 index 000000000..cccde5479 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/controller-lease.yaml 
@@ -0,0 +1,8 @@ +{{- if .Values.internal.autoGenerateCert }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: neuvector-controller +spec: + leaseTransitions: 0 +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/controller-route.yaml b/charts/neuvector/neuvector/charts/core/templates/controller-route.yaml index 686a77ec4..b80816f13 100644 --- a/charts/neuvector/neuvector/charts/core/templates/controller-route.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/controller-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.apisvc.route.host }} host: {{ .Values.controller.apisvc.route.host }} @@ -45,7 +44,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.federation.mastersvc.route.host }} host: {{ .Values.controller.federation.mastersvc.route.host }} @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.controller.federation.managedsvc.route.host }} host: {{ .Values.controller.federation.managedsvc.route.host }} diff --git a/charts/neuvector/neuvector/charts/core/templates/controller-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/controller-secret.yaml new file mode 100644 index 000000000..fb743c249 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/controller-secret.yaml 
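Review bot: The `neuvector-controller` Lease is rendered with `leaseTransitions: 0` as a chart-managed field, so if the controller increments it at runtime (which the lease is presumably used for), every `helm upgrade` three-way merge resets it to zero. It also omits `namespace: {{ .Release.Namespace }}` and the `chart`/`release` labels every other resource in this chart carries. Consider dropping `leaseTransitions` from the spec and adding the namespace and labels for consistency.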
@@ -0,0 +1,33 @@ +{{- if .Values.controller.enabled -}} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.controller.certificate.key .Values.controller.certificate.certificate }} +{{- $cert = (dict "Key" .Values.controller.certificate.key "Cert" .Values.controller.certificate.certificate ) }} +{{- else }} +{{- $cn := "neuvector" }} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-controller-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +{{- end}} +--- +{{- if .Values.internal.certmanager.enabled }} +{{- else if .Values.internal.autoGenerateCert }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-internal-certs +type: Opaque +{{- end}} +{{- end}} diff --git a/charts/neuvector/neuvector/charts/core/templates/controller-service.yaml b/charts/neuvector/neuvector/charts/core/templates/controller-service.yaml index d4040a78a..4705d491b 100644 --- a/charts/neuvector/neuvector/charts/core/templates/controller-service.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/controller-service.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: clusterIP: None ports: 
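Review bot: Because `neuvector.secrets.lookup` returns whatever is already in `neuvector-controller-secret`, the self-signed certificate is generated once and reused on every upgrade with no check against `defaultValidityPeriod` or the certificate's NotAfter, so it stays in use past expiry until someone deletes the Secret. Helm cannot parse x509, so at least document the rotation procedure above `data:`, e.g. `{{/* Existing cert is reused on upgrade regardless of expiry; delete this Secret or set controller.certificate.{key,certificate} to rotate */}}`. A private key passed through `controller.certificate.key` is also persisted in the Helm release Secret and exposed by `helm get values`, which belongs in the values documentation. The trailing `neuvector-internal-certs` Secret omits `namespace` and the chart labels the other resources carry.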
@@ -36,13 +35,13 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: type: {{ .Values.controller.apisvc.type }} ports: - port: 10443 protocol: "TCP" name: "controller-api" + appProtocol: HTTPS selector: app: neuvector-controller-pod {{ end -}} @@ -60,13 +59,28 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: type: {{ .Values.controller.federation.mastersvc.type }} +{{- if and .Values.controller.federation.mastersvc.loadBalancerIP (eq .Values.controller.federation.mastersvc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.controller.federation.mastersvc.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.clusterIP }} + clusterIP: {{ .Values.controller.federation.mastersvc.clusterIP }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.federation.mastersvc.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.controller.federation.mastersvc.internalTrafficPolicy }} +{{- end }} ports: - port: 11443 name: fed protocol: TCP + appProtocol: HTTPS +{{- if .Values.controller.federation.mastersvc.nodePort }} + nodePort: {{ .Values.controller.federation.mastersvc.nodePort }} +{{- end }} selector: app: neuvector-controller-pod {{ end -}} 
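Review bot: The federation master Service (`port: 11443`, `name: fed`) gains `nodePort`, `loadBalancerIP` and traffic-policy knobs but no `loadBalancerSourceRanges`, so with `type: LoadBalancer` the federation endpoint is reachable from any source the cloud load balancer admits. Add `{{- with .Values.controller.federation.mastersvc.loadBalancerSourceRanges }}` / `loadBalancerSourceRanges: {{ toYaml . | nindent 4 }}` / `{{- end }}` under `spec:`, and the same for `managedsvc` in the following hunk. `appProtocol: HTTPS` on all three ports is a good addition.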
@@ -84,13 +98,28 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: type: {{ .Values.controller.federation.managedsvc.type }} +{{- if and .Values.controller.federation.managedsvc.loadBalancerIP (eq .Values.controller.federation.managedsvc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.controller.federation.managedsvc.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.clusterIP }} + clusterIP: {{ .Values.controller.federation.managedsvc.clusterIP }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.federation.managedsvc.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.controller.federation.managedsvc.internalTrafficPolicy }} +{{- end }} ports: - port: 10443 name: fed protocol: TCP + appProtocol: HTTPS +{{- if .Values.controller.federation.managedsvc.nodePort }} + nodePort: {{ .Values.controller.federation.managedsvc.nodePort }} +{{- end }} selector: app: neuvector-controller-pod {{ end -}} diff --git a/charts/neuvector/neuvector/charts/core/templates/crd-role-least.yaml b/charts/neuvector/neuvector/charts/core/templates/crd-role-least.yaml new file mode 100644 index 000000000..45222a48e --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/crd-role-least.yaml 
@@ -0,0 +1,403 @@ +{{- if .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvcomplianceprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvcomplianceprofiles +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvvulnerabilityprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvvulnerabilityprofiles +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +{{- end }} 
diff --git a/charts/neuvector/neuvector/charts/core/templates/crd-role.yaml b/charts/neuvector/neuvector/charts/core/templates/crd-role.yaml new file mode 100644 index 000000000..ffa029c46 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/crd-role.yaml 
@@ -0,0 +1,403 @@ +{{- if not .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvcomplianceprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvcomplianceprofiles +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvvulnerabilityprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvvulnerabilityprofiles +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +{{- end }} 
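Review bot: The comment above the `neuvector-binding-nvdlpsecurityrules` ClusterRoleBinding reads `# ClusterRoleBinding for NeuVector to manage admission control CRD rules`, a copy of the admission-control binding's comment; it should read `# ClusterRoleBinding for NeuVector to manage dlp CRD rules` (the same slip is in crd-role-least.yaml, whose hunk starts before this chunk). Separately, `neuvector-binding-customresourcedefinition` grants `update`, `watch`, `create` and `get` on every CustomResourceDefinition in the cluster; `get`/`update`/`watch` could be narrowed with a `resourceNames` list of the neuvector.com CRDs, while `create` cannot be name-scoped in Kubernetes RBAC, so that verb stays cluster-wide and deserves a comment saying why. The per-CRD roles here also add `get` to the `list`/`delete` that the inline roles removed from crd.yaml in this commit carried, which is a small privilege change worth a changelog line.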
diff --git a/charts/neuvector/neuvector/charts/core/templates/crd-webhook-service.yaml b/charts/neuvector/neuvector/charts/core/templates/crd-webhook-service.yaml new file mode 100644 index 000000000..bcfcecdb8 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/crd-webhook-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.crdwebhooksvc.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-crd-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + ports: + - port: 443 + targetPort: 30443 + protocol: TCP + name: crd-webhook + type: {{ .Values.crdwebhook.type }} + selector: + app: neuvector-controller-pod +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/crd.yaml b/charts/neuvector/neuvector/charts/core/templates/crd.yaml index 7a969b61b..15834c9df 100644 --- a/charts/neuvector/neuvector/charts/core/templates/crd.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/crd.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: group: neuvector.com names: @@ -182,6 +181,12 @@ spec: - basic - zero-drift type: string + mode: + enum: + - Discover + - Monitor + - Protect + type: string type: object target: properties: @@ -215,6 +220,14 @@ spec: type: string original_name: type: string + mon_metric: + type: boolean + grp_sess_cur: + type: integer + grp_sess_rate: + type: integer + grp_band_width: + type: integer required: - name type: object @@ -278,7 +291,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: group: neuvector.com names: @@ -448,6 +460,12 @@ spec: - basic - zero-drift type: string + mode: + enum: + - Discover + - Monitor + - Protect + type: string type: object target: properties: 
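Review bot: The Service is gated on `.Values.crdwebhooksvc.enabled` but takes its type from `.Values.crdwebhook.type`, two differently named values blocks; if `crdwebhook.type` is not defined alongside the new `crdwebhooksvc` block, `type:` renders empty and the manifest is rejected, so confirm both keys exist in values.yaml or move `type` under `crdwebhooksvc`. Before this commit the same Service was emitted unconditionally from crd.yaml (removed in the `@@ -810` hunk further down), so unless `crdwebhooksvc.enabled` defaults to true an upgrade from 2.4.2 silently deletes the CRD webhook Service; the default and that upgrade effect belong in the chart README.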
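Review bot: `grp_sess_cur`, `grp_sess_rate` and `grp_band_width` are declared as bare `type: integer` in the `@@ -215` hunk (and again in `@@ -481` on the next line); if these are limits, as the names suggest, adding `minimum: 0` to each lets the API server reject negative values at admission instead of leaving that to the controller. The new boolean `mon_metric` and the `mode` enum would also benefit from a one-line comment each, since nothing in the schema says what they switch.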
@@ -481,6 +499,14 @@ spec: type: string original_name: type: string + mon_metric: + type: boolean + grp_sess_cur: + type: integer + grp_sess_rate: + type: integer + grp_band_width: + type: integer required: - name type: object @@ -544,7 +570,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: group: neuvector.com names: @@ -630,7 +655,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: group: neuvector.com names: @@ -688,6 +712,8 @@ spec: type: string op: type: string + path: + type: string sub_criteria: items: properties: @@ -703,8 +729,14 @@ spec: - value type: object type: array + template_kind: + type: string + type: + type: string value: type: string + value_type: + type: string required: - name - op @@ -715,6 +747,20 @@ spec: type: boolean id: type: integer + rule_mode: + enum: + - "" + - monitor + - protect + type: string + containers: + items: + enum: + - containers + - init_containers + - ephemeral_containers + type: string + type: array required: - action - criteria @@ -735,7 +781,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: group: neuvector.com names: 
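Review bot: The `rule_mode` enum added in the `@@ -715` hunk uses lowercase `monitor`/`protect`, while the `mode` enum added to the security-rule CRDs in `@@ -182` and `@@ -448` uses `Discover`/`Monitor`/`Protect`; both are case-sensitive string enums, so a value copied from one CR kind to the other is rejected at admission. If the controller genuinely expects different casing per CRD, say so in a comment above each enum; otherwise align them. The `""` entry in `rule_mode` presumably means "fall back to the global admission mode" and that meaning is worth a one-line comment too.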
@@ -810,295 +855,123 @@ spec: type: object {{- end }} --- -apiVersion: v1 -kind: Service -metadata: - name: neuvector-svc-crd-webhook - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: 443 - targetPort: 30443 - protocol: TCP - name: crd-webhook - type: {{ .Values.crdwebhook.type }} - selector: - app: neuvector-controller-pod ---- -# ClusterRole for NeuVector to operate CRD -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-customresourcedefinition - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - update - - watch - - create - - get ---- -# ClusterRoleBinding for NeuVector to operate CRD -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-customresourcedefinition - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-customresourcedefinition -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} ---- -# ClusterRole for NeuVector to manager user-created network/process CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvsecurityrules - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvsecurityrules - - nvclustersecurityrules - verbs: - - list - - delete ---- -# ClusterRoleBinding for NeuVector to manager user-created network/process CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-nvsecurityrules - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-nvsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} ---- -# ClusterRole for NeuVector to manager user-created dlp CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvdlpsecurityrules - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvdlpsecurityrules - verbs: - - list - - delete ---- -# ClusterRole for NeuVector to manager user-created admission control CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvadmissioncontrolsecurityrules - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvadmissioncontrolsecurityrules - verbs: - - list - - delete ---- -# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-nvdlpsecurityrules - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-nvdlpsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} ---- -# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 {{- else }} -apiVersion: v1 +apiVersion: apiextensions.k8s.io/v1beta1 {{- end }} -kind: ClusterRoleBinding +kind: CustomResourceDefinition metadata: - name: neuvector-binding-nvadmissioncontrolsecurityrules + name: nvcomplianceprofiles.neuvector.com labels: chart: {{ template "neuvector.chart" . 
}} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-nvadmissioncontrolsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +spec: + group: neuvector.com + names: + kind: NvComplianceProfile + listKind: NvComplianceProfileList + plural: nvcomplianceprofiles + singular: nvcomplianceprofile + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 {{- end }} ---- -# ClusterRole for NeuVector to manager user-created waf CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + templates: + properties: + disable_system: + type: boolean + entries: + items: + properties: + tags: + items: + type: string + type: array + test_number: + type: string + required: + - test_number + type: object + type: array + required: + - entries + type: object + type: object + type: object {{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvwafsecurityrules - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvwafsecurityrules - verbs: - - list - - delete --- -# ClusterRoleBinding for NeuVector to manager user-created waf CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 {{- else }} -apiVersion: v1 +apiVersion: apiextensions.k8s.io/v1beta1 {{- end }} -kind: ClusterRoleBinding +kind: CustomResourceDefinition metadata: - name: neuvector-binding-nvwafsecurityrules + name: nvvulnerabilityprofiles.neuvector.com labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole +spec: + group: neuvector.com + names: + kind: NvVulnerabilityProfile + listKind: NvVulnerabilityProfileList + plural: nvvulnerabilityprofiles + singular: nvvulnerabilityprofile + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 {{- end }} - name: neuvector-binding-nvwafsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + profile: + properties: + entries: + items: + properties: + comment: + type: string + days: + type: integer + domains: + items: + type: string + type: array + images: + items: + type: string + type: array 
+ name: + type: string + required: + - name + type: object + type: array + required: + - entries + type: object + required: + - profile + type: object + type: object {{- end }} {{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/csp-clusterrole.yaml b/charts/neuvector/neuvector/charts/core/templates/csp-clusterrole.yaml new file mode 100644 index 000000000..234f50db6 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/csp-clusterrole.yaml 
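Review bot: The two new CRDs (`nvcomplianceprofiles.neuvector.com`, `nvvulnerabilityprofiles.neuvector.com`) only carry an `openAPIV3Schema` inside the `semverCompare ">=1.19-0"` branch; on the `apiextensions.k8s.io/v1beta1` path no schema is emitted at all, so on older clusters any object shape is accepted and validation happens only in the controller. If the v1beta1 path is still supported, emit the same schema in that branch as well (v1beta1 accepts a per-version `schema`), otherwise state in the README that CRD validation requires Kubernetes 1.19+. The hunk also drops the `heritage: {{ .Release.Service }}` label from every resource, which changes selectors for anyone who filtered on it; a changelog line would help.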
@@ -0,0 +1,53 @@
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-csp-adapter-cluster-role
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - susecloud.net
+ resources:
+ - cspadapterusagerecords
+ resourceNames:
+ - neuvector-usage
+ verbs:
+ - get
+---
+
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-csp-usages
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - susecloud.net
+ resources:
+ - cspadapterusagerecords
+ verbs:
+ - get
+ - create
+ - update
+ - delete
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/templates/csp-clusterrolebinding.yaml b/charts/neuvector/neuvector/charts/core/templates/csp-clusterrolebinding.yaml
new file mode 100644
index 000000000..bb0a331b6
--- /dev/null
+++ b/charts/neuvector/neuvector/charts/core/templates/csp-clusterrolebinding.yaml
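Review bot: `$oc4` and `$oc3` are declared a second time after the `---` separator although this is one template and the first declarations, made inside the same `{{- if or ... }}` block, are still in scope; the duplicate two lines can go. The second ClusterRole, `neuvector-binding-csp-usages`, grants `get`/`create`/`update`/`delete` on every `cspadapterusagerecords` object cluster-wide, while the adapter role above is pinned to `resourceNames: [neuvector-usage]`; if the controller only ever touches that one record, `get`, `update` and `delete` can carry the same `resourceNames` (only `create` cannot be name-scoped). A one-line comment above each role naming its consumer (CSP adapter vs. controller) would also help, since neither has one.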
@@ -0,0 +1,61 @@ +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-csp-adapter-crb + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-csp-adapter-cluster-role +subjects: + - kind: ServiceAccount + {{- if .Values.global.aws.enabled }} + name: {{ .Values.global.aws.serviceAccount }} + {{- end }} + {{- if .Values.global.azure.enabled }} + name: {{ .Values.global.azure.serviceAccount }} + {{- end }} + namespace: {{ .Release.Namespace }} + +--- + +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-csp-usages + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-csp-usages +subjects: + - kind: ServiceAccount + {{- if and .Values.rbac .Values.leastPrivilege }} + name: controller + {{- else }} + name: {{ .Values.serviceAccount }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- end }} + diff --git a/charts/neuvector/neuvector/charts/core/templates/csp-crd.yaml b/charts/neuvector/neuvector/charts/core/templates/csp-crd.yaml new file mode 100644 index 000000000..b879776e4 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/csp-crd.yaml @@ -0,0 +1,46 @@ +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: cspadapterusagerecords.susecloud.net + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: susecloud.net + names: + kind: CspAdapterUsageRecord + listKind: CspAdapterUsageRecordList + plural: cspadapterusagerecords + singular: cspadapterusagerecord + shortNames: + - caur + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + base_product: + type: string + managed_node_count: + type: integer + reporting_time: + type: string + required: + - managed_node_count + - reporting_time + - base_product + type: object + served: true + storage: true +{{- end }} 
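Review bot: In the `neuvector-csp-adapter-crb` subject, the two `{{- if ... }}` blocks each emit a `name:` key, so a values file with both `global.aws.enabled` and `global.azure.enabled` set renders a mapping with a duplicate `name` key; YAML loaders silently keep the last one, and the binding would quietly target only the Azure service account. Make the branches exclusive: `{{- if .Values.global.aws.enabled }}` … `{{- else if .Values.global.azure.enabled }}`. The same pattern is in csp-rolebinding.yaml (`subjects`) and csp-serviceaccount.yaml (`metadata.name`), and csp-deployment.yaml emits `imagePullSecrets:` twice the same way.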
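Review bot: `$oc4` and `$oc3` are assigned at the top of csp-crd.yaml but never referenced; the apiVersion choice below depends only on the `>=1.19-0` compare. Drop the two assignments, or leave a `{{- /* ... */ }}` comment if they are placeholders for an OpenShift-specific branch that is still to come.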
diff --git a/charts/neuvector/neuvector/charts/core/templates/csp-deployment.yaml b/charts/neuvector/neuvector/charts/core/templates/csp-deployment.yaml new file mode 100644 index 000000000..82ef4739a --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/csp-deployment.yaml 
@@ -0,0 +1,72 @@ +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: neuvector-csp-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +{{- with .Values.global.aws.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: neuvector-csp-pod + template: + metadata: + labels: + app: neuvector-csp-pod + release: {{ .Release.Name }} + spec: + {{- if .Values.global.aws.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.global.aws.imagePullSecrets }} + {{- end }} + {{- if .Values.global.azure.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.global.azure.imagePullSecrets }} + {{- end }} + containers: + - env: + - name: ADAPTER_NAMESPACE + value: {{ .Release.Namespace }} + - name: USAGE_CRD_PLURAL + value: "cspadapterusagerecords" + - name: USAGE_RESOURCE + value: "neuvector-usage" + - name: USAGE_API_VERSION + value: "v1" + - name: USAGE_API_GROUP + value: "susecloud.net" + {{- if .Values.global.azure.enabled }} + - name: "CLIENT_ID" + value: "{{ .Values.global.azure.identity.clientId }}" + - name: "EXTENSION_RESOURCE_ID" + value: "{{ .Values.global.azure.extension.resourceId }}" + - name: "PLAN_ID" + value: "{{ .Values.global.azure.marketplace.planId }}" + {{- end }} + {{- if and .Values.global.aws.enabled .Values.global.aws.image.digest }} + image: "{{ .Values.registry }}/{{ .Values.global.aws.image.repository }}@{{ .Values.global.aws.image.digest }}" + {{- else if and .Values.global.aws.enabled .Values.global.aws.image.tag }} + image: "{{ .Values.registry }}/{{ .Values.global.aws.image.repository }}:{{ .Values.global.aws.image.tag }}" + {{- else if and .Values.global.azure.enabled }} + image: "{{ .Values.global.azure.images.neuvector_csp_pod.registry }}/{{ .Values.global.azure.images.neuvector_csp_pod.image }}:{{ 
.Values.global.azure.images.neuvector_csp_pod.tag }}" + {{- end }} + name: neuvector-csp-pod + {{- if .Values.global.aws.enabled }} + imagePullPolicy: "{{ .Values.global.aws.image.imagePullPolicy }}" + {{- else if .Values.global.azure.enabled }} + imagePullPolicy: "{{ .Values.global.azure.images.neuvector_csp_pod.imagePullPolicy }}" + {{- end }} + {{- if .Values.global.aws.enabled }} + serviceAccountName: {{ .Values.global.aws.serviceAccount }} + serviceAccount: {{ .Values.global.aws.serviceAccount }} + {{- else if .Values.global.azure.enabled }} + serviceAccountName: {{ .Values.global.azure.serviceAccount }} + serviceAccount: {{ .Values.global.azure.serviceAccount }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/csp-role.yaml b/charts/neuvector/neuvector/charts/core/templates/csp-role.yaml new file mode 100644 index 000000000..3bba9540d --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/csp-role.yaml 
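Review bot: The `neuvector-csp-pod` container is rendered with no `securityContext` and no `resources`, although from its env and RBAC it is a plain API client that only touches the usage CRD and a few namespaced secrets/configmaps. Unlike the enforcer it has no reason for elevated privileges, so drop all capabilities and forbid privilege escalation at the container level, and expose `resources` through a values key following the chart's existing convention; whether the image can also take `runAsNonRoot: true` is not visible here and should be confirmed against the image first. The two `serviceAccountName`/`serviceAccount` pairs could also collapse into one `{{- $sa := ... }}` variable chosen once at the top of the template.

```yaml
        name: neuvector-csp-pod
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
```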
@@ -0,0 +1,55 @@ +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-csp-adapter-role + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - csp-adapter-cache + verbs: + - "*" +- apiGroups: + - "" + resources: + - secrets + verbs: + - create +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - csp-config + verbs: + - "*" +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - metering-archive + verbs: + - "*" +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/csp-rolebinding.yaml b/charts/neuvector/neuvector/charts/core/templates/csp-rolebinding.yaml new file mode 100644 index 000000000..0327fdc77 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/csp-rolebinding.yaml 
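Review bot: Three rules in `neuvector-csp-adapter-role` use `verbs: ["*"]` on the named secret and configmaps, which also grants `deletecollection`, `watch` and `patch`; a `resourceNames`-scoped rule gives little least-privilege benefit when the verb list is open. List the verbs the adapter actually issues (presumably `get`, `update`, `patch`, `delete` — confirm against the adapter code) and keep the separate unscoped `create` rules, which are needed because `create` cannot be restricted by resource name. The two `configmaps` rules for `csp-config` and `metering-archive` can be a single rule with both names under `resourceNames`.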
@@ -0,0 +1,31 @@ +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-csp-adapter-binding + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-csp-adapter-role +subjects: + - kind: ServiceAccount + {{- if .Values.global.aws.enabled }} + name: {{ .Values.global.aws.serviceAccount }} + {{- end }} + {{- if .Values.global.azure.enabled }} + name: {{ .Values.global.azure.serviceAccount }} + {{- end }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/csp-serviceaccount.yaml b/charts/neuvector/neuvector/charts/core/templates/csp-serviceaccount.yaml new file mode 100644 index 000000000..328275020 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/csp-serviceaccount.yaml 
@@ -0,0 +1,23 @@ +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} +{{- if not .Values.openshift}} +{{- if and (ne .Values.global.aws.serviceAccount "default") (ne .Values.global.azure.serviceAccount "default") }} +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- if .Values.global.aws.enabled }} + name: {{ .Values.global.aws.serviceAccount }} + {{- end }} + {{- if .Values.global.azure.enabled }} + name: {{ .Values.global.azure.serviceAccount }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + annotations: + {{- if .Values.global.aws.enabled }} + eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/enforcer-daemonset.yaml b/charts/neuvector/neuvector/charts/core/templates/enforcer-daemonset.yaml index fc41d46ac..de89e92fa 100644 --- a/charts/neuvector/neuvector/charts/core/templates/enforcer-daemonset.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/enforcer-daemonset.yaml 
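Review bot: The ServiceAccount is only rendered when both `global.aws.serviceAccount` and `global.azure.serviceAccount` differ from `"default"`, even though the two providers are enabled independently; if the disabled provider's value is left at a default setting (not visible here), the enabled provider's account is never created while csp-clusterrolebinding.yaml and csp-deployment.yaml still reference it. Gate per enabled provider instead: `{{- if or (and .Values.global.aws.enabled (ne .Values.global.aws.serviceAccount "default")) (and .Values.global.azure.enabled (ne .Values.global.azure.serviceAccount "default")) }}`. With only Azure enabled the `annotations:` key is emitted with no entries; move it inside the `{{- if .Values.global.aws.enabled }}` that wraps the `eks.amazonaws.com/role-arn` line.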
@@ -1,3 +1,25 @@ +{{- $pre530 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} +{{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} +{{- $runtimePath := "" -}} +{{- if .Values.runtimePath }} +{{- $runtimePath = .Values.runtimePath -}} +{{- else if and .Values.k3s.enabled (ne .Values.k3s.runtimePath "/run/k3s/containerd/containerd.sock") }} +{{- $runtimePath = .Values.k3s.runtimePath -}} +{{- else if and .Values.bottlerocket.enabled (ne .Values.bottlerocket.runtimePath "/run/dockershim.sock") }} +{{- $runtimePath = .Values.bottlerocket.runtimePath -}} +{{- else if and .Values.containerd.enabled (ne .Values.containerd.path "/var/run/containerd/containerd.sock") }} +{{- $runtimePath = .Values.containerd.path -}} +{{- else if and .Values.crio.enabled (ne .Values.crio.path "/var/run/crio/crio.sock") }} +{{- $runtimePath = .Values.crio.path -}} +{{- else if ne .Values.docker.path "/var/run/docker.sock" }} +{{- $runtimePath = .Values.docker.path -}} +{{- end }} {{- if .Values.enforcer.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 @@ -10,7 +32,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} 
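Review bot: `$pre530` is set from `semverCompare "<5.2.10-0" .Values.tag` and `$pre540` from `"<5.3.10-0"`, so the variable names do not match the thresholds they test, and a tag that is not `x.y.z` (e.g. `latest`) leaves both `false` and selects the newest layout. A short comment at the top of the file would spare the next reader a trip through the volume blocks, e.g. `{{- /* $pre530/$pre540: true for release tags before the runtime-mount and internal auto-cert changes; non-semver tags are treated as current */ -}}`, and if 5.2.10/5.3.10 are deliberate boundaries it should say why. The `$runtimePath` chain compares each runtime's configured path against a built-in default and only mounts a non-default path explicitly; that rule is worth one line as well, since it is not obvious from the `ne` comparisons alone.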
@@ -42,10 +63,18 @@ spec: {{- if .Values.enforcer.priorityClassName }} priorityClassName: {{ .Values.enforcer.priorityClassName }} {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: enforcer + serviceAccount: enforcer + {{- else }} serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} + {{- end }} containers: - name: neuvector-enforcer-pod + {{- if .Values.global.azure.enabled }} + image: "{{ .Values.global.azure.images.enforcer.registry }}/{{ .Values.global.azure.images.enforcer.image }}:{{ .Values.global.azure.images.enforcer.tag }}" + {{- else }} {{- if eq .Values.registry "registry.neuvector.com" }} {{- if .Values.oem }} image: "{{ .Values.registry }}/{{ .Values.oem }}/enforcer:{{ .Values.tag }}" @@ -59,6 +88,7 @@ spec: image: "{{ .Values.registry }}/{{ .Values.enforcer.image.repository }}:{{ .Values.tag }}" {{- end }} {{- end }} + {{- end }} securityContext: privileged: true resources: @@ -78,11 +108,20 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} + {{- with .Values.enforcer.env }} +{{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: + {{- if $pre530 }} {{- if .Values.containerd.enabled }} - mountPath: /var/run/containerd/containerd.sock {{- else if .Values.k3s.enabled }} - - mountPath: /var/run/containerd/containerd.sock + - mountPath: /run/containerd/containerd.sock {{- else if .Values.bottlerocket.enabled }} - mountPath: /var/run/containerd/containerd.sock {{- else if .Values.crio.enabled }} 
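Review bot: When `global.azure.enabled` is set the enforcer image tag comes from `global.azure.images.enforcer.tag`, but the `$pre530`/`$pre540` gates at the top of the file are still evaluated against `.Values.tag`; if the two diverge, the socket mounts and the `AUTO_INTERNAL_CERT` env chosen further down will not match the image that actually runs. Derive the compared tag from the same source as the image, e.g. `{{- $tag := ternary .Values.global.azure.images.enforcer.tag .Values.tag .Values.global.azure.enabled -}}` ahead of the `regexMatch` lines, or document that the Azure values are expected to keep `tag` and `images.enforcer.tag` in sync.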
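Review bot: The `{{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }}` branch before `AUTO_INTERNAL_CERT` is empty and exists only to suppress the `else if`, so a reader has to work out that the env var is withheld when an external certificate is supplied. Fold the exclusion into one condition, `{{- if and .Values.internal.autoGenerateCert (not $pre540) (not (or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret)) }}`, and add a comment that the enforcer must not self-generate internal certificates when cert-manager or a user-provided secret supplies them.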
@@ -98,10 +137,18 @@ spec: - mountPath: /host/cgroup name: cgroup-vol readOnly: true + {{- else if $runtimePath }} + - mountPath: /run/runtime.sock + name: runtime-sock + readOnly: true + {{- end }} - mountPath: /lib/modules name: modules-vol readOnly: true - {{- if .Values.enforcer.internal.certificate.secret }} + - mountPath: /var/nv_debug + name: nv-debug + readOnly: false + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} - mountPath: /etc/neuvector/certs/internal/cert.key subPath: {{ .Values.enforcer.internal.certificate.keyFile }} name: internal-cert @@ -114,10 +161,14 @@ spec: subPath: {{ .Values.enforcer.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} terminationGracePeriodSeconds: 1200 restartPolicy: Always volumes: + {{- if $pre530 }} - name: runtime-sock hostPath: {{- if .Values.containerd.enabled }} @@ -137,12 +188,24 @@ spec: - name: cgroup-vol hostPath: path: /sys/fs/cgroup + {{- else if $runtimePath }} + - name: runtime-sock + hostPath: + path: {{ $runtimePath }} + {{- end }} - name: modules-vol hostPath: path: /lib/modules - {{- if .Values.enforcer.internal.certificate.secret }} + - name: nv-debug + hostPath: + path: /var/nv_debug + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} - name: internal-cert secret: secretName: {{ .Values.enforcer.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/init-configmap.yaml b/charts/neuvector/neuvector/charts/core/templates/init-configmap.yaml index 4d3b97129..5c29ca257 100644 --- a/charts/neuvector/neuvector/charts/core/templates/init-configmap.yaml 
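Review bot: The new `/var/nv_debug` mount (this hunk, with its `hostPath` declared in the `@@ -137,12 +188,24 @@` hunk) is the only volume in this DaemonSet marked `readOnly: false`, and it is rendered unconditionally, so every enforcer gets a persistent writable directory on each node's root filesystem. Given the container is already `privileged: true` this is not an escalation, but it is a node-wide write path created by a security product and should be opt-in and documented: gate both the mount and the volume on a value such as `.Values.enforcer.debug.enabled` (placeholder; pick the chart's naming convention) and state what is written there. When `$pre530` is false and `$runtimePath` is empty no runtime socket is mounted at all; if 5.3+ enforcers discover the socket themselves, a comment on the `else if` saying so would explain the deliberate gap.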
+++ b/charts/neuvector/neuvector/charts/core/templates/init-configmap.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} data: -{{ toYaml .Values.controller.configmap.data | indent 4 }} -{{- end }} \ No newline at end of file +{{ toYaml .Values.controller.configmap.data | indent 2 }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/init-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/init-secret.yaml index 8a5081408..d9b4676c5 100644 --- a/charts/neuvector/neuvector/charts/core/templates/init-secret.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/init-secret.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} data: {{- range $key, $val := .Values.controller.secret.data }} {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} diff --git a/charts/neuvector/neuvector/charts/core/templates/manager-deployment.yaml b/charts/neuvector/neuvector/charts/core/templates/manager-deployment.yaml index 447b54862..e744c86ab 100644 --- a/charts/neuvector/neuvector/charts/core/templates/manager-deployment.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/manager-deployment.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: replicas: 1 selector: 
@@ -25,10 +24,13 @@ spec: {{- with .Values.manager.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.manager.podAnnotations }} annotations: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} + checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.manager.podAnnotations }} + {{- toYaml .Values.manager.podAnnotations | nindent 8 }} + {{- end }} spec: {{- if .Values.manager.affinity }} affinity: @@ -37,6 +39,10 @@ spec: {{- if .Values.manager.tolerations }} tolerations: {{ toYaml .Values.manager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.manager.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.manager.topologySpreadConstraints | indent 8 }} {{- end }} {{- if .Values.manager.nodeSelector }} nodeSelector: @@ -49,14 +55,22 @@ spec: {{- if .Values.manager.priorityClassName }} priorityClassName: {{ .Values.manager.priorityClassName }} {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} + {{- end }} {{- if .Values.manager.runAsUser }} securityContext: runAsUser: {{ .Values.manager.runAsUser }} {{- end }} containers: - name: neuvector-manager-pod + {{- if .Values.global.azure.enabled }} + image: "{{ .Values.global.azure.images.manager.registry }}/{{ .Values.global.azure.images.manager.image }}:{{ .Values.global.azure.images.manager.tag }}" + {{- else }} {{- if eq .Values.registry "registry.neuvector.com" }} {{- if .Values.oem }} image: "{{ .Values.registry }}/{{ .Values.oem }}/manager:{{ .Values.tag }}" 
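Review bot: `annotations:` under the pod template is now emitted unconditionally, so a release with `autoGenerateCert` off, no manager certificate and no `podAnnotations` renders `annotations:` with a null value; the API server tolerates it, but it is a behaviour change from the previous `{{- with }}` guard and trips strict YAML linting. Guard the key on the union of its contents' conditions, `{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) .Values.manager.podAnnotations }}`. The checksum annotation itself is the right way to roll the pod when the secret changes.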
@@ -70,6 +84,11 @@ spec: image: "{{ .Values.registry }}/{{ .Values.manager.image.repository }}:{{ .Values.tag }}" {{- end }} {{- end }} + {{- end }} + ports: + - name: http + containerPort: 8443 + protocol: TCP env: - name: CTRL_SERVER_IP value: neuvector-svc-controller.{{ .Release.Namespace }} @@ -77,6 +96,9 @@ spec: - name: MANAGER_SSL value: "off" {{- end }} + {{- with .Values.manager.env.envs }} +{{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: {{- if .Values.manager.certificate.secret }} - mountPath: /etc/neuvector/certs/ssl-cert.key 
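Review bot: The container port added here is named `http` although it is 8443 and, per the probes in the next hunk, serves HTTPS whenever `manager.env.ssl` is set; the Service in manager-service.yaml names the same port `manager`. Use a protocol-neutral name that matches the Service, `name: manager`, so a future `targetPort` by name resolves and the name does not contradict `MANAGER_SSL`.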
@@ -87,6 +109,56 @@ spec: subPath: {{ .Values.manager.certificate.pemFile }} name: cert readOnly: true + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + {{- if .Values.manager.probes.enabled }} + startupProbe: + httpGet: + path: / + port: 8443 + {{- if .Values.manager.env.ssl }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }} + periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }} + successThreshold: 1 + failureThreshold: {{ .Values.manager.probes.startupFailureThreshold | default 30 }} + livenessProbe: + httpGet: + path: / + port: 8443 + {{- if .Values.manager.env.ssl }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }} + periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }} + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: / + port: 8443 + {{- if .Values.manager.env.ssl }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }} + periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }} + successThreshold: 1 + failureThreshold: 3 {{- end }} resources: {{- if .Values.manager.resources }} @@ -100,5 +172,9 @@ spec: - name: cert secret: secretName: {{ .Values.manager.certificate.secret }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} + - name: cert + secret: + secretName: neuvector-manager-secret {{- end }} {{- end }} 
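Review bot: The three probes repeat an identical `httpGet` block (path, port, the `env.ssl` scheme switch) and the same `timeoutSeconds`/`periodSeconds` defaults, so a change to the manager's health endpoint has to be made three times. Move the shared part into a `{{- define "neuvector.manager.probeHttpGet" }}` helper in `_helpers.tpl` and include it with `nindent` under each probe, leaving only `failureThreshold` per probe. The startup probe's `failureThreshold` comes from values while liveness and readiness hard-code `3`; that asymmetry should be documented next to `manager.probes` in values or made consistent.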
diff --git a/charts/neuvector/neuvector/charts/core/templates/manager-ingress.yaml b/charts/neuvector/neuvector/charts/core/templates/manager-ingress.yaml index d6e2e3350..9dc4bb539 100644 --- a/charts/neuvector/neuvector/charts/core/templates/manager-ingress.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/manager-ingress.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.manager.ingress.ingressClassName }} ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} @@ -49,7 +48,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.manager.ingress.tls }} tls: diff --git a/charts/neuvector/neuvector/charts/core/templates/manager-route.yaml b/charts/neuvector/neuvector/charts/core/templates/manager-route.yaml index 784a4ae23..f79a7332e 100644 --- a/charts/neuvector/neuvector/charts/core/templates/manager-route.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/manager-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: {{- if .Values.manager.route.host }} host: {{ .Values.manager.route.host }} diff --git a/charts/neuvector/neuvector/charts/core/templates/manager-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/manager-secret.yaml new file mode 100644 index 000000000..46563bcbd --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/manager-secret.yaml 
@@ -0,0 +1,24 @@ +{{- if .Values.manager.enabled -}} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.manager.certificate.key .Values.manager.certificate.certificate }} +{{- $cert = (dict "Key" .Values.manager.certificate.key "Cert" .Values.manager.certificate.certificate ) }} +{{- else }} +{{- $cn := "neuvector" }} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-manager-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/manager-service.yaml b/charts/neuvector/neuvector/charts/core/templates/manager-service.yaml index e18e55c35..b310f63d7 100644 --- a/charts/neuvector/neuvector/charts/core/templates/manager-service.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/manager-service.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: type: {{ .Values.manager.svc.type }} {{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} 
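Review bot: The self-signed certificate generated here carries only the SAN `neuvector` (`genSelfSignedCert $cn nil (list $cn) ...`), so any client that validates the hostname — an OpenShift `reencrypt` route or an ingress doing backend TLS verification — will reject the manager's service name. The registry-adapter secret in this commit includes the service DNS names; do the same here with the namespace taken from the release, e.g. `(list $cn "neuvector-service-webui" (printf "neuvector-service-webui.%s.svc" .Release.Namespace))`, assuming `neuvector-service-webui` is the manager Service as the legacy ingress branch suggests. A comment that `neuvector.secrets.lookup` reuses an existing secret only when `lookup` can reach the cluster (it returns nothing under `helm template`) would also explain what keeps the `checksum/manager-secret` annotation stable across upgrades.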
@@ -21,6 +20,13 @@ spec: - port: 8443 name: manager protocol: TCP +{{- if or (.Capabilities.KubeVersion.GitVersion | contains "-eks") (.Capabilities.KubeVersion.GitVersion | contains "-gke") }} +{{- if .Values.manager.env.ssl }} + appProtocol: HTTPS +{{- else }} + appProtocol: HTTP +{{- end }} +{{- end }} selector: app: neuvector-manager-pod {{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/psp.yaml b/charts/neuvector/neuvector/charts/core/templates/psp.yaml index c1d68857b..2d9d77e87 100644 --- a/charts/neuvector/neuvector/charts/core/templates/psp.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/psp.yaml @@ -1,4 +1,4 @@ -{{- if .Values.psp -}} +{{- if and .Values.psp (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -7,7 +7,6 @@ metadata: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' labels: chart: {{ template "neuvector.chart" . }} - heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: privileged: true @@ -44,7 +43,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: {{ .Release.Service }} release: {{ .Release.Name }} rules: - apiGroups: 
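Review bot: `appProtocol` is gated on `GitVersion` containing `-eks` or `-gke`, which is a provider sniff rather than a capability check; the field has been a stable part of `ServicePort` since Kubernetes 1.20, and the string match misses distributions whose GitVersion carries no suffix. If the intent is only to avoid older API servers, gate on `semverCompare ">=1.20-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)` as the rest of the chart does; if it is genuinely about EKS/GKE load-balancer behaviour, say so in a comment above the block.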
@@ -64,14 +62,93 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: {{ .Release.Service }} release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: neuvector-binding-psp subjects: +{{- if .Values.leastPrivilege }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- else }} - kind: ServiceAccount name: {{ .Values.serviceAccount }} namespace: {{ .Release.Namespace }} {{- end }} + +{{- if .Values.leastPrivilege }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: neuvector-binding-psp-controller + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + allowedCapabilities: null + requiredDropCapabilities: + - ALL + volumes: + - configMap + - downwardAPI + - emptyDir + - persistentVolumeClaim + - azureFile + - projected + - secret + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: neuvector-binding-psp-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - neuvector-binding-psp-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: neuvector-binding-psp-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-binding-psp-controller +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/pvc.yaml b/charts/neuvector/neuvector/charts/core/templates/pvc.yaml index 3821d0485..d0c519627 100644 --- a/charts/neuvector/neuvector/charts/core/templates/pvc.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/pvc.yaml @@ -8,7 +8,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: accessModes: {{ toYaml .Values.controller.pvc.accessModes | indent 4 }} diff --git a/charts/neuvector/neuvector/charts/core/templates/registry-adapter-ingress.yaml b/charts/neuvector/neuvector/charts/core/templates/registry-adapter-ingress.yaml new file mode 100644 index 000000000..ab05054fe --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/registry-adapter-ingress.yaml 
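Review bot: The new `neuvector-binding-psp-controller` PodSecurityPolicy keeps `runAsUser: rule: 'RunAsAny'`, so the controller may still run as UID 0 even under `leastPrivilege`; if the controller image runs as a non-root user (not visible here — check the controller-deployment template), `rule: 'MustRunAsNonRoot'` closes that gap, and `supplementalGroups`/`fsGroup` could likewise move off `RunAsAny`. The drop of all capabilities and `allowPrivilegeEscalation: false` are the right baseline for an API-driven controller. Since the whole file is now wrapped in `semverCompare "<1.25-0"`, a one-line comment at the top that these objects exist only for pre-1.25 clusters (Pod Security Admission covers newer ones) would help whoever removes them later.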
@@ -0,0 +1,106 @@ +{{- if .Values.cve.adapter.enabled -}} + +{{- if .Values.cve.adapter.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.cve.adapter.ingress.ingressClassName }} + ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-registry-adapter + port: + number: 9443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +spec: +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 9443 +{{- end }} +{{- end }} + +--- + +{{- if and .Values.openshift .Values.cve.adapter.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.cve.adapter.route.host }} + host: {{ .Values.cve.adapter.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-registry-adapter + port: + targetPort: registry-adapter + tls: + termination: {{ .Values.cve.adapter.route.termination }} +{{- if or (eq .Values.cve.adapter.route.termination "reencrypt") (eq .Values.cve.adapter.route.termination "edge") }} +{{- with .Values.cve.adapter.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/registry-adapter-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/registry-adapter-secret.yaml new file mode 100644 index 000000000..66f0d80e2 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/registry-adapter-secret.yaml 
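Review bot: In the `extensions/v1beta1` branch the backend is `serviceName: neuvector-service-webui`, while the `networking.k8s.io/v1` branch above routes to `neuvector-service-registry-adapter`; on a pre-1.19 cluster the registry-adapter host would be sent to the manager UI on port 9443, which looks like a copy/paste from manager-ingress.yaml. Change it to `serviceName: neuvector-service-registry-adapter`. The `---` between the Ingress and the Route is also emitted unconditionally, producing a stray empty document when the route is disabled; harmless for Helm, but moving it inside the route's `{{- if }}` keeps the rendered output tidy.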
@@ -0,0 +1,21 @@ +{{- if .Values.cve.adapter.enabled -}} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate }} +{{- $cert = (dict "Key" .Values.cve.adapter.certificate.key "Cert" .Values.cve.adapter.certificate.certificate ) }} +{{- else }} +{{- $cn := "neuvector" }} +{{- $cert = genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-registry-adapter-secret +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/registry-adapter.yaml b/charts/neuvector/neuvector/charts/core/templates/registry-adapter.yaml new file mode 100644 index 000000000..7c7e44e17 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/registry-adapter.yaml 
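Review bot: The self-signed fallback passed to `genSelfSignedCert` hard-codes the SAN `neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local`, but the Secret is created in `.Release.Namespace`, so an install in any other namespace produces a certificate whose DNS name does not match the service's in-cluster FQDN and any client that verifies the adapter certificate (presumably Harbor) will fail or be pushed into disabling verification. Build the name from the release namespace instead: `{{- $svcFqdn := printf "neuvector-service-registry-adapter.%s.svc.cluster.local" .Release.Namespace }}` and pass `(list $cn $svcFqdn "neuvector-service-registry-adapter")` as the SAN list. The `neuvector.secrets.lookup` helper is defined outside this hunk, but from its use here it appears to reuse an already-stored key on upgrade, so the values documentation should say that a namespace move or SAN change requires deleting `neuvector-registry-adapter-secret` before re-rendering.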
@@ -0,0 +1,204 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} +{{- if .Values.cve.adapter.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-registry-adapter-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-registry-adapter-pod + template: + metadata: + labels: + app: neuvector-registry-adapter-pod + release: {{ .Release.Name }} + {{- with .Values.cve.adapter.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} + checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . 
| sha256sum }} + {{- end }} + {{- if .Values.cve.adapter.podAnnotations }} + {{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- if .Values.cve.adapter.affinity }} + affinity: +{{ toYaml .Values.cve.adapter.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.tolerations }} + tolerations: +{{ toYaml .Values.cve.adapter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.adapter.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.adapter.priorityClassName }} + priorityClassName: {{ .Values.cve.adapter.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: registry-adapter + serviceAccount: registry-adapter + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.adapter.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.adapter.runAsUser }} + {{- end }} + containers: + - name: neuvector-registry-adapter-pod + {{- if eq .Values.registry "registry.neuvector.com" }} + {{- if .Values.oem }} + image: "{{ .Values.registry }}/{{ .Values.oem }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- else }} + image: "{{ .Values.registry }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- end }} + {{- else }} + {{- if .Values.cve.adapter.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}" + {{- else }} + image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}:{{ .Values.cve.adapter.image.tag }}" + {{- end }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: HARBOR_SERVER_PROTO + value: {{ .Values.cve.adapter.harbor.protocol }} + {{- if 
.Values.cve.adapter.harbor.secretName }} + - name: HARBOR_BASIC_AUTH_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: username + - name: HARBOR_BASIC_AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: password + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} + {{- with .Values.cve.adapter.env }} +{{- toYaml . | nindent 14 }} + {{- end }} + volumeMounts: + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.adapter.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.adapter.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.adapter.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir + {{- end }} + {{- if .Values.cve.adapter.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.cve.adapter.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.cve.adapter.certificate.pemFile }} + name: cert + readOnly: true + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem 
+ subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.cve.adapter.resources }} +{{ toYaml .Values.cve.adapter.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.cve.adapter.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.cve.adapter.certificate.secret }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} + - name: cert + secret: + secretName: neuvector-registry-adapter-secret + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.cve.adapter.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi + {{- end }} +--- + +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-registry-adapter + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.cve.adapter.svc.type }} +{{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.cve.adapter.svc.loadBalancerIP }} +{{- end }} + ports: + - name: registry-adapter +{{- if (eq .Values.cve.adapter.harbor.protocol "https") }} + port: 9443 + appProtocol: HTTPS +{{- else }} + port: 8090 + appProtocol: HTTP +{{- end }} + protocol: TCP + selector: + app: neuvector-registry-adapter-pod + +{{- end }} 
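Review bot: The `neuvector-registry-adapter-pod` container has no container-level `securityContext`; the only hardening is a pod-level `runAsUser`, applied only when `cve.adapter.runAsUser` is set, so the adapter runs with the default capability set and privilege escalation allowed even though it terminates inbound Harbor connections and holds the Harbor basic-auth credentials from `cve.adapter.harbor.secretName`. The `neuvector-scc-controller` SCC added in this same change already assumes `allowPrivilegeEscalation: false` and dropping all capabilities for the controller, so the same settings are a reasonable baseline here; whether the adapter also tolerates `readOnlyRootFilesystem: true` is not visible from the template and should be verified before enabling it. Separately, with `cve.adapter.harbor.protocol` set to anything but `https` the Service listens on plain HTTP 8090 and the `HARBOR_BASIC_AUTH_*` credentials cross the wire unencrypted — a warning comment next to that value in values.yaml would help operators.
```yaml
      - name: neuvector-registry-adapter-pod
        # … unchanged: image selection …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          # readOnlyRootFilesystem: true  # enable only after confirming the adapter writes nothing to its root fs
        # … unchanged: env, volumeMounts, resources …
```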
diff --git a/charts/neuvector/neuvector/charts/core/templates/role-least.yaml b/charts/neuvector/neuvector/charts/core/templates/role-least.yaml new file mode 100644 index 000000000..7520d7c94 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/role-least.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - watch + - patch + - update +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/role.yaml b/charts/neuvector/neuvector/charts/core/templates/role.yaml new file mode 100644 index 000000000..19aac0a61 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/role.yaml 
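Review bot: The `neuvector-binding-scanner` Role grants `patch` and `update` on every Deployment in the release namespace, while the only consumer visible in this change is the updater CronJob, whose command patches `deployments/neuvector-scanner-pod` to force a restart; as written the updater (and the controller account, which rolebinding-least.yaml also binds here) can rewrite the pod template — and so the image — of the controller and manager Deployments as well. Splitting the rule so that the mutating verbs carry `resourceNames: [neuvector-scanner-pod]` keeps the restart working and closes that lateral-movement path; `get`/`watch` can stay namespace-wide since a `resourceNames`-scoped watch requires the client to send a name field selector. If the controller's use of this Role needs broader scope that is not visible here and should be confirmed before narrowing.
```yaml
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  resourceNames:
  - neuvector-scanner-pod
  verbs:
  - patch
  - update
```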
@@ -0,0 +1,132 @@ +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - get + - delete +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/finalizers + verbs: + - update + - patch +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - update + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +- apiGroups: + - "apps" + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - update +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/rolebinding-least.yaml b/charts/neuvector/neuvector/charts/core/templates/rolebinding-least.yaml new file mode 100644 index 000000000..a3effd3f8 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/rolebinding-least.yaml 
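Review bot: role.yaml renders its Roles unconditionally, whereas role-least.yaml, rolebinding.yaml and rolebinding-least.yaml are all gated on `.Values.rbac`; a deployment with `rbac: false` therefore still emits `neuvector-binding-secret` and, when `internal.autoGenerateCert` is set, the lease/job-creation/cert-upgrader Roles, and on a cluster that falls into the `apiVersion: v1` branch that is a render that cannot apply. Wrapping the whole file in `{{- if .Values.rbac -}} … {{- end }}` keeps the chart's RBAC switch meaningful. On the least-privilege side, `neuvector-binding-secret` grants `get`/`list`/`watch` on every Secret in the namespace and rolebinding-least.yaml binds it to the enforcer, scanner and registry-adapter as well as the controller, so each of those components can read the others' TLS keys and the Harbor credentials; if they only need the secrets they mount, a `resourceNames` list or per-component Roles would be the least-privilege shape — what each component actually reads through the API is not visible here.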
@@ -0,0 +1,269 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-scanner +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: updater + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +{{- if .Values.internal.autoGenerateCert }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +- system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: registry-adapter + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:enforcer +- system:serviceaccount:{{ .Release.Namespace }}:scanner +- system:serviceaccount:{{ .Release.Namespace }}:registry-adapter +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} + +--- + +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +kind: SecurityContextConstraints +metadata: + name: neuvector-scc-controller +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- ALL +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- azureFile +- projected +- secret + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:openshift:scc:neuvector-scc-controller + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - neuvector-scc-controller + resources: + - securitycontextconstraints + verbs: + - use + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:neuvector-scc-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:neuvector-scc-controller +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/rolebinding.yaml b/charts/neuvector/neuvector/charts/core/templates/rolebinding.yaml index 6e6af5b6a..8a721dc74 100644 
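Review bot: In the `neuvector-binding-scanner` RoleBinding the `subjects` list binds both `controller` and `updater`, but the OpenShift 3 `userNames` fallback lists only `system:serviceaccount:…:controller`, so on an `$oc3` cluster the updater CronJob loses the Deployment patch permission its restart command depends on; add `- system:serviceaccount:{{ .Release.Namespace }}:updater`. The `neuvector-binding-lease` binding has the inverse problem: its `userNames` includes `system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}`, which is not among its `subjects` and is the shared account this least-privilege file exists to avoid — drop that line. The `neuvector-scc-controller` SecurityContextConstraints also carries no `chart`/`release` labels, unlike every other object in the file, which is cosmetic but makes it harder to locate and clean up.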
--- a/charts/neuvector/neuvector/charts/core/templates/rolebinding.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac -}} +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} @@ -16,7 +16,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -34,6 +33,37 @@ userNames: --- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + {{- if $oc4 }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -43,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -53,4 +82,92 @@ subjects: name: {{ .Values.serviceAccount }} namespace: {{ .Release.Namespace }} {{- end }} + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} {{- end }} + diff --git a/charts/neuvector/neuvector/charts/core/templates/scanner-deployment.yaml b/charts/neuvector/neuvector/charts/core/templates/scanner-deployment.yaml index 31abb2a7f..b6ba53c79 100644 --- a/charts/neuvector/neuvector/charts/core/templates/scanner-deployment.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/scanner-deployment.yaml @@ -1,3 +1,7 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.cve.scanner.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 
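Review bot: The `{{- if .Values.internal.autoGenerateCert }}` guard closes immediately after the `neuvector-binding-lease` RoleBinding, so `neuvector-binding-job-creation` and `neuvector-binding-cert-upgrader` are always rendered, while the Roles of those names in role.yaml exist only when `internal.autoGenerateCert` is set; with it unset the chart installs two RoleBindings whose `roleRef` points at missing Roles, a dangling grant that becomes live as soon as anything creates a Role with that name. Move the `{{- end }}` to after the cert-upgrader binding, or gate both bindings explicitly (rolebinding-least.yaml gates job-creation but has the same gap for cert-upgrader). Also, this file is rendered only when `leastPrivilege` is false, yet the OpenShift 3 `userNames` entries name `system:serviceaccount:…:controller` and `…:cert-upgrader`, accounts that serviceaccount-least.yaml creates only under `leastPrivilege`; they should be `system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}` to match the `subjects` above them.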
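Review bot: `$pre540` is derived from `.Values.tag`, but this Deployment's image comes from `.Values.cve.scanner.image.tag` (or the azure/registry overrides), so the `AUTO_INTERNAL_CERT` and `internal-cert-dir` decisions further down key off the controller's tag rather than the scanner image actually being run; if the capability lives in the scanner binary, a scanner pinned to an older tag next to a newer `.Values.tag` would be told to use auto-generated internal certs it cannot handle. If the dependency is really on the controller version (because it issues the certificates), a one-line comment saying so would stop the next reader from "fixing" it. The name is also misleading, since the comparison is `<5.3.10-0` rather than 5.4.0 — `{{- $preInternalCert = (semverCompare "<5.3.10-0" .Values.tag) -}}` or a short comment on the threshold would be clearer.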
@@ -10,7 +14,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: strategy: @@ -38,6 +41,10 @@ spec: {{- if .Values.cve.scanner.tolerations }} tolerations: {{ toYaml .Values.cve.scanner.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.cve.scanner.topologySpreadConstraints | indent 8 }} {{- end }} {{- if .Values.cve.scanner.nodeSelector }} nodeSelector: @@ -50,14 +57,22 @@ spec: {{- if .Values.cve.scanner.priorityClassName }} priorityClassName: {{ .Values.cve.scanner.priorityClassName }} {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: scanner + serviceAccount: scanner + {{- else }} serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} + {{- end }} {{- if .Values.cve.scanner.runAsUser }} securityContext: runAsUser: {{ .Values.cve.scanner.runAsUser }} {{- end }} containers: - name: neuvector-scanner-pod + {{- if .Values.global.azure.enabled }} + image: "{{ .Values.global.azure.images.scanner.registry }}/{{ .Values.global.azure.images.scanner.image }}:{{ .Values.global.azure.images.scanner.tag }}" + {{- else }} {{- if eq .Values.registry "registry.neuvector.com" }} {{- if .Values.oem }} image: "{{ .Values.registry }}/{{ .Values.oem }}/scanner:{{ .Values.cve.scanner.image.tag }}" 
@@ -67,10 +82,13 @@ spec: {{- else }} {{- if .Values.cve.scanner.image.hash }} image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}@{{ .Values.cve.scanner.image.hash }}" + {{- else if .Values.cve.scanner.image.registry }} + image: "{{ .Values.cve.scanner.image.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}" {{- else }} image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}" {{- end }} {{- end }} + {{- end }} imagePullPolicy: Always env: - name: CLUSTER_JOIN_ADDR @@ -79,10 +97,18 @@ spec: - name: SCANNER_DOCKER_URL value: {{ .Values.cve.scanner.dockerPath }} {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} + {{- with .Values.cve.scanner.env }} +{{- toYaml . | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.cve.scanner.resources | indent 12 }} - {{- if .Values.cve.scanner.internal.certificate.secret }} volumeMounts: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} - mountPath: /etc/neuvector/certs/internal/cert.key subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} name: internal-cert 
@@ -95,12 +121,19 @@ spec: subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} restartPolicy: Always - {{- if .Values.cve.scanner.internal.certificate.secret }} volumes: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} - name: internal-cert secret: secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/serviceaccount-least.yaml b/charts/neuvector/neuvector/charts/core/templates/serviceaccount-least.yaml new file mode 100644 index 000000000..f018447a4 --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/serviceaccount-least.yaml 
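Review bot: The new `internal-cert-dir` volume backs `/etc/neuvector/certs/internal/` with a disk-backed `emptyDir`, so whatever the auto-rotation path writes there — by the mount path, the scanner's internal TLS key and certificate — lands on the node filesystem for the life of the pod. Adding `medium: Memory` under `emptyDir:` keeps that material in tmpfs; the existing `sizeLimit: 50Mi` still applies and is then charged against the pod's memory. The same volume definition appears in registry-adapter.yaml in this change and should get the same treatment. Whether the private key is actually written to this directory rather than held only in memory is not visible from the template — confirm before relying on it.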
@@ -0,0 +1,76 @@ +{{- if .Values.leastPrivilege }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: basic + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: enforcer + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: updater + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/serviceaccount.yaml b/charts/neuvector/neuvector/charts/core/templates/serviceaccount.yaml index 47da190a5..dc625cde5 100644 --- a/charts/neuvector/neuvector/charts/core/templates/serviceaccount.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if not .Values.openshift}} +{{- if not .Values.leastPrivilege }} {{- if ne .Values.serviceAccount "default"}} apiVersion: v1 kind: ServiceAccount 
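Review bot: All seven ServiceAccounts are created with the default `automountServiceAccountToken`, so every pod using them receives an API token even where no RoleBinding in this change grants the account anything; `basic` in particular has no binding visible in this diff, and an unprivileged token is still a credential that leaves with any container compromise. Setting `automountServiceAccountToken: false` on the accounts that hold no API role, and opting in from the pod spec where a component really calls the API, is the least-privilege default. Which components actually talk to the API server is not fully visible here, so verify against each pod template before flipping it.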
@@ -8,6 +8,5 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} {{- end }} {{- end }} diff --git a/charts/neuvector/neuvector/charts/core/templates/updater-cronjob.yaml b/charts/neuvector/neuvector/charts/core/templates/updater-cronjob.yaml index fdac8611d..936ec4b88 100644 --- a/charts/neuvector/neuvector/charts/core/templates/updater-cronjob.yaml +++ b/charts/neuvector/neuvector/charts/core/templates/updater-cronjob.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: {{ .Release.Service }} spec: schedule: {{ .Values.cve.updater.schedule | quote }} jobTemplate: @@ -42,8 +41,13 @@ spec: {{- if .Values.cve.updater.priorityClassName }} priorityClassName: {{ .Values.cve.updater.priorityClassName }} {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: updater + serviceAccount: updater + {{- else }} serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} + {{- end }} {{- if .Values.cve.updater.runAsUser }} securityContext: runAsUser: {{ .Values.cve.updater.runAsUser }} 
@@ -59,23 +63,31 @@ spec: {{- else }} {{- if .Values.cve.updater.image.hash }} image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}@{{ .Values.cve.updater.image.hash }}" + {{- else if .Values.cve.updater.image.registry }} + image: "{{ .Values.cve.updater.image.registry }}/{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}" {{- else }} image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}" {{- end }} {{- end }} imagePullPolicy: Always + resources: +{{ toYaml .Values.cve.updater.resources | indent 16 }} {{- if .Values.cve.scanner.enabled }} command: - /bin/sh - -c {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} {{- if .Values.cve.updater.secure }} - - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- if .Values.cve.updater.cacert }} + - /usr/bin/curl -v --cacert {{ .Values.cve.updater.cacert }} -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | grep -v Bearer + {{- else }} + - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d 
'{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | grep -v Bearer + {{- end }} {{- else }} - - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | grep -v Bearer {{- end }} {{- else }} - - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | 
grep -v Bearer {{- end }} {{- end }} restartPolicy: Never diff --git a/charts/neuvector/neuvector/charts/core/templates/upgrader-cronjob.yaml b/charts/neuvector/neuvector/charts/core/templates/upgrader-cronjob.yaml new file mode 100644 index 000000000..aecdd1ffc --- /dev/null +++ b/charts/neuvector/neuvector/charts/core/templates/upgrader-cronjob.yaml 
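Review bot: Appending `2>&1 | grep -v Bearer` to every curl invocation keeps the bearer token out of the job log, but it also makes the pipeline's exit status grep's rather than curl's, so a failed PATCH (unreachable API server, or a 401/403 if the least-privilege role is missing a verb) now leaves the Job reporting success. A direct fix is to stop echoing headers instead of filtering them and let curl fail on HTTP errors, e.g. `/usr/bin/curl -sS --fail -o /dev/null --cacert ... -X PATCH ...`, or keep `-v` and prefix the command with `set -o pipefail;` if the image's `/bin/sh` supports it. The new `--cacert {{ .Values.cve.updater.cacert }}` branch is the only one that verifies the API server; presumably the in-cluster bundle `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` is the intended value and could be documented as the default in values.yaml so that `secure: true` works without an extra setting. The `cacert` value is also interpolated unquoted into the shell command, so `--cacert '{{ .Values.cve.updater.cacert }}'` is safer should the path ever contain whitespace.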
@@ -0,0 +1,84 @@
+{{- if and .Values.controller.enabled .Values.internal.autoGenerateCert -}}
+{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: batch/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: batch/v1beta1
+{{- else }}
+apiVersion: batch/v2alpha1
+{{- end }}
+kind: CronJob
+metadata:
+ name: neuvector-cert-upgrader-pod
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ cert-upgrader-uid: ""
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+spec:
+{{- if .Values.controller.certupgrader.schedule }}
+ schedule: {{ .Values.controller.certupgrader.schedule | quote }}
+{{- else }}
+ schedule: "0 0 1 1 *"
+ suspend: true
+{{- end }}
+ concurrencyPolicy: Forbid
+ failedJobsHistoryLimit: 3
+ successfulJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ activeDeadlineSeconds: {{ .Values.controller.certupgrader.timeout }}
+ parallelism: 1
+ completions: 1
+ backoffLimit: 6
+ template:
+ metadata:
+ labels:
+ app: neuvector-cert-upgrader-pod
+ release: {{ .Release.Name }}
+ {{- with .Values.controller.certupgrader.podLabels }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.controller.certupgrader.podAnnotations }}
+ annotations:
+ {{- toYaml . 
| nindent 12 }}
+ {{- end }}
+ spec:
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets }}
+ {{- end }}
+ {{- if .Values.controller.certupgrader.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.controller.certupgrader.nodeSelector | indent 12 }}
+ {{- end }}
+ {{- if .Values.controller.certupgrader.priorityClassName }}
+ priorityClassName: {{ .Values.controller.certupgrader.priorityClassName }}
+ {{- end }}
+ {{- if .Values.leastPrivilege }}
+ serviceAccountName: cert-upgrader
+ serviceAccount: cert-upgrader
+ {{- else }}
+ serviceAccountName: {{ .Values.serviceAccount }}
+ serviceAccount: {{ .Values.serviceAccount }}
+ {{- end }}
+ restartPolicy: Never
+ {{- if .Values.controller.certupgrader.runAsUser }}
+ securityContext:
+ runAsUser: {{ .Values.controller.certupgrader.runAsUser }}
+ {{- end }}
+ containers:
+ - name: neuvector-cert-upgrader-pod
+ image: {{ include "neuvector.controller.image" . | quote }}
+ imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }}
+ command:
+ - /usr/local/bin/upgrader
+ - upgrader-job
+ {{- if and .Values.internal.autoRotateCert }}
+ - --enable-rotation
+ {{- end }}
+ env:
+ {{- with .Values.controller.certupgrader.env }}
+{{- toYaml . | nindent 14 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/templates/upgrader-lease.yaml b/charts/neuvector/neuvector/charts/core/templates/upgrader-lease.yaml
new file mode 100644
index 000000000..2afa935de
--- /dev/null
+++ b/charts/neuvector/neuvector/charts/core/templates/upgrader-lease.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.internal.autoGenerateCert }}
+apiVersion: coordination.k8s.io/v1
+kind: Lease
+metadata:
+ name: neuvector-cert-upgrader
+spec:
+ leaseTransitions: 0
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/values.schema.json b/charts/neuvector/neuvector/charts/core/values.schema.json
new file mode 100644
index 000000000..d4ef6212c
--- /dev/null
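Review bot: The `neuvector-cert-upgrader-pod` container, which presumably handles the chart's internal TLS key material given it runs only under `internal.autoGenerateCert`, gets no container-level `securityContext` — only the optional pod-level `runAsUser` — so it runs with privilege escalation allowed, the default capability set and no seccomp profile; the restricted container securityContext below would align it with the restricted Pod Security Standard, assuming the `upgrader` binary needs no capabilities (worth confirming before merging). Two smaller points in the same hunk: `{{- if and .Values.internal.autoRotateCert }}` applies `and` to a single operand and reads as `{{- if .Values.internal.autoRotateCert }}`, and `env:` is emitted even when `certupgrader.env` is empty, rendering `env: null`, so moving `env:` inside the `with` block is cleaner. `activeDeadlineSeconds: {{ .Values.controller.certupgrader.timeout }}` renders as an empty value if `timeout` is unset; the values schema added later in this diff may guard that, but a `| default` or an `if` here would be self-contained.
```yaml
      containers:
      - name: neuvector-cert-upgrader-pod
        # … unchanged: image, imagePullPolicy …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: command, env …
```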
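Review bot: The Lease omits `namespace: {{ .Release.Namespace }}` and the `chart`/`release` labels that every other template in this chart sets on its metadata; Helm still places it in the release namespace, but the explicit form keeps `helm template | kubectl apply` from depending on the current context namespace and keeps label-based selection consistent. `leaseTransitions: 0` is normally maintained by whatever holds the lease, so a one-line comment naming the component that acquires `neuvector-cert-upgrader` (presumably the upgrader job and/or the controller) would help the next reader understand why the chart seeds it.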
+++ b/charts/neuvector/neuvector/charts/core/values.schema.json 
@@ -0,0 +1,1689 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "properties": { + "openshift": { + "type": "boolean", + "description": "If deploying in OpenShift, set this to true" + }, + "registry": { + "type": "string", + "description": "NeuVector container registry" + }, + "tag": { + "type": ["string", "null"], + "description": "image tag for controller enforcer manager" + }, + "oem": { + "type": ["string", "null"], + "description": "OEM release name" + }, + "imagePullSecrets": { + "description": "image pull secret" + }, + "psp": { + "type": "boolean", + "description": "NeuVector Pod Security Policy when psp policy is enabled" + }, + "rbac": { + "type": "boolean", + "description": "NeuVector RBAC Manifests are installed when RBAC is enabled; required for rancher authentication" + }, + "serviceAccount": { + "type": "string", + "description": "Service account name for NeuVector components" + }, + "leastPrivilege": { + "type": "boolean", + "description": "Use least privileged service account" + }, + "global" : { + "type": "object", + "properties": { + "cattle": { + "type": "object", + "description": "required for rancher authentication", "properties": { + "url": { + "type": ["string", "null"], + "description": "Set the Rancher Server URL; Required for Rancher Authentication. https:///", + "format": "uri" + } + } + }, + "azure": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, install Azure billing csp adapter; **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment." 
+ }, + "identity": { + "type": "object", + "properties": { + "clientId": { + "type": "string", + "description": "Azure populates this value at deployment time" + } + } + }, + "marketplace": { + "type": "object", + "properties": { + "planId": { + "type": "string", + "description": "Azure populates this value at deployment time" + } + } + }, + "extension": { + "type": "object", + "properties": { + "resourceId": { + "type": "string", + "description": "application's Azure Resource ID, Azure populates this value at deployment time" + } + } + }, + "serviceAccount": { + "type": "string", + "description": "Service account name for csp adapter" + }, + "imagePullSecrets": { + "description": "Pull secret for csp adapter image" + }, + "images": { + "type": "object", + "properties": { + "neuvector_csp_pod": { + "type": "object", + "properties": { + "digest": { + "type": "string", + "description": "csp adapter image digest" + }, + "image": { + "type": "string", + "description": " csp adapter image repository" + }, + "registry": { + "type": "string", + "description": "csp adapter image registry" + }, + "imagePullPolicy": { + "enum": ["Always", "Never", "IfNotPresent"], + "description": "csp adapter image pull policy" + } + } + }, + "controller": { + "type": "object", + "properties": { + "digest": { + "type": "string" + }, + "image": { + "type": "string" + }, + "registry": { + "type": "string" + } + } + }, + "manager": { + "type": "object", + "properties": { + "digest": { + "type": "string" + }, + "image": { + "type": "string" + }, + "registry": { + "type": "string" + } + } + }, + "scanner": { + "type": "object", + "properties": { + "digest": { + "type": "string" + }, + "image": { + "type": "string" + }, + "registry": { + "type": "string" + } + } + }, + "enforcer": { + "type": "object", + "properties": { + "digest": { + "type": "string" + }, + "image": { + "type": "string" + }, + "registry": { + "type": "string" + } + } + } + } + } + }, + "required": [ + "enabled" + ] + }, + 
"aws": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, install AWS billing csp adapter. **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment." + }, + "accountNumber": { + "type": ["integer", "string"], + "description": "AWS Account Number; Follow AWS subscription instruction" + }, + "roleName": { + "type": "string", + "description": "AWS Role name for billing; Follow AWS subscription instruction" + }, + "serviceAccount": { + "type": "string", + "description": "Service account name for csp adapter" + }, + "annotations": { + "type": "object" + }, + "imagePullSecrets": { + "description": "Pull secret for csp adapter image" + }, + "image": { + "type": "object", + "properties": { + "digest": { + "type": "string", + "description": "csp adapter image digest" + }, + "repository": { + "type": "string", + "description": "csp adapter image repository" + }, + "tag": { + "type": ["string", "null"], + "description": "csp adapter image tag" + }, + "imagePullPolicy": { + "type": "string", + "enum": ["Always", "Never", "IfNotPresent"], + "description": "csp adapter image pull policy" + } + } + } + }, + "required": [ + "enabled" + ] + } + }, + "required": [ + "azure", + "aws" + ] + }, + "autoGenerateCert": { + "type": "boolean", + "description": "Automatically generate certificate or not" + }, + "defaultValidityPeriod": { + "type": "integer", + "description": "The default validity period used for certs automatically generated (days)" + }, + "internal": { + "type": "object", + "properties": { + "certmanager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "enable when cert-manager is installed for the internal certificates" + }, + "secretname": { + "type": "string" + } + }, + "required": [ + "enabled" + ] + } + } + }, + "controller": { + "type": "object", + "properties": { + "enabled": { + 
"type": "boolean", + "description": "If false, controller will not be installed" + }, + "annotations": { + "type": "object" + }, + "strategy": { + "type": "object", + "properties": { + "type": { + "enum": ["Recreate", "RollingUpdate"] + }, + "rollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + "type": "integer" + }, + "maxUnavailable": { + "type": "integer" + } + } + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "controller image repository" + }, + "hash": { + "type": ["string", "null"], + "description": "controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value." + } + } + }, + "replicas": { + "type": "integer", + "description": "controller replicas" + }, + "disruptionbudget": { + "type": "integer", + "description": "controller PodDisruptionBudget. 0 to disable. Recommended value: 2." + }, + "schedulerName": { + "type": ["string", "null"], + "description": "kubernetes scheduler name" + }, + "priorityClassName": { + "type": ["string", "null"], + "description": "controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable." + }, + "podLabels": { + "type": "object", + "description": "Specify the pod labels." + }, + "podAnnotations": { + "type": "object", + "description": "Specify the pod annotations." + }, + "env": { + "type": "array", + "description": "User-defined environment variables for controller." 
+ }, + "affinity": { + "type": "object", + "description": "controller affinity rules", + "properties": { + "podAntiAffinity": { + "type": "object", + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "type": "array", + "items": { + "type": "object", + "properties": { + "weight": { + "type": "integer", + "minimum": 1, + "maximum": 100 + }, + "podAffinityTerm": { + "type": "object", + "properties": { + "labelSelector": { + "type": "object", + "properties": { + "matchExpressions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + }, + "topologyKey": { + "type": "string" + } + } + } + } + } + } + } + } + } + }, + "tolerations": { + "type": "array", + "description": "List of node taints to tolerate" + }, + "nodeSelector": { + "type": "object", + "description": "Enable and specify nodeSelector labels" + }, + "apisvc": { + "type": "object", + "properties": { + "type": { + "description": "Controller REST API service type" + }, + "annotations": { + "type": "object", + "description": "Add annotations to controller REST API service" + }, + "route": { + "type": "object", + "description": "OpenShift Route configuration. Controller supports HTTPS only, so edge termination not supported.", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, create a OpenShift route to expose the Controller REST API service" + }, + "termination": { + "enum": ["passthrough", "reencrypt"], + "description": "Specify TLS termination for OpenShift route for Controller REST API service. 
Possible passthrough, reencrypt" + }, + "host": { + "type": ["string", "null"], + "format": "hostname", + "description": "Set controller REST API service hostname" + }, + "tls": { + "type": ["object", "null"], + "properties": { + "certificate": { + "type": "string", + "description": "Set controller REST API service PEM format certificate file" + }, + "caCertificate": { + "type": "string", + "description": "Set controller REST API service CA certificate may be required to establish a certificate chain for validation" + }, + "destinationCACertificate": { + "type": "string", + "description": "Set controller REST API service CA certificate to validate the endpoint certificate" + }, + "key": { + "type": "string", + "description": "Set controller REST API service PEM format key file" + } + } + } + }, + "required": [ + "enabled" + ] + } + } + }, + "ranchersso": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, enable single sign on for Rancher; required for rancher authentication" + } + }, + "required": [ + "enabled" + ] + }, + "pvc": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, enable persistence for controller using PVC" + }, + "existingClaim": { + "type": ["boolean", "string"], + "description": "If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used." + }, + "accessModes": { + "type": "array", + "description": "Access modes for the created PVC. Requires RWX", + "items": { + "enum": ["ReadWriteOnce", "ReadOnlyMany", "ReadWriteMany", "ReadWriteOncePod"] + } + }, + "storageClass": { + "type": ["string", "null"], + "description": "Storage Class to be used" + }, + "capacity": { + "type": ["string", "null"], + "description": "Storage capacity. 
Requires 1Gi", + "pattern": "^([0-9]+)(m|k|M|G|T|P|E|Ki|Mi|Gi|Ti|Pi|Ei)$" + } + }, + "required": [ + "enabled" + ] + }, + "azureFileShare": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, enable the usage of an existing or statically provisioned Azure File Share" + }, + "secretName": { + "type": ["string", "null"], + "description": "The name of the secret containing the Azure file share storage account name and key" + }, + "shareName": { + "type": ["string", "null"], + "description": "The name of the Azure file share to use" + } + }, + "required": [ + "enabled" + ] + }, + "certificate": { + "type": "object", + "properties": { + "secret": { + "description": "Replace controller REST API certificate using secret if secret name is specified" + }, + "keyFile": { + "type": "string", + "description": "Replace controller REST API certificate key file" + }, + "pemFile": { + "type": "string", + "description": "Replace controller REST API certificate pem file" + } + } + }, + "internal": { + "type": "object", + "properties": { + "certificate": { + "type": "object", + "description": "this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)", + "properties": { + "secret": { + "type": "string" + }, + "keyFile": { + "type": "string" + }, + "pemFile": { + "type": "string" + }, + "caFile": { + "type": "string", + "description": "must be the same CA for all internal." + } + } + } + } + }, + "federation": { + "type": "object", + "properties": { + "mastersvc": { + "type": "object", + "properties": { + "type": { + "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName", null], + "description": "Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP." 
+ }, + "clusterIP": { + "type": ["string", "null"], + "format": "ipv4", + "description": "Set clusterIP to be used for mastersvc" + }, + "externalTrafficPolicy": { + "description": "Set externalTrafficPolicy to be used for mastersvc" + }, + "internalTrafficPolicy": { + "description": "Set internalTrafficPolicy to be used for mastersvc" + }, + "ingress": { + "type": "object", + "description": "Federation Master Ingress", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, create ingress for federation master service, must also set ingress host value" + }, + "host": { + "type": ["string", "null"], + "description": "MUST be set, if ingress is enabled", + "format": "hostname" + }, + "ingressClassName": { + "type": "string", + "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned" + }, + "path": { + "type": "string", + "description": "or this could be \"/api\", but might need \"rewrite-target\" annotation", + "format": "uri-reference" + }, + "annotations": { + "type": "object", + "description": "Add annotations to ingress to influence behavior", + "properties": { + "nginx.ingress.kubernetes.io/backend-protocol": { + "type": "string" + }, + "ingress.kubernetes.io/rewrite-target": { + "type": "string" + } + } + }, + "tls": { + "type": "boolean", + "description": "If true, TLS is enabled for controller federation master ingress service. If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`." + }, + "secretName": { + "type": ["string", "null"], + "description": "Name of the secret to be used for TLS-encryption. 
Secret must be created separately (Let's encrypt, manually)" + } + }, + "required": [ + "enabled" + ] + }, + "annotations": { + "type": "object", + "description": "Add annotations to Multi-cluster primary cluster REST API service" + }, + "route": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, create a OpenShift route to expose the Multi-cluster primary cluster service" + }, + "termination": { + "enum": ["passthrough", "reencrypt"], + "description": "Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, reencrypt" + }, + "host": { + "type": ["string", "null"], + "format": "hostname", + "description": "Set OpenShift route host for primary cluster service" + }, + "tls": { + "type": ["object", "null"], + "properties": { + "certificate": { + "type": "string", + "description": "Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service" + }, + "caCertificate": { + "type": "string", + "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service" + }, + "destinationCACertificate": { + "type": "string", + "description": "Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service" + }, + "key": { + "type": "string", + "description": "Set PEM format key file for OpenShift route for Multi-cluster primary cluster service" + } + } + } + }, + "required": [ + "enabled" + ] + } + } + }, + "managedsvc": { + "type": "object", + "properties": { + "type": { + "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName", null], + "description": "Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed cluster. Possible values include NodePort, LoadBalancer and ClusterIP." 
+ }, + "clusterIP": { + "type": ["string", "null"], + "format": "ipv4", + "description": "Set clusterIP to be used for managedsvc" + }, + "externalTrafficPolicy": { + "description": "Set externalTrafficPolicy to be used for managedsvc" + }, + "internalTrafficPolicy": { + "description": "Set internalTrafficPolicy to be used for managedsvc" + }, + "ingress": { + "type": "object", + "description": "Federation Managed Ingress", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, create ingress for federation managed service, must also set ingress host value" + }, + "host": { + "type": ["string", "null"], + "description": "MUST be set, if ingress is enabled", + "format": "hostname" + }, + "ingressClassName": { + "type": "string", + "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned" + }, + "path": { + "type": "string", + "description": "or this could be \"/api\", but might need \"rewrite-target\" annotation", + "format": "uri-reference" + }, + "annotations": { + "type": "object", + "description": "Add annotations to ingress to influence behavior", + "properties": { + "nginx.ingress.kubernetes.io/backend-protocol": { + "type": "string" + }, + "ingress.kubernetes.io/rewrite-target": { + "type": "string" + } + } + }, + "tls": { + "type": "boolean", + "description": "If true, TLS is enabled for controller federation managed ingress service" + }, + "secretName": { + "type": ["string", "null"], + "description": "Name of the secret to be used for TLS-encryption. 
Secret must be created separately (Let's encrypt, manually)" + } + }, + "required": [ + "enabled" + ] + }, + "annotations": { + "type": "object", + "description": "Add annotations to Multi-cluster managed cluster REST API service" + }, + "route": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, create a OpenShift route to expose the Multi-cluster managed cluster service" + }, + "termination": { + "enum": ["passthrough", "reencrypt"], + "description": "Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. Possible passthrough, reencrypt" + }, + "host": { + "type": ["string", "null"], + "format": "hostname", + "description": "Set OpenShift route host for manageed service" + }, + "tls": { + "type": ["object", "null"], + "properties": { + "certificate": { + "type": "string", + "description": "Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service" + }, + "caCertificate": { + "type": "string", + "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service" + }, + "destinationCACertificate": { + "type": "string", + "description": "Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service" + }, + "key": { + "type": "string", + "description": "Set PEM format key file for OpenShift route for Multi-cluster managed cluster service" + } + } + } + }, + "required": [ + "enabled" + ] + } + } + } + } + }, + "ingress": { + "type": "object", + "description": "Federation Managed Ingress", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, create ingress for rest api, must also set ingress host value" + }, + "host": { + "type": ["string", "null"], + "description": "MUST be set, if ingress is enabled", + "format": "hostname" + }, + "ingressClassName": { + "type": "string", + 
"description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned" + }, + "path": { + "type": "string", + "description": "or this could be \"/api\", but might need \"rewrite-target\" annotation", + "format": "uri-reference" + }, + "annotations": { + "type": "object", + "description": "Add annotations to ingress to influence behavior", + "properties": { + "nginx.ingress.kubernetes.io/backend-protocol": { + "type": "string" + }, + "ingress.kubernetes.io/rewrite-target": { + "type": "string" + } + } + }, + "tls": { + "type": "boolean", + "description": "If true, TLS is enabled for controller rest api ingress service. If set, the tls-host used is the one set with `controller.ingress.host`" + }, + "secretName": { + "type": ["string", "null"], + "description": " Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)" + } + }, + "required": [ + "enabled" + ] + }, + "resources": { + "type": "object", + "description": "Add resources requests and limits to controller deployment" + }, + "configmap": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, configure NeuVector global settings using a ConfigMap" + }, + "data": { + "type": ["object", "null"], + "description": "NeuVector configuration in YAML format" + } + }, + "required": [ + "enabled" + ] + }, + "secret": { + "type": "object", + "description": "files defined here have preferrence over the ones defined in the configmap section", + "properties": { + "enabled": { + "type":"boolean", + "description": "If true, configure NeuVector global settings using secrets" + }, + "data": { + "type": "object", + "description": "NeuVector configuration in key/value pair format", + "properties": { + "userinitcfg.yaml": { + "type": "object", + "properties": { + "users": { + "type": "array", + "items": { + "type": "object", + "properties": { + "Fullname": { + "type": "string" + }, + "Password": { + 
"type": ["string", "null"] + }, + "Role": { + "type": "string" + } + } + } + } + } + } + } + } + }, + "required": [ + "enabled" + ] + } + }, + "required": [ + "enabled" + ] + }, + "enforcer": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If false, enforcer will not be installed", + "description": "If true, create enforcer" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "enforcer image repository" + }, + "hash": { + "type": ["string", "null"], + "description": "enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value." + } + } + }, + "updateStrategy": { + "type": "object", + "description": "enforcer update strategy type.", + "properties": { + "type": { + "enum": ["Recreate", "RollingUpdate"] + } + } + }, + "priorityClassName": { + "description": "enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable." + }, + "podLabels": { + "type": "object", + "description": "Specify the pod labels." + }, + "podAnnotations": { + "type": "object", + "description": "Specify the pod annotations." + }, + "env": { + "type": "array", + "description": "User-defined environment variables for enforcers." + }, + "tolerations": { + "type": "array", + "description": "List of node taints to tolerate. Other taints can be added after the default", + "items": { + "type": "object", + "properties": { + "effect": { + "enum": ["NoExecute", "NoSchedule", "PreferNoSchedule"] + }, + "key": { + "type": "string" + } + } + } + }, + "resources": { + "type": "object", + "description": "Add resources requests and limits to enforcer deployment" + }, + "internal": { + "type": "object", + "properties": { + "certificate": { + "type": "object", + "description": "this is used for internal communication. 
Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)", + "properties": { + "secret": { + "type": "string" + }, + "keyFile": { + "type": "string" + }, + "pemFile": { + "type": "string" + }, + "caFile": { + "type": "string", + "description": "must be the same CA for all internal." + } + } + } + } + } + }, + "required": [ + "enabled" + ] + }, + "manager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "If true, create manager" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "description": "manager image repository" + }, + "hash": { + "type": ["string", "null"], + "description": "manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value." + } + } + }, + "priorityClassName": { + "type": ["string", "null"], + "description": "manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable." + }, + "env": { + "type": "object", + "properties": { + "ssl": { + "type": "boolean", + "description": "If false, manager will listen on HTTP access instead of HTTPS" + }, + "envs": { + "type": "array", + "description": "Other environment variables. The following variables are accepted.", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + } + } + } + }, + "required": [ + "ssl" + ] + }, + "svc": { + "type": "object", + "description": "set manager service type for native Kubernetes. if it is OpenShift platform or ingress is enabled, then default is `ClusterIP`. 
Set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google.",
+ "properties": {
+ "type": {
+ "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"]
+ },
+ "loadBalancerIP": {
+ "type": ["string", "null"],
+ "format": "ipv4",
+ "description": "if manager service type is LoadBalancer, this is used to specify the load balancer's IP"
+ },
+ "annotations": {
+ "type": "object",
+ "description": "Add annotations to manager service"
+ }
+ }
+ },
+ "route": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "If true, create a OpenShift route to expose the management console service"
+ },
+ "termination": {
+ "enum": ["passthrough", "reencrypt", "edge"],
+ "description": "Specify TLS termination for OpenShift route for management console service. Possible passthrough, reencrypt, edge"
+ },
+ "host": {
+ "type": ["string", "null"],
+ "format": "hostname",
+ "description": "Set OpenShift route host for management console service"
+ },
+ "tls": {
+ "type": ["object", "null"],
+ "properties": {
+ "certificate": {
+ "type": "string",
+ "description": "Set PEM format certificate file for OpenShift route for management console service"
+ },
+ "caCertificate": {
+ "type": "string",
+ "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service"
+ },
+ "destinationCACertificate": {
+ "type": "string",
+ "description": "Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service"
+ },
+ "key": {
+ "type": "string",
+ "description": "Set PEM format key file for OpenShift route for management console service"
+ }
+ }
+ }
+ },
+ "required": [
+ "enabled"
+ ]
+ },
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": ["string", "null"],
+ "description": "Replace manager UI certificate using secret if secret name is specified"
+ }, 
+ "keyFile": {
+ "type": "string",
+ "description": "Replace manager UI certificate key file"
+ },
+ "pemFile": {
+ "type": "string",
+ "description": "Replace manager UI certificate pem file"
+ }
+ }
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "If true, create ingress, must also set ingress host value"
+ },
+ "host": {
+ "type": ["string", "null"],
+ "description": "MUST be set, if ingress is enabled",
+ "format": "hostname"
+ },
+ "ingressClassName": {
+ "type": "string",
+ "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned"
+ },
+ "path": {
+ "type": "string",
+ "format": "uri-reference",
+ "description": "Set ingress path. If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`"
+ },
+ "annotations": {
+ "type": "object",
+ "description": "Add annotations to ingress to influence behavior",
+ "properties": {
+ "nginx.ingress.kubernetes.io/backend-protocol": {
+ "type": "string"
+ },
+ "kubernetes.io/ingress.class": {
+ "type": "string"
+ },
+ "nginx.ingress.kubernetes.io/whitelist-source-range": {
+ "type": "string"
+ },
+ "ingress.kubernetes.io/rewrite-target": {
+ "type": "string"
+ },
+ "nginx.ingress.kubernetes.io/enable-rewrite-log": {
+ "type": "string"
+ }
+ }
+ },
+ "tls": {
+ "type": "boolean",
+ "description": "only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert"
+ },
+ "secretName": {
+ "description": "my-tls-secret",
+ "description": "Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)"
+ }
+ },
+ "required": [
+ "enabled"
+ ]
+ },
+ "resources": {
+ "type": "object",
+ "description": "Add resources requests and limits to manager deployment"
+ },
+ "affinity": {
+ "type": "object",
+ "description": "manager affinity rules"
+ },
+ "podLabels": {
+ "type": "object",
+ "description": "Specify the pod labels." 
+ },
+ "podAnnotations": {
+ "type": "object",
+ "description": "Specify the pod annotations."
+ },
+ "tolerations": {
+ "type": "array",
+ "description": "List of node taints to tolerate"
+ },
+ "nodeSelector": {
+ "type": "object",
+ "description": "Enable and specify nodeSelector labels"
+ },
+ "runAsUser": {
+ "type": ["string", "null"],
+ "description": "MUST be set for Rancher hardened cluster"
+ }
+ },
+ "required": [
+ "enabled"
+ ]
+ },
+ "cve": {
+ "type": "object",
+ "properties": {
+ "adapter": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "If true, create registry adapter"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string",
+ "description": "registry adapter image repository"
+ },
+ "tag": {
+ "type": ["string", "null"],
+ "description": "registry adapter image tag"
+ },
+ "hash": {
+ "type": ["string", "null"],
+ "description": "registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
+ }
+ }
+ },
+ "priorityClassName": {
+ "type": ["string", "null"],
+ "description": "registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
+ },
+ "resources": {
+ "type": "object",
+ "description": "Add resources requests and limits to registry adapter deployment"
+ },
+ "affinity": {
+ "type": "object",
+ "description": "registry adapter affinity rules"
+ },
+ "podLabels": {
+ "type": "object",
+ "description": "Specify the pod labels."
+ },
+ "podAnnotations": {
+ "type": "object",
+ "description": "Specify the pod annotations."
+ },
+ "env": {
+ "type": "array",
+ "description": "User-defined environment variables for adapter." 
+ },
+ "tolerations": {
+ "type": "array",
+ "description": "List of node taints to tolerate"
+ },
+ "nodeSelector": {
+ "type": "object",
+ "description": "Enable and specify nodeSelector labels"
+ },
+ "runAsUser": {
+ "type": ["string", "null"],
+ "description": "Specify the run as User ID. MUST be set for Rancher hardened cluster"
+ },
+ "certificate": {
+ "type": "object",
+ "description": "TLS cert/key. If absent, TLS cert/key automatically generated will be used.",
+ "properties": {
+ "secret": {
+ "type": ["string", "null"],
+ "description": "Replace registry adapter certificate using secret if secret name is specified"
+ },
+ "keyFile": {
+ "type": "string",
+ "description": "Replace registry adapter certificate key file"
+ },
+ "pemFile": {
+ "type": "string",
+ "description": "Replace registry adapter certificate pem file"
+ }
+ }
+ },
+ "harbor": {
+ "type": "object",
+ "properties": {
+ "protocol": {
+ "enum": ["http", "https"],
+ "description": "Harbor registry request protocol"
+ },
+ "secretName": {
+ "type": ["string", "null"],
+ "description": "Harbor registry adapter's basic authentication secret"
+ }
+ }
+ },
+ "svc": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
+ "description": "set registry adapter service type for native Kubernetes. If it is OpenShift platform or ingress is enabled, then default is `ClusterIP`. 
Set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google"
+ },
+ "loadBalancerIP": {
+ "type": ["string", "null"],
+ "format": "ipv4",
+ "description": "if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP"
+ },
+ "annotations": {
+ "type": "object",
+ "description": "Add annotations to registry adapter service"
+ }
+ }
+ },
+ "route": {
+ "type": "object",
+ "description": "OpenShift Route configuration",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "If true, create a OpenShift route to expose the management console service"
+ },
+ "termination": {
+ "enum": ["passthrough", "reencrypt", "edge"],
+ "description": "Specify TLS termination for OpenShift route for management console service. Possible passthrough, reencrypt, edge"
+ },
+ "host": {
+ "type": ["string", "null"],
+ "format": "hostname",
+ "description": "Set OpenShift route host for management console service"
+ },
+ "tls": {
+ "type": ["object", "null"],
+ "properties": {
+ "certificate": {
+ "type": "string",
+ "description": "Set PEM format certificate file for OpenShift route for management console service"
+ },
+ "caCertificate": {
+ "type": "string",
+ "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service"
+ },
+ "destinationCACertificate": {
+ "type": "string",
+ "description": "Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service"
+ },
+ "key": {
+ "type": "string",
+ "description": "Set PEM format key file for OpenShift route for management console service"
+ }
+ }
+ }
+ }
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "If true, create ingress, must also set ingress host value"
+ },
+ "host": {
+ "type": ["string", "null"],
+ "description": "MUST be set, if ingress is 
enabled",
+ "format": "hostname"
+ },
+ "ingressClassName": {
+ "type": "string",
+ "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned"
+ },
+ "path": {
+ "type": "string",
+ "format": "uri-reference",
+ "description": "Set ingress path. If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`"
+ },
+ "annotations": {
+ "type": "object",
+ "description": "Add annotations to ingress to influence behavior",
+ "properties": {
+ "nginx.ingress.kubernetes.io/backend-protocol": {
+ "type": "string"
+ },
+ "kubernetes.io/ingress.class": {
+ "type": "string"
+ },
+ "nginx.ingress.kubernetes.io/whitelist-source-range": {
+ "type": "string"
+ },
+ "ingress.kubernetes.io/rewrite-target": {
+ "type": "string"
+ },
+ "nginx.ingress.kubernetes.io/enable-rewrite-log": {
+ "type": "string"
+ }
+ }
+ },
+ "tls": {
+ "type": "boolean",
+ "description": "If true, TLS is enabled for registry adapter ingress service. If set, the tls-host used is the one set with `cve.adapter.ingress.host`."
+ },
+ "secretName": {
+ "type": ["string", "null"],
+ "description": "Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)"
+ }
+ }
+ },
+ "internal": {
+ "type": "object",
+ "properties": {
+ "certificate": {
+ "type": "object",
+ "description": "this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)",
+ "properties": {
+ "secret": {
+ "type": "string"
+ },
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "caFile": {
+ "type": "string",
+ "description": "must be the same CA for all internal."
+ }
+ }
+ }
+ }
+ }
+ },
+ "required": [
+ "enabled"
+ ]
+ },
+ "updater": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "If true, create cve updater . 
If false, cve updater will not be installed"
+ },
+ "secure": {
+ "type": "boolean",
+ "description": "If true, API server's certificate is validated"
+ },
+ "cacert": {
+ "type": "string",
+ "format": "uri-reference",
+ "description": "If set, use this ca file to validate API server's certificate"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "registry": {
+ "type": "string",
+ "description": "cve updater image registry to overwrite global registry"
+ },
+ "repository": {
+ "type": "string",
+ "description": "cve updater image repository"
+ },
+ "tag": {
+ "type": ["string", "null"],
+ "description": "image tag for cve updater"
+ },
+ "hash": {
+ "type": ["string", "null"],
+ "description": "cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
+ }
+ }
+ },
+ "schedule": {
+ "type": "string",
+ "description": "cronjob cve updater schedule"
+ },
+ "priorityClassName": {
+ "type": ["string", "null"],
+ "description": "cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
+ },
+ "podLabels": {
+ "type": "object",
+ "description": "Specify the pod labels."
+ },
+ "podAnnotations": {
+ "type": "object",
+ "description": "Specify the pod annotations."
+ },
+ "nodeSelector": {
+ "type": "object",
+ "description": "Enable and specify nodeSelector labels"
+ },
+ "runAsUser": {
+ "description": "Specify the run as User ID. 
MUST be set for Rancher hardened cluster"
+ }
+ },
+ "required": [
+ "enabled"
+ ]
+ },
+ "scanner": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "If true, cve scanners will be deployed"
+ },
+ "replicas": {
+ "type": "integer",
+ "description": "external scanner replicas"
+ },
+ "dockerPath": {
+ "type": "string",
+ "description": "the remote docker socket if CI/CD integration need scan images before they are pushed to the registry"
+ },
+ "strategy": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum": ["Recreate", "RollingUpdate"]
+ },
+ "rollingUpdate": {
+ "type": "object",
+ "properties": {
+ "maxSurge": {
+ "type": "integer"
+ },
+ "maxUnavailable": {
+ "type": "integer"
+ }
+ }
+ }
+ }
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "registry": {
+ "type": "string",
+ "description": "cve scanner image registry to overwrite global registry"
+ },
+ "repository": {
+ "type": "string",
+ "description": "cve scanner image repository"
+ },
+ "tag": {
+ "type": ["string", "null"],
+ "description": "cve scanner image tag"
+ },
+ "hash": {
+ "type": ["string", "null"],
+ "description": "cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
+ }
+ }
+ },
+ "priorityClassName": {
+ "type": ["string", "null"],
+ "description": "cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
+ },
+ "resources": {
+ "type": "object",
+ "description": "Add resources requests and limits to scanner deployment"
+ },
+ "affinity": {
+ "type": "object",
+ "description": "scanner affinity rules"
+ },
+ "podLabels": {
+ "type": "object",
+ "description": "Specify the pod labels."
+ },
+ "podAnnotations": {
+ "type": "object",
+ "description": "Specify the pod annotations."
+ },
+ "env": {
+ "type": "array",
+ "description": "User-defined environment variables for scanner." 
+ },
+ "tolerations": {
+ "type": "array",
+ "description": "List of node taints to tolerate"
+ },
+ "nodeSelector": {
+ "type": "object",
+ "description": "Enable and specify nodeSelector labels"
+ },
+ "runAsUser": {
+ "description": "Specify the run as User ID. MUST be set for Rancher hardened cluster"
+ },
+ "internal": {
+ "type": "object",
+ "properties": {
+ "certificate": {
+ "type": "object",
+ "description": "this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)",
+ "properties": {
+ "secret": {
+ "type": "string"
+ },
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "caFile": {
+ "type": "string",
+ "description": "must be the same CA for all internal."
+ }
+ }
+ }
+ }
+ }
+ },
+ "required": [
+ "enabled"
+ ]
+ }
+ },
+ "required": [
+ "adapter",
+ "updater",
+ "scanner"
+ ]
+ },
+ "resources": {
+ "type": "object"
+ },
+ "runtimePath": {
+ "type": ["string", "null"],
+ "format": "uri-reference",
+ "description": "container runtime socket path, if it's not at the default location."
+ },
+ "admissionwebhook": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
+ "description": "admission webhook type"
+ }
+ }
+ },
+ "crdwebhook": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Enable crd service and create crd related resources"
+ },
+ "type": {
+ "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
+ "description": "crd webhook type"
+ }
+ },
+ "required": [
+ "enabled"
+ ]
+ }
+ },
+ "required": [
+ "openshift",
+ "registry",
+ "psp",
+ "rbac",
+ "serviceAccount",
+ "leastPrivilege",
+ "global",
+ "autoGenerateCert",
+ "defaultValidityPeriod",
+ "internal",
+ "controller",
+ "enforcer",
+ "manager",
+ "cve"
+ ],
+ "title": "Values",
+ "type": "object"
+} 
diff --git a/charts/neuvector/neuvector/charts/core/values.yaml b/charts/neuvector/neuvector/charts/core/values.yaml index ab0b8f461..f39f95269 100644 --- a/charts/neuvector/neuvector/charts/core/values.yaml +++ b/charts/neuvector/neuvector/charts/core/values.yaml @@ -5,12 +5,71 @@ openshift: false registry: docker.io -tag: 5.1.1 +tag: 5.4.1 oem: imagePullSecrets: psp: false -rbac: true +rbac: true # required for rancher authentication serviceAccount: default +leastPrivilege: false +global: # required for rancher authentication (https:///) + cattle: + url: + azure: + enabled: false + identity: + clientId: "DONOTMODIFY" # Azure populates this value at deployment time + marketplace: + planId: "DONOTMODIFY" # Azure populates this value at deployment time + extension: + resourceId: "DONOTMODIFY" # application's Azure Resource ID, Azure populates this value at deployment time + serviceAccount: csp + imagePullSecrets: + images: + neuvector_csp_pod: + tag: latest + image: neuvector-billing-azure-by-suse-llc + registry: registry.suse.de/suse/sle-15-sp5/update/pubclouds/images + imagePullPolicy: IfNotPresent + controller: + tag: 5.2.4 + image: controller + registry: docker.io/neuvector + manager: + tag: 5.2.4 + image: manager + registry: docker.io/neuvector + enforcer: + tag: 5.2.4 + image: enforcer + registry: docker.io/neuvector + + aws: + enabled: false + accountNumber: "" + roleName: "" + serviceAccount: csp + annotations: {} + imagePullSecrets: + image: + digest: "" + repository: neuvector/neuvector-csp-adapter + tag: latest + imagePullPolicy: IfNotPresent + +# Set a bootstrap password. If leave empty, default admin password used. +bootstrapPassword: "" + +autoGenerateCert: true + +defaultValidityPeriod: 365 + +internal: + certmanager: # enable when cert-manager is installed for the internal certificates + enabled: false + secretname: neuvector-internal + autoGenerateCert: true + autoRotateCert: false controller: # If false, controller will not be installed 
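Review bot: The Azure CSP image references under `global.azure.images` pin `controller`, `manager` and `enforcer` to `tag: 5.2.4` while this hunk bumps the chart's own `tag` to `5.4.1`, so the billing pod would reference images two minor versions behind the rest of the release unless that is deliberate; either align the tags or add a comment stating why they differ. `neuvector_csp_pod` and the AWS `image` both default to `tag: latest` with `digest: ""`, i.e. mutable references with no content pinning, which makes a rollout non-reproducible. `bootstrapPassword: ""` falls back to the default admin password per its own comment; the comment should also say the value is expected to be set outside a trial install, e.g. `# Set a bootstrap password. If left empty, the default admin password is used; set this for any non-trial install.` The comment `# required for rancher authentication (https:///)` on `global:` carries an empty URL placeholder that reads as a typo; describe the expected `cattle.url` format in words instead. The same block is added to charts/neuvector/neuvector/values.yaml in its `@@ -5,12 +5,66 @@` hunk.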
@@ -30,21 +89,24 @@ controller: priorityClassName: podLabels: {} podAnnotations: {} + searchRegistries: env: [] affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - neuvector-controller-pod - topologyKey: "kubernetes.io/hostname" + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - neuvector-controller-pod + topologyKey: "kubernetes.io/hostname" tolerations: [] - nodeSelector: {} + topologySpreadConstraints: [] + nodeSelector: + {} # key1: value1 # key2: value2 apisvc: @@ -69,7 +131,7 @@ controller: #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- - ranchersso: + ranchersso: # required for rancher authentication enabled: false pvc: enabled: false 
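Review bot: `searchRegistries:` is added as a bare key, which YAML reads as `null`, while the neighbouring additions in this hunk spell out their empty defaults (`topologySpreadConstraints: []`, `nodeSelector: {}`), and nothing says whether a string or a list is expected. A short inline comment giving the expected shape, e.g. `searchRegistries: # <expected format — document here>`, would match the style of the surrounding keys. The same key is added in the `@@ -29,6 +83,7 @@` hunk of charts/neuvector/neuvector/values.yaml.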
@@ -83,24 +145,35 @@ controller: secretName: shareName: certificate: - secret: + secret: "" keyFile: tls.key pemFile: tls.pem - internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: - keyFile: cert.key - pemFile: cert.pem - caFile: ca.cert # must be the same CA for all internal. + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. federation: mastersvc: type: + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: # Federation Master Ingress ingress: enabled: false - host: # MUST be set, if ingress is enabled + host: # MUST be set, if ingress is enabled ingressClassName: "" - path: "/" # or this could be "/api", but might need "rewrite-target" annotation + path: "/" # or this could be "/api", but might need "rewrite-target" annotation annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # ingress.kubernetes.io/rewrite-target: / 
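Review bot: The internal certificate defaults change from `cert.key`/`cert.pem`/`ca.cert` to `tls.key`/`tls.crt`/`ca.crt`, which will break any existing install that supplies its own internal secret under the old file names, and the rewritten comment also drops the sentence that the cert needs a CN of "NeuVector"; if that requirement still holds it should stay in the comment. Whether the templates still accept the old names cannot be seen from these hunks, so the rename deserves a note such as `# file names inside the secret; renamed from cert.key/cert.pem/ca.cert in this chart version`. The same rename appears in the enforcer hunk `@@ -222,25 +329,27 @@` and the scanner hunk `@@ -337,36 +564,39 @@` of this file, and in `@@ -82,18 +138,29 @@` of charts/neuvector/neuvector/values.yaml.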
@@ -128,12 +201,17 @@ controller: # -----END PRIVATE KEY----- managedsvc: type: + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: # Federation Managed Ingress ingress: enabled: false - host: # MUST be set, if ingress is enabled + host: # MUST be set, if ingress is enabled ingressClassName: "" - path: "/" # or this could be "/api", but might need "rewrite-target" annotation + path: "/" # or this could be "/api", but might need "rewrite-target" annotation annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # ingress.kubernetes.io/rewrite-target: / @@ -161,15 +239,16 @@ controller: # -----END PRIVATE KEY----- ingress: enabled: false - host: # MUST be set, if ingress is enabled + host: # MUST be set, if ingress is enabled ingressClassName: "" - path: "/" # or this could be "/api", but might need "rewrite-target" annotation + path: "/" # or this could be "/api", but might need "rewrite-target" annotation annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # ingress.kubernetes.io/rewrite-target: / tls: false secretName: - resources: {} + resources: + {} # limits: # cpu: 400m # memory: 2792Mi @@ -179,7 +258,9 @@ controller: configmap: enabled: false data: - # eulainitcfg.yaml: | + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | # ... # ldapinitcfg.yaml: | # ... @@ -191,13 +272,16 @@ controller: # ... # userinitcfg.yaml: | # ... + # fedinitcfg.yaml: | + # ... secret: # NOTE: files defined here have preferrence over the ones defined in the configmap section enabled: false - data: {} - # eulainitcfg.yaml: - # license_key: 0Bca63Iy2FiXGqjk... - # ... + data: + # passwordprofileinitcfg.yaml: + # ... + # roleinitcfg.yaml: + # ... # ldapinitcfg.yaml: # directory: OpenLDAP # ... 
@@ -208,9 +292,32 @@ controller: # ... # sysinitcfg.yaml: # ... - # userinitcfg.yaml: - # ... - + userinitcfg.yaml: + users: + - Fullname: admin + Password: + Role: admin + certupgrader: + env: [] + # The cronjob schedule that cert-upgrader will run to check and rotate internal certificate. + # default: "" (off) + schedule: "" + imagePullPolicy: IfNotPresent + timeout: 3600 + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + prime: + enabled: false + image: + repository: neuvector/compliance-config + tag: latest + hash: enforcer: # If false, enforcer will not be installed enabled: true @@ -222,25 +329,27 @@ enforcer: priorityClassName: podLabels: {} podAnnotations: {} + env: [] tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane - resources: {} + resources: + {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi - internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: - keyFile: cert.key - pemFile: cert.pem - caFile: ca.cert # must be the same CA for all internal. - + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + manager: # If false, manager will not be installed enabled: true 
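Review bot: `userinitcfg.yaml` under `controller.secret.data` is now live rather than commented out, and it declares a `Fullname: admin` user with `Role: admin` and an empty `Password:`; the surrounding `controller.secret.enabled: false` keeps it inert by default, but flipping that flag without also filling the password ships the admin entry as written. How the controller treats a null password is not visible here, so the line should at least carry a comment such as `Password: # must be set when controller.secret.enabled is true`. In the same hunk `certupgrader.schedule: ""` is documented as off, so internal certificates are not rotated unless the operator opts in, which is worth stating in the comment next to `autoRotateCert`. The same block is added in `@@ -196,25 +270,51 @@` of charts/neuvector/neuvector/values.yaml.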
@@ -250,10 +359,16 @@ manager: priorityClassName: env: ssl: true + envs: [] + # - name: CUSTOM_PAGE_HEADER_COLOR + # value: "#FFFFFF" + # - name: CUSTOM_PAGE_FOOTER_COLOR + # value: "#FFFFFF" svc: - type: NodePort + type: NodePort # should be set to - ClusterIP loadBalancerIP: - annotations: {} + annotations: + {} # azure # service.beta.kubernetes.io/azure-load-balancer-internal: "true" # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" @@ -264,25 +379,31 @@ manager: termination: passthrough host: tls: - #certificate: | + #certificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- - #caCertificate: | + #caCertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- - #destinationCACertificate: | + #destinationCACertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- - #key: | + #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- certificate: - secret: + secret: "" keyFile: tls.key pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- ingress: enabled: false - host: # MUST be set, if ingress is enabled + host: # MUST be set, if ingress is enabled ingressClassName: "" path: "/" annotations: 
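Review bot: `type: NodePort # should be set to - ClusterIP` leaves the manager service default at `NodePort` while the new comment recommends `ClusterIP`, so the management console stays reachable on every node's port by default and the reader has to act on a comment to change that. Either change the default or reword the comment to say when each value applies, e.g. `type: NodePort # use ClusterIP when the console is fronted by an ingress or route`. The identical comment is added for `cve.adapter.svc.type` in the `@@ -293,40 +414,146 @@` hunk.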
@@ -293,40 +414,146 @@ manager: # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert tls: false - secretName: # my-tls-secret - resources: {} + secretName: # my-tls-secret + resources: + {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi + topologySpreadConstraints: [] affinity: {} podLabels: {} podAnnotations: {} tolerations: [] - nodeSelector: {} + nodeSelector: + {} # key1: value1 # key2: value2 - runAsUser: # MUST be set for Rancher hardened cluster - + runAsUser: # MUST be set for Rancher hardened cluster + probes: + enabled: false + timeout: 1 + periodSeconds: 10 + startupFailureThreshold: 30 + cve: + adapter: + enabled: false + image: + repository: neuvector/registry-adapter + tag: 0.1.3 + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. 
+ ## + ## default: (none) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + harbor: + protocol: https + secretName: + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. 
updater: # If false, cve updater will not be installed enabled: true secure: false + cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt image: + registry: "" repository: neuvector/updater tag: latest hash: schedule: "0 0 * * *" priorityClassName: + resources: + {} + # limits: + # cpu: 100m + # memory: 256Mi + # requests: + # cpu: 100m + # memory: 256Mi podLabels: {} podAnnotations: {} - nodeSelector: {} + nodeSelector: + {} # key1: value1 # key2: value2 - runAsUser: # MUST be set for Rancher hardened cluster + runAsUser: # MUST be set for Rancher hardened cluster scanner: enabled: true replicas: 3 @@ -337,36 +564,39 @@ cve: maxSurge: 1 maxUnavailable: 0 image: + registry: "" repository: neuvector/scanner tag: latest hash: priorityClassName: - resources: {} + resources: + {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi + topologySpreadConstraints: [] affinity: {} podLabels: {} podAnnotations: {} + env: [] tolerations: [] - nodeSelector: {} + nodeSelector: + {} # key1: value1 # key2: value2 - runAsUser: # MUST be set for Rancher hardened cluster - internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + runAsUser: # MUST be set for Rancher hardened cluster + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: - keyFile: cert.key - pemFile: cert.pem - caFile: ca.cert # must be the same CA for all internal. + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. -docker: - path: /var/run/docker.sock - -resources: {} +resources: + {} # limits: # cpu: 400m # memory: 2792Mi 
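Review bot: `cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` is added to `cve.updater` while `secure: false` is kept, and the schema in this patch describes `secure` as the switch that validates the API server's certificate and `cacert` as the CA used for that; with `secure` off the new path is presumably never consulted, so the default still skips validation even though the in-pod service-account CA that makes validation possible is now configured. Consider defaulting `secure: true`, or at least tie the two keys together in a comment, e.g. `secure: false # set to true to validate the API server certificate against cacert`. This hunk starts in the manager section and also introduces the whole `cve.adapter` block.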
@@ -374,6 +604,13 @@ resources: {} # cpu: 100m # memory: 2280Mi +runtimePath: + +# The following runtime type and socket location are deprecated after 5.3.0. +# If the socket path is not at the default location, use above 'runtimePath' to specify the location. +docker: + path: /var/run/docker.sock + k3s: enabled: false runtimePath: /run/k3s/containerd/containerd.sock @@ -393,6 +630,9 @@ crio: admissionwebhook: type: ClusterIP +crdwebhooksvc: + enabled: true + crdwebhook: enabled: true type: ClusterIP diff --git a/charts/neuvector/neuvector/values.yaml b/charts/neuvector/neuvector/values.yaml index bec59e21e..e20cd9a68 100644 --- a/charts/neuvector/neuvector/values.yaml +++ b/charts/neuvector/neuvector/values.yaml 
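Review bot: `crdwebhooksvc: enabled: true` is introduced next to the existing `crdwebhook: enabled: true` with no comment saying how the two toggles differ or why both default on. The values.schema.json portion in this patch lists `admissionwebhook` and `crdwebhook` as top-level properties but no `crdwebhooksvc`; the schema's earlier part is not visible here, so it may be declared elsewhere, but if the schema rejects unknown keys this would fail validation. A one-line comment such as `crdwebhooksvc: # <what this toggles, as distinct from crdwebhook — document>` would help.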
@@ -5,12 +5,66 @@ core: # Declare variables to be passed into the templates. openshift: false registry: docker.m.daocloud.io - tag: 5.1.1 + tag: 5.4.1 oem: imagePullSecrets: psp: false - rbac: true + rbac: true # required for rancher authentication serviceAccount: default + leastPrivilege: false + global: # required for rancher authentication (https:///) + cattle: + url: + azure: + enabled: false + identity: + clientId: "DONOTMODIFY" # Azure populates this value at deployment time + marketplace: + planId: "DONOTMODIFY" # Azure populates this value at deployment time + extension: + resourceId: "DONOTMODIFY" # application's Azure Resource ID, Azure populates this value at deployment time + serviceAccount: csp + imagePullSecrets: + images: + neuvector_csp_pod: + tag: latest + image: neuvector-billing-azure-by-suse-llc + registry: registry.suse.de/suse/sle-15-sp5/update/pubclouds/images + imagePullPolicy: IfNotPresent + controller: + tag: 5.2.4 + image: controller + registry: docker.io/neuvector + manager: + tag: 5.2.4 + image: manager + registry: docker.io/neuvector + enforcer: + tag: 5.2.4 + image: enforcer + registry: docker.io/neuvector + aws: + enabled: false + accountNumber: "" + roleName: "" + serviceAccount: csp + annotations: {} + imagePullSecrets: + image: + digest: "" + repository: neuvector/neuvector-csp-adapter + tag: latest + imagePullPolicy: IfNotPresent + # Set a bootstrap password. If leave empty, default admin password used. + bootstrapPassword: "" + autoGenerateCert: true + defaultValidityPeriod: 365 + internal: + certmanager: # enable when cert-manager is installed for the internal certificates + enabled: false + secretname: neuvector-internal + autoGenerateCert: true + autoRotateCert: false controller: # If false, controller will not be installed enabled: true @@ -29,6 +83,7 @@ core: priorityClassName: podLabels: {} podAnnotations: {} + searchRegistries: env: [] affinity: podAntiAffinity: 
@@ -43,6 +98,7 @@ core: - neuvector-controller-pod topologyKey: "kubernetes.io/hostname" tolerations: [] + topologySpreadConstraints: [] nodeSelector: {} # key1: value1 # key2: value2 @@ -68,7 +124,7 @@ core: #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- - ranchersso: + ranchersso: # required for rancher authentication enabled: false pvc: enabled: true @@ -82,18 +138,29 @@ core: secretName: shareName: certificate: - secret: + secret: "" keyFile: tls.key pemFile: tls.pem - internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: - keyFile: cert.key - pemFile: cert.pem - caFile: ca.cert # must be the same CA for all internal. + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. federation: mastersvc: type: NodePort + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: # Federation Master Ingress ingress: enabled: false @@ -127,6 +194,11 @@ core: # -----END PRIVATE KEY----- managedsvc: type: NodePort + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: # Federation Managed Ingress ingress: enabled: false @@ -184,7 +256,9 @@ core: configmap: enabled: false data: - # eulainitcfg.yaml: | + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | # ... # ldapinitcfg.yaml: | # ... 
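Review bot: The default file names in `controller.internal.certificate` change from `cert.key`/`cert.pem`/`ca.cert` to `tls.key`/`tls.crt`/`ca.crt`, which silently changes the keys the chart expects in a user-supplied internal certificate secret; the same rename appears in the enforcer hunk (`@@ -244,12 +345,12 @@`), the scanner hunk (`@@ -368,20 +580,22 @@`) and the new `cve.adapter.internal` block. An inline note on the `keyFile:` line such as `# NOTE: key names changed from cert.key/cert.pem/ca.cert in earlier chart versions; re-key existing secrets when upgrading`, or an entry in the upgrade notes, would keep an upgrade from breaking internal TLS between components. The rewritten comment also dropped the requirement that the certificate carry a CN of "NeuVector"; if that constraint still holds it should be restated, and if it was lifted, saying so avoids operators issuing certificates to a stale spec.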
@@ -196,25 +270,51 @@ core: # ... # userinitcfg.yaml: | # ... + # fedinitcfg.yaml: | + # ... secret: # NOTE: files defined here have preferrence over the ones defined in the configmap section enabled: false - data: {} - # eulainitcfg.yaml: - # license_key: 0Bca63Iy2FiXGqjk... - # ... - # ldapinitcfg.yaml: - # directory: OpenLDAP - # ... - # oidcinitcfg.yaml: - # Issuer: https://... - # ... - # samlinitcfg.yaml: - # ... - # sysinitcfg.yaml: - # ... - # userinitcfg.yaml: - # ... + data: + # passwordprofileinitcfg.yaml: + # ... + # roleinitcfg.yaml: + # ... + # ldapinitcfg.yaml: + # directory: OpenLDAP + # ... + # oidcinitcfg.yaml: + # Issuer: https://... + # ... + # samlinitcfg.yaml: + # ... + # sysinitcfg.yaml: + # ... + userinitcfg.yaml: + users: + - Fullname: admin + Password: + Role: admin + certupgrader: + env: [] + # The cronjob schedule that cert-upgrader will run to check and rotate internal certificate. + # default: "" (off) + schedule: "" + imagePullPolicy: IfNotPresent + timeout: 3600 + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + prime: + enabled: false + image: + repository: neuvector/compliance-config + tag: latest + hash: enforcer: # If false, enforcer will not be installed enabled: true @@ -226,6 +326,7 @@ core: priorityClassName: podLabels: {} podAnnotations: {} + env: [] tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master 
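Review bot: Under `controller.secret.data`, `userinitcfg.yaml` is now live YAML (not a commented example like its siblings) that declares an `admin` user with an empty `Password:`, which parses as null; `secret.enabled` defaults to false, but anyone enabling the secret without overriding the password gets this entry rendered as-is. A comment directly above the user entry, such as `# Password must be set (via --set or an uncommitted values file) before enabling this secret; an empty value renders as null`, would make the expectation explicit, or the entry could be commented out like the other examples if it is only meant as a template. The new `prime.image` block uses `tag: latest` while exposing a `hash:` key; noting that `hash` should be pinned in production would match the pinned adapter tag added elsewhere in this commit.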
@@ -244,12 +345,12 @@ core: # requests: # cpu: 100m # memory: 2280Mi - internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: - keyFile: cert.key - pemFile: cert.pem - caFile: ca.cert # must be the same CA for all internal. + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. manager: # If false, manager will not be installed enabled: true @@ -259,8 +360,13 @@ core: priorityClassName: env: ssl: false + envs: [] + # - name: CUSTOM_PAGE_HEADER_COLOR + # value: "#FFFFFF" + # - name: CUSTOM_PAGE_FOOTER_COLOR + # value: "#FFFFFF" svc: - type: NodePort + type: NodePort # should be set to - ClusterIP loadBalancerIP: annotations: {} # azure @@ -273,22 +379,28 @@ core: termination: passthrough host: tls: - #certificate: | + #certificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- - #caCertificate: | + #caCertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- - #destinationCACertificate: | + #destinationCACertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- - #key: | + #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- certificate: - secret: + secret: "" keyFile: tls.key pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- ingress: enabled: false host: # MUST be set, if ingress is enabled @@ -316,6 +428,7 @@ core: # requests: # cpu: 100m # memory: 2280Mi + topologySpreadConstraints: [] affinity: {} podLabels: {} podAnnotations: {} 
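Review bot: The new inline comment `type: NodePort # should be set to - ClusterIP` on `manager.svc` states that the shipped default is the wrong choice yet leaves NodePort in place, so the manager UI is published on every node by default; the new `cve.adapter.svc` block in the `@@ -324,17 +437,115 @@` hunk carries the same comment and default. Either the default should become ClusterIP with the ingress/route blocks as the intended exposure path, or the comment should say why NodePort remains and recommend ClusterIP for new deployments, e.g. `type: NodePort # kept for compatibility with existing installs; use ClusterIP and expose via ingress/route for new deployments`.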
@@ -324,17 +437,115 @@ core: # key1: value1 # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster + probes: + enabled: false + timeout: 1 + periodSeconds: 10 + startupFailureThreshold: 30 cve: + adapter: + enabled: false + image: + repository: neuvector/registry-adapter + tag: 0.1.3 + hash: + priorityClassName: + resources: {} + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. + ## + ## default: (none) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + harbor: + protocol: https + secretName: + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # 
nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. updater: # If false, cve updater will not be installed enabled: false secure: false + cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt image: + registry: "" repository: neuvector/updater tag: latest hash: schedule: "0 0 * * *" priorityClassName: + resources: {} + # limits: + # cpu: 100m + # memory: 256Mi + # requests: + # cpu: 100m + # memory: 256Mi podLabels: {} podAnnotations: {} nodeSelector: {} @@ -351,6 +562,7 @@ core: maxSurge: 1 maxUnavailable: 0 image: + registry: "" repository: neuvector/scanner tag: latest hash: @@ -368,20 +580,22 @@ core: # requests: # cpu: 100m # memory: 2280Mi + topologySpreadConstraints: [] affinity: {} podLabels: {} podAnnotations: {} + env: [] tolerations: [] nodeSelector: {} # key1: value1 # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster - internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: - keyFile: cert.key - pemFile: cert.pem - caFile: ca.cert # must be the same CA for all internal. + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. resources: limits: cpu: 400m 
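Review bot: `cve.updater.cacert` is added with a service-account CA path while `secure: false` remains the default on the line above it, and nothing in the values file says whether the CA bundle is consulted only when `secure` is true or unconditionally; from this hunk alone that cannot be determined. A one-line comment such as `# CA bundle used to verify the controller API; see secure above` (confirm against the updater template) would settle it. The adapter's `harbor.secretName:` is a bare key that renders as null; an explicit `""` with a short comment on what the secret must contain would be consistent with the `secret: ""` convention used in the same hunk.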
@@ -389,8 +603,6 @@ core: requests: cpu: 100m memory: 2280Mi - docker: - path: /var/run/docker.sock resources: {} # limits: # cpu: 400m @@ -399,6 +611,11 @@ core: # cpu: 100m # memory: 2280Mi + runtimePath: + # The following runtime type and socket location are deprecated after 5.3.0. + # If the socket path is not at the default location, use above 'runtimePath' to specify the location. + docker: + path: /var/run/docker.sock k3s: enabled: false runtimePath: /run/k3s/containerd/containerd.sock @@ -413,6 +630,8 @@ core: path: /var/run/crio/crio.sock admissionwebhook: type: ClusterIP + crdwebhooksvc: + enabled: true crdwebhook: enabled: true type: ClusterIP