Update Helm chart with ClusterRole secret option and Curl Registry (#287
)

* Update Helm chart with ClusterRole secret option and Curl Image registry

Define whether reading Secrets cluster-wide should be allowed
Define the curl image registry/repository/tag
yossicohn authored Jan 16, 2023
1 parent 7e34769 commit 01a8c4a
Showing 5 changed files with 33 additions and 8 deletions.
2 changes: 2 additions & 0 deletions charts/kubeclarity/templates/clusterrole.yaml
Expand Up @@ -9,9 +9,11 @@ rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
{{- if index .Values "kubeclarity" "clusterRole" "readClusterSecrets" }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
{{- end}}
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
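Review bot: The new `{{- if index .Values "kubeclarity" "clusterRole" "readClusterSecrets" }}` guard only narrows privilege when an operator opts out; with the chart default of `readClusterSecrets: true` (values.yaml in this commit) the ClusterRole still grants `get` on every Secret in every namespace, since this rule lives in a ClusterRole rather than a namespaced Role. The credential adders in scanner.go are constructed with `config.CredsSecretNamespace`; if they only read Secrets from that single namespace, a Role/RoleBinding scoped to it would be the narrower grant — worth confirming against the `_creds` implementations before relying on the cluster-wide rule. Consider documenting the scope of the grant next to the toggle, e.g. `# grants get on Secrets in all namespaces; set readClusterSecrets: false to drop this rule`. Minor style: `{{- end}}` differs from the `{{- if ... }}` spacing; `{{- end }}` matches. The enclosing `rules:` list starts outside this hunk.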
6 changes: 4 additions & 2 deletions charts/kubeclarity/templates/deployment.yaml
Expand Up @@ -38,7 +38,7 @@ spec:
resources:
{{- toYaml .Values.kubeclarity.initContainers.resources | nindent 12 }}
- name: '{{ include "kubeclarity.name" . }}-wait-for-sbom-db'
image: curlimages/curl:7.84.0
image: {{ index .Values "curl" "image" "registry" }}/{{ index .Values "curl" "image" "repository" }}:{{ index .Values "curl" "image" "tag" }}
args:
- /bin/sh
- -c
Expand All @@ -62,7 +62,7 @@ spec:
{{- toYaml .Values.kubeclarity.initContainers.resources | nindent 12 }}
{{- if index .Values "kubeclarity-grype-server" "enabled" }}
- name: '{{ include "kubeclarity.name" . }}-wait-for-grype-server'
image: curlimages/curl:7.84.0
image: {{ index .Values "curl" "image" "registry" }}/{{ index .Values "curl" "image" "repository" }}:{{ index .Values "curl" "image" "tag" }}
args:
- /bin/sh
- -c
Expand Down Expand Up @@ -125,6 +125,8 @@ spec:
value: "{{ include "kubeclarity.name" . }}-scanner-template"
- name: SCANNER_JOB_TEMPLATE_CONFIG_MAP_NAMESPACE
value: "{{ .Release.Namespace }}"
- name: READ_CLUSTER_SECRETS
value: "{{ index .Values "kubeclarity" "clusterRole" "readClusterSecrets" }}"
readinessProbe:
httpGet:
path: /healthz/ready
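Review bot: The image reference built in the `-wait-for-sbom-db` init container (and identically in `-wait-for-grype-server` in the second hunk) renders as `/curlimages/curl:7.84.0` when an operator clears `curl.image.registry` to use the default registry, which Kubernetes rejects as an invalid image name. Making the registry segment conditional keeps both forms valid: `image: {{ with index .Values "curl" "image" "registry" }}{{ . }}/{{ end }}{{ index .Values "curl" "image" "repository" }}:{{ index .Values "curl" "image" "tag" }}`. The same holds if `repository` or `tag` is empty, so a `required` call on those two keys would fail the render early instead of producing a broken Pod spec. The `READ_CLUSTER_SECRETS` env entry in the third hunk is rendered from the same toggle as the ClusterRole rule, which keeps RBAC and the scanner's behaviour in step; a short template comment saying so would help future edits keep them paired.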
13 changes: 13 additions & 0 deletions charts/kubeclarity/values.yaml
Expand Up @@ -22,6 +22,16 @@ global:
## End of Global Values
#######################################################################################

#######################################################################################
## Curl Values
curl:
image:
registry: "docker.io"
repository: curlimages/curl
tag: 7.84.0
## End of Curl Values
#######################################################################################

#######################################################################################
## KubeClarity Values

Expand Down Expand Up @@ -53,6 +63,9 @@ kubeclarity:
memory: "1000Mi"
cpu: "1000m"

clusterRole:
readClusterSecrets: true

initContainers:
resources:
requests:
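Review bot: `tag: 7.84.0` is unquoted; this particular value parses as a string, but a future tag such as `8.0` would be read as a YAML float and rendered as `8`, so quoting it (`tag: "7.84.0"`) like `registry: "docker.io"` avoids a surprising image reference later. The new `readClusterSecrets` key carries no comment although it both adds a cluster-wide Secret `get` rule and, via `READ_CLUSTER_SECRETS`, decides whether the scanner builds any registry credential adders; a line such as `# true: grant get on Secrets cluster-wide and load registry credentials; false: neither` above it would make the privilege trade-off visible where operators set it. Defaulting to `true` preserves the previous behaviour, which is reasonable for compatibility, but the comment should say that `false` is the least-privilege setting.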
4 changes: 4 additions & 0 deletions runtime_scan/pkg/config/config.go
Expand Up @@ -29,19 +29,22 @@ const (
ScannerJobTemplateConfigMapName = "SCANNER_JOB_TEMPLATE_CONFIG_MAP_NAME"
ScannerJobTemplateConfigMapNamespace = "SCANNER_JOB_TEMPLATE_CONFIG_MAP_NAMESPACE"
defaultScannerJobResultListenPort = 8888
ReadClusterSecrets = "READ_CLUSTER_SECRETS" // nolint: gosec
)

type Config struct {
ScannerJobResultListenPort int
CredsSecretNamespace string
ScannerJobTemplate *batchv1.Job
ReadClusterSecrets bool
}

func setConfigDefaults() {
viper.SetDefault(CredsSecretNamespace, "kubeclarity")
viper.SetDefault(ScannerJobTemplateConfigMapName, "")
viper.SetDefault(ScannerJobTemplateConfigMapNamespace, "kubeclarity")
viper.SetDefault(ScannerJobResultListenPort, defaultScannerJobResultListenPort)
viper.SetDefault(ReadClusterSecrets, "true")

viper.AutomaticEnv()
}
Expand All @@ -59,6 +62,7 @@ func LoadConfig(clientset kubernetes.Interface) (*Config, error) {
ScannerJobResultListenPort: viper.GetInt(ScannerJobResultListenPort),
CredsSecretNamespace: viper.GetString(CredsSecretNamespace),
ScannerJobTemplate: scannerJobTemplate,
ReadClusterSecrets: viper.GetBool(ReadClusterSecrets),
}

return config, nil
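Review bot: `viper.SetDefault(ReadClusterSecrets, "true")` registers a string default for a value that is read back with `viper.GetBool` and stored in a `bool` field; this works through viper's casting, but the sibling `ScannerJobResultListenPort` default is typed, so `viper.SetDefault(ReadClusterSecrets, true)` is the consistent and less surprising form. The `// nolint: gosec` on the constant silences a hardcoded-credential false positive triggered by the name; a brief reason next to it, e.g. `// nolint: gosec // env var name, not a secret`, stops the next reader from wondering whether a real finding was suppressed. The new `ReadClusterSecrets bool` field in `Config` has no comment while it gates RBAC-sensitive behaviour; `// ReadClusterSecrets enables the registry credential adders that read Secrets (READ_CLUSTER_SECRETS).` would do. The `const (` block and `LoadConfig` both extend outside these hunks.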
16 changes: 10 additions & 6 deletions runtime_scan/pkg/scanner/scanner.go
Expand Up @@ -51,6 +51,14 @@ type Scanner struct {
}

func CreateScanner(config *_config.Config, clientset kubernetes.Interface) *Scanner {
credentialAdders := []_creds.CredentialAdder{}
if config.ReadClusterSecrets {
credentialAdders = []_creds.CredentialAdder{
_creds.CreateBasicRegCred(clientset, config.CredsSecretNamespace),
_creds.CreateECR(clientset, config.CredsSecretNamespace),
_creds.CreateGCR(clientset, config.CredsSecretNamespace),
}
}
s := &Scanner{
progress: _types.ScanProgress{
Status: _types.Idle,
Expand All @@ -59,12 +67,8 @@ func CreateScanner(config *_config.Config, clientset kubernetes.Interface) *Scan
killSignal: make(chan bool),
clientset: clientset,
logFields: log.Fields{"scanner id": uuid.NewV4().String()},
credentialAdders: []_creds.CredentialAdder{
_creds.CreateBasicRegCred(clientset, config.CredsSecretNamespace),
_creds.CreateECR(clientset, config.CredsSecretNamespace),
_creds.CreateGCR(clientset, config.CredsSecretNamespace),
},
Mutex: sync.Mutex{},
credentialAdders: credentialAdders,
Mutex: sync.Mutex{},
}

return s
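Review bot: When `config.ReadClusterSecrets` is false the scanner is built with no credential adders and nothing records that, so an operator who later sees scans of private registries behave differently has no log line pointing at the toggle; an `else` branch with something like `log.WithFields(s.logFields).Warn("READ_CLUSTER_SECRETS is false; no registry credential adders configured")` (placed after `s` is built, or using a plain `log.Warn` before it) makes the reduced-privilege mode visible at startup. What downstream code does with an empty adder list is not visible in this hunk, so the wording should be confirmed against the consumers. Style-wise, `credentialAdders := []_creds.CredentialAdder{}` followed by a full reassignment reads better as `var credentialAdders []_creds.CredentialAdder` unless a non-nil empty slice is required by a consumer. `CreateScanner` continues outside the hunk.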