Update image version in manifest to v0.2.2

manifests/Kptfile

@@ -1,22 +1,8 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 apiVersion: kpt.dev/v1
 kind: Kptfile
 metadata:
  name: gatekeeper-securitycenter
  annotations:
- config.kubernetes.io/local-config: 'true'
+ config.kubernetes.io/local-config: "true"
 info:
  description: kpt package for gatekeeper-securitycenter

manifests/README.md

@@ -16,7 +16,7 @@ This package assumes that you have already created the
 ### Fetch this package
 
 ```sh
-VERSION=v0.2.1
+VERSION=v0.2.2
 
 kpt pkg get https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter.git/manifests@$VERSION manifests
 ```

manifests/README.md~

@@ -0,0 +1,82 @@
+# `gatekeeper-securitycenter` controller kpt package
+
+kpt package for the `gatekeeper-securitycenter` Kubernetes controller.
+
+## Usage
+
+This package assumes that you have already created the
+[prerequisite resources](https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter#prerequisites).
+
+### Tools required
+
+- [kpt](https://kpt.dev/installation/) v1.0.0-beta.1 or later
+
+- [kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/)
+
+### Fetch this package
+
+```sh
+VERSION=v0.2.1
+
+kpt pkg get https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter.git/manifests@$VERSION manifests
+```
+
+### Set source name and cluster name
+
+1. Set the Security Command Center source name:
+
+ ```sh
+ kpt fn eval manifests \
+ --image gcr.io/kpt-fn/apply-setters:v0.1 -- \
+ "source=$SOURCE_NAME"
+ ```
+
+ Where `$SOURCE_NAME` is your Security Command Center source in the format
+ `organizations/$ORGANIZATION_ID/sources/$SOURCE_ID`.
+
+2. (Optional) Set the cluster name. You can use any name you like, or you can
+ leave it blank. If you provide a cluster name, it will be visible in
+ Security Command Center. As an example, you can use your current kubectl
+ context name:
+
+ ```sh
+ kpt fn eval manifests \
+ --image gcr.io/kpt-fn/apply-setters:v0.1 -- \
+ "cluster=$(kubectl config current-context)"
+ ```
+
+### Add Workload Identity annotation
+
+If your Google Kubernetes Engine (GKE) cluster uses
+[Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity),
+add an annotation for the Google service account `FINDINGS_EDITOR_SA` to bind
+it to the `gatekeeper-securitycenter-controller` Kubernetes service account:
+
+```sh
+kustomize cfg annotate manifests/ \
+ --kind ServiceAccount \
+ --name gatekeeper-securitycenter-controller \
+ --namespace gatekeeper-securitycenter \
+ --kv "iam.gke.io/gcp-service-account=$FINDINGS_EDITOR_SA"
+```
+
+The Google service account must have the
+[Security Center Findings Editor](https://cloud.google.com/iam/docs/understanding-roles#security-center-roles)
+Cloud IAM role on the source or at the organization level.
+
+If you don't use Workload Identity, see the documentation on
+[Authenticating to Google Cloud with service accounts](https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform)
+for alternative instructions on how to provide Google service account
+credentials to the `gatekeeper-securitycenter` controller pods.
+
+### Setup inventory tracking for the package
+
+```sh
+kpt live init manifests
+```
+
+### Apply the package
+
+```sh
+kpt live apply manifests --reconcile-timeout=3m --output=table
+```

manifests/cluster-role-binding.yaml

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -23,6 +22,6 @@ roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
 subjects:
-- name: gatekeeper-securitycenter-controller
- namespace: gatekeeper-securitycenter
- kind: ServiceAccount
+ - name: gatekeeper-securitycenter-controller
+  namespace: gatekeeper-securitycenter
+  kind: ServiceAccount

manifests/cluster-role.yaml

@@ -11,18 +11,17 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: gatekeeper-securitycenter-view-all
  labels:
  gatekeeper-securitycenter/system: 'yes'
 rules:
-- resources:
- - '*'
- apiGroups:
- - '*'
- verbs:
- - get
- - list
+ - resources:
+  - '*'
+  apiGroups:
+  - '*'
+  verbs:
+  - get
+  - list

manifests/config-map.yaml

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 apiVersion: v1
 kind: ConfigMap
 metadata:

manifests/deployment.yaml

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -39,38 +38,38 @@ spec:
  spec:
  serviceAccountName: gatekeeper-securitycenter-controller
  containers:
- - name: manager
- image: ko://github.com/googlecloudplatform/gatekeeper-securitycenter # kpt-set: ${image}
- args:
- - findings
- - manager
- - --source=$(SOURCE)
- - --cluster=$(CLUSTER)
- - --interval=120 # kpt-set: --interval=${interval}
- - --dry-run=false # kpt-set: --dry-run=${dry-run}
- env:
- - name: SOURCE
- valueFrom:
- configMapKeyRef:
- name: gatekeeper-securitycenter-config
- key: SOURCE_NAME
- - name: CLUSTER
- valueFrom:
- configMapKeyRef:
- name: gatekeeper-securitycenter-config
- key: CLUSTER_NAME
- - name: DEBUG
- value: "false" # kpt-set: ${debug-env}
- resources:
- requests:
- cpu: 250m # kpt-set: ${request-cpu}
- memory: 512Mi # kpt-set: ${request-memory}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
+  - name: manager
+  image: ghcr.io/googlecloudplatform/gatekeeper-securitycenter:v0.2.2@sha256:502a984c5daa99308b467bd24d5257d6bbcbfa35e26051cb7f68f11db838afc1 # kpt-set: ${image}
+  args:
+  - findings
+  - manager
+  - --source=$(SOURCE)
+  - --cluster=$(CLUSTER)
+  - --interval=120 # kpt-set: --interval=${interval}
+  - --dry-run=false # kpt-set: --dry-run=${dry-run}
+  env:
+  - name: SOURCE
+  valueFrom:
+  configMapKeyRef:
+  name: gatekeeper-securitycenter-config
+  key: SOURCE_NAME
+  - name: CLUSTER
+  valueFrom:
+  configMapKeyRef:
+  name: gatekeeper-securitycenter-config
+  key: CLUSTER_NAME
+  - name: DEBUG
+  value: "false" # kpt-set: ${debug-env}
+  resources:
+  requests:
+  cpu: 250m # kpt-set: ${request-cpu}
+  memory: 512Mi # kpt-set: ${request-memory}
+  securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+  drop:
+  - all
+  readOnlyRootFilesystem: true
+  runAsGroup: 65532
+  runAsNonRoot: true
+  runAsUser: 65532

manifests/namespace.yaml

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 apiVersion: v1
 kind: Namespace
 metadata:

manifests/service-account.yaml

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 apiVersion: v1
 kind: ServiceAccount
 metadata: