diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index fd7c2df0..002fe750 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -16,6 +16,7 @@ jobs:
 outputFile: results.sarif
 severityThreshold: critical
 account: ${{secrets.KUBESCAPE_ACCOUNT }}
+ accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY }}
 - name: Upload Kubescape scan results to Github Code Scanning
 uses: github/codeql-action/upload-sarif@v2
 with:
diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml
index 4f6a38cb..0f2f47bb 100644
--- a/charts/kubescape-operator/Chart.yaml
+++ b/charts/kubescape-operator/Chart.yaml
@@ -9,14 +9,14 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.17.2
+version: 1.17.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 1.17.2
+appVersion: 1.17.3
 maintainers:
 - name: Ben Hirschberg
diff --git a/charts/kubescape-operator/README.md b/charts/kubescape-operator/README.md
index 73523455..fcf6782a 100644
--- a/charts/kubescape-operator/README.md
+++ b/charts/kubescape-operator/README.md
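Review bot: The added `accessKey` hands a second long-lived Kubescape cloud credential to the scan step, and the hunk does not show how that step's action is pinned or what event runs the job, because the step's `uses:` line and the workflow's `on:`/`permissions:` block start outside the hunk. Before a third-party action receives this secret it is worth confirming it is pinned to a commit SHA rather than a floating tag; the neighbouring `github/codeql-action/upload-sarif@v2` in the same hunk is tag-pinned, so the scan step may follow the same pattern. If the job is reachable via `pull_request_target` or `workflow_run`, the key becomes exposed to fork-originated code, so a job-level `permissions:` block limited to `security-events: write` and `contents: read` is the usual companion. Minor style: `${{secrets.KUBESCAPE_ACCESS_KEY }}` has asymmetric spacing; `${{ secrets.KUBESCAPE_ACCESS_KEY }}` is the documented form (the existing `account:` line has the same quirk and could be normalised at the same time).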
@@ -1,6 +1,6 @@ # Kubescape Operator -![Version: 1.17.2](https://img.shields.io/badge/Version-1.17.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.17.2](https://img.shields.io/badge/AppVersion-v1.17.2-informational?style=flat-square) +![Version: 1.17.3](https://img.shields.io/badge/Version-1.17.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.17.3](https://img.shields.io/badge/AppVersion-v1.17.3-informational?style=flat-square) ## Install @@ -225,7 +225,6 @@ docker-compose logs uptrace | cloudProviderMetadata.aksClientID | string | `nil` | AKS client ID | | cloudProviderMetadata.aksClientSecret | string | `nil` | AKS client secret | | cloudProviderMetadata.aksTenantID | string | `nil` | AKS tenant ID | -| triggerNewImageScan | bool | `false` | enable/disable trigger image scan for new images | | volumes | object | `[]` | Additional volumes for all containers | | volumeMounts | object | `[]` | Additional volumeMounts for all containers | diff --git a/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml b/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml index 3ae2db52..349cb26e 100644 --- a/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml +++ b/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml 
@@ -29,7 +29,6 @@ data:
 "vulnScanURL": "{{ .Values.kubevuln.name }}:{{ .Values.kubevuln.service.port }}",
 "kubevulnURL": "{{ .Values.kubevuln.name }}:{{ .Values.kubevuln.service.port }}",
 "kubescapeURL": "{{ .Values.kubescape.name }}:{{ .Values.kubescape.service.port }}",
- "triggerNewImageScan": "{{ .Values.triggerNewImageScan }}",
 "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" }}",
 "storage": {{ $components.storage.enabled }},
 "relevantImageVulnerabilitiesEnabled": {{ eq .Values.capabilities.relevancy "enable" }},
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index 544bff97..edad9459 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -1,6 +1,6 @@ all capabilities: 1: | - raw: "Thank you for installing kubescape-operator version 1.17.2.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\nView your configuration scan summaries: \n> kubectl get workloadconfigurationscansummaries -A\n\nDetailed reports are also available: \n> kubectl get workloadconfigurationscans -A\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. 
To view them: \n> kubectl get generatednetworkpolicies -n \n\n" + raw: "Thank you for installing kubescape-operator version 1.17.3.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\nView your configuration scan summaries: \n> kubectl get workloadconfigurationscansummaries -A\n\nDetailed reports are also available: \n> kubectl get workloadconfigurationscans -A\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" 2: | apiVersion: batch/v1 kind: CronJob @@ -114,7 +114,6 @@ all capabilities: "vulnScanURL": "kubevuln:8080", "kubevulnURL": "kubevuln:8080", "kubescapeURL": "kubescape:8080", - "triggerNewImageScan": "false", "clusterName": "kind-kind", "storage": true, "relevantImageVulnerabilitiesEnabled": true, @@ -183,7 +182,7 @@ all capabilities: app: gateway app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: gateway - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: gateway namespace: kubescape @@ -309,7 +308,7 @@ all capabilities: metadata: labels: app: gateway - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: gateway namespace: kubescape 
@@ -387,7 +386,7 @@ all capabilities: app: grype-offline-db app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: grype-offline-db - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane spec: affinity: null @@ -570,7 +569,7 @@ all capabilities: app: kollector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kollector - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane spec: affinity: null @@ -936,7 +935,7 @@ all capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: kubescape namespace: kubescape @@ -964,7 +963,7 @@ all capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -1191,7 +1190,7 @@ all capabilities: metadata: labels: app: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: kubescape namespace: kubescape @@ -1442,7 +1441,7 @@ all capabilities: app: kubevuln app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubevuln - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -1728,7 +1727,7 @@ all capabilities: app: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: node-agent - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: 
@@ -1984,7 +1983,7 @@ all capabilities: app: operator app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: operator - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -2269,7 +2268,7 @@ all capabilities: app: otel-collector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: otel-collector - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: otel-collector namespace: kubescape @@ -2352,7 +2351,7 @@ all capabilities: metadata: labels: app: otel-collector - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: otel-collector namespace: kubescape @@ -2428,7 +2427,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: service-discovery - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane name: RELEASE-NAME @@ -2995,7 +2994,7 @@ all capabilities: app: synchronizer app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: synchronizer - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: 
@@ -3117,7 +3116,7 @@ all capabilities: namespace: kubescape default capabilities: 1: | - raw: "Thank you for installing kubescape-operator version 1.17.2.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\n\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" + raw: "Thank you for installing kubescape-operator version 1.17.3.\nView your cluster's configuration scanning schedule: \n> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}'\n\nTo change the schedule, set `.spec.schedule`: \n> kubectl -n kubescape edit cj kubescape-scheduler\nView your cluster's image scanning schedule: \n> kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{\"\\t\"}{.spec.schedule}{\"\\n\"}' \n\nTo change the schedule, edit `.spec.schedule`: \n> kubectl -n kubescape edit cj kubevuln-scheduler\n\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" 2: | apiVersion: v1 data: 
@@ -3143,7 +3142,6 @@ default capabilities: "vulnScanURL": "kubevuln:8080", "kubevulnURL": "kubevuln:8080", "kubescapeURL": "kubescape:8080", - "triggerNewImageScan": "false", "clusterName": "kind-kind", "storage": true, "relevantImageVulnerabilitiesEnabled": true, @@ -3212,7 +3210,7 @@ default capabilities: app: gateway app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: gateway - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: gateway namespace: kubescape @@ -3338,7 +3336,7 @@ default capabilities: metadata: labels: app: gateway - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: gateway namespace: kubescape @@ -3416,7 +3414,7 @@ default capabilities: app: grype-offline-db app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: grype-offline-db - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane spec: affinity: null @@ -3599,7 +3597,7 @@ default capabilities: app: kollector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kollector - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane spec: affinity: null @@ -3965,7 +3963,7 @@ default capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: kubescape namespace: kubescape @@ -3993,7 +3991,7 @@ default capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: 
@@ -4220,7 +4218,7 @@ default capabilities: metadata: labels: app: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: kubescape namespace: kubescape @@ -4471,7 +4469,7 @@ default capabilities: app: kubevuln app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubevuln - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -4757,7 +4755,7 @@ default capabilities: app: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: node-agent - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -5013,7 +5011,7 @@ default capabilities: app: operator app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: operator - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -5298,7 +5296,7 @@ default capabilities: app: otel-collector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: otel-collector - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: otel-collector namespace: kubescape @@ -5381,7 +5379,7 @@ default capabilities: metadata: labels: app: otel-collector - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: otel-collector namespace: kubescape @@ -5457,7 +5455,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: service-discovery - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane name: RELEASE-NAME 
@@ -6024,7 +6022,7 @@ default capabilities: app: synchronizer app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: synchronizer - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -6146,7 +6144,7 @@ default capabilities: namespace: kubescape minimal capabilities: 1: | - raw: "Thank you for installing kubescape-operator version 1.17.2.\n\n\n\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" + raw: "Thank you for installing kubescape-operator version 1.17.3.\n\n\n\n\nView your image vulnerabilities scan summaries: \n> kubectl get vulnerabilitymanifestsummaries -A\n\nDetailed reports are also available: \n> kubectl get vulnerabilitymanifests -A\n\nkubescape-operator generates suggested network policies. To view them: \n> kubectl get generatednetworkpolicies -n \n\n" 2: | apiVersion: v1 data: @@ -6172,7 +6170,6 @@ minimal capabilities: "vulnScanURL": "kubevuln:8080", "kubevulnURL": "kubevuln:8080", "kubescapeURL": "kubescape:8080", - "triggerNewImageScan": "false", "clusterName": "kind-kind", "storage": true, "relevantImageVulnerabilitiesEnabled": true, @@ -6423,7 +6420,7 @@ minimal capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: kubescape namespace: kubescape @@ -6450,7 +6447,7 @@ minimal capabilities: app: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: 
@@ -6794,7 +6791,7 @@ minimal capabilities: app: kubevuln app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubevuln - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -7039,7 +7036,7 @@ minimal capabilities: app: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: node-agent - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -7286,7 +7283,7 @@ minimal capabilities: app: operator app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: operator - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 otel: enabled tier: ks-control-plane spec: @@ -7520,7 +7517,7 @@ minimal capabilities: app: otel-collector app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: otel-collector - helm.sh/chart: kubescape-operator-1.17.2 + helm.sh/chart: kubescape-operator-1.17.3 tier: ks-control-plane name: otel-collector namespace: kubescape diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index 15f07d35..583bbde5 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -23,8 +23,8 @@ capabilities: # ====== Runtime related capabilities ====== # - runtimeObservability: enable - networkPolicyService: enable + runtimeObservability: disable + networkPolicyService: disable # ====== Other capabilities ====== # @@ -67,9 +67,6 @@ cloudProviderMetadata: # -- GKE project gkeProject: -# -- enable/disable trigger image scan for new images -triggerNewImageScan: false - # Additional volumes applied to all containers volumes: [ ] @@ -186,7 +183,7 @@ kubescape: image: # -- source code: https://github.com/kubescape/kubescape/tree/master/httphandler (public repo) repository: quay.io/kubescape/kubescape - tag: v3.0.2 + tag: v3.0.3 pullPolicy: IfNotPresent resources: 
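Review bot: Flipping `runtimeObservability` and `networkPolicyService` from `enable` to `disable` changes the chart's default behaviour for anyone upgrading with unmodified values, and the hunk adds no comment explaining why or how to opt back in. A short note above the two keys would help, e.g. `# Runtime capabilities are off by default; set to "enable" to turn on node-agent runtime observability and generated network policies`. The post-install NOTES text captured in the snapshot, including the minimal-capabilities case, still tells users that the operator generates suggested network policies and to run `kubectl get generatednetworkpolicies`, so that paragraph may now need to be gated on the capability being enabled; the NOTES template itself is not in this diff, so I cannot confirm whether it already is. The README table in this same change only drops the `triggerNewImageScan` row and does not record the new defaults for these two capabilities.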
@@ -245,7 +242,7 @@ operator:
 image:
 # -- source code: https://github.com/kubescape/operator
 repository: quay.io/kubescape/operator
- tag: v0.1.70-hotfix
+ tag: v0.1.71
 pullPolicy: IfNotPresent
 service:
@@ -325,7 +322,7 @@ kubevuln:
 image:
 # -- source code: https://github.com/kubescape/kubevuln
 repository: quay.io/kubescape/kubevuln
- tag: v0.2.139
+ tag: v0.2.140
 pullPolicy: IfNotPresent
 replicaCount: 1
@@ -566,7 +563,7 @@ storage:
 replicaCount: 1
 image:
 repository: quay.io/kubescape/storage
- tag: v0.0.57
+ tag: v0.0.58
 pullPolicy: IfNotPresent