From af59d38e00fb91dc411b8676df8f1d643bfa3ab9 Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Tue, 24 Sep 2024 12:22:01 +0200 Subject: [PATCH] use application profile instead of sbomp for relevancy Signed-off-by: Matthias Bertschy --- .../templates/kubevuln/clusterrole.yaml | 2 +- .../templates/node-agent/clusterrole.yaml | 2 +- .../templates/operator/clusterrole.yaml | 2 +- .../__snapshot__/snapshot_test.yaml.snap | 68 +++++++++---------- charts/kubescape-operator/values.yaml | 18 ++--- 5 files changed, 44 insertions(+), 48 deletions(-) diff --git a/charts/kubescape-operator/templates/kubevuln/clusterrole.yaml b/charts/kubescape-operator/templates/kubevuln/clusterrole.yaml index eeac13c2..14403ea2 100644 --- a/charts/kubescape-operator/templates/kubevuln/clusterrole.yaml +++ b/charts/kubescape-operator/templates/kubevuln/clusterrole.yaml @@ -11,6 +11,6 @@ rules: resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "openvulnerabilityexchangecontainers", "sbomsyfts"] verbs: ["create", "get", "update", "watch", "list", "patch"] - apiGroups: ["spdx.softwarecomposition.kubescape.io"] - resources: ["sbomsyftfiltereds"] + resources: ["applicationprofiles"] verbs: ["get", "watch", "list"] {{- end }} diff --git a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml index 863a142d..e133c4ef 100644 --- a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml +++ b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml 
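Review bot: The new read-only rule on `applicationprofiles` (get/watch/list) is the right scope for kubevuln, but the template gives no hint why kubevuln, a vulnerability scanner, needs access to a runtime-learning resource, and the next reader will not know it replaced `sbomsyftfiltereds` for relevancy. A one-line YAML comment above the rule would carry that, e.g. `# relevancy: kubevuln reads application profiles (replaced sbomsyftfiltereds) and must never write them`. The enclosing `rules:` list starts outside the hunk, so whether any other entry still references the old resource cannot be seen here.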
@@ -23,7 +23,7 @@ rules: resources: ["sbomsyfts", "seccompprofiles"] verbs: ["get", "watch", "list"] - apiGroups: ["spdx.softwarecomposition.kubescape.io"] - resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyftfiltereds"] + resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods"] verbs: ["create", "get", "update", "watch", "list", "patch"] - apiGroups: ["kubescape.io"] resources: ["runtimerulealertbindings"] diff --git a/charts/kubescape-operator/templates/operator/clusterrole.yaml b/charts/kubescape-operator/templates/operator/clusterrole.yaml index 0cd43cf6..be825dfa 100644 --- a/charts/kubescape-operator/templates/operator/clusterrole.yaml +++ b/charts/kubescape-operator/templates/operator/clusterrole.yaml @@ -17,7 +17,7 @@ rules: resources: ["deployments", "daemonsets", "statefulsets", "replicasets"] verbs: ["get", "watch", "list"] - apiGroups: ["spdx.softwarecomposition.kubescape.io"] - resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries", "openvulnerabilityexchangecontainers", "sbomsyftfiltereds", "sbomsyfts"] + resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries", "openvulnerabilityexchangecontainers", "applicationprofiles", "sbomsyfts"] verbs: ["get", "watch", "list", "delete"] - apiGroups: ["kubescape.io"] resources: ["runtimerulealertbindings"] diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index c53dd280..eb861288 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap 
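Review bot: In the operator clusterrole hunk, `applicationprofiles` is appended to the rule whose verbs include `delete`, so the operator can now delete the profiles that node-agent learns (the other hunk in this file grants node-agent create/update/patch on them). If the operator only reads profiles for relevancy, that is wider than needed; if its cleanup path is meant to delete them, the intent should at least be stated. A narrower form is a separate entry `- apiGroups: ["spdx.softwarecomposition.kubescape.io"]` / `resources: ["applicationprofiles"]` / `verbs: ["get", "watch", "list"]`, leaving the delete rule as it was. The node-agent hunk is a pure removal of `sbomsyftfiltereds` and raises nothing. Both `rules:` lists start outside their hunks.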
@@ -2204,7 +2204,7 @@ all capabilities: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyftfiltereds + - applicationprofiles verbs: - get - watch @@ -2313,8 +2313,8 @@ all capabilities: value: https://foo:bar@baz:1234 - name: no_proxy value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz - image: quay.io/kubescape/kubevuln:v0.3.33 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -2592,7 +2592,6 @@ all capabilities: - applicationprofiles - networkneighborses - networkneighborhoods - - sbomsyftfiltereds verbs: - create - get @@ -2825,8 +2824,8 @@ all capabilities: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.141 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -3274,7 +3273,7 @@ all capabilities: - workloadconfigurationscans - workloadconfigurationscansummaries - openvulnerabilityexchangecontainers - - sbomsyftfiltereds + - applicationprofiles - sbomsyfts verbs: - get @@ -3430,8 +3429,8 @@ all capabilities: value: https://foo:bar@baz:1234 - name: no_proxy value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz - image: quay.io/kubescape/operator:v0.2.32 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -7707,7 +7706,7 @@ default capabilities: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyftfiltereds + - applicationprofiles verbs: - get - watch 
@@ -7812,8 +7811,8 @@ default capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4317 - image: quay.io/kubescape/kubevuln:v0.3.33 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -8053,7 +8052,6 @@ default capabilities: - applicationprofiles - networkneighborses - networkneighborhoods - - sbomsyftfiltereds verbs: - create - get @@ -8217,8 +8215,8 @@ default capabilities: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.141 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -8543,7 +8541,7 @@ default capabilities: - workloadconfigurationscans - workloadconfigurationscansummaries - openvulnerabilityexchangecontainers - - sbomsyftfiltereds + - applicationprofiles - sbomsyfts verbs: - get @@ -8695,8 +8693,8 @@ default capabilities: value: zap - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/operator:v0.2.32 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -12117,7 +12115,7 @@ disable otel: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyftfiltereds + - applicationprofiles verbs: - get - watch @@ -12221,8 +12219,8 @@ disable otel: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4317 - image: quay.io/kubescape/kubevuln:v0.3.33 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -12400,7 +12398,6 @@ disable otel: - applicationprofiles - networkneighborses - networkneighborhoods - - sbomsyftfiltereds verbs: - create - get 
@@ -12563,8 +12560,8 @@ disable otel: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.141 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -12781,7 +12778,7 @@ disable otel: - workloadconfigurationscans - workloadconfigurationscansummaries - openvulnerabilityexchangecontainers - - sbomsyftfiltereds + - applicationprofiles - sbomsyfts verbs: - get @@ -12932,8 +12929,8 @@ disable otel: value: zap - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/operator:v0.2.32 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -15497,7 +15494,7 @@ minimal capabilities: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyftfiltereds + - applicationprofiles verbs: - get - watch @@ -15601,8 +15598,8 @@ minimal capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4317 - image: quay.io/kubescape/kubevuln:v0.3.33 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -15778,7 +15775,6 @@ minimal capabilities: - applicationprofiles - networkneighborses - networkneighborhoods - - sbomsyftfiltereds verbs: - create - get @@ -15940,8 +15936,8 @@ minimal capabilities: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.141 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -16156,7 +16152,7 @@ minimal capabilities: - workloadconfigurationscans - workloadconfigurationscansummaries - openvulnerabilityexchangecontainers - - sbomsyftfiltereds + - applicationprofiles - sbomsyfts verbs: - get 
@@ -16306,8 +16302,8 @@ minimal capabilities: value: zap - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/operator:v0.2.32 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:appprofile + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index 863e36ee..a96457d6 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -272,9 +272,9 @@ operator: image: # -- source code: https://github.com/kubescape/operator - repository: quay.io/kubescape/operator - tag: v0.2.32 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/operator + tag: appprofile + pullPolicy: Always service: type: ClusterIP @@ -317,9 +317,9 @@ kubevuln: image: # -- source code: https://github.com/kubescape/kubevuln - repository: quay.io/kubescape/kubevuln - tag: v0.3.33 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/kubevuln + tag: appprofile + pullPolicy: Always replicaCount: 1 @@ -504,9 +504,9 @@ nodeAgent: name: node-agent image: # -- source code: https://github.com/kubescape/node-agent - repository: quay.io/kubescape/node-agent - tag: v0.2.141 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/node-agent + tag: appprofile + pullPolicy: Always config: maxLearningPeriod: 24h # duration string
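Review bot: All three values.yaml hunks change the chart's default images from the project registry with pinned version tags to a personal namespace (`quay.io/matthiasb_1/...`) with the mutable tag `appprofile` and `pullPolicy: Always`, so every install and every pod restart pulls whatever that account last pushed, with no way to pin or reproduce what ran; the snapshot hunks above record the same images. This looks like a development build carried into the commit rather than a deliberate release, and it should not ship as the chart default. Until released images exist, the operator stanza should read `repository: quay.io/kubescape/operator` / `tag: v0.2.32` / `pullPolicy: IfNotPresent`, and likewise for kubevuln (`v0.3.33`) and node-agent (`v0.2.141`); when the real release lands, an immutable tag or a digest is the safer pin. The `nodeAgent.config` stanza that follows continues outside the hunk.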