generate sbom locally on node-agent
Signed-off-by: Matthias Bertschy <[email protected]>
matthyx committed Nov 1, 2024
1 parent f13445e commit b978a5c
Showing 4 changed files with 59 additions and 54 deletions.
Expand Up @@ -23,10 +23,10 @@ rules:
resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["sbomsyfts", "seccompprofiles"]
resources: ["seccompprofiles"]
verbs: ["get", "watch", "list"]
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyftfiltereds"]
resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyfts", "sbomsyftfiltereds"]
verbs: ["create", "get", "update", "watch", "list", "patch"]
- apiGroups: ["kubescape.io"]
resources: ["runtimerulealertbindings"]
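Review bot: The rewritten rule grants node-agent create/update/patch on `sbomsyfts` (the line listing `"sbomsyfts", "sbomsyftfiltereds"` with the six-verb list), where the previous rule gave it only get/watch/list, and nothing in the chart records why the write access is needed. A comment above that rule, `# sbomsyfts: written by node-agent, which now generates SBOMs locally`, would keep the widened grant visible to the next RBAC review. If kubevuln retains its own write access to sbomsyfts after this change, that grant presumably becomes redundant and could be narrowed, but that is not visible from this hunk. The `rules:` list starts above the hunk.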
Expand Up @@ -26,6 +26,7 @@ data:
"networkServiceEnabled": {{ eq .Values.capabilities.networkPolicyService "enable" }},
"malwareDetectionEnabled": {{ eq .Values.capabilities.malwareDetection "enable" }},
"nodeProfileServiceEnabled": {{ eq .Values.capabilities.nodeProfileService "enable" }},
"sbomGenerationEnabled": true,
"seccompServiceEnabled": {{ eq .Values.capabilities.seccompProfileService "enable" }},
"initialDelay": "{{ .Values.nodeAgent.config.learningPeriod }}",
"updateDataPeriod": "{{ .Values.nodeAgent.config.updatePeriod }}",
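Review bot: `"sbomGenerationEnabled": true,` is the only entry in this block that is hard-coded; every sibling flag is derived from a `.Values.capabilities.*` switch, so there is no way to turn local SBOM generation off without editing the template. Unless the feature is meant to be unconditional, wire it to a values key in the same style, e.g. `"sbomGenerationEnabled": {{ eq .Values.capabilities.sbomGeneration "enable" }},` (the key name is a placeholder, since this commit adds none to values.yaml), and document its default next to the other capabilities. The `data:` block continues outside the hunk.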
Expand Up @@ -2357,8 +2357,8 @@ all capabilities:
value: https://foo:bar@baz:1234
- name: no_proxy
value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
image: quay.io/kubescape/kubevuln:v0.3.36
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -2637,7 +2637,6 @@ all capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -2650,6 +2649,7 @@ all capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -2727,6 +2727,7 @@ all capabilities:
"networkServiceEnabled": true,
"malwareDetectionEnabled": true,
"nodeProfileServiceEnabled": true,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -2820,7 +2821,7 @@ all capabilities:
annotations:
checksum/cloud-config: e676e6d4282e48cde90d56356ebe417818278b5a260941f00176a2c064b77eb6
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: 0d6d395a60e006df95e7955f15a6d0b0889ec2a60b815ab1ef8b13fd60d631c0
checksum/node-agent-config: 3fbd133967aed7b57cea303967a2d1f56bdfcd954963c0dd19c27e40156ab151
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
Expand Down Expand Up @@ -2910,8 +2911,8 @@ all capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.167
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -3531,8 +3532,8 @@ all capabilities:
value: https://foo:bar@baz:1234
- name: no_proxy
value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
image: quay.io/kubescape/operator:v0.2.34
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -5105,8 +5106,8 @@ all capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.127
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/storage:sbom
imagePullPolicy: Always
livenessProbe:
tcpSocket:
port: 8443
Expand Down Expand Up @@ -8149,8 +8150,8 @@ default capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.36
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -8391,7 +8392,6 @@ default capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -8404,6 +8404,7 @@ default capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -8481,6 +8482,7 @@ default capabilities:
"networkServiceEnabled": true,
"malwareDetectionEnabled": false,
"nodeProfileServiceEnabled": false,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -8537,7 +8539,7 @@ default capabilities:
annotations:
checksum/cloud-config: f753b01d880e21ddc33cef3935d2ff4d41d12899432962a5a9b5dfda91d2c8d9
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28
checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f
checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
Expand Down Expand Up @@ -8594,8 +8596,8 @@ default capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.167
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -9083,8 +9085,8 @@ default capabilities:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.34
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -10309,8 +10311,8 @@ default capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.127
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/storage:sbom
imagePullPolicy: Always
livenessProbe:
tcpSocket:
port: 8443
Expand Down Expand Up @@ -12729,8 +12731,8 @@ disable otel:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.36
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -12905,7 +12907,6 @@ disable otel:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -12918,6 +12919,7 @@ disable otel:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -12995,6 +12997,7 @@ disable otel:
"networkServiceEnabled": true,
"malwareDetectionEnabled": false,
"nodeProfileServiceEnabled": false,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -13051,7 +13054,7 @@ disable otel:
annotations:
checksum/cloud-config: d568e07a1bb2d6f372ab0e5a3fb91bd018b05433558890eb621af5234dd7c8c4
checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9
checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28
checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
app: node-agent
Expand Down Expand Up @@ -13107,8 +13110,8 @@ disable otel:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.167
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -13476,8 +13479,8 @@ disable otel:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.34
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -14557,8 +14560,8 @@ disable otel:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.127
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/storage:sbom
imagePullPolicy: Always
livenessProbe:
tcpSocket:
port: 8443
Expand Down Expand Up @@ -16233,8 +16236,8 @@ minimal capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/kubevuln:v0.3.36
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -16407,7 +16410,6 @@ minimal capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyfts
- seccompprofiles
verbs:
- get
Expand All @@ -16420,6 +16422,7 @@ minimal capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyfts
- sbomsyftfiltereds
verbs:
- create
Expand Down Expand Up @@ -16497,6 +16500,7 @@ minimal capabilities:
"networkServiceEnabled": true,
"malwareDetectionEnabled": false,
"nodeProfileServiceEnabled": false,
"sbomGenerationEnabled": true,
"seccompServiceEnabled": true,
"initialDelay": "2m",
"updateDataPeriod": "10m",
Expand Down Expand Up @@ -16552,7 +16556,7 @@ minimal capabilities:
annotations:
checksum/cloud-config: f5eda48aecb77a239b89ba75d2c49d92ad3c48f7f2b2951deca9e77052f7c00c
checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c
checksum/node-agent-config: c210b0875265f4d1cc5217e0f754632e9c3ce74bec5ba28929706deddb3c425d
checksum/node-agent-config: bea5ad88e2dc905f4e4b69bbd2531070c1fe86df0933448c1a2378473a0d39fd
container.apparmor.security.beta.kubernetes.io/node-agent: unconfined
labels:
app: node-agent
Expand Down Expand Up @@ -16608,8 +16612,8 @@ minimal capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.167
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -16974,8 +16978,8 @@ minimal capabilities:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.34
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:sbom
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -17825,8 +17829,8 @@ minimal capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.127
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/storage:sbom
imagePullPolicy: Always
livenessProbe:
tcpSocket:
port: 8443
24 changes: 12 additions & 12 deletions charts/kubescape-operator/values.yaml
Expand Up @@ -273,9 +273,9 @@ operator:

image:
# -- source code: https://github.com/kubescape/operator
repository: quay.io/kubescape/operator
tag: v0.2.34
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/operator
tag: sbom
pullPolicy: Always

service:
type: ClusterIP
Expand Down Expand Up @@ -318,9 +318,9 @@ kubevuln:

image:
# -- source code: https://github.com/kubescape/kubevuln
repository: quay.io/kubescape/kubevuln
tag: v0.3.36
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/kubevuln
tag: sbom
pullPolicy: Always

replicaCount: 1

Expand Down Expand Up @@ -481,9 +481,9 @@ storage:

image:
# -- source code: https://github.com/kubescape/storage
repository: quay.io/kubescape/storage
tag: v0.0.127
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/storage
tag: sbom
pullPolicy: Always

# cleanup interval is a duration string
cleanupInterval: "6h"
Expand All @@ -505,9 +505,9 @@ nodeAgent:
name: node-agent
image:
# -- source code: https://github.com/kubescape/node-agent
repository: quay.io/kubescape/node-agent
tag: v0.2.167
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/node-agent
tag: sbom
pullPolicy: Always

config:
maxLearningPeriod: 24h # duration string
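Review bot: The chart defaults for operator, kubevuln, storage and node-agent now point at `quay.io/matthiasb_1/*` with the floating tag `sbom` and `pullPolicy: Always`, replacing the pinned `quay.io/kubescape/*` release tags in all four hunks of this file. Anyone installing from this revision pulls images from a personal namespace whose contents can change under a running deployment, and the `# -- source code: https://github.com/kubescape/...` comment above each block no longer matches the repository it annotates. If this is a development build, keep it out of the default values (pass the overrides at install time) and restore `repository: quay.io/kubescape/operator`, `tag: v0.2.34`, `pullPolicy: IfNotPresent` and the matching values for the other three components before merge; the same images are baked into the snapshot file in the third section. Each `image:` block sits inside a component mapping that continues outside the hunk.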
