diff --git a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml index 33183b7a..6b8ec203 100644 --- a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml +++ b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml @@ -23,10 +23,10 @@ rules: resources: ["deployments", "daemonsets", "statefulsets", "replicasets"] verbs: ["get", "watch", "list"] - apiGroups: ["spdx.softwarecomposition.kubescape.io"] - resources: ["sbomsyfts", "seccompprofiles"] + resources: ["seccompprofiles"] verbs: ["get", "watch", "list"] - apiGroups: ["spdx.softwarecomposition.kubescape.io"] - resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyftfiltereds"] + resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyfts", "sbomsyftfiltereds"] verbs: ["create", "get", "update", "watch", "list", "patch"] - apiGroups: ["kubescape.io"] resources: ["runtimerulealertbindings"] diff --git a/charts/kubescape-operator/templates/node-agent/configmap.yaml b/charts/kubescape-operator/templates/node-agent/configmap.yaml index b49d1397..3cf94c7d 100644 --- a/charts/kubescape-operator/templates/node-agent/configmap.yaml +++ b/charts/kubescape-operator/templates/node-agent/configmap.yaml @@ -26,6 +26,7 @@ data: "networkServiceEnabled": {{ eq .Values.capabilities.networkPolicyService "enable" }}, "malwareDetectionEnabled": {{ eq .Values.capabilities.malwareDetection "enable" }}, "nodeProfileServiceEnabled": {{ eq .Values.capabilities.nodeProfileService "enable" }}, + "sbomGenerationEnabled": true, "seccompServiceEnabled": {{ eq .Values.capabilities.seccompProfileService "enable" }}, "initialDelay": "{{ .Values.nodeAgent.config.learningPeriod }}", "updateDataPeriod": "{{ .Values.nodeAgent.config.updatePeriod }}", 
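Review bot: Moving `sbomsyfts` into the second `spdx.softwarecomposition.kubescape.io` rule gives the node-agent ClusterRole `create`, `update` and `patch` on SBOM objects, where it previously had only `get`, `watch` and `list`, and the grant is unconditional. If SBOM generation is meant to be optional, wrap the write grant in the same condition, so that an agent which does not generate SBOMs keeps read-only access. A comment above the rule would also help, for example `# node-agent writes sbomsyfts only when SBOM generation is enabled`. Since the agent presumably runs on every node, it is worth confirming that consumers of these objects tolerate any single node's agent being able to overwrite them. The `rules:` list starts and continues outside this hunk.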
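Review bot: `"sbomGenerationEnabled": true,` is hard-coded, while every neighbouring flag in this block is rendered from `.Values.capabilities.*` with `eq ... "enable"`, so SBOM generation on the node agent cannot be turned off through chart values. Render it the same way, e.g. `"sbomGenerationEnabled": {{ eq .Values.capabilities.<SBOM_CAPABILITY_KEY> "enable" }},` (the key name is a placeholder, since this diff adds no values entry), and document its default in values.yaml. The enclosing config document starts and ends outside the hunk.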
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index 46e44f07..41452205 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap @@ -2357,8 +2357,8 @@ all capabilities: value: https://foo:bar@baz:1234 - name: no_proxy value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz - image: quay.io/kubescape/kubevuln:v0.3.36 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -2637,7 +2637,6 @@ all capabilities: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyfts - seccompprofiles verbs: - get @@ -2650,6 +2649,7 @@ all capabilities: - applicationprofiles - networkneighborses - networkneighborhoods + - sbomsyfts - sbomsyftfiltereds verbs: - create @@ -2727,6 +2727,7 @@ all capabilities: "networkServiceEnabled": true, "malwareDetectionEnabled": true, "nodeProfileServiceEnabled": true, + "sbomGenerationEnabled": true, "seccompServiceEnabled": true, "initialDelay": "2m", "updateDataPeriod": "10m", @@ -2820,7 +2821,7 @@ all capabilities: annotations: checksum/cloud-config: e676e6d4282e48cde90d56356ebe417818278b5a260941f00176a2c064b77eb6 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 - checksum/node-agent-config: 0d6d395a60e006df95e7955f15a6d0b0889ec2a60b815ab1ef8b13fd60d631c0 + checksum/node-agent-config: 3fbd133967aed7b57cea303967a2d1f56bdfcd954963c0dd19c27e40156ab151 checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: 
@@ -2910,8 +2911,8 @@ all capabilities: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.167 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -3531,8 +3532,8 @@ all capabilities: value: https://foo:bar@baz:1234 - name: no_proxy value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz - image: quay.io/kubescape/operator:v0.2.34 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -5105,8 +5106,8 @@ all capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4317 - image: quay.io/kubescape/storage:v0.0.127 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/storage:sbom + imagePullPolicy: Always livenessProbe: tcpSocket: port: 8443 @@ -8149,8 +8150,8 @@ default capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/kubevuln:v0.3.36 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -8391,7 +8392,6 @@ default capabilities: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyfts - seccompprofiles verbs: - get @@ -8404,6 +8404,7 @@ default capabilities: - applicationprofiles - networkneighborses - networkneighborhoods + - sbomsyfts - sbomsyftfiltereds verbs: - create @@ -8481,6 +8482,7 @@ default capabilities: "networkServiceEnabled": true, "malwareDetectionEnabled": false, "nodeProfileServiceEnabled": false, + "sbomGenerationEnabled": true, "seccompServiceEnabled": true, "initialDelay": "2m", "updateDataPeriod": "10m", 
@@ -8537,7 +8539,7 @@ default capabilities: annotations: checksum/cloud-config: f753b01d880e21ddc33cef3935d2ff4d41d12899432962a5a9b5dfda91d2c8d9 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 - checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28 + checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f checksum/proxy-config: 3669c08e51ef779cd00a107f19592b34195c3ebdb60bedaf8ebf1491a3f2a747 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: @@ -8594,8 +8596,8 @@ default capabilities: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.167 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -9083,8 +9085,8 @@ default capabilities: value: zap - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/operator:v0.2.34 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -10309,8 +10311,8 @@ default capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4317 - image: quay.io/kubescape/storage:v0.0.127 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/storage:sbom + imagePullPolicy: Always livenessProbe: tcpSocket: port: 8443 @@ -12729,8 +12731,8 @@ disable otel: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/kubevuln:v0.3.36 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -12905,7 +12907,6 @@ disable otel: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyfts - seccompprofiles verbs: - get 
@@ -12918,6 +12919,7 @@ disable otel: - applicationprofiles - networkneighborses - networkneighborhoods + - sbomsyfts - sbomsyftfiltereds verbs: - create @@ -12995,6 +12997,7 @@ disable otel: "networkServiceEnabled": true, "malwareDetectionEnabled": false, "nodeProfileServiceEnabled": false, + "sbomGenerationEnabled": true, "seccompServiceEnabled": true, "initialDelay": "2m", "updateDataPeriod": "10m", @@ -13051,7 +13054,7 @@ disable otel: annotations: checksum/cloud-config: d568e07a1bb2d6f372ab0e5a3fb91bd018b05433558890eb621af5234dd7c8c4 checksum/cloud-secret: cf2e73d4ff0ce943730b3ed5bd4740f0bd8c4386e5843870f51c302b41df8da9 - checksum/node-agent-config: 95e1b4e2bce876798692fff5f095ad335541e59f48a337c09aa74c7847958c28 + checksum/node-agent-config: 075aa19c8d3f25faf13dae740d6a53e03064ecf8782a8af9951b786426db367f container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: app: node-agent @@ -13107,8 +13110,8 @@ disable otel: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.167 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -13476,8 +13479,8 @@ disable otel: value: zap - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/operator:v0.2.34 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -14557,8 +14560,8 @@ disable otel: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4317 - image: quay.io/kubescape/storage:v0.0.127 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/storage:sbom + imagePullPolicy: Always livenessProbe: tcpSocket: port: 8443 
@@ -16233,8 +16236,8 @@ minimal capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/kubevuln:v0.3.36 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/kubevuln:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness @@ -16407,7 +16410,6 @@ minimal capabilities: - apiGroups: - spdx.softwarecomposition.kubescape.io resources: - - sbomsyfts - seccompprofiles verbs: - get @@ -16420,6 +16422,7 @@ minimal capabilities: - applicationprofiles - networkneighborses - networkneighborhoods + - sbomsyfts - sbomsyftfiltereds verbs: - create @@ -16497,6 +16500,7 @@ minimal capabilities: "networkServiceEnabled": true, "malwareDetectionEnabled": false, "nodeProfileServiceEnabled": false, + "sbomGenerationEnabled": true, "seccompServiceEnabled": true, "initialDelay": "2m", "updateDataPeriod": "10m", @@ -16552,7 +16556,7 @@ minimal capabilities: annotations: checksum/cloud-config: f5eda48aecb77a239b89ba75d2c49d92ad3c48f7f2b2951deca9e77052f7c00c checksum/cloud-secret: f1356b6dba8ba4a01197f4030346928c33c7dab7b123a2aecaffb0630352929c - checksum/node-agent-config: c210b0875265f4d1cc5217e0f754632e9c3ce74bec5ba28929706deddb3c425d + checksum/node-agent-config: bea5ad88e2dc905f4e4b69bbd2531070c1fe86df0933448c1a2378473a0d39fd container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: app: node-agent @@ -16608,8 +16612,8 @@ minimal capabilities: fieldRef: fieldPath: metadata.namespace - name: NodeName - image: quay.io/kubescape/node-agent:v0.2.167 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/node-agent:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /livez @@ -16974,8 +16978,8 @@ minimal capabilities: value: zap - name: OTEL_COLLECTOR_SVC value: otel-collector:4318 - image: quay.io/kubescape/operator:v0.2.34 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/operator:sbom + imagePullPolicy: Always livenessProbe: httpGet: path: /v1/liveness 
@@ -17825,8 +17829,8 @@ minimal capabilities: name: cloud-secret - name: OTEL_COLLECTOR_SVC value: otel-collector:4317 - image: quay.io/kubescape/storage:v0.0.127 - imagePullPolicy: IfNotPresent + image: quay.io/matthiasb_1/storage:sbom + imagePullPolicy: Always livenessProbe: tcpSocket: port: 8443 diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index 1c5b7f88..49f130af 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -273,9 +273,9 @@ operator: image: # -- source code: https://github.com/kubescape/operator - repository: quay.io/kubescape/operator - tag: v0.2.34 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/operator + tag: sbom + pullPolicy: Always service: type: ClusterIP @@ -318,9 +318,9 @@ kubevuln: image: # -- source code: https://github.com/kubescape/kubevuln - repository: quay.io/kubescape/kubevuln - tag: v0.3.36 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/kubevuln + tag: sbom + pullPolicy: Always replicaCount: 1 @@ -481,9 +481,9 @@ storage: image: # -- source code: https://github.com/kubescape/storage - repository: quay.io/kubescape/storage - tag: v0.0.127 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/storage + tag: sbom + pullPolicy: Always # cleanup interval is a duration string cleanupInterval: "6h" @@ -505,9 +505,9 @@ nodeAgent: name: node-agent image: # -- source code: https://github.com/kubescape/node-agent - repository: quay.io/kubescape/node-agent - tag: v0.2.167 - pullPolicy: IfNotPresent + repository: quay.io/matthiasb_1/node-agent + tag: sbom + pullPolicy: Always config: maxLearningPeriod: 24h # duration string
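Review bot: The `operator` image block in values.yaml now defaults to `quay.io/matthiasb_1/operator` with the mutable tag `sbom` and `pullPolicy: Always`, replacing `quay.io/kubescape/operator` at a fixed version tag; the `kubevuln:`, `storage:` and `nodeAgent:` hunks make the same change. With these defaults every pod start pulls whatever is currently published under that tag in a personal registry namespace, so the deployed code is neither reproducible nor tied to a reviewed release. One of the affected workloads is the node-agent, which the snapshot shows annotated with AppArmor `unconfined`. This looks like a development override that should not ship as chart defaults: restore the `quay.io/kubescape/*` repositories with released version tags and `pullPolicy: IfNotPresent` (ideally pinned by digest), and supply test images through `--set` or a local values file instead. The snapshot file would then need regenerating.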