diff --git a/.github/workflows/02-e2e-test.yaml b/.github/workflows/02-e2e-test.yaml index 2734e314..d1346016 100644 --- a/.github/workflows/02-e2e-test.yaml +++ b/.github/workflows/02-e2e-test.yaml @@ -1,11 +1,16 @@ name: 02-E2E Test helm chart on: - # workflow_dispatch: - # inputs: - # HELM_E2E_TEST: - # required: true - # default: true - # type: boolean + workflow_dispatch: + inputs: + BRANCH: + description: 'helm chart branch name' + required: false + default: 'dev' + type: string + HELM_E2E_TEST: + required: false + default: true + type: boolean workflow_call: inputs: @@ -13,7 +18,11 @@ on: required: true default: true type: boolean - + BRANCH: + required: false + default: 'dev' + type: string + description: 'helm chart branch name' jobs: e2e-test: @@ -65,7 +74,6 @@ jobs: uses: actions/checkout@v3 with: repository: armosec/system-tests - ref: relevancy path: . - uses: actions/setup-python@v4 @@ -108,7 +116,7 @@ jobs: -b production \ -c CyberArmorTests \ --logger DEBUG \ - --kwargs helm_branch=dev + --kwargs helm_branch=${{ inputs.BRANCH }} deactivate diff --git a/.github/workflows/inspektor-trigger-e2e-tests.yaml b/.github/workflows/inspektor-trigger-e2e-tests.yaml new file mode 100644 index 00000000..dd567ea9 --- /dev/null +++ b/.github/workflows/inspektor-trigger-e2e-tests.yaml @@ -0,0 +1,14 @@ +name: inspektor-e2e-tests + +on: + push: + branches: + - inspektor + +jobs: + call-e2e-tests: + uses: ./.github/workflows/relevancy-e2e-test.yaml + with: + BRANCH: "inspektor" + secrets: inherit + \ No newline at end of file diff --git a/.github/workflows/relevancy-e2e-test.yaml b/.github/workflows/relevancy-e2e-test.yaml index df599d4b..c0024e20 100644 --- a/.github/workflows/relevancy-e2e-test.yaml +++ b/.github/workflows/relevancy-e2e-test.yaml 
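Review bot: Removing `ref: relevancy` leaves the `armosec/system-tests` checkout unpinned, so each run executes whatever is on that repository's default branch at the time, and the scripts from that checkout (the test runner invoked in the next hunk, `./create_env.sh` in the sibling workflow) run with this job's secrets. Pin the checkout to a commit SHA, or at least to an explicit branch the chart is meant to track, e.g. `ref: <commit-sha>  # system-tests main; bump deliberately`. If following the default branch is intended, a comment saying so would make the choice reviewable instead of looking like an accidental deletion.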
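Review bot: `--kwargs helm_branch=${{ inputs.BRANCH }}` expands the input straight into the shell script, so a branch name containing quotes, `;` or `$(...)` is executed rather than passed as an argument. Route the input through an environment variable that the shell quotes: add `env: HELM_BRANCH: ${{ inputs.BRANCH }}` on the step and use `--kwargs helm_branch="$HELM_BRANCH"`. Today only people who can dispatch or call the workflow control the value, but a caller that derives BRANCH from `github.head_ref` (as the deleted relevancy-push.yaml did) would turn this into a classic script injection. The `run:` step starts before this hunk.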
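Review bot: `secrets: inherit` hands every repository secret to the reusable workflow, which (per the relevancy-e2e-test hunks below) checks out `armosec/system-tests` without a pinned ref and runs its scripts; pass only the secrets the E2E job needs by name, or pin that checkout before granting this breadth. The branch is hard-coded as `BRANCH: "inspektor"` while the trigger is `branches: [inspektor]`; `BRANCH: ${{ github.ref_name }}` keeps the two from drifting if the branch is renamed. The file also ends in a whitespace-only line with no trailing newline (`\ No newline at end of file`), which yamllint will flag.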
@@ -1,12 +1,21 @@ -name: relevancy-tests branch E2E tests - +name: Relevancy E2E tests on: + workflow_dispatch: + inputs: + BRANCH: + description: 'helm chart branch name' + required: false + default: 'main' + type: string + workflow_call: inputs: BRANCH: - required: true + required: false + default: 'main' type: string + description: 'helm chart branch name' jobs: e2e-test: @@ -14,34 +23,20 @@ jobs: fail-fast: false matrix: test: [ - vulnerability_scanning, - vulnerability_scanning_trigger_scan_on_new_image, - vulnerability_scanning_trigger_scan_public_registry, - vulnerability_scanning_trigger_scan_public_registry_excluded, - vulnerability_scanning_trigger_scan_private_quay_registry, - vulnerability_scanning_triggering_with_cron_job, - registry_scanning_triggering_with_cron_job, - ks_microservice_ns_creation, - ks_microservice_on_demand, - ks_microservice_mitre_framework_on_demand, - ks_microservice_nsa_and_mitre_framework_demand, - ks_microservice_triggering_with_cron_job, - ks_microservice_update_cronjob_schedule, - ks_microservice_delete_cronjob, - ks_microservice_create_2_cronjob_mitre_and_nsa, - scan_compliance_score, - vulnerability_scanning_cve_exceptions, - vulnerability_scanning_test_public_registry_connectivity_by_backend, - vulnerability_scanning_test_public_registry_connectivity_excluded_by_backend, - relevantCVEs, - relevancy_disabled_installation, - relevancy_enabled_stop_sniffing, - relevant_data_is_appended, - relevancy_large_image, - relevancy_extra_large_image, - relevancy_storage_disabled, - relevancy_fix_vuln - ] + relevantCVEs, + relevancy_disabled_installation, + relevancy_storage_disabled, + relevancy_enabled_stop_sniffing, + relevant_data_is_appended, + relevancy_large_image, + relevancy_extra_large_image, + relevancy_fix_vuln, + relevancy_python, + relevancy_golang, + relevancy_java, + relevancy_java_and_python, + relevancy_golang_dynamic + ] runs-on: ubuntu-latest steps: 
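Review bot: `BRANCH` now defaults to `'main'` here while the same input in 02-e2e-test.yaml defaults to `'dev'`, so a caller that omits the input gets a different helm chart branch depending on which reusable workflow it invokes. Pick one default for both workflows (or keep the input `required: true` for `workflow_call`, as it was) and state it in the description, e.g. `description: 'helm chart branch name (default: main)'`. How BRANCH is consumed inside this workflow is outside the visible hunks.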
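Review bot: The matrix drops the vulnerability_scanning*, registry_scanning*, ks_microservice* and scan_compliance_score entries and nothing else in this diff picks them up, so unless 02-e2e-test.yaml already runs them this is a silent loss of E2E coverage for the chart; the commit message should say where they went. If the split is intentional, a comment above `test: [` naming the other suite keeps the next reader from re-adding them, e.g. `# relevancy suite only; the vulnerability/ks_microservice tests live in 02-e2e-test.yaml` (adjust to wherever they actually run).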
@@ -54,7 +49,6 @@ jobs: uses: actions/checkout@v3 with: repository: armosec/system-tests - ref: relevancy path: . - uses: actions/setup-python@v4 @@ -66,7 +60,6 @@ jobs: - name: create env run: ./create_env.sh - - name: Generate uuid id: uuid run: | diff --git a/.github/workflows/relevancy-helm-release.yaml b/.github/workflows/relevancy-helm-release.yaml deleted file mode 100644 index 2a8f14cc..00000000 --- a/.github/workflows/relevancy-helm-release.yaml +++ /dev/null @@ -1,55 +0,0 @@ -name: relevancy-helm-release - -on: - push: - paths: - - 'charts/kubescape-cloud-operator/Chart.yaml' - branches: [ relevancy ] - -jobs: - # e2e-test: - # uses: ./.github/workflows/relevancy-e2e-test.yaml - # with: - # BRANCH: relevancy - # secrets: inherit - - helm-chart-release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: get latest commit sha - id: commit-ref - run: echo "COMMIT_REF=$(git log --oneline | head -n1 | awk {'print $1}')" >> $GITHUB_OUTPUT - - - name: echo commit ref - run: echo ${{ steps.commit-ref.outputs.COMMIT_REF }} - - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - - name: git checkout to new commit - run: git checkout ${{ steps.commit-ref.outputs.COMMIT_REF }} - - - name: Install Helm - uses: azure/setup-helm@v3.5 - - - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.4.1 - with: - charts_dir: "charts" - # charts_repo_url: xxxxxx - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - e2e-test: - uses: ./.github/workflows/relevancy-e2e-test.yaml - with: - BRANCH: relevancy - secrets: inherit diff --git a/.github/workflows/relevancy-push.yaml b/.github/workflows/relevancy-push.yaml deleted file mode 100644 index edd77694..00000000 --- a/.github/workflows/relevancy-push.yaml +++ /dev/null 
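Review bot: Same unpinned checkout as in 02-e2e-test.yaml: with `ref: relevancy` gone, `armosec/system-tests` is fetched at its default branch and `./create_env.sh` from that checkout runs in the following hunk with the secrets the callers inherit. Pin the ref to a commit SHA (`ref: <commit-sha>`) or an explicit branch, and note in a comment which branch the chart is expected to track.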
@@ -1,37 +0,0 @@ -name: relevancy-helm-release - -on: - pull_request: - branches: - - relevancy - -jobs: - which_branch: - runs-on: ubuntu-latest - outputs: - branch_name: ${{ steps.extract_branch.outputs.branch_name }} - steps: - # extract branch name - - name: Extract branch name - id: extract_branch - run: | - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "branch_name=${{ github.head_ref }}" >> $GITHUB_ENV - echo "branch_name=${{ github.head_ref }}" >> $GITHUB_OUTPUT - else - BRANCH_NAME="${{ github.ref }}" - BRANCH_NAME=${BRANCH_NAME#refs/heads/} - echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV - echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT - fi - echo "::set-output name=branch_name::$(echo $BRANCH_NAME)" - - - name: Print branch name - run: echo "${{ steps.extract_branch.outputs.branch_name }}" - - e2e-test: - needs: which_branch - uses: ./.github/workflows/relevancy-e2e-test.yaml - with: - BRANCH: "${{ needs.which_branch.outputs.branch_name }}" - secrets: inherit diff --git a/charts/kubescape-cloud-operator/Chart.yaml b/charts/kubescape-cloud-operator/Chart.yaml index 9ff53475..fa9007eb 100644 --- a/charts/kubescape-cloud-operator/Chart.yaml +++ b/charts/kubescape-cloud-operator/Chart.yaml @@ -9,14 +9,14 @@ type: application # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.13.7 +version: 1.14.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: 1.13.7 +appVersion: 1.14.0 maintainers: - name: Ben Hirschberg diff --git a/charts/kubescape-cloud-operator/README.md b/charts/kubescape-cloud-operator/README.md index 72ce8d48..bbb2a841 100644 
--- a/charts/kubescape-cloud-operator/README.md +++ b/charts/kubescape-cloud-operator/README.md @@ -1,6 +1,6 @@ # Kubescape Operator -![Version: 1.11.0](https://img.shields.io/badge/Version-1.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.0](https://img.shields.io/badge/AppVersion-v1.11.0-informational?style=flat-square) +![Version: 1.14.0](https://img.shields.io/badge/Version-1.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.14.0](https://img.shields.io/badge/AppVersion-v1.11.0-informational?style=flat-square) ## [Docs](https://hub.armosec.io/docs/installation-of-armo-in-cluster) diff --git a/charts/kubescape-cloud-operator/templates/node-agent/clusterrole.yaml b/charts/kubescape-cloud-operator/templates/node-agent/clusterrole.yaml index 825ca6a6..b7a04d95 100644 --- a/charts/kubescape-cloud-operator/templates/node-agent/clusterrole.yaml +++ b/charts/kubescape-cloud-operator/templates/node-agent/clusterrole.yaml @@ -7,6 +7,9 @@ rules: - apiGroups: [""] resources: ["pods", "nodes"] verbs: ["get", "watch", "list"] +- apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create"] - apiGroups: ["batch"] resources: ["jobs", "cronjobs"] verbs: ["get", "watch", "list"] diff --git a/charts/kubescape-cloud-operator/templates/node-agent/configmap.yaml b/charts/kubescape-cloud-operator/templates/node-agent/configmap.yaml index e93b861a..6a67b9a8 100644 --- a/charts/kubescape-cloud-operator/templates/node-agent/configmap.yaml +++ b/charts/kubescape-cloud-operator/templates/node-agent/configmap.yaml 
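Review bot: The new rule grants `list` and `watch` on `events` cluster-wide alongside `create`; if the node-agent only emits events, the read verbs are unnecessary and let the agent read every namespace's event stream, and if it does consume events the reason belongs next to the rule. Unless a reader is needed, reduce to `verbs: ["create"]` with a comment such as `# node-agent emits Kubernetes events; add list/watch only if it reads them`. Whether the agent reads events is not visible in this diff.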
@@ -2,30 +2,13 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ .Values.nodeAgent.config.name }} + name: {{ .Values.nodeAgent.name }} namespace: {{ .Values.ksNamespace }} data: - ConfigurationFile.json: | + config.json: | { - "sniffer": { - "services": [ - { - "Name": "relevantCVEs" - } - ], - "maxSniffingTimePerContainer": {{ .Values.nodeAgent.config.maxLearningPeriod }} - }, - "falcoEbpfEngine": { - "kernelObjPath": "/root/.falco/falco-bpf.o", - "ebpfEngineLoaderPath": "/etc/node-agent/resources/ebpf/falco/userspace_app" - }, - "node": { - "name": "" - }, - "db": { - "updateDataPeriod": {{ .Values.nodeAgent.config.learningPeriod }} - }, - "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" }}", - "accountID": "{{ .Values.account }}" + "relevantCVEServiceEnabled": true, + "maxSniffingTimePerContainer": "{{ .Values.nodeAgent.config.maxLearningPeriod }}", + "updateDataPeriod": "{{ .Values.nodeAgent.config.learningPeriod }}" } {{- end }} diff --git a/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml index bd30dc90..8fcadcea 100644 --- a/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml +++ b/charts/kubescape-cloud-operator/templates/node-agent/daemonset.yaml @@ -52,10 +52,23 @@ spec: - linux serviceAccountName: {{ .Values.nodeAgent.name }} automountServiceAccountToken: true + hostPID: true nodeSelector: kubernetes.io/os: linux kubernetes.io/arch: amd64 volumes: + - name: {{ .Values.global.cloudConfig }} + configMap: + name: {{ .Values.global.cloudConfig }} + items: + - key: "clusterData" + path: "clusterData.json" + - name: config + configMap: + name: {{ .Values.nodeAgent.name }} + items: + - key: "config.json" + path: "config.json" {{- range .Values.nodeAgent.volumes }} - name: {{ .name }} {{- if .configMap }} 
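Review bot: Renaming the ConfigMap to `{{ .Values.nodeAgent.name }}` leaves `nodeAgent.volumes` in values.yaml (visible as context at the top of its last hunk) still pointing at `configMap: name: node-agent-config-map`, which the chart no longer creates, and the daemonset's `range .Values.nodeAgent.volumes` still renders that volume; the kubelet will not start a pod whose configMap volume cannot be resolved unless it is marked `optional: true`. Either drop the `configmap-volume` entry from values.yaml or point it at `{{ .Values.nodeAgent.name }}`. Separately, the removed JSON normalised `clusterName` with `regexReplaceAll "\\W+"` before writing it; that value now has to come from the `cloudConfig` ConfigMap's `clusterData`, so confirm the same normalisation is applied there.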
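Review bot: `hostPID: true` is added without a comment explaining why the agent needs the host PID namespace, and together with `privileged: true` in the later hunk it places the pod in the PodSecurity `privileged` tier, so the target namespace must carry `pod-security.kubernetes.io/enforce: privileged` or admission will reject the DaemonSet. Add a comment above the line stating the reason, e.g. `hostPID: true  # TODO(review): state why the host PID namespace is required; implies PSA level "privileged"`, and consider documenting the requirement in the chart README. Restricting the two new ConfigMap volumes to single keys via `items:` is good.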
@@ -73,39 +86,6 @@ spec: - name: proxy-secret secret: secretName: {{ .Values.global.proxySecretName }} - {{- end }} - initContainers: - - env: - {{- range .Values.nodeAgent.initContainer.env }} - - name: {{ .name }} - {{- if .value }} - value: "{{ .value }}" - {{- end }} - {{- end }} - {{- if ne .Values.global.httpsProxy "" }} - - name: HTTPS_PROXY - value: "{{ .Values.global.httpsProxy }}" - - name: HTTP_PROXY - value: "{{ .Values.global.httpsProxy }}" - - name : no_proxy - value: "{{ $no_proxy_envar_list }}" - {{- end }} - image: "{{ .Values.nodeAgent.initContainer.image.repository }}:{{ .Values.nodeAgent.initContainer.image.tag }}" - imagePullPolicy: {{ .Values.nodeAgent.initContainer.image.pullPolicy }} - name: {{ .Values.nodeAgent.initContainer.name }} - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - {{- range .Values.nodeAgent.initContainer.volumeMounts }} - - mountPath: {{ .mountPath }} - name: {{ .name }} - readOnly: {{ .readOnly }} - {{- end }} - {{- if ne .Values.global.proxySecretFile "" }} - - name: proxy-secret - mountPath: /etc/ssl/certs/proxy.crt - subPath: proxy.crt {{- end }} containers: - name: {{ .Values.nodeAgent.containers.nodeAgent.name }} @@ -134,6 +114,12 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: HOST_ROOT + value: "/host" {{- range .Values.nodeAgent.containers.nodeAgent.env }} - name: {{ .name }} {{- if .value }} 
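Review bot: `HOST_ROOT` is hard-coded to `/host` here while the matching hostPath mount is configured in values.yaml (`mountPath: /host`), so the two can drift without any template error. Either derive both from a single value or leave a comment on the env entry: `# must match the mountPath of the "host" volume in values.yaml (nodeAgent.containers.nodeAgent.volumeMounts)`. The deleted falco driver-loader initContainer also carried the `HTTPS_PROXY`/`HTTP_PROXY`/`no_proxy` wiring; confirm the main container still receives it, since its env block is only partly visible here.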
@@ -142,11 +128,19 @@ spec: {{- end }} securityContext: runAsUser: 0 + privileged: true capabilities: add: - - SYS_RESOURCE - SYS_ADMIN volumeMounts: + - name: {{ .Values.global.cloudConfig }} + mountPath: /etc/config/clusterData.json + readOnly: true + subPath: "clusterData.json" + - name: config + mountPath: /etc/config/config.json + readOnly: true + subPath: "config.json" {{- range .Values.nodeAgent.containers.nodeAgent.volumeMounts }} - mountPath: {{ .mountPath }} name: {{ .name }} diff --git a/charts/kubescape-cloud-operator/values.yaml b/charts/kubescape-cloud-operator/values.yaml index 62ef2377..1b1fe808 100644 --- a/charts/kubescape-cloud-operator/values.yaml +++ b/charts/kubescape-cloud-operator/values.yaml @@ -228,7 +228,7 @@ operator: image: # -- source code: https://github.com/kubescape/operator repository: quay.io/kubescape/operator - tag: v0.1.25 + tag: v0.1.28-prerelease pullPolicy: IfNotPresent service: @@ -569,9 +569,8 @@ nodeAgent: name: "node-agent" config: - name: node-agent-config-map - maxLearningPeriod: 180 # minutes - learningPeriod: 2 # minutes + maxLearningPeriod: 3h # duration string + learningPeriod: 2m # duration string resources: requests: 
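Review bot: `privileged: true` already grants every capability, so the retained `capabilities.add: [SYS_ADMIN]` is dead configuration and dropping `SYS_RESOURCE` changes nothing; more importantly the DaemonSet now runs as root with full privileges on every node, the broadest grant available. If the eBPF tooling can run with an explicit capability set (CAP_BPF, CAP_PERFMON, CAP_SYS_ADMIN, CAP_SYS_PTRACE are the usual candidates) prefer that over `privileged`; if it genuinely requires privileged, remove the `capabilities` block and gate the flag behind a value such as `nodeAgent.privileged` with a comment stating why. The `readOnly: true` on the two config mounts is correct.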
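Review bot: The chart is bumped to release version 1.14.0 in Chart.yaml while its default images move to prerelease tags (`v0.1.28-prerelease` here, `node-agent v0.1.76-prerelease` in the next hunk); a released chart should ship final tags, and pinning an image digest in values would make the deployed bits reproducible. If the prerelease tags are intentional for a development branch, say so in a comment next to the tag. The `3h`/`2m` values are plain YAML strings, which is fine; the `# duration string` comment could name the expected format if the agent's parser is known.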
@@ -585,101 +584,51 @@ nodeAgent: - name: configmap-volume configMap: name: node-agent-config-map - - emptyDir: {} - name: root-falco-fs - hostPath: - path: /boot - type: "" - name: boot-fs + path: / + name: host - hostPath: - path: /lib/modules - type: "" - name: lib-modules - - hostPath: - path: /usr - type: "" - name: usr-fs - - hostPath: - path: /etc - type: "" - name: etc-fs + path: /run + name: run - hostPath: - path: /dev - type: "" - name: dev-fs + path: /sys/fs/cgroup + name: cgroup - hostPath: - path: /var/run/docker.sock - type: "" - name: docker-socket - - hostPath: - path: /run/containerd/containerd.sock - type: "" - name: containerd-socket - - hostPath: - path: /run/crio/crio.sock - type: "" - name: crio-socket + path: /lib/modules + name: modules - hostPath: - path: /proc - type: "" - name: proc-fs + path: /sys/fs/bpf + name: bpffs - hostPath: path: /sys/kernel/debug - type: "" name: debugfs + - emptyDir: + name: data - initContainer: - name: falco-driver-loader - image: - repository: docker.io/falcosecurity/falco-driver-loader - tag: 0.34.1 - pullPolicy: IfNotPresent - env: - - name: FALCO_BPF_PROBE - volumeMounts: - - mountPath: /root/.falco - name: root-falco-fs - readOnly: false - - mountPath: /host/proc - name: proc-fs - readOnly: true - - mountPath: /host/boot - name: boot-fs - readOnly: true - - mountPath: /host/lib/modules - name: lib-modules - - mountPath: /host/usr - name: usr-fs - readOnly: true - - mountPath: /host/etc - name: etc-fs - readOnly: true containers: nodeAgent: name: node-agent - image: + image: repository: quay.io/kubescape/node-agent - tag: v0.1.75 + tag: v0.1.76-prerelease pullPolicy: IfNotPresent - env: - - name: CONFIG_ENV_VAR - value: "/etc/node-agent/configuration/ConfigurationFile.json" + env: - name: NodeName valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - - mountPath: /etc/node-agent/configuration - name: configmap-volume - - mountPath: /root/.falco - name: root-falco-fs - - mountPath: /host/proc - 
name: proc-fs + - mountPath: /host + name: host + - mountPath: /run + name: run + - mountPath: /lib/modules + name: modules - mountPath: /sys/kernel/debug name: debugfs - - mountPath: /host/var/run/docker.sock - name: docker-socket - - mountPath: /host/run/containerd/containerd.sock - name: containerd-socket - - mountPath: /host/run/crio/crio.sock - name: crio-socket + - mountPath: /sys/fs/cgroup + name: cgroup + - mountPath: /sys/fs/bpf + name: bpffs + - mountPath: /data + name: data
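Review bot: The new `host` volume mounts the node's `/` at `/host` without `readOnly`, and combined with `privileged: true` this gives the container unrestricted write access to the whole host filesystem; mark it (and `/lib/modules`) read-only unless the agent really writes there, by adding `readOnly: true` under the `/host` and `/lib/modules` mounts. That needs the daemonset's container `volumeMounts` range to emit `readOnly` (the deleted initContainer range did; the container range is cut off in this diff), so check that first. Replacing the individual `docker.sock`/`containerd.sock`/`crio.sock` mounts with all of `/run` read-write exposes every runtime socket and other host state under `/run`; if only the CRI socket is needed, mounting it alone keeps the surface smaller. The `configmap-volume` entry at the top of this hunk still references `node-agent-config-map`, which the renamed ConfigMap template no longer creates. The volumeMounts list may continue past the end of the visible hunk.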