

2.13.0: image admission, registry scan ACR and ECR GA, ECS scan (#91)
- Admission Control policy 1.2.0, enforcer 1.5.0:
** Image Admission (new feature) that integrates Admission Control and Image Assurance allowing users to block the deployment of workloads based on the Image Assurance policy.
- Image Assurance 2.13.0:
** Registry Scanning for ACR and ECR GA
** Registry listing functionality has been split from engine agent into a separate 'imagescan-list' deployment
** Support for scanner scaling
- All features:
** improving telemetry infrastructure
** fluentbit container has been removed from all agents except the Admission Control enforcer & gsl and the Runtime Protection daemon.
- Resources reduced for:
** Admission Control enforcer and policy
** Image Assurance engine
** Runtime Protection policy
chkp-rigor authored Jul 11, 2022
1 parent c7845ab commit 1e82c38
Showing 54 changed files with 402 additions and 306 deletions.
6 changes: 4 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.11.1
appVersion: 2.13.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand All @@ -17,5 +17,7 @@ keywords:
- runtime protection
- registry scan
- acr
- ecr
- ecs
name: cloudguard
version: 2.11.1
version: 2.13.0
43 changes: 31 additions & 12 deletions checkpoint/cloudguard/README.md


167 changes: 54 additions & 113 deletions checkpoint/cloudguard/defaults.yaml
Expand Up @@ -50,7 +50,7 @@ podAnnotations:
proxy: {}

containerRuntime:
platform: kubernetes # kubernetes, openshift or tanzu
platform: kubernetes # kubernetes, openshift, openshift.v3 or tanzu

seccompProfile:
type: RuntimeDefault
Expand All @@ -61,7 +61,7 @@ inventory:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.4.5
tag: 1.6.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -86,20 +86,6 @@ inventory:
nodeSelector: {}
tolerations: []
affinity: {}
fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi

### Addons configuration
### Each addon may be disabled
Expand All @@ -108,11 +94,12 @@ addons:
## Image Scan Add-on
imageScan:
enabled: false

daemon:

## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 2.10.0
tag: 2.13.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -125,16 +112,16 @@ addons:
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
cpu: 50m
memory: 50Mi
limits:
cpu: 200m
cpu: 50m
memory: 50Mi

shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 2.10.0
tag: 2.13.0

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand All @@ -143,7 +130,7 @@ addons:
cpu: 100m
memory: 50Mi
limits:
cpu: 200m
cpu: 150m
memory: 50Mi

## resources for shim container for CRI-O are higher
Expand All @@ -162,38 +149,26 @@ addons:
- operator: Exists
affinity: {}

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi

engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.10.0
tag: 2.13.0

## Specify existing service account name ("" to create)
serviceAccountName: ""

replicaCount: 1

## Extra environment variables passed to the container
env: []

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 200m
memory: 500Mi
cpu: 150m
memory: 100Mi
limits:
cpu: 1000m
memory: 2500Mi
Expand All @@ -203,21 +178,33 @@ addons:
nodeSelector: {}
tolerations: []
affinity: {}

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi
list:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.13.0

## Specify existing service account name ("" to create)
serviceAccountName: ""

## Extra environment variables passed to the container
env: []

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 50m
memory: 100Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: { }
tolerations: [ ]
affinity: { }


## Flow Logs Add-on
Expand All @@ -226,7 +213,7 @@ addons:
daemon:
## Specify image and tag
image: checkpoint/consec-flowlogs-daemon
tag: 0.6.1
tag: 0.7.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -255,29 +242,13 @@ addons:
- operator: Exists
affinity: {}

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi


## Admission Control Add-on
admissionControl:
enabled: false
policy:
## Specify image and tag
image: checkpoint/consec-admission-policy
tag: 1.0.3
tag: 1.2.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -289,37 +260,22 @@ addons:
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
cpu: 50m
memory: 30Mi
limits:
cpu: 200m
cpu: 50m
memory: 50Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
affinity: {}
tolerations: []

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi


enforcer:
## Specify image and tag
image: checkpoint/consec-admission-enforcer
tag: 1.3.2
tag: 1.5.0

failurePolicyIntervalHours: 24

Expand All @@ -336,15 +292,15 @@ addons:
resources:
requests:
cpu: 200m
memory: 100Mi
memory: 50Mi
limits:
cpu: 200m
memory: 100Mi

gsl:
## Specify image and tag
image: checkpoint/consec-admission-gsl
tag: 1.3.2
tag: 1.3.3

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down Expand Up @@ -387,7 +343,7 @@ addons:
## Main container settings
## Specify image and tag
image: checkpoint/consec-runtime-daemon
tag: 0.0.677
tag: 0.0.740

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -409,7 +365,7 @@ addons:
probe:
## Specify image and tag
image: checkpoint/consec-runtime-probe
tag: 0.27.1-cp-1
tag: 0.28.0-cp-2

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand All @@ -430,10 +386,10 @@ addons:
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
cpu: 30m
memory: 20Mi
limits:
cpu: 200m
cpu: 30m
memory: 30Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
Expand All @@ -449,7 +405,7 @@ addons:

## Specify custom image ("" to use default)
image: checkpoint/consec-runtime-policy
tag: 1.1.0
tag: 1.2.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -461,27 +417,12 @@ addons:
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
cpu: 50m
memory: 30Mi
limits:
cpu: 200m
cpu: 50m
memory: 50Mi

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
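Review bot: The new `list` block in the `@@ -203,21 +178,33 @@` hunk writes its pod-placement values as `nodeSelector: { }`, `tolerations: [ ]`, `affinity: { }`, while every other block in this file uses `{}` / `[]`; the spaced form is valid YAML but the inconsistency will show up in any Prettier/yamllint pass, so these three lines should read `nodeSelector: {}`, `tolerations: []`, `affinity: {}`. The same block reuses `image: checkpoint/consec-imagescan-engine` although the commit message describes registry listing as a separate 'imagescan-list' deployment, so a one-line comment above `image:` stating that the engine image is intentional for the listing deployment would stop a reader from treating it as a copy-paste slip. Since `serviceAccountName: ""` means a new service account is created for this deployment, it is presumably bound to its own RBAC in the templates — worth confirming there that its permissions are scoped to registry listing rather than inherited wholesale from the engine. The enclosing `addons.imageScan` mapping starts before this hunk and the `addons` mapping ends after it.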
