diff --git a/checkpoint/cloudguard/Chart.yaml b/checkpoint/cloudguard/Chart.yaml index 6c351a32..cb633dc0 100644 --- a/checkpoint/cloudguard/Chart.yaml +++ b/checkpoint/cloudguard/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.11.1 +appVersion: 2.13.0 description: A Helm chart for Check Point CloudGuard Workload Security home: https://portal.checkpoint.com icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png @@ -17,5 +17,7 @@ keywords: - runtime protection - registry scan - acr +- ecr +- ecs name: cloudguard -version: 2.11.1 +version: 2.13.0 diff --git a/checkpoint/cloudguard/README.md b/checkpoint/cloudguard/README.md index 19fb9f71..24960f23 100644 --- a/checkpoint/cloudguard/README.md +++ b/checkpoint/cloudguard/README.md @@ -100,6 +100,16 @@ For Image Assurance feature the default maximal image size to scan is 2GB, and t It will define memory limit for *imagescan-engine* pod to be 3.5GB. +**Number of Image Assurance Scanners** + +The number of Image Assurance scanners can be increased to add parallelism and reduce the time it takes to scan multiple images. By default there is one such scanner. +Modifying the number of Image Assurance scanners can be done by setting the addons.imageScan.engine.replicaCount parameter. E.g. to set the number of scanning pods to 2, helm install command should be appended with: +```bash +--set addons.imageScan.engine.replicaCount=2 +``` + +Note that each additional scanner will require additional resources. + ## Configurable parameters The following table list the configurable parameters of this chart and their default values. 
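Review bot: the new "Number of Image Assurance Scanners" README section under-documents the cost of `addons.imageScan.engine.replicaCount`. The paragraph just above it explains that the engine's memory limit is derived from `addons.imageScan.maxImageSizeMb` (+500MB, 3.5GB in the example); that limit applies to every replica, so "each additional scanner will require additional resources" should be made concrete, e.g. "Each replica is scheduled with the same memory limit, so N replicas reserve N x (maxImageSizeMb + 500MB) of cluster memory." While here, the Chart.yaml hunk jumps `version` from 2.11.1 straight to 2.13.0 with no changelog entry in the PR; a short note on why 2.12.x is skipped would help anyone pinning versions.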
@@ -118,12 +128,12 @@ The following table list the configurable parameters of this chart and their def | `imagePullPolicy` | Image pull policy | `Always` | | `proxy` | Proxy settings (e.g. http://my-proxy.com:8080) | `{}` | | `containerRuntime` | Container runtime (docker/containerd/cri-o) overriding auto-detection | `` | -| `platform` | Kubernetes platform (kubernetes/tanzu/openshift) overriding auto-detection | `kubernetes` | +| `platform` | Kubernetes platform (kubernetes/tanzu/openshift/openshift.v3/eks.bottlerocket) overriding auto-detection | `kubernetes` | | `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` | | `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` | | `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` | | `inventory.agent.image` | Specify image for the agent | `checkpoint/consec-inventory-agent` | -| `inventory.agent.tag` | Specify image tag for the agent | `1.4.5` | +| `inventory.agent.tag` | Specify image tag for the agent | `1.6.0` | | `inventory.agent.serviceAccountName` | Specify custom Service Account for the Inventory agent | `` | | `inventory.agent.replicaCount` | Number of Inventory agent instances to be deployed | `1` | | `inventory.agent.env` | Additional environmental variables for Inventory agent | `{}` | 
@@ -134,7 +144,7 @@ The following table list the configurable parameters of this chart and their def | `addons.imageScan.enabled` | Specifies whether the Image Scan addon should be installed | `false` | | `addons.imageScan.maxImageSizeMb` | Specifies in MiBytes maximal image size to scan, its value + 500MB will be imageScan.engine main container memory limit | `` | | `addons.imageScan.daemon.image` | Specify image for the agent | `checkpoint/consec-imagescan-daemon` | -| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`2.10.0` | +| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`2.13.0` | | `addons.imageScan.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` | | `addons.imageScan.daemon.env` | Additional environmental variables for the agent | `{}` | | `addons.imageScan.daemon.resources` | Resources restriction (e.g. CPU, memory) | `{}` | 
@@ -142,20 +152,29 @@ The following table list the configurable parameters of this chart and their def | `addons.imageScan.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` | | `addons.imageScan.daemon.affinity` | Affinity setting | `{}` | | `addons.imageScan.daemon.shim.image` | Specify image for the shim container | `checkpoint/consec-imagescan-shim` | -| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.10.0` | +| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.13.0` | | `addons.imageScan.daemon.shim.env` | Additional environmental variables for the shim container | `{}` | | `addons.imageScan.daemon.shim.resources` | Resources restriction (e.g. CPU, memory) | `{}` | | `addons.imageScan.engine.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` | -| `addons.imageScan.engine.tag` | Specify image tag for the agent |`2.10.0` | +| `addons.imageScan.engine.tag` | Specify image tag for the agent |`2.13.0` | | `addons.imageScan.engine.serviceAccountName` | Specify custom Service Account for the agent | `` | +| `addons.imageScan.engine.replicaCount` | Number of scanning engine instances to be deployed | `1` | | `addons.imageScan.engine.env` | Additional environmental variables for the agent | `{}` | | `addons.imageScan.engine.resources` | Resources restriction (e.g. 
CPU, memory) | `{}` | | `addons.imageScan.engine.nodeSelector` | Node labels for pod assignment | `{}` | | `addons.imageScan.engine.tolerations` | List of node taints to tolerate | `[]` | | `addons.imageScan.engine.affinity` | Affinity setting | `{}` | +| `addons.imageScan.list.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` | +| `addons.imageScan.list.tag` | Specify image tag for the agent |`2.13.0` | +| `addons.imageScan.list.serviceAccountName` | Specify custom Service Account for the agent | `` | +| `addons.imageScan.list.env` | Additional environmental variables for the agent | `{}` | +| `addons.imageScan.list.resources` | Resources restriction (e.g. CPU, memory) | `{}` | +| `addons.imageScan.list.nodeSelector` | Node labels for pod assignment | `{}` | +| `addons.imageScan.list.tolerations` | List of node taints to tolerate | `[]` | +| `addons.imageScan.list.affinity` | Affinity setting | `{}` | | `addons.flowLogs.enabled` | Specifies whether the Flow Logs addon should be installed | `false` | | `addons.flowLogs.daemon.image` | Specify image for the agent | `checkpoint/consec-flowlogs-daemon` | -| `addons.flowLogs.daemon.tag` | Specify image tag for the agent |`0.6.1` | +| `addons.flowLogs.daemon.tag` | Specify image tag for the agent |`0.7.0` | | `addons.flowLogs.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` | | `addons.flowLogs.daemon.logLevel` | What should be logged. (info, debug) | `info` | | `addons.flowLogs.daemon.env` | Additional environmental variables for the agent | `{}` | 
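Review bot: the eight new `addons.imageScan.list.*` rows are copied from the engine rows ("Specify image for the agent", "Specify custom Service Account for the agent") and nothing in the README explains what the `list` component is, why it runs the same `checkpoint/consec-imagescan-engine` image as the engine, or how it relates to `addons.imageScan.engine.replicaCount`. Add a one-line description of its role to the Image Assurance section and make the row text specific, e.g. "Specify image for the image list service". The `flowLogs.daemon.tag` bump in the same hunk is fine.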
@@ -165,7 +184,7 @@ The following table list the configurable parameters of this chart and their def | `addons.flowLogs.daemon.affinity` | Affinity setting | `{}` | | `addons.admissionControl.enabled` | Specify whether the Admission Control addon should be installed | `false` | | `addons.admissionControl.policy.image` | Specify image for the agent | `checkpoint/consec-admission-policy` | -| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.0.3` | +| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.2.0` | | `addons.admissionControl.policy.serviceAccountName` | Specify custom Service Account for the agent | `` | | `addons.admissionControl.policy.env` | Additional environmental variables for the agent | `{}` | | `addons.admissionControl.policy.resources` | Resources restriction (e.g. CPU, memory) | `{}` | 
@@ -176,14 +195,14 @@ The following table list the configurable parameters of this chart and their def | `addons.admissionControl.policy.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` | | `addons.admissionControl.policy.fluentbit.resources` | Resources restriction (e.g. CPU, memory) | `{}` | | `addons.admissionControl.enforcer.image` | Specify image for the agent | `checkpoint/consec-admission-enforcer` | -| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`1.3.2` | +| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`1.5.0` | | `addons.admissionControl.enforcer.serviceAccountName` | Specify custom Service Account for the agent | `` | | `addons.admissionControl.enforcer.replicaCount` | Number of Inventory agent instances to be deployed | `2` | | `addons.admissionControl.enforcer.env` | Additional environmental variables for the agent | `{}` | | `addons.admissionControl.enforcer.failurePolicyIntervalHours`| If the agent is unable to synchronize it's policy, this is the number of hours it will wait before switching to a fail-open policy | `24` | | `addons.admissionControl.enforcer.resources` | Resources restriction (e.g. CPU, memory) | `{}` | | `addons.admissionControl.enforcer.gsl.image` | Specify image for the agent | `checkpoint/consec-admission-gsl` | -| `addons.admissionControl.enforcer.gsl.tag` | Specify image tag for the agent |`1.3.2` | +| `addons.admissionControl.enforcer.gsl.tag` | Specify image tag for the agent |`1.3.3` | | `addons.admissionControl.enforcer.gsl.resources` | Resources restriction (e.g. CPU, memory) | `{}` | | `addons.admissionControl.enforcer.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` | | `addons.admissionControl.enforcer.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` | 
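Review bot: `addons.admissionControl.enforcer.replicaCount` in this hunk still reads "Number of Inventory agent instances to be deployed", a copy-paste from the inventory row; since the enforcer rows are being touched anyway, change it to "Number of Admission Control enforcer instances to be deployed". Also worth stating in the PR description why `enforcer.gsl.tag` moves only 1.3.2 -> 1.3.3 while the enforcer itself jumps 1.3.2 -> 1.5.0, so readers do not assume the two are meant to stay in lockstep.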
@@ -193,7 +212,7 @@ The following table list the configurable parameters of this chart and their def | `addons.admissionControl.enforcer.affinity` | Affinity setting | `{}` | | `addons.runtimeProtection.enabled` | Specifies whether the Runtime Protection addon should be installed | `false` | | `addons.runtimeProtection.daemon.image` | Specify image for the agent | `checkpoint/consec-runtime-daemon` | -| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.677` | +| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.740` | | `addons.runtimeProtection.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` | | `addons.runtimeProtection.daemon.env` | Additional environmental variables for the agent | `{}` | | `addons.runtimeProtection.daemon.resources` | Resources restriction (e.g. CPU, memory) | `requests.cpu: 100m` | @@ -201,7 +220,7 @@ The following table list the configurable parameters of this chart and their def | | | `limits.cpu: 2000m` | | | | `limits.memory: 1Gi` | | `addons.runtimeProtection.daemon.probe.image` | Specify image for the agent | `checkpoint/consec-runtime-probe` | -| `addons.runtimeProtection.daemon.probe.tag` | Specify image tag for the agent |`0.27.1-cp-1` | +| `addons.runtimeProtection.daemon.probe.tag` | Specify image tag for the agent |`0.28.0-cp-2` | | `addons.runtimeProtection.daemon.probe.resources` | Resources restriction (e.g. CPU, memory) | `{}` | | `addons.runtimeProtection.daemon.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` | | `addons.runtimeProtection.daemon.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` | 
@@ -210,7 +229,7 @@ The following table list the configurable parameters of this chart and their def | `addons.runtimeProtection.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` | | `addons.runtimeProtection.daemon.affinity` | Affinity setting | `{}` | | `addons.runtimeProtection.policy.image` | Specify image for the agent | `checkpoint/consec-runtime-policy` | -| `addons.runtimeProtection.policy.tag` | Specify image tag for the agent |`1.1.0` | +| `addons.runtimeProtection.policy.tag` | Specify image tag for the agent |`1.2.0` | | `addons.runtimeProtection.policy.serviceAccountName` | Specify custom Service Account for the agent | `` | | `addons.runtimeProtection.policy.env` | Additional environmental variables for the agent | `{}` | | `addons.runtimeProtection.policy.resources` | Resources restriction (e.g. CPU, memory) | `{}` | diff --git a/checkpoint/cloudguard/defaults.yaml b/checkpoint/cloudguard/defaults.yaml index 78c99d10..cee957df 100644 --- a/checkpoint/cloudguard/defaults.yaml +++ b/checkpoint/cloudguard/defaults.yaml @@ -50,7 +50,7 @@ podAnnotations: proxy: {} containerRuntime: -platform: kubernetes # kubernetes, openshift or tanzu +platform: kubernetes # kubernetes, openshift, openshift.v3 or tanzu seccompProfile: type: RuntimeDefault @@ -61,7 +61,7 @@ inventory: ## Specify image and tag image: checkpoint/consec-inventory-agent - tag: 1.4.5 + tag: 1.6.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -86,20 +86,6 @@ inventory: nodeSelector: {} tolerations: [] affinity: {} - fluentbit: - ## Specify image and tag - image: checkpoint/consec-fluentbit - tag: 1.6.9-cp - - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - resources: - requests: - cpu: 100m - memory: 20Mi - limits: - cpu: 200m - memory: 30Mi ### Addons configuration ### Each addon may be disabled 
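Review bot: the updated defaults.yaml comment `platform: kubernetes # kubernetes, openshift, openshift.v3 or tanzu` omits `eks.bottlerocket`, which both the README `platform` row and the new `validate.platform` helper in this same patch accept. Keep the three lists identical, or have the comment point at `validate.platform` as the single source of truth. The removal of the `inventory.fluentbit` block is consistent with the README, which has no `inventory.*.fluentbit` rows.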
@@ -108,11 +94,12 @@ addons: ## Image Scan Add-on imageScan: enabled: false + daemon: ## Specify image and tag image: checkpoint/consec-imagescan-daemon - tag: 2.10.0 + tag: 2.13.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -125,16 +112,16 @@ addons: ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: requests: - cpu: 100m + cpu: 50m memory: 50Mi limits: - cpu: 200m + cpu: 50m memory: 50Mi shim: ## Specify image and tag image: checkpoint/consec-imagescan-shim - tag: 2.10.0 + tag: 2.13.0 ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ @@ -143,7 +130,7 @@ addons: cpu: 100m memory: 50Mi limits: - cpu: 200m + cpu: 150m memory: 50Mi ## resources for shim container for CRI-O are higher @@ -162,29 +149,17 @@ addons: - operator: Exists affinity: {} - fluentbit: - ## Specify image and tag - image: checkpoint/consec-fluentbit - tag: 1.6.9-cp - - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - resources: - requests: - cpu: 100m - memory: 20Mi - limits: - cpu: 200m - memory: 30Mi engine: ## Specify image and tag image: checkpoint/consec-imagescan-engine - tag: 2.10.0 + tag: 2.13.0 ## Specify existing service account name ("" to create) serviceAccountName: "" + replicaCount: 1 + ## Extra environment variables passed to the container env: [] @@ -192,8 +167,8 @@ addons: ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: requests: - cpu: 200m - memory: 500Mi + cpu: 150m + memory: 100Mi limits: cpu: 1000m memory: 2500Mi 
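Review bot: the resource changes in this hunk need a sentence of justification in the PR. The imagescan daemon goes to `requests.cpu: 50m` / `limits.cpu: 50m` (limit was 200m), which is a hard 50m cap on a per-node agent that brokers container-runtime calls through the shim; and the engine's memory request drops from 500Mi to 100Mi while its limit stays at 2500Mi (and grows with `maxImageSizeMb` per the README). A 25:1 request-to-limit memory ratio lets the scheduler place engines on nodes that cannot actually satisfy a full-size scan, which surfaces later as OOM kills rather than pending pods. If these numbers come from measured usage, say so; otherwise keep the request closer to the working set of a real scan.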
@@ -203,21 +178,33 @@ addons: nodeSelector: {} tolerations: [] affinity: {} - - fluentbit: - ## Specify image and tag - image: checkpoint/consec-fluentbit - tag: 1.6.9-cp - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - resources: - requests: - cpu: 100m - memory: 20Mi - limits: - cpu: 200m - memory: 30Mi + list: + ## Specify image and tag + image: checkpoint/consec-imagescan-engine + tag: 2.13.0 + + ## Specify existing service account name ("" to create) + serviceAccountName: "" + + ## Extra environment variables passed to the container + env: [] + + ## Configure resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi + + ## Configuration options for nodeSelector, tolerations and affinity for pod + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: { } + tolerations: [ ] + affinity: { } ## Flow Logs Add-on @@ -226,7 +213,7 @@ addons: daemon: ## Specify image and tag image: checkpoint/consec-flowlogs-daemon - tag: 0.6.1 + tag: 0.7.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -255,29 +242,13 @@ addons: - operator: Exists affinity: {} - fluentbit: - ## Specify image and tag - image: checkpoint/consec-fluentbit - tag: 1.6.9-cp - - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - resources: - requests: - cpu: 100m - memory: 20Mi - limits: - cpu: 200m - memory: 30Mi - - ## Admission Control Add-on admissionControl: enabled: false policy: ## Specify image and tag image: checkpoint/consec-admission-policy - tag: 1.0.3 + tag: 1.2.0 ## Specify existing service account name ("" to create) serviceAccountName: "" 
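Review bot: in the new `list:` block, `nodeSelector: { }`, `tolerations: [ ]` and `affinity: { }` use spaced braces while every other block in defaults.yaml (including the `engine:` block directly above) uses `{}` / `[]`; normalise to the file's convention. The block also sets `limits.cpu: 50m` equal to its request, the same pattern questioned for the daemon above; a short comment on why a 50m cap is sufficient for the list service would help the next person tuning it.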
@@ -289,10 +260,10 @@ addons: ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: requests: - cpu: 100m + cpu: 50m memory: 30Mi limits: - cpu: 200m + cpu: 50m memory: 50Mi ## Configuration options for nodeSelector, tolerations and affinity for pod @@ -300,26 +271,11 @@ addons: nodeSelector: {} affinity: {} tolerations: [] - - fluentbit: - ## Specify image and tag - image: checkpoint/consec-fluentbit - tag: 1.6.9-cp - - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - resources: - requests: - cpu: 100m - memory: 20Mi - limits: - cpu: 200m - memory: 30Mi - + enforcer: ## Specify image and tag image: checkpoint/consec-admission-enforcer - tag: 1.3.2 + tag: 1.5.0 failurePolicyIntervalHours: 24 @@ -336,7 +292,7 @@ addons: resources: requests: cpu: 200m - memory: 100Mi + memory: 50Mi limits: cpu: 200m memory: 100Mi @@ -344,7 +300,7 @@ addons: gsl: ## Specify image and tag image: checkpoint/consec-admission-gsl - tag: 1.3.2 + tag: 1.3.3 ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ @@ -387,7 +343,7 @@ addons: ## Main container settings ## Specify image and tag image: checkpoint/consec-runtime-daemon - tag: 0.0.677 + tag: 0.0.740 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -409,7 +365,7 @@ addons: probe: ## Specify image and tag image: checkpoint/consec-runtime-probe - tag: 0.27.1-cp-1 + tag: 0.28.0-cp-2 ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ @@ -430,10 +386,10 @@ addons: ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: requests: - cpu: 100m + cpu: 30m memory: 20Mi limits: - cpu: 200m + cpu: 30m memory: 30Mi ## Configuration options for nodeSelector, tolerations and affinity for pod 
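Review bot: the hunk at `@@ -300,26 +271,11 @@` removes `addons.admissionControl.policy.fluentbit` from defaults.yaml, but the README hunk earlier in this patch still documents `addons.admissionControl.policy.fluentbit.image`, `.tag` and `.resources` as configurable parameters. Remove those README rows in the same PR, otherwise `--set addons.admissionControl.policy.fluentbit.tag=...` is accepted and silently does nothing. The enforcer's memory request halving to 50Mi (limit 100Mi) and the policy/runtime-policy CPU limits dropping to 50m belong with the sizing justification requested for the imagescan hunk.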
@@ -449,7 +405,7 @@ addons: ## Specify custom image ("" to use default) image: checkpoint/consec-runtime-policy - tag: 1.1.0 + tag: 1.2.0 ## Specify existing service account name ("" to create) serviceAccountName: "" @@ -461,27 +417,12 @@ addons: ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: requests: - cpu: 100m + cpu: 50m memory: 30Mi limits: - cpu: 200m + cpu: 50m memory: 50Mi - fluentbit: - ## Specify image and tag - image: checkpoint/consec-fluentbit - tag: 1.6.9-cp - - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - resources: - requests: - cpu: 100m - memory: 20Mi - limits: - cpu: 200m - memory: 30Mi - ## Configuration options for nodeSelector, tolerations and affinity for pod ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ nodeSelector: {} diff --git a/checkpoint/cloudguard/templates/_helpers.tpl b/checkpoint/cloudguard/templates/_helpers.tpl index b275c037..a3f57c68 100644 --- a/checkpoint/cloudguard/templates/_helpers.tpl +++ b/checkpoint/cloudguard/templates/_helpers.tpl @@ -74,7 +74,7 @@ helm.sh/chart: {{ printf "%s-%s" .Chart.name .Chart.version | replace "+" "_" | agentVersion: {{ .agentConfig.tag }} {{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}} {{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}} -{{- if and (ne (include "get.platform" .) "openshift") (or (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) (include "is.helm.template.command" .)) }} +{{- if and (not (contains "openshift" (include "get.platform" .))) (or (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) (include "is.helm.template.command" .)) }} seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }} {{- end }} {{- if .Values.podAnnotations.apparmor }} 
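Review bot: replacing `ne (include "get.platform" .) "openshift"` with `not (contains "openshift" (include "get.platform" .))` is the right direction now that `openshift.v3` exists, but `contains` is a substring test and will also match any future platform string that happens to include "openshift". Prefer `hasPrefix "openshift"` or an explicit membership test against `(list "openshift" "openshift.v3")`, and since the same expression is repeated in ten or so templates across this patch, put it behind a single `is.openshift` helper so the list is maintained in one place.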
@@ -85,7 +85,7 @@ container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" {{- /* Pod properties commonly used in agents */ -}} {{- define "common.pod.properties" -}} -{{- if ne (include "get.platform" .) "openshift" }} +{{- if not (contains "openshift" (include "get.platform" .)) }} securityContext: runAsUser: {{ include "cloudguard.nonroot.user" . }} runAsGroup: {{ include "cloudguard.nonroot.user" . }} @@ -138,7 +138,8 @@ imagePullSecrets: valueFrom: fieldRef: fieldPath: spec.nodeName - +- name: PLATFORM + value: {{ include "get.platform" . }} {{- template "user.defined.env" . -}} @@ -386,23 +387,31 @@ key: {{ $cert.Key | b64enc }} {{- end -}} {{- define "get.platform" -}} -{{- if has "security.openshift.io/v1" .Capabilities.APIVersions -}} +{{- if (include "is.helm.template.command" .) -}} +{{- include "validate.platform" . -}} +{{- lower .Values.platform -}} +{{- else if has "config.openshift.io/v1" .Capabilities.APIVersions -}} openshift +{{- else if has "security.openshift.io/v1" .Capabilities.APIVersions -}} +openshift.v3 {{- else if has "nsx.vmware.com/v1" .Capabilities.APIVersions -}} tanzu {{- else -}} -{{- .Values.platform -}} -{{- end -}} -{{- end -}} - -{{- define "is.openshift.v4" -}} -{{- if has "config.openshift.io/v1" .Capabilities.APIVersions -}} -openshift +{{- $nodes := lookup "v1" "Node" "" "" -}} +{{/* + nodeInfo.osImage example values: + - "Bottlerocket OS 1.7.2 (aws-k8s-1.21)" + - "Container-Optimized OS from Google" +*/}} +{{- $osImage := (first $nodes.items).status.nodeInfo.osImage }} +{{- if contains "Bottlerocket" $osImage -}} +eks.bottlerocket {{- else -}} -{{- .Values.platform -}} +{{- include "validate.platform" . -}} +{{- lower .Values.platform -}} +{{- end -}} {{- end -}} {{- end -}} - {{/* use to know if we run from template (which mean wo have no connection to the cluster and cannot check Capabilities/nodes etc.) 
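Review bot: in `get.platform`, `(first $nodes.items).status.nodeInfo.osImage` is evaluated without checking that `lookup` returned anything. `lookup` yields an empty dict when Helm has no live cluster access (for example `--dry-run`), and the Node list is empty when the installing identity lacks `list` on `nodes`; in both cases `first` has nothing to return and the render fails with a template error instead of falling through to `.Values.platform`. Guard the branch, e.g. `{{- if and $nodes.items (gt (len $nodes.items) 0) }}`, and fall back to `validate.platform` + `.Values.platform` otherwise. Two smaller points on the same define: only the first node returned by the API is inspected, so a cluster mixing Bottlerocket and other node images is classified by whichever node happens to be listed first; and an explicit `platform` value is only consulted after every auto-detection branch fails, which contradicts the README's "overriding auto-detection" wording. Consider honouring a non-default `.Values.platform` before the API lookups, and document that the chart now needs permission to list nodes. The new `PLATFORM` env in `common.env` is fine, but note it is now injected into every agent container, including the shim.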
@@ -414,3 +423,19 @@ openshift true {{- end -}} {{- end -}} + +{{- define "containerd.sock.path" -}} +{{- if eq (include "get.platform" .) "eks.bottlerocket" -}} +/run/dockershim.sock +{{- else -}} +/run/containerd/containerd.sock +{{- end -}} +{{- end -}} + +{{- define "validate.platform" -}} +{{- if has .Values.platform (list "kubernetes" "tanzu" "openshift" "openshift.v3" "eks.bottlerocket") -}} +{{- else -}} +{{- $err := printf "\n\nERROR: Invalid platform: %s (should be one of: 'kubernetes', 'tanzu', 'openshift', 'openshift.v3', 'eks.bottlerocket')" .Values.platform -}} +{{- fail $err -}} +{{- end -}} +{{- end -}} diff --git a/checkpoint/cloudguard/templates/admission/enforcer/_validatingwebhookconfiguration.yaml b/checkpoint/cloudguard/templates/admission/enforcer/_validatingwebhookconfiguration.yaml index dd08dba1..1b19bfe2 100644 --- a/checkpoint/cloudguard/templates/admission/enforcer/_validatingwebhookconfiguration.yaml +++ b/checkpoint/cloudguard/templates/admission/enforcer/_validatingwebhookconfiguration.yaml @@ -43,6 +43,6 @@ webhooks: matchPolicy: Equivalent failurePolicy: Ignore sideEffects: None - timeoutSeconds: 5 + timeoutSeconds: 10 {{- end -}} diff --git a/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml b/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml index 23ce4571..43e54cee 100644 --- a/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml +++ b/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml 
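Review bot: `validate.platform` matches `.Values.platform` case-sensitively against the list, but `get.platform` then emits `lower .Values.platform`; a user passing `OpenShift` is rejected even though the lowercased value would be accepted. Either drop the `lower` or validate `(lower .Values.platform)` so the accepted set and the emitted set agree. Also, `containerd.sock.path` hard-codes `/run/dockershim.sock` for `eks.bottlerocket` with no comment; a one-line note on why Bottlerocket's containerd socket lives at that path (and a link to the Bottlerocket docs) will save the next reader a search and guard against someone "fixing" it back to `/run/containerd/containerd.sock`.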
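Review bot: raising the validating webhook's `timeoutSeconds` from 5 to 10 deserves a sentence in the PR because this webhook is configured with `failurePolicy: Ignore`: with Ignore, every timeout is a silent admission bypass, so the longer window reduces bypasses caused by a slow enforcer at the cost of up to 10s added latency on every matched API request. If the motivation is that the enforcer is regularly exceeding 5s, the fix probably belongs in the enforcer (or in its `replicaCount`, which defaults to 2) rather than in the timeout, and the bypass behaviour should be called out in the README next to `failurePolicyIntervalHours`.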
@@ -62,14 +62,13 @@ spec: runAsNonRoot: true allowPrivilegeEscalation: false env: +{{ include "common.env" $config | indent 8 }} {{ include "user.defined.env" $config | indent 8 }} - - name: NAMESPACE_NAME - valueFrom: - fieldRef: - fieldPath: metadata.namespace - name: FAILURE_POLICY_INTERVAL_HOURS value: {{ $config.agentConfig.failurePolicyIntervalHours | quote }} volumeMounts: + - name: secret-volume + mountPath: /etc/secret-volume - name: webhook-certs mountPath: /etc/certs readOnly: true @@ -98,7 +97,7 @@ spec: imagePullPolicy: {{ $config.Values.imagePullPolicy }} securityContext: allowPrivilegeEscalation: false -{{- if ne (include "get.platform" $config) "openshift" }} +{{- if not (contains "openshift" (include "get.platform" $config)) }} runAsUser: {{ include "cloudguard.nonroot.user" $config }} runAsGroup: {{ include "cloudguard.nonroot.user" $config }} {{- end }} @@ -136,6 +135,9 @@ spec: - name: metrics-tail mountPath: /metric-tail volumes: + - name: secret-volume + secret: + secretName: {{ .Release.Name }}-cp-cloudguard-creds - name: webhook-certs secret: secretName: {{ template "agent.resource.name" $config }} diff --git a/checkpoint/cloudguard/templates/admission/policy/configmap-metrics.yaml b/checkpoint/cloudguard/templates/admission/policy/configmap-metrics.yaml deleted file mode 100644 index cf73779d..00000000 --- a/checkpoint/cloudguard/templates/admission/policy/configmap-metrics.yaml +++ /dev/null @@ -1,5 +0,0 @@ -{{- $config := fromYaml (include "admission.policy.config" .) -}} -{{ if $config.featureConfig.enabled }} -{{ template "telemetry.configmap" dict "config" $config }} -{{- end -}} - diff --git a/checkpoint/cloudguard/templates/admission/policy/deployment.yaml b/checkpoint/cloudguard/templates/admission/policy/deployment.yaml index 27de697c..5b027308 100644 --- a/checkpoint/cloudguard/templates/admission/policy/deployment.yaml +++ b/checkpoint/cloudguard/templates/admission/policy/deployment.yaml 
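Review bot: the new `secret-volume` mount of `{{ .Release.Name }}-cp-cloudguard-creds` in the enforcer deployment lacks `readOnly: true`, unlike the adjacent `webhook-certs` mount; credential mounts should be declared read-only explicitly so the intent survives a later change of volume type and the manifest is self-evidently least-privilege. The same hunk drops the explicit `NAMESPACE_NAME` downward-API env in favour of `{{ include "common.env" $config }}`, but the only visible change to `common.env` in this patch adds `PLATFORM`; please confirm `common.env` already provides `NAMESPACE_NAME`, otherwise the enforcer silently loses it.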
@@ -30,10 +30,6 @@ spec: volumeMounts: - name: secret-volume mountPath: /etc/secret-volume - - name: metrics - mountPath: /metric - - name: metrics-tail - mountPath: /metric-tail command: ["/admission_rule_updater"] env: {{ include "common.env" $config | indent 8 }} @@ -41,11 +37,9 @@ spec: resources: {{ toYaml $config.agentConfig.resources | indent 10 }} {{- end }} -{{ include "telemetry.container" $config | indent 6 }} volumes: - name: secret-volume secret: secretName: {{ .Release.Name }}-cp-cloudguard-creds -{{ include "fluentbit-metrics.volumes" $config | indent 6 }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/checkpoint/cloudguard/templates/admission/policy/secret-metrics-output.yaml b/checkpoint/cloudguard/templates/admission/policy/secret-metrics-output.yaml deleted file mode 100644 index 66a2f741..00000000 --- a/checkpoint/cloudguard/templates/admission/policy/secret-metrics-output.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "admission.policy.config" .) -}} -{{ template "metrics-output.secret" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/configmap-metrics.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/configmap-metrics.yaml deleted file mode 100644 index 4d16aede..00000000 --- a/checkpoint/cloudguard/templates/flowlogs/daemon/configmap-metrics.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "flowlogs.daemon.config" .) -}} -{{ template "telemetry.configmap" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml index 26419c31..a0c41c58 100644 --- a/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml +++ b/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml 
@@ -23,14 +23,12 @@ spec: {{ include "common.pod.properties" $config | indent 6 }} hostNetwork: true containers: -#fluentbit container -{{ include "telemetry.container" $config | indent 6 }} # Main container - name: {{ $config.agentName }} image: {{ template "agent.main.image" $config }} imagePullPolicy: {{ $config.Values.imagePullPolicy }} securityContext: -{{- if eq (include "get.platform" $config) "openshift" }} +{{- if contains "openshift" (include "get.platform" $config) }} privileged: true {{- else }} runAsUser: 0 @@ -42,10 +40,6 @@ spec: name: secret-volume - mountPath: /etc/cpconfig name: config-volume - - name: metrics - mountPath: /metric - - name: metrics-tail - mountPath: /metric-tail command: ["/flow_logs_user"] {{- if $config.agentConfig.resources }} resources: @@ -62,5 +56,4 @@ spec: - name: config-volume configMap: name: {{ template "agent.resource.name" $config }} -{{ include "fluentbit-metrics.volumes" $config | indent 6 }} {{ end }} diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/role.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/role.yaml index e062a6bd..423603a7 100644 --- a/checkpoint/cloudguard/templates/flowlogs/daemon/role.yaml +++ b/checkpoint/cloudguard/templates/flowlogs/daemon/role.yaml @@ -1,6 +1,6 @@ {{- $config := fromYaml (include "flowlogs.daemon.config" .) -}} {{- if $config.featureConfig.enabled -}} -{{- if or $config.Values.rbac.pspEnabled (eq (include "get.platform" $config) "openshift") -}} +{{- if or $config.Values.rbac.pspEnabled (contains "openshift" (include "get.platform" $config)) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,7 +16,7 @@ rules: resourceNames: - {{ template "agent.resource.name" $config }} {{- end }} -{{- if eq (include "get.platform" $config) "openshift" }} +{{- if contains "openshift" (include "get.platform" $config) }} - apiGroups: - security.openshift.io resourceNames: 
diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/rolebinding.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/rolebinding.yaml index 29bed780..a4cd2e48 100644 --- a/checkpoint/cloudguard/templates/flowlogs/daemon/rolebinding.yaml +++ b/checkpoint/cloudguard/templates/flowlogs/daemon/rolebinding.yaml @@ -1,6 +1,6 @@ {{- $config := fromYaml (include "flowlogs.daemon.config" .) -}} {{- if $config.featureConfig.enabled -}} -{{- if or $config.Values.rbac.pspEnabled (eq (include "get.platform" $config) "openshift") -}} +{{- if or $config.Values.rbac.pspEnabled (contains "openshift" (include "get.platform" $config)) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/secret-metrics-output.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/secret-metrics-output.yaml deleted file mode 100644 index 6ce99ad9..00000000 --- a/checkpoint/cloudguard/templates/flowlogs/daemon/secret-metrics-output.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "flowlogs.daemon.config" .) -}} -{{ template "metrics-output.secret" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/imagescan/_helpers.tpl b/checkpoint/cloudguard/templates/imagescan/_helpers.tpl new file mode 100644 index 00000000..744ef47d --- /dev/null +++ b/checkpoint/cloudguard/templates/imagescan/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "imagescan.engineAndList.commonFull.name" -}} +imagescan-engine +{{- end -}} + +{{- define "imagescan.engineAndList.commonResource.name" -}} +{{- $agentFullName := include "imagescan.engineAndList.commonFull.name" . -}} +{{ printf "%s-%s" $.Release.Name $agentFullName }} +{{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/_helpers.tpl b/checkpoint/cloudguard/templates/imagescan/daemon/_helpers.tpl index 5a5c965f..c4d86bfc 100644 --- a/checkpoint/cloudguard/templates/imagescan/daemon/_helpers.tpl 
+++ b/checkpoint/cloudguard/templates/imagescan/daemon/_helpers.tpl @@ -29,4 +29,4 @@ resources: cpu: {{ $resources.limits.cpu }} memory: {{ $resources.limits.memory }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/configmap-metrics.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/configmap-metrics.yaml deleted file mode 100644 index 45873a5a..00000000 --- a/checkpoint/cloudguard/templates/imagescan/daemon/configmap-metrics.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "imagescan.daemon.config" .) -}} -{{ template "telemetry.configmap" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml index 98aaae42..445032ee 100644 --- a/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml +++ b/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml @@ -24,13 +24,12 @@ spec: spec: {{ include "common.pod.properties" $config | indent 6 }} containers: -{{ include "telemetry.container" $config | indent 6 }} # Main container - name: {{ $config.agentName }} image: {{ template "agent.main.image" $config }} imagePullPolicy: {{ $config.Values.imagePullPolicy }} securityContext: -{{- if eq (include "get.platform" $config) "openshift" }} +{{- if contains "openshift" (include "get.platform" $config) }} privileged: true {{- else }} runAsUser: 0 @@ -40,6 +39,8 @@ spec: - NET_BIND_SERVICE {{- end }} volumeMounts: + - name: secret-volume + mountPath: /etc/secret-volume {{- if eq $config.containerRuntime "docker" }} - name: docker-sock-volume mountPath: /var/run/docker.sock @@ -51,10 +52,6 @@ spec: mountPath: /etc/servercert - name: clientcert-volume mountPath: /etc/clientcert - - name: metrics - mountPath: /metric - - name: metrics-tail - mountPath: /metric-tail command: ["/node_agent"] ports: - containerPort: 8443 
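Review bot: the new `templates/imagescan/_helpers.tpl` introduced in the previous hunk is added with "\ No newline at end of file", while the `@@ -29,4 +29,4 @@` hunk here fixes exactly that in `daemon/_helpers.tpl`; add the trailing newline to the new file too. In the daemonset hunk, the main container's new `secret-volume` mount at `/etc/secret-volume` has no `readOnly: true`, whereas the existing `cri-sock-volume` mount below it is marked read-only; be consistent.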
@@ -62,7 +59,8 @@ spec: resources: {{ toYaml $config.agentConfig.resources | indent 10 }} {{- end }} - env: + env: +{{ include "common.env" $config | indent 8 }} {{ include "user.defined.env" $config | indent 8 }} {{- if or (eq $config.containerRuntime "containerd") (eq $config.containerRuntime "cri-o") }} - name: USE_SHIM @@ -84,6 +82,8 @@ spec: - NET_BIND_SERVICE {{- end }} volumeMounts: + - name: secret-volume + mountPath: /etc/secret-volume - name: cri-sock-volume mountPath: /run/cri.sock readOnly: true @@ -102,7 +102,7 @@ spec: - name: var-lib-containers mountPath: /var/lib/containers readOnly: false -{{- if ne (include "get.platform" $config) "openshift" }} +{{- if not (contains "openshift" (include "get.platform" $config)) }} - name: lib-x86-64-linux-gnu mountPath: /lib/x86_64-linux-gnu readOnly: true @@ -126,13 +126,10 @@ spec: mountPath: /usr/bin/nsenter readOnly: true {{- end }} - - name: metrics - mountPath: /metric - - name: metrics-tail - mountPath: /metric-tail command: ["/shim"] {{- include "imagescan.daemon.shim.resources" $config | indent 8 }} env: +{{ include "common.env" $config | indent 8 }} {{- if eq $config.containerRuntime "cri-o" }} - name: LD_LIBRARY_PATH value: /lib/x86_64-linux-gnu:/lib64:/usr/lib/x86_64-linux-gnu @@ -142,6 +139,9 @@ spec: {{- end -}} {{- end }} volumes: + - name: secret-volume + secret: + secretName: {{ .Release.Name }}-cp-cloudguard-creds {{- if eq $config.containerRuntime "docker" }} - name: docker-sock-volume hostPath: @@ -155,7 +155,7 @@ spec: - name: cri-sock-volume hostPath: {{- if eq $config.containerRuntime "containerd" }} - path: /run/containerd/containerd.sock + path: {{ include "containerd.sock.path" $config }} {{- else if eq $config.containerRuntime "cri-o" }} path: /run/crio/crio.sock {{- end }} 
@@ -163,7 +163,7 @@ spec: {{- if eq $config.containerRuntime "containerd" }} - name: containerd-sock-volume hostPath: - path: /run/containerd/containerd.sock + path: {{ include "containerd.sock.path" $config }} type: Socket {{- end }} {{- if eq $config.containerRuntime "cri-o" }} @@ -179,7 +179,7 @@ spec: hostPath: path: /var/lib/containers type: Directory -{{- if ne (include "get.platform" $config) "openshift" }} +{{- if not (contains "openshift" (include "get.platform" $config)) }} - name: lib-x86-64-linux-gnu hostPath: path: /lib/x86_64-linux-gnu @@ -219,7 +219,6 @@ spec: name: {{ template "agent.resource.name" $config }} - name: clientcert-volume configMap: - name: {{ template "imagescan.engine.resource.name" . }} + name: {{ template "imagescan.engineAndList.commonResource.name" . }} {{/* TODO: investigate why $config instead of "." fails */}} -{{ include "fluentbit-metrics.volumes" $config | indent 6 }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/podsecuritypolicy.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/podsecuritypolicy.yaml index af003974..c0770dc0 100644 --- a/checkpoint/cloudguard/templates/imagescan/daemon/podsecuritypolicy.yaml +++ b/checkpoint/cloudguard/templates/imagescan/daemon/podsecuritypolicy.yaml @@ -24,7 +24,7 @@ spec: readOnly: true {{- end }} {{- if eq $config.containerRuntime "containerd" }} - - pathPrefix: /run/containerd/containerd.sock + - pathPrefix: {{ include "containerd.sock.path" $config }} readOnly: true {{- end }} {{- if eq $config.containerRuntime "cri-o" }} @@ -46,7 +46,7 @@ spec: readOnly: true - pathPrefix: /usr/bin/nsenter readOnly: true -{{- if ne (include "get.platform" $config) "openshift" }} +{{- if not (contains "openshift" (include "get.platform" $config)) }} - pathPrefix: /lib/x86_64-linux-gnu readOnly: true - pathPrefix: /usr/lib/x86_64-linux-gnu 
@@ -59,7 +59,6 @@ spec: - 'hostPath' - 'secret' - 'configMap' - - 'emptyDir' hostNetwork: false hostIPC: false hostPID: false diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/role.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/role.yaml index a9a89732..839e0fc9 100644 --- a/checkpoint/cloudguard/templates/imagescan/daemon/role.yaml +++ b/checkpoint/cloudguard/templates/imagescan/daemon/role.yaml @@ -1,6 +1,6 @@ {{- $config := fromYaml (include "imagescan.daemon.config" .) -}} {{- if $config.featureConfig.enabled -}} -{{- if or $config.Values.rbac.pspEnabled (eq (include "get.platform" $config) "openshift") -}} +{{- if or $config.Values.rbac.pspEnabled (contains "openshift" (include "get.platform" $config)) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,7 +16,7 @@ rules: resourceNames: - {{ template "agent.resource.name" $config }} {{- end }} -{{- if eq (include "get.platform" $config) "openshift" }} +{{- if contains "openshift" (include "get.platform" $config) }} - apiGroups: - security.openshift.io resourceNames: diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/rolebinding.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/rolebinding.yaml index e117497d..5b1605be 100644 --- a/checkpoint/cloudguard/templates/imagescan/daemon/rolebinding.yaml +++ b/checkpoint/cloudguard/templates/imagescan/daemon/rolebinding.yaml @@ -1,6 +1,6 @@ {{- $config := fromYaml (include "imagescan.daemon.config" .) -}} {{- if $config.featureConfig.enabled -}} -{{- if or $config.Values.rbac.pspEnabled (eq (include "get.platform" $config) "openshift") -}} +{{- if or $config.Values.rbac.pspEnabled (contains "openshift" (include "get.platform" $config)) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/secret-metrics-output.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/secret-metrics-output.yaml deleted file mode 100644 index 985f1264..00000000 --- a/checkpoint/cloudguard/templates/imagescan/daemon/secret-metrics-output.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "imagescan.daemon.config" .) -}} -{{ template "metrics-output.secret" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/imagescan/engine/_configmap.yaml b/checkpoint/cloudguard/templates/imagescan/engine/_configmap.yaml index a5def268..afbf5b3f 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/_configmap.yaml +++ b/checkpoint/cloudguard/templates/imagescan/engine/_configmap.yaml @@ -2,11 +2,11 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "agent.resource.name" .config }} + name: {{ template "imagescan.engineAndList.commonResource.name" .config }} namespace: {{ .config.Release.Namespace }} labels: {{ include "common.labels.with.chart" .config | indent 4 }} data: - {{ include "agent.full.name" .config }}.crt: | + {{ include "imagescan.engineAndList.commonFull.name" .config }}.crt: | {{ .crt | b64dec | indent 4 }} {{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl b/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl index a6e50d47..bb0ffe16 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl +++ b/checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl @@ -30,4 +30,4 @@ resources: memory: {{ .agentConfig.resources.limits.memory }} {{- end }} {{- end -}} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/engine/_secret.yaml b/checkpoint/cloudguard/templates/imagescan/engine/_secret.yaml index 708202ec..17b561b6 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/_secret.yaml 
+++ b/checkpoint/cloudguard/templates/imagescan/engine/_secret.yaml @@ -2,11 +2,11 @@ apiVersion: v1 kind: Secret metadata: - name: {{ template "agent.resource.name" .config }} + name: {{ template "imagescan.engineAndList.commonResource.name" .config }} namespace: {{ .config.Release.Namespace }} labels: {{ include "common.labels.with.chart" .config | indent 4 }} type: Opaque data: - {{ include "agent.full.name" .config }}.key: {{ .key }} + {{ include "imagescan.engineAndList.commonFull.name" .config }}.key: {{ .key }} {{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/engine/configmap-metrics.yaml b/checkpoint/cloudguard/templates/imagescan/engine/configmap-metrics.yaml deleted file mode 100644 index dd3cead0..00000000 --- a/checkpoint/cloudguard/templates/imagescan/engine/configmap-metrics.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "imagescan.engine.config" .) -}} -{{ template "telemetry.configmap" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml b/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml index 51c6dc26..9dc87992 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml +++ b/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml @@ -13,7 +13,7 @@ spec: selector: matchLabels: {{ include "common.labels" $config | indent 6 }} - replicas: 1 + replicas: {{ $config.agentConfig.replicaCount }} template: metadata: annotations: @@ -25,7 +25,6 @@ spec: spec: {{ include "common.pod.properties" $config | indent 6 }} containers: -{{ include "telemetry.container" $config | indent 6 }} # Main container - name: {{ $config.agentName }} image: {{ template "agent.main.image" $config }} 
@@ -43,12 +42,10 @@ spec: mountPath: /etc/clientcert - name: clientkey-volume mountPath: /etc/clientkey - - name: metrics - mountPath: /metric - - name: metrics-tail - mountPath: /metric-tail command: ["/central_agent"] env: + - name: REGISTRY_AGENT_MODE + value: "scan" - name: NODE_AGENT_SELECTOR value: app.kubernetes.io/name={{ template "imagescan.daemon.resource.name" . }} {{- /* TODO: investigate why $config instead of "." fails */}} @@ -76,9 +73,8 @@ spec: {{- /* TODO: investigate why $config instead of "." fails */}} - name: clientcert-volume configMap: - name: {{ template "agent.resource.name" $config }} + name: {{ template "imagescan.engineAndList.commonResource.name" $config }} - name: clientkey-volume secret: - secretName: {{ template "agent.resource.name" $config }} -{{ include "fluentbit-metrics.volumes" $config | indent 6 }} + secretName: {{ template "imagescan.engineAndList.commonResource.name" $config }} {{- end -}} diff --git a/checkpoint/cloudguard/templates/imagescan/engine/rbac.yaml b/checkpoint/cloudguard/templates/imagescan/engine/rbac.yaml new file mode 100644 index 00000000..fc808adf --- /dev/null +++ b/checkpoint/cloudguard/templates/imagescan/engine/rbac.yaml @@ -0,0 +1,8 @@ +{{- $config := fromYaml (include "imagescan.engine.config" .) -}} +{{- if $config.featureConfig.enabled -}} +{{ template "imagescan.engine-list.role" dict "config" $config }} +--- +{{ template "imagescan.engine-list.podsecuritypolicy" dict "config" $config }} +--- +{{ template "imagescan.engine-list.rolebinding" dict "config" $config }} +{{- end -}} diff --git a/checkpoint/cloudguard/templates/imagescan/engine/secret-metrics-output.yaml b/checkpoint/cloudguard/templates/imagescan/engine/secret-metrics-output.yaml deleted file mode 100644 index cbcd68d9..00000000 --- a/checkpoint/cloudguard/templates/imagescan/engine/secret-metrics-output.yaml +++ /dev/null 
@@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "imagescan.engine.config" .) -}} -{{ template "metrics-output.secret" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/imagescan/engine/serviceaccount.yaml b/checkpoint/cloudguard/templates/imagescan/engine/serviceaccount.yaml index 556be14b..ad2abb92 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/serviceaccount.yaml +++ b/checkpoint/cloudguard/templates/imagescan/engine/serviceaccount.yaml @@ -1,10 +1,7 @@ {{- $config := fromYaml (include "imagescan.engine.config" .) -}} -{{- if and $config.featureConfig.enabled (not $config.agentConfig.serviceAccountName) -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "agent.resource.name" $config }} - namespace: {{ .Release.Namespace }} - labels: -{{ include "common.labels.with.chart" $config | indent 4 }} -{{- end -}} \ No newline at end of file +{{- if $config.featureConfig.enabled -}} +{{ template "imagescan.engine-list.serviceaccount" dict "config" $config }} +{{- end -}} + + + diff --git a/checkpoint/cloudguard/templates/imagescan/engine/podsecuritypolicy.yaml b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_podsecuritypolicy.yaml similarity index 87% rename from checkpoint/cloudguard/templates/imagescan/engine/podsecuritypolicy.yaml rename to checkpoint/cloudguard/templates/imagescan/engine_list_common/_podsecuritypolicy.yaml index d5119a64..0339b836 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/podsecuritypolicy.yaml +++ b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_podsecuritypolicy.yaml 
@@ -1,11 +1,12 @@ -{{- $config := fromYaml (include "imagescan.engine.config" .) -}} +{{- define "imagescan.engine-list.podsecuritypolicy" -}} +{{- $config := .config -}} {{- if $config.featureConfig.enabled -}} {{- if $config.Values.rbac.pspEnabled -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ template "agent.resource.name" $config }} - namespace: {{ .Release.Namespace }} + namespace: {{ .config.Release.Namespace }} labels: {{ include "common.labels.with.chart" $config | indent 4 }} annotations: @@ -19,7 +20,6 @@ spec: volumes: - 'secret' - 'configMap' - - 'emptyDir' hostNetwork: false hostIPC: false hostPID: false @@ -42,4 +42,5 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} +{{- end -}} diff --git a/checkpoint/cloudguard/templates/imagescan/engine/role.yaml b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_role.yaml similarity index 80% rename from checkpoint/cloudguard/templates/imagescan/engine/role.yaml rename to checkpoint/cloudguard/templates/imagescan/engine_list_common/_role.yaml index 3719d6b9..4668f719 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/role.yaml +++ b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_role.yaml @@ -1,10 +1,11 @@ -{{- $config := fromYaml (include "imagescan.engine.config" .) -}} +{{- define "imagescan.engine-list.role" -}} +{{- $config := .config -}} {{- if $config.featureConfig.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "agent.resource.name" $config }} - namespace: {{ .Release.Namespace }} + namespace: {{ .config.Release.Namespace }} labels: {{ include "common.labels.with.chart" $config | indent 4 }} rules: @@ -18,4 +19,5 @@ rules: resourceNames: - {{ template "agent.resource.name" $config }} {{- end -}} +{{- end -}} {{- end -}} \ No newline at end of file 
diff --git a/checkpoint/cloudguard/templates/imagescan/engine/rolebinding.yaml b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_rolebinding.yaml similarity index 71% rename from checkpoint/cloudguard/templates/imagescan/engine/rolebinding.yaml rename to checkpoint/cloudguard/templates/imagescan/engine_list_common/_rolebinding.yaml index 4707bea0..5f044daa 100644 --- a/checkpoint/cloudguard/templates/imagescan/engine/rolebinding.yaml +++ b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_rolebinding.yaml @@ -1,10 +1,11 @@ -{{- $config := fromYaml (include "imagescan.engine.config" .) -}} +{{- define "imagescan.engine-list.rolebinding" -}} +{{- $config := .config -}} {{- if $config.featureConfig.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "agent.resource.name" $config }} - namespace: {{ .Release.Namespace }} + namespace: {{ .config.Release.Namespace }} labels: {{ include "common.labels.with.chart" $config | indent 4 }} roleRef: @@ -14,5 +15,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "agent.service.account.name" $config }} - namespace: {{ .Release.Namespace }} + namespace: {{ .config.Release.Namespace }} +{{- end -}} {{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/engine_list_common/_serviceaccount.yaml b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_serviceaccount.yaml new file mode 100644 index 00000000..7eea1a8d --- /dev/null +++ b/checkpoint/cloudguard/templates/imagescan/engine_list_common/_serviceaccount.yaml 
@@ -0,0 +1,12 @@ +{{- define "imagescan.engine-list.serviceaccount" -}} +{{- $config := .config -}} +{{- if and $config.featureConfig.enabled (not $config.agentConfig.serviceAccountName) -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "agent.resource.name" $config }} + namespace: {{ .config.Release.Namespace }} + labels: +{{ include "common.labels.with.chart" $config | indent 4 }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/list/_helpers.tpl b/checkpoint/cloudguard/templates/imagescan/list/_helpers.tpl new file mode 100644 index 00000000..36e01c1e --- /dev/null +++ b/checkpoint/cloudguard/templates/imagescan/list/_helpers.tpl @@ -0,0 +1,11 @@ +{{- define "imagescan.list.config" -}} +{{- $config := (include "get.root" .) | fromYaml }} +{{- $_ := set $config "featureName" "imagescan" }} +{{- $_ := set $config "agentName" "list" }} +{{- $_ := set $config "featureConfig" $config.Values.addons.imageScan }} +{{- $_ := set $config "agentConfig" $config.Values.addons.imageScan.list }} +{{- if $config.featureConfig.enabled }} +{{- $_ := set $config "containerRuntime" (include "get.container.runtime" .) }} +{{- end }} +{{- $config | toYaml -}} +{{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml b/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml new file mode 100644 index 00000000..d42ac9e9 --- /dev/null +++ b/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml 
@@ -0,0 +1,78 @@ +{{- $config := fromYaml (include "imagescan.list.config" .) -}} +{{- if $config.featureConfig.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "agent.resource.name" $config }} + namespace: {{ .Release.Namespace }} + annotations: + agentVersion: {{ $config.agentConfig.tag }} + labels: +{{ include "common.labels.with.chart" $config | indent 4 }} + imagescan-agent-type: list +spec: + selector: + matchLabels: +{{ include "common.labels" $config | indent 6 }} + imagescan-agent-type: list + replicas: 1 + template: + metadata: + annotations: +{{ include "common.pod.annotations" $config | indent 8 }} + # adding it so workload will be restarted to be updated with certificates that were re-generated + timestamp: {{ now | quote }} + labels: +{{ include "common.labels" $config | indent 8 }} + imagescan-agent-type: list + spec: +{{ include "common.pod.properties" $config | indent 6 }} + containers: + # Main container + - name: {{ $config.agentName }} + image: {{ template "agent.main.image" $config }} + imagePullPolicy: {{ $config.Values.imagePullPolicy }} +{{- if $config.agentConfig.resources }} + resources: +{{ toYaml $config.agentConfig.resources | indent 10 }} +{{- end }} + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + volumeMounts: + - name: secret-volume + mountPath: /etc/secret-volume + - name: servercert-volume + mountPath: /etc/servercert + - name: clientcert-volume + mountPath: /etc/clientcert + - name: clientkey-volume + mountPath: /etc/clientkey + command: ["/central_agent"] + env: + - name: REGISTRY_AGENT_MODE + value: "list" + - name: NODE_AGENT_SELECTOR + value: app.kubernetes.io/name={{ template "imagescan.daemon.resource.name" . }} + {{- /* TODO: investigate why $config instead of "." fails */}} + - name: RELEASE_NAME + value: {{ .Release.Name }} + - name: CLOUDGUARD_REGION + value: {{ include "dome9.subdomain" $config | default "us" }} +{{- /* TODO: move user env. 
variables to the end for all agents */}} +{{ include "common.env" $config | indent 8 }} + volumes: + - name: secret-volume + secret: + secretName: {{ .Release.Name }}-cp-cloudguard-creds + - name: servercert-volume + configMap: + name: {{ template "imagescan.daemon.resource.name" . }} + {{- /* TODO: investigate why $config instead of "." fails */}} + - name: clientcert-volume + configMap: + name: {{ template "imagescan.engineAndList.commonResource.name" $config }} + - name: clientkey-volume + secret: + secretName: {{ template "imagescan.engineAndList.commonResource.name" $config }} +{{- end -}} \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/imagescan/list/rbac.yaml b/checkpoint/cloudguard/templates/imagescan/list/rbac.yaml new file mode 100644 index 00000000..a716be9a --- /dev/null +++ b/checkpoint/cloudguard/templates/imagescan/list/rbac.yaml @@ -0,0 +1,8 @@ +{{- $config := fromYaml (include "imagescan.list.config" .) -}} +{{- if $config.featureConfig.enabled -}} +{{ template "imagescan.engine-list.role" dict "config" $config }} +--- +{{ template "imagescan.engine-list.podsecuritypolicy" dict "config" $config }} +--- +{{ template "imagescan.engine-list.rolebinding" dict "config" $config }} +{{- end -}} diff --git a/checkpoint/cloudguard/templates/imagescan/list/serviceaccount.yaml b/checkpoint/cloudguard/templates/imagescan/list/serviceaccount.yaml new file mode 100644 index 00000000..22f9ff21 --- /dev/null +++ b/checkpoint/cloudguard/templates/imagescan/list/serviceaccount.yaml @@ -0,0 +1,7 @@ +{{- $config := fromYaml (include "imagescan.list.config" .) -}} +{{- if $config.featureConfig.enabled -}} +{{ template "imagescan.engine-list.serviceaccount" dict "config" $config }} +{{- end -}} + + + diff --git a/checkpoint/cloudguard/templates/inventory/agent/clusterrole.yaml b/checkpoint/cloudguard/templates/inventory/agent/clusterrole.yaml index d74d441b..7c78c057 100644 --- a/checkpoint/cloudguard/templates/inventory/agent/clusterrole.yaml 
+++ b/checkpoint/cloudguard/templates/inventory/agent/clusterrole.yaml @@ -35,7 +35,8 @@ rules: resources: [ "cronjobs" ] verbs: [ "list", "get" ] -{{- if eq (include "is.openshift.v4" $config) "openshift"}} +{{- if eq "openshift" (include "get.platform" $config)}} + - apiGroups: [ "config.openshift.io" ] resources: [ "clusteroperators" ] resourceNames: [ "openshift-apiserver" ] diff --git a/checkpoint/cloudguard/templates/inventory/agent/configmap-metrics.yaml b/checkpoint/cloudguard/templates/inventory/agent/configmap-metrics.yaml deleted file mode 100644 index ce45d331..00000000 --- a/checkpoint/cloudguard/templates/inventory/agent/configmap-metrics.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "inventory.agent.config" .) -}} -{{ template "telemetry.configmap" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml b/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml index 75553c5a..51248790 100644 --- a/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml +++ b/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml @@ -22,7 +22,6 @@ spec: spec: {{ include "common.pod.properties" $config | indent 6 }} containers: -{{ include "telemetry.container" $config | indent 6 }} # Main container - name: {{ $config.agentName }} image: {{ template "agent.main.image" $config }} @@ -30,10 +29,6 @@ spec: volumeMounts: - name: secret-volume mountPath: /etc/secret-volume - - name: metrics - mountPath: /metric - - name: metrics-tail - mountPath: /metric-tail command: ["/inventory"] {{- if $config.agentConfig.resources }} resources: 
@@ -43,9 +38,7 @@ spec: runAsNonRoot: true allowPrivilegeEscalation: false env: -{{ include "common.env" $config | indent 8 }} - - name: PLATFORM - value: {{ include "is.openshift.v4" . | quote }} +{{ include "common.env" $config | indent 8 }} {{- if and (has "extensions/v1beta1/Ingress" .Capabilities.APIVersions) (not (has "networking.k8s.io/v1/Ingress" .Capabilities.APIVersions)) }} - name: USE_INGRESS_BETA value: "true" @@ -53,5 +46,4 @@ spec: volumes: - name: secret-volume secret: - secretName: {{ .Release.Name }}-cp-cloudguard-creds -{{ include "fluentbit-metrics.volumes" $config | indent 6 }} \ No newline at end of file + secretName: {{ .Release.Name }}-cp-cloudguard-creds \ No newline at end of file diff --git a/checkpoint/cloudguard/templates/inventory/agent/openshift-rolebindings.yaml b/checkpoint/cloudguard/templates/inventory/agent/openshift-rolebindings.yaml index fc02adb7..3ae76e20 100644 --- a/checkpoint/cloudguard/templates/inventory/agent/openshift-rolebindings.yaml +++ b/checkpoint/cloudguard/templates/inventory/agent/openshift-rolebindings.yaml @@ -1,5 +1,5 @@ {{- $config := fromYaml (include "inventory.agent.config" .) -}} -{{- if eq (include "is.openshift.v4" $config) "openshift"}} +{{- if eq "openshift" (include "get.platform" $config) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/checkpoint/cloudguard/templates/inventory/agent/openshift-roles.yaml b/checkpoint/cloudguard/templates/inventory/agent/openshift-roles.yaml index 0b070300..4aee87f6 100644 --- a/checkpoint/cloudguard/templates/inventory/agent/openshift-roles.yaml +++ b/checkpoint/cloudguard/templates/inventory/agent/openshift-roles.yaml @@ -1,5 +1,5 @@ {{- $config := fromYaml (include "inventory.agent.config" .) -}} -{{- if eq (include "is.openshift.v4" $config) "openshift"}} +{{- if eq "openshift" (include "get.platform" $config)}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
diff --git a/checkpoint/cloudguard/templates/inventory/agent/podsecuritypolicy.yaml b/checkpoint/cloudguard/templates/inventory/agent/podsecuritypolicy.yaml index 18e01fcf..620d55cd 100644 --- a/checkpoint/cloudguard/templates/inventory/agent/podsecuritypolicy.yaml +++ b/checkpoint/cloudguard/templates/inventory/agent/podsecuritypolicy.yaml @@ -17,7 +17,6 @@ spec: requiredDropCapabilities: - ALL volumes: - - 'emptyDir' - 'secret' - 'configMap' hostNetwork: false diff --git a/checkpoint/cloudguard/templates/inventory/agent/secret-metrics-output.yaml b/checkpoint/cloudguard/templates/inventory/agent/secret-metrics-output.yaml deleted file mode 100644 index d67b6c17..00000000 --- a/checkpoint/cloudguard/templates/inventory/agent/secret-metrics-output.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "inventory.agent.config" .) -}} -{{ template "metrics-output.secret" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/runtime/daemon/99-master-kernel-devel.yaml b/checkpoint/cloudguard/templates/runtime/daemon/99-master-kernel-devel.yaml index 87553e68..99d4bb20 100644 --- a/checkpoint/cloudguard/templates/runtime/daemon/99-master-kernel-devel.yaml +++ b/checkpoint/cloudguard/templates/runtime/daemon/99-master-kernel-devel.yaml @@ -1,6 +1,6 @@ {{- $config := fromYaml (include "runtime.daemon.config" .) -}} {{- if $config.featureConfig.enabled -}} -{{- if eq (include "get.platform" $config) "openshift" }} +{{- if contains "openshift" (include "get.platform" $config) }} apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: diff --git a/checkpoint/cloudguard/templates/runtime/daemon/99-worker-kernel-devel.yaml b/checkpoint/cloudguard/templates/runtime/daemon/99-worker-kernel-devel.yaml index 7487047c..df0365f2 100644 --- a/checkpoint/cloudguard/templates/runtime/daemon/99-worker-kernel-devel.yaml +++ b/checkpoint/cloudguard/templates/runtime/daemon/99-worker-kernel-devel.yaml 
@@ -1,6 +1,6 @@ {{- $config := fromYaml (include "runtime.daemon.config" .) -}} {{- if $config.featureConfig.enabled -}} -{{- if eq (include "get.platform" $config) "openshift" }} +{{- if contains "openshift" (include "get.platform" $config) }} apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: diff --git a/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml index 41f12765..f70f9132 100644 --- a/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml +++ b/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml @@ -23,6 +23,9 @@ spec: spec: {{ include "common.pod.properties" $config | indent 6 }} hostNetwork: true # needed for DNS request listener + {{- if eq (include "get.platform" $config) "eks.bottlerocket" }} + hostPID: true + {{- end }} initContainers: # probe (sysdig) - {{ $containerConfig := merge $config (dict "containerName" "probe") -}} @@ -39,13 +42,16 @@ spec: value: "/sysdig" - name: SYSDIG_BPF_PROBE value: "" - {{- if eq (include "get.platform" $config) "openshift" }} + {{- if contains "openshift" (include "get.platform" $config) }} - name: SYSDIG_WAIT_FOR_KERNEL_SOURCE_TIMEOUT # given in seconds value: "1800" {{- end }} {{- end }} securityContext: - {{- if or (not $config.featureConfig.BPF) (eq (include "get.platform" $config) "openshift") }} + {{- if eq (include "get.platform" $config) "eks.bottlerocket" }} + privileged: true + runAsUser: 0 + {{- else if or (not $config.featureConfig.BPF) (contains "openshift" (include "get.platform" $config)) }} privileged: true {{- else }} runAsUser: 0 
@@ -143,18 +149,18 @@ spec: value: {{ include "get.container.runtime" . }} {{- if $config.featureConfig.BPF }} - name: SYSDIG_BPF_PROBE - value: "/sysdig/.sysdig/sysdig-probe-bpf.o" + value: "/sysdig/.scap/scap-bpf.o" {{- end }} - name: SBA_USE_NETFILTER_QUEUE value: "1" securityContext: - {{- if or (not $config.featureConfig.BPF) (eq (include "get.platform" $config) "openshift") }} + {{- if or (not $config.featureConfig.BPF) (contains "openshift" (include "get.platform" $config)) }} privileged: true {{- else }} runAsUser: 0 capabilities: add: ["SYS_RESOURCE", "SYS_ADMIN", "SYS_NICE", "SYS_PTRACE", "FOWNER", "SYS_PACCT", "NET_ADMIN", "NET_RAW"] - {{- end }} + {{- end }} volumeMounts: - name: rp4c-alerts mountPath: /rp4c/alerts @@ -245,7 +251,7 @@ spec: {{- if eq $config.containerRuntime "containerd" }} - name: containerd-sock hostPath: - path: /run/containerd/containerd.sock + path: {{ include "containerd.sock.path" $config }} type: Socket {{- end }} {{- if eq $config.containerRuntime "cri-o" }} diff --git a/checkpoint/cloudguard/templates/runtime/daemon/role.yaml b/checkpoint/cloudguard/templates/runtime/daemon/role.yaml index ae877f6f..71632369 100644 --- a/checkpoint/cloudguard/templates/runtime/daemon/role.yaml +++ b/checkpoint/cloudguard/templates/runtime/daemon/role.yaml @@ -18,7 +18,7 @@ rules: resourceNames: - {{ template "agent.resource.name" $config }} {{- end -}} -{{- if eq (include "get.platform" $config) "openshift" }} +{{- if contains "openshift" (include "get.platform" $config) }} - apiGroups: - security.openshift.io resourceNames: diff --git a/checkpoint/cloudguard/templates/runtime/policy/configmap-metrics.yaml b/checkpoint/cloudguard/templates/runtime/policy/configmap-metrics.yaml deleted file mode 100644 index de4ba8ab..00000000 --- a/checkpoint/cloudguard/templates/runtime/policy/configmap-metrics.yaml +++ /dev/null 
@@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "runtime.policy.config" .) -}} -{{ template "telemetry.configmap" dict "config" $config }} diff --git a/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml b/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml index fc42f02f..c60318a8 100644 --- a/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml +++ b/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml @@ -23,7 +23,6 @@ spec: spec: {{ include "common.pod.properties" $config | indent 6 }} containers: -{{ include "telemetry.container" $config | indent 6 }} # Main container - name: {{ $config.agentName }} image: {{ template "agent.main.image" $config }} @@ -31,10 +30,6 @@ spec: volumeMounts: - name: secret-volume mountPath: /etc/secret-volume - - name: metrics - mountPath: /metric - - name: metrics-tail - mountPath: /metric-tail command: ["/runtime-policy"] {{- if $config.agentConfig.resources }} resources: @@ -49,5 +44,4 @@ spec: - name: secret-volume secret: secretName: {{ .Release.Name }}-cp-cloudguard-creds -{{ include "fluentbit-metrics.volumes" $config | indent 6 }} {{- end }} diff --git a/checkpoint/cloudguard/templates/runtime/policy/secret-metrics-output.yaml b/checkpoint/cloudguard/templates/runtime/policy/secret-metrics-output.yaml deleted file mode 100644 index 2f036ae4..00000000 --- a/checkpoint/cloudguard/templates/runtime/policy/secret-metrics-output.yaml +++ /dev/null @@ -1,2 +0,0 @@ -{{- $config := fromYaml (include "runtime.policy.config" .) -}} -{{ template "metrics-output.secret" dict "config" $config }} diff --git a/repository/cloudguard-2.13.0.tgz b/repository/cloudguard-2.13.0.tgz new file mode 100644 index 00000000..34db74f5 Binary files /dev/null and b/repository/cloudguard-2.13.0.tgz differ diff --git a/repository/index.yaml b/repository/index.yaml index fe4411a9..095477db 100644 --- a/repository/index.yaml +++ b/repository/index.yaml 
@@ -1,9 +1,36 @@ apiVersion: v1 entries: cloudguard: + - apiVersion: v2 + appVersion: 2.13.0 + created: "2022-07-10T17:02:56.9814888+03:00" + description: A Helm chart for Check Point CloudGuard Workload Security + digest: 3a5d459726cf07b6bd4ffdbb8d2c1398c64f6ebf683607b6ee20b55317641e8c + home: https://portal.checkpoint.com + icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png + keywords: + - check point + - cloudguard + - workload security + - inventory + - posture management + - vulnerability assessment + - image assurance + - flow logs + - threat intelligence + - admission control + - runtime protection + - registry scan + - acr + - ecr + - ecs + name: cloudguard + urls: + - https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/cloudguard-2.13.0.tgz + version: 2.13.0 - apiVersion: v2 appVersion: 2.11.1 - created: "2022-04-26T16:23:38.6666346+03:00" + created: "2022-07-10T17:02:56.9776609+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: a82065c05b0d37f94465afb5d817381012467884777ea72e8532fe7d3d82c191 home: https://portal.checkpoint.com @@ -28,7 +55,7 @@ entries: version: 2.11.1 - apiVersion: v2 appVersion: 2.10.2 - created: "2022-04-26T16:23:38.6606353+03:00" + created: "2022-07-10T17:02:56.9754689+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: a6a6319c0d0d3f2f2e82aab3b4816be230ccec6a09a8f5c5f12dd4c1b62c0c7b home: https://portal.checkpoint.com @@ -53,7 +80,7 @@ entries: version: 2.10.2 - apiVersion: v2 appVersion: 2.10.1 - created: "2022-04-26T16:23:38.6586378+03:00" + created: "2022-07-10T17:02:56.9719126+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 2cdae3abc9f2988a1fb426707f24ec0f459ddb7b8b780b6e8c2ab9ba6308d083 home: https://portal.checkpoint.com 
@@ -78,7 +105,7 @@ entries: version: 2.10.1 - apiVersion: v2 appVersion: 2.10.0 - created: "2022-04-26T16:23:38.6566377+03:00" + created: "2022-07-10T17:02:56.96972+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 6360f519190507ee4f004a47e395416b514da4815b0f8f32ba52704b81da87c4 home: https://portal.checkpoint.com @@ -103,7 +130,7 @@ entries: version: 2.10.0 - apiVersion: v2 appVersion: 2.9.0 - created: "2022-04-26T16:23:38.6896685+03:00" + created: "2022-07-10T17:02:57.009243+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 0aa40700951df79c8eb3ba5fff812eeb608f1a1b5e77d6cdd5fb855b19579314 home: https://portal.checkpoint.com @@ -128,7 +155,7 @@ entries: version: 2.9.0 - apiVersion: v2 appVersion: 2.8.1 - created: "2022-04-26T16:23:38.6876339+03:00" + created: "2022-07-10T17:02:57.0062154+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: b3c53cf2771aeee0e46f97b71be765da2a762c6fc042d89c12a5f3ae8b436e82 home: https://portal.checkpoint.com @@ -153,7 +180,7 @@ entries: version: 2.8.1 - apiVersion: v2 appVersion: 2.8.0 - created: "2022-04-26T16:23:38.6856591+03:00" + created: "2022-07-10T17:02:57.0004702+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 2335d07e6aea36d4ac4c899566d45ea77c1c362684b07dbf18ed9069fa612b06 home: https://portal.checkpoint.com @@ -178,7 +205,7 @@ entries: version: 2.8.0 - apiVersion: v2 appVersion: 2.5.2 - created: "2022-04-26T16:23:38.6836586+03:00" + created: "2022-07-10T17:02:57.0004702+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: d070425b0eea904623b5ffa76094c4cea6e0fac63463245f6f62f3e964ff6294 home: https://portal.checkpoint.com 
@@ -201,7 +228,7 @@ entries: version: 2.5.2 - apiVersion: v2 appVersion: 2.5.1 - created: "2022-04-26T16:23:38.6826351+03:00" + created: "2022-07-10T17:02:56.9939533+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 85b711c72dc3f8ba29fe9552b3bff97bf88a2ad8fc882c9df03e693caaf05dfe home: https://portal.checkpoint.com @@ -224,7 +251,7 @@ entries: version: 2.5.1 - apiVersion: v2 appVersion: 2.5.0 - created: "2022-04-26T16:23:38.6806355+03:00" + created: "2022-07-10T17:02:56.9939533+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 6528eb362aa01300ca43c695759df035b7d8657930ccc9472272cf55d76ef3ed home: https://portal.checkpoint.com @@ -247,7 +274,7 @@ entries: version: 2.5.0 - apiVersion: v2 appVersion: 2.4.0 - created: "2022-04-26T16:23:38.6776637+03:00" + created: "2022-07-10T17:02:56.9939533+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 766b3224138ad56b9825e52aa1c3a1d14d9fb37e0aa2ce4a962bb5846fb4eb44 home: https://portal.checkpoint.com @@ -270,7 +297,7 @@ entries: version: 2.4.0 - apiVersion: v2 appVersion: 2.3.5 - created: "2022-04-26T16:23:38.6756353+03:00" + created: "2022-07-10T17:02:56.9884092+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 47195d99813fa84d1ff3b552dabc067183f354d4353a3c55bea8b4bf053750af home: https://secure.dome9.com/v2/ @@ -296,7 +323,7 @@ entries: version: 2.3.5 - apiVersion: v2 appVersion: 2.3.3 - created: "2022-04-26T16:23:38.6746634+03:00" + created: "2022-07-10T17:02:56.9884092+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 7e8ecac90cc603f7e83507358b67647ebffbee078ce5c79e2d25bad4be69d78a home: https://secure.dome9.com/v2/ 
@@ -322,7 +349,7 @@ entries: version: 2.3.3 - apiVersion: v2 appVersion: 2.3.2 - created: "2022-04-26T16:23:38.6726643+03:00" + created: "2022-07-10T17:02:56.9884092+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 81a7be75584877e4373be4fd2ef1dd11d111cc4d9964007c40ea610dc652a4d1 home: https://secure.dome9.com/v2/ @@ -348,7 +375,7 @@ entries: version: 2.3.2 - apiVersion: v2 appVersion: 2.3.1 - created: "2022-04-26T16:23:38.6706644+03:00" + created: "2022-07-10T17:02:56.9851786+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 91fbc7b612a6cf21abe69e40ac3b8459cb8eb46ebe4245a1c583b99515c9e5a4 home: https://secure.dome9.com/v2/ @@ -374,7 +401,7 @@ entries: version: 2.3.1 - apiVersion: v2 appVersion: 2.3.0 - created: "2022-04-26T16:23:38.6686712+03:00" + created: "2022-07-10T17:02:56.9836319+03:00" description: A Helm chart for Check Point CloudGuard Workload Security digest: 8be89cebf15b52831dab2c86495f61c1e11d8054a37d5dedb33cbedd5f18dcef home: https://secure.dome9.com/v2/ @@ -401,7 +428,7 @@ entries: cp-resource-management: - apiVersion: v1 appVersion: 1.11.0 - created: "2022-04-26T16:23:38.7026601+03:00" + created: "2022-07-10T17:02:57.0232233+03:00" description: A Helm chart for CloudGuard Workload Security digest: 194ba8d8578b0691900d3af3e51e71b5b9a679b9e8e250b9e07559638f1f5bf1 home: https://secure.dome9.com/v2/ @@ -422,7 +449,7 @@ entries: version: 1.11.0 - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.7016646+03:00" + created: "2022-07-10T17:02:57.0222534+03:00" description: A Helm chart for CloudGuard Workload Security digest: a0010f440f43895e2ed1268555663451b0185d3ad1147f7dfad2d5d6026065f4 home: https://secure.dome9.com/v2/ 
@@ -443,7 +470,7 @@ entries: version: 1.09.3 - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.7006351+03:00" + created: "2022-07-10T17:02:57.0212531+03:00" description: A Helm chart for CloudGuard Workload Security digest: 123efdfe387e20ee7b97d537eb85d950c15bcc6814933fdb4ee9214067b4c27b home: https://secure.dome9.com/v2/ @@ -464,7 +491,7 @@ entries: version: 1.09.2 - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.6996636+03:00" + created: "2022-07-10T17:02:57.0192536+03:00" description: A Helm chart for CloudGuard Workload Security digest: 71b7b5c3928d7fc6e1c2625651311763710a50ccb970860da7f0de85c93b58ed home: https://secure.dome9.com/v2/ @@ -486,7 +513,7 @@ entries: version: 1.09.1 - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.6986344+03:00" + created: "2022-07-10T17:02:57.0182235+03:00" description: A Helm chart for CloudGuard Workload Security digest: 5e976c6fb56ed34ea76a60c71bce292a6769f885d0ddb80464b532a03c9c4b29 home: https://secure.dome9.com/v2/ @@ -508,7 +535,7 @@ entries: version: 1.09.0 - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.6966338+03:00" + created: "2022-07-10T17:02:57.0172375+03:00" description: A Helm chart for CloudGuard Workload Security digest: 5e616877265d618bfd075fd1df8a58b9b929c0332cc61f6a28ac64f676566503 home: https://secure.dome9.com/v2/ @@ -530,7 +557,7 @@ entries: version: 1.07.1 - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.6956342+03:00" + created: "2022-07-10T17:02:57.015253+03:00" description: A Helm chart for CloudGuard Workload Security digest: 8920c6606a6038ee4ed0b1e201fc28ea094b8a0d564b262435273907d7e65e82 home: https://secure.dome9.com/v2/ 
@@ -552,7 +579,7 @@ entries: version: 1.07.0 - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.6936354+03:00" + created: "2022-07-10T17:02:57.0142236+03:00" description: A Helm chart for Dome9 inventory uploader digest: bebb6e83ed371d2501879219a72540a2e7f45518f32ede0c64f7109b5b443033 home: https://secure.dome9.com/v2/ @@ -571,7 +598,7 @@ entries: version: "1.06" - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.6926353+03:00" + created: "2022-07-10T17:02:57.0132243+03:00" description: A Helm chart for Dome9 inventory uploader digest: ebaf4da8a836f017cb4cbd0012b063e293e3ae805ebddb92ce49d666fe328cf4 home: https://secure.dome9.com/v2/ @@ -590,7 +617,7 @@ entries: version: "1.05" - apiVersion: v1 appVersion: v1.1.0 - created: "2022-04-26T16:23:38.6916635+03:00" + created: "2022-07-10T17:02:57.0112549+03:00" description: A Helm chart for Dome9 inventory uploader digest: 54fa558ffa87cd41617ce2422b643680ff975ae4e76252dd9dc0a6bde483af38 home: https://secure.dome9.com/v2/ @@ -609,7 +636,7 @@ entries: version: "1.03" - apiVersion: v1 appVersion: "1.01" - created: "2022-04-26T16:23:38.6906639+03:00" + created: "2022-07-10T17:02:57.010226+03:00" description: A Helm chart for Dome9 inventory uploader digest: c2514f34c7d80d704d13e7233f660ad55cd56895f671ad68128affe47ada14a5 home: https://secure.dome9.com/v2/ @@ -628,7 +655,7 @@ entries: version: "1.02" - apiVersion: v1 appVersion: "1" - created: "2022-04-26T16:23:38.703663+03:00" + created: "2022-07-10T17:02:57.0252534+03:00" description: A Helm chart for Dome9 inventory uploader digest: ee75a01ae09e8ceec83cda0d16621198ebb2139b87c323966e65ba6ca65024f0 home: https://secure.dome9.com/v2/ @@ -645,4 +672,4 @@ entries: urls: - https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/cp-resource-management-1.tgz version: "1" -generated: "2022-04-26T16:23:38.6546643+03:00" +generated: "2022-07-10T17:02:56.9669625+03:00"
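Review bot: in the runtime daemon hunk, SYSDIG_BPF_PROBE is repointed from /sysdig/.sysdig/sysdig-probe-bpf.o to /sysdig/.scap/scap-bpf.o, but no matching tag bump for the runtime agent image appears anywhere in this diff. If the image referenced by agent.main.image still ships the probe object at the old path, every node with featureConfig.BPF enabled will fail to load the BPF probe and the daemon runs without kernel instrumentation. Confirm the new path against the image actually pulled, and note the probe relocation in the changelog so that anyone pinning an older runtime agent tag knows the two must move together.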
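Review bot: the privileged: true branch of the daemon securityContext now fires on contains "openshift" instead of an exact match, so openshift.v3 (and any future platform string containing that substring) receives a fully privileged container rather than the bounded runAsUser: 0 plus capabilities list ("SYS_RESOURCE", "SYS_ADMIN", "SYS_NICE", "SYS_PTRACE", "FOWNER", "SYS_PACCT", "NET_ADMIN", "NET_RAW") used on other platforms. That is the broader privilege grant, so the template should carry a comment explaining why OpenShift needs privileged even with BPF on, and the platform parameter documentation should state that an openshift* value implies a privileged DaemonSet. Substring matching is also looser than required: the platform values are enumerated, so `or (eq $p "openshift") (eq $p "openshift.v3")` or a named helper makes the intent explicit and cannot be widened by accident.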
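Review bot: the containerd hostPath now comes from include "containerd.sock.path" $config, and the helper's definition is not in this section of the diff. With type: Socket the kubelet refuses to start the pod when the resolved path does not exist on the node, so please confirm the helper covers the platforms that keep the socket outside /run/containerd, and that a wrong resolution surfaces as a clear pod event rather than a silent fallback to the old hard-coded path.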
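Review bot: the SCC rule block in role.yaml switches to the same contains "openshift" test as the daemon securityContext, and the two must stay in lock-step: a platform that gets privileged: true without the security.openshift.io use rule is rejected by SCC admission on OpenShift, and the reverse grants an SCC nobody uses. Factoring the check into one named template (for example is.openshift in _helpers.tpl) would stop the two sites drifting; at minimum add a comment at each site cross-referencing the other.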
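Review bot: the telemetry sidecar, the /metric and /metric-tail mounts, fluentbit-metrics.volumes, configmap-metrics.yaml and secret-metrics-output.yaml are all removed from the runtime policy agent with no explanation in this diff of why or what replaces them, so operators scraping that metrics output lose it silently on upgrade. Please document the removal, and check whether telemetry.container, fluentbit-metrics.volumes, telemetry.configmap and metrics-output.secret are still referenced by other templates; if not, the helper definitions should be dropped as well rather than left as dead code. Helm will delete the now-absent ConfigMap and Secret on upgrade, which is the intended behaviour here but worth stating in the changelog.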
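Review bot: every existing entry in repository/index.yaml has its created timestamp rewritten to 2022-07-10 while the digests and urls are unchanged, which is what helm repo index does when run without --merge; the creation dates then stop reflecting when a chart was actually published and the history in the index becomes meaningless. Regenerate with `helm repo index --merge index.yaml` (or append only the 2.13.0 entry) so that just the new entry and the generated field change. Also verify the new entry's digest against the added cloudguard-2.13.0.tgz with sha256sum, since that digest is what consumers use to detect a replaced or tampered archive.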