
2.12.0: Bottlerocket support; misc enhancements in Inventory, IA, AC, RP (#90)

- Support AWS BottleRocket OS (auto-detection or via flag '--set platform=eks.bottlerocket')
- Inventory 1.5.0: agent status improvement: missing permissions for Kubernetes API
- Image Assurance 2.12.0: remove fluentbit container
- Admission Control GSL 1.3.3: update packages
- Runtime Protection daemon 0.0.740: bottlerocket support; kernel headers installation prereq
chkp-rigor authored Jun 6, 2022
1 parent f4d7a50 commit 1f32b49
Showing 30 changed files with 292 additions and 282 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.11.1
appVersion: 2.12.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand All @@ -18,4 +18,4 @@ keywords:
- registry scan
- acr
name: cloudguard
version: 2.11.1
version: 2.12.0
16 changes: 8 additions & 8 deletions checkpoint/cloudguard/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -118,12 +118,12 @@ The following table list the configurable parameters of this chart and their def
| `imagePullPolicy` | Image pull policy | `Always` |
| `proxy` | Proxy settings (e.g. http://my-proxy.com:8080) | `{}` |
| `containerRuntime` | Container runtime (docker/containerd/cri-o) overriding auto-detection | `` |
| `platform` | Kubernetes platform (kubernetes/tanzu/openshift) overriding auto-detection | `kubernetes` |
| `platform` | Kubernetes platform (kubernetes/tanzu/openshift/openshift.v3/eks.bottlerocket) overriding auto-detection | `kubernetes` |
| `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` |
| `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
| `inventory.agent.image` | Specify image for the agent | `checkpoint/consec-inventory-agent` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.4.5` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.5.0` |
| `inventory.agent.serviceAccountName` | Specify custom Service Account for the Inventory agent | `` |
| `inventory.agent.replicaCount` | Number of Inventory agent instances to be deployed | `1` |
| `inventory.agent.env` | Additional environmental variables for Inventory agent | `{}` |
Expand All @@ -134,19 +134,19 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.enabled` | Specifies whether the Image Scan addon should be installed | `false` |
| `addons.imageScan.maxImageSizeMb` | Specifies in MiBytes maximal image size to scan, its value + 500MB will be imageScan.engine main container memory limit | `` |
| `addons.imageScan.daemon.image` | Specify image for the agent | `checkpoint/consec-imagescan-daemon` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`2.10.0` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`2.12.0` |
| `addons.imageScan.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.daemon.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.daemon.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.daemon.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.imageScan.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.imageScan.daemon.affinity` | Affinity setting | `{}` |
| `addons.imageScan.daemon.shim.image` | Specify image for the shim container | `checkpoint/consec-imagescan-shim` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.10.0` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.12.0` |
| `addons.imageScan.daemon.shim.env` | Additional environmental variables for the shim container | `{}` |
| `addons.imageScan.daemon.shim.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.engine.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`2.10.0` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`2.12.0` |
| `addons.imageScan.engine.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.engine.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.engine.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
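Review bot: the README hunks for this file only bump image tags, while defaults.yaml in this same commit removes the `fluentbit` sections under `addons.imageScan.daemon` and `addons.imageScan.engine`. If the parameter table documents any `addons.imageScan.daemon.fluentbit.*` or `addons.imageScan.engine.fluentbit.*` rows, they need to be removed here too, otherwise users will set values the chart no longer reads.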
Expand Down Expand Up @@ -183,7 +183,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.admissionControl.enforcer.failurePolicyIntervalHours`| If the agent is unable to synchronize it's policy, this is the number of hours it will wait before switching to a fail-open policy | `24` |
| `addons.admissionControl.enforcer.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.gsl.image` | Specify image for the agent | `checkpoint/consec-admission-gsl` |
| `addons.admissionControl.enforcer.gsl.tag` | Specify image tag for the agent |`1.3.2` |
| `addons.admissionControl.enforcer.gsl.tag` | Specify image tag for the agent |`1.3.3` |
| `addons.admissionControl.enforcer.gsl.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` |
| `addons.admissionControl.enforcer.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` |
Expand All @@ -193,15 +193,15 @@ The following table list the configurable parameters of this chart and their def
| `addons.admissionControl.enforcer.affinity` | Affinity setting | `{}` |
| `addons.runtimeProtection.enabled` | Specifies whether the Runtime Protection addon should be installed | `false` |
| `addons.runtimeProtection.daemon.image` | Specify image for the agent | `checkpoint/consec-runtime-daemon` |
| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.677` |
| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.740` |
| `addons.runtimeProtection.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.runtimeProtection.daemon.env` | Additional environmental variables for the agent | `{}` |
| `addons.runtimeProtection.daemon.resources` | Resources restriction (e.g. CPU, memory) | `requests.cpu: 100m` |
| | | `requests.memory: 250Mi` |
| | | `limits.cpu: 2000m` |
| | | `limits.memory: 1Gi` |
| `addons.runtimeProtection.daemon.probe.image` | Specify image for the agent | `checkpoint/consec-runtime-probe` |
| `addons.runtimeProtection.daemon.probe.tag` | Specify image tag for the agent |`0.27.1-cp-1` |
| `addons.runtimeProtection.daemon.probe.tag` | Specify image tag for the agent |`0.28.0-cp-2` |
| `addons.runtimeProtection.daemon.probe.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.runtimeProtection.daemon.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` |
| `addons.runtimeProtection.daemon.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` |
Expand Down
44 changes: 8 additions & 36 deletions checkpoint/cloudguard/defaults.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ podAnnotations:
proxy: {}

containerRuntime:
platform: kubernetes # kubernetes, openshift or tanzu
platform: kubernetes # kubernetes, openshift, openshift.v3 or tanzu

seccompProfile:
type: RuntimeDefault
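Review bot: the updated comment on `platform:` lists `kubernetes, openshift, openshift.v3 or tanzu` but omits `eks.bottlerocket`, which `validate.platform` accepts and the README row for `platform` already documents. Suggest `platform: kubernetes # kubernetes, openshift, openshift.v3, tanzu or eks.bottlerocket` so the defaults file and the validation list agree.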
Expand All @@ -61,7 +61,7 @@ inventory:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.4.5
tag: 1.5.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -112,7 +112,7 @@ addons:

## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 2.10.0
tag: 2.12.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -134,7 +134,7 @@ addons:
shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 2.10.0
tag: 2.12.0

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down Expand Up @@ -162,25 +162,11 @@ addons:
- operator: Exists
affinity: {}

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi

engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.10.0
tag: 2.12.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -203,21 +189,7 @@ addons:
nodeSelector: {}
tolerations: []
affinity: {}

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 200m
memory: 30Mi


## Flow Logs Add-on
Expand Down Expand Up @@ -344,7 +316,7 @@ addons:
gsl:
## Specify image and tag
image: checkpoint/consec-admission-gsl
tag: 1.3.2
tag: 1.3.3

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down Expand Up @@ -387,7 +359,7 @@ addons:
## Main container settings
## Specify image and tag
image: checkpoint/consec-runtime-daemon
tag: 0.0.677
tag: 0.0.740

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -409,7 +381,7 @@ addons:
probe:
## Specify image and tag
image: checkpoint/consec-runtime-probe
tag: 0.27.1-cp-1
tag: 0.28.0-cp-2

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down
51 changes: 38 additions & 13 deletions checkpoint/cloudguard/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ helm.sh/chart: {{ printf "%s-%s" .Chart.name .Chart.version | replace "+" "_" |
agentVersion: {{ .agentConfig.tag }}
{{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
{{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
{{- if and (ne (include "get.platform" .) "openshift") (or (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) (include "is.helm.template.command" .)) }}
{{- if and (not (contains "openshift" (include "get.platform" .))) (or (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) (include "is.helm.template.command" .)) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
Expand All @@ -85,7 +85,7 @@ container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name"

{{- /* Pod properties commonly used in agents */ -}}
{{- define "common.pod.properties" -}}
{{- if ne (include "get.platform" .) "openshift" }}
{{- if not (contains "openshift" (include "get.platform" .)) }}
securityContext:
runAsUser: {{ include "cloudguard.nonroot.user" . }}
runAsGroup: {{ include "cloudguard.nonroot.user" . }}
Expand Down Expand Up @@ -138,7 +138,8 @@ imagePullSecrets:
valueFrom:
fieldRef:
fieldPath: spec.nodeName

- name: PLATFORM
value: {{ include "get.platform" . }}

{{- template "user.defined.env" . -}}

Expand Down Expand Up @@ -386,23 +387,31 @@ key: {{ $cert.Key | b64enc }}
{{- end -}}

{{- define "get.platform" -}}
{{- if has "security.openshift.io/v1" .Capabilities.APIVersions -}}
{{- if (include "is.helm.template.command" .) -}}
{{- include "validate.platform" . -}}
{{- lower .Values.platform -}}
{{- else if has "config.openshift.io/v1" .Capabilities.APIVersions -}}
openshift
{{- else if has "security.openshift.io/v1" .Capabilities.APIVersions -}}
openshift.v3
{{- else if has "nsx.vmware.com/v1" .Capabilities.APIVersions -}}
tanzu
{{- else -}}
{{- .Values.platform -}}
{{- end -}}
{{- end -}}

{{- define "is.openshift.v4" -}}
{{- if has "config.openshift.io/v1" .Capabilities.APIVersions -}}
openshift
{{- $nodes := lookup "v1" "Node" "" "" -}}
{{/*
nodeInfo.osImage example values:
- "Bottlerocket OS 1.7.2 (aws-k8s-1.21)"
- "Container-Optimized OS from Google"
*/}}
{{- $osImage := (first $nodes.items).status.nodeInfo.osImage }}
{{- if contains "Bottlerocket" $osImage -}}
eks.bottlerocket
{{- else -}}
{{- .Values.platform -}}
{{- include "validate.platform" . -}}
{{- lower .Values.platform -}}
{{- end -}}
{{- end -}}
{{- end -}}


{{/*
use to know if we run from template (which mean wo have no connection to the cluster and cannot check Capabilities/nodes etc.)
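Review bot: `(first $nodes.items).status.nodeInfo.osImage` is evaluated unguarded, but `lookup` returns an empty object when the caller lacks RBAC to list nodes or when running `helm install --dry-run` (the `is.helm.template.command` branch only covers `helm template`); in that case `$nodes.items` is nil and the render fails with a nil-pointer error instead of falling back to `.Values.platform`. Suggest wrapping the check, e.g. `{{- if and $nodes.items (contains "Bottlerocket" (first $nodes.items).status.nodeInfo.osImage) -}}`, so the fallback path is taken. Two smaller points in the same hunk: only the first node is inspected, so a cluster with mixed node groups is classified by whichever node happens to be listed first, and once that node is Bottlerocket the user-supplied `--set platform=...` is ignored because the `.Values.platform` branch is never reached; documenting that the flag only applies when auto-detection does not match, or letting an explicit non-default value win, would match the commit message's "auto-detection or via flag".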
Expand All @@ -414,3 +423,19 @@ openshift
true
{{- end -}}
{{- end -}}

{{- define "containerd.sock.path" -}}
{{- if eq (include "get.platform" .) "eks.bottlerocket" -}}
/run/dockershim.sock
{{- else -}}
/run/containerd/containerd.sock
{{- end -}}
{{- end -}}

{{- define "validate.platform" -}}
{{- if has .Values.platform (list "kubernetes" "tanzu" "openshift" "openshift.v3" "eks.bottlerocket") -}}
{{- else -}}
{{- $err := printf "\n\nERROR: Invalid platform: %s (should be one of: 'kubernetes', 'tanzu', 'openshift', 'openshift.v3', 'eks.bottlerocket')" .Values.platform -}}
{{- fail $err -}}
{{- end -}}
{{- end -}}
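Review bot: `validate.platform` checks `.Values.platform` against the allowed list case-sensitively, but both callers in `get.platform` then emit `lower .Values.platform`; a value such as `OpenShift` is rejected here even though the chart would otherwise accept it after lowercasing. Suggest validating the same value that is used, `{{- if has (lower .Values.platform) (list ...) -}}`, and collapsing the empty `if` branch into `{{- if not (has ...) -}} ... {{- fail $err -}} {{- end -}}`. In `containerd.sock.path`, a one-line comment explaining why the Bottlerocket branch returns `/run/dockershim.sock` (the containerd CRI socket on Bottlerocket lives at that path) would save the next reader from assuming a dockershim dependency.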
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ spec:
imagePullPolicy: {{ $config.Values.imagePullPolicy }}
securityContext:
allowPrivilegeEscalation: false
{{- if ne (include "get.platform" $config) "openshift" }}
{{- if not (contains "openshift" (include "get.platform" $config)) }}
runAsUser: {{ include "cloudguard.nonroot.user" $config }}
runAsGroup: {{ include "cloudguard.nonroot.user" $config }}
{{- end }}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,4 +48,4 @@ spec:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
{{ include "fluentbit-metrics.volumes" $config | indent 6 }}

{{ end }}
{{ end }}
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ spec:
image: {{ template "agent.main.image" $config }}
imagePullPolicy: {{ $config.Values.imagePullPolicy }}
securityContext:
{{- if eq (include "get.platform" $config) "openshift" }}
{{- if contains "openshift" (include "get.platform" $config) }}
privileged: true
{{- else }}
runAsUser: 0
Expand Down
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/templates/flowlogs/daemon/role.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{{- $config := fromYaml (include "flowlogs.daemon.config" .) -}}
{{- if $config.featureConfig.enabled -}}
{{- if or $config.Values.rbac.pspEnabled (eq (include "get.platform" $config) "openshift") -}}
{{- if or $config.Values.rbac.pspEnabled (contains "openshift" (include "get.platform" $config)) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand All @@ -16,7 +16,7 @@ rules:
resourceNames:
- {{ template "agent.resource.name" $config }}
{{- end }}
{{- if eq (include "get.platform" $config) "openshift" }}
{{- if contains "openshift" (include "get.platform" $config) }}
- apiGroups:
- security.openshift.io
resourceNames:
Expand Down