2.14.1: admission enforcer unite containers, large inventory etc (#96)
- AC:
enforcer 2.0.0: fluentbit and gsl containers have been removed; resources reduced
policy 1.2.1: update packages
- Image Assurance 2.14.0:
exposed new scan status ‘Unsupported OS’ for Windows images
- Inventory 1.6.1:
fix: handle big collections
- All features:
for helm template use seccompProfile by default instead of annotation
chkp-rigor authored Aug 17, 2022
1 parent 89c6c75 commit 2eeb2d0
Showing 13 changed files with 99 additions and 248 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.13.0
appVersion: 2.14.1
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -20,4 +20,4 @@ keywords:
- ecr
- ecs
name: cloudguard
version: 2.13.0
version: 2.14.1
23 changes: 7 additions & 16 deletions checkpoint/cloudguard/README.md
@@ -133,7 +133,7 @@ The following table list the configurable parameters of this chart and their def
| `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
| `inventory.agent.image` | Specify image for the agent | `checkpoint/consec-inventory-agent` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.6.0` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.6.1` |
| `inventory.agent.serviceAccountName` | Specify custom Service Account for the Inventory agent | `` |
| `inventory.agent.replicaCount` | Number of Inventory agent instances to be deployed | `1` |
| `inventory.agent.env` | Additional environmental variables for Inventory agent | `{}` |
@@ -144,19 +144,19 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.enabled` | Specifies whether the Image Scan addon should be installed | `false` |
| `addons.imageScan.maxImageSizeMb` | Specifies in MiBytes maximal image size to scan, its value + 500MB will be imageScan.engine main container memory limit | `` |
| `addons.imageScan.daemon.image` | Specify image for the agent | `checkpoint/consec-imagescan-daemon` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`2.13.0` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`2.14.0` |
| `addons.imageScan.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.daemon.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.daemon.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.daemon.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.imageScan.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.imageScan.daemon.affinity` | Affinity setting | `{}` |
| `addons.imageScan.daemon.shim.image` | Specify image for the shim container | `checkpoint/consec-imagescan-shim` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.13.0` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.14.0` |
| `addons.imageScan.daemon.shim.env` | Additional environmental variables for the shim container | `{}` |
| `addons.imageScan.daemon.shim.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.engine.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`2.13.0` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`2.14.0` |
| `addons.imageScan.engine.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.engine.replicaCount` | Number of scanning engine instances to be deployed | `1` |
| `addons.imageScan.engine.env` | Additional environmental variables for the agent | `{}` |
@@ -165,7 +165,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.engine.tolerations` | List of node taints to tolerate | `[]` |
| `addons.imageScan.engine.affinity` | Affinity setting | `{}` |
| `addons.imageScan.list.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` |
| `addons.imageScan.list.tag` | Specify image tag for the agent |`2.13.0` |
| `addons.imageScan.list.tag` | Specify image tag for the agent |`2.14.0` |
| `addons.imageScan.list.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.list.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.list.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
@@ -184,29 +184,20 @@ The following table list the configurable parameters of this chart and their def
| `addons.flowLogs.daemon.affinity` | Affinity setting | `{}` |
| `addons.admissionControl.enabled` | Specify whether the Admission Control addon should be installed | `false` |
| `addons.admissionControl.policy.image` | Specify image for the agent | `checkpoint/consec-admission-policy` |
| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.2.0` |
| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.2.1` |
| `addons.admissionControl.policy.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.admissionControl.policy.env` | Additional environmental variables for the agent | `{}` |
| `addons.admissionControl.policy.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.policy.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.admissionControl.policy.tolerations` | List of node taints to tolerate | `[]` |
| `addons.admissionControl.policy.affinity` | Affinity setting | `{}` |
| `addons.admissionControl.policy.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` |
| `addons.admissionControl.policy.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` |
| `addons.admissionControl.policy.fluentbit.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.image` | Specify image for the agent | `checkpoint/consec-admission-enforcer` |
| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`1.5.0` |
| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`2.0.0` |
| `addons.admissionControl.enforcer.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.admissionControl.enforcer.replicaCount` | Number of Inventory agent instances to be deployed | `2` |
| `addons.admissionControl.enforcer.env` | Additional environmental variables for the agent | `{}` |
| `addons.admissionControl.enforcer.failurePolicyIntervalHours`| If the agent is unable to synchronize it's policy, this is the number of hours it will wait before switching to a fail-open policy | `24` |
| `addons.admissionControl.enforcer.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.gsl.image` | Specify image for the agent | `checkpoint/consec-admission-gsl` |
| `addons.admissionControl.enforcer.gsl.tag` | Specify image tag for the agent |`1.3.3` |
| `addons.admissionControl.enforcer.gsl.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` |
| `addons.admissionControl.enforcer.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` |
| `addons.admissionControl.enforcer.fluentbit.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.admissionControl.enforcer.tolerations` | List of node taints to tolerate | `[]` |
| `addons.admissionControl.enforcer.affinity` | Affinity setting | `{}` |
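Review bot: the `addons.admissionControl.enforcer.gsl.*`, `addons.admissionControl.enforcer.fluentbit.*` and `addons.admissionControl.policy.fluentbit.*` rows are removed from the table, but nothing tells existing users that overrides for those keys in their values files are now silently ignored by Helm; add an upgrade note for 2.14.1 saying the sidecars were folded into enforcer 2.0.0 and those keys are no longer read, and state where enforcer logs go now that the fluentbit shipper is gone. Two pre-existing nits in the unchanged rows while you are here: `addons.admissionControl.enforcer.replicaCount` is described as "Number of Inventory agent instances" (copied from the inventory section), and the `failurePolicyIntervalHours` description should read "its policy", not "it's policy".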
51 changes: 11 additions & 40 deletions checkpoint/cloudguard/defaults.yaml
@@ -61,7 +61,7 @@ inventory:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.6.0
tag: 1.6.1

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -99,7 +99,7 @@ addons:

## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 2.13.0
tag: 2.14.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -121,7 +121,7 @@ addons:
shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 2.13.0
tag: 2.14.0

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -153,7 +153,7 @@ addons:
engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.13.0
tag: 2.14.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -182,7 +182,7 @@ addons:
list:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.13.0
tag: 2.14.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -248,7 +248,7 @@ addons:
policy:
## Specify image and tag
image: checkpoint/consec-admission-policy
tag: 1.2.0
tag: 1.2.1

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -275,7 +275,7 @@ addons:
enforcer:
## Specify image and tag
image: checkpoint/consec-admission-enforcer
tag: 1.5.0
tag: 2.0.0

failurePolicyIntervalHours: 24

@@ -291,41 +291,12 @@ addons:
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 200m
memory: 50Mi
cpu: 550m
memory: 150Mi
limits:
cpu: 200m
memory: 100Mi

gsl:
## Specify image and tag
image: checkpoint/consec-admission-gsl
tag: 1.3.3

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 250m
memory: 50Mi
limits:
cpu: 500m
memory: 100Mi
cpu: 650m
memory: 200Mi

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 70Mi
limits:
cpu: 200m
memory: 70Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
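Review bot: the merged enforcer container's request (cpu 550m, memory 150Mi) equals the old cpu sum of the enforcer, gsl and fluentbit requests (200m + 250m + 100m) but sits below the old memory sum (50Mi + 50Mi + 70Mi = 170Mi), and the limits drop from a combined 900m/270Mi to 650m/200Mi; the commit message calls this "resources reduced", so please confirm the figures were measured against the 2.0.0 image under admission load rather than derived by hand, because an enforcer pod that hits its memory limit is OOM-killed and the admission requests it was handling then fall to the webhook's failure policy. If they were measured, a one-line comment above `resources:` stating the basis would save the next bump the same question.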
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/templates/_helpers.tpl
@@ -74,7 +74,7 @@ helm.sh/chart: {{ printf "%s-%s" .Chart.name .Chart.version | replace "+" "_" |
agentVersion: {{ .agentConfig.tag }}
{{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
{{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
{{- if and (not (contains "openshift" (include "get.platform" .))) (or (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) (include "is.helm.template.command" .)) }}
{{- if and (not (contains "openshift" (include "get.platform" .))) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
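Review bot: the comment two lines above the changed condition still says "in case of template we don't know the version so we fall back to annotation", but this change removes exactly that fallback (the `include "is.helm.template.command" .` branch), so the annotation is now emitted only for non-OpenShift clusters reporting a version below 1.19; update the comment to match, otherwise the next reader will assume `helm template` output still carries the seccomp annotation.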
@@ -89,7 +89,7 @@ container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name"
securityContext:
runAsUser: {{ include "cloudguard.nonroot.user" . }}
runAsGroup: {{ include "cloudguard.nonroot.user" . }}
{{- if and (semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version) (not (include "is.helm.template.command" .)) }}
{{- if (semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version) }}
seccompProfile:
{{ toYaml .Values.seccompProfile | indent 4 }}
{{- end }}
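Review bot: dropping the `is.helm.template.command` guard means `helm template` now decides whether to emit `seccompProfile` purely from `.Capabilities.KubeVersion.Version`, which under `helm template` is Helm's built-in default version rather than the target cluster's unless the user passes `--kube-version`; since the commit message makes this the intended default, add a README line telling users who render manifests for a pre-1.19 cluster to pass `--kube-version` so they get the annotation instead of a `securityContext` field that cluster does not understand. Style: the parentheses in `{{- if (semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version) }}` are redundant now that there is a single condition; `{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version }}` reads cleaner and matches the form used in the previous hunk.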

This file was deleted.
