Helm chart update: 2.16.0 (#109)
- Admission Control:
  - enforcer 2.3.0: fix System Event error message of “the agent has suffered a loss of connectivity which lasts for 24 hours”
  - policy 1.2.2: fix

- Runtime Protection:
  - probe 0.28.0-cp-6: support automated installation of kernel headers on EKS, fix installation on OpenShift

- All features:
  - Support Rancher/k3s via manually setting ‘platform’ helm flag
  - Support specifying CloudGuard credentials via a Kubernetes secret
  - Improve concurrency of rolling updates of daemonsets
chkp-rigor authored Nov 27, 2022
1 parent 927ce15 commit 485bd51
Showing 16 changed files with 123 additions and 70 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.15.1
appVersion: 2.16.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -20,4 +20,4 @@ keywords:
- ecr
- ecs
name: cloudguard
version: 2.15.1
version: 2.16.0
15 changes: 8 additions & 7 deletions checkpoint/cloudguard/README.md
@@ -36,7 +36,7 @@ $ helm install my-release checkpoint/cloudguard --set credentials.user=[CloudGua
These are the additional optional flags to enable add-ons:

```bash
$
$
$ --set addons.imageScan.enabled=true
$ --set addons.flowLogs.enabled=true
$ --set addons.admissionControl.enabled=true
@@ -124,8 +124,9 @@ The following table list the configurable parameters of this chart and their def
| ---------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------------------ |
| `clusterID` | Cluster Unique identifier in CloudGuard system | `CHANGEME` |
| `datacenter` | CloudGuard datacenter (usea1, euwe1 apse1, apse2, apso1) | `usea1` |
| `credentials.secret` | CloudGuard APISecret | `CHANGEME` |
| `credentials.user` | CloudGuard APIID | `CHANGEME` |
| `credentials.secret` | CloudGuard APISecret (Note: mandatory unless `credentials.secretName` is specified) | `CHANGEME` |
| `credentials.user` | CloudGuard APIID (Note: mandatory unless `credentials.secretName` is specified) | `CHANGEME` |
| `credentials.secretName` | Name of an existing Kubernetes Secret that contains CloudGuard APIID (data.username) and APISecret (data.secret) | None |
| `rbac.pspEnabled` | Specifies whether PSP resources should be created | `false` |
| `imageRegistry.url` | Image registry | `quay.io` |
| `imageRegistry.authEnabled` | Whether or not Image Registry access is password-protected | `true` |
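Review bot: the new `credentials.secretName` row should also say that the Secret must already exist in the release namespace and that the chart does not inspect it: with `secretName` set the chart only skips rendering its own Secret and mounts the named one, so `credentials.user`/`credentials.secret` are ignored rather than rejected, a Secret that is absent leaves the agent pods stuck at volume mount, and a missing `username` or `secret` key is only noticed by the agent at runtime, never by `helm install`. Suggested wording: "Name of an existing Kubernetes Secret in the release namespace with keys `username` (APIID) and `secret` (APISecret); when set, `credentials.user` and `credentials.secret` are ignored".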
@@ -134,7 +135,7 @@ The following table list the configurable parameters of this chart and their def
| `imagePullPolicy` | Image pull policy | `Always` |
| `proxy` | Proxy settings (e.g. http://my-proxy.com:8080) | `{}` |
| `containerRuntime` | Container runtime (docker/containerd/cri-o) overriding auto-detection | `` |
| `platform` | Kubernetes platform (kubernetes/tanzu/openshift/openshift.v3/eks.bottlerocket) overriding auto-detection | `kubernetes` |
| `platform` | Kubernetes platform (kubernetes/tanzu/openshift/openshift.v3/eks/eks.bottlerocket/k3s) overriding auto-detection | `kubernetes` |
| `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` |
| `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
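Review bot: the `platform` row now lists `eks` and `k3s` but does not say what choosing `eks` changes. Since `eks` turns on `AMAZON_AUTO_KERNEL_HEADERS` and a host root mount in the runtime probe daemonset elsewhere in this change, the description should state that, and should note that `eks` is auto-detected only from the `eks.amazonaws.com/nodegroup` node label, so clusters whose nodes lack that label have to pass `--set platform=eks` to get the header installation.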
@@ -202,7 +203,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.admissionControl.enabled` | Specify whether the Admission Control addon should be installed | `false` |
| `addons.admissionControl.priorityClassName` | Specifies custom priorityClassName | `` |
| `addons.admissionControl.policy.image` | Specify image for the agent | `checkpoint/consec-admission-policy` |
| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.2.1` |
| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.2.2` |
| `addons.admissionControl.policy.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.admissionControl.policy.env` | Additional environmental variables for the agent | `{}` |
| `addons.admissionControl.policy.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
@@ -211,7 +212,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.admissionControl.policy.affinity` | Affinity setting | `{}` |
| `addons.admissionControl.policy.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.admissionControl.enforcer.image` | Specify image for the agent | `checkpoint/consec-admission-enforcer` |
| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`2.2.0` |
| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`2.3.0` |
| `addons.admissionControl.enforcer.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.admissionControl.enforcer.replicaCount` | Number of Inventory agent instances to be deployed | `2` |
| `addons.admissionControl.enforcer.env` | Additional environmental variables for the agent | `{}` |
@@ -231,7 +232,7 @@ The following table list the configurable parameters of this chart and their def
| | | `limits.cpu: 2000m` |
| | | `limits.memory: 1Gi` |
| `addons.runtimeProtection.daemon.probe.image` | Specify image for the agent | `checkpoint/consec-runtime-probe` |
| `addons.runtimeProtection.daemon.probe.tag` | Specify image tag for the agent |`0.28.0-cp-2` |
| `addons.runtimeProtection.daemon.probe.tag` | Specify image tag for the agent |`0.28.0-cp-6` |
| `addons.runtimeProtection.daemon.probe.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.runtimeProtection.daemon.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` |
| `addons.runtimeProtection.daemon.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` |
28 changes: 14 additions & 14 deletions checkpoint/cloudguard/defaults.yaml
@@ -19,7 +19,7 @@ telemetryVersion: 0.0.4
## API ID: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
credentials:
secret:
user:
user:

rbac:
## Specifies whether a custom PSP should be defined
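Review bot: `credentials.secretName` is documented in the README but missing from this `credentials:` block, so `helm show values` users will not see it; add a `secretName:` key with a comment naming the expected `username`/`secret` data keys and stating that an empty value means the chart creates its own Secret. Note also that the `user:` change in this hunk is whitespace-only (trailing space removed), as are several of the 14 deletions in this file.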
@@ -39,19 +39,19 @@ imagePullPolicy: Always
## Pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations:
podAnnotations:
seccomp: runtime/default
apparmor: {}
custom: {}

## Proxy settings
## Proxy settings
## Examples:
## proxy: http://example.com:443
## proxy: $HTTPS_PROXY
proxy: {}

containerRuntime:
platform: kubernetes # kubernetes, openshift, openshift.v3 or tanzu
platform: kubernetes # kubernetes, openshift, openshift.v3, tanzu, eks, eks.bottlerocket or k3s

seccompProfile:
type: RuntimeDefault
@@ -257,13 +257,13 @@ addons:
podAnnotations:
custom: {}

## Admission Control Add-on
## Admission Control Add-on
admissionControl:
enabled: false
policy:
## Specify image and tag
image: checkpoint/consec-admission-policy
tag: 1.2.1
tag: 1.2.2

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -279,7 +279,7 @@ addons:
memory: 30Mi
limits:
cpu: 50m
memory: 50Mi
memory: 50Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
@@ -288,11 +288,11 @@ addons:
tolerations: []
podAnnotations:
custom: {}

enforcer:
## Specify image and tag
image: checkpoint/consec-admission-enforcer
tag: 2.2.0
tag: 2.3.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -322,7 +322,7 @@ addons:
custom: {}


## Runtime Protection Add-on
## Runtime Protection Add-on
runtimeProtection:
enabled: false
BPF: true
@@ -353,7 +353,7 @@ addons:
probe:
## Specify image and tag
image: checkpoint/consec-runtime-probe
tag: 0.28.0-cp-2
tag: 0.28.0-cp-6

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -378,12 +378,12 @@ addons:
memory: 20Mi
limits:
cpu: 30m
memory: 30Mi
memory: 30Mi

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/os: linux
tolerations:
- operator: Exists
affinity: {}
@@ -416,7 +416,7 @@ addons:
## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
tolerations: []
tolerations: []
affinity: {}
podAnnotations:
custom: {}
20 changes: 15 additions & 5 deletions checkpoint/cloudguard/templates/_helpers.tpl
@@ -417,9 +417,12 @@ tanzu
- "Bottlerocket OS 1.7.2 (aws-k8s-1.21)"
- "Container-Optimized OS from Google"
*/}}
{{- $osImage := (first $nodes.items).status.nodeInfo.osImage }}
{{- $firstNode := (first $nodes.items) -}}
{{- $osImage := $firstNode.status.nodeInfo.osImage }}
{{- if contains "Bottlerocket" $osImage -}}
eks.bottlerocket
{{- else if hasKey $firstNode.metadata.labels "eks.amazonaws.com/nodegroup" -}}
eks
{{- else -}}
{{- include "validate.platform" . -}}
{{- lower .Values.platform -}}
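Review bot: the new `eks` branch inspects only the first node returned and only the `eks.amazonaws.com/nodegroup` label, which EKS sets on managed node groups; self-managed EKS nodes, or a cluster whose first listed node happens to be unlabeled, fall through to `.Values.platform` and get no header auto-installation, while a mixed cluster is classified by whichever node sorts first. As far as this hunk shows, the label check also runs before `.Values.platform` is consulted, so confirm that an explicit `--set platform=kubernetes` still wins over detection; otherwise the README's "overriding auto-detection" wording is wrong for EKS. A short comment above the branch listing these conditions would help the next reader.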
@@ -441,21 +444,28 @@ true
{{- define "containerd.sock.path" -}}
{{- if eq (include "get.platform" .) "eks.bottlerocket" -}}
/run/dockershim.sock
{{- else if eq (include "get.platform" .) "k3s" -}}
/run/k3s/containerd/containerd.sock
{{- else -}}
/run/containerd/containerd.sock
{{- end -}}
{{- end -}}

{{- define "validate.platform" -}}
{{- if has .Values.platform (list "kubernetes" "tanzu" "openshift" "openshift.v3" "eks.bottlerocket") -}}
{{- if has .Values.platform (list "kubernetes" "tanzu" "openshift" "openshift.v3" "eks" "eks.bottlerocket" "k3s") -}}
{{- else -}}
{{- $err := printf "\n\nERROR: Invalid platform: %s (should be one of: 'kubernetes', 'tanzu', 'openshift', 'openshift.v3', 'eks.bottlerocket')" .Values.platform -}}
{{- $err := printf "\n\nERROR: Invalid platform: %s (should be one of: 'kubernetes', 'tanzu', 'openshift', 'openshift.v3', 'eks', 'eks.bottlerocket', 'k3s')" .Values.platform -}}
{{- fail $err -}}
{{- end -}}
{{- end -}}

{{- define "daemonset.updateStrategy" }}
{{- define "daemonset.updateStrategy" -}}
updateStrategy:
rollingUpdate:
maxUnavailable: {{ .Values.daemonSetStrategy.rollingUpdate.maxUnavailable }}
{{- end -}}
{{- end -}}

{{- define "cg.creds.secret.name" -}}
{{- $defaultSecretName := printf "%s-cp-cloudguard-creds" .Release.Name }}
{{- printf "%s" (.Values.credentials.secretName | default $defaultSecretName) -}}
{{- end -}}
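Review bot: `cg.creds.secret.name` correctly falls back to the chart-managed name when `secretName` is empty, matching the `if not .Values.credentials.secretName` guard in cg-creds-secret.yaml, but nothing validates a user-supplied name at install time. Consider a guarded check such as `{{- $s := lookup "v1" "Secret" .Release.Namespace .Values.credentials.secretName }}` that calls `fail` when the Secret or its `username`/`secret` keys are absent, skipping the check when `lookup` returns an empty map (as it does under `helm template` and `--dry-run`). Separately, the `-}}` added to the `daemonset.updateStrategy` define trims the newline before `updateStrategy:`; verify that the templates including it through `indent`/`nindent` still render the key at the intended indentation.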
@@ -69,7 +69,7 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}
- name: webhook-certs
secret:
secretName: {{ template "agent.resource.name" $config }}
@@ -40,6 +40,6 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}

{{ end }}
4 changes: 3 additions & 1 deletion checkpoint/cloudguard/templates/cg-creds-secret.yaml
@@ -1,4 +1,5 @@
{{- $config := fromYaml (include "inventory.agent.config" .) -}}
{{- if not .Values.credentials.secretName -}}
apiVersion: v1
kind: Secret
metadata:
@@ -9,4 +10,5 @@ metadata:
type: Opaque
data:
secret: {{ required "CloudGuard API Secret is required" $config.Values.credentials.secret | b64enc | quote }}
username: {{ required "CloudGuard API Key is required" $config.Values.credentials.user | b64enc | quote }}
username: {{ required "CloudGuard API Key is required" $config.Values.credentials.user | b64enc | quote }}
{{ end -}}
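Review bot: with `secretName` set the whole template, including both `required` checks, is skipped, so a values file that sets `credentials.secretName` together with `credentials.user`/`credentials.secret` silently ignores the inline credentials. Add an explicit failure when both are given, for example `{{- if and .Values.credentials.secretName (or .Values.credentials.user .Values.credentials.secret) }}{{ fail "set either credentials.secretName or credentials.user/credentials.secret, not both" }}{{- end }}`, so that stale inline API keys left in a values file are noticed rather than shipped around unused.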
@@ -53,7 +53,7 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}
- name: config-volume
configMap:
name: {{ template "agent.resource.name" $config }}
@@ -141,7 +141,7 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}
{{- if eq $config.containerRuntime "docker" }}
- name: docker-sock-volume
hostPath:
@@ -70,7 +70,7 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}
- name: servercert-volume
configMap:
name: {{ template "imagescan.daemon.resource.name" . }}
@@ -64,7 +64,7 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}
- name: servercert-volume
configMap:
name: {{ template "imagescan.daemon.resource.name" . }}
@@ -54,4 +54,4 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}
13 changes: 13 additions & 0 deletions checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml
@@ -43,6 +43,10 @@ spec:
value: "/sysdig"
- name: SYSDIG_BPF_PROBE
value: ""
{{- if eq "eks" (include "get.platform" $config) }}
- name: AMAZON_AUTO_KERNEL_HEADERS
value: "1"
{{- end }}
{{- if contains "openshift" (include "get.platform" $config) }}
- name: SYSDIG_WAIT_FOR_KERNEL_SOURCE_TIMEOUT # given in seconds
value: "1800"
@@ -77,6 +81,10 @@ spec:
- name: host-dev-vol
mountPath: /host/dev
{{- end }}
{{- if eq "eks" (include "get.platform" $config) }}
- name: host-root-vol
mountPath: /host/root
{{- end }}
containers:
# fluentbit
# the fluentbit container needs to be before the daemon container
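Review bot: the `host-root-vol` mount at `/host/root` carries no `readOnly: true`. If the automated header installation only reads the host (kernel version, existing headers), mark it read-only; if it writes to the host to install packages, this is a write-capable mount of the entire node filesystem on every node of an auto-detected EKS cluster and should be stated in the README beside `platform`, ideally behind its own value so operators who pre-install kernel headers on their AMI can opt out while keeping `platform=eks`.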
@@ -291,4 +299,9 @@ spec:
- name: run-xtables-lock
hostPath:
path: /run/xtables.lock
{{- if eq "eks" (include "get.platform" $config) }}
- name: host-root-vol
hostPath:
path: /
{{- end }}
{{- end }}
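Review bot: a `hostPath` of `/` exposes the whole node filesystem to the probe container; if the header installer only needs the package manager state and the kernel source/module directories, mount those paths instead of `/`. Also check that the chart's own PSP (`rbac.pspEnabled`) and any admission policy the cluster enforces permit a `/` hostPath, since otherwise the daemonset will be rejected only on EKS clusters, which is exactly where this branch is taken.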
@@ -43,5 +43,5 @@ spec:
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ template "cg.creds.secret.name" $config }}
{{- end }}
Binary file added repository/cloudguard-2.16.0.tgz