2.3.5: container runtime auto-detection, RP 0.0.489, IA 0.4.2 (#60)
helm release 2.3.5:
- container runtime auto-detection
- runtime-daemon 0.0.489: containerd support, reduced agent privileges, deny rules ("kill")
- imagescan 0.4.2: improved support for OCI images, certificate pinning
- (internal) monitoring & logs shipment enhancements
chkp-alexgl authored Jun 29, 2021
1 parent fe80edf commit 685e0f4
Showing 20 changed files with 202 additions and 130 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
appVersion: 2.3.3
version: 2.3.3
appVersion: 2.3.5
version: 2.3.5
description: A Helm chart for Check Point CloudGuard Workload Security
name: cloudguard
keywords:
14 changes: 7 additions & 7 deletions checkpoint/cloudguard/README.md
@@ -9,7 +9,7 @@ Note: notice that some of the above capabilities require enrollment in the Early
## Prerequisites

General
- Kubernetes 1.12+
- Kubernetes 1.12+, all nodes should have the same container runtime (docker or containerd)
- Helm 3.0+
- Check Point CloudGuard account credentials
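Review bot: the new prerequisite (all nodes on the same runtime) is load-bearing for the auto-detection added in `_helpers.tpl`, which reads `containerRuntimeVersion` from the first node only, so a mixed cluster is not rejected at install time; state here that detection samples one node and that clusters with mixed runtimes must set `containerRuntime` explicitly.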

@@ -106,11 +106,11 @@ The following tables list the configurable parameters of this chart and their de
| `imageRegistry.password` | Image registry password | `CHANGEME` |
| `imagePullPolicy` | Image pull policy | `Always` |
| `proxy` | Proxy settings (e.g. http://my-proxy.com:8080) | `{}` |
| `containerRuntime` | Cluster container runtime (docker, containerd) | `docker` |
| `containerRuntime` | Container runtime (docker/containerd) overriding auto-detection | `` |
| `podAnnotations.seccomp` | Computer Security facility profile. | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
| `inventory.agent.image` | Specify image for the agent | `checkpoint/consec-inventory-agent` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.2.1` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.3.0` |
| `inventory.agent.serviceAccountName` | Specify custom Service Account for the Inventory agent | `` |
| `inventory.agent.replicaCount` | Number of Inventory agent instances to be deployed | `1` |
| `inventory.agent.env` | Additional environmental variables for Inventory agent | `{}` |
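Review bot: the `containerRuntime` row should also say when auto-detection cannot run: the helper uses `lookup`, which returns an empty result under `helm template` and `helm install --dry-run`, so those paths now fail with the "No nodes found" error unless `--set containerRuntime=...` is given. A phrase such as "required when rendering with `helm template` or `--dry-run`" in the description would save users a confusing failure.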
@@ -121,19 +121,19 @@ The following tables list the configurable parameters of this chart and their de
| `addons.imageScan.enabled` | Specifies whether the Image Scan addon should be installed | `false` |
| `addons.imageScan.maxImageSizeMb` | Specifies in MiBytes maximal image size to be scanned, imageScan.engine main container memory limit will be a double of it | `` |
| `addons.imageScan.daemon.image` | Specify image for the agent | `checkpoint/consec-imagescan-daemon` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`0.4.1` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`0.4.2` |
| `addons.imageScan.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.daemon.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.daemon.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.daemon.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.imageScan.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.imageScan.daemon.affinity` | Affinity setting | `{}` |
| `addons.imageScan.daemon.shim.image` | Specify image for the shim container | `checkpoint/consec-imagescan-shim` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`0.4.1` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`0.4.2` |
| `addons.imageScan.daemon.shim.env` | Additional environmental variables for the shim container | `{}` |
| `addons.imageScan.daemon.shim.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.engine.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`0.4.1` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`0.4.2` |
| `addons.imageScan.engine.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.engine.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.engine.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
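Review bot: style: the bumped `daemon.tag`, `shim.tag` and `engine.tag` rows keep the missing space before the default cell (`|`0.4.2` |`) while the neighbouring rows use `| `...` |`; since these lines are being touched anyway, align them with the rest of the table.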
@@ -180,7 +180,7 @@ The following tables list the configurable parameters of this chart and their de
| `addons.admissionControl.enforcer.affinity` | Affinity setting | `{}` |
| `addons.runtimeProtection.enabled` | Specifies whether the Runtime Protection addon should be installed | `false` |
| `addons.runtimeProtection.daemon.image` | Specify image for the agent | `checkpoint/consec-runtime-daemon` |
| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.425` |
| `addons.runtimeProtection.daemon.tag` | Specify image tag for the agent |`0.0.489` |
| `addons.runtimeProtection.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.runtimeProtection.daemon.env` | Additional environmental variables for the agent | `{}` |
| `addons.runtimeProtection.daemon.resources` | Resources restriction (e.g. CPU, memory) | `requests.cpu: 100m` |
12 changes: 6 additions & 6 deletions checkpoint/cloudguard/defaults.yaml
@@ -48,15 +48,15 @@ podAnnotations:
## proxy: $HTTPS_PROXY
proxy: {}

containerRuntime: docker
containerRuntime:

### Inventory agent settings
inventory:
agent:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.2.1
tag: 1.3.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
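Review bot: `containerRuntime:` with no value now means "auto-detect", but nothing in defaults.yaml says so, whereas `proxy` just above carries a `## proxy: $HTTPS_PROXY` hint. Add a comment stating the accepted values and that leaving it empty triggers detection from the cluster's node status, e.g. `## containerRuntime: docker | containerd (empty: auto-detect from the nodes)`.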
@@ -93,7 +93,7 @@ addons:

## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 0.4.1
tag: 0.4.2

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -115,7 +115,7 @@ addons:
shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 0.4.1
tag: 0.4.2

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -152,7 +152,7 @@ addons:
engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 0.4.1
tag: 0.4.2

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -343,7 +343,7 @@ addons:
## Main container settings
## Specify image and tag
image: checkpoint/consec-runtime-daemon
tag: 0.0.425
tag: 0.0.489

## Specify existing service account name ("" to create)
serviceAccountName: ""
8 changes: 2 additions & 6 deletions checkpoint/cloudguard/templates/_configmap-metrics.yaml
@@ -3,17 +3,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "agent.resource.name" .config }}-metrics
name: {{ template "agent.resource.name" .config }}-fluentbit-metrics
namespace: {{ .config.Release.Namespace }}
labels:
{{ include "common.labels.with.chart" .config | indent 4 }}
data:
fluent-bit.conf: |
[SERVICE]
Flush 5
Daemon Off
Log_Level info
{{ $params := dict "metricPath" "/metric" "agentVersion" .config.agentConfig.tag "metricTailPath" "/metric-tail/*/*" }}
{{ include "fluentbit-metric.conf" $params | indent 4 }}
{{- include "fluentbit-metric.conf" $params | indent 4 }}
{{- end -}}
{{- end -}}
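Review bot: renaming the ConfigMap to `-fluentbit-metrics` changes the name every consumer mounts; the two volume references updated in this commit cover the admission templates, but a grep for the old `-metrics` suffix across `templates/` before merging would confirm no other agent still points at the deleted name. Moving `[SERVICE]` into `fluentbit-metric.conf` also means any config that includes it must not carry its own `[SERVICE]` block, so this template should remain the single place where it is rendered.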
64 changes: 55 additions & 9 deletions checkpoint/cloudguard/templates/_helpers.tpl
@@ -31,14 +31,22 @@

{{- /* Full path to the image of the main container of the provided agent */ -}}
{{- define "agent.main.image" -}}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url .agentConfig.image .agentConfig.tag }}
{{- $tag := .agentConfig.tag }}
{{- if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages }}
{{- $tag = printf "%s-debug" .agentConfig.tag }}
{{- end }}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url .agentConfig.image $tag }}
{{- default $image .agentConfig.fullImage }}
{{- end -}}

{{- /* Full path to the image of a provided side-car container */ -}}
{{- define "agent.sidecar.image" -}}
{{- $containerConfig := get .agentConfig .containerName }}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url $containerConfig.image $containerConfig.tag }}
{{- $tag := $containerConfig.tag }}
{{- if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages $containerConfig.debugImage }}
{{- $tag = printf "%s-debug" $containerConfig.tag }}
{{- end }}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url $containerConfig.image $tag }}
{{- default $image $containerConfig.fullImage }}
{{- end -}}
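Review bot: key mismatch in the sidecar branch: `agent.main.image` checks `.Values.debugImages`, `.featureConfig.debugImages` and `.agentConfig.debugImages`, but `agent.sidecar.image` additionally reads `$containerConfig.debugImage` (singular). Unless the singular is deliberate, a `debugImages: true` set on the sidecar itself never matches; rename it to `debugImages` for consistency. The `-debug` tag convention is also undocumented: the README parameter table has no `debugImages` row at any of the three levels.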

@@ -153,6 +161,10 @@ imagePullSecrets:
fieldPath: spec.nodeName
- name: TELEMETRY_VERSION
value: {{ .Values.telemetryVersion }}
- name: POD_ID
valueFrom:
fieldRef:
fieldPath: metadata.uid

{{- if .Values.proxy }}
- name: HTTP_PROXY
@@ -170,7 +182,6 @@ Host ${CP_KUBERNETES_DOME9_URL}
Header Kubernetes-Account ${CP_KUBERNETES_CLUSTER_ID}
Header Node-Name ${NODE_NAME}
Header Agent-Version {{ .agentVersion }}
Header Telemetry-Version ${TELEMETRY_VERSION}
Compress gzip
http_User ${CP_KUBERNETES_USER}
http_Passwd ${CP_KUBERNETES_PASS}
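Review bot: `Header Telemetry-Version` is removed from `fluentbit-http-output-param.conf`, which is shared by every HTTP output that includes it, including the admission alerts output (`ac-alert`) touched in this commit. The header is re-added only in the metrics output, so the alerts endpoint stops receiving it; confirm the backend no longer expects it for alerts, or keep it here and drop the duplicate from the metrics output instead.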
@@ -180,24 +191,36 @@ tls.verify On
{{- end -}}

{{- /* fluentbit configmap to send metric */ -}}
{{- define "fluentbit-metric.conf" -}}
{{- define "fluentbit-metric.conf" -}}
[SERVICE]
Flush 5
Daemon Off
Log_Level info
storage.path /tmp/fb-tmp
storage.sync normal
storage.checksum off
storage.backlog.mem_limit 1M
[INPUT]
Name exec
Command find {{ .metricPath }} -type f | xargs cat
Tag metrics
Buf_Size 8mb
Mem_Buf_Limit 1mb
Interval_Sec 300
Interval_NSec 0
[INPUT]
Name tail
Path {{ .metricTailPath }}
Tag metrics
Mem_Buf_Limit 8mb
Mem_Buf_Limit 1mb
Refresh_Interval 3
Read_from_Head true
[OUTPUT]
Match metrics
Uri ${CP_KUBERNETES_METRIC_URI}
Match metrics
Uri ${CP_KUBERNETES_METRIC_URI}
Header Pod-Id ${POD_ID}
Header Telemetry-Version ${TELEMETRY_VERSION}
Retry_Limit 3
{{ include "fluentbit-http-output-param.conf" . | indent 4 }}
{{- end -}}
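Review bot: `Retry_Limit 3` together with the lowered `Mem_Buf_Limit 1mb` on both inputs means metric records are dropped, not buffered, once the backend is unreachable for a few retries; neither metric input sets `storage.type filesystem`, so the new `storage.*` settings in `[SERVICE]` only protect inputs that opt into filesystem storage (the admission alerts input does). If losing metrics during an outage is acceptable, say so in a comment; otherwise add `storage.type filesystem` to the tail input as the alerts pipeline does.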

@@ -290,10 +313,10 @@ key: {{ $cert.Key | b64enc }}
17112
{{- end }}

{{- define "container.runtime.validate" -}}
{{- define "validate.container.runtime" -}}
{{- if has .Values.containerRuntime (list "docker" "containerd") -}}
{{- else -}}
{{- $err := printf "\n\nERROR: Invalid containerRuntime: %s (should be one of: 'docker' [default], 'containerd')" .Values.containerRuntime -}}
{{- $err := printf "\n\nERROR: Invalid containerRuntime: %s (should be one of: 'docker', 'containerd')" .Values.containerRuntime -}}
{{- fail $err -}}
{{- end -}}
{{- end -}}
@@ -306,3 +329,26 @@ key: {{ $cert.Key | b64enc }}
{{- $merged := deepCopy . | mustMergeOverwrite (dict "Values" $defaults) | toYaml }}
{{- $merged }}
{{- end -}}


{{- define "get.container.runtime" -}}
{{- if .Values.containerRuntime -}}
{{- include "validate.container.runtime" . -}}
{{- .Values.containerRuntime -}}
{{- else -}}
{{- $nodes := lookup "v1" "Node" "" "" -}}
{{- if ne (len $nodes) 0 -}}
{{/* examples for runtime version: docker://19.3.3, containerd://1.3.3 */}}
{{- $containerRuntimeVersion := (first $nodes.items).status.nodeInfo.containerRuntimeVersion }}
{{- $containerRuntime := first (regexSplit ":" $containerRuntimeVersion -1) }}
{{- if has $containerRuntime (list "docker" "containerd") -}}
{{- $containerRuntime }}
{{- else -}}
{{- $err := printf "\n\nERROR: Unsupported container runtime: %s" $containerRuntime -}}
{{- fail $err -}}
{{- end -}}
{{- else -}}
{{- fail "\n\nERROR: No nodes found, cannot identify container runtime. Use '--set containerRuntime=docker' or '--set containerRuntime=containerd'" -}}
{{- end -}}
{{- end -}}
{{- end -}}
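Review bot: `get.container.runtime` relies on `lookup "v1" "Node"`, which returns an empty list under `helm template` and `helm install --dry-run`, so those paths now hit the `No nodes found` failure unless `containerRuntime` is set, and which needs the installer's kubeconfig identity to be allowed to list nodes cluster-wide; both caveats belong in the README. The helper also inspects only `first $nodes.items`; looping over all items and failing with a clear message when the runtimes differ would enforce the "same runtime on all nodes" prerequisite instead of silently picking one node.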
@@ -1,29 +1,21 @@
{{- $config := fromYaml (include "admission.enforcer.config" .) -}}
{{ if $config.featureConfig.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "agent.resource.name" $config }}-fluentbit
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
data:
fluent-bit.conf: |
[SERVICE]
Flush 5
Daemon Off
Log_Level info
{{ $params := dict "metricPath" "/metric" "agentVersion" $config.agentConfig.tag "metricTailPath" "/metric-tail/*/*" }}
{{ template "telemetry.configmap" dict "config" $config }}

[INPUT]
Name tail
Path admission/alerts/alerts.log
Tag ac-alert
storage.type filesystem
Mem_Buf_Limit 1mb

[OUTPUT]
Match ac-alert
Uri ${CP_KUBERNETES_ADMISSION_CONTROLLER_ALERTS_URI}
Match ac-alert
Uri ${CP_KUBERNETES_ADMISSION_CONTROLLER_ALERTS_URI}
storage.total_limit_size 100M
Retry_Limit False
{{ include "fluentbit-http-output-param.conf" $config | indent 8 }}

{{ $params := dict "metricPath" "/metric" "agentVersion" $config.agentConfig.tag "metricTailPath" "/metric-tail/*/*" }}
{{ include "fluentbit-metric.conf" $params | indent 4 }}

{{- end -}}
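Review bot: `telemetry.configmap` (defined in `_configmap-metrics.yaml`) renders a complete ConfigMap named `...-fluentbit-metrics`, while this file still declares its own `...-fluentbit` ConfigMap for the `ac-alert` pipeline. Two objects rendered from one template need a `---` separator between them, and the metrics ConfigMap must not land inside the `fluent-bit.conf: |` block scalar; please verify the rendered output with `helm template --set containerRuntime=docker` for this addon. `Retry_Limit False` with `storage.total_limit_size 100M` (unlimited retries, bounded by disk) is the right choice for alerts and deserves a one-line comment saying so.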
@@ -111,7 +111,7 @@ spec:
secretName: {{ template "agent.resource.name" $config }}
- name: config-volume-fluentbit
configMap:
name: {{ template "agent.resource.name" $config }}-fluentbit
name: {{ template "agent.resource.name" $config }}-fluentbit-metrics
- name: logs
emptyDir:
medium: Memory
@@ -1,18 +1,5 @@
{{- $config := fromYaml (include "admission.policy.config" .) -}}
{{ if $config.featureConfig.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "agent.resource.name" $config }}-metrics
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
data:
fluent-bit.conf: |
[SERVICE]
Flush 5
Daemon Off
Log_Level info
{{ $params := dict "metricPath" "/metric" "agentVersion" $config.agentConfig.tag "metricTailPath" "/metric-tail/*/*" }}
{{ include "fluentbit-metric.conf" $params | indent 4 }}
{{- end -}}
{{ template "telemetry.configmap" dict "config" $config }}
{{- end -}}

@@ -72,7 +72,7 @@ spec:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
- name: config-volume-fluentbit
configMap:
name: {{ template "agent.resource.name" $config }}-metrics
name: {{ template "agent.resource.name" $config }}-fluentbit-metrics
- name: metrics
emptyDir: {}
- name: metrics-tail
@@ -4,6 +4,7 @@
{{- $_ := set $config "agentName" "daemon" }}
{{- $_ := set $config "featureConfig" $config.Values.addons.imageScan }}
{{- $_ := set $config "agentConfig" $config.Values.addons.imageScan.daemon }}
{{- $_ := set $config "containerRuntime" (include "get.container.runtime" .) }}
{{- $config | toYaml -}}
{{- end -}}
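Review bot: the detected runtime is wired only into the imageScan daemon config here, yet the commit message says runtime-daemon 0.0.489 gains containerd support; if that addon's template reads `.Values.containerRuntime` directly it sees an empty value whenever auto-detection is relied upon, so it should consume `include "get.container.runtime" .` the same way. Each such `include` performs its own `lookup` API call, so computing the value once and passing it to every agent config would avoid repeating the call per agent.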
