2.8.0: ACR scan support, AC assessment history, improve for 1.19+ (#71)
IA 2.0.0: add ACR scan support
AC policy 1.0.1, AC enforcer 1.2.2: collect data for verification
AC GSL: build based on newer base image
remove deprecated objects so there will be no warnings
chkp-rigor authored Nov 18, 2021
1 parent e13e128 commit 7195358
Showing 15 changed files with 166 additions and 88 deletions.
6 changes: 4 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.7.0
appVersion: 2.8.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand All @@ -15,5 +15,7 @@ keywords:
- threat intelligence
- admission control
- runtime protection
- registry scan
- acr
name: cloudguard
version: 2.7.0
version: 2.8.0
15 changes: 8 additions & 7 deletions checkpoint/cloudguard/README.md
Expand Up @@ -119,7 +119,8 @@ The following table list the configurable parameters of this chart and their def
| `proxy` | Proxy settings (e.g. http://my-proxy.com:8080) | `{}` |
| `containerRuntime` | Container runtime (docker/containerd/cri-o) overriding auto-detection | `` |
| `platform` | Kubernetes platform (kubernetes/tanzu/openshift) overriding auto-detection | `kubernetes` |
| `podAnnotations.seccomp` | Computer Security facility profile. | `runtime/default` |
| `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` |
| `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
| `inventory.agent.image` | Specify image for the agent | `checkpoint/consec-inventory-agent` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.3.1` |
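Review bot: the default shown for the new `seccompProfile` row does not match `defaults.yaml`, which defines it as a map (`seccompProfile:` with `type: RuntimeDefault` beneath it), so the Default column should read `{type: RuntimeDefault}` rather than the bare string `RuntimeDefault`; a user copying the string form into their values would render an invalid `securityContext.seccompProfile`. "Computer Security facility profile" is also an odd gloss for seccomp (secure computing mode); consider wording both rows as "seccomp profile applied to agent pods" and stating explicitly that on 1.19+ clusters the annotation row is ignored in favour of `seccompProfile`, which is what the helper template now does.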
Expand All @@ -133,19 +134,19 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.enabled` | Specifies whether the Image Scan addon should be installed | `false` |
| `addons.imageScan.maxImageSizeMb` | Specifies in MiBytes maximal image size to scan, its value + 500MB will be imageScan.engine main container memory limit | `` |
| `addons.imageScan.daemon.image` | Specify image for the agent | `checkpoint/consec-imagescan-daemon` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`1.2.0` |
| `addons.imageScan.daemon.tag` | Specify image tag for the agent |`2.0.0` |
| `addons.imageScan.daemon.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.daemon.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.daemon.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.daemon.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.imageScan.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.imageScan.daemon.affinity` | Affinity setting | `{}` |
| `addons.imageScan.daemon.shim.image` | Specify image for the shim container | `checkpoint/consec-imagescan-shim` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`1.2.0` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.0.0` |
| `addons.imageScan.daemon.shim.env` | Additional environmental variables for the shim container | `{}` |
| `addons.imageScan.daemon.shim.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.imageScan.engine.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`1.2.0` |
| `addons.imageScan.engine.tag` | Specify image tag for the agent |`2.0.0` |
| `addons.imageScan.engine.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.imageScan.engine.env` | Additional environmental variables for the agent | `{}` |
| `addons.imageScan.engine.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
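Review bot: the registry-scan settings read by the new registries ConfigMap template (`featureConfig.registryEnvId`, `registryUrl`, `registryType`, `registryClientId`, `registryTenantId`, `registryRequestMaxPages`, `registryRequestMaxItemsPerPage`) are not documented anywhere in this table, although ACR scan support is the headline feature of this release. Add rows for them with their defaults (1000 and 0 for the two request limits) and state that setting `registryEnvId` is what causes the ConfigMap to be created.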
Expand All @@ -164,7 +165,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.flowLogs.daemon.affinity` | Affinity setting | `{}` |
| `addons.admissionControl.enabled` | Specify whether the Admission Control addon should be installed | `false` |
| `addons.admissionControl.policy.image` | Specify image for the agent | `checkpoint/consec-admission-policy` |
| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.0.0` |
| `addons.admissionControl.policy.tag` | Specify image tag for the agent |`1.0.1` |
| `addons.admissionControl.policy.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.admissionControl.policy.env` | Additional environmental variables for the agent | `{}` |
| `addons.admissionControl.policy.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
Expand All @@ -175,14 +176,14 @@ The following table list the configurable parameters of this chart and their def
| `addons.admissionControl.policy.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` |
| `addons.admissionControl.policy.fluentbit.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.image` | Specify image for the agent | `checkpoint/consec-admission-enforcer` |
| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`1.1.0` |
| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`1.2.2` |
| `addons.admissionControl.enforcer.serviceAccountName` | Specify custom Service Account for the agent | `` |
| `addons.admissionControl.enforcer.replicaCount` | Number of Inventory agent instances to be deployed | `2` |
| `addons.admissionControl.enforcer.env` | Additional environmental variables for the agent | `{}` |
| `addons.admissionControl.enforcer.failurePolicyIntervalHours`| If the agent is unable to synchronize it's policy, this is the number of hours it will wait before switching to a fail-open policy | `24` |
| `addons.admissionControl.enforcer.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.gsl.image` | Specify image for the agent | `checkpoint/consec-admission-gsl` |
| `addons.admissionControl.enforcer.gsl.tag` | Specify image tag for the agent |`1.1.0` |
| `addons.admissionControl.enforcer.gsl.tag` | Specify image tag for the agent |`1.1.1` |
| `addons.admissionControl.enforcer.gsl.resources` | Resources restriction (e.g. CPU, memory) | `{}` |
| `addons.admissionControl.enforcer.fluentbit.image` | Specify image for the agent | `checkpoint/consec-fluentbit` |
| `addons.admissionControl.enforcer.fluentbit.tag` | Specify image tag for the agent |`1.6.9-cp` |
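Review bot: pre-existing wording in the context lines is worth fixing while this table is touched: `failurePolicyIntervalHours` says "synchronize it's policy" (should be "its"), and the `enforcer.replicaCount` row describes the admission enforcer as "Number of Inventory agent instances", which is copied from the inventory section.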
17 changes: 10 additions & 7 deletions checkpoint/cloudguard/defaults.yaml
Expand Up @@ -51,6 +51,9 @@ proxy: {}
containerRuntime:
platform: kubernetes # kubernetes, openshift or tanzu

seccompProfile:
type: RuntimeDefault

### Inventory agent settings
inventory:
agent:
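Review bot: `seccompProfile` is added without the explanatory comment that the neighbouring settings carry. Document that it is applied only on Kubernetes 1.19 and up and never on OpenShift (per `common.pod.properties`), that `podAnnotations.seccomp` remains the fallback for older clusters and for `helm template` output, and that switching `type` to `Localhost` requires a `localhostProfile` alongside it, for example as commented-out lines `# type: Localhost` and `# localhostProfile: <path under the kubelet seccomp dir>`.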
Expand Down Expand Up @@ -108,7 +111,7 @@ addons:

## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 1.2.0
tag: 2.0.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -130,7 +133,7 @@ addons:
shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 1.2.0
tag: 2.0.0

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down Expand Up @@ -176,7 +179,7 @@ addons:
engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 1.2.0
tag: 2.0.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -272,7 +275,7 @@ addons:
policy:
## Specify image and tag
image: checkpoint/consec-admission-policy
tag: 1.0.0
tag: 1.0.1

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -314,7 +317,7 @@ addons:
enforcer:
## Specify image and tag
image: checkpoint/consec-admission-enforcer
tag: 1.1.0
tag: 1.2.2

failurePolicyIntervalHours: 24

Expand All @@ -339,7 +342,7 @@ addons:
gsl:
## Specify image and tag
image: checkpoint/consec-admission-gsl
tag: 1.1.0
tag: 1.1.1

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down Expand Up @@ -434,7 +437,7 @@ addons:
## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector:
beta.kubernetes.io/os: linux
kubernetes.io/os: linux
tolerations:
- operator: Exists
affinity: {}
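Review bot: moving from `beta.kubernetes.io/os` to `kubernetes.io/os` is correct; the GA label has been set by the kubelet since Kubernetes 1.14 and the beta label is deprecated. Check that every other `nodeSelector` default in this file and in the templates gets the same substitution, because a pod still selecting on the beta label will fail to schedule on any node where the kubelet no longer applies it.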
29 changes: 24 additions & 5 deletions checkpoint/cloudguard/templates/_helpers.tpl
Expand Up @@ -72,7 +72,9 @@ helm.sh/chart: {{ printf "%s-%s" .Chart.name .Chart.version | replace "+" "_" |
{{- /* Pod annotations commonly used in agents */ -}}
{{- define "common.pod.annotations" -}}
agentVersion: {{ .agentConfig.tag }}
{{- if ne (include "get.platform" .) "openshift" }}
{{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
{{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
{{- if and (ne (include "get.platform" .) "openshift") (or (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) (include "is.helm.template.command" .)) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
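Review bot: the `or` branch on `is.helm.template.command` means the alpha annotation is emitted whenever `lookup` comes back empty, and `lookup` returns nothing not only under `helm template` but also under `helm install`/`helm upgrade` with `--dry-run`, so dry-run output will always carry `seccomp.security.alpha.kubernetes.io/pod` and differ from what a real install on a 1.19+ cluster produces. That is acceptable, but document it, and note that passing `--kube-version` to `helm template` does not change the result because the fallback branch wins regardless of the version check. The comment line would also read better as "when rendering with `helm template` the cluster version is unknown, so we fall back to the annotation".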
Expand All @@ -83,6 +85,15 @@ container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name"

{{- /* Pod properties commonly used in agents */ -}}
{{- define "common.pod.properties" -}}
{{- if ne (include "get.platform" .) "openshift" }}
securityContext:
runAsUser: {{ include "cloudguard.nonroot.user" . }}
runAsGroup: {{ include "cloudguard.nonroot.user" . }}
{{- if and (semverCompare ">=1.19-0" .Capabilities.KubeVersion.Version) (not (include "is.helm.template.command" .)) }}
seccompProfile:
{{ toYaml .Values.seccompProfile | indent 4 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "agent.service.account.name" . }}
{{- if .agentConfig.nodeSelector }}
nodeSelector:
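Review bot: `toYaml .Values.seccompProfile` is rendered without a guard, so a user who clears the value to opt out (for example `seccompProfile: {}`) gets `seccompProfile: {}` under the pod securityContext, which the API server rejects because `type` is required. Wrap the block in `{{- if .Values.seccompProfile.type }}` so the profile can be disabled cleanly. The `indent 4` is consistent with `seccompProfile:` sitting two spaces under `securityContext:` here; since callers indent the whole partial with `indent 6`, relative indentation is preserved.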
Expand Down Expand Up @@ -251,10 +262,6 @@ imagePullSecrets:
imagePullPolicy: {{ .Values.imagePullPolicy }}
securityContext:
allowPrivilegeEscalation: false
{{- if ne (include "get.platform" .) "openshift" }}
runAsUser: {{ include "cloudguard.nonroot.user" . }}
runAsGroup: {{ include "cloudguard.nonroot.user" . }}
{{- end }}
env:
{{ include "fluentbit.env" . | indent 2 }}
- name: CP_KUBERNETES_METRIC_URI
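Review bot: dropping `runAsUser`/`runAsGroup` from the container-level securityContext means this container now inherits them from the pod-level block added to `common.pod.properties`; that only holds for pods that include that partial, so verify every pod spec embedding this container does, otherwise it silently runs as the image's default user. Keeping `allowPrivilegeEscalation: false` here is right, as that field exists only at container scope.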
Expand Down Expand Up @@ -384,3 +391,15 @@ tanzu
{{- .Values.platform | quote -}}
{{- end -}}
{{- end -}}


{{/*
use to know if we run from template (which mean wo have no connection to the cluster and cannot check Capabilities/nodes etc.)
if there is no namespace probably we are running template
*/}}
{{- define "is.helm.template.command" -}}
{{- $namespace := lookup "v1" "Namespace" "" "" -}}
{{- if eq (len $namespace) 0 -}}
true
{{- end -}}
{{- end -}}
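Review bot: typo in the comment ("wo have" should be "we have"), and the comment should also say that `lookup` is empty under `--dry-run`, not only under `helm template`. More substantively, `lookup "v1" "Namespace" "" ""` lists all namespaces and therefore needs cluster-wide list permission on that resource at install time; looking up only the release namespace (`lookup "v1" "Namespace" "" .Release.Namespace`) narrows the required permission to a single get and still distinguishes a live cluster from an offline render.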
Original file line number Diff line number Diff line change
Expand Up @@ -38,11 +38,6 @@ spec:
- {{ include "agent.resource.name" $config }}
topologyKey: "kubernetes.io/hostname"
{{ include "common.pod.properties" $config | indent 6 }}
{{- if ne (include "get.platform" $config) "openshift" }}
securityContext:
runAsUser: {{ include "cloudguard.nonroot.user" $config }}
runAsGroup: {{ include "cloudguard.nonroot.user" $config }}
{{- end }}
containers:
# gsl (note: should be first to simplify Pod startup)
- {{ $containerConfig := merge $config (dict "containerName" "gsl") -}}
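Review bot: the removed pod-level securityContext is now produced by `common.pod.properties`, included on the line just above, under the same non-OpenShift guard, so this is a pure de-duplication. Note for the release notes that the same helper now also injects `seccompProfile` into this pod on 1.19+ clusters, which replaces the annotation-based profile rather than adding to it.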
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,6 @@ spec:
{{ include "common.labels" $config | indent 8 }}
spec:
{{ include "common.pod.properties" $config | indent 6 }}
{{- if ne (include "get.platform" $config) "openshift" }}
securityContext:
runAsUser: {{ include "cloudguard.nonroot.user" $config }}
runAsGroup: {{ include "cloudguard.nonroot.user" $config }}
{{- end }}
containers:
# Main container
- name: {{ $config.agentName }}
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ spec:
{{- if eq (include "get.platform" $config) "openshift" }}
privileged: true
{{- else }}
runAsUser: 0
capabilities:
add: [ "SYS_ADMIN", "SYS_RESOURCE", "NET_ADMIN" ]
{{- end }}
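Review bot: the explicit `runAsUser: 0` is required now that the pod-level securityContext sets a non-root user and this container adds `SYS_ADMIN`, `SYS_RESOURCE` and `NET_ADMIN`, but unlike the sibling agent template this branch has no `allowPrivilegeEscalation: false`; add it for consistency, since the capabilities are granted in the container spec rather than acquired at exec time and are not affected by no-new-privileges. Also document that an explicit root user fails the restricted Pod Security Standard and any PSP requiring `runAsNonRoot`, so these DaemonSets need the baseline or privileged level.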
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ spec:
{{- if eq (include "get.platform" $config) "openshift" }}
privileged: true
{{- else }}
runAsUser: 0
allowPrivilegeEscalation: false
capabilities:
add:
Expand Down Expand Up @@ -76,6 +77,7 @@ spec:
{{- if eq $config.containerRuntime "cri-o" }}
privileged: true
{{- else }}
runAsUser: 0
allowPrivilegeEscalation: false
capabilities:
add:
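Review bot: `runAsUser: 0` overrides only the user; the pod-level `runAsGroup` from `common.pod.properties` still applies, so on the non-cri-o path this container runs as uid 0 with the non-root primary gid. Root's default capability set includes `CAP_DAC_OVERRIDE`, so reads and writes are unaffected, but files it creates on host mounts will carry that gid; add `runAsGroup: 0` alongside if the agent writes to host paths, or a comment if the mixed ids are intentional.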
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{{- $config := fromYaml (include "imagescan.engine.config" .) -}}
{{- if $config.featureConfig.registryEnvId -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-cp-cloudguard-registries
namespace: {{ .Release.Namespace }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
data:
registries: |
{
"config": {
"requestMaxPages": {{ $config.featureConfig.registryRequestMaxPages | default 1000 }},
"requestMaxItemsPerPage": {{ $config.featureConfig.registryRequestMaxItemsPerPage | default 0 }}
},
"envs": [{
"url": "{{ $config.featureConfig.registryUrl }}",
"id": "{{ $config.featureConfig.registryEnvId }}",
"type": "{{ $config.featureConfig.registryType }}",
"clientId": "{{ $config.featureConfig.registryClientId }}",
"tenantId": "{{ $config.featureConfig.registryTenantId }}"
}]
}
{{- end -}}
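Review bot: the JSON is assembled by string interpolation, so any `registryUrl`, `registryClientId` or other value containing a double quote or backslash yields an invalid document, and a missing `registryType` silently renders as `""`. Build the structure as a dict and serialise it instead, e.g. `{{- $envs := list (dict "url" $config.featureConfig.registryUrl "id" $config.featureConfig.registryEnvId "type" $config.featureConfig.registryType "clientId" $config.featureConfig.registryClientId "tenantId" $config.featureConfig.registryTenantId) }}` and then `registries: {{ dict "config" $cfg "envs" $envs | toJson | quote }}`, which escapes correctly and fails loudly on missing keys if you add `required`. `default 0` on `requestMaxItemsPerPage` is a no-op because `default` treats 0 as empty, so if 0 means "no limit" say so in a comment. The template carries no client secret, which is right for a ConfigMap; confirm the engine obtains its ACR credential from a Secret or managed identity rather than expecting it here.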
