Helm chart update: 2.34.0
helm authored and helm committed Dec 18, 2024
1 parent 98a903f commit b13b412
Showing 17 changed files with 228 additions and 177 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.33.1
appVersion: 2.34.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand Down Expand Up @@ -35,4 +35,4 @@ keywords:
- gke
- autopilot
name: cloudguard
version: 2.33.1
version: 2.34.0
78 changes: 38 additions & 40 deletions checkpoint/cloudguard/README.md
Expand Up @@ -139,7 +139,6 @@ The following table list the configurable parameters of this chart and their def
| `platform` | Kubernetes platform (kubernetes/ tanzu/ openshift/ openshift.v3/ eks/ eks.bottlerocket/ gke.cos/ gke.autopilot/ k3s/ rke2/ kubernetes.coreos) overriding auto-detection | `kubernetes` |
| `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` |
| `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
| `autoUpgrade` | Enable auto-upgrade (preserve, true or false). 'major.minor' tags will be set for images rather than 'major.minor.patch'" | `preserve` |
| `podAnnotations.custom` | Custom Pod annotations (for all agent Pods) | `{}` |
| `priorityClassName` | Specifies custom priorityClassName | `` |
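Review bot: dropping the `podAnnotations.apparmor` row removes the chart's only documented AppArmor setting, and nothing in this diff replaces it; a values file that still sets `podAnnotations.apparmor` will now be accepted and silently ignored. Please add a line to the README (or to the chart's upgrade notes) stating that the key is no longer honoured and, if AppArmor confinement is still expected for the agents, what users should configure instead.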
Expand Down Expand Up @@ -265,64 +264,63 @@ The following table list the configurable parameters of this chart and their def
| `addons.runtimeProtection.policy.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.runtimeProtection.daemonConfigurationOverrides` | Overrides for multiple daemonSets with different configuration values | see below |

The default nodeSelector for Admission Control, Inventory and Runtime Protection policy agents is:
The default nodeSelector for the Runtime Protection daemon agent is:
```yaml
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/os: linux
kubernetes.io/arch: amd64
```
The default nodeSelector for other agents is:
```yaml
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
```

The default node affinity for Admission Control, Inventory and Runtime Protection policy agents (deployment)
to support nodes with arm64 and amd64 architectures:
The default affinity is configured to support nodes with arm64 and amd64 architectures:
```yaml
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
```
For Admission Control enforcer agent, it also has default inter-pod anti-affinity ensuring the pods are scheduled on different nodes :
For Admission Control enforcer agent, it also has default inter-pod anti-affinity ensuring the pods are scheduled on different nodes:
```yaml
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- consec-admission-enforcer
topologyKey: "kubernetes.io/hostname"
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- consec-admission-enforcer
topologyKey: "kubernetes.io/hostname"
```
On EKS, DaemonSets are configured with node affinity that prevents Pods from running on Fargate nodes:
```yaml
addons:
imageScan:
enabled: true
daemon:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
addons:
imageScan:
enabled: true
daemon:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
```
The `daemonConfigurationOverrides` object should have one or more objects with unique names (case insensitive), each object must then have a `nodeSelector` data and any additional overrides, such as resource limits and requests. The values defined in `daemon` object are used as a basis for the overrides.\
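Review bot: the new sentence says the default affinity supports arm64 and amd64 nodes, but the nodeSelector shown for "other agents" still carries `kubernetes.io/arch: amd64`; a Pod has to satisfy both nodeSelector and nodeAffinity, so those agents remain amd64-only in practice, and either the selector example or the affinity sentence should say so. It would also help to state next to the affinity examples that a user-supplied `affinity` replaces the generated block entirely (multi-arch term, virtual-node exclusion and enforcer anti-affinity included) rather than merging with it, which is how `common.pod.properties.affinity` in `_helpers.tpl` behaves in this commit.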
17 changes: 8 additions & 9 deletions checkpoint/cloudguard/defaults.yaml
Expand Up @@ -41,7 +41,6 @@ imagePullPolicy: Always
##
podAnnotations:
seccomp: runtime/default
apparmor: {}
custom: {}

## Proxy settings
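Review bot: removing `apparmor: {}` from defaults.yaml does not stop an existing user values file from setting `podAnnotations.apparmor`; with the template branch that consumed it also removed in this commit, the value is now dropped without any signal. A short guard in the helpers, for example `{{- if hasKey .Values.podAnnotations "apparmor" }}{{ fail "podAnnotations.apparmor is no longer supported" }}{{- end }}`, would turn a silent loss of confinement into an install-time error.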
Expand Down Expand Up @@ -69,7 +68,7 @@ inventory:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.15.0
tag: 1.16.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
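Review bot: the image bump is by mutable tag only (`tag: 1.16.0` here, and likewise for the other agents in this file), and the surrounding defaults keep `imagePullPolicy: Always` (visible in the header context of the first hunk), so every Pod start re-resolves the tag from the registry. Consider publishing the image digests for this release so users who need immutable references can pin them, and list the agent image version changes in the commit message rather than only the chart version.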
Expand Down Expand Up @@ -112,7 +111,7 @@ addons:
priorityClassName: "system-node-critical"
## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 2.37.0
tag: 2.38.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -134,7 +133,7 @@ addons:
shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 2.37.0
tag: 2.38.0

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down Expand Up @@ -169,7 +168,7 @@ addons:
engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.37.0
tag: 2.38.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -201,7 +200,7 @@ addons:
list:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.37.0
tag: 2.38.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -272,7 +271,7 @@ addons:
priorityClassName: "system-node-critical"
## Specify image and tag
image: checkpoint/consec-flowlogs-daemon
tag: 0.15.0
tag: 0.16.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -311,7 +310,7 @@ addons:
policy:
## Specify image and tag
image: checkpoint/consec-admission-policy
tag: 1.9.0
tag: 1.10.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -341,7 +340,7 @@ addons:
enforcer:
## Specify image and tag
image: checkpoint/consec-admission-enforcer
tag: 2.13.0
tag: 2.14.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
80 changes: 43 additions & 37 deletions checkpoint/cloudguard/templates/_helpers.tpl
Expand Up @@ -42,7 +42,7 @@
{{ printf "%s-%s-%s" (include "name.prefix" .) .featureName .daemonConfigName }}
{{- end -}}

{{- /* Service account name of a given agent (provided in values.yaml or auto-generated */ -}}
{{- /* Service account name of a given agent (provided in values.yaml or auto-generated) */ -}}
{{- define "agent.service.account.name" -}}
{{- default (include "agent.resource.name" .) .agentConfig.serviceAccountName }}
{{- end -}}
Expand Down Expand Up @@ -100,10 +100,6 @@ app.created.by.template: {{ (include "is.helm.template.command" .) | quote }}
{{- if and (not (contains "openshift" .platform)) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}:
{{ toYaml .Values.podAnnotations.apparmor | indent 2 }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- if .Values.podAnnotations.custom }}
{{ toYaml .Values.podAnnotations.custom }}
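Review bot: with the apparmor branch gone, what remains reads `.Values.podAnnotations.seccomp` unguarded a few lines above and only afterwards tests `{{- if .Values.podAnnotations }}` before `.Values.podAnnotations.custom`; either the outer guard is redundant or the seccomp access should sit inside it. The removed `container.apparmor.security.beta.kubernetes.io/<name>` annotation was the only place the chart applied an AppArmor profile, so this is the hunk that makes a stale `podAnnotations.apparmor` value a silent no-op.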
Expand Down Expand Up @@ -141,14 +137,8 @@ serviceAccountName: {{ template "agent.service.account.name" . }}
nodeSelector:
{{ toYaml .agentConfig.nodeSelector | indent 2 }}
{{- end }}
{{- $allVirtualAffinities := (include "get.virtualNodesLabels" .) | fromYaml -}}
{{- if .agentConfig.affinity }}
affinity:
{{ .agentConfig.affinity | toYaml | indent 2 }}
{{- else if and (contains "daemon" .agentName) (hasKey $allVirtualAffinities .platform) }}
affinity:
{{ include "daemonset.commonAffinity.labels" . | indent 2 }}
{{- end }}
{{ include "common.pod.properties.affinity" . | indent 2 }}
{{- if .agentConfig.tolerations }}
tolerations:
{{ toYaml .agentConfig.tolerations | indent 2 }}
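Review bot: the hunk header counts two added lines (`+137,8` against six unchanged context lines) but only the `include "common.pod.properties.affinity"` line is visible here; that helper emits `nodeAffinity:` and `podAntiAffinity:` as top-level keys and no `affinity:` key of its own, so the other added line must be the `affinity:` parent immediately before the include, otherwise the `indent 2` output attaches under the wrong key. Please confirm it is there, and note in the commit message that the include is now unconditional, so every agent gets a generated nodeAffinity block unless it sets its own `affinity`.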
Expand Down Expand Up @@ -503,7 +493,7 @@ usage:
{{- if hasKey $currentConfiguration "containerRuntime" -}}
{{- $containerRuntime := get $currentConfiguration "containerRuntime" -}}
{{- include "validate.container.runtime" $currentConfiguration -}}
{{- $_ := set $copyConfig "containerRuntime" ($containerRuntime | lower) -}}
{{- $_ := set $copyConfig "containerRuntime" ($containerRuntime | lower) -}}
{{- end -}}
{{- $_ := set $mergedAgentConfig "env" ((concat (get $mergedAgentConfig "env") (get $copyAgentConfig "env") ) | uniq) -}}
{{- $_ := set $copyConfig "agentConfig" $mergedAgentConfig -}}
Expand All @@ -514,16 +504,37 @@ usage:
{{- end -}}
{{- end -}}

{{- define "common.node.affinity.multiarch" -}}
{{- define "common.pod.properties.affinity" -}}
{{- if .agentConfig.affinity }}
{{- .agentConfig.affinity | toYaml }}
{{- else }}
{{- $allVirtualAffinities := (include "get.virtualNodesLabels" .) | fromYaml -}}
{{- $nodeAffinityMatchExpressions := list (include "common.node.affinity.multiarch" . | fromYaml) -}}
{{- if and (eq "DaemonSet" .resourceKind) (hasKey $allVirtualAffinities .platform) }}
{{- $virtualNodesLabels := get $allVirtualAffinities .platform -}}
{{- range $labelKey, $labelValue := $virtualNodesLabels -}}
{{- $generatedExpression := dict "key" $labelKey "operator" "NotIn" "values" (list $labelValue) -}}
{{- $nodeAffinityMatchExpressions = append $nodeAffinityMatchExpressions ( $generatedExpression ) -}}
{{- end -}}
{{- end -}}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
- matchExpressions:
{{ $nodeAffinityMatchExpressions | toYaml | indent 10 }}
{{- /* add pod anti affinity */ -}}
{{- if and (eq "Deployment" .resourceKind) (and (eq "enforcer" .agentName) (eq "admission" .featureName)) }}
{{ include "deployment.common.affinity.labels" . }}
{{- end }}
{{- end -}}
{{- end -}}

{{- define "common.node.affinity.multiarch" -}}
key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
{{- end -}}

{{- /* virtual node labels, additions should keep the same format.
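Review bot: in `common.pod.properties.affinity` the user override is all-or-nothing: when `.agentConfig.affinity` is set the template emits it verbatim and skips the multi-arch term, the virtual-node `NotIn` expressions and the enforcer pod anti-affinity, so a user who only wants to add one constraint has to reproduce all of them. If that is the intended contract, document it in the README next to the affinity examples; otherwise merge the user block with the generated one. Smaller point: `.resourceKind` is only set by the three templates touched in this commit, so any other template that reaches this helper relies on `eq "DaemonSet" .resourceKind` tolerating a missing value; a `required` or `default` on `resourceKind` at the top of the define would make that explicit.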
Expand All @@ -537,24 +548,19 @@ eks:
# exampleLabelKey: "example_label_value"
{{- end -}}

{{- /* creating the affinity for DaemonSet to not run on virtual nodes
usage:
`{{- $virtualAffinites := (include "daemonset.commonAffinity.labels" . ) | fromYaml -}}`
*/ -}}
{{- define "daemonset.commonAffinity.labels" -}}
{{- $virtualNodesLabels := get (include "get.virtualNodesLabels" . | fromYaml) .platform -}}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
{{- range $labelKey, $labelValue := $virtualNodesLabels }}
- key: {{$labelKey}}
operator: NotIn
values:
- {{$labelValue}}
{{- define "deployment.common.affinity.labels" -}}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- {{ include "agent.resource.name" . }}
topologyKey: "kubernetes.io/hostname"
{{- end -}}
{{- end -}}


{{- /* list of supported platforms
usage:
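Review bot: the removed `daemonset.commonAffinity.labels` helper carried a usage comment, while the new `deployment.common.affinity.labels` define has none, and its name suggests a generic Deployment helper although it emits only the enforcer pod anti-affinity and is reached from a branch that checks `agentName` is `enforcer` and `featureName` is `admission`. Add a comment stating that scope (or name it after the enforcer), and double-check that the selector key `kubernetes.io/name` matches the labels emitted by `common.labels.with.chart`, which this diff does not show.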
17 changes: 2 additions & 15 deletions checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml
@@ -1,6 +1,8 @@
{{- $config := fromYaml (include "admission.enforcer.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- /* Mark the config as holding a resource of type "Deployment" */ -}}
{{- $_ := set $config "resourceKind" "Deployment" -}}
{{ if $config.featureConfig.enabled }}
apiVersion: apps/v1
kind: Deployment
Expand All @@ -23,21 +25,6 @@ spec:
labels:
{{ include "common.labels.with.chart" $config | indent 8 }}
spec:
# the affinity definition should be BEFORE include "common.pod.properties" .since in case the
#user will add his own "affinity" we want to take his definition
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- {{ include "agent.resource.name" $config }}
topologyKey: "kubernetes.io/hostname"
{{ include "common.node.affinity.multiarch" $config | indent 8 }}
{{ include "common.pod.properties" $config | indent 6 }}
containers:
# Main container
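Review bot: the removed comment documented an ordering dependency (the inline `affinity:` had to come before `common.pod.properties` so that a user-supplied affinity would win); moving the whole decision into `common.pod.properties.affinity` removes that dependency, which is a real fix and worth calling out in the commit message. The rationale itself should not be lost: a one-line comment in the helper saying that a user override replaces the generated block would carry over what this comment explained.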
@@ -1,6 +1,8 @@
{{- $config := fromYaml (include "admission.policy.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- /* Mark the config as holding a resource of type "Deployment" */ -}}
{{- $_ := set $config "resourceKind" "Deployment" -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: Deployment
Expand All @@ -21,8 +23,6 @@ spec:
labels:
{{ include "common.labels.with.chart" $config | indent 8 }}
spec:
affinity:
{{ include "common.node.affinity.multiarch" $config | indent 8 }}
{{ include "common.pod.properties" $config | indent 6 }}
containers:
# Main container
Expand Up @@ -3,6 +3,8 @@
{{- $config = $config | fromYaml -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" $.Files -}}
{{- /* Mark the config as holding a resource of type "DaemonSet" */ -}}
{{- $_ := set $config "resourceKind" "DaemonSet" -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: DaemonSet
Expand All @@ -23,8 +25,6 @@ spec:
labels:
{{ include "common.labels.with.chart" $config | indent 8 }}
spec:
affinity:
{{ include "common.node.affinity.multiarch" $config | indent 8 }}
{{ include "common.pod.properties" $config | indent 6 }}
hostNetwork: true
containers: