

2.17.0: new registries scan, IA list batching, RP limited GA (#110)
idoyehiel authored Dec 19, 2022
1 parent 485bd51 commit c90e506
Showing 17 changed files with 266 additions and 125 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.16.0
appVersion: 2.17.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand All @@ -20,4 +20,4 @@ keywords:
- ecr
- ecs
name: cloudguard
version: 2.16.0
version: 2.17.0
35 changes: 18 additions & 17 deletions checkpoint/cloudguard/README.md

Large diffs are not rendered by default.

37 changes: 20 additions & 17 deletions checkpoint/cloudguard/defaults.yaml
100644 → 100755
Expand Up @@ -56,6 +56,8 @@ platform: kubernetes # kubernetes, openshift, openshift.v3, tanzu, eks, eks.bott
seccompProfile:
type: RuntimeDefault

autoUpgrade: false # true or false

daemonSetStrategy:
rollingUpdate:
maxUnavailable: 50%
Expand All @@ -66,7 +68,7 @@ inventory:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.7.1
tag: 1.8.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -106,7 +108,7 @@ addons:

## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 2.15.0
tag: 2.18.1

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -128,7 +130,7 @@ addons:
shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 2.15.0
tag: 2.18.1

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand Down Expand Up @@ -162,7 +164,7 @@ addons:
engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.15.0
tag: 2.18.1

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -193,7 +195,7 @@ addons:
list:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.15.0
tag: 2.18.1

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -226,7 +228,7 @@ addons:
daemon:
## Specify image and tag
image: checkpoint/consec-flowlogs-daemon
tag: 0.7.0
tag: 0.8.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -263,7 +265,7 @@ addons:
policy:
## Specify image and tag
image: checkpoint/consec-admission-policy
tag: 1.2.2
tag: 1.3.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -292,7 +294,7 @@ addons:
enforcer:
## Specify image and tag
image: checkpoint/consec-admission-enforcer
tag: 2.3.0
tag: 2.4.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand Down Expand Up @@ -326,12 +328,13 @@ addons:
runtimeProtection:
enabled: false
BPF: true

enableFileReputation: true

daemon:
## Main container settings
## Specify image and tag
image: checkpoint/consec-runtime-daemon
tag: 0.0.740
tag: 0.0.822

## Specify existing service account name ("" to create)
serviceAccountName: ""
Expand All @@ -344,10 +347,10 @@ addons:
resources:
requests:
cpu: 200m
memory: 500Mi
memory: 300Mi
limits:
cpu: 2000m
memory: 1Gi
cpu: 400m
memory: 800Mi

## Sidecars
probe:
Expand All @@ -362,13 +365,13 @@ addons:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 128Mi
cpu: 400m
memory: 800Mi

fluentbit:
## Specify image and tag
image: checkpoint/consec-fluentbit
tag: 1.6.9-cp
tag: 1.6.9-cp2

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
Expand All @@ -395,7 +398,7 @@ addons:

## Specify custom image ("" to use default)
image: checkpoint/consec-runtime-policy
tag: 1.2.0
tag: 1.3.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
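Review bot: `autoUpgrade: false # true or false` adds a knob whose effect is not explained where operators set it; with the helper changes in this same commit, enabling it drops the patch component from the agent image tags (the `1.8.0`-style tags in this file are pulled as `1.8`), so a floating tag is used and the running image can change without any chart upgrade. A fuller comment is warranted, e.g. `# true: pull floating x.y tags (patch dropped) from quay.io so agents auto-upgrade; this defeats tag pinning, keep false where image pinning or digest policy is required`. `enableFileReputation: true` is also new and default-on with no comment on what it enables or what data leaves the cluster, which operators need in order to decide; a one-line comment there would help. Separately, the mode change `100644 → 100755` gives this values file the executable bit, which looks unintended.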
65 changes: 44 additions & 21 deletions checkpoint/cloudguard/templates/_helpers.tpl
Expand Up @@ -29,25 +29,31 @@
{{- default (include "agent.resource.name" .) .agentConfig.serviceAccountName }}
{{- end -}}

{{- /* Full path to the image of the main container of the provided agent */ -}}
{{- /* Full path to the image of the main container of the provided agent. in case of autoUpgrade enabled we use the version without the patch */ -}}
{{- define "agent.main.image" -}}
{{- $tag := .agentConfig.tag }}
{{- if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages }}
{{- $tag = printf "%s-debug" .agentConfig.tag }}
{{- end }}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url .agentConfig.image $tag }}
{{- default $image .agentConfig.fullImage }}
{{- end -}}

{{- /* Full path to the image of a provided side-car container */ -}}
{{- $tag := .agentConfig.tag }}
{{- if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages }}
{{- $tag = printf "%s-debug" .agentConfig.tag }}
{{- end }}
{{- if and (eq (include "get.autoUpgrade" .) "true") (regexMatch "^\\d+.\\d+.\\d+$" $tag) (ne .agentConfig.image "checkpoint/consec-runtime-daemon") -}}
{{- $tag = regexFind "\\d+.\\d+" $tag }}
{{- end -}}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url .agentConfig.image $tag }}
{{- default $image .agentConfig.fullImage }}
{{- end -}}

{{- /* Full path to the image of a provided side-car container. in case of autoUpgrade enabled we use the version without the patch */ -}}
{{- define "agent.sidecar.image" -}}
{{- $containerConfig := get .agentConfig .containerName }}
{{- $tag := $containerConfig.tag }}
{{- if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages $containerConfig.debugImage }}
{{- $tag = printf "%s-debug" $containerConfig.tag }}
{{- end }}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url $containerConfig.image $tag }}
{{- default $image $containerConfig.fullImage }}
{{- $containerConfig := get .agentConfig .containerName }}
{{- $tag := $containerConfig.tag }}
{{- if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages $containerConfig.debugImage }}
{{- $tag = printf "%s-debug" $containerConfig.tag }}
{{- end }}
{{- if and (eq (include "get.autoUpgrade" .) "true") (regexMatch "^\\d+.\\d+.\\d+$" $tag) (ne .agentConfig.image "checkpoint/consec-runtime-probe") -}}
{{- $tag = regexFind "\\d+.\\d+" $tag }}
{{- end -}}
{{- $image := printf "%s/%s:%s" .Values.imageRegistry.url $containerConfig.image $tag }}
{{- default $image $containerConfig.fullImage }}
{{- end -}}

{{- /* Full path to the fluentbit image used in agent with provided config */ -}}
Expand All @@ -71,7 +77,6 @@ helm.sh/chart: {{ printf "%s-%s" .Chart.name .Chart.version | replace "+" "_" |

{{- /* Pod annotations commonly used in agents */ -}}
{{- define "common.pod.annotations" -}}
agentVersion: {{ .agentConfig.tag }}
{{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
{{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
{{- if and (not (contains "openshift" (include "get.platform" .))) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) }}
Expand Down Expand Up @@ -154,7 +159,10 @@ imagePullSecrets:
fieldPath: spec.nodeName
- name: PLATFORM
value: {{ include "get.platform" . }}

{{- if eq (include "get.autoUpgrade" .) "true" }}
- name: AUTO_UPGRADE_ENABLED
value: "true"
{{- end -}}
{{- template "user.defined.env" . -}}

{{- if .Values.proxy }}
Expand All @@ -163,6 +171,8 @@ imagePullSecrets:
- name: NO_PROXY
value: "kubernetes.default.svc"
{{- end -}}

{{- template "user.defined.env" . -}}
{{- end -}}

{{- /* Environment variables needed for fluentbit-based side-cars */ -}}
Expand Down Expand Up @@ -203,8 +213,8 @@ imagePullSecrets:
Header Node-Name ${NODE_NAME}
Header Agent-Version {{ .agentVersion }}
Compress gzip
http_User {{ .credentials.user }}
http_Passwd {{ .credentials.secret }}
http_User ${USERNAME}
http_Passwd ${SECRET}
Port 443
tls On
tls.verify On
Expand Down Expand Up @@ -430,6 +440,19 @@ eks
{{- end -}}
{{- end -}}


{{/*
if registry is not quay do not enable auto upgrade
*/}}
{{- define "get.autoUpgrade" -}}
{{- if ne .Values.imageRegistry.url "quay.io" -}}
{{- printf "false" -}}
{{- else -}}
{{- printf (.Values.autoUpgrade | toString) -}}
{{- end -}}
{{- end -}}


{{/*
use to know if we run from template (which mean wo have no connection to the cluster and cannot check Capabilities/nodes etc.)
if there is no namespace probably we are running template
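Review bot: In `agent.sidecar.image` the new auto-upgrade guard compares `.agentConfig.image` — the main container's image — with `"checkpoint/consec-runtime-probe"`, so it appears it can never match and the probe sidecar's tag is patch-stripped like every other; if the intent is to exclude the probe, the check should read `(ne $containerConfig.image "checkpoint/consec-runtime-probe")` (or compare `.agentConfig.image` with the runtime daemon image if all of its sidecars are meant to be excluded). The pattern `^\\d+.\\d+.\\d+$` used in both helpers leaves the dots unescaped, so `^\\d+\\.\\d+\\.\\d+$` (and `\\d+\\.\\d+` in the `regexFind`) is what is presumably intended. Because the stripped tag (`:1.8` instead of `:1.8.0`) floats, `get.autoUpgrade` deserves a comment saying that enabling it means image content can change without a chart change and that digest/tag-pinning admission policies on the agent images will no longer see a fixed tag. In `get.autoUpgrade`, `printf (.Values.autoUpgrade | toString)` passes a user-supplied value as the format string; `{{- .Values.autoUpgrade | toString -}}` avoids that. The `${USERNAME}`/`${SECRET}` substitution keeps the fluent-bit credentials out of the rendered config, which is good, provided the sidecar's env sources `SECRET` from a Secret reference — that wiring is outside this hunk.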
@@ -1,12 +1,12 @@
{{- $config := fromYaml (include "admission.enforcer.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{ if $config.featureConfig.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
annotations:
agentVersion: {{ $config.agentConfig.tag }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
spec:
Expand Down Expand Up @@ -61,11 +61,6 @@ spec:
{{- end }}
ports:
- containerPort: 8080
startupProbe:
tcpSocket:
port: 8080
failureThreshold: 2
periodSeconds: 5
volumes:
- name: secret-volume
secret:
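Review bot: Removing the `startupProbe` on port 8080 leaves this admission enforcer Deployment with no probe visible in the hunk; if no `readinessProbe` remains elsewhere in the spec (not visible here), the Service can route webhook calls to a pod that is not yet listening, which either blocks API requests or, with a `failurePolicy: Ignore` webhook, lets workloads through unevaluated. If the probe was dropped because of slow starts, raising `failureThreshold` or keeping a `readinessProbe` with `tcpSocket: {port: 8080}` preserves the gate. The container spec continues outside the hunk.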
@@ -1,12 +1,12 @@
{{- $config := fromYaml (include "admission.policy.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
annotations:
agentVersion: {{ $config.agentConfig.tag }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
spec:
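Review bot: `agentVersion: {{ $config.agentConfig.tag }}` renders the tag unquoted into a metadata annotation; annotation values must be strings, and a two-component tag such as `1.3` (which a user override could supply) is parsed by YAML as a float and then rejected by the API server. `agentVersion: {{ $config.agentConfig.tag | quote }}` avoids this; the same annotation appears in the other Deployment/DaemonSet manifests of this commit. The default `1.3.0` is safe only because three dotted components are not a number.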
@@ -1,12 +1,12 @@
{{- $config := fromYaml (include "flowlogs.daemon.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
annotations:
agentVersion: {{ $config.agentConfig.tag }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
spec:
@@ -1,12 +1,12 @@
{{- $config := fromYaml (include "imagescan.daemon.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
annotations:
agentVersion: {{ $config.agentConfig.tag }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
spec:
@@ -1,12 +1,12 @@
{{- $config := fromYaml (include "imagescan.engine.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
annotations:
agentVersion: {{ $config.agentConfig.tag }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
spec:
Expand Up @@ -10,7 +10,7 @@ metadata:
{{ include "common.labels.with.chart" $config | indent 4 }}
rules:
- apiGroups: [ "" ]
resources: [ "pods", "secrets" ]
resources: [ "pods", "secrets", "configmaps" ]
verbs: [ "list", "get"]
{{- if $config.Values.rbac.pspEnabled }}
- apiGroups: [ "policy" ]
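Review bot: Adding `configmaps` to a rule that already grants `list`/`get` on all `secrets` broadens the list agent's read access; the role's `kind` is outside the hunk, and if it is a ClusterRole this is cluster-wide read of every ConfigMap and Secret. If the agent only needs particular registry-configuration ConfigMaps (the commit title mentions a new registries scan, so presumably), a separate rule scoped with `resourceNames`, or a namespaced Role, would keep it closer to least privilege. Either way, a comment above the rule stating why each resource is needed would help the next reviewer, e.g. `# configmaps: registry scan configuration read by the list agent — TODO confirm`.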
@@ -1,12 +1,12 @@
{{- $config := fromYaml (include "imagescan.list.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
annotations:
agentVersion: {{ $config.agentConfig.tag }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
imagescan-agent-type: list
@@ -1,11 +1,11 @@
{{- $config := fromYaml (include "inventory.agent.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "agent.resource.name" $config }}
namespace: {{ .Release.Namespace }}
annotations:
agentVersion: {{ $config.agentConfig.tag }}
labels:
{{ include "common.labels.with.chart" $config | indent 4 }}
spec:
