2.34.0: Image Assurance Docker Hub Registry Scanning, AppArmor for K8s 1.30+, affinity improvement #159

Merged 1 commit (Dec 18, 2024)
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.33.1
appVersion: 2.34.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -35,4 +35,4 @@ keywords:
- gke
- autopilot
name: cloudguard
version: 2.33.1
version: 2.34.0
78 changes: 38 additions & 40 deletions checkpoint/cloudguard/README.md
@@ -139,7 +139,6 @@ The following table list the configurable parameters of this chart and their def
| `platform` | Kubernetes platform (kubernetes/ tanzu/ openshift/ openshift.v3/ eks/ eks.bottlerocket/ gke.cos/ gke.autopilot/ k3s/ rke2/ kubernetes.coreos) overriding auto-detection | `kubernetes` |
| `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` |
| `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
| `autoUpgrade` | Enable auto-upgrade (preserve, true or false). 'major.minor' tags will be set for images rather than 'major.minor.patch'" | `preserve` |
| `podAnnotations.custom` | Custom Pod annotations (for all agent Pods) | `{}` |
| `priorityClassName` | Specifies custom priorityClassName | `` |
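Review bot: the `podAnnotations.apparmor` row is dropped without a replacement entry, so after this change the README no longer tells users how an AppArmor profile is applied at all. The PR title says AppArmor is now handled for Kubernetes 1.30+, where the `container.apparmor.security.beta.kubernetes.io/<container>` annotation is deprecated in favour of `securityContext.appArmorProfile`; add a row for whatever value now drives that (it is not visible in this diff) and a short migration note for users who currently set `podAnnotations.apparmor`.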
@@ -265,64 +264,63 @@ The following table list the configurable parameters of this chart and their def
| `addons.runtimeProtection.policy.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.runtimeProtection.daemonConfigurationOverrides` | Overrides for multiple daemonSets with different configuration values | see below |

The default nodeSelector for Admission Control, Inventory and Runtime Protection policy agents is:
The default nodeSelector for the Runtime Protection daemon agent is:
```yaml
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/os: linux
kubernetes.io/arch: amd64
```

The default nodeSelector for other agents is:
```yaml
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
```

The default node affinity for Admission Control, Inventory and Runtime Protection policy agents (deployment)
to support nodes with arm64 and amd64 architectures:
The default affinity is configured to support nodes with arm64 and amd64 architectures:
```yaml
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
```

For Admission Control enforcer agent, it also has default inter-pod anti-affinity ensuring the pods are scheduled on different nodes :
For Admission Control enforcer agent, it also has default inter-pod anti-affinity ensuring the pods are scheduled on different nodes:
```yaml
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- consec-admission-enforcer
topologyKey: "kubernetes.io/hostname"
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- consec-admission-enforcer
topologyKey: "kubernetes.io/hostname"
```

On EKS, DaemonSets are configured with node affinity that prevents Pods from running on Fargate nodes:

```yaml
addons:
imageScan:
enabled: true
daemon:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
addons:
imageScan:
enabled: true
daemon:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
```

The `daemonConfigurationOverrides` object should have one or more objects with unique names (case insensitive), each object must then have a `nodeSelector` data and any additional overrides, such as resource limits and requests. The values defined in `daemon` object are used as a basis for the overrides.\
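Review bot: the new sentence says the default affinity supports arm64 and amd64, but the `nodeSelector` block for "other agents" a few lines above still pins `kubernetes.io/arch: amd64`; nodeSelector and nodeAffinity are both required at scheduling time, so those agents remain amd64-only regardless of the affinity. Either drop the arch entry from that nodeSelector or state explicitly that arm64 scheduling requires overriding `nodeSelector`. The EKS example further down is a user-supplied `affinity`, which with the new helper replaces the default block entirely, so it also loses the multi-arch term; worth one sentence in the docs.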
17 changes: 8 additions & 9 deletions checkpoint/cloudguard/defaults.yaml
@@ -41,7 +41,6 @@ imagePullPolicy: Always
##
podAnnotations:
seccomp: runtime/default
apparmor: {}
custom: {}

## Proxy settings
@@ -69,7 +68,7 @@ inventory:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.15.0
tag: 1.16.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -112,7 +111,7 @@ addons:
priorityClassName: "system-node-critical"
## Specify image and tag
image: checkpoint/consec-imagescan-daemon
tag: 2.37.0
tag: 2.38.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -134,7 +133,7 @@ addons:
shim:
## Specify image and tag
image: checkpoint/consec-imagescan-shim
tag: 2.37.0
tag: 2.38.0

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -169,7 +168,7 @@ addons:
engine:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.37.0
tag: 2.38.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -201,7 +200,7 @@ addons:
list:
## Specify image and tag
image: checkpoint/consec-imagescan-engine
tag: 2.37.0
tag: 2.38.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -272,7 +271,7 @@ addons:
priorityClassName: "system-node-critical"
## Specify image and tag
image: checkpoint/consec-flowlogs-daemon
tag: 0.15.0
tag: 0.16.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -311,7 +310,7 @@ addons:
policy:
## Specify image and tag
image: checkpoint/consec-admission-policy
tag: 1.9.0
tag: 1.10.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
@@ -341,7 +340,7 @@ addons:
enforcer:
## Specify image and tag
image: checkpoint/consec-admission-enforcer
tag: 2.13.0
tag: 2.14.0

## Specify existing service account name ("" to create)
serviceAccountName: ""
80 changes: 43 additions & 37 deletions checkpoint/cloudguard/templates/_helpers.tpl
@@ -42,7 +42,7 @@
{{ printf "%s-%s-%s" (include "name.prefix" .) .featureName .daemonConfigName }}
{{- end -}}

{{- /* Service account name of a given agent (provided in values.yaml or auto-generated */ -}}
{{- /* Service account name of a given agent (provided in values.yaml or auto-generated) */ -}}
{{- define "agent.service.account.name" -}}
{{- default (include "agent.resource.name" .) .agentConfig.serviceAccountName }}
{{- end -}}
@@ -100,10 +100,6 @@ app.created.by.template: {{ (include "is.helm.template.command" .) | quote }}
{{- if and (not (contains "openshift" .platform)) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}:
{{ toYaml .Values.podAnnotations.apparmor | indent 2 }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- if .Values.podAnnotations.custom }}
{{ toYaml .Values.podAnnotations.custom }}
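Review bot: removing this block means a values file that still sets `podAnnotations.apparmor` is now silently ignored, and the workload runs without the profile the operator believes is applied. Consider a render-time guard, e.g. `{{- if .Values.podAnnotations.apparmor }}{{ fail "podAnnotations.apparmor is no longer supported" }}{{- end }}`, or at least a NOTES.txt/README entry, so the drop is loud rather than silent.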
@@ -141,14 +137,8 @@ serviceAccountName: {{ template "agent.service.account.name" . }}
nodeSelector:
{{ toYaml .agentConfig.nodeSelector | indent 2 }}
{{- end }}
{{- $allVirtualAffinities := (include "get.virtualNodesLabels" .) | fromYaml -}}
{{- if .agentConfig.affinity }}
affinity:
{{ .agentConfig.affinity | toYaml | indent 2 }}
{{- else if and (contains "daemon" .agentName) (hasKey $allVirtualAffinities .platform) }}
affinity:
{{ include "daemonset.commonAffinity.labels" . | indent 2 }}
{{- end }}
{{ include "common.pod.properties.affinity" . | indent 2 }}
{{- if .agentConfig.tolerations }}
tolerations:
{{ toYaml .agentConfig.tolerations | indent 2 }}
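Review bot: `{{ include "common.pod.properties.affinity" . | indent 2 }}` is now emitted unconditionally, and the helper always produces a `nodeAffinity:` block when no override is given, so every agent rendered through `common.pod.properties` now gets the multi-arch node affinity, where before only agents with their own `affinity` or daemons on a virtual-node platform got one. Confirm that is intended for all agents, not just the three templates touched in this PR, and that the rendered output carries the `affinity:` parent key above the indented block (no such line is visible in this hunk).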
@@ -503,7 +493,7 @@ usage:
{{- if hasKey $currentConfiguration "containerRuntime" -}}
{{- $containerRuntime := get $currentConfiguration "containerRuntime" -}}
{{- include "validate.container.runtime" $currentConfiguration -}}
{{- $_ := set $copyConfig "containerRuntime" ($containerRuntime | lower) -}}
{{- $_ := set $copyConfig "containerRuntime" ($containerRuntime | lower) -}}
{{- end -}}
{{- $_ := set $mergedAgentConfig "env" ((concat (get $mergedAgentConfig "env") (get $copyAgentConfig "env") ) | uniq) -}}
{{- $_ := set $copyConfig "agentConfig" $mergedAgentConfig -}}
@@ -514,16 +504,37 @@ usage:
{{- end -}}
{{- end -}}

{{- define "common.node.affinity.multiarch" -}}
{{- define "common.pod.properties.affinity" -}}
{{- if .agentConfig.affinity }}
{{- .agentConfig.affinity | toYaml }}
{{- else }}
{{- $allVirtualAffinities := (include "get.virtualNodesLabels" .) | fromYaml -}}
{{- $nodeAffinityMatchExpressions := list (include "common.node.affinity.multiarch" . | fromYaml) -}}
{{- if and (eq "DaemonSet" .resourceKind) (hasKey $allVirtualAffinities .platform) }}
{{- $virtualNodesLabels := get $allVirtualAffinities .platform -}}
{{- range $labelKey, $labelValue := $virtualNodesLabels -}}
{{- $generatedExpression := dict "key" $labelKey "operator" "NotIn" "values" (list $labelValue) -}}
{{- $nodeAffinityMatchExpressions = append $nodeAffinityMatchExpressions ( $generatedExpression ) -}}
{{- end -}}
{{- end -}}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
- matchExpressions:
{{ $nodeAffinityMatchExpressions | toYaml | indent 10 }}
{{- /* add pod anti affinity */ -}}
{{- if and (eq "Deployment" .resourceKind) (and (eq "enforcer" .agentName) (eq "admission" .featureName)) }}
{{ include "deployment.common.affinity.labels" . }}
{{- end }}
{{- end -}}
{{- end -}}

{{- define "common.node.affinity.multiarch" -}}
key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
{{- end -}}

{{- /* virtual node labels, additions should keep the same format.
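Review bot: verify with `helm template` that `{{ $nodeAffinityMatchExpressions | toYaml | indent 10 }}` actually nests under `- matchExpressions:`: `toYaml` emits list items at column 0, so `indent 10` is only correct if that `- matchExpressions:` line sits at column 8, and leading whitespace is not preserved on this page, so it cannot be checked here. Also note that the entire default block, including the virtual-node `NotIn` term for DaemonSets and the enforcer anti-affinity, lives in the `else` branch, so any user-supplied `affinity` replaces all of it; that matches the README's EKS example but should be stated in the docs.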
@@ -537,24 +548,19 @@ eks:
# exampleLabelKey: "example_label_value"
{{- end -}}

{{- /* creating the affinity for DaemonSet to not run on virtual nodes
usage:
`{{- $virtualAffinites := (include "daemonset.commonAffinity.labels" . ) | fromYaml -}}`
*/ -}}
{{- define "daemonset.commonAffinity.labels" -}}
{{- $virtualNodesLabels := get (include "get.virtualNodesLabels" . | fromYaml) .platform -}}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
{{- range $labelKey, $labelValue := $virtualNodesLabels }}
- key: {{$labelKey}}
operator: NotIn
values:
- {{$labelValue}}
{{- define "deployment.common.affinity.labels" -}}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- {{ include "agent.resource.name" . }}
topologyKey: "kubernetes.io/hostname"
{{- end -}}
{{- end -}}


{{- /* list of supported platforms
usage:
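Review bot: the removed `daemonset.commonAffinity.labels` carried a usage comment, but the new `deployment.common.affinity.labels` has none; since it is only meaningful for Deployments and relies on the pods carrying `kubernetes.io/name: <agent.resource.name>`, a short usage comment in the same style as the neighbouring helpers (`{{- /* ... usage: ... */ -}}`) would document both assumptions.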
17 changes: 2 additions & 15 deletions checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml
@@ -1,6 +1,8 @@
{{- $config := fromYaml (include "admission.enforcer.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- /* Mark the config as holding a resource of type "Deployment" */ -}}
{{- $_ := set $config "resourceKind" "Deployment" -}}
{{ if $config.featureConfig.enabled }}
apiVersion: apps/v1
kind: Deployment
@@ -23,21 +25,6 @@ spec:
labels:
{{ include "common.labels.with.chart" $config | indent 8 }}
spec:
# the affinity definition should be BEFORE include "common.pod.properties" .since in case the
#user will add his own "affinity" we want to take his definition
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: "kubernetes.io/name"
operator: In
values:
- {{ include "agent.resource.name" $config }}
topologyKey: "kubernetes.io/hostname"
{{ include "common.node.affinity.multiarch" $config | indent 8 }}
{{ include "common.pod.properties" $config | indent 6 }}
containers:
# Main container
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
{{- $config := fromYaml (include "admission.policy.config" .) -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" .Files -}}
{{- /* Mark the config as holding a resource of type "Deployment" */ -}}
{{- $_ := set $config "resourceKind" "Deployment" -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: Deployment
@@ -21,8 +23,6 @@ spec:
labels:
{{ include "common.labels.with.chart" $config | indent 8 }}
spec:
affinity:
{{ include "common.node.affinity.multiarch" $config | indent 8 }}
{{ include "common.pod.properties" $config | indent 6 }}
containers:
# Main container
Original file line number Diff line number Diff line change
@@ -3,6 +3,8 @@
{{- $config = $config | fromYaml -}}
{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
{{- $_ := set $config "Files" $.Files -}}
{{- /* Mark the config as holding a resource of type "DaemonSet" */ -}}
{{- $_ := set $config "resourceKind" "DaemonSet" -}}
{{- if $config.featureConfig.enabled -}}
apiVersion: apps/v1
kind: DaemonSet
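Review bot: `resourceKind` is now set by hand in each template and the helper selects behaviour with `eq "DaemonSet" .resourceKind` / `eq "Deployment" .resourceKind`, so a DaemonSet template that does not get this line silently loses the virtual-node (Fargate) exclusion; the old check keyed on `contains "daemon" .agentName` and needed no per-template change. A `required "resourceKind must be set" .resourceKind` at the top of `common.pod.properties.affinity` would turn that omission into a render-time error instead.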
@@ -23,8 +25,6 @@ spec:
labels:
{{ include "common.labels.with.chart" $config | indent 8 }}
spec:
affinity:
{{ include "common.node.affinity.multiarch" $config | indent 8 }}
{{ include "common.pod.properties" $config | indent 6 }}
hostNetwork: true
containers: