From 052d952e4cce4ca5d75618db1762fcea17744e46 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Mon, 16 Sep 2024 14:41:45 +0200
Subject: [PATCH] Revert "remove continuous scanning config"
This reverts commit 37cf5dd61427be87eafd8c78ecae2550258aeddd.
Signed-off-by: Matthias Bertschy
---
 .../kubescape-operator/templates/_common.tpl | 2 +
 .../templates/configs/cloudapi-configmap.yaml | 1 +
 .../configs/matchingRules-configmap.yaml | 11 +
 .../templates/operator/deployment.yaml | 11 +
 .../__snapshot__/snapshot_test.yaml.snap | 796 ++++++++++-------
 .../tests/snapshot_test.yaml | 1 +
 charts/kubescape-operator/values.yaml | 19 +
 7 files changed, 507 insertions(+), 334 deletions(-)
 create mode 100644 charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml
diff --git a/charts/kubescape-operator/templates/_common.tpl b/charts/kubescape-operator/templates/_common.tpl
index 113b4c0b..3eeefc40 100644
--- a/charts/kubescape-operator/templates/_common.tpl
+++ b/charts/kubescape-operator/templates/_common.tpl
@@ -8,6 +8,7 @@ capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.g
 cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | sha256sum }}
 cloudSecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloud-secret.yaml" ) . | sha256sum }}
 hostScannerConfig: {{ include (printf "%s/kubescape/host-scanner-definition-configmap.yaml" $.Template.BasePath ) . | sha256sum }}
+matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "matchingRules-configmap.yaml") . | sha256sum }}
 nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | sha256sum }}
 operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | sha256sum }}
 otelConfig: {{ include (printf "%s/otel-collector/configmap.yaml" $.Template.BasePath) . | sha256sum }}
@@ -21,6 +22,7 @@ synchronizerConfig: {{ include (printf "%s/synchronizer/configmap.yaml" $.Templa
 {{- $ksOtel := empty .Values.otelCollector.disable -}}
 {{- $otel := not (empty .Values.configurations.otelUrl) -}}
 {{- $submit := not (empty .Values.server) -}}
+continuousScan: {{ and (eq .Values.capabilities.continuousScan "enable") (not $submit) }}
 createCloudSecret: {{ $createCloudSecret }}
 ksOtel: {{ and $ksOtel $submit }}
 otel: {{ $otel }}
diff --git a/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml b/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml
index 425737c7..18cbc6e1 100644
--- a/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml
+++ b/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml
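Review bot: The new `continuousScan` line in the second hunk forces the capability to `false` whenever `.Values.server` is non-empty (`$submit`), and nothing in the template records that precedence, so a user who sets `capabilities.continuousScan: enable` together with a backend server gets it silently disabled. A template comment above the line would make this visible to the next maintainer, e.g. `{{- /* continuousScan is forced off when a backend server is configured ($submit) */ -}}`. The `.Values.capabilities.continuousScan` key is presumably restored in values.yaml by this same revert (it is listed in the diffstat but not shown here), so the `eq` comparison should have a real string to work on. The define block that holds these lines starts and ends outside the hunk.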
@@ -43,6 +43,7 @@ data:
 "keepLocal": {{ not $components.serviceDiscovery.enabled }},
 "scanTimeout": "{{ .Values.kubevuln.config.scanTimeout }}",
 "vexGeneration": {{ eq .Values.capabilities.vexGeneration "enable" }},
+ "continuousPostureScan": {{ $configurations.continuousScan }},
 {{- if not (empty .Values.kubevuln.config.grypeDbListingURL) }}
 "listingURL": "{{ .Values.kubevuln.config.grypeDbListingURL }}",
 {{- end }}
diff --git a/charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml b/charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml
new file mode 100644
index 00000000..c6265f11
--- /dev/null
+++ b/charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml
@@ -0,0 +1,11 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ .Values.continuousScanning.configMapName }}
+ namespace: {{ .Values.ksNamespace }}
+ labels:
+ {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.ksLabel "tier" .Values.global.namespaceTier) | nindent 4 }}
+ kubescape.io/tier: "core"
+data:
+ matchingRules.json: |
+ {{ mustToJson .Values.continuousScanning.matchingRules }}
diff --git a/charts/kubescape-operator/templates/operator/deployment.yaml b/charts/kubescape-operator/templates/operator/deployment.yaml
index 5ad2eedc..02d07c57 100644
--- a/charts/kubescape-operator/templates/operator/deployment.yaml
+++ b/charts/kubescape-operator/templates/operator/deployment.yaml
@@ -29,6 +29,7 @@ spec:
 checksum/cloud-secret: {{ $checksums.cloudSecret }}
 checksum/cloud-config: {{ $checksums.cloudConfig }}
 checksum/capabilities-config: {{ $checksums.capabilitiesConfig }}
+ checksum/matching-rules-config: {{ $checksums.matchingRulesConfig }}
 {{- if ne .Values.global.proxySecretFile "" }}
 checksum/proxy-config: {{ $checksums.proxySecret }}
 {{- end }}
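Review bot: The new matchingRules-configmap.yaml template is rendered unconditionally, with no `{{- if ... }}` guard on `capabilities.continuousScan`, and the snapshot for the default capabilities (later in this patch) shows `cs-matching-rules` present while `"continuousPostureScan": false`. That is required, because the operator Deployment in this same patch mounts `matchingRules.json` unconditionally, but the template does not say so and a later maintainer could reasonably add a capability guard and break the Pod's volume reference. A leading template comment would pin the contract, e.g. `{{- /* always rendered: the operator Deployment mounts matchingRules.json unconditionally */ -}}`. Separately, the `kubescape.io/tier: "core"` label is quoted while every other scalar in the file is plain; either form is fine, but the file should pick one.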
@@ -133,6 +134,10 @@ spec:
 mountPath: /etc/config/capabilities.json
 readOnly: true
 subPath: "capabilities.json"
+ - name: {{ .Values.continuousScanning.configMapName }}
+ mountPath: /etc/config/matchingRules.json
+ readOnly: true
+ subPath: "matchingRules.json"
 - name: config
 mountPath: /etc/config/config.json
 readOnly: true
@@ -201,6 +206,12 @@ spec:
 items:
 - key: "config.json"
 path: "config.json"
+ - name: {{ .Values.continuousScanning.configMapName }}
+ configMap:
+ name: {{ .Values.continuousScanning.configMapName }}
+ items:
+ - key: "matchingRules.json"
+ path: "matchingRules.json"
 {{- if .Values.volumes }}
 {{ toYaml .Values.volumes | indent 8 }}
 {{- end }}
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index c9865ef2..0572ffcd 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -253,6 +253,7 @@ all capabilities: "keepLocal": false, "scanTimeout": "5m", "vexGeneration": true, + "continuousPostureScan": false, "listingURL": "http://grype-offline-db:80/listing.json", "relevantImageVulnerabilitiesConfiguration": "enable" }
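Review bot: Both the volumeMount in this hunk and the volume in the next one use `.Values.continuousScanning.configMapName` as the volume *name*, whereas the sibling entry in the same list uses a fixed name (`config`) and templates only the ConfigMap reference. A volume name has to be a valid DNS label and is matched by string between `volumeMounts` and `volumes`, so a values override with an uppercase, dotted or over-long ConfigMap name would invalidate the Pod spec rather than just the ConfigMap lookup; decoupling them is a two-line change: `- name: matching-rules` in the mount and `- name: matching-rules` in the volume, keeping `name: {{ .Values.continuousScanning.configMapName }}` under `configMap:`. Note also that a `subPath` mount does not receive in-place ConfigMap updates, which is covered here only because the `checksum/matching-rules-config` annotation added earlier in this file forces a rollout; a short comment on the mount saying so would stop someone from dropping the annotation later. Both the container's `volumeMounts` list and the `volumes` list start outside these hunks.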
@@ -285,7 +286,7 @@ all capabilities: data: capabilities: | { - "capabilities":{"admissionController":"enable","autoUpgrading":"enable","configurationScan":"enable","httpDetection":"enable","malwareDetection":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeScan":"enable","prometheusExporter":"enable","relevancy":"enable","runtimeDetection":"enable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"enable","vulnerabilityScan":"enable"}, + "capabilities":{"admissionController":"enable","autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","httpDetection":"enable","malwareDetection":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeScan":"enable","prometheusExporter":"enable","relevancy":"enable","runtimeDetection":"enable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"enable","vulnerabilityScan":"enable"}, "components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"otelUrl":"otelCollector:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} 
@@ -326,6 +327,26 @@ all capabilities: namespace: kubescape type: Opaque 11: | + apiVersion: v1 + data: + matchingRules.json: | + {"match":[{"apiGroups":["apps"],"apiVersions":["v1"],"resources":["deployments"]}],"namespaces":["default"]} + kind: ConfigMap + metadata: + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/version: 1.21.2 + helm.sh/chart: kubescape-operator-1.21.2 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: cs-matching-rules + namespace: kubescape + 12: | apiVersion: scheduling.k8s.io/v1 description: This priority class is for node-agent daemonset pods globalDefault: false @@ -343,7 +364,7 @@ all capabilities: tier: ks-control-plane name: kubescape-critical value: 1.000001e+08 - 12: | + 13: | apiVersion: apps/v1 kind: Deployment metadata: @@ -376,7 +397,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: 6b20bdf91cc21bcf1df27f84a619ee215e3ec83f630a09ec9fc657a0282559e1 + checksum/cloud-config: 13aedfe46132f81dbb08ee4752e47cf151fb1cab274a7e3a90021cf64759246f checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: @@ -501,7 +522,7 @@ all capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config - 13: | + 14: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -563,7 +584,7 @@ all capabilities: policyTypes: - Ingress - Egress - 14: | + 15: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -587,7 +608,7 @@ all capabilities: - kind: ServiceAccount name: gateway namespace: kubescape - 15: | + 16: | apiVersion: v1 kind: Service metadata: 
@@ -618,7 +639,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 16: | + 17: | apiVersion: v1 kind: ServiceAccount metadata: @@ -634,7 +655,7 @@ all capabilities: tier: ks-control-plane name: gateway namespace: kubescape - 17: | + 18: | apiVersion: apps/v1 kind: Deployment metadata: @@ -700,7 +721,7 @@ all capabilities: - name: foo nodeSelector: null tolerations: null - 18: | + 19: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -734,7 +755,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Ingress - 19: | + 20: | apiVersion: v1 kind: Service metadata: @@ -760,7 +781,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 20: | + 21: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -781,7 +802,7 @@ all capabilities: - statefulsets verbs: - delete - 21: | + 22: | apiVersion: v1 kind: ServiceAccount metadata: @@ -793,7 +814,7 @@ all capabilities: app: label-selector-force-replace name: label-selector-force-replace namespace: kubescape - 22: | + 23: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -813,7 +834,7 @@ all capabilities: - kind: ServiceAccount name: label-selector-force-replace namespace: kubescape - 23: | + 24: | apiVersion: batch/v1 kind: Job metadata: @@ -841,7 +862,7 @@ all capabilities: name: label-selector-force-replace restartPolicy: Never serviceAccountName: label-selector-force-replace - 24: | + 25: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -891,7 +912,7 @@ all capabilities: - get - watch - list - 25: | + 26: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -914,7 +935,7 @@ all capabilities: - kind: ServiceAccount name: kollector namespace: kubescape - 26: | + 27: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -971,7 +992,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 27: | + 28: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -995,7 +1016,7 @@ all capabilities: - kind: ServiceAccount name: kollector namespace: kubescape - 28: | + 29: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -1012,7 +1033,7 @@ all capabilities: tier: ks-control-plane name: kollector namespace: kubescape - 29: | + 30: | apiVersion: apps/v1 kind: StatefulSet metadata: @@ -1040,7 +1061,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: 6b20bdf91cc21bcf1df27f84a619ee215e3ec83f630a09ec9fc657a0282559e1 + checksum/cloud-config: 13aedfe46132f81dbb08ee4752e47cf151fb1cab274a7e3a90021cf64759246f checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: @@ -1162,7 +1183,7 @@ all capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config - 30: | + 31: | apiVersion: v1 data: request-body.json: '{"commands":[{"CommandName":"kubescapeScan","args":{"scanV1": {}}}]}' @@ -1181,7 +1202,7 @@ all capabilities: tier: ks-control-plane name: kubescape-scheduler namespace: kubescape - 31: | + 32: | apiVersion: batch/v1 kind: CronJob metadata: @@ -1260,7 +1281,7 @@ all capabilities: name: kubescape-scheduler schedule: 1 2 3 4 5 successfulJobsHistoryLimit: 3 - 32: | + 33: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -1308,7 +1329,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 33: | + 34: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1517,7 +1538,7 @@ all capabilities: - get - watch - list - 34: | + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -1540,7 +1561,7 @@ all capabilities: - kind: ServiceAccount name: kubescape namespace: kubescape - 35: | + 36: | apiVersion: apps/v1 kind: Deployment metadata: @@ -1573,7 +1594,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: 6b20bdf91cc21bcf1df27f84a619ee215e3ec83f630a09ec9fc657a0282559e1 + checksum/cloud-config: 13aedfe46132f81dbb08ee4752e47cf151fb1cab274a7e3a90021cf64759246f checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/host-scanner-configmap: 3cde3d6be6e30ae13883eed05b19b7ebbd8bbe2c1136e4a9e65545f29b4a1d15 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff @@ -1731,7 +1752,7 @@ all capabilities: name: results - emptyDir: {} name: failed - 36: | + 37: | apiVersion: v1 data: host-scanner-yaml: |- @@ -1857,7 +1878,7 @@ all capabilities: tier: ks-control-plane name: host-scanner-definition namespace: kubescape - 37: | + 38: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -1936,7 +1957,7 @@ all capabilities: policyTypes: - Ingress - Egress - 38: | + 39: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -1965,7 +1986,7 @@ all capabilities: - list - patch - delete - 39: | + 40: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -1989,7 +2010,7 @@ all capabilities: - kind: ServiceAccount name: kubescape namespace: kubescape - 40: | + 41: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -2013,7 +2034,7 @@ all capabilities: - kind: ServiceAccount name: kubescape namespace: kubescape - 41: | + 42: | apiVersion: v1 kind: Service metadata: @@ -2040,7 +2061,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 42: | + 43: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -2057,7 +2078,7 @@ all capabilities: tier: ks-control-plane name: kubescape namespace: kubescape - 43: | + 44: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -2087,7 +2108,7 @@ all capabilities: app.kubernetes.io/component: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 44: | + 45: | apiVersion: v1 data: request-body.json: '{"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}' @@ -2106,7 +2127,7 @@ all capabilities: tier: ks-control-plane name: kubevuln-scheduler namespace: kubescape - 45: | + 46: | apiVersion: batch/v1 kind: CronJob metadata: @@ -2183,7 +2204,7 @@ all capabilities: name: kubevuln-scheduler schedule: 1 2 3 4 5 successfulJobsHistoryLimit: 3 - 46: | + 47: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -2231,7 +2252,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 47: | + 48: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -2269,7 +2290,7 @@ all capabilities: - get - watch - list - 48: | + 49: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -2292,7 +2313,7 @@ all capabilities: - kind: ServiceAccount name: kubevuln namespace: kubescape - 49: | + 50: | apiVersion: apps/v1 kind: Deployment metadata: @@ -2322,7 +2343,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: 6b20bdf91cc21bcf1df27f84a619ee215e3ec83f630a09ec9fc657a0282559e1 + checksum/cloud-config: 13aedfe46132f81dbb08ee4752e47cf151fb1cab274a7e3a90021cf64759246f checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: @@ -2453,7 +2474,7 @@ all capabilities: name: ks-cloud-config - emptyDir: {} name: grype-db - 50: | + 51: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -2515,7 +2536,7 @@ all capabilities: policyTypes: - Ingress - Egress - 51: | + 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -2539,7 +2560,7 @@ all capabilities: - kind: ServiceAccount name: kubevuln namespace: kubescape - 52: | + 53: | apiVersion: v1 kind: Service metadata: @@ -2563,7 +2584,7 @@ all capabilities: selector: app: kubevuln type: ClusterIP - 53: | + 54: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -2580,7 +2601,7 @@ all capabilities: tier: ks-control-plane name: kubevuln namespace: kubescape - 54: | + 55: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -2667,7 +2688,7 @@ all capabilities: verbs: - list - watch - 55: | + 56: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -2690,7 +2711,7 @@ all capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 56: | + 57: | apiVersion: v1 data: config.json: | @@ -2731,7 +2752,7 @@ all capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 57: | + 58: | apiVersion: v1 data: clamd.conf: |- @@ -2767,7 +2788,7 @@ all capabilities: metadata: name: clamav namespace: kubescape - 58: | + 59: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -2793,7 +2814,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: 6b20bdf91cc21bcf1df27f84a619ee215e3ec83f630a09ec9fc657a0282559e1 + checksum/cloud-config: 13aedfe46132f81dbb08ee4752e47cf151fb1cab274a7e3a90021cf64759246f checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/node-agent-config: ccadc931c5eae2b874a3fc4169acaaf9dbbe78aa77dfc63e6684708a4977483d checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff @@ -3020,7 +3041,7 @@ all capabilities: - name: custom-ca-certificates secret: secretName: custom-ca-certificates - 59: | + 60: | apiVersion: kubescape.io/v1 kind: RuntimeRuleAlertBinding metadata: 
@@ -3074,7 +3095,7 @@ all capabilities: - ruleName: Exec to pod - ruleName: Port forward - ruleName: Unexpected Egress Network Traffic - 60: | + 61: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -3122,7 +3143,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 61: | + 62: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -3146,7 +3167,7 @@ all capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 62: | + 63: | apiVersion: v1 kind: Service metadata: @@ -3170,7 +3191,7 @@ all capabilities: targetPort: 8080 selector: app.kubernetes.io/name: node-agent - 63: | + 64: | apiVersion: v1 kind: ServiceAccount metadata: @@ -3186,7 +3207,7 @@ all capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 64: | + 65: | apiVersion: v1 kind: Service metadata: @@ -3211,7 +3232,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 65: | + 66: | apiVersion: v1 data: tls.crt: bW9jay1jZXJ0LWNlcnQ= @@ -3231,7 +3252,7 @@ all capabilities: name: kubescape-admission-webhook.NAMESPACE.svc-kubescape-tls-pair namespace: kubescape type: kubernetes.io/tls - 66: | + 67: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -3277,7 +3298,7 @@ all capabilities: - rolebindings scope: '*' sideEffects: None - 67: | + 68: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -3361,7 +3382,7 @@ all capabilities: - update - delete - patch - 68: | + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -3384,7 +3405,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 69: | + 70: | apiVersion: v1 data: config.json: | @@ -3410,7 +3431,7 @@ all capabilities: tier: ks-control-plane name: operator namespace: kubescape - 70: | + 71: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -3443,9 +3464,10 @@ all capabilities: template: metadata: annotations: - checksum/capabilities-config: 2cf4362bfd6d5916bc4119b44cbf888c513620d219fde69716e376027094e4c3 - checksum/cloud-config: 6b20bdf91cc21bcf1df27f84a619ee215e3ec83f630a09ec9fc657a0282559e1 + checksum/capabilities-config: 2adc0938ae0d944740ba311701f593fd0b33fab476621a92ada27d410df79708 + checksum/cloud-config: 13aedfe46132f81dbb08ee4752e47cf151fb1cab274a7e3a90021cf64759246f checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 + checksum/matching-rules-config: c50aba6f0329c36ec97f5466e2b309c8ceba85d8a6c2b56839c46692d9a82013 checksum/operator-config: 9288d49e367aa5910aa99826f8be769883ca1968d70e4d462ba88450de6b1773 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: @@ -3543,6 +3565,10 @@ all capabilities: name: ks-capabilities readOnly: true subPath: capabilities.json + - mountPath: /etc/config/matchingRules.json + name: cs-matching-rules + readOnly: true + subPath: matchingRules.json - mountPath: /etc/config/config.json name: config readOnly: true @@ -3599,7 +3625,13 @@ all capabilities: path: config.json name: operator name: config - 71: | + - configMap: + items: + - key: matchingRules.json + path: matchingRules.json + name: cs-matching-rules + name: cs-matching-rules + 72: | apiVersion: v1 data: cronjobTemplate: |- @@ -3680,7 +3712,7 @@ all capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 72: | + 73: | apiVersion: v1 data: cronjobTemplate: |- @@ -3761,7 +3793,7 @@ all capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 73: | + 74: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -3857,7 +3889,7 @@ all capabilities: policyTypes: - Ingress - Egress - 74: | + 75: | apiVersion: v1 data: cronjobTemplate: |- 
@@ -3938,7 +3970,7 @@ all capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 75: | + 76: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -3980,7 +4012,7 @@ all capabilities: - list - patch - delete - 76: | + 77: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -4004,7 +4036,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 77: | + 78: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -4028,7 +4060,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 78: | + 79: | apiVersion: v1 kind: Service metadata: @@ -4054,7 +4086,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 79: | + 80: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -4071,7 +4103,7 @@ all capabilities: tier: ks-control-plane name: operator namespace: kubescape - 80: | + 81: | apiVersion: v1 data: otel-collector-config.yaml: "\n# receivers configure how data gets into the Collector.\nreceivers:\n otlp:\n protocols:\n grpc:\n endpoint: 0.0.0.0:4317\n http:\n endpoint: 0.0.0.0:4318\n hostmetrics:\n collection_interval: 30s\n scrapers:\n cpu:\n memory:\n\n# processors specify what happens with the received data.\nprocessors:\n attributes/ksCloud:\n actions:\n - key: account_id\n value: \"9e6c0c2c-6bd0-4919-815b-55030de7c9a0\"\n action: upsert\n - key: cluster_name\n value: \"kind-kind\"\n action: upsert\n batch:\n send_batch_size: 10000\n timeout: 10s\n\n# exporters configure how to send processed data to one or more backends.\nexporters:\n otlp/ksCloud:\n endpoint: ${env:CLOUD_OTEL_COLLECTOR_URL}\n tls:\n insecure: false\n otlp:\n endpoint: \"otelCollector:4317\"\n tls:\n insecure: true\n headers:\n uptrace-dsn: \n\n# service pulls the configured receivers, processors, and exporters together into\n# processing pipelines. Unused receivers/processors/exporters are ignored.\nservice:\n pipelines:\n traces:\n receivers: [otlp]\n processors: [batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics/2:\n receivers: [hostmetrics]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n logs:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp" @@ -4090,7 +4122,7 @@ all capabilities: tier: ks-control-plane name: otel-collector-config namespace: kubescape - 81: | + 82: | apiVersion: apps/v1 kind: Deployment metadata: @@ -4207,7 +4239,7 @@ all capabilities: - configMap: name: otel-collector-config name: otel-collector-config-volume - 82: | + 83: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -4269,7 +4301,7 @@ all capabilities: policyTypes: - Ingress - Egress - 83: | + 84: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -4293,7 +4325,7 @@ all capabilities: - kind: ServiceAccount name: otel-collector namespace: kubescape - 84: | + 85: | apiVersion: v1 kind: Service metadata: @@ -4322,7 +4354,7 @@ all capabilities: selector: app: otel-collector type: ClusterIP - 85: | + 86: | apiVersion: v1 kind: ServiceAccount metadata: @@ -4338,7 +4370,7 @@ all capabilities: tier: ks-control-plane name: otel-collector namespace: kubescape - 86: | + 87: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -4363,7 +4395,7 @@ all capabilities: - get - watch - list - 87: | + 88: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -4386,7 +4418,7 @@ all capabilities: - kind: ServiceAccount name: prometheus-exporter namespace: kubescape - 88: | + 89: | apiVersion: apps/v1 kind: Deployment metadata: @@ -4486,7 +4518,7 @@ all capabilities: path: clusterData.json name: ks-cloud-config name: ks-cloud-config - 89: | + 90: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -4514,7 +4546,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Ingress - 90: | + 91: | apiVersion: v1 kind: Service metadata: @@ -4538,7 +4570,7 @@ all capabilities: selector: app: prometheus-exporter type: null - 91: | + 92: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -4555,7 +4587,7 @@ all capabilities: tier: ks-control-plane name: prometheus-exporter namespace: kubescape - 92: | + 93: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -4584,7 +4616,7 @@ all capabilities: app.kubernetes.io/component: prometheus-exporter app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 93: | + 94: | apiVersion: v1 data: proxy.crt: foo 
@@ -4607,7 +4639,7 @@ all capabilities: name: kubescape-proxy-certificate namespace: kubescape type: Opaque - 94: | + 95: | apiVersion: batch/v1 kind: Job metadata: @@ -4705,7 +4737,7 @@ all capabilities: - name: proxy-secret secret: secretName: kubescape-proxy-certificate - 95: | + 96: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -4736,7 +4768,7 @@ all capabilities: - patch - get - list - 96: | + 97: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -4764,7 +4796,7 @@ all capabilities: - kind: ServiceAccount name: service-discovery namespace: kubescape - 97: | + 98: | apiVersion: v1 kind: ServiceAccount metadata: @@ -4784,7 +4816,7 @@ all capabilities: tier: ks-control-plane name: service-discovery namespace: kubescape - 98: | + 99: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -4808,7 +4840,7 @@ all capabilities: namespace: kubescape version: v1beta1 versionPriority: 15 - 99: | + 100: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -4914,7 +4946,7 @@ all capabilities: - get - watch - list - 100: | + 101: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -4937,7 +4969,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 101: | + 102: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -4960,7 +4992,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 102: | + 103: | apiVersion: apps/v1 kind: Deployment metadata: @@ -5073,7 +5105,7 @@ all capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config - 103: | + 104: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -5132,7 +5164,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 104: | + 105: | apiVersion: v1 kind: PersistentVolumeClaim metadata: 
@@ -5155,7 +5187,7 @@ all capabilities: resources: requests: storage: 5Gi - 105: | + 106: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -5179,7 +5211,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 106: | + 107: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -5203,7 +5235,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 107: | + 108: | apiVersion: v1 kind: Service metadata: @@ -5228,7 +5260,7 @@ all capabilities: app.kubernetes.io/component: storage app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 108: | + 109: | apiVersion: v1 kind: ServiceAccount metadata: @@ -5244,7 +5276,7 @@ all capabilities: tier: ks-control-plane name: storage namespace: kubescape - 109: | + 110: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -5388,7 +5420,7 @@ all capabilities: - get - watch - list - 110: | + 111: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -5411,7 +5443,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 111: | + 112: | apiVersion: v1 data: config.json: | @@ -5628,7 +5660,7 @@ all capabilities: tier: ks-control-plane name: synchronizer namespace: kubescape - 112: | + 113: | apiVersion: apps/v1 kind: Deployment metadata: @@ -5658,7 +5690,7 @@ all capabilities: template: metadata: annotations: - checksum/cloud-config: 6b20bdf91cc21bcf1df27f84a619ee215e3ec83f630a09ec9fc657a0282559e1 + checksum/cloud-config: 13aedfe46132f81dbb08ee4752e47cf151fb1cab274a7e3a90021cf64759246f checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff checksum/synchronizer-configmap: ab71b6ff231a136b6e413613d4ab385e487eb8363aebc8cb0468a64a76666f8a 
@@ -5781,7 +5813,7 @@ all capabilities: path: config.json name: synchronizer name: config - 113: | + 114: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -5843,7 +5875,7 @@ all capabilities: policyTypes: - Ingress - Egress - 114: | + 115: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -5867,7 +5899,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 115: | + 116: | apiVersion: v1 kind: Service metadata: @@ -5891,7 +5923,7 @@ all capabilities: selector: app: synchronizer type: ClusterIP - 116: | + 117: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -5976,6 +6008,7 @@ default capabilities: "keepLocal": false, "scanTimeout": "5m", "vexGeneration": false, + "continuousPostureScan": false, "listingURL": "http://grype-offline-db:80/listing.json", "relevantImageVulnerabilitiesConfiguration": "enable" } @@ -6029,6 +6062,26 @@ default capabilities: name: ks-capabilities namespace: kubescape 5: | + apiVersion: v1 + data: + matchingRules.json: | + {"match":[{"apiGroups":["apps"],"apiVersions":["v1"],"resources":["deployments"]}],"namespaces":["default"]} + kind: ConfigMap + metadata: + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/version: 1.21.2 + helm.sh/chart: kubescape-operator-1.21.2 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: cs-matching-rules + namespace: kubescape + 6: | apiVersion: scheduling.k8s.io/v1 description: This priority class is for node-agent daemonset pods globalDefault: false @@ -6046,7 +6099,7 @@ default capabilities: tier: ks-control-plane name: kubescape-critical value: 1.000001e+08 - 6: | + 7: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -6079,7 +6132,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: 83d2370bd782db4cf4cb8c0ca23b398bc11280708b95649f975cb79b78163d66 + checksum/cloud-config: 3d2661a789bbdab1ea25a618d413d9c6272bf5527d727a68920c7c99441e5dd9 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: @@ -6192,7 +6245,7 @@ default capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config - 7: | + 8: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -6248,7 +6301,7 @@ default capabilities: policyTypes: - Ingress - Egress - 8: | + 9: | apiVersion: v1 kind: Service metadata: @@ -6279,7 +6332,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 9: | + 10: | apiVersion: v1 kind: ServiceAccount metadata: @@ -6295,7 +6348,7 @@ default capabilities: tier: ks-control-plane name: gateway namespace: kubescape - 10: | + 11: | apiVersion: apps/v1 kind: Deployment metadata: @@ -6359,7 +6412,7 @@ default capabilities: runAsNonRoot: true nodeSelector: null tolerations: null - 11: | + 12: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -6393,7 +6446,7 @@ default capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Ingress - 12: | + 13: | apiVersion: v1 kind: Service metadata: @@ -6419,7 +6472,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 13: | + 14: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -6440,7 +6493,7 @@ default capabilities: - statefulsets verbs: - delete - 14: | + 15: | apiVersion: v1 kind: ServiceAccount metadata: 
@@ -6452,7 +6505,7 @@ default capabilities: app: label-selector-force-replace name: label-selector-force-replace namespace: kubescape - 15: | + 16: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -6472,7 +6525,7 @@ default capabilities: - kind: ServiceAccount name: label-selector-force-replace namespace: kubescape - 16: | + 17: | apiVersion: batch/v1 kind: Job metadata: @@ -6500,7 +6553,7 @@ default capabilities: name: label-selector-force-replace restartPolicy: Never serviceAccountName: label-selector-force-replace - 17: | + 18: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -6550,7 +6603,7 @@ default capabilities: - get - watch - list - 18: | + 19: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -6573,7 +6626,7 @@ default capabilities: - kind: ServiceAccount name: kollector namespace: kubescape - 19: | + 20: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -6624,7 +6677,7 @@ default capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 20: | + 21: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -6641,7 +6694,7 @@ default capabilities: tier: ks-control-plane name: kollector namespace: kubescape - 21: | + 22: | apiVersion: apps/v1 kind: StatefulSet metadata: @@ -6669,7 +6722,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: 83d2370bd782db4cf4cb8c0ca23b398bc11280708b95649f975cb79b78163d66 + checksum/cloud-config: 3d2661a789bbdab1ea25a618d413d9c6272bf5527d727a68920c7c99441e5dd9 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: 
@@ -6779,7 +6832,7 @@ default capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config - 22: | + 23: | apiVersion: v1 data: request-body.json: '{"commands":[{"CommandName":"kubescapeScan","args":{"scanV1": {}}}]}' @@ -6798,7 +6851,7 @@ default capabilities: tier: ks-control-plane name: kubescape-scheduler namespace: kubescape - 23: | + 24: | apiVersion: batch/v1 kind: CronJob metadata: @@ -6875,7 +6928,7 @@ default capabilities: name: kubescape-scheduler schedule: 1 2 3 4 5 successfulJobsHistoryLimit: 3 - 24: | + 25: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -6917,7 +6970,7 @@ default capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 25: | + 26: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -7126,7 +7179,7 @@ default capabilities: - get - watch - list - 26: | + 27: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -7149,7 +7202,7 @@ default capabilities: - kind: ServiceAccount name: kubescape namespace: kubescape - 27: | + 28: | apiVersion: apps/v1 kind: Deployment metadata: @@ -7182,7 +7235,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: 83d2370bd782db4cf4cb8c0ca23b398bc11280708b95649f975cb79b78163d66 + checksum/cloud-config: 3d2661a789bbdab1ea25a618d413d9c6272bf5527d727a68920c7c99441e5dd9 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/host-scanner-configmap: e32a6bb510d9e33e34c20db0a99798e011054b0c99d2f145b0e929408528373f checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff @@ -7328,7 +7381,7 @@ default capabilities: name: results - emptyDir: {} name: failed - 28: | + 29: | apiVersion: v1 data: host-scanner-yaml: |- @@ -7452,7 +7505,7 @@ default capabilities: tier: ks-control-plane name: host-scanner-definition namespace: kubescape - 29: | + 30: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -7520,7 +7573,7 @@ default capabilities: policyTypes: - Ingress - Egress - 30: | + 31: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -7549,7 +7602,7 @@ default capabilities: - list - patch - delete - 31: | + 32: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -7573,7 +7626,7 @@ default capabilities: - kind: ServiceAccount name: kubescape namespace: kubescape - 32: | + 33: | apiVersion: v1 kind: Service metadata: @@ -7600,7 +7653,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 33: | + 34: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -7617,7 +7670,7 @@ default capabilities: tier: ks-control-plane name: kubescape namespace: kubescape - 34: | + 35: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -7647,7 +7700,7 @@ default capabilities: app.kubernetes.io/component: kubescape app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 35: | + 36: | apiVersion: v1 data: request-body.json: '{"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}' @@ -7666,7 +7719,7 @@ default capabilities: tier: ks-control-plane name: kubevuln-scheduler namespace: kubescape - 36: | + 37: | apiVersion: batch/v1 kind: CronJob metadata: @@ -7741,7 +7794,7 @@ default capabilities: name: kubevuln-scheduler schedule: 1 2 3 4 5 successfulJobsHistoryLimit: 3 - 37: | + 38: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -7783,7 +7836,7 @@ default capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 38: | + 39: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -7821,7 +7874,7 @@ default capabilities: - get - watch - list - 39: | + 40: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -7844,7 +7897,7 @@ default capabilities: - kind: ServiceAccount name: kubevuln namespace: kubescape - 40: | + 41: | apiVersion: apps/v1 kind: Deployment metadata: @@ -7874,7 +7927,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: 83d2370bd782db4cf4cb8c0ca23b398bc11280708b95649f975cb79b78163d66 + checksum/cloud-config: 3d2661a789bbdab1ea25a618d413d9c6272bf5527d727a68920c7c99441e5dd9 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: @@ -7993,7 +8046,7 @@ default capabilities: name: ks-cloud-config - emptyDir: {} name: grype-db - 41: | + 42: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -8049,7 +8102,7 @@ default capabilities: policyTypes: - Ingress - Egress - 42: | + 43: | apiVersion: v1 kind: Service metadata: @@ -8073,7 +8126,7 @@ default capabilities: selector: app: kubevuln type: ClusterIP - 43: | + 44: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -8090,7 +8143,7 @@ default capabilities: tier: ks-control-plane name: kubevuln namespace: kubescape - 44: | + 45: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -8177,7 +8230,7 @@ default capabilities: verbs: - list - watch - 45: | + 46: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8200,7 +8253,7 @@ default capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 46: | + 47: | apiVersion: v1 data: config.json: | @@ -8241,7 +8294,7 @@ default capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 47: | + 48: | apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -8267,7 +8320,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: 83d2370bd782db4cf4cb8c0ca23b398bc11280708b95649f975cb79b78163d66 + checksum/cloud-config: 3d2661a789bbdab1ea25a618d413d9c6272bf5527d727a68920c7c99441e5dd9 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/node-agent-config: f3f968b1b246b729fa9f1c2841b6053b859d56084f7886bd212b635162297466 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff @@ -8453,7 +8506,7 @@ default capabilities: - name: proxy-secret secret: secretName: kubescape-proxy-certificate - 48: | + 49: | apiVersion: kubescape.io/v1 kind: RuntimeRuleAlertBinding metadata: @@ -8513,7 +8566,7 @@ default capabilities: - ruleName: Exec to pod - ruleName: Port forward - ruleName: Unexpected Egress Network Traffic - 49: | + 50: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -8555,7 +8608,7 @@ default capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 50: | + 51: | apiVersion: v1 kind: Service metadata: @@ -8579,7 +8632,7 @@ default capabilities: targetPort: 8080 selector: app.kubernetes.io/name: node-agent - 51: | + 52: | apiVersion: v1 kind: ServiceAccount metadata: @@ -8595,7 +8648,7 @@ default capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 52: | + 53: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -8679,7 +8732,7 @@ default capabilities: - update - delete - patch - 53: | + 54: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8702,7 +8755,7 @@ default capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 54: | + 55: | apiVersion: v1 data: config.json: | @@ -8728,7 +8781,7 @@ default capabilities: tier: ks-control-plane name: operator namespace: kubescape - 55: | + 56: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -8762,8 +8815,9 @@ default capabilities: metadata: annotations: checksum/capabilities-config: 06a9d3ec7dee7d822c8edc8c5c37362ca3a2b2b658ee44c8ba03ecc967afe481 - checksum/cloud-config: 83d2370bd782db4cf4cb8c0ca23b398bc11280708b95649f975cb79b78163d66 + checksum/cloud-config: 3d2661a789bbdab1ea25a618d413d9c6272bf5527d727a68920c7c99441e5dd9 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 + checksum/matching-rules-config: c50aba6f0329c36ec97f5466e2b309c8ceba85d8a6c2b56839c46692d9a82013 checksum/operator-config: 410d76528f07a46b94a946c7881be8b883bfcbebb8962528f9b739e4303f377b checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff labels: @@ -8854,6 +8908,10 @@ default capabilities: name: ks-capabilities readOnly: true subPath: capabilities.json + - mountPath: /etc/config/matchingRules.json + name: cs-matching-rules + readOnly: true + subPath: matchingRules.json - mountPath: /etc/config/config.json name: config readOnly: true @@ -8896,7 +8954,13 @@ default capabilities: path: config.json name: operator name: config - 56: | + - configMap: + items: + - key: matchingRules.json + path: matchingRules.json + name: cs-matching-rules + name: cs-matching-rules + 57: | apiVersion: v1 data: cronjobTemplate: |- @@ -8975,7 +9039,7 @@ default capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 57: | + 58: | apiVersion: v1 data: cronjobTemplate: |- @@ -9054,7 +9118,7 @@ default capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 58: | + 59: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -9144,7 +9208,7 @@ default capabilities: policyTypes: - Ingress - Egress - 59: | + 60: | apiVersion: v1 data: cronjobTemplate: |- 
@@ -9223,7 +9287,7 @@ default capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 60: | + 61: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -9265,7 +9329,7 @@ default capabilities: - list - patch - delete - 61: | + 62: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -9289,7 +9353,7 @@ default capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 62: | + 63: | apiVersion: v1 kind: Service metadata: @@ -9315,7 +9379,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 63: | + 64: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -9332,7 +9396,7 @@ default capabilities: tier: ks-control-plane name: operator namespace: kubescape - 64: | + 65: | apiVersion: v1 data: otel-collector-config.yaml: "\n# receivers configure how data gets into the Collector.\nreceivers:\n otlp:\n protocols:\n grpc:\n endpoint: 0.0.0.0:4317\n http:\n endpoint: 0.0.0.0:4318\n hostmetrics:\n collection_interval: 30s\n scrapers:\n cpu:\n memory:\n\n# processors specify what happens with the received data.\nprocessors:\n attributes/ksCloud:\n actions:\n - key: account_id\n value: \"9e6c0c2c-6bd0-4919-815b-55030de7c9a0\"\n action: upsert\n - key: cluster_name\n value: \"kind-kind\"\n action: upsert\n batch:\n send_batch_size: 10000\n timeout: 10s\n\n# exporters configure how to send processed data to one or more backends.\nexporters:\n otlp/ksCloud:\n endpoint: ${env:CLOUD_OTEL_COLLECTOR_URL}\n tls:\n insecure: false\n otlp:\n endpoint: \"otelCollector:4317\"\n tls:\n insecure: true\n headers:\n uptrace-dsn: \n\n# service pulls the configured receivers, processors, and exporters together into\n# processing pipelines. Unused receivers/processors/exporters are ignored.\nservice:\n pipelines:\n traces:\n receivers: [otlp]\n processors: [batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics/2:\n receivers: [hostmetrics]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n logs:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp" @@ -9351,7 +9415,7 @@ default capabilities: tier: ks-control-plane name: otel-collector-config namespace: kubescape - 65: | + 66: | apiVersion: apps/v1 kind: Deployment metadata: @@ -9462,7 +9526,7 @@ default capabilities: - configMap: name: otel-collector-config name: otel-collector-config-volume - 66: | + 67: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -9518,7 +9582,7 @@ default capabilities: policyTypes: - Ingress - Egress - 67: | + 68: | apiVersion: v1 kind: Service metadata: @@ -9547,7 +9611,7 @@ default capabilities: selector: app: otel-collector type: ClusterIP - 68: | + 69: | apiVersion: v1 kind: ServiceAccount metadata: @@ -9563,7 +9627,7 @@ default capabilities: tier: ks-control-plane name: otel-collector namespace: kubescape - 69: | + 70: | apiVersion: v1 data: proxy.crt: foo @@ -9586,7 +9650,7 @@ default capabilities: name: kubescape-proxy-certificate namespace: kubescape type: Opaque - 70: | + 71: | apiVersion: batch/v1 kind: Job metadata: @@ -9678,7 +9742,7 @@ default capabilities: - name: proxy-secret secret: secretName: kubescape-proxy-certificate - 71: | + 72: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -9709,7 +9773,7 @@ default capabilities: - patch - get - list - 72: | + 73: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -9737,7 +9801,7 @@ default capabilities: - kind: ServiceAccount name: service-discovery namespace: kubescape - 73: | + 74: | apiVersion: v1 kind: ServiceAccount metadata: @@ -9757,7 +9821,7 @@ default capabilities: tier: ks-control-plane name: service-discovery namespace: kubescape - 74: | + 75: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -9781,7 +9845,7 @@ default capabilities: namespace: kubescape version: v1beta1 versionPriority: 15 - 75: | + 76: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -9887,7 +9951,7 @@ default capabilities: - get - watch - list - 76: | + 77: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -9910,7 +9974,7 @@ default capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 77: | + 78: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -9933,7 +9997,7 @@ default capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 78: | + 79: | apiVersion: apps/v1 kind: Deployment metadata: @@ -10044,7 +10108,7 @@ default capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config - 79: | + 80: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -10092,7 +10156,7 @@ default capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 80: | + 81: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -10115,7 +10179,7 @@ default capabilities: resources: requests: storage: 5Gi - 81: | + 82: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -10139,7 +10203,7 @@ default capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 82: | + 83: | apiVersion: v1 kind: Service metadata: @@ -10164,7 +10228,7 @@ default capabilities: app.kubernetes.io/component: storage app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 83: | + 84: | apiVersion: v1 kind: ServiceAccount metadata: @@ -10180,7 +10244,7 @@ default capabilities: tier: ks-control-plane name: storage namespace: kubescape - 84: | + 85: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10324,7 +10388,7 @@ default capabilities: - get - watch - list - 85: | + 86: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -10347,7 +10411,7 @@ default capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 86: | + 87: | apiVersion: v1 data: config.json: | @@ -10564,7 +10628,7 @@ default capabilities: tier: ks-control-plane name: synchronizer namespace: kubescape - 87: | + 88: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -10594,7 +10658,7 @@ default capabilities: template: metadata: annotations: - checksum/cloud-config: 83d2370bd782db4cf4cb8c0ca23b398bc11280708b95649f975cb79b78163d66 + checksum/cloud-config: 3d2661a789bbdab1ea25a618d413d9c6272bf5527d727a68920c7c99441e5dd9 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/proxy-config: 887824947998455ea63ac5b04a831b07701da0c0509ea54fc442e3e3f3dfc9ff checksum/synchronizer-configmap: 7d3974c9095276eb83872bb583727430aa3d6d47a907d679d585ef54dbcb4ea8 @@ -10705,7 +10769,7 @@ default capabilities: path: config.json name: synchronizer name: config - 88: | + 89: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -10761,7 +10825,7 @@ default capabilities: policyTypes: - Ingress - Egress - 89: | + 90: | apiVersion: v1 kind: Service metadata: @@ -10785,7 +10849,7 @@ default capabilities: selector: app: synchronizer type: ClusterIP - 90: | + 91: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -10870,6 +10934,7 @@ disable otel: "keepLocal": false, "scanTimeout": "5m", "vexGeneration": false, + "continuousPostureScan": false, "relevantImageVulnerabilitiesConfiguration": "enable" } metrics: "" 
@@ -10919,9 +10984,29 @@ disable otel: kubescape.io/ignore: "true" kubescape.io/tier: core tier: ks-control-plane - name: ks-capabilities + name: ks-capabilities + namespace: kubescape + 5: | + apiVersion: v1 + data: + matchingRules.json: | + {"match":[{"apiGroups":["apps"],"apiVersions":["v1"],"resources":["deployments"]}],"namespaces":["default"]} + kind: ConfigMap + metadata: + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/version: 1.21.2 + helm.sh/chart: kubescape-operator-1.21.2 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: cs-matching-rules namespace: kubescape - 5: | + 6: | apiVersion: scheduling.k8s.io/v1 description: This priority class is for node-agent daemonset pods globalDefault: false @@ -10939,7 +11024,7 @@ disable otel: tier: ks-control-plane name: kubescape-critical value: 1.000001e+08 - 6: | + 7: | apiVersion: apps/v1 kind: Deployment metadata: @@ -10972,7 +11057,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 3c10e386a1a4e156594e46fe045faae1823146dbe3b951acc8b93f9c5ac9cf42 + checksum/cloud-config: 2ef9f34110ead7e4ef70480f18bd47b5ce061b0683ee11af7bb2d7c16ca48766 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 labels: app: gateway @@ -11078,7 +11163,7 @@ disable otel: path: services.json name: ks-cloud-config name: ks-cloud-config - 7: | + 8: | apiVersion: v1 kind: Service metadata: @@ -11109,7 +11194,7 @@ disable otel: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 8: | + 9: | apiVersion: v1 kind: ServiceAccount metadata: @@ -11125,7 +11210,7 @@ disable otel: tier: ks-control-plane name: gateway namespace: kubescape - 9: | + 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -11146,7 +11231,7 @@ disable otel: - statefulsets verbs: - delete - 10: | + 11: | apiVersion: v1 kind: ServiceAccount metadata: @@ -11158,7 +11243,7 @@ disable otel: app: label-selector-force-replace name: label-selector-force-replace namespace: kubescape - 11: | + 12: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -11178,7 +11263,7 @@ disable otel: - kind: ServiceAccount name: label-selector-force-replace namespace: kubescape - 12: | + 13: | apiVersion: batch/v1 kind: Job metadata: @@ -11206,7 +11291,7 @@ disable otel: name: label-selector-force-replace restartPolicy: Never serviceAccountName: label-selector-force-replace - 13: | + 14: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -11256,7 +11341,7 @@ disable otel: - get - watch - list - 14: | + 15: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -11279,7 +11364,7 @@ disable otel: - kind: ServiceAccount name: kollector namespace: kubescape - 15: | + 16: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -11296,7 +11381,7 @@ disable otel: tier: ks-control-plane name: kollector namespace: kubescape - 16: | + 17: | apiVersion: apps/v1 kind: StatefulSet metadata: @@ -11324,7 +11409,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 3c10e386a1a4e156594e46fe045faae1823146dbe3b951acc8b93f9c5ac9cf42 + checksum/cloud-config: 2ef9f34110ead7e4ef70480f18bd47b5ce061b0683ee11af7bb2d7c16ca48766 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 labels: app: kollector @@ -11427,7 +11512,7 @@ disable otel: path: services.json name: ks-cloud-config name: ks-cloud-config - 17: | + 18: | apiVersion: v1 data: request-body.json: '{"commands":[{"CommandName":"kubescapeScan","args":{"scanV1": {}}}]}' 
@@ -11446,7 +11531,7 @@ disable otel: tier: ks-control-plane name: kubescape-scheduler namespace: kubescape - 18: | + 19: | apiVersion: batch/v1 kind: CronJob metadata: @@ -11523,7 +11608,7 @@ disable otel: name: kubescape-scheduler schedule: 1 2 3 4 5 successfulJobsHistoryLimit: 3 - 19: | + 20: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -11732,7 +11817,7 @@ disable otel: - get - watch - list - 20: | + 21: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -11755,7 +11840,7 @@ disable otel: - kind: ServiceAccount name: kubescape namespace: kubescape - 21: | + 22: | apiVersion: apps/v1 kind: Deployment metadata: @@ -11788,7 +11873,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 3c10e386a1a4e156594e46fe045faae1823146dbe3b951acc8b93f9c5ac9cf42 + checksum/cloud-config: 2ef9f34110ead7e4ef70480f18bd47b5ce061b0683ee11af7bb2d7c16ca48766 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/host-scanner-configmap: e32a6bb510d9e33e34c20db0a99798e011054b0c99d2f145b0e929408528373f labels: @@ -11927,7 +12012,7 @@ disable otel: name: results - emptyDir: {} name: failed - 22: | + 23: | apiVersion: v1 data: host-scanner-yaml: |- @@ -12051,7 +12136,7 @@ disable otel: tier: ks-control-plane name: host-scanner-definition namespace: kubescape - 23: | + 24: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -12080,7 +12165,7 @@ disable otel: - list - patch - delete - 24: | + 25: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -12104,7 +12189,7 @@ disable otel: - kind: ServiceAccount name: kubescape namespace: kubescape - 25: | + 26: | apiVersion: v1 kind: Service metadata: @@ -12131,7 +12216,7 @@ disable otel: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 26: | + 27: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -12148,7 +12233,7 @@ disable otel: tier: ks-control-plane name: kubescape namespace: kubescape - 27: | + 28: | apiVersion: v1 data: request-body.json: '{"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}' @@ -12167,7 +12252,7 @@ disable otel: tier: ks-control-plane name: kubevuln-scheduler namespace: kubescape - 28: | + 29: | apiVersion: batch/v1 kind: CronJob metadata: @@ -12242,7 +12327,7 @@ disable otel: name: kubevuln-scheduler schedule: 1 2 3 4 5 successfulJobsHistoryLimit: 3 - 29: | + 30: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -12280,7 +12365,7 @@ disable otel: - get - watch - list - 30: | + 31: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -12303,7 +12388,7 @@ disable otel: - kind: ServiceAccount name: kubevuln namespace: kubescape - 31: | + 32: | apiVersion: apps/v1 kind: Deployment metadata: @@ -12333,7 +12418,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 3c10e386a1a4e156594e46fe045faae1823146dbe3b951acc8b93f9c5ac9cf42 + checksum/cloud-config: 2ef9f34110ead7e4ef70480f18bd47b5ce061b0683ee11af7bb2d7c16ca48766 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 labels: app: kubevuln @@ -12445,7 +12530,7 @@ disable otel: name: ks-cloud-config - emptyDir: {} name: grype-db - 32: | + 33: | apiVersion: v1 kind: Service metadata: @@ -12469,7 +12554,7 @@ disable otel: selector: app: kubevuln type: ClusterIP - 33: | + 34: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -12486,7 +12571,7 @@ disable otel: tier: ks-control-plane name: kubevuln namespace: kubescape - 34: | + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -12573,7 +12658,7 @@ disable otel: verbs: - list - watch - 35: | + 36: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -12596,7 +12681,7 @@ disable otel: - kind: ServiceAccount name: node-agent namespace: kubescape - 36: | + 37: | apiVersion: v1 data: config.json: | @@ -12637,7 +12722,7 @@ disable otel: tier: ks-control-plane name: node-agent namespace: kubescape - 37: | + 38: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -12663,7 +12748,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 3c10e386a1a4e156594e46fe045faae1823146dbe3b951acc8b93f9c5ac9cf42 + checksum/cloud-config: 2ef9f34110ead7e4ef70480f18bd47b5ce061b0683ee11af7bb2d7c16ca48766 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/node-agent-config: f3f968b1b246b729fa9f1c2841b6053b859d56084f7886bd212b635162297466 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined @@ -12842,7 +12927,7 @@ disable otel: path: config.json name: node-agent name: config - 38: | + 39: | apiVersion: v1 kind: Service metadata: @@ -12866,7 +12951,7 @@ disable otel: targetPort: 8080 selector: app.kubernetes.io/name: node-agent - 39: | + 40: | apiVersion: v1 kind: ServiceAccount metadata: @@ -12882,7 +12967,7 @@ disable otel: tier: ks-control-plane name: node-agent namespace: kubescape - 40: | + 41: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -12966,7 +13051,7 @@ disable otel: - update - delete - patch - 41: | + 42: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -12989,7 +13074,7 @@ disable otel: - kind: ServiceAccount name: operator namespace: kubescape - 42: | + 43: | apiVersion: v1 data: config.json: | @@ -13015,7 +13100,7 @@ disable otel: tier: ks-control-plane name: operator namespace: kubescape - 43: | + 44: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -13049,8 +13134,9 @@ disable otel: metadata: annotations: checksum/capabilities-config: 8d6e3211c0df5393144f246f4b709622cf72d957aa2c9bd89a027c184bd22863 - checksum/cloud-config: 3c10e386a1a4e156594e46fe045faae1823146dbe3b951acc8b93f9c5ac9cf42 + checksum/cloud-config: 2ef9f34110ead7e4ef70480f18bd47b5ce061b0683ee11af7bb2d7c16ca48766 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 + checksum/matching-rules-config: c50aba6f0329c36ec97f5466e2b309c8ceba85d8a6c2b56839c46692d9a82013 checksum/operator-config: 410d76528f07a46b94a946c7881be8b883bfcbebb8962528f9b739e4303f377b labels: app: operator @@ -13140,6 +13226,10 @@ disable otel: name: ks-capabilities readOnly: true subPath: capabilities.json + - mountPath: /etc/config/matchingRules.json + name: cs-matching-rules + readOnly: true + subPath: matchingRules.json - mountPath: /etc/config/config.json name: config readOnly: true @@ -13176,7 +13266,13 @@ disable otel: path: config.json name: operator name: config - 44: | + - configMap: + items: + - key: matchingRules.json + path: matchingRules.json + name: cs-matching-rules + name: cs-matching-rules + 45: | apiVersion: v1 data: cronjobTemplate: |- @@ -13255,7 +13351,7 @@ disable otel: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 45: | + 46: | apiVersion: v1 data: cronjobTemplate: |- @@ -13334,7 +13430,7 @@ disable otel: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 46: | + 47: | apiVersion: v1 data: cronjobTemplate: |- @@ -13413,7 +13509,7 @@ disable otel: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 47: | + 48: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -13455,7 +13551,7 @@ disable otel: - list - patch - delete - 48: | + 49: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -13479,7 +13575,7 @@ disable otel: - kind: ServiceAccount name: operator namespace: kubescape - 49: | + 50: | apiVersion: v1 kind: Service metadata: @@ -13505,7 +13601,7 @@ disable otel: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 50: | + 51: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -13522,7 +13618,7 @@ disable otel: tier: ks-control-plane name: operator namespace: kubescape - 51: | + 52: | apiVersion: v1 data: otel-collector-config.yaml: |2- @@ -13600,7 +13696,7 @@ disable otel: tier: ks-control-plane name: otel-collector-config namespace: kubescape - 52: | + 53: | apiVersion: apps/v1 kind: Deployment metadata: @@ -13704,7 +13800,7 @@ disable otel: - configMap: name: otel-collector-config name: otel-collector-config-volume - 53: | + 54: | apiVersion: v1 kind: Service metadata: @@ -13733,7 +13829,7 @@ disable otel: selector: app: otel-collector type: ClusterIP - 54: | + 55: | apiVersion: v1 kind: ServiceAccount metadata: @@ -13749,7 +13845,7 @@ disable otel: tier: ks-control-plane name: otel-collector namespace: kubescape - 55: | + 56: | apiVersion: batch/v1 kind: Job metadata: @@ -13835,7 +13931,7 @@ disable otel: volumes: - emptyDir: {} name: shared-data - 56: | + 57: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -13866,7 +13962,7 @@ disable otel: - patch - get - list - 57: | + 58: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -13894,7 +13990,7 @@ disable otel: - kind: ServiceAccount name: service-discovery namespace: kubescape - 58: | + 59: | apiVersion: v1 kind: ServiceAccount metadata: @@ -13914,7 +14010,7 @@ disable otel: tier: ks-control-plane name: service-discovery namespace: kubescape - 59: | + 60: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: 
@@ -13938,7 +14034,7 @@ disable otel: namespace: kubescape version: v1beta1 versionPriority: 15 - 60: | + 61: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -14044,7 +14140,7 @@ disable otel: - get - watch - list - 61: | + 62: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14067,7 +14163,7 @@ disable otel: - kind: ServiceAccount name: storage namespace: kubescape - 62: | + 63: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14090,7 +14186,7 @@ disable otel: - kind: ServiceAccount name: storage namespace: kubescape - 63: | + 64: | apiVersion: apps/v1 kind: Deployment metadata: @@ -14201,7 +14297,7 @@ disable otel: path: services.json name: ks-cloud-config name: ks-cloud-config - 64: | + 65: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -14224,7 +14320,7 @@ disable otel: resources: requests: storage: 5Gi - 65: | + 66: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -14248,7 +14344,7 @@ disable otel: - kind: ServiceAccount name: storage namespace: kubescape - 66: | + 67: | apiVersion: v1 kind: Service metadata: @@ -14273,7 +14369,7 @@ disable otel: app.kubernetes.io/component: storage app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 67: | + 68: | apiVersion: v1 kind: ServiceAccount metadata: @@ -14289,7 +14385,7 @@ disable otel: tier: ks-control-plane name: storage namespace: kubescape - 68: | + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -14433,7 +14529,7 @@ disable otel: - get - watch - list - 69: | + 70: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14456,7 +14552,7 @@ disable otel: - kind: ServiceAccount name: synchronizer namespace: kubescape - 70: | + 71: | apiVersion: v1 data: config.json: | 
@@ -14673,7 +14769,7 @@ disable otel: tier: ks-control-plane name: synchronizer namespace: kubescape - 71: | + 72: | apiVersion: apps/v1 kind: Deployment metadata: @@ -14703,7 +14799,7 @@ disable otel: template: metadata: annotations: - checksum/cloud-config: 3c10e386a1a4e156594e46fe045faae1823146dbe3b951acc8b93f9c5ac9cf42 + checksum/cloud-config: 2ef9f34110ead7e4ef70480f18bd47b5ce061b0683ee11af7bb2d7c16ca48766 checksum/cloud-secret: 5f1867afe94653b7e1f514737c0f5bb8d459d9431307900fb149c1a1e67cc929 checksum/synchronizer-configmap: 7d3974c9095276eb83872bb583727430aa3d6d47a907d679d585ef54dbcb4ea8 labels: @@ -14807,7 +14903,7 @@ disable otel: path: config.json name: synchronizer name: config - 72: | + 73: | apiVersion: v1 kind: Service metadata: @@ -14831,7 +14927,7 @@ disable otel: selector: app: synchronizer type: ClusterIP - 73: | + 74: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -14908,6 +15004,7 @@ minimal capabilities: "keepLocal": true, "scanTimeout": "5m", "vexGeneration": false, + "continuousPostureScan": false, "relevantImageVulnerabilitiesConfiguration": "enable" } kind: ConfigMap @@ -14952,6 +15049,26 @@ minimal capabilities: name: ks-capabilities namespace: kubescape 5: | + apiVersion: v1 + data: + matchingRules.json: | + {"match":[{"apiGroups":["apps"],"apiVersions":["v1"],"resources":["deployments"]}],"namespaces":["default"]} + kind: ConfigMap + metadata: + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/version: 1.21.2 + helm.sh/chart: kubescape-operator-1.21.2 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: cs-matching-rules + namespace: kubescape + 6: | apiVersion: scheduling.k8s.io/v1 description: This priority class is for node-agent daemonset pods globalDefault: false 
@@ -14969,7 +15086,7 @@ minimal capabilities: tier: ks-control-plane name: kubescape-critical value: 1.000001e+08 - 6: | + 7: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -14990,7 +15107,7 @@ minimal capabilities: - statefulsets verbs: - delete - 7: | + 8: | apiVersion: v1 kind: ServiceAccount metadata: @@ -15002,7 +15119,7 @@ minimal capabilities: app: label-selector-force-replace name: label-selector-force-replace namespace: kubescape - 8: | + 9: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -15022,7 +15139,7 @@ minimal capabilities: - kind: ServiceAccount name: label-selector-force-replace namespace: kubescape - 9: | + 10: | apiVersion: batch/v1 kind: Job metadata: @@ -15050,7 +15167,7 @@ minimal capabilities: name: label-selector-force-replace restartPolicy: Never serviceAccountName: label-selector-force-replace - 10: | + 11: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -15259,7 +15376,7 @@ minimal capabilities: - get - watch - list - 11: | + 12: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -15282,7 +15399,7 @@ minimal capabilities: - kind: ServiceAccount name: kubescape namespace: kubescape - 12: | + 13: | apiVersion: apps/v1 kind: Deployment metadata: @@ -15315,7 +15432,7 @@ minimal capabilities: template: metadata: annotations: - checksum/cloud-config: 16a220fa279006c4f231ac84d1890e2bcf0de0622baee075f21f6cd750ffd9a2 + checksum/cloud-config: 50f365c1cc11a98d3ac597281d38556a244d26bdc439f77175ae1055c90865e7 checksum/cloud-secret: 94cd3ee2960bf10c595de9f586bbc88f1703a86f94e32926cd2d6f35e48e9e65 checksum/host-scanner-configmap: e32a6bb510d9e33e34c20db0a99798e011054b0c99d2f145b0e929408528373f labels: @@ -15450,7 +15567,7 @@ minimal capabilities: name: results - emptyDir: {} name: failed - 13: | + 14: | apiVersion: v1 data: host-scanner-yaml: |- 
@@ -15574,7 +15691,7 @@ minimal capabilities: tier: ks-control-plane name: host-scanner-definition namespace: kubescape - 14: | + 15: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -15603,7 +15720,7 @@ minimal capabilities: - list - patch - delete - 15: | + 16: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -15627,7 +15744,7 @@ minimal capabilities: - kind: ServiceAccount name: kubescape namespace: kubescape - 16: | + 17: | apiVersion: v1 kind: Service metadata: @@ -15654,7 +15771,7 @@ minimal capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 17: | + 18: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -15671,7 +15788,7 @@ minimal capabilities: tier: ks-control-plane name: kubescape namespace: kubescape - 18: | + 19: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -15709,7 +15826,7 @@ minimal capabilities: - get - watch - list - 19: | + 20: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -15732,7 +15849,7 @@ minimal capabilities: - kind: ServiceAccount name: kubevuln namespace: kubescape - 20: | + 21: | apiVersion: apps/v1 kind: Deployment metadata: @@ -15762,7 +15879,7 @@ minimal capabilities: template: metadata: annotations: - checksum/cloud-config: 16a220fa279006c4f231ac84d1890e2bcf0de0622baee075f21f6cd750ffd9a2 + checksum/cloud-config: 50f365c1cc11a98d3ac597281d38556a244d26bdc439f77175ae1055c90865e7 checksum/cloud-secret: 94cd3ee2960bf10c595de9f586bbc88f1703a86f94e32926cd2d6f35e48e9e65 labels: app: kubevuln @@ -15872,7 +15989,7 @@ minimal capabilities: name: ks-cloud-config - emptyDir: {} name: grype-db - 21: | + 22: | apiVersion: v1 kind: Service metadata: @@ -15896,7 +16013,7 @@ minimal capabilities: selector: app: kubevuln type: ClusterIP - 22: | + 23: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -15913,7 +16030,7 @@ minimal capabilities: tier: ks-control-plane name: kubevuln namespace: kubescape - 23: | + 24: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -16000,7 +16117,7 @@ minimal capabilities: verbs: - list - watch - 24: | + 25: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -16023,7 +16140,7 @@ minimal capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 25: | + 26: | apiVersion: v1 data: config.json: | @@ -16063,7 +16180,7 @@ minimal capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 26: | + 27: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -16089,7 +16206,7 @@ minimal capabilities: template: metadata: annotations: - checksum/cloud-config: 16a220fa279006c4f231ac84d1890e2bcf0de0622baee075f21f6cd750ffd9a2 + checksum/cloud-config: 50f365c1cc11a98d3ac597281d38556a244d26bdc439f77175ae1055c90865e7 checksum/cloud-secret: 94cd3ee2960bf10c595de9f586bbc88f1703a86f94e32926cd2d6f35e48e9e65 checksum/node-agent-config: 44b9c3d227c95a2397bce38ba0b195bf4ae25be1febef313018e724e9bcb72b7 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined @@ -16266,7 +16383,7 @@ minimal capabilities: path: config.json name: node-agent name: config - 27: | + 28: | apiVersion: v1 kind: Service metadata: @@ -16290,7 +16407,7 @@ minimal capabilities: targetPort: 8080 selector: app.kubernetes.io/name: node-agent - 28: | + 29: | apiVersion: v1 kind: ServiceAccount metadata: @@ -16306,7 +16423,7 @@ minimal capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 29: | + 30: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -16390,7 +16507,7 @@ minimal capabilities: - update - delete - patch - 30: | + 31: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -16413,7 +16530,7 @@ minimal capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 31: | + 32: | apiVersion: v1 data: config.json: | @@ -16438,7 +16555,7 @@ minimal capabilities: tier: ks-control-plane name: operator namespace: kubescape - 32: | + 33: | apiVersion: apps/v1 kind: Deployment metadata: @@ -16472,8 +16589,9 @@ minimal capabilities: metadata: annotations: checksum/capabilities-config: ef44ce762bcd519c0af68f0adef484336dc9249d447b7f0e158d42143a3e07f0 - checksum/cloud-config: 16a220fa279006c4f231ac84d1890e2bcf0de0622baee075f21f6cd750ffd9a2 + checksum/cloud-config: 50f365c1cc11a98d3ac597281d38556a244d26bdc439f77175ae1055c90865e7 checksum/cloud-secret: 94cd3ee2960bf10c595de9f586bbc88f1703a86f94e32926cd2d6f35e48e9e65 + checksum/matching-rules-config: c50aba6f0329c36ec97f5466e2b309c8ceba85d8a6c2b56839c46692d9a82013 checksum/operator-config: 46db259f2d187223885b1f3aed13170bcbc9c0cc0e9667b104c03e942d1714ad labels: app: operator @@ -16559,6 +16677,10 @@ minimal capabilities: name: ks-capabilities readOnly: true subPath: capabilities.json + - mountPath: /etc/config/matchingRules.json + name: cs-matching-rules + readOnly: true + subPath: matchingRules.json - mountPath: /etc/config/config.json name: config readOnly: true @@ -16593,7 +16715,13 @@ minimal capabilities: path: config.json name: operator name: config - 33: | + - configMap: + items: + - key: matchingRules.json + path: matchingRules.json + name: cs-matching-rules + name: cs-matching-rules + 34: | apiVersion: v1 data: cronjobTemplate: |- @@ -16672,7 +16800,7 @@ minimal capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 34: | + 35: | apiVersion: v1 data: cronjobTemplate: |- @@ -16751,7 +16879,7 @@ minimal capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 35: | + 36: | apiVersion: v1 data: cronjobTemplate: |- 
@@ -16830,7 +16958,7 @@ minimal capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 36: | + 37: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16872,7 +17000,7 @@ minimal capabilities: - list - patch - delete - 37: | + 38: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16896,7 +17024,7 @@ minimal capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 38: | + 39: | apiVersion: v1 kind: Service metadata: @@ -16922,7 +17050,7 @@ minimal capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 39: | + 40: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -16939,7 +17067,7 @@ minimal capabilities: tier: ks-control-plane name: operator namespace: kubescape - 40: | + 41: | apiVersion: v1 data: otel-collector-config.yaml: "\n# receivers configure how data gets into the Collector.\nreceivers:\n otlp:\n protocols:\n grpc:\n endpoint: 0.0.0.0:4317\n http:\n endpoint: 0.0.0.0:4318\n hostmetrics:\n collection_interval: 30s\n scrapers:\n cpu:\n memory:\n\n# processors specify what happens with the received data.\nprocessors:\n attributes/ksCloud:\n actions:\n - key: account_id\n value: \"\"\n action: upsert\n - key: cluster_name\n value: \"kind-kind\"\n action: upsert\n batch:\n send_batch_size: 10000\n timeout: 10s\n\n# exporters configure how to send processed data to one or more backends.\nexporters:\n otlp/ksCloud:\n endpoint: \"\"\n tls:\n insecure: false\n otlp:\n endpoint: \"otelCollector:4317\"\n tls:\n insecure: true\n headers:\n uptrace-dsn: \n\n# service pulls the configured receivers, processors, and exporters together into\n# processing pipelines. Unused receivers/processors/exporters are ignored.\nservice:\n pipelines:\n traces:\n receivers: [otlp]\n processors: [batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics/2:\n receivers: [hostmetrics]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n metrics:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp\n logs:\n receivers: [otlp]\n processors: [attributes/ksCloud, batch]\n exporters:\n - otlp/ksCloud\n - otlp" @@ -16958,7 +17086,7 @@ minimal capabilities: tier: ks-control-plane name: otel-collector-config namespace: kubescape - 41: | + 42: | apiVersion: apps/v1 kind: Deployment metadata: @@ -17062,7 +17190,7 @@ minimal capabilities: - configMap: name: otel-collector-config name: otel-collector-config-volume - 42: | + 43: | apiVersion: v1 kind: Service metadata: 
@@ -17091,7 +17219,7 @@ minimal capabilities: selector: app: otel-collector type: ClusterIP - 43: | + 44: | apiVersion: v1 kind: ServiceAccount metadata: @@ -17107,7 +17235,7 @@ minimal capabilities: tier: ks-control-plane name: otel-collector namespace: kubescape - 44: | + 45: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -17131,7 +17259,7 @@ minimal capabilities: namespace: kubescape version: v1beta1 versionPriority: 15 - 45: | + 46: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -17237,7 +17365,7 @@ minimal capabilities: - get - watch - list - 46: | + 47: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -17260,7 +17388,7 @@ minimal capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 47: | + 48: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -17283,7 +17411,7 @@ minimal capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 48: | + 49: | apiVersion: apps/v1 kind: Deployment metadata: @@ -17392,7 +17520,7 @@ minimal capabilities: path: clusterData.json name: ks-cloud-config name: ks-cloud-config - 49: | + 50: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -17415,7 +17543,7 @@ minimal capabilities: resources: requests: storage: 5Gi - 50: | + 51: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17439,7 +17567,7 @@ minimal capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 51: | + 52: | apiVersion: v1 kind: Service metadata: @@ -17464,7 +17592,7 @@ minimal capabilities: app.kubernetes.io/component: storage app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 52: | + 53: | apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index 8ca9e8bf..282e5961 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml 
+++ b/charts/kubescape-operator/tests/snapshot_test.yaml @@ -14,6 +14,7 @@ tests: installDefault: true capabilities: configurationScan: enable + continuousScan: enable nodeScan: enable vulnerabilityScan: enable relevancy: enable diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index 52bb034a..c22d5adb 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml @@ -961,3 +961,22 @@ registryScanScheduler: successfulJobsHistoryLimit: 3 failedJobsHistoryLimit: 1 + +# ----------------------------------------------------------------------------------------- +# ------------------------- Configurations ------------------------------------------------ +# ----------------------------------------------------------------------------------------- + +# Continuous scanning configurations +continuousScanning: + configMapName: cs-matching-rules + + # Matching rules for the monitored resources. + # Kubescape will watch resources of every provided GVR across the provided + # namespaces. + matchingRules: + match: + - apiGroups: ["apps"] + apiVersions: ["v1"] + resources: ["deployments"] + namespaces: + - default
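Review bot: The `cs-matching-rules` ConfigMap and its operator mount appear to be rendered even when continuous scanning is off: the "minimal capabilities" snapshot earlier in this patch shows `"continuousPostureScan": false` in the capabilities config while the same render still emits the `cs-matching-rules` ConfigMap and mounts it at `/etc/config/matchingRules.json`. If that is not intended, guard the ConfigMap template and the operator volume/mount with something like `{{- if eq .Values.capabilities.continuousScan "enable" }}` (the key the test hunk sets), so a disabled feature leaves no unused config in the namespace. Independently, the new values comment should say what consumes these rules; I would extend it with `# Only used when capabilities.continuousScan is "enable"; rendered as JSON into the ConfigMap named by configMapName and mounted into the operator at /etc/config/matchingRules.json.` It would also help to note that any GVR added to `match` presumably needs matching list/watch permissions in the operator's ClusterRole, which is worth confirming against that template since it is not part of this hunk.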