Skip to content

Commit

Permalink
use application profile instead of sbomp for relevancy
Browse files Browse the repository at this point in the history 
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
  • Loading branch information
@matthyx
matthyx committed Sep 25, 2024
1 parent 59f3f8a commit 13eb222
Show file tree
Hide file tree
Showing 5 changed files with 49 additions and 53 deletions.
2 changes: 1 addition & 1 deletion charts/kubescape-operator/templates/kubevuln/clusterrole.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,6 @@ rules:
resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "openvulnerabilityexchangecontainers", "sbomsyfts"]
verbs: ["create", "get", "update", "watch", "list", "patch"]
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["sbomsyftfiltereds"]
resources: ["applicationprofiles"]
verbs: ["get", "watch", "list"]
{{- end }}
2 changes: 1 addition & 1 deletion charts/kubescape-operator/templates/node-agent/clusterrole.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ rules:
resources: ["sbomsyfts", "seccompprofiles"]
verbs: ["get", "watch", "list"]
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods", "sbomsyftfiltereds"]
resources: ["applicationactivities", "applicationprofiles", "networkneighborses", "networkneighborhoods"]
verbs: ["create", "get", "update", "watch", "list", "patch"]
- apiGroups: ["kubescape.io"]
resources: ["runtimerulealertbindings"]
Expand Down
2 changes: 1 addition & 1 deletion charts/kubescape-operator/templates/operator/clusterrole.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ rules:
resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries", "openvulnerabilityexchangecontainers", "sbomsyftfiltereds", "sbomsyfts"]
resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries", "openvulnerabilityexchangecontainers", "applicationprofiles", "sbomsyfts"]
verbs: ["get", "watch", "list", "delete"]
- apiGroups: ["kubescape.io"]
resources: ["runtimerulealertbindings"]
Expand Down
76 changes: 36 additions & 40 deletions charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2204,7 +2204,7 @@ all capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyftfiltereds
- applicationprofiles
verbs:
- get
- watch
Expand Down Expand Up @@ -2313,8 +2313,8 @@ all capabilities:
value: https://foo:bar@baz:1234
- name: no_proxy
value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
image: quay.io/kubescape/kubevuln:v0.3.33
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -2592,7 +2592,6 @@ all capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyftfiltereds
verbs:
- create
- get
Expand Down Expand Up @@ -2825,8 +2824,8 @@ all capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.141
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -3274,7 +3273,7 @@ all capabilities:
- workloadconfigurationscans
- workloadconfigurationscansummaries
- openvulnerabilityexchangecontainers
- sbomsyftfiltereds
- applicationprofiles
- sbomsyfts
verbs:
- get
Expand Down Expand Up @@ -3430,8 +3429,8 @@ all capabilities:
value: https://foo:bar@baz:1234
- name: no_proxy
value: gateway,kubescape,kubevuln,node-agent,operator,otel-collector,kubernetes.default.svc.*,127.0.0.1,*.foo,bar.baz
image: quay.io/kubescape/operator:v0.2.32
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -4979,7 +4978,7 @@ all capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.117
image: quay.io/kubescape/storage:v0.0.122
imagePullPolicy: IfNotPresent
livenessProbe:
tcpSocket:
Expand Down Expand Up @@ -7707,7 +7706,7 @@ default capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyftfiltereds
- applicationprofiles
verbs:
- get
- watch
Expand Down Expand Up @@ -7812,8 +7811,8 @@ default capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/kubevuln:v0.3.33
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -8053,7 +8052,6 @@ default capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyftfiltereds
verbs:
- create
- get
Expand Down Expand Up @@ -8217,8 +8215,8 @@ default capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.141
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -8543,7 +8541,7 @@ default capabilities:
- workloadconfigurationscans
- workloadconfigurationscansummaries
- openvulnerabilityexchangecontainers
- sbomsyftfiltereds
- applicationprofiles
- sbomsyfts
verbs:
- get
Expand Down Expand Up @@ -8695,8 +8693,8 @@ default capabilities:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.32
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -9903,7 +9901,7 @@ default capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.117
image: quay.io/kubescape/storage:v0.0.122
imagePullPolicy: IfNotPresent
livenessProbe:
tcpSocket:
Expand Down Expand Up @@ -12117,7 +12115,7 @@ disable otel:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyftfiltereds
- applicationprofiles
verbs:
- get
- watch
Expand Down Expand Up @@ -12221,8 +12219,8 @@ disable otel:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/kubevuln:v0.3.33
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -12400,7 +12398,6 @@ disable otel:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyftfiltereds
verbs:
- create
- get
Expand Down Expand Up @@ -12563,8 +12560,8 @@ disable otel:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.141
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -12781,7 +12778,7 @@ disable otel:
- workloadconfigurationscans
- workloadconfigurationscansummaries
- openvulnerabilityexchangecontainers
- sbomsyftfiltereds
- applicationprofiles
- sbomsyfts
verbs:
- get
Expand Down Expand Up @@ -12932,8 +12929,8 @@ disable otel:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.32
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -14011,7 +14008,7 @@ disable otel:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.117
image: quay.io/kubescape/storage:v0.0.122
imagePullPolicy: IfNotPresent
livenessProbe:
tcpSocket:
Expand Down Expand Up @@ -15497,7 +15494,7 @@ minimal capabilities:
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- sbomsyftfiltereds
- applicationprofiles
verbs:
- get
- watch
Expand Down Expand Up @@ -15601,8 +15598,8 @@ minimal capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/kubevuln:v0.3.33
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/kubevuln:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -15778,7 +15775,6 @@ minimal capabilities:
- applicationprofiles
- networkneighborses
- networkneighborhoods
- sbomsyftfiltereds
verbs:
- create
- get
Expand Down Expand Up @@ -15940,8 +15936,8 @@ minimal capabilities:
fieldRef:
fieldPath: metadata.namespace
- name: NodeName
image: quay.io/kubescape/node-agent:v0.2.141
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/node-agent:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /livez
Expand Down Expand Up @@ -16156,7 +16152,7 @@ minimal capabilities:
- workloadconfigurationscans
- workloadconfigurationscansummaries
- openvulnerabilityexchangecontainers
- sbomsyftfiltereds
- applicationprofiles
- sbomsyfts
verbs:
- get
Expand Down Expand Up @@ -16306,8 +16302,8 @@ minimal capabilities:
value: zap
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4318
image: quay.io/kubescape/operator:v0.2.32
imagePullPolicy: IfNotPresent
image: quay.io/matthiasb_1/operator:appprofile
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /v1/liveness
Expand Down Expand Up @@ -17155,7 +17151,7 @@ minimal capabilities:
name: cloud-secret
- name: OTEL_COLLECTOR_SVC
value: otel-collector:4317
image: quay.io/kubescape/storage:v0.0.117
image: quay.io/kubescape/storage:v0.0.122
imagePullPolicy: IfNotPresent
livenessProbe:
tcpSocket:
Expand Down
20 changes: 10 additions & 10 deletions charts/kubescape-operator/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -272,9 +272,9 @@ operator:

image:
# -- source code: https://github.com/kubescape/operator
repository: quay.io/kubescape/operator
tag: v0.2.32
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/operator
tag: appprofile
pullPolicy: Always

service:
type: ClusterIP
Expand Down Expand Up @@ -317,9 +317,9 @@ kubevuln:

image:
# -- source code: https://github.com/kubescape/kubevuln
repository: quay.io/kubescape/kubevuln
tag: v0.3.33
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/kubevuln
tag: appprofile
pullPolicy: Always

replicaCount: 1

Expand Down Expand Up @@ -481,7 +481,7 @@ storage:
image:
# -- source code: https://github.com/kubescape/storage
repository: quay.io/kubescape/storage
tag: v0.0.117
tag: v0.0.122
pullPolicy: IfNotPresent

# cleanup interval is a duration string
Expand All @@ -504,9 +504,9 @@ nodeAgent:
name: node-agent
image:
# -- source code: https://github.com/kubescape/node-agent
repository: quay.io/kubescape/node-agent
tag: v0.2.141
pullPolicy: IfNotPresent
repository: quay.io/matthiasb_1/node-agent
tag: appprofile
pullPolicy: Always

config:
maxLearningPeriod: 24h # duration string
Expand Down

0 comments on commit 13eb222

Please sign in to comment.