manageWorkloads capability
Signed-off-by: Amir Malka <amirm@armosec.io>
amirmalka committed Oct 15, 2024
1 parent 76fb3c0 commit bbee469
Showing 5 changed files with 104 additions and 5 deletions.
23 changes: 23 additions & 0 deletions charts/kubescape-operator/templates/synchronizer/clusterrole.yaml
Expand Up @@ -49,4 +49,27 @@ rules:
- apiGroups: ["kubescape.io"]
resources: ["operatorcommands"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
{{- if eq .Values.capabilities.manageWorkloads "enable" }}
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["seccompprofiles"]
verbs: ["get", "watch", "list", "create", "update", "patch"]
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create", "update", "patch"]
- apiGroups: ["cilium.io"]
resources: ["ciliumnetworkpolicies"]
verbs: ["create", "update", "patch"]
- apiGroups: ["projectcalico.org"]
resources: ["networkpolicies"]
verbs: ["create", "update", "patch"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
verbs: ["update", "patch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["update", "patch"]
{{- end }}
{{- end }}
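Review bot: The rules added inside the `manageWorkloads` condition give the synchronizer's ClusterRole `update`/`patch` on pods, deployments, statefulsets, daemonsets, replicasets, jobs and cronjobs in every namespace. That is enough to rewrite the pod spec (image, service account, security context) of any workload, so a compromise of the synchronizer or of whatever drives it becomes cluster-wide workload control. The same block grants `create`/`update`/`patch` on `networkpolicies` and `ciliumnetworkpolicies`, so existing isolation policies can be rewritten as well as new ones added. If the managed namespaces are known at install time, a namespaced Role/RoleBinding per target namespace would cap the blast radius; otherwise I would at least add a template comment above the `if`, e.g. `{{- /* manageWorkloads: cluster-wide write on workloads and network policies; opt-in only */}}`, and recommend audit-log alerting on writes made by this service account. The enclosing `if` and the start of `rules:` are outside the hunk, so read verbs for these resources may already be granted elsewhere.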
Expand Up @@ -169,6 +169,14 @@ data:
"resource": "networkneighborhoods",
"strategy": "copy"
},
{{- if eq .Values.capabilities.manageWorkloads "enable" }}
{
"group": "spdx.softwarecomposition.kubescape.io",
"version": "v1beta1",
"resource": "seccompprofiles",
"strategy": "copy"
},
{{- end }}
{
"group": "cilium.io",
"version": "v2",
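Review bot: This sync entry for `seccompprofiles` is gated on `capabilities.manageWorkloads` only, although `values.yaml` in this commit shows a separate `seccompProfileService` switch right next to the new key, and nothing in the hunk says why that switch is not consulted. The ClusterRole change in the same commit grants `create`/`update`/`patch` on this resource, so `copy` presumably lets profiles be written into the cluster. A seccomp profile decides which syscalls a workload may make, so the origin of those objects deserves a sentence. A short template comment above the `if`, such as `{{- /* seccompprofiles are synced only when manageWorkloads is enabled because <reason> */}}` with the actual reason filled in, would settle it. The surrounding JSON list starts and ends outside the hunk.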
Expand Up @@ -290,7 +290,7 @@ all capabilities:
data:
capabilities: |
{
"capabilities":{"admissionController":"enable","autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","httpDetection":"enable","malwareDetection":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeScan":"enable","prometheusExporter":"enable","relevancy":"enable","runtimeDetection":"enable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"enable","vulnerabilityScan":"enable"},
"capabilities":{"admissionController":"enable","autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","httpDetection":"enable","malwareDetection":"enable","manageWorkloads":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeScan":"enable","prometheusExporter":"enable","relevancy":"enable","runtimeDetection":"enable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"enable","vulnerabilityScan":"enable"},
"components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}},
"configurations":{"otelUrl":"otelCollector:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} ,
"serviceScanConfig" :{"enabled":false,"interval":"1h"}
Expand Down Expand Up @@ -5473,6 +5473,66 @@ all capabilities:
- update
- patch
- delete
- apiGroups:
- spdx.softwarecomposition.kubescape.io
resources:
- seccompprofiles
verbs:
- get
- watch
- list
- create
- update
- patch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- update
- patch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
verbs:
- create
- update
- patch
- apiGroups:
- projectcalico.org
resources:
- networkpolicies
verbs:
- create
- update
- patch
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
- replicasets
verbs:
- update
- patch
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- update
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- update
- patch
107: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
Expand Down Expand Up @@ -5654,6 +5714,12 @@ all capabilities:
"resource": "networkneighborhoods",
"strategy": "copy"
},
{
"group": "spdx.softwarecomposition.kubescape.io",
"version": "v1beta1",
"resource": "seccompprofiles",
"strategy": "copy"
},
{
"group": "cilium.io",
"version": "v2",
Expand Down Expand Up @@ -6183,7 +6249,7 @@ default capabilities:
data:
capabilities: |
{
"capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","httpDetection":"disable","malwareDetection":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"},
"capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","httpDetection":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"},
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}},
"configurations":{"otelUrl":"otelCollector:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} ,
"serviceScanConfig" :{"enabled":false,"interval":"1h"}
Expand Down Expand Up @@ -11228,7 +11294,7 @@ disable otel:
data:
capabilities: |
{
"capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","httpDetection":"disable","malwareDetection":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"},
"capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","httpDetection":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"},
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":true},"hostScanner":{"enabled":true},"kollector":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}},
"configurations":{"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} ,
"serviceScanConfig" :{"enabled":false,"interval":"1h"}
Expand Down Expand Up @@ -15327,7 +15393,7 @@ minimal capabilities:
data:
capabilities: |
{
"capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","httpDetection":"disable","malwareDetection":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"},
"capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","httpDetection":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkPolicyService":"enable","nodeProfileService":"disable","nodeScan":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"disable","runtimeObservability":"enable","seccompProfileService":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"},
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"gateway":{"enabled":false},"hostScanner":{"enabled":true},"kollector":{"enabled":false},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":false},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":false},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":true},"prometheusExporter":{"enabled":false},"serviceDiscovery":{"enabled":false},"storage":{"enabled":true},"synchronizer":{"enabled":false}},
"configurations":{"otelUrl":"otelCollector:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} ,
"serviceScanConfig" :{"enabled":false,"interval":"1h"}
3 changes: 2 additions & 1 deletion charts/kubescape-operator/tests/snapshot_test.yaml
Expand Up @@ -29,6 +29,7 @@ tests:
autoUpgrading: enable
prometheusExporter: enable
admissionController: enable
manageWorkloads: enable
server: api.armosec.io
configurations.otelUrl: "otelCollector:4317"
clusterName: kind-kind
Expand Down Expand Up @@ -173,4 +174,4 @@ tests:
- registry: test.example.com
username: xxx
password: yyy
insecure: true
insecure: true
1 change: 1 addition & 0 deletions charts/kubescape-operator/values.yaml
Expand Up @@ -91,6 +91,7 @@ capabilities:
admissionController: disable
httpDetection: disable
seccompProfileService: enable
manageWorkloads: disable

# ====== Other capabilities ======
#
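Review bot: `manageWorkloads: disable` is added with no comment, yet the clusterrole.yaml change in this commit shows that setting it to `enable` adds cluster-wide write rules on workloads, network policies and seccomp profiles to the synchronizer's ClusterRole. An operator reading values.yaml cannot tell that this key widens RBAC. I would add a line above it such as `# manageWorkloads: lets the synchronizer patch workloads and write network policies / seccomp profiles cluster-wide; leave "disable" unless required`. The templates compare against the exact string `"enable"`, so the comment could also say that any other value keeps the rules off.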