diff --git a/charts/dependency_chart/operatorcommand-crds/Chart.yaml b/charts/dependency_chart/operatorcommand-crds/Chart.yaml
new file mode 100644
index 00000000..a9a8fda8
--- /dev/null
+++ b/charts/dependency_chart/operatorcommand-crds/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kubescape-operator-command-crd
+description: A Helm chart CRDs for Kubescape Operator commands
+
+type: application
+
+version: 0.0.1
+
+appVersion: "0.0.1"
diff --git a/charts/dependency_chart/operatorcommand-crds/crds/operator-command.crd.yaml b/charts/dependency_chart/operatorcommand-crds/crds/operator-command.crd.yaml
new file mode 100644
index 00000000..73e69db5
--- /dev/null
+++ b/charts/dependency_chart/operatorcommand-crds/crds/operator-command.crd.yaml
@@ -0,0 +1,87 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: operatorcommands.kubescape.io +spec: + group: kubescape.io + names: + plural: operatorcommands + singular: operatorcommand + kind: OperatorCommand + shortNames: + - opcmd + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + guid: + type: string + commandType: + type: string + commandVersion: + type: string + nullable: true + designators: + type: array + items: + type: object + additionalProperties: true + body: + type: string + format: byte + nullable: true + ttl: + type: string + format: duration + nullable: true + args: + type: object + additionalProperties: true + nullable: true + commandIndex: + type: integer + nullable: true + commandCount: + type: integer + nullable: true + status: + type: object + properties: + started: + type: boolean + startedAt: + type: string + format: date-time + nullable: true + completed: + type: boolean + completedAt: + type: string + format: date-time + nullable: true + executer: + type: string + nullable: true + error: + type: object + nullable: true + properties: + reason: + type: string + nullable: true + message: + type: string + nullable: true + errorCode: + type: integer + nullable: true + subresources: + status: {} diff --git a/charts/dependency_chart/operatorcommand-crds/values.yaml b/charts/dependency_chart/operatorcommand-crds/values.yaml new file mode 100644 index 00000000..e69de29b diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml index e54c88ef..0e2a240c 100644 --- a/charts/kubescape-operator/Chart.yaml +++ b/charts/kubescape-operator/Chart.yaml 
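Review bot: The `spec` schema of the new OperatorCommand CRD declares no `required` fields, so an object with an empty or partial spec is admitted and `guid` and `commandType` have to be re-validated by every consumer that acts on the command; `commandType` is also an unconstrained free-form string. Adding `required: [guid, commandType]` under the `spec` object, and an `enum:` on `commandType` if the set of command types is closed, moves that check into the API server, which matters here because the same change grants the node-agent `delete` on pods for acting on these objects. `args` and the `designators` items are free-form via `additionalProperties: true`; if that is deliberate, a comment on those fields saying the consumer validates their shape would help the next reader.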
@@ -50,3 +50,7 @@ dependencies: version: 0.0.1 repository: "file://../dependency_chart/servicescanresult-crds" condition: serviceScanConfig.enabled + - name: kubescape-operator-command-crd + version: 0.0.1 + repository: "file://../dependency_chart/operatorcommand-crds" + diff --git a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml index 863a142d..dc084825 100644 --- a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml +++ b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml @@ -8,8 +8,11 @@ metadata: {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.nodeAgent.name "tier" .Values.global.namespaceTier) | nindent 4 }} rules: - apiGroups: [""] - resources: ["pods", "nodes", "services", "endpoints", "namespaces"] + resources: ["nodes", "services", "endpoints", "namespaces"] verbs: ["get", "watch", "list"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list", "delete"] - apiGroups: [""] resources: ["events"] verbs: ["get", "watch", "list"] @@ -28,4 +31,10 @@ rules: - apiGroups: ["kubescape.io"] resources: ["runtimerulealertbindings"] verbs: ["list", "watch"] +- apiGroups: ["kubescape.io"] + resources: ["operatorcommands"] + verbs: ["get", "watch", "list"] +- apiGroups: ["kubescape.io"] + resources: ["operatorcommands/status"] + verbs: ["get", "watch", "list", "update", "patch"] {{- end }} diff --git a/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml b/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml index a6684b19..4b37e923 100644 --- a/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml +++ b/charts/kubescape-operator/templates/synchronizer/clusterrole.yaml 
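Review bot: The new `kubescape-operator-command-crd` dependency carries no `condition:`, unlike the `servicescanresult-crds` entry directly above it, so this CRD is installed regardless of which capabilities are enabled; the hunk also appends an added empty line at the end of the file. If unconditional installation is intended, which seems plausible since both the node-agent and synchronizer roles in this change reference the resource, a one-line comment such as `# always installed: consumed by node-agent and synchronizer` would spare readers the comparison; otherwise a `condition:` keyed to the relevant capability keeps the dependency list consistent. The `dependencies:` list starts before this hunk.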
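Review bot: The rule added for `pods` in the node-agent ClusterRole grants `delete` on every pod in the cluster, a step up from the read-only access the role previously had, and nothing in the hunk scopes it to a namespace or gates it behind a values flag. If pod deletion is only needed by the new operator-command flow, consider emitting this rule only when that feature is enabled, or at minimum add a comment above it naming the command type that needs `delete` so the privilege can be audited later; the split into a separate rule is otherwise the right shape since it keeps the broader verb off `nodes`, `services`, `endpoints` and `namespaces`. The `rules:` list continues past the end of this hunk.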
@@ -46,4 +46,7 @@ rules: - apiGroups: ["kubescape.io"] resources: ["servicesscanresults"] verbs: ["get", "watch", "list"] + - apiGroups: ["kubescape.io"] + resources: ["operatorcommands"] + verbs: ["get", "watch", "list", "create", "update", "patch", "delete"] {{- end }} diff --git a/charts/kubescape-operator/templates/synchronizer/configmap.yaml b/charts/kubescape-operator/templates/synchronizer/configmap.yaml index c51503e2..6b7a98eb 100644 --- a/charts/kubescape-operator/templates/synchronizer/configmap.yaml +++ b/charts/kubescape-operator/templates/synchronizer/configmap.yaml @@ -192,6 +192,12 @@ data: "version": "v1", "resource": "servicesscanresults", "strategy": "patch" + }, + { + "group": "kubescape.io", + "version": "v1alpha1", + "resource": "operatorcommands", + "strategy": "copy" } ] }, diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index c53dd280..11ee77ce 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap @@ -2539,7 +2539,6 @@ all capabilities: - apiGroups: - "" resources: - - pods - nodes - services - endpoints @@ -2548,6 +2547,15 @@ all capabilities: - get - watch - list + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete - apiGroups: - "" resources: @@ -2607,6 +2615,24 @@ all capabilities: verbs: - list - watch + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands/status + verbs: + - get + - watch + - list + - update + - patch 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
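Review bot: The new rule gives the synchronizer `create`, `update`, `patch` and `delete` on `operatorcommands` in every namespace, although the CRD introduced in this change is `scope: Namespaced`; if the synchronizer only manages commands in the release namespace, a namespaced Role bound there would be the tighter grant. Whether the synchronizer operates across namespaces cannot be seen from this hunk, so if the cluster-wide grant is needed a short comment stating why would help. The `rules:` list and the template guard closed by the visible `{{- end }}` start outside the hunk.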
@@ -5339,6 +5365,18 @@ all capabilities: - get - watch - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - create + - update + - patch + - delete 107: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -5543,6 +5581,12 @@ all capabilities: "version": "v1", "resource": "servicesscanresults", "strategy": "patch" + }, + { + "group": "kubescape.io", + "version": "v1alpha1", + "resource": "operatorcommands", + "strategy": "copy" } ] }, @@ -5612,7 +5656,7 @@ all capabilities: checksum/cloud-config: b8da78cdc7d961c5f1a909ef55dace218e2279870114d370cdc9671de162626e checksum/cloud-secret: 24df65203633cca99bee8277b86aadb177d821b8099049d9065de756c55f71bc checksum/proxy-config: 49d2addb181c10ee040c8cd4d2dd456980ee18d972fd86bfe8667f5fbf0789ec - checksum/synchronizer-configmap: a86495835171f84c53098c46ffb905886047b3b52be05dda0244d8e7fe726982 + checksum/synchronizer-configmap: e7ae06c79351fcf9914be66e29c8f0bd3202147caea451a610552754b460a364 labels: app: synchronizer app.kubernetes.io/component: synchronizer @@ -8000,7 +8044,6 @@ default capabilities: - apiGroups: - "" resources: - - pods - nodes - services - endpoints @@ -8009,6 +8052,15 @@ default capabilities: - get - watch - list + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete - apiGroups: - "" resources: @@ -8068,6 +8120,24 @@ default capabilities: verbs: - list - watch + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands/status + verbs: + - get + - watch + - list + - update + - patch 42: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -10226,6 +10296,18 @@ default capabilities: - get - watch - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - create + - update + - patch + - delete 82: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -10430,6 +10512,12 @@ default capabilities: "version": "v1", "resource": "servicesscanresults", "strategy": "patch" + }, + { + "group": "kubescape.io", + "version": "v1alpha1", + "resource": "operatorcommands", + "strategy": "copy" } ] }, @@ -10499,7 +10587,7 @@ default capabilities: checksum/cloud-config: d3e5cac20b095bd3af4c3be5720642133b85a47d35028dace94d338f463f8793 checksum/cloud-secret: 24df65203633cca99bee8277b86aadb177d821b8099049d9065de756c55f71bc checksum/proxy-config: 49d2addb181c10ee040c8cd4d2dd456980ee18d972fd86bfe8667f5fbf0789ec - checksum/synchronizer-configmap: a27801135e420986a6495a6d0bbce5c9c408539c4a54768410c225b5f1c19b0e + checksum/synchronizer-configmap: 94ea2c9bd998eed1bbefce521faf324c4f1ba08fdea5222d283a940d5ef18a9c labels: app: synchronizer app.kubernetes.io/component: synchronizer @@ -12347,7 +12435,6 @@ disable otel: - apiGroups: - "" resources: - - pods - nodes - services - endpoints @@ -12356,6 +12443,15 @@ disable otel: - get - watch - list + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete - apiGroups: - "" resources: @@ -12415,6 +12511,24 @@ disable otel: verbs: - list - watch + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands/status + verbs: + - get + - watch + - list + - update + - patch 32: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -14286,6 +14400,18 @@ disable otel: - get - watch - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - create + - update + - patch + - delete 66: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -14490,6 +14616,12 @@ disable otel: "version": "v1", "resource": "servicesscanresults", "strategy": "patch" + }, + { + "group": "kubescape.io", + "version": "v1alpha1", + "resource": "operatorcommands", + "strategy": "copy" } ] }, @@ -14558,7 +14690,7 @@ disable otel: annotations: checksum/cloud-config: 87c54cf53cea73debbb12faf90deaf269291fb5b48b08016201f92432f8beb8c checksum/cloud-secret: 24df65203633cca99bee8277b86aadb177d821b8099049d9065de756c55f71bc - checksum/synchronizer-configmap: a27801135e420986a6495a6d0bbce5c9c408539c4a54768410c225b5f1c19b0e + checksum/synchronizer-configmap: 94ea2c9bd998eed1bbefce521faf324c4f1ba08fdea5222d283a940d5ef18a9c labels: app: synchronizer app.kubernetes.io/component: synchronizer @@ -15725,7 +15857,6 @@ minimal capabilities: - apiGroups: - "" resources: - - pods - nodes - services - endpoints @@ -15734,6 +15865,15 @@ minimal capabilities: - get - watch - list + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete - apiGroups: - "" resources: @@ -15793,6 +15933,24 @@ minimal capabilities: verbs: - list - watch + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands/status + verbs: + - get + - watch + - list + - update + - patch 21: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding