diff --git a/Makefile b/Makefile index 005c04bd2..fc4939a7f 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ .PHONY: unittest deps-docs: - go install kubepack.dev/chart-doc-gen@latest + go install kubepack.dev/chart-doc-gen@v0.4.7 docs: deps-docs find . -name "doc.yaml" | \ diff --git a/charts/admission-controller/CHANGELOG.md b/charts/admission-controller/CHANGELOG.md index 846a0f7e8..280d0f72a 100644 --- a/charts/admission-controller/CHANGELOG.md +++ b/charts/admission-controller/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.14.12 +### Bug Fixes +* **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) # v0.14.11 ### Chores * **admission-controller** [684e44a1](https://github.com/sysdiglabs/charts/commit/684e44a18df462051a9a81ba2cdfb421d31d20f7): Update to v3.9.33 ([#1390](https://github.com/sysdiglabs/charts/issues/1390)) diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml index 56cee6310..a2191f833 100644 --- a/charts/admission-controller/Chart.yaml +++ b/charts/admission-controller/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: admission-controller description: Sysdig Admission Controller using Sysdig Secure inline image scanner type: application -version: 0.14.11 +version: 0.14.12 appVersion: 3.9.33 home: https://sysdiglabs.github.io/admission-controller/ icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 @@ -14,4 +14,4 @@ maintainers: dependencies: - name: common repository: file://../common - version: ~1.2.0 + version: ~1.2.2 diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index 9898d0809..799811e72 100644 
--- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md @@ -68,7 +68,7 @@ For example: ```bash helm upgrade --install admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.14.11 \ + --create-namespace -n sysdig-admission-controller --version=0.14.12 \ --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME ``` @@ -80,7 +80,7 @@ For example: ```bash helm upgrade --install admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.14.11 \ + --create-namespace -n sysdig-admission-controller --version=0.14.12 \ --values values.yaml ``` diff --git a/charts/admission-controller/RELEASE-NOTES.md b/charts/admission-controller/RELEASE-NOTES.md index d906664a4..17732930d 100644 --- a/charts/admission-controller/RELEASE-NOTES.md +++ b/charts/admission-controller/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed -### Chores -- **admission-controller** [684e44a1](https://github.com/sysdiglabs/charts/commit/684e44a18df462051a9a81ba2cdfb421d31d20f7): Update to v3.9.33 ([#1390](https://github.com/sysdiglabs/charts/issues/1390)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.14.10...admission-controller-0.14.11 +### Bug Fixes +- **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.14.11...admission-controller-0.14.12 diff --git a/charts/agent/CHANGELOG.md b/charts/agent/CHANGELOG.md index de8d72f30..9f1904bef 100644 --- a/charts/agent/CHANGELOG.md +++ b/charts/agent/CHANGELOG.md 
@@ -10,6 +10,16 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.14.0 +# v1.13.15 +### New Features +* [eda0e7cd](https://github.com/sysdiglabs/charts/commit/eda0e7cdf12c0b40f0bb77c0a16e0fd5f0173256): release agent 12.17.0 ([#1410](https://github.com/sysdiglabs/charts/issues/1410)) +# v1.13.14 +### New Features +* [9fc9ddd4](https://github.com/sysdiglabs/charts/commit/9fc9ddd48e6cb2c3ea334bfc10048ffc15646fd2): release agent 12.16.3 ([#1395](https://github.com/sysdiglabs/charts/issues/1395)) +# v1.13.13 +### Bug Fixes +* **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) # v1.13.12 ### New Features * [45e2f7a9](https://github.com/sysdiglabs/charts/commit/45e2f7a96c565bfe0687acaacf350e81f94a23bb): release agent 12.16.2 ([#1381](https://github.com/sysdiglabs/charts/issues/1381)) diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml index 3d99ac8a4..7b7ac233a 100644 --- a/charts/agent/Chart.yaml +++ b/charts/agent/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 12.16.2 +appVersion: 12.17.0 dependencies: - name: common repository: file://../common - version: ~1.2.1 + version: ~1.2.2 description: Sysdig Monitor and Secure agent home: https://www.sysdig.com/ icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 @@ -30,4 +30,5 @@ sources: - https://app.sysdigcloud.com/#/settings/user - https://github.com/draios/sysdig type: application -version: 1.13.13 +version: 1.14.1 + diff --git a/charts/agent/README.md b/charts/agent/README.md index 7801298d9..2cdd8ae9a 100644 --- a/charts/agent/README.md +++ b/charts/agent/README.md 
@@ -88,8 +88,8 @@ The following table lists the configurable parameters of the Sysdig chart and th | Parameter | Description | Default | |---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------| | `global.clusterConfig.name` | Sets a unique name to the cluster. You can then use the cluster name to identify events using the `kubernetes.cluster.name` tag. | `quay.io` | -| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required | -| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required | +| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required | +| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required | | `global.sysdig.region` | The SaaS region for these agents. Possible values: `"us1"`, `"us2"`, `"us3"`, `"us4"`, `"eu1"`, `"au1"`, and `"custom"` | `"us1"` | | `global.proxy.httpProxy` | Sets `http_proxy` on the `agent` container. | `""` | | `global.proxy.httpsProxy` | Sets `https_proxy` on the `agent` container. | `""` | 
@@ -146,6 +146,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `slim.resources.limits.cpu` | Specifies the CPU limit for building the kernel module | `1000m` | | `slim.resources.limits.memory` | Specifies the memory limit for building the kernel module. | `512Mi` | | `ebpf.enabled` | Enables eBPF support for Sysdig instead of `sysdig-probe` kernel module. | `false` | +| `ebpf.kind` | Define which eBPF driver to use, can be `legacy_ebpf` or `universal_ebpf` | `legacy_ebpf` | | `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. Overrides `global.clusterConfig.name`. | ` ` | | `sysdig.accessKey` | Your Sysdig Agent Access Key. Overrides `global.sysdig.accessKey` | Either `accessKey` or `existingAccessKeySecret` is required | | `sysdig.existingAccessKeySecret` | Specifies the name of a Kubernetes secret containing an `access-key ` entry. Overrides `global.sysdig.existingAccessKeySecret` | Either `accessKey` or `existingAccessKeySecret` is required | 
@@ -158,7 +159,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `auditLog.auditServerUrl` | Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events. | `0.0.0.0` | | `auditLog.auditServerPort` | Specifies the port where Sysdig Agent listens for the Kubernetes audit log events. | `7765` | | `auditLog.dynamicBackend.enabled` | Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. | `false` | -| `tolerations` | Specifies the tolerations for scheduling. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> | | +| `tolerations` | Specifies the tolerations for scheduling. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> | | `leaderelection.enable` | Enables the agent leader election algorithm. | `false` | | `prometheus.file` | Specifies the file to configure promscrape. | `false` | | `prometheus.yaml` | Configures the Prometheus metric collection. Performs relabelling and filtering. | ` ` | diff --git a/charts/agent/RELEASE-NOTES.md b/charts/agent/RELEASE-NOTES.md index 04a731c2a..87f128146 100644 --- a/charts/agent/RELEASE-NOTES.md +++ b/charts/agent/RELEASE-NOTES.md @@ -1,5 +1,3 @@ # What's Changed -### New Features -- [45e2f7a9](https://github.com/sysdiglabs/charts/commit/45e2f7a96c565bfe0687acaacf350e81f94a23bb): release agent 12.16.2 ([#1381](https://github.com/sysdiglabs/charts/issues/1381)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.13.11...agent-1.13.12 +#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.13.15...agent-1.14.0 diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl index 880fd3c16..8eda6b069 100644 --- a/charts/agent/templates/_helpers.tpl +++ b/charts/agent/templates/_helpers.tpl 
@@ -54,11 +54,15 @@ Define the proper imageRegistry to use for agent and kmodule image {{- end -}} {{/* -Return the proper Sysdig Agent image name +Return the proper Sysdig Agent repository name + +Force the slim version if customer specify enable the slim mode or if the Universal eBPF driver is enforced */}} {{- define "agent.repositoryName" -}} {{- if .Values.slim.enabled -}} {{- .Values.slim.image.repository -}} +{{- else if (include "agent.universalEbpfEnforced" . ) -}} + {{- .Values.slim.image.repository -}} {{- else -}} {{- .Values.image.repository -}} {{- end -}} @@ -219,6 +223,18 @@ it can act like a boolean {{- end -}} {{- end -}} +{{- define "agent.universalEbpfEnforced" -}} + {{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "universal_ebpf" .Values.ebpf.kind )) -}} + true + {{- end -}} +{{- end -}} + +{{- define "agent.legacyEbpfEnforced" -}} + {{- if (and (eq "true" (include "agent.ebpfEnabled" .)) (eq "legacy_ebpf" .Values.ebpf.kind )) -}} + true + {{- end -}} +{{- end -}} + {{/* to help the maxUnavailable pick a reasonable value depending on the cluster size */}} diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml index d2ff2ee23..91eccf6cc 100644 --- a/charts/agent/templates/daemonset.yaml +++ b/charts/agent/templates/daemonset.yaml @@ -77,7 +77,8 @@ spec: imagePullSecrets: {{ toYaml .Values.global.image.pullSecrets | nindent 8 }} {{- end }} - {{- if .Values.slim.enabled }} + {{/* When the Universal eBPF is enforced by customer choice there is no reason to start the init container to build the driver */}} + {{- if and .Values.slim.enabled (not (include "agent.universalEbpfEnforced" . )) }} initContainers: - name: sysdig-agent-kmodule image: {{ template "agent.image.kmodule" . }} 
@@ -95,6 +96,10 @@ spec: - name: SYSDIG_BPF_PROBE value: {{- end }} + {{- if (include "agent.legacyEbpfEnforced" .) }} + - name: SYSDIG_AGENT_DRIVER + value: legacy_ebpf + {{- end }} {{- range $key, $value := .Values.daemonset.kmodule.env }} - name: {{ $key | quote }} value: {{ $value | quote }} @@ -178,10 +183,17 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - {{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)}} + {{- if and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) (not (include "agent.universalEbpfEnforced" . )) }} - name: SYSDIG_BPF_PROBE value: {{- end }} + {{- if (include "agent.universalEbpfEnforced" .) }} + - name: SYSDIG_AGENT_DRIVER + value: universal_ebpf + {{- else if (include "agent.legacyEbpfEnforced" .) }} + - name: SYSDIG_AGENT_DRIVER + value: legacy_ebpf + {{- end }} {{- if (.Values.proxy.httpProxy | default .Values.global.proxy.httpProxy) }} - name: http_proxy value: {{ .Values.proxy.httpProxy | default .Values.global.proxy.httpProxy }} diff --git a/charts/agent/tests/universal_ebpf_test.yaml b/charts/agent/tests/universal_ebpf_test.yaml new file mode 100644 index 000000000..0fe156718 --- /dev/null +++ b/charts/agent/tests/universal_ebpf_test.yaml 
@@ -0,0 +1,103 @@ +suite: Universal eBPF tests +templates: + - templates/daemonset.yaml +tests: + - it: Ensure that when the eBPF is disabled we create the sysdig container without SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER environment variables + set: + ebpf: + enabled: false + asserts: + - isNull: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")] + - isNull: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")] + - isNull: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")] + - isNull: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")] + + - it: Ensure that when the eBPF is enabled the default driver is "legacy_ebpf" we create the sysdig container with the SYSDIG_BPF_PROBE and SYSDIG_AGENT_DRIVER=legacy_ebpf environment variables + set: + ebpf: + enabled: true + asserts: + - isEmpty: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + - isEmpty: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + + - it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the sysdig container with the SYSDIG_BPF_PROBE and with SYSDIG_AGENT_DRIVER environment variables + set: + ebpf: + enabled: true + kind: legacy_ebpf + asserts: + - isEmpty: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.initContainers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + - isEmpty: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")].value + - equal: + path: spec.template.spec.containers[*].env[?(@.name == 
"SYSDIG_AGENT_DRIVER")].value + value: legacy_ebpf + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we create the sysdig container without the SYSDIG_BPF_PROBE and with the SYSDIG_AGENT_DRIVER environment variables + set: + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - isNull: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_BPF_PROBE")] + - equal: + path: spec.template.spec.containers[*].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value + value: universal_ebpf + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we don't create the init container + set: + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - isNull: + path: spec.template.spec.initContainers + + - it: Ensure that when the eBPF is enabled and we specify to use the "legacy_ebpf" driver we create the init container + set: + ebpf: + enabled: true + kind: legacy_ebpf + asserts: + - matchRegex: + path: spec.template.spec.initContainers[*].image + pattern: quay.io/sysdig/agent-kmodule:.* + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container + set: + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - matchRegex: + path: spec.template.spec.containers[*].image + pattern: quay.io/sysdig/agent-slim:.* + + - it: Ensure that when the eBPF is enabled and we specify to use the "universal_ebpf" driver we use the slim container also if is slim container is not enabled + set: + slim: + enabled: false + ebpf: + enabled: true + kind: universal_ebpf + asserts: + - matchRegex: + path: spec.template.spec.containers[*].image + pattern: quay.io/sysdig/agent-slim:.* diff --git a/charts/agent/values.schema.json b/charts/agent/values.schema.json new file mode 100644 index 000000000..65eeb0df9 --- /dev/null +++ b/charts/agent/values.schema.json 
@@ -0,0 +1,28 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "ebpf" + ], + "properties": { + "ebpf": { + "type": "object", + "required": [ + "enabled", + "kind" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "kind": { + "type": "string", + "enum": [ + "legacy_ebpf", + "universal_ebpf" + ] + } + } + } + } +} diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml index d7db348bf..d507e8bee 100644 --- a/charts/agent/values.yaml +++ b/charts/agent/values.yaml @@ -51,7 +51,7 @@ image: overrideValue: null registry: quay.io repository: sysdig/agent - tag: 12.16.2 + tag: 12.17.0 # Specify a imagePullPolicy # Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' # ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -169,6 +169,10 @@ priorityClassValue: 10 ebpf: # Enable eBPF support for Sysdig Agent enabled: false + + # Define the kind of eBPF driver that will be used by the agent. Can be `legacy_ebpf` or `universal_ebpf` + kind: legacy_ebpf + slim: # Uses a slim version of the Sysdig Agent enabled: true diff --git a/charts/cluster-scanner/CHANGELOG.md b/charts/cluster-scanner/CHANGELOG.md index e01c85d0b..0d162b68c 100644 --- a/charts/cluster-scanner/CHANGELOG.md +++ b/charts/cluster-scanner/CHANGELOG.md 
@@ -10,6 +10,21 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.8.1 +### New Features +* **cluster-scanner** [8f19ed47](https://github.com/sysdiglabs/charts/commit/8f19ed47df2be280d2c432d1a182f6235a8e2231): bumped cluster-scanner images to 0.5.1 ([#1412](https://github.com/sysdiglabs/charts/issues/1412)) +# v0.8.0 +### New Features +* **cluster-scanner** [23b421c6](https://github.com/sysdiglabs/charts/commit/23b421c60dafe24c2e777f38c490e7f88c2c42a4): Enable platform services only in regions which support them ([#1413](https://github.com/sysdiglabs/charts/issues/1413)) +# v0.7.2 +### Bug Fixes +* **cluster-scanner** [9b3864ff](https://github.com/sysdiglabs/charts/commit/9b3864fffdc9e8b7e8fdc96f8ed4902f945c34c7): removed unneeded version compatibility checks ([#1404](https://github.com/sysdiglabs/charts/issues/1404)) +# v0.7.1 +### Bug Fixes +* **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) +# v0.7.0 +### New Features +* **cluster-scanner** [5b1e9649](https://github.com/sysdiglabs/charts/commit/5b1e96497ef50342055f3f43bc9ff5f41f7cfea1): added configuration for docker registry mirrors ([#1372](https://github.com/sysdiglabs/charts/issues/1372)) # v0.6.1 ### Bug Fixes * **cluster-scanner** [3fe6f6e6](https://github.com/sysdiglabs/charts/commit/3fe6f6e659e43dfdaaf5211b34f32025283c2b18): corrected incompatibility with helm 3.9 ([#1383](https://github.com/sysdiglabs/charts/issues/1383)) diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml index 32b2d7cab..30af336d2 100644 --- a/charts/cluster-scanner/Chart.yaml +++ b/charts/cluster-scanner/Chart.yaml 
@@ -4,7 +4,7 @@ description: Sysdig Cluster Scanner type: application -version: 0.6.1 +version: 0.8.1 appVersion: "0.1.0" home: https://www.sysdig.com/ @@ -16,4 +16,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.2.0 + version: ~1.2.2 diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index 8f8315d8b..e1b2ae001 100644 --- a/charts/cluster-scanner/README.md +++ b/charts/cluster-scanner/README.md @@ -25,7 +25,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.8.1 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.8.1 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE 
@@ -109,7 +109,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c | sslVerifyCertificate | Optional parameter used to check the compatibility of cluster-scanner component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image tag is < 0.5.0 for both the Runtime Status Integrator and the Image SBOM Extractor. onPremCompatibilityVersion: "6.2" Can be set to false to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. | <code>true</code> | | runtimeStatusIntegrator.image.registry | The image registry to use for the Runtime Status Integrator component of Cluster Scanner | <code>quay.io</code> | | runtimeStatusIntegrator.image.repository | The image repository to use for pulling the Runtime Status Integrator image | <code>sysdig/runtime-status-integrator</code> | -| runtimeStatusIntegrator.image.tag | | <code>"0.5.0"</code> | +| runtimeStatusIntegrator.image.tag | | <code>"0.5.1"</code> | | runtimeStatusIntegrator.multiCluster | When the Cluster Scanner is running in `multi` mode, set the secret name to be used to retrieve the kubeconfig configuration to connect to the clusters to inspect. | <code></code> | | runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running in `local` mode. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. | <code></code> | | runtimeStatusIntegrator.ports.metrics | The port to be used to expose prometheus metrics for the Runtime Status Integrator | <code>25000</code> | 
@@ -122,7 +122,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c | runtimeStatusIntegrator.natsJS.user | The username to be used in the NATS JetStream instance the Runtime Status Integrator is going to start | <code>"default-user"</code> | | imageSbomExtractor.image.registry | The image registry to use for the Image SBOM Extractor component of Cluster Scanner | <code>quay.io</code> | | imageSbomExtractor.image.repository | The image repository to use for pulling the Image SBOM Extractor image | <code>sysdig/image-sbom-extractor</code> | -| imageSbomExtractor.image.tag | | <code>"0.5.0"</code> | +| imageSbomExtractor.image.tag | | <code>"0.5.1"</code> | | imageSbomExtractor.ports.metrics | The port to be used to expose prometheus metrics for the Image SBOM Extractor | <code>25001</code> | | imageSbomExtractor.ports.probes | The port to be used for healthcheck probes for the Image SBOM Extractor | <code>7001</code> | | imageSbomExtractor.resources.limits.cpu | Image SBOM Extractor CPU limit per replica | <code>"1"</code> | 
@@ -134,6 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c | imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | <code>"36700160"</code> | | imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | <code>"102400"</code> | | imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | <code>"168h"</code> | +| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ . <br> Example: <br> `mirrors:` <br> `registryMirrors:` <br> `- insecure.mirror.acme.com` <br> `- secure.mirror.acme.com` <br> `insecureRegistries:` <br> `- insecure.mirror.acme.com` | <code>{}</code> | | nameOverride | Chart name override | <code>""</code> | | fullnameOverride | Chart full name override | <code>""</code> | | serviceAccount.create | Specifies whether a service account should be created | <code>true</code> | @@ -160,7 +161,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to ` ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.8.1 \ --set global.sysdig.region="us1" ``` 
@@ -169,7 +170,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.6.1 \ + --create-namespace -n sysdig --version=0.8.1 \ --values values.yaml ``` diff --git a/charts/cluster-scanner/RELEASE-NOTES.md b/charts/cluster-scanner/RELEASE-NOTES.md index 674409422..fbae7b07d 100644 --- a/charts/cluster-scanner/RELEASE-NOTES.md +++ b/charts/cluster-scanner/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed -### Bug Fixes -- **cluster-scanner** [3fe6f6e6](https://github.com/sysdiglabs/charts/commit/3fe6f6e659e43dfdaaf5211b34f32025283c2b18): corrected incompatibility with helm 3.9 ([#1383](https://github.com/sysdiglabs/charts/issues/1383)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-scanner-0.6.0...cluster-scanner-0.6.1 +### New Features +- **cluster-scanner** [8f19ed47](https://github.com/sysdiglabs/charts/commit/8f19ed47df2be280d2c432d1a182f6235a8e2231): bumped cluster-scanner images to 0.5.1 ([#1412](https://github.com/sysdiglabs/charts/issues/1412)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-scanner-0.8.0...cluster-scanner-0.8.1 diff --git a/charts/cluster-scanner/templates/_helpers.tpl b/charts/cluster-scanner/templates/_helpers.tpl index 661b9aaaa..abe723e34 100644 --- a/charts/cluster-scanner/templates/_helpers.tpl +++ b/charts/cluster-scanner/templates/_helpers.tpl 
@@ -205,37 +205,16 @@ Define the proper imageRegistry to use for imageSbomExtractor {{- end -}} {{- end -}} -{{/* -Cluster scanner version compatibility check. - -If .Values.onPremCompatibilityVersion is set to a version below 6.6.0, it checks whether -the provided tag is < 0.5.0 . - -Otherwise, it checks if the provided tag is >= 0.5.0 . - -Version tags must be semver2-compatible otherwise no check will be performed. -*/}} -{{- define "cluster-scanner.checkVersionCompatibility" -}} -{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+.*" .Tag -}} - {{- $version := .Tag -}} - {{- if ( semverCompare "< 6.6.0" ( .Values.onPremCompatibilityVersion | default "6.6.0" )) -}} - {{- if not ( semverCompare "< 0.5.0" $version ) -}} - {{- fail (printf "incompatible version for %s, set %s expected < 0.5.0" .Component .Tag) -}} - {{- end -}} - {{- else -}} - {{- if not ( semverCompare ">= 0.5.0" $version ) -}} - {{- fail (printf "incompatible version for %s, set %s expected >= 0.5.0" .Component .Tag) -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- end -}} - {{/* Generates configmap data to enable platform services if onPremCompatibility version is not set, or it is greater than 6.6.0 +It also makes sure that the platform services are enabled in regions which support them when onPremCompatibility is not defined. */}} {{- define "cluster-scanner.enablePlatformServicesConfig" -}} {{- if ( semverCompare ">= 6.6.0" (.Values.onPremCompatibilityVersion | default "6.6.0" )) -}} + {{- $regionsPlatformEnabled := list "us1" "us2" "us3" "au1" "eu1" -}} + {{- if or (has .Values.global.sysdig.region $regionsPlatformEnabled) .Values.onPremCompatibilityVersion -}} enable_platform_services: "true" + {{- end -}} {{- end -}} {{- end -}} 
@@ -244,7 +223,6 @@ Return the proper image name for the Runtime Status Integrator */}} {{- define "cluster-scanner.runtimeStatusIntegrator.image" -}} {{- $data := dict "Values" .Values "Tag" .Values.runtimeStatusIntegrator.image.tag "Component" "runtimeStatusIntegrator.image.tag" -}} - {{- include "cluster-scanner.checkVersionCompatibility" $data -}} {{- include "cluster-scanner.runtimeStatusIntegrator.imageRegistry" . -}} / {{- .Values.runtimeStatusIntegrator.image.repository -}} : {{- .Values.runtimeStatusIntegrator.image.tag -}} {{- end -}} @@ -254,7 +232,6 @@ Return the proper image name for the Image Sbom Extractor {{- define "cluster-scanner.imageSbomExtractor.image" -}} {{- $data := dict "Values" .Values "Tag" .Values.imageSbomExtractor.image.tag -}} {{- $data := dict "Values" .Values "Tag" .Values.imageSbomExtractor.image.tag "Component" "imageSbomExtractor.image.tag" -}} - {{- include "cluster-scanner.checkVersionCompatibility" $data -}} {{- include "cluster-scanner.imageSbomExtractor.imageRegistry" . -}} / {{- .Values.imageSbomExtractor.image.repository -}} : {{- .Values.imageSbomExtractor.image.tag -}} {{- end -}} diff --git a/charts/cluster-scanner/templates/deployment.yaml b/charts/cluster-scanner/templates/deployment.yaml index f7c907d1e..2c3806913 100644 --- a/charts/cluster-scanner/templates/deployment.yaml +++ b/charts/cluster-scanner/templates/deployment.yaml @@ -48,6 +48,11 @@ spec: configMap: name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }} {{- end }} + {{- if .Values.imageSbomExtractor.mirrors }} + - name: registry-mirrors-config + configMap: + name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors + {{- end }} containers: - name: rsi securityContext: 
@@ -315,6 +320,12 @@ spec: mountPath: /ca-certs readOnly: true {{- end }} + {{- if .Values.imageSbomExtractor.mirrors }} + - name: registry-mirrors-config + mountPath: /etc/docker/daemon.json + subPath: daemon.json + readOnly: true + {{- end }} {{- with .Values.imageSbomExtractor }} ports: - name: metrics diff --git a/charts/cluster-scanner/templates/registrymirror.yaml b/charts/cluster-scanner/templates/registrymirror.yaml new file mode 100644 index 000000000..f28af3423 --- /dev/null +++ b/charts/cluster-scanner/templates/registrymirror.yaml @@ -0,0 +1,15 @@ +{{- if .Values.imageSbomExtractor.mirrors -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors + namespace: {{ include "cluster-scanner.namespace" . }} + labels: + {{- include "cluster-scanner.labels" . | nindent 4 }} +data: + daemon.json: |- + { + "registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }}, + "insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }} + } +{{- end -}} diff --git a/charts/cluster-scanner/tests/configmap_test.yaml b/charts/cluster-scanner/tests/configmap_test.yaml index 4f6a98f62..865da59ef 100644 --- a/charts/cluster-scanner/tests/configmap_test.yaml +++ b/charts/cluster-scanner/tests/configmap_test.yaml 
@@ -342,26 +342,83 @@ tests: path: data.no_proxy value: "fake-no-proxy" - - it: "has correct platform services value when onPremCompatibilityVersion is NOT provided" + - it: "has correct platform services value when onPremCompatibilityVersion is NOT provided and region does NOT support platform services" set: global.sysdig.apiHost: "http://test.com" + global.sysdig.region: "" + asserts: + - isNull: + path: data.enable_platform_services + + - it: "has correct platform services value when onPremCompatibilityVersion is NOT provided and region supports platform services" + set: + global.sysdig.apiHost: "http://test.com" + global.sysdig.region: "us1" asserts: - equal: path: data.enable_platform_services value: "true" - - it: "has correct platform services value when onPremCompatibilityVersion is < 6.6" + - it: "has correct platform services value when onPremCompatibilityVersion is < 6.6 and region does NOT support platform services" set: global.sysdig.apiHost: "http://test.com" onPremCompatibilityVersion: "6.5.99" + global.sysdig.region: "" asserts: - isNull: path: data.enable_platform_services - - it: "has correct platform services value when onPremCompatibilityVersion is = 6.6.0" + - it: "has correct platform services value when onPremCompatibilityVersion is < 6.6 and region supports platform services" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "6.5.99" + global.sysdig.region: "us1" + asserts: + - isNull: + path: data.enable_platform_services + + - it: "has correct platform services value when onPremCompatibilityVersion is = 6.5 and region does NOT support platform services" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "6.5" + global.sysdig.region: "" + asserts: + - isNull: + path: data.enable_platform_services + + - it: "has correct platform services value when onPremCompatibilityVersion is = 6.5 and region supports platform services" + set: + global.sysdig.apiHost: "http://test.com" + 
onPremCompatibilityVersion: "6.5" + global.sysdig.region: "us1" + asserts: + - isNull: + path: data.enable_platform_services + + - it: "has correct platform services value when onPremCompatibilityVersion is = 6.6.0 and region does NOT support platform services" set: global.sysdig.apiHost: "http://test.com" onPremCompatibilityVersion: "6.6.0" + global.sysdig.region: "" + asserts: + - equal: + path: data.enable_platform_services + value: "true" + + - it: "has correct platform services value when onPremCompatibilityVersion is = 6.6.0 and region supports platform services" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "6.6.0" + global.sysdig.region: "us1" + asserts: + - equal: + path: data.enable_platform_services + value: "true" + + - it: "has correct platform services value when onPremCompatibilityVersion is just a major.minor version" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "6.6" asserts: - equal: path: data.enable_platform_services @@ -375,3 +432,11 @@ tests: - equal: path: data.enable_platform_services value: "true" + + - it: "fails if onPremCompatibilityVersion is not a valid semver" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "gigimarzullo" + asserts: + - failedTemplate: + errorMessage: "Invalid Semantic Version" diff --git a/charts/cluster-scanner/tests/deployment_test.yaml b/charts/cluster-scanner/tests/deployment_test.yaml index fc3d07c58..edb4179dc 100644 --- a/charts/cluster-scanner/tests/deployment_test.yaml +++ b/charts/cluster-scanner/tests/deployment_test.yaml 
@@ -181,218 +181,6 @@ tests: name: test-release-cluster-scanner optional: true - - it: "fails if the onPremCompatibilityVersion is not set and the runtimeStatusIntegrator version is incorrect" - templates: - - ../templates/deployment.yaml - set: - runtimeStatusIntegrator.image.tag: "0.3.4" - imageSbomExtractor.image.tag: "1.3.4" - asserts: - - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is not set and the imageSbomExtractor version is incorrect" - templates: - - ../templates/deployment.yaml - set: - runtimeStatusIntegrator.image.tag: "1.3.4" - imageSbomExtractor.image.tag: "0.1.0" - asserts: - - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.2 and the runtimeStatusIntegrator version is incorrect" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.2" - runtimeStatusIntegrator.image.tag: "4.3.4" - imageSbomExtractor.image.tag: "0.3.4" - asserts: - - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 4.3.4 expected < 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.2 and the imageSbomExtractor version is incorrect" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.2" - runtimeStatusIntegrator.image.tag: "0.0.1" - imageSbomExtractor.image.tag: "6.1.0" - asserts: - - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 6.1.0 expected < 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.3 and the runtimeStatusIntegrator version is incorrect" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.3" - runtimeStatusIntegrator.image.tag: "4.3.4" - imageSbomExtractor.image.tag: "0.3.4" - 
asserts: - - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 4.3.4 expected < 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.3 and the imageSbomExtractor version is incorrect" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.3" - runtimeStatusIntegrator.image.tag: "0.0.1" - imageSbomExtractor.image.tag: "6.1.0" - asserts: - - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 6.1.0 expected < 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.6 and the runtimeStatusIntegrator version is incorrect" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.6" - runtimeStatusIntegrator.image.tag: "0.3.4" - imageSbomExtractor.image.tag: "1.3.4" - asserts: - - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.6 and the imageSbomExtractor version is incorrect" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.6" - runtimeStatusIntegrator.image.tag: "1.3.4" - imageSbomExtractor.image.tag: "0.1.0" - asserts: - - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.7 and the runtimeStatusIntegrator version is incorrect" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.7" - runtimeStatusIntegrator.image.tag: "0.3.4" - imageSbomExtractor.image.tag: "1.3.4" - asserts: - - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 0.5.0" - - - it: "fails if the onPremCompatibilityVersion is set to 6.7 and the imageSbomExtractor version is incorrect" - templates: - - ../templates/deployment.yaml - set: 
- onPremCompatibilityVersion: "6.7" - runtimeStatusIntegrator.image.tag: "1.3.4" - imageSbomExtractor.image.tag: "0.1.0" - asserts: - - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 0.5.0" - - - it: "succeeds if the onPremCompatibilityVersion is not set and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" - templates: - - ../templates/deployment.yaml - set: - runtimeStatusIntegrator.image.tag: "2.3.4" - imageSbomExtractor.image.tag: "0.5.0" - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/sysdig/runtime-status-integrator:2.3.4 - - equal: - path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.5.0 - - - it: "succeeds if the onPremCompatibilityVersion is set to 6.2 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.2" - runtimeStatusIntegrator.image.tag: "0.3.4" - imageSbomExtractor.image.tag: "0.4.10" - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/sysdig/runtime-status-integrator:0.3.4 - - equal: - path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.4.10 - - - it: "succeeds if the onPremCompatibilityVersion is set to 6.3 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.3" - runtimeStatusIntegrator.image.tag: "0.3.4" - imageSbomExtractor.image.tag: "0.4.10" - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/sysdig/runtime-status-integrator:0.3.4 - - equal: - path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.4.10 - - - it: "succeeds if the onPremCompatibilityVersion is set to 6.6 and the runtimeStatusIntegrator and imageSbomExtractor 
versions are correct" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.6" - runtimeStatusIntegrator.image.tag: "2.3.4" - imageSbomExtractor.image.tag: "0.5.0" - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/sysdig/runtime-status-integrator:2.3.4 - - equal: - path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.5.0 - - - it: "succeeds if the onPremCompatibilityVersion is set to 6.7 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.7" - runtimeStatusIntegrator.image.tag: "2.3.4" - imageSbomExtractor.image.tag: "0.5.0" - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/sysdig/runtime-status-integrator:2.3.4 - - equal: - path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.5.0 - - - it: "succeeds if the runtimeStatusIntegrator version is not a semver and the onPremCompatibilityVersion is 6.4" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.4" - runtimeStatusIntegrator.image.tag: "unstable-rc" - imageSbomExtractor.image.tag: "0.4.9" - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/sysdig/runtime-status-integrator:unstable-rc - - equal: - path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.4.9 - - - it: "succeeds if the imageSbomExtractor version is not a semver and the onPremCompatibilityVersion is 6.6" - templates: - - ../templates/deployment.yaml - set: - onPremCompatibilityVersion: "6.6" - runtimeStatusIntegrator.image.tag: "1.3.5" - imageSbomExtractor.image.tag: "3bc59a4958d15dfa6afed20dfd2459e268b4cda8" - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/sysdig/runtime-status-integrator:1.3.5 - - equal: - path: 
spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:3bc59a4958d15dfa6afed20dfd2459e268b4cda8 - - it: "correctly sets the CLUSTERSCANNER_PLATFORM_ENABLED env var" templates: - ../templates/deployment.yaml @@ -492,3 +280,34 @@ tests: content: name: ENV_VAR_BOOL value: "true" + + - it: "does not have registry volume nor volumeMounts if mirrors is empty" + templates: + - ../templates/deployment.yaml + asserts: + - isEmpty: + path: spec.template.spec.volumes + - isEmpty: + path: spec.template.spec.containers[1].volumeMounts + + - it: "has registry volume mount if mirrors are configured" + set: + imageSbomExtractor.mirrors: + registryMirrors: + - "foobar" + templates: + - ../templates/deployment.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: registry-mirrors-config + configMap: + name: test-release-cluster-scanner-registry-mirrors + - contains: + path: spec.template.spec.containers[1].volumeMounts + content: + name: registry-mirrors-config + mountPath: /etc/docker/daemon.json + subPath: daemon.json + readOnly: true diff --git a/charts/cluster-scanner/tests/notes_test.yaml b/charts/cluster-scanner/tests/notes_test.yaml index 6983ef5e8..0461c01cc 100644 --- a/charts/cluster-scanner/tests/notes_test.yaml +++ b/charts/cluster-scanner/tests/notes_test.yaml @@ -1,6 +1,8 @@ suite: Test links in the notes section for regions templates: - templates/NOTES.txt +values: + - ../values.yaml tests: - it: Checking default value no region specified (us1) asserts: diff --git a/charts/cluster-scanner/tests/registrymirror_test.yaml b/charts/cluster-scanner/tests/registrymirror_test.yaml new file mode 100644 index 000000000..496f81c11 --- /dev/null +++ b/charts/cluster-scanner/tests/registrymirror_test.yaml 
@@ -0,0 +1,120 @@ +suite: registrymirror +templates: + - ../templates/registrymirror.yaml +values: + - ../values.yaml +release: + name: test-release + namespace: test-ns + +tests: + - it: "does not have mirrors, if they are not provided" + set: + imageSbomExtractor.mirrors: {} + asserts: + - hasDocuments: + count: 0 + + - it: "has mirrors ConfigMap, when mirrors are set" + set: + imageSbomExtractor.mirrors: + registryMirrors: + - "insecure.mirror.acme.com" + - "secure.mirror.acme.com" + insecureRegistries: + - "insecure.mirror.acme.com" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: test-release-cluster-scanner-registry-mirrors + namespace: test-ns + - equal: + path: data["daemon.json"] + value: |- + { + "registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com"], + "insecure-registries": ["insecure.mirror.acme.com"] + } + + - it: "has correct empty registry mirrors" + set: + imageSbomExtractor.mirrors: + insecureRegistries: + - "insecure.mirror.acme.com" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: test-release-cluster-scanner-registry-mirrors + namespace: test-ns + - equal: + path: data["daemon.json"] + value: |- + { + "registry-mirrors": [], + "insecure-registries": ["insecure.mirror.acme.com"] + } + + - it: "has correct empty insecure registries mirrors" + set: + imageSbomExtractor.mirrors: + registryMirrors: + - "insecure.mirror.acme.com" + - "secure.mirror.acme.com" + - "one more mirror" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: test-release-cluster-scanner-registry-mirrors + namespace: test-ns + - equal: + path: data["daemon.json"] + value: |- + { + "registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com","one more mirror"], + "insecure-registries": [] + } + + - it: "fails if format of registry mirrors is wrong" + set: + imageSbomExtractor.mirrors: + 
registryMirrors: + nested: "object" + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.registryMirrors: Invalid type. Expected: array, given: object\n" + + - it: "fails if format of insecure registries is wrong" + set: + imageSbomExtractor.mirrors: + insecureRegistries: 18 + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.insecureRegistries: Invalid type. Expected: array, given: integer\n" + + - it: "fails if format of mirrors is wrong" + set: + imageSbomExtractor.mirrors: 18 + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. Expected: object, given: integer\n" + + - it: "fails if mirrors contains unexpeceted property" + set: + imageSbomExtractor.mirrors: + gigi: + - "insecure.mirror.acme.com" + - "secure.mirror.acme.com" + insecureRegistries: + - "insecure.mirror.acme.com" + asserts: + - failedTemplate: + errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Additional property gigi is not allowed\n" diff --git a/charts/cluster-scanner/values.schema.json b/charts/cluster-scanner/values.schema.json index 528627434..b27e18f49 100644 --- a/charts/cluster-scanner/values.schema.json +++ b/charts/cluster-scanner/values.schema.json @@ -43,6 +43,29 @@ } } } + }, + "imageSbomExtractor": { + "type": "object", + "properties": { + "mirrors": { + "type": "object", + "additionalProperties": false, + "properties": { + "registryMirrors": { + "type": "array", + "items": { + "type": "string" + } + }, + "insecureRegistries": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } } } } 
diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml index 714d6c220..5e8a2186d 100644 --- a/charts/cluster-scanner/values.yaml +++ b/charts/cluster-scanner/values.yaml @@ -104,7 +104,7 @@ runtimeStatusIntegrator: # The image repository to use for pulling the Runtime Status Integrator # image repository: sysdig/runtime-status-integrator - tag: "0.5.0" + tag: "0.5.1" # Params to manage leader election # Leader election is implemented leveraging the native capabilities of # Kubernetes see: https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/ @@ -166,7 +166,7 @@ imageSbomExtractor: registry: quay.io # The image repository to use for pulling the Image SBOM Extractor image repository: sysdig/image-sbom-extractor - tag: "0.5.0" + tag: "0.5.1" ports: # The port to be used to expose prometheus metrics for the Image SBOM # Extractor @@ -218,6 +218,25 @@ imageSbomExtractor: # sentinelAddress: "" # ttl: "168h" # Default ttl is 7 days + # Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. + # [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from + # the provided mirrors. + # + # The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors + # (potentially insecure), can be specified. + # + # See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ . + # + # Example: + # + # mirrors: + # registryMirrors: + # - insecure.mirror.acme.com + # - secure.mirror.acme.com + # insecureRegistries: + # - insecure.mirror.acme.com + mirrors: {} + # Chart name override nameOverride: "" # Chart full name override diff --git a/charts/common/CHANGELOG.md b/charts/common/CHANGELOG.md index a22e2ab68..273841e75 100644 --- a/charts/common/CHANGELOG.md +++ b/charts/common/CHANGELOG.md 
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.2.2 +### Bug Fixes +* **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) # v1.2.1 ### Bug Fixes * **common,agent,node-analyzer,kspm-collector** [0806635e](https://github.com/sysdiglabs/charts/commit/0806635e5824365adb8ab3d8fd31811477c8918e): support multi-level map in agent.tags ([#1351](https://github.com/sysdiglabs/charts/issues/1351)) diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index 29ae74a4a..774b8bec4 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -16,7 +16,7 @@ type: library # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.2.1 +version: 1.2.2 maintainers: - name: AlbertoBarba diff --git a/charts/common/RELEASE-NOTES.md b/charts/common/RELEASE-NOTES.md index ae22f6bc1..c2d8da266 100644 --- a/charts/common/RELEASE-NOTES.md +++ b/charts/common/RELEASE-NOTES.md 
@@ -1,5 +1,5 @@ # What's Changed ### Bug Fixes -- **common,agent,node-analyzer,kspm-collector** [0806635e](https://github.com/sysdiglabs/charts/commit/0806635e5824365adb8ab3d8fd31811477c8918e): support multi-level map in agent.tags ([#1351](https://github.com/sysdiglabs/charts/issues/1351)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/common-1.2.0...common-1.2.1 +- **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/common-1.2.1...common-1.2.2 diff --git a/charts/common/sysdig_ca.toml b/charts/common/sysdig_ca.toml index e693fb345..ec552bae3 100644 --- a/charts/common/sysdig_ca.toml +++ b/charts/common/sysdig_ca.toml 
@@ -1,61 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw 
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 -WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu -ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY -MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc -h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ -0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U -A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW -T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH -B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC -B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv -KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn -OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn -jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw -qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI -rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq -hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL -ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ -3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK -NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 -ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur -TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC -jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc -oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq -4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA -mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d -emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +MIIEXjCCA0agAwIBAgITB3MSOAudZoijOx7Zv5zNpo4ODzANBgkqhkiG9w0BAQsF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 
+b24gUm9vdCBDQSAxMB4XDTIyMDgyMzIyMjEyOFoXDTMwMDgyMzIyMjEyOFowPDEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEcMBoGA1UEAxMTQW1hem9uIFJT +QSAyMDQ4IE0wMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOtxLKnL +H4gokjIwr4pXD3i3NyWVVYesZ1yX0yLI2qIUZ2t88Gfa4gMqs1YSXca1R/lnCKeT +epWSGA+0+fkQNpp/L4C2T7oTTsddUx7g3ZYzByDTlrwS5HRQQqEFE3O1T5tEJP4t +f+28IoXsNiEzl3UGzicYgtzj2cWCB41eJgEmJmcf2T8TzzK6a614ZPyq/w4CPAff +nAV4coz96nW3AyiE2uhuB4zQUIXvgVSycW7sbWLvj5TDXunEpNCRwC4kkZjK7rol +jtT2cbb7W2s4Bkg3R42G3PLqBvt2N32e/0JOTViCk8/iccJ4sXqrS1uUN4iB5Nmv +JK74csVl+0u0UecCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYD +VR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNV +HQ4EFgQUgbgOY4qJEhjl+js7UJWf5uWQE4UwHwYDVR0jBBgwFoAUhBjMhTTsvAyU +lC4IWZzHshBOCggwewYIKwYBBQUHAQEEbzBtMC8GCCsGAQUFBzABhiNodHRwOi8v +b2NzcC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbTA6BggrBgEFBQcwAoYuaHR0cDov +L2NydC5yb290Y2ExLmFtYXpvbnRydXN0LmNvbS9yb290Y2ExLmNlcjA/BgNVHR8E +ODA2MDSgMqAwhi5odHRwOi8vY3JsLnJvb3RjYTEuYW1hem9udHJ1c3QuY29tL3Jv +b3RjYTEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqGSIb3DQEBCwUAA4IB +AQCtAN4CBSMuBjJitGuxlBbkEUDeK/pZwTXv4KqPK0G50fOHOQAd8j21p0cMBgbG +kfMHVwLU7b0XwZCav0h1ogdPMN1KakK1DT0VwA/+hFvGPJnMV1Kx2G4S1ZaSk0uU +5QfoiYIIano01J5k4T2HapKQmmOhS/iPtuo00wW+IMLeBuKMn3OLn005hcrOGTad +hcmeyfhQP7Z+iKHvyoQGi1C0ClymHETx/chhQGDyYSWqB/THwnN15AwLQo0E5V9E +SJlbe4mBlqeInUsNYugExNf+tOiybcrswBy8OFsd34XOW3rjSUtsuafd9AWySa3h +xRRrwszrzX/WWGm6wyB+f7C4 -----END CERTIFICATE----- diff --git a/charts/kspm-collector/CHANGELOG.md b/charts/kspm-collector/CHANGELOG.md index b14353dc3..113ef82a3 100644 --- a/charts/kspm-collector/CHANGELOG.md +++ b/charts/kspm-collector/CHANGELOG.md 
@@ -10,6 +10,18 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.8.5 +### Chores +* **kspm-collector,node-analyzer** [201126cf](https://github.com/sysdiglabs/charts/commit/201126cf8abb51996ee001665c17545210058ff9): KSPM v1.34.0 ([#1422](https://github.com/sysdiglabs/charts/issues/1422)) +# v0.8.4 +### New Features +* **kspm-collector,node-analyzer** [660e610d](https://github.com/sysdiglabs/charts/commit/660e610d475cdac3b9d2c51da4af0a01abce31f6): add support for NATS_MAX_RECONNECT variable ([#1400](https://github.com/sysdiglabs/charts/issues/1400)) +# v0.8.3 +### Bug Fixes +* **kspm-collector,node-analyzer** [67f042fd](https://github.com/sysdiglabs/charts/commit/67f042fd9ebb72cd121751d46fb96f7c3ad539ba): add debug logs to cloud platform metadata loading ([#1398](https://github.com/sysdiglabs/charts/issues/1398)) +# v0.8.2 +### Bug Fixes +* **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) # v0.8.1 ### Bug Fixes * **common,agent,node-analyzer,kspm-collector** [0806635e](https://github.com/sysdiglabs/charts/commit/0806635e5824365adb8ab3d8fd31811477c8918e): support multi-level map in agent.tags ([#1351](https://github.com/sysdiglabs/charts/issues/1351)) 
@@ -99,7 +111,7 @@ exclusively to fix incorrect entries and not to add new ones. # v0.1.35 ### New Features * **kspm-collector** [d1328c0](https://github.com/sysdiglabs/charts/commit/d1328c02976901a64d91f4e86a2a26035045496c): bumped KSPM Collector to latest version ([#921](https://github.com/sysdiglabs/charts/issues/921)) -# v0.1.34 +# v0.1.33 ### Bug Fixes * **node-analyzer,kspm-collector** [59543e8](https://github.com/sysdiglabs/charts/commit/59543e8da45e1e61f21b2489500fe5452906bca0): Fix security context permission for KSPM components ([#907](https://github.com/sysdiglabs/charts/issues/907)) # v0.1.33 diff --git a/charts/kspm-collector/Chart.yaml b/charts/kspm-collector/Chart.yaml index 6db0b6f4a..24a7ee724 100644 --- a/charts/kspm-collector/Chart.yaml +++ b/charts/kspm-collector/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kspm-collector description: Sysdig KSPM collector -version: 0.8.1 -appVersion: 1.30.0 +version: 0.8.5 +appVersion: 1.34.0 keywords: - monitoring @@ -24,4 +24,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.2.1 + version: ~1.2.2 diff --git a/charts/kspm-collector/README.md b/charts/kspm-collector/README.md index 01261b25b..fefbf3b3f 100644 --- a/charts/kspm-collector/README.md +++ b/charts/kspm-collector/README.md 
@@ -27,58 +27,59 @@ To check the integrity and the origin of the charts you can now append the `--ve The following table lists the configurable parameters of the Sysdig KSPM Collector chart and their default values. -| Parameter | Description | Default | -| ------------------------------------------ | ------------------------------------------------------------ |-------------------------------------------------------------| -| `global.proxy.httpProxy` | Sets `HTTP_PROXY` on the KSPM collector containers. | `""` | -| `global.proxy.httpsProxy` | Sets `HTTPS_PROXY` on the KSPM collector containers. | `""` | -| `global.proxy.noProxy` | Sets `NO_PROXY` on the KSPM collector containers. | `""` | -| `global.sslVerifyCertificate` | Sets `NATS_INSECURE` environment variable on the KSPM collector containers. | | -| `global.kspm.deploy` | Enables Sysdig KSPM node analyzer & KSPM collector. | `true` | -| `global.image.pullSecrets` | Specifies the global pull secrets. | <code>[]</code> | -| `global.image.pullPolicy` | Specifies the global pull policy. | <code>`Always`</code> | -| `global.sysdig.tags` | The list of custom tags to be assigned to the components. | `{}` | -| `sysdig.accessKey` | Specifies your Sysdig Access Key. | ` ` Either accessKey or existingAccessKeySecret is required | -| `sysdig.existingAccessKeySecret` | Specifies the name of a Kubernetes secret containing an `access-key` entry. Alternative to using Sysdig Access Key. | ` ` Either accessKey or existingAccessKeySecret is required | -| `rbac.create` | If sets to true, RBAC resources will be created and used. | `true` | -| `serviceAccount.create` | Creates serviceAccount. | `true` | -| `serviceAccount.name` | The value you specify will be used as `serviceAccountName`. | `kspm-collector` | -| `clusterName` | Sets a unique cluster name. This name will be used to identify events using the `kubernetes.cluster.name` tag. | ` ` | -| `image.registry` | Specifies the KSPM collector image registry. 
| `quay.io` | -| `image.repository` | Specifies the image repository to pull from. | `sysdig/kspm-collector` | -| `image.tag` | Specifies the image tag to pull from the image repository. | `1.31.0` | -| `image.digest` | Specifies the image digest to pull from the image repository. | ` ` | -| `image.pullPolicy` | Specifies theImage pull policy. | `""` | -| `imagePullSecrets` | Specifies the Image pull secret. | `[]` | -| `replicas` | Specifies the KSPM collector deployment replicas. | `1` | -| `namespaces.included` | Specifies the namespaces to include in the KSPM collector scans. If left empty, all the namesapces will be scanned. | `` | -| `namespaces.excluded` | Specifies the namespaces to exclude in the KSPM collector scans. | `` | -| `nodeSelector` | Specifies the Node Selector. | `{}` | -| `workloads.included` | Specifies the workloads to include in the KSPM collector scans. If left empty, all the workloads will be scanned. | `` | -| `workloads.excluded` | Specifies the workloads to exclude in the KSPM collector scans. If left empty, all the workloads will be scanned. | `` | -| `healthIntervalMin` | Specifies the minutes interval for KSPM collector health status messages. | `5` | -| `resources.requests.cpu` | Specifies the KSPM collector CPU requests. | `150m` | -| `resources.requests.memory` | Specifies the KSPM collector memory requests. | `256Mi` | -| `resources.limits.cpu` | Specifies the KSPM collector CPU limits. | `500m` | -| `resources.limits.memory` | Specifies the KSPM collector memory limits | `1536Mi` | -| `priorityClassName` | Specifies the name of an existing PriorityClass for the KSPM collector to use. | `{}` | -| `apiEndpoint` | Specifies the API end point of the KSPM collector. | `""` | -| `httpProxy` | Specifies the proxy configuration variables. | | -| `httpsProxy` | Specifies the proxy configuration variables. | | -| `noProxy` | Specifies the proxy configuration variables. 
| | -| `sslVerifyCertificate` | Sets `NATS_INSECURE` env variable on the KSPM collector containers. | | -| `arch` | Specifies the allowed architectures for scheduling. | `[ amd64, arm64 ]` | -| `os` | Specifies the allowed operating systems for scheduling. | `[ linux ]` | -| `affinity` | Specifies the node affinities. Overrides `arch` and `os` values. | `{}` | -| `labels` | Specifies the KSPM collector specific labels as a multi-line templated string map or as YAML. | `{}` | -| `port` | Specifies the KSPM collector port for health checks. | `8080` | -| `psp.create` | Creates Pod Security Policy to allow the KSPM collector running in PSP-enabled clusters. | `true` | -| `readinessProbe.enabled` | Specifies whether KSPM collector readinessProbe is enabled or not. | `true` | -| `livenessProbe.enabled` | Specifies whether KSPM collector livenessProbe is enabled or not. | `true` | -| `scc.create` | Creates OpenShift's Security Context constraint. | `true` | -| `securityContext.runAsNonRoot` | Makes KSPM collector run as a non-root container. | `true` | -| `securityContext.runAsUser` | The user ID you specify will be used to run the KSPM collector. | `10001` | -| `securityContext.runAsGroup` | The group ID you specify will be used to run the KSPM collector. | `10001` | -| `securityContext.readOnlyRootFilesystem` | Changes the root file system of the KSPM collector to read only | `true` | -| `securityContext.allowPrivilegeEscalation` | Allows KSPM collector apps to gain priviledges stronger than their parent process. | `false` | -| `securityContext.capabilities.drop` | Specifies the Linux capabilities to be taken from KSPM collector. | `['all']` | -| `tolerations` | Specifies the tolerations for scheduling. 
| `kubernetes.io/arch=arm64:NoSchedule` | +| Parameter | Description | Default | +| ------------------------------------------ |--------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------| +| `global.proxy.httpProxy` | Sets `HTTP_PROXY` on the KSPM collector containers. | `""` | +| `global.proxy.httpsProxy` | Sets `HTTPS_PROXY` on the KSPM collector containers. | `""` | +| `global.proxy.noProxy` | Sets `NO_PROXY` on the KSPM collector containers. | `""` | +| `global.sslVerifyCertificate` | Sets `NATS_INSECURE` environment variable on the KSPM collector containers. | | +| `global.kspm.deploy` | Enables Sysdig KSPM node analyzer & KSPM collector. | `true` | +| `global.image.pullSecrets` | Specifies the global pull secrets. | <code>[]</code> | +| `global.image.pullPolicy` | Specifies the global pull policy. | <code>`Always`</code> | +| `global.sysdig.tags` | The list of custom tags to be assigned to the components. | `{}` | +| `sysdig.accessKey` | Specifies your Sysdig Access Key. | ` ` Either accessKey or existingAccessKeySecret is required | +| `sysdig.existingAccessKeySecret` | Specifies the name of a Kubernetes secret containing an `access-key` entry. Alternative to using Sysdig Access Key. | ` ` Either accessKey or existingAccessKeySecret is required | +| `rbac.create` | If sets to true, RBAC resources will be created and used. | `true` | +| `serviceAccount.create` | Creates serviceAccount. | `true` | +| `serviceAccount.name` | The value you specify will be used as `serviceAccountName`. | `kspm-collector` | +| `clusterName` | Sets a unique cluster name. This name will be used to identify events using the `kubernetes.cluster.name` tag. | ` ` | +| `image.registry` | Specifies the KSPM collector image registry. | `quay.io` | +| `image.repository` | Specifies the image repository to pull from. 
| `sysdig/kspm-collector` | +| `image.tag` | Specifies the image tag to pull from the image repository. | `1.34.0` | +| `image.digest` | Specifies the image digest to pull from the image repository. | ` ` | +| `image.pullPolicy` | Specifies theImage pull policy. | `""` | +| `imagePullSecrets` | Specifies the Image pull secret. | `[]` | +| `replicas` | Specifies the KSPM collector deployment replicas. | `1` | +| `namespaces.included` | Specifies the namespaces to include in the KSPM collector scans. If left empty, all the namesapces will be scanned. | `` | +| `namespaces.excluded` | Specifies the namespaces to exclude in the KSPM collector scans. | `` | +| `nodeSelector` | Specifies the Node Selector. | `{}` | +| `workloads.included` | Specifies the workloads to include in the KSPM collector scans. If left empty, all the workloads will be scanned. | `` | +| `workloads.excluded` | Specifies the workloads to exclude in the KSPM collector scans. If left empty, all the workloads will be scanned. | `` | +| `healthIntervalMin` | Specifies the minutes interval for KSPM collector health status messages. | `5` | +| `resources.requests.cpu` | Specifies the KSPM collector CPU requests. | `150m` | +| `resources.requests.memory` | Specifies the KSPM collector memory requests. | `256Mi` | +| `resources.limits.cpu` | Specifies the KSPM collector CPU limits. | `500m` | +| `resources.limits.memory` | Specifies the KSPM collector memory limits | `1536Mi` | +| `priorityClassName` | Specifies the name of an existing PriorityClass for the KSPM collector to use. | `{}` | +| `apiEndpoint` | Specifies the API end point of the KSPM collector. | `""` | +| `httpProxy` | Specifies the proxy configuration variables. | | +| `httpsProxy` | Specifies the proxy configuration variables. | | +| `noProxy` | Specifies the proxy configuration variables. | | +| `natsMaxReconnect` | Sets `natsMaxReconnect ` configuration variables. 
Set to '-1' for unlimited reconnect attempts to NATS, or leave empty for default (60 attempts).| `0` | +| `sslVerifyCertificate` | Sets `NATS_INSECURE` env variable on the KSPM collector containers. | | +| `arch` | Specifies the allowed architectures for scheduling. | `[ amd64, arm64 ]` | +| `os` | Specifies the allowed operating systems for scheduling. | `[ linux ]` | +| `affinity` | Specifies the node affinities. Overrides `arch` and `os` values. | `{}` | +| `labels` | Specifies the KSPM collector specific labels as a multi-line templated string map or as YAML. | `{}` | +| `port` | Specifies the KSPM collector port for health checks. | `8080` | +| `psp.create` | Creates Pod Security Policy to allow the KSPM collector running in PSP-enabled clusters. | `true` | +| `readinessProbe.enabled` | Specifies whether KSPM collector readinessProbe is enabled or not. | `true` | +| `livenessProbe.enabled` | Specifies whether KSPM collector livenessProbe is enabled or not. | `true` | +| `scc.create` | Creates OpenShift's Security Context constraint. | `true` | +| `securityContext.runAsNonRoot` | Makes KSPM collector run as a non-root container. | `true` | +| `securityContext.runAsUser` | The user ID you specify will be used to run the KSPM collector. | `10001` | +| `securityContext.runAsGroup` | The group ID you specify will be used to run the KSPM collector. | `10001` | +| `securityContext.readOnlyRootFilesystem` | Changes the root file system of the KSPM collector to read only | `true` | +| `securityContext.allowPrivilegeEscalation` | Allows KSPM collector apps to gain priviledges stronger than their parent process. | `false` | +| `securityContext.capabilities.drop` | Specifies the Linux capabilities to be taken from KSPM collector. | `['all']` | +| `tolerations` | Specifies the tolerations for scheduling. | `kubernetes.io/arch=arm64:NoSchedule` | diff --git a/charts/kspm-collector/RELEASE-NOTES.md b/charts/kspm-collector/RELEASE-NOTES.md index 72d99612c..1ec7b8252 100644 
--- a/charts/kspm-collector/RELEASE-NOTES.md +++ b/charts/kspm-collector/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed -### Bug Fixes -- **common,agent,node-analyzer,kspm-collector** [0806635e](https://github.com/sysdiglabs/charts/commit/0806635e5824365adb8ab3d8fd31811477c8918e): support multi-level map in agent.tags ([#1351](https://github.com/sysdiglabs/charts/issues/1351)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/kspm-collector-0.8.0...kspm-collector-0.8.1 +### Chores +- **kspm-collector,node-analyzer** [201126cf](https://github.com/sysdiglabs/charts/commit/201126cf8abb51996ee001665c17545210058ff9): KSPM v1.34.0 ([#1422](https://github.com/sysdiglabs/charts/issues/1422)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/kspm-collector-0.8.4...kspm-collector-0.8.5 diff --git a/charts/kspm-collector/templates/configmap.yaml b/charts/kspm-collector/templates/configmap.yaml index f7fcfb99f..4f2b15034 100644 --- a/charts/kspm-collector/templates/configmap.yaml +++ b/charts/kspm-collector/templates/configmap.yaml @@ -17,6 +17,7 @@ data: excluded_workloads: {{ .Values.workloads.excluded | quote }} health_interval_minutes: {{ .Values.healthIntervalMin | default 5 | quote }} external_nats_url: {{ include "kspmCollector.natsUrl" . }} + nats_max_reconnect: {{ .Values.natsMaxReconnect | default 0 | quote }} cluster_name: {{ required "A valid clusterName is required" (include "kspmCollector.clusterName" .) }} nats_insecure: {{ include "kspmCollector.natsInsecure" . }} {{- if (.Values.httpProxy | default .Values.global.proxy.httpProxy) }} diff --git a/charts/kspm-collector/templates/deployment.yaml b/charts/kspm-collector/templates/deployment.yaml index 485bc9a48..979206e58 100644 --- a/charts/kspm-collector/templates/deployment.yaml +++ b/charts/kspm-collector/templates/deployment.yaml 
@@ -159,6 +159,12 @@ spec: key: nats_insecure name: {{ template "kspmCollector.fullname" . }} optional: true + - name: NATS_MAX_RECONNECT + valueFrom: + configMapKeyRef: + key: nats_max_reconnect + name: {{ template "kspmCollector.fullname" . }} + optional: true - name: AGENT_PORT valueFrom: configMapKeyRef: diff --git a/charts/kspm-collector/values.yaml b/charts/kspm-collector/values.yaml index 268880ce1..899c5e15d 100644 --- a/charts/kspm-collector/values.yaml +++ b/charts/kspm-collector/values.yaml @@ -5,6 +5,7 @@ httpProxy: httpsProxy: noProxy: sslVerifyCertificate: +natsMaxReconnect: 0 # Namespace to deploy to (Optional: Will default to release namespace) namespace: @@ -76,7 +77,7 @@ clusterName: "" image: repository: sysdig/kspm-collector - tag: 1.31.0 + tag: 1.34.0 digest: registry: quay.io pullPolicy: diff --git a/charts/node-analyzer/CHANGELOG.md b/charts/node-analyzer/CHANGELOG.md index 7c49f5d6d..01b1777ea 100644 --- a/charts/node-analyzer/CHANGELOG.md +++ b/charts/node-analyzer/CHANGELOG.md 
@@ -10,6 +10,30 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.17.12 +### Chores +* **kspm-collector,node-analyzer** [201126cf](https://github.com/sysdiglabs/charts/commit/201126cf8abb51996ee001665c17545210058ff9): KSPM v1.34.0 ([#1422](https://github.com/sysdiglabs/charts/issues/1422)) +# v1.17.11 +### Chores +* **node-analyzer** [a589d167](https://github.com/sysdiglabs/charts/commit/a589d16767394384bbc50eac4049b96d82d99355): bump sysdig/vuln-host-scanner to v0.6.5 ([#1420](https://github.com/sysdiglabs/charts/issues/1420)) + + * * Hostscanner bumped to 0.6.5 + * Fixed a bug that could cause the host-scanner go in crash loop backoff due to a missing timeout when retrieving AWS labels +# v1.17.10 +### New Features +* **node-analyzer** [02c55d84](https://github.com/sysdiglabs/charts/commit/02c55d84b746c0d136b0818d4d29df077c5576e5): enable DB V2 by default in Host and Runtime scanner ([#1416](https://github.com/sysdiglabs/charts/issues/1416)) +# v1.17.9 +### Chores +* **sysdig, node-analyzer** [84cfe9a5](https://github.com/sysdiglabs/charts/commit/84cfe9a5e6f989a9a42b14b3d16597436f23b4b1): update legacy nodeImageAnalyzer (0.1.29) and hostImageAnalyzer (0.1.17) ([#1407](https://github.com/sysdiglabs/charts/issues/1407)) +# v1.17.8 +### New Features +* **kspm-collector,node-analyzer** [660e610d](https://github.com/sysdiglabs/charts/commit/660e610d475cdac3b9d2c51da4af0a01abce31f6): add support for NATS_MAX_RECONNECT variable ([#1400](https://github.com/sysdiglabs/charts/issues/1400)) +# v1.17.7 +### Bug Fixes +* **kspm-collector,node-analyzer** [67f042fd](https://github.com/sysdiglabs/charts/commit/67f042fd9ebb72cd121751d46fb96f7c3ad539ba): add debug logs to cloud platform metadata loading ([#1398](https://github.com/sysdiglabs/charts/issues/1398)) +# v1.17.6 +### Bug Fixes +* 
**common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) # v1.17.5 ### Chores * **node-analyzer** [a66360df](https://github.com/sysdiglabs/charts/commit/a66360dfbd00f1d82ab5da6f8b70a5e1d77440cf): remove broken link from values.yaml ([#1370](https://github.com/sysdiglabs/charts/issues/1370)) diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml index d3c807683..6eed856db 100644 --- a/charts/node-analyzer/Chart.yaml +++ b/charts/node-analyzer/Chart.yaml @@ -3,7 +3,7 @@ name: node-analyzer description: Sysdig Node Analyzer # currently matching Sysdig's appVersion 1.14.34 -version: 1.17.5 +version: 1.17.12 appVersion: 12.8.0 keywords: - monitoring @@ -26,4 +26,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.2.1 + version: ~1.2.2 diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md index 56231825c..111ac0c84 100644 --- a/charts/node-analyzer/README.md +++ b/charts/node-analyzer/README.md 
@@ -98,136 +98,137 @@ To check the integrity and the origin of the charts, append the `--verify` flag The following table lists the configurable parameters of the Sysdig Node Analyzer chart and their default values. -| Parameter | Description | Default | -|----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `global.sysdig.region` | The region where Sysdig Secure is deployed. Valid options are`us1`, `us2`, `us3`, `us4`, `eu1`, `au1`, `custom`. | `us1` | -| `global.sysdig.tags` | The list of custom tags to be assigned to the components. | `{}` | -| `global.proxy.httpProxy` | Sets `HTTP_PROXY` on the Node Analyzer containers. | `""` | -| `global.proxy.httpsProxy` | Sets `HTTPS_PROXY` on the Node Analyzer containers. | `""` | -| `global.proxy.noProxy` | Sets `NO_PROXY` on the Node Analyzer containers. | `""` | -| `global.kspm.deploy` | Enables Sysdig KSPM node analyzer and KSPM collector. | `false` | -| `global.gke.autopilot` | If true,the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | -| `global.image.pullSecrets` | Sets the global pull secrets. | <code>[]</code> | -| `global.image.pullPolicy` | Sets the global pull policy. | <code>`IfNotPresent`</code> | -| `image.registry` | Sets the Sysdig Agent image registry. | `quay.io` | -| `gke.autopilot` | If true, the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | -| `rbac.create` | If true, RBAC resources will be created and used. | `true` | -| `scc.create` | Creates OpenShift's Security Context constraint. | `true` | -| `psp.create` | Creates Pod Security Policy to allow the agent running in clusters with PSP enabled. 
| `true` | -| `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. | ` ` | -| `namespace` | Overrides the global namespace setting and release namespace for components. | ` ` | -| `sysdig.accessKey` | Sets your Sysdig Agent Access Key. Either `accessKey` or `existingAccessKeySecret` is required. | | -| `sysdig.existingAccessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. Either `accessKey` or `existingAccessKeySecret` is required. | | -| `secure.enabled` | Enables Sysdig Secure. | `true` | -| `secure.vulnerabilityManagement.newEngineOnly` | Enables only the new vulnerability management engine. | `false` | -| `daemonset.annotations` | Sets custom annotations for the DaemonSet. | `{}` | -| `daemonset.labels` | Sets NodeAnalyzer-specific labels as a multi-line templated string map or as YAML. | `{}` | -| `daemonset.updateStrategy.type` | Sets the updateStrategy for updating the DaemonSet. | RollingUpdate | -| `daemonset.updateStrategy.rollingUpdate.maxUnavailable` | Sets the maximum number of pods that can be unavailable during the update process. | 1 | -| `daemonset.updateStrategy.rollingUpdate.maxSurge` | Sets the maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update. | `` | -| `nodeAnalyzer.deploy` | Deploys the Node Analyzer. | `true` | -| `nodeAnalyzer.apiEndpoint` | Specifies the Sysdig secure API endpoint, without the protocol. `secure.sysdig.com` | ` ` | -| `nodeAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | -| `nodeAnalyzer.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. 
| | -| `nodeAnalyzer.createPriorityClass` | Specify whether or not to create a priority class for the node analyzer components | `false` | -| `nodeAnalyzer.priorityClassName` | Sets the priority class name variable. | `` | -| `nodeAnalyzer.priorityClassValue` | Sets the priority class value for the node analyzer daemonset. | `` | -| `nodeAnalyzer.httpProxy` | Sets the HTTP proxy configuration variables. | | -| `nodeAnalyzer.httpsProxy` | Sets the HTTPS proxy configuration variables. | | -| `nodeAnalyzer.noProxy` | Sets `noProxy ` configuration variables. | | -| `nodeAnalyzer.pullSecrets` | Sets the image pull secrets for the Node Analyzer containers. | `nil` | -| `nodeAnalyzer.extraVolumes.volumes` | Specifies additional volumes to mount in the Node Analyzer. For example, docker socket. | `[]` | -| `nodeAnalyzer.imageAnalyzer.deploy` | Deploys the Image Analyzer. | `true` | -| `nodeAnalyzer.imageAnalyzer.image.repository` | Sets the image repository to pull the Node Image Analyzer from. | `sysdig/node-image-analyzer` | -| `nodeAnalyzer.imageAnalyzer.image.tag` | Sets the image tag for the Node Image Analyzer to be pulled. | `0.1.28` | -| `nodeAnalyzer.imageAnalyzer.image.digest` | Sets the image digest to pull. | ` ` | -| `nodeAnalyzer.imageAnalyzer.image.pullPolicy` | Sets the Image pull policy for the Node Image Analyzer. | `""` | -| `nodeAnalyzer.imageAnalyzer.dockerSocketPath` | Specifies the Docker socket path. | | -| `nodeAnalyzer.imageAnalyzer.criSocketPath` | Specifies the socket path to a CRI compatible runtime, such as CRI-O. | | -| `nodeAnalyzer.imageAnalyzer.containerdSocketPath` | Specifies the socket path to a CRI-Containerd daemon. | | -| `nodeAnalyzer.imageAnalyzer.extraVolumes.volumes` (Deprecated) | Specifies additional volumes to mount in the Node Image Analyzer. For example, docker socket. | `[]` | -| `nodeAnalyzer.imageAnalyzer.extraVolumes.mounts` | Specifies the mount points for additional volumes. 
| `[]` | -| `nodeAnalyzer.imageAnalyzer.resources.requests.cpu` | Specifies the Node Image Analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.imageAnalyzer.resources.requests.memory` | Specifies the Node Image Analyzer Memory requests per node. | `512Mi` | -| `nodeAnalyzer.imageAnalyzer.resources.limits.cpu` | Specifies the Node Image Analyzer CPU limit per node. | `500m` | -| `nodeAnalyzer.imageAnalyzer.resources.limits.memory` | Specifies the Node Image Analyzer Memory limit per node. | `1536Mi` | -| `nodeAnalyzer.imageAnalyzer.env` | Specifies the Extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.hostAnalyzer.deploy` | Deploys the Host Analyzer. | `true` | -| `nodeAnalyzer.hostAnalyzer.image.repository` | Specifies the image repository to pull the Host Analyzer from. | `sysdig/host-analyzer` | -| `nodeAnalyzer.hostAnalyzer.image.tag` | Set the image tag to pull the Host Analyzer. | `0.1.16` | -| `nodeAnalyzer.hostAnalyzer.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.hostAnalyzer.image.pullPolicy` | Specifies the Image pull policy for the Host Analyzer. | `""` | -| `nodeAnalyzer.hostAnalyzer.schedule` | Specifies the scanning schedule specification for the host analyzer expressed as a crontab. | `@dailydefault` | -| `nodeAnalyzer.hostAnalyzer.dirsToScan` | Specifies the list of directories to inspect during the scan. | `/etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db` | -| `nodeAnalyzer.hostAnalyzer.maxSendAttempts` | Specifies the number of times the analysis collector is allowed to retry sending results. | `3` | -| `nodeAnalyzer.hostAnalyzer.resources.requests.cpu` | Specifies the Host Analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.hostAnalyzer.resources.requests.memory` | Specifies the Host Analyzer Memory requests per node. | `512Mi` | -| `nodeAnalyzer.hostAnalyzer.resources.limits.cpu` | Specifies the Host Analyzer CPU limit per node. 
| `500m` | -| `nodeAnalyzer.hostAnalyzer.resources.limits.memory` | Specifies the Host Analyzer memory limit per node. | `1536Mi` | -| `nodeAnalyzer.hostAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.benchmarkRunner.deploy` | Deploys the Benchmark Runner. | `true` | -| `nodeAnalyzer.benchmarkRunner.image.repository` | Specifies the image repository to pull the Benchmark Runner from. | `sysdig/compliance-benchmark-runner` | -| `nodeAnalyzer.benchmarkRunner.image.tag` | Specifies the image tag for the Benchmark Runner to be pulled. | `1.1.0.9` | -| `nodeAnalyzer.benchmarkRunner.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.benchmarkRunner.image.pullPolicy` | Specifies the image pull policy for the Benchmark Runner. | `""` | -| `nodeAnalyzer.benchmarkRunner.includeSensitivePermissions` | Grant the service account elevated permissions to run CIS Benchmark for OS4. | `false` | -| `nodeAnalyzer.benchmarkRunner.resources.requests.cpu` | Specifies the Benchmark Runner CPU requests per node. | `150m` | -| `nodeAnalyzer.benchmarkRunner.resources.requests.memory` | Specifies the Benchmark Runner memory requests per node. | `128Mi` | -| `nodeAnalyzer.benchmarkRunner.resources.limits.cpu` | Specifies the Benchmark Runner CPU limit per node. | `500m` | -| `nodeAnalyzer.benchmarkRunner.resources.limits.memory` | Specifies the Benchmark Runner memory limit per node. | `256Mi` | -| `nodeAnalyzer.benchmarkRunner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.hostScanner.deploy` | Deploys the Host Scanner. | unset | -| `nodeAnalyzer.hostScanner.dirsToScan` | Specifies the list of directories to inspect during the scan. 
| `/etc,/var/lib/dpkg,/var/lib/rpm,/lib/apk/db,/bin,/sbin,/usr/bin,/usr/sbin,/usr/share,/usr/local,/usr/lib,/usr/lib64,/var/lib/google,/var/lib/toolbox,/var/lib/cloud` | -| `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` | -| `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` | -| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.5.2` | -| `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` | -| `nodeAnalyzer.hostScanner.resources.requests.cpu` | Specifies the Host Scanner CPU requests per node. | `150m` | -| `nodeAnalyzer.hostScanner.resources.requests.memory` | Specifies the Host Scanner memory requests per node. | `512Mi` | -| `nodeAnalyzer.hostScanner.resources.requests.ephemeral-storage` | Specifies the Host Scanner Storage requests per node. | `512Mi` | -| `nodeAnalyzer.hostScanner.resources.limits.cpu` | Specifies the Host Scanner CPU limit per node. | `500m` | -| `nodeAnalyzer.hostScanner.resources.limits.memory` | Specifies the Host Scanner memory limit per node. | `1Gi` | -| `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. | `1Gi` | -| `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` | -| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` | -| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). 
| | -| `nodeAnalyzer.runtimeScanner.storageClassName` | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` | -| `nodeAnalyzer.runtimeScanner.image.repository` | Specifies the image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` | -| `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.5.7` | -| `nodeAnalyzer.runtimeScanner.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.runtimeScanner.image.pullPolicy` | Specifies the image pull policy for the Runtime Scanner. | `""` | -| `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Specifies the Runtime Scanner CPU requests per node. | `150m` | -| `nodeAnalyzer.runtimeScanner.resources.requests.memory` | Specifies the Runtime Scanner Memory requests per node. | `512Mi` | -| `nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage` | Specifies the Runtime Scanner Storage requests per node. | `2Gi` | -| `nodeAnalyzer.runtimeScanner.resources.limits.cpu` | Specifies the Runtime Scanner CPU limit per node. | `1000m` | -| `nodeAnalyzer.runtimeScanner.resources.limits.memory` | Specifies the Runtime Scanner memory limit per node. | `2Gi` | -| `nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage` | Specifies the Runtime Scanner Storage limit per node. | `4Gi` | -| `nodeAnalyzer.runtimeScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.runtimeScanner.settings.eveEnabled` | Enables Sysdig Eve | `false` | -| `nodeAnalyzer.runtimeScanner.eveConnector.image.repository` | Specifies the image repository to pull the Eve Connector from. | `sysdig/eveclient-api` | -| `nodeAnalyzer.runtimeScanner.eveConnector.image.tag` | Specifies the image tag for the Eve Connector to be pulled. | `1.1.0` | -| `nodeAnalyzer.runtimeScanner.eveConnector.deploy` | Enables Sysdig Eve Connector for third-party integrations. 
| `false` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu` | Specifies the Eve Connector CPU requests per node. | `100m` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory` | Specifies the Eve Connector memory requests per node. | `128Mi` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu` | Specifies the Eve Connector CPU limits per node. | `1000m` | -| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory` | Specifies the Eve Connector Memory limits per node. | `512Mi` | -| `nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas` | Specifies the Eve Connector deployment replicas. | `1` | -| `nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName` | Specifies the name of an existing PriorityClass to use for the Eve Connector Deployment. | `{}` | -| `nodeAnalyzer.tolerations` | Specifies the tolerations for scheduling. | <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> | -| `nodeAnalyzer.kspmAnalyzer.debug` | Set to true to show KSPM node analyzer debug logging, which is useful for troubleshooting. | `false` | -| `nodeAnalyzer.kspmAnalyzer.image.repository` | Specifies the image repository to pull the KSPM node analyzer from. | `sysdig/kspm-analyzer` | -| `nodeAnalyzer.kspmAnalyzer.image.tag` | Specifies the image tag for the KSPM node analyzer image to be pulled. | `1.32.0` | -| `nodeAnalyzer.kspmAnalyzer.image.digest` | Specifies the image digest to pull. | ` ` | -| `nodeAnalyzer.kspmAnalyzer.image.pullPolicy` | Specifies the The image pull policy for the KSPM node analyzer. | `""` | -| `nodeAnalyzer.kspmAnalyzer.resources.requests.cpu` | Specifies the KSPM node analyzer CPU requests per node. | `150m` | -| `nodeAnalyzer.kspmAnalyzer.resources.requests.memory` | Specifies the KSPM node analyzer memory requests per node. 
| `256Mi` | -| `nodeAnalyzer.kspmAnalyzer.resources.limits.cpu` | Specifies the KSPM node analyzer CPU limits per node. | `500m` | -| `nodeAnalyzer.kspmAnalyzer.resources.limits.memory` | Specifies the KSPM node analyzer memory limits per node. | `1536Mi` | -| `nodeAnalyzer.kspmAnalyzer.port` | Specifies the KSPM node analyzer port for health checks and results API. | `12000` | -| `nodeAnalyzer.kspmAnalyzer.readinessProbe.enabled` | Specifies whether KSPM node analyzer readinessProbe is enabled or not. | `true` | -| `nodeAnalyzer.kspmAnalyzer.livenessProbe.enabled` | Specifies whether the KSPM node analyzer livenessProbe is enabled or not. | `true` | -| `nodeAnalyzer.kspmAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | -| `nodeAnalyzer.nodeSelector` | Specifies the Node Selector. | `{}` | -| `nodeAnalyzer.affinity` | Specifies the Node affinities. | `schedule on amd64 and linux` | +| Parameter | Description | Default | +|----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `global.sysdig.region` | The region where Sysdig Secure is deployed. Valid options are`us1`, `us2`, `us3`, `us4`, `eu1`, `au1`, `custom`. | `us1` | +| `global.sysdig.tags` | The list of custom tags to be assigned to the components. | `{}` | +| `global.proxy.httpProxy` | Sets `HTTP_PROXY` on the Node Analyzer containers. | `""` | +| `global.proxy.httpsProxy` | Sets `HTTPS_PROXY` on the Node Analyzer containers. | `""` | +| `global.proxy.noProxy` | Sets `NO_PROXY` on the Node Analyzer containers. 
| `""` | +| `global.kspm.deploy` | Enables Sysdig KSPM node analyzer and KSPM collector. | `false` | +| `global.gke.autopilot` | If true,the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | +| `global.image.pullSecrets` | Sets the global pull secrets. | <code>[]</code> | +| `global.image.pullPolicy` | Sets the global pull policy. | <code>`IfNotPresent`</code> | +| `image.registry` | Sets the Sysdig Agent image registry. | `quay.io` | +| `gke.autopilot` | If true, the agent configuration will be overridden to run on GKE Autopilot clusters. | `false` | +| `rbac.create` | If true, RBAC resources will be created and used. | `true` | +| `scc.create` | Creates OpenShift's Security Context constraint. | `true` | +| `psp.create` | Creates Pod Security Policy to allow the agent running in clusters with PSP enabled. | `true` | +| `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. | ` ` | +| `namespace` | Overrides the global namespace setting and release namespace for components. | ` ` | +| `sysdig.accessKey` | Sets your Sysdig Agent Access Key. Either `accessKey` or `existingAccessKeySecret` is required. | | +| `sysdig.existingAccessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. Either `accessKey` or `existingAccessKeySecret` is required. | | +| `secure.enabled` | Enables Sysdig Secure. | `true` | +| `secure.vulnerabilityManagement.newEngineOnly` | Enables only the new vulnerability management engine. | `false` | +| `daemonset.annotations` | Sets custom annotations for the DaemonSet. | `{}` | +| `daemonset.labels` | Sets NodeAnalyzer-specific labels as a multi-line templated string map or as YAML. | `{}` | +| `daemonset.updateStrategy.type` | Sets the updateStrategy for updating the DaemonSet. 
| RollingUpdate | +| `daemonset.updateStrategy.rollingUpdate.maxUnavailable` | Sets the maximum number of pods that can be unavailable during the update process. | 1 | +| `daemonset.updateStrategy.rollingUpdate.maxSurge` | Sets the maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update. | `` | +| `nodeAnalyzer.deploy` | Deploys the Node Analyzer. | `true` | +| `nodeAnalyzer.apiEndpoint` | Specifies the Sysdig secure API endpoint, without the protocol. `secure.sysdig.com` | ` ` | +| `nodeAnalyzer.sslVerifyCertificate` | Set to `false` to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | | +| `nodeAnalyzer.debug` | Set to `true` to show debug logging, which is useful for troubleshooting. | | +| `nodeAnalyzer.createPriorityClass` | Specify whether or not to create a priority class for the node analyzer components | `false` | +| `nodeAnalyzer.priorityClassName` | Sets the priority class name variable. | `` | +| `nodeAnalyzer.priorityClassValue` | Sets the priority class value for the node analyzer daemonset. | `` | +| `nodeAnalyzer.httpProxy` | Sets the HTTP proxy configuration variables. | | +| `nodeAnalyzer.httpsProxy` | Sets the HTTPS proxy configuration variables. | | +| `nodeAnalyzer.noProxy` | Sets `noProxy ` configuration variables. | | +| `nodeAnalyzer.natsMaxReconnect` | Sets `natsMaxReconnect ` configuration variables. Set to `-1` for unlimited reconnect attempts to NATS, or leave empty for default (60 attempts). | `0` | +| `nodeAnalyzer.pullSecrets` | Sets the image pull secrets for the Node Analyzer containers. | `nil` | +| `nodeAnalyzer.extraVolumes.volumes` | Specifies additional volumes to mount in the Node Analyzer. For example, docker socket. | `[]` | +| `nodeAnalyzer.imageAnalyzer.deploy` | Deploys the Image Analyzer. | `true` | +| `nodeAnalyzer.imageAnalyzer.image.repository` | Sets the image repository to pull the Node Image Analyzer from. 
| `sysdig/node-image-analyzer` | +| `nodeAnalyzer.imageAnalyzer.image.tag` | Sets the image tag for the Node Image Analyzer to be pulled. | `0.1.29` | +| `nodeAnalyzer.imageAnalyzer.image.digest` | Sets the image digest to pull. | ` ` | +| `nodeAnalyzer.imageAnalyzer.image.pullPolicy` | Sets the Image pull policy for the Node Image Analyzer. | `""` | +| `nodeAnalyzer.imageAnalyzer.dockerSocketPath` | Specifies the Docker socket path. | | +| `nodeAnalyzer.imageAnalyzer.criSocketPath` | Specifies the socket path to a CRI compatible runtime, such as CRI-O. | | +| `nodeAnalyzer.imageAnalyzer.containerdSocketPath` | Specifies the socket path to a CRI-Containerd daemon. | | +| `nodeAnalyzer.imageAnalyzer.extraVolumes.volumes` (Deprecated) | Specifies additional volumes to mount in the Node Image Analyzer. For example, docker socket. | `[]` | +| `nodeAnalyzer.imageAnalyzer.extraVolumes.mounts` | Specifies the mount points for additional volumes. | `[]` | +| `nodeAnalyzer.imageAnalyzer.resources.requests.cpu` | Specifies the Node Image Analyzer CPU requests per node. | `150m` | +| `nodeAnalyzer.imageAnalyzer.resources.requests.memory` | Specifies the Node Image Analyzer Memory requests per node. | `512Mi` | +| `nodeAnalyzer.imageAnalyzer.resources.limits.cpu` | Specifies the Node Image Analyzer CPU limit per node. | `500m` | +| `nodeAnalyzer.imageAnalyzer.resources.limits.memory` | Specifies the Node Image Analyzer Memory limit per node. | `1536Mi` | +| `nodeAnalyzer.imageAnalyzer.env` | Specifies the Extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.hostAnalyzer.deploy` | Deploys the Host Analyzer. | `true` | +| `nodeAnalyzer.hostAnalyzer.image.repository` | Specifies the image repository to pull the Host Analyzer from. | `sysdig/host-analyzer` | +| `nodeAnalyzer.hostAnalyzer.image.tag` | Set the image tag to pull the Host Analyzer. | `0.1.17` | +| `nodeAnalyzer.hostAnalyzer.image.digest` | Specifies the image digest to pull. 
| ` ` | +| `nodeAnalyzer.hostAnalyzer.image.pullPolicy` | Specifies the Image pull policy for the Host Analyzer. | `""` | +| `nodeAnalyzer.hostAnalyzer.schedule` | Specifies the scanning schedule specification for the host analyzer expressed as a crontab. | `@dailydefault` | +| `nodeAnalyzer.hostAnalyzer.dirsToScan` | Specifies the list of directories to inspect during the scan. | `/etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db` | +| `nodeAnalyzer.hostAnalyzer.maxSendAttempts` | Specifies the number of times the analysis collector is allowed to retry sending results. | `3` | +| `nodeAnalyzer.hostAnalyzer.resources.requests.cpu` | Specifies the Host Analyzer CPU requests per node. | `150m` | +| `nodeAnalyzer.hostAnalyzer.resources.requests.memory` | Specifies the Host Analyzer Memory requests per node. | `512Mi` | +| `nodeAnalyzer.hostAnalyzer.resources.limits.cpu` | Specifies the Host Analyzer CPU limit per node. | `500m` | +| `nodeAnalyzer.hostAnalyzer.resources.limits.memory` | Specifies the Host Analyzer memory limit per node. | `1536Mi` | +| `nodeAnalyzer.hostAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.benchmarkRunner.deploy` | Deploys the Benchmark Runner. | `true` | +| `nodeAnalyzer.benchmarkRunner.image.repository` | Specifies the image repository to pull the Benchmark Runner from. | `sysdig/compliance-benchmark-runner` | +| `nodeAnalyzer.benchmarkRunner.image.tag` | Specifies the image tag for the Benchmark Runner to be pulled. | `1.1.0.9` | +| `nodeAnalyzer.benchmarkRunner.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.benchmarkRunner.image.pullPolicy` | Specifies the image pull policy for the Benchmark Runner. | `""` | +| `nodeAnalyzer.benchmarkRunner.includeSensitivePermissions` | Grant the service account elevated permissions to run CIS Benchmark for OS4. 
| `false` | +| `nodeAnalyzer.benchmarkRunner.resources.requests.cpu` | Specifies the Benchmark Runner CPU requests per node. | `150m` | +| `nodeAnalyzer.benchmarkRunner.resources.requests.memory` | Specifies the Benchmark Runner memory requests per node. | `128Mi` | +| `nodeAnalyzer.benchmarkRunner.resources.limits.cpu` | Specifies the Benchmark Runner CPU limit per node. | `500m` | +| `nodeAnalyzer.benchmarkRunner.resources.limits.memory` | Specifies the Benchmark Runner memory limit per node. | `256Mi` | +| `nodeAnalyzer.benchmarkRunner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.hostScanner.deploy` | Deploys the Host Scanner. | unset | +| `nodeAnalyzer.hostScanner.dirsToScan` | Specifies the list of directories to inspect during the scan. | `/etc,/var/lib/dpkg,/var/lib/rpm,/lib/apk/db,/bin,/sbin,/usr/bin,/usr/sbin,/usr/share,/usr/local,/usr/lib,/usr/lib64,/var/lib/google,/var/lib/toolbox,/var/lib/cloud` | +| `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` | +| `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` | +| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.6.5` | +| `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` | +| `nodeAnalyzer.hostScanner.resources.requests.cpu` | Specifies the Host Scanner CPU requests per node. | `150m` | +| `nodeAnalyzer.hostScanner.resources.requests.memory` | Specifies the Host Scanner memory requests per node. 
| `512Mi` | +| `nodeAnalyzer.hostScanner.resources.requests.ephemeral-storage` | Specifies the Host Scanner Storage requests per node. | `512Mi` | +| `nodeAnalyzer.hostScanner.resources.limits.cpu` | Specifies the Host Scanner CPU limit per node. | `500m` | +| `nodeAnalyzer.hostScanner.resources.limits.memory` | Specifies the Host Scanner memory limit per node. | `1Gi` | +| `nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage` | Specifies the Host Scanner Storage limit per node. | `1Gi` | +| `nodeAnalyzer.hostScanner.probesPort` | Specifies the port where readiness and liveness probes are exposed. | `7001` | +| `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` | +| `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | | +| `nodeAnalyzer.runtimeScanner.storageClassName` | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` | +| `nodeAnalyzer.runtimeScanner.image.repository` | Specifies the image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` | +| `nodeAnalyzer.runtimeScanner.image.tag` | Specifies the image tag to pull the Runtime Scanner. | `1.6.2` | +| `nodeAnalyzer.runtimeScanner.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.runtimeScanner.image.pullPolicy` | Specifies the image pull policy for the Runtime Scanner. | `""` | +| `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Specifies the Runtime Scanner CPU requests per node. | `150m` | +| `nodeAnalyzer.runtimeScanner.resources.requests.memory` | Specifies the Runtime Scanner Memory requests per node. | `512Mi` | +| `nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage` | Specifies the Runtime Scanner Storage requests per node. | `2Gi` | +| `nodeAnalyzer.runtimeScanner.resources.limits.cpu` | Specifies the Runtime Scanner CPU limit per node. 
| `1000m` | +| `nodeAnalyzer.runtimeScanner.resources.limits.memory` | Specifies the Runtime Scanner memory limit per node. | `2Gi` | +| `nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage` | Specifies the Runtime Scanner Storage limit per node. | `4Gi` | +| `nodeAnalyzer.runtimeScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.runtimeScanner.settings.eveEnabled` | Enables Sysdig Eve | `false` | +| `nodeAnalyzer.runtimeScanner.eveConnector.image.repository` | Specifies the image repository to pull the Eve Connector from. | `sysdig/eveclient-api` | +| `nodeAnalyzer.runtimeScanner.eveConnector.image.tag` | Specifies the image tag for the Eve Connector to be pulled. | `1.1.0` | +| `nodeAnalyzer.runtimeScanner.eveConnector.deploy` | Enables Sysdig Eve Connector for third-party integrations. | `false` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu` | Specifies the Eve Connector CPU requests per node. | `100m` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory` | Specifies the Eve Connector memory requests per node. | `128Mi` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu` | Specifies the Eve Connector CPU limits per node. | `1000m` | +| `nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory` | Specifies the Eve Connector Memory limits per node. | `512Mi` | +| `nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas` | Specifies the Eve Connector deployment replicas. | `1` | +| `nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName` | Specifies the name of an existing PriorityClass to use for the Eve Connector Deployment. | `{}` | +| `nodeAnalyzer.tolerations` | Specifies the tolerations for scheduling. 
| <pre>node-role.kubernetes.io/master:NoSchedule,<br>node-role.kubernetes.io/control-plane:NoSchedule</pre> | +| `nodeAnalyzer.kspmAnalyzer.debug` | Set to true to show KSPM node analyzer debug logging, which is useful for troubleshooting. | `false` | +| `nodeAnalyzer.kspmAnalyzer.image.repository` | Specifies the image repository to pull the KSPM node analyzer from. | `sysdig/kspm-analyzer` | +| `nodeAnalyzer.kspmAnalyzer.image.tag` | Specifies the image tag for the KSPM node analyzer image to be pulled. | `1.35.0` | +| `nodeAnalyzer.kspmAnalyzer.image.digest` | Specifies the image digest to pull. | ` ` | +| `nodeAnalyzer.kspmAnalyzer.image.pullPolicy` | Specifies the The image pull policy for the KSPM node analyzer. | `""` | +| `nodeAnalyzer.kspmAnalyzer.resources.requests.cpu` | Specifies the KSPM node analyzer CPU requests per node. | `150m` | +| `nodeAnalyzer.kspmAnalyzer.resources.requests.memory` | Specifies the KSPM node analyzer memory requests per node. | `256Mi` | +| `nodeAnalyzer.kspmAnalyzer.resources.limits.cpu` | Specifies the KSPM node analyzer CPU limits per node. | `500m` | +| `nodeAnalyzer.kspmAnalyzer.resources.limits.memory` | Specifies the KSPM node analyzer memory limits per node. | `1536Mi` | +| `nodeAnalyzer.kspmAnalyzer.port` | Specifies the KSPM node analyzer port for health checks and results API. | `12000` | +| `nodeAnalyzer.kspmAnalyzer.readinessProbe.enabled` | Specifies whether KSPM node analyzer readinessProbe is enabled or not. | `true` | +| `nodeAnalyzer.kspmAnalyzer.livenessProbe.enabled` | Specifies whether the KSPM node analyzer livenessProbe is enabled or not. | `true` | +| `nodeAnalyzer.kspmAnalyzer.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` | +| `nodeAnalyzer.nodeSelector` | Specifies the Node Selector. | `{}` | +| `nodeAnalyzer.affinity` | Specifies the Node affinities. | `schedule on amd64 and linux` | 
diff --git a/charts/node-analyzer/RELEASE-NOTES.md b/charts/node-analyzer/RELEASE-NOTES.md index df427484a..0b7595be1 100644 --- a/charts/node-analyzer/RELEASE-NOTES.md +++ b/charts/node-analyzer/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed ### Chores -- **node-analyzer** [a66360df](https://github.com/sysdiglabs/charts/commit/a66360dfbd00f1d82ab5da6f8b70a5e1d77440cf): remove broken link from values.yaml ([#1370](https://github.com/sysdiglabs/charts/issues/1370)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/node-analyzer-1.17.4...node-analyzer-1.17.5 +- **kspm-collector,node-analyzer** [201126cf](https://github.com/sysdiglabs/charts/commit/201126cf8abb51996ee001665c17545210058ff9): KSPM v1.34.0 ([#1422](https://github.com/sysdiglabs/charts/issues/1422)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/node-analyzer-1.17.11...node-analyzer-1.17.12 diff --git a/charts/node-analyzer/templates/configmap-host-scanner.yaml b/charts/node-analyzer/templates/configmap-host-scanner.yaml index cb0046123..374eae283 100644 --- a/charts/node-analyzer/templates/configmap-host-scanner.yaml +++ b/charts/node-analyzer/templates/configmap-host-scanner.yaml @@ -36,4 +36,7 @@ data: {{- if (.Values.nodeAnalyzer.noProxy | default .Values.global.proxy.noProxy) }} no_proxy: {{ .Values.nodeAnalyzer.noProxy | default .Values.global.proxy.noProxy }} {{- end -}} + {{- if .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion }} + vuln_db_version: {{ .Values.nodeAnalyzer.hostScanner.vulnerabilityDBVersion | quote }} + {{- end }} {{- end }} diff --git a/charts/node-analyzer/templates/configmap-kspm-analyzer.yaml b/charts/node-analyzer/templates/configmap-kspm-analyzer.yaml index b7c3c1779..e07d06b0d 100644 --- a/charts/node-analyzer/templates/configmap-kspm-analyzer.yaml +++ b/charts/node-analyzer/templates/configmap-kspm-analyzer.yaml 
@@ -14,6 +14,7 @@ data: {{ end}} environment: {{ $env }} external_nats_url: {{ include "nodeAnalyzer.natsUrl" . }} + nats_max_reconnect: {{ .Values.nodeAnalyzer.natsMaxReconnect | default 0 | quote }} cluster_name: {{ required "A valid clusterName is required" (include "nodeAnalyzer.clusterName" .) }} agent_app_name: {{ include "nodeAnalyzer.name" . }} {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }} diff --git a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml index b15944123..0f6ac844e 100644 --- a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml +++ b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml @@ -237,6 +237,12 @@ spec: name: {{ .Release.Name }}-kspm-analyzer key: agent_port optional: true + - name: NATS_MAX_RECONNECT + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-kspm-analyzer + key: nats_max_reconnect + optional: true {{- if .Values.global.sysdig.tags }} - name: TAGS value: {{ include "agent.tags" . }} @@ -637,6 +643,12 @@ spec: name: {{ .Release.Name }}-runtime-scanner key: max_image_size_allowed optional: true + - name: VULNERABILITY_DB_VERSION + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-runtime-scanner + key: vuln_db_version + optional: true - name: SYSDIG_API_URL valueFrom: configMapKeyRef: @@ -848,6 +860,12 @@ spec: name: {{ .Release.Name }}-host-scanner key: analyzer.maxFileSizeAllowed optional: true + - name: VULNERABILITY_DB_VERSION + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-host-scanner + key: vuln_db_version + optional: true - name: TMPDIR value: "/tmp" - name: PROBES_PORT diff --git a/charts/node-analyzer/templates/runtimeScanner/runtime-scanner-configmap.yaml b/charts/node-analyzer/templates/runtimeScanner/runtime-scanner-configmap.yaml index 928809609..38db49651 100644 --- a/charts/node-analyzer/templates/runtimeScanner/runtime-scanner-configmap.yaml 
+++ b/charts/node-analyzer/templates/runtimeScanner/runtime-scanner-configmap.yaml @@ -37,4 +37,7 @@ data: {{- if .Values.nodeAnalyzer.runtimeScanner.settings.maxFileSizeAllowed }} analyzer.maxFileSizeAllowed: {{ .Values.nodeAnalyzer.runtimeScanner.settings.maxFileSizeAllowed | int64 | quote }} {{- end -}} + {{- if .Values.nodeAnalyzer.runtimeScanner.settings.vulnerabilityDBVersion }} + vuln_db_version: {{ .Values.nodeAnalyzer.runtimeScanner.settings.vulnerabilityDBVersion | quote }} + {{- end -}} {{- end }} diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml index 6b796a8f3..30852b2b1 100644 --- a/charts/node-analyzer/values.yaml +++ b/charts/node-analyzer/values.yaml @@ -137,6 +137,8 @@ nodeAnalyzer: httpProxy: httpsProxy: noProxy: + # NATS max reconnect attempts + natsMaxReconnect: 0 # Allow sysdig Node Image Analyzer to run on Kubernetes 1.6 masters tolerations: @@ -182,7 +184,7 @@ nodeAnalyzer: deploy: true image: repository: sysdig/node-image-analyzer - tag: 0.1.28 + tag: 0.1.29 digest: pullPolicy: @@ -235,7 +237,7 @@ nodeAnalyzer: deploy: true image: repository: sysdig/host-analyzer - tag: 0.1.16 + tag: 0.1.17 digest: pullPolicy: @@ -287,7 +289,7 @@ nodeAnalyzer: probesPort: 7002 image: repository: sysdig/vuln-runtime-scanner - tag: "1.5.7" + tag: "1.6.2" digest: pullPolicy: storageClassName: @@ -362,7 +364,7 @@ nodeAnalyzer: image: repository: sysdig/vuln-host-scanner - tag: "0.5.2" + tag: "0.6.5" digest: pullPolicy: @@ -385,7 +387,7 @@ nodeAnalyzer: debug: false image: repository: sysdig/kspm-analyzer - tag: 1.32.0 + tag: 1.35.0 digest: pullPolicy: diff --git a/charts/rapid-response/CHANGELOG.md b/charts/rapid-response/CHANGELOG.md index e024a9779..8c2aa466d 100644 --- a/charts/rapid-response/CHANGELOG.md +++ b/charts/rapid-response/CHANGELOG.md 
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.8.3 +### Bug Fixes +* **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) # v0.8.2 ### New Features * **admission-controller,agent,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [32231059](https://github.com/sysdiglabs/charts/commit/322310597ffbf9e47b5755be8f2f65a6e68296a2): pass agent tags to kspm components ([#1333](https://github.com/sysdiglabs/charts/issues/1333)) diff --git a/charts/rapid-response/Chart.yaml b/charts/rapid-response/Chart.yaml index 562acb7b7..d637c875f 100644 --- a/charts/rapid-response/Chart.yaml +++ b/charts/rapid-response/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.8.2 +version: 0.8.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -43,4 +43,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.2.0 + version: ~1.2.2 diff --git a/charts/rapid-response/RELEASE-NOTES.md b/charts/rapid-response/RELEASE-NOTES.md index 8d8461f36..691777330 100644 --- a/charts/rapid-response/RELEASE-NOTES.md +++ b/charts/rapid-response/RELEASE-NOTES.md 
@@ -1,5 +1,5 @@ # What's Changed -### New Features -- **admission-controller,agent,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [32231059](https://github.com/sysdiglabs/charts/commit/322310597ffbf9e47b5755be8f2f65a6e68296a2): pass agent tags to kspm components ([#1333](https://github.com/sysdiglabs/charts/issues/1333)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/rapid-response-0.8.1...rapid-response-0.8.2 +### Bug Fixes +- **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/rapid-response-0.8.2...rapid-response-0.8.3 diff --git a/charts/registry-scanner/CHANGELOG.md b/charts/registry-scanner/CHANGELOG.md index 64eea8358..2a8da0760 100644 --- a/charts/registry-scanner/CHANGELOG.md +++ b/charts/registry-scanner/CHANGELOG.md 
@@ -10,6 +10,16 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.1.13 +### Chores +* **registry-scanner** [9f3aee7d](https://github.com/sysdiglabs/charts/commit/9f3aee7d85bd420fa61239b965d528be9a583aef): Update to v0.2.51 ([#1419](https://github.com/sysdiglabs/charts/issues/1419)) +# v1.1.12 +### Bug Fixes +* **registry-scanner** [95340f9b](https://github.com/sysdiglabs/charts/commit/95340f9b730ce58de5e3ec18b190f0e97634c597): properly set vulnerability DB config ([#1417](https://github.com/sysdiglabs/charts/issues/1417)) +# v1.1.11 +### New Features +* **registry-scanner** [e948b71d](https://github.com/sysdiglabs/charts/commit/e948b71d4a222a5559306b728e6832af2901d4a2): add gar, gcr and nexus support ([#1354](https://github.com/sysdiglabs/charts/issues/1354)) +# v1.1.10 # v1.1.9 ### Chores * **registry-scanner** [b9f6b22f](https://github.com/sysdiglabs/charts/commit/b9f6b22fa7743d5f8ef9537c3e408f65a407dd07): Update to v0.2.48 ([#1374](https://github.com/sysdiglabs/charts/issues/1374)) diff --git a/charts/registry-scanner/Chart.yaml b/charts/registry-scanner/Chart.yaml index 0f6e1a1e7..429b68f62 100644 --- a/charts/registry-scanner/Chart.yaml +++ b/charts/registry-scanner/Chart.yaml @@ -4,8 +4,8 @@ description: Sysdig Registry Scanner type: application home: https://sysdiglabs.github.io/registry-scanner/ icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png -version: 1.1.9 -appVersion: 0.2.48 +version: 1.1.13 +appVersion: 0.2.51 maintainers: - name: giuse-sysdig email: giuseppe.esposito@sysdig.com diff --git a/charts/registry-scanner/README.md b/charts/registry-scanner/README.md index 12ba603c2..dec3d31e0 100644 --- a/charts/registry-scanner/README.md +++ b/charts/registry-scanner/README.md 
@@ -33,6 +33,7 @@ Follow the instructions in [Install Registry Scanner](https://docs.sysdig.com/en - Quay IO - IBM ICR - Azure ACR +- Google GAR Once installed, you can view the scan results in the [Vulnerabilities UI](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/registry/) of Sysdig Secure. @@ -60,7 +61,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca | config.registryApiUrl | The API URL of the registry to scan. This is required if your registry type is Artifactory. | <code>""</code> | | config.registryUser | The username for registry authentication. | <code>""</code> | | config.registryPassword | The password for registry authentication. | <code>""</code> | -| config.registryType | Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, and dockerv2. | <code>""</code> | +| config.registryType | Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, nexus and dockerv2. | <code>""</code> | | config.registryAccountId | The account ID. Applicable only for ICR registry type. | <code>""</code> | | config.icrIamApi | The ICR IAM API. Applicable only for ICR registry type. | <code>""</code> | | config.icrIamApiSkipTLS | Ignore TLS certificate for IAM API. Applicable only for ICR registry type. | <code>false</code> | 
@@ -90,7 +91,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca | config.scan.jobs.resources.requests.cpu | The CPU request for the scanner job. | <code>500m</code> | | config.scan.jobs.resources.limits.memory | The memory limit for the scanner job. | <code>2Gi</code> | | config.scan.jobs.temporaryVolumeSizeLimit | The size limit for the emptyDir volume used by the scanner job.<br/> This volume is used to store both the vulnerability database and the image to scan. | <code>2Gi</code> | -| config.useMainDbV2 | Enable vulnerability MainDB V2 | <code>false</code> | +| config.parallelGoRoutines | Number of goroutines running in parallel in metadata phase for ECR Org setup. | <code>100</code> | | ssl.ca.certs | For outbound connections. <br/>List of PEM-encoded x509 certificate authority. | <code>[]</code> | | customLabels | The additional labels to add to CronJob and Scanning Jobs. The custom labels to be added to kubernetes manifests of all the resources created. | <code>{}</code> | | proxy.httpProxy | The URL of the proxy for HTTP connections. Leave it empty if not using proxy, which sets the `http_proxy` environment variable. | <code></code> | diff --git a/charts/registry-scanner/README.tpl b/charts/registry-scanner/README.tpl index 143e6e3b2..6bfe90693 100644 --- a/charts/registry-scanner/README.tpl +++ b/charts/registry-scanner/README.tpl @@ -33,6 +33,7 @@ Follow the instructions in [Install Registry Scanner](https://docs.sysdig.com/en - Quay IO - IBM ICR - Azure ACR +- Google GAR Once installed, you can view the scan results in the [Vulnerabilities UI](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/registry/) of Sysdig Secure. diff --git a/charts/registry-scanner/RELEASE-NOTES.md b/charts/registry-scanner/RELEASE-NOTES.md index 009910a93..d06a564ab 100644 --- a/charts/registry-scanner/RELEASE-NOTES.md +++ b/charts/registry-scanner/RELEASE-NOTES.md 
@@ -1,5 +1,5 @@ # What's Changed ### Chores -- **registry-scanner** [b9f6b22f](https://github.com/sysdiglabs/charts/commit/b9f6b22fa7743d5f8ef9537c3e408f65a407dd07): Update to v0.2.48 ([#1374](https://github.com/sysdiglabs/charts/issues/1374)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/registry-scanner-1.1.8...registry-scanner-1.1.9 +- **registry-scanner** [9f3aee7d](https://github.com/sysdiglabs/charts/commit/9f3aee7d85bd420fa61239b965d528be9a583aef): Update to v0.2.51 ([#1419](https://github.com/sysdiglabs/charts/issues/1419)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/registry-scanner-1.1.12...registry-scanner-1.1.13 diff --git a/charts/registry-scanner/ci/test-jfrog-saas-values.yaml.template b/charts/registry-scanner/ci/test-aws-org-values.yaml.template.disabled similarity index 100% rename from charts/registry-scanner/ci/test-jfrog-saas-values.yaml.template rename to charts/registry-scanner/ci/test-aws-org-values.yaml.template.disabled diff --git a/charts/registry-scanner/ci/test-jfrog-saas-values-with-custom-ca.yaml.template b/charts/registry-scanner/ci/test-jfrog-saas-values-with-custom-ca.yaml.template.disabled similarity index 100% rename from charts/registry-scanner/ci/test-jfrog-saas-values-with-custom-ca.yaml.template rename to charts/registry-scanner/ci/test-jfrog-saas-values-with-custom-ca.yaml.template.disabled diff --git a/charts/registry-scanner/ci/test-jfrog-saas-values.yaml.template.disabled b/charts/registry-scanner/ci/test-jfrog-saas-values.yaml.template.disabled new file mode 100644 index 000000000..c9e7fd4d9 --- /dev/null +++ b/charts/registry-scanner/ci/test-jfrog-saas-values.yaml.template.disabled 
@@ -0,0 +1,13 @@ +config: + secureAPIToken: ${SECURE_API_TOKEN} + registryType: artifactory + registryURL: ${SYSDIG_JFROG_SAAS_QA_URL} + registryApiUrl: ${SYSDIG_JFROG_SAAS_QA_API_URL} + registryUser: ${SYSDIG_JFROG_SAAS_QA_USER} + registryPassword: ${SYSDIG_JFROG_SAAS_QA_TOKEN} + filter: + include: 'alpine:3.1' + exclude: '.*' +scanOnStart: + enabled: true + asPostInstallHook: true diff --git a/charts/registry-scanner/templates/_job.tpl b/charts/registry-scanner/templates/_job.tpl index b3fbaa24f..241d57749 100644 --- a/charts/registry-scanner/templates/_job.tpl +++ b/charts/registry-scanner/templates/_job.tpl @@ -116,6 +116,10 @@ {{- end }} key: registryPassword {{- end }} + {{ if .Values.config.parallelGoRoutines }} + - name: GROUP_LIMIT + value: "{{ .Values.config.parallelGoRoutines }}" + {{- end }} {{- if .Values.extraEnvVars }} {{- toYaml .Values.extraEnvVars | nindent 10 }} {{- end }} diff --git a/charts/registry-scanner/templates/configmap.yaml b/charts/registry-scanner/templates/configmap.yaml index 9d80db88b..7d460aa25 100644 --- a/charts/registry-scanner/templates/configmap.yaml +++ b/charts/registry-scanner/templates/configmap.yaml @@ -102,4 +102,4 @@ data: reportPath: /output/registry-scanner-{DATE}.json {{- end }} - useMainDbV2: {{ .Values.config.useMainDbV2 }} + vulnerabilityDBVersion: {{ .Values.config.vulnerabilityDBVersion | default "v2" | quote }} diff --git a/charts/registry-scanner/templates/job.yaml b/charts/registry-scanner/templates/job.yaml index c71c3d547..951aaf738 100644 --- a/charts/registry-scanner/templates/job.yaml +++ b/charts/registry-scanner/templates/job.yaml @@ -12,4 +12,4 @@ metadata: {{- end }} spec: {{- include "registry-scanner.jobTemplate" . | indent 2}} -{{- end}} +{{- end }} diff --git a/charts/registry-scanner/templates/secret.yaml b/charts/registry-scanner/templates/secret.yaml index 107f4b0c2..8c1ae3368 100644 --- a/charts/registry-scanner/templates/secret.yaml +++ b/charts/registry-scanner/templates/secret.yaml 
@@ -12,6 +12,12 @@ data: aws_access_key_id: {{ .Values.config.aws.accessKeyId | b64enc | quote }} aws_secret_access_key: {{ .Values.config.aws.secretAccessKey | b64enc | quote }} aws_region: {{ required "A valid .Values.config.aws.region is required" .Values.config.aws.region | b64enc | quote }} + {{- else if eq .Values.config.registryType "gar" }} + registryUser: {{ "_json_key_base64" | b64enc | quote }} + registryPassword: {{ required "A valid .Values.config.registryPassword is required" .Values.config.registryPassword | b64enc | quote }} + {{- else if eq .Values.config.registryType "gcr" }} + registryUser: {{ "_json_key" | b64enc | quote }} + registryPassword: {{ required "A valid .Values.config.registryPassword is required" .Values.config.registryPassword | b64enc | quote }} {{- else }} registryUser: {{ required "A valid .Values.config.registryUser is required" .Values.config.registryUser | b64enc | quote }} registryPassword: {{ required "A valid .Values.config.registryPassword is required" .Values.config.registryPassword | b64enc | quote }} diff --git a/charts/registry-scanner/values.yaml b/charts/registry-scanner/values.yaml index 1a4cbeefc..8053d2696 100644 --- a/charts/registry-scanner/values.yaml +++ b/charts/registry-scanner/values.yaml @@ -26,7 +26,7 @@ config: registryUser: "" # The password for registry authentication. registryPassword: "" - # Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, and dockerv2. + # Mandatory.<br/>The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, nexus and dockerv2. registryType: "" # The account ID. Applicable only for ICR registry type. registryAccountId: "" 
@@ -103,8 +103,8 @@ config: # The size limit for the emptyDir volume used by the scanner job.<br/> # This volume is used to store both the vulnerability database and the image to scan. temporaryVolumeSizeLimit: 2Gi - # Enable vulnerability MainDB V2 - useMainDbV2: false + # Number of goroutines running in parallel in metadata phase for ECR Org setup. + parallelGoRoutines: 100 ssl: ca: # For outbound connections. diff --git a/charts/sysdig-deploy/CHANGELOG.md b/charts/sysdig-deploy/CHANGELOG.md index a7a310215..dc593d2f4 100644 --- a/charts/sysdig-deploy/CHANGELOG.md +++ b/charts/sysdig-deploy/CHANGELOG.md 
@@ -10,6 +10,46 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.26.4 +### Chores +* **kspm-collector,node-analyzer** [201126cf](https://github.com/sysdiglabs/charts/commit/201126cf8abb51996ee001665c17545210058ff9): KSPM v1.34.0 ([#1422](https://github.com/sysdiglabs/charts/issues/1422)) +# v1.26.3 +### Chores +* **sysdig-deploy** [99ad329d](https://github.com/sysdiglabs/charts/commit/99ad329da1c4af6a01ed512c78b6e05ecb3a82fc): Automatic version bump due to updated dependencies ([#1421](https://github.com/sysdiglabs/charts/issues/1421)) +# v1.26.2 +### Chores +* **sysdig-deploy** [2ad42f2f](https://github.com/sysdiglabs/charts/commit/2ad42f2f3f1319bbaf3dc93b63cf7eec1d14bc86): Automatic version bump due to updated dependencies ([#1418](https://github.com/sysdiglabs/charts/issues/1418)) +# v1.26.1 +### New Features +* **cluster-scanner** [8f19ed47](https://github.com/sysdiglabs/charts/commit/8f19ed47df2be280d2c432d1a182f6235a8e2231): bumped cluster-scanner images to 0.5.1 ([#1412](https://github.com/sysdiglabs/charts/issues/1412)) +# v1.26.0 +### New Features +* **cluster-scanner** [23b421c6](https://github.com/sysdiglabs/charts/commit/23b421c60dafe24c2e777f38c490e7f88c2c42a4): Enable platform services only in regions which support them ([#1413](https://github.com/sysdiglabs/charts/issues/1413)) +# v1.25.0 +# v1.24.7 +### Chores +* **sysdig-deploy** [b40e8e79](https://github.com/sysdiglabs/charts/commit/b40e8e79dade9bbcada01f406298bb411fd241c0): Automatic version bump due to updated dependencies ([#1411](https://github.com/sysdiglabs/charts/issues/1411)) +# v1.24.6 +### Chores +* **sysdig-deploy** [7544fc18](https://github.com/sysdiglabs/charts/commit/7544fc18f6067d191023cb58f218d93f3e3de7f7): Automatic version bump due to updated dependencies ([#1408](https://github.com/sysdiglabs/charts/issues/1408)) +# v1.24.5 +### Bug Fixes +* **cluster-scanner** 
[9b3864ff](https://github.com/sysdiglabs/charts/commit/9b3864fffdc9e8b7e8fdc96f8ed4902f945c34c7): removed unneeded version compatibility checks ([#1404](https://github.com/sysdiglabs/charts/issues/1404)) +# v1.24.4 +### New Features +* **kspm-collector,node-analyzer** [660e610d](https://github.com/sysdiglabs/charts/commit/660e610d475cdac3b9d2c51da4af0a01abce31f6): add support for NATS_MAX_RECONNECT variable ([#1400](https://github.com/sysdiglabs/charts/issues/1400)) +# v1.24.3 +### Bug Fixes +* **kspm-collector,node-analyzer** [67f042fd](https://github.com/sysdiglabs/charts/commit/67f042fd9ebb72cd121751d46fb96f7c3ad539ba): add debug logs to cloud platform metadata loading ([#1398](https://github.com/sysdiglabs/charts/issues/1398)) +# v1.24.2 +### Chores +* **sysdig-deploy** [cec55804](https://github.com/sysdiglabs/charts/commit/cec55804dd45827f316d6f9e5c85fe9ff1eca11f): Automatic version bump due to updated dependencies ([#1397](https://github.com/sysdiglabs/charts/issues/1397)) +# v1.24.1 +### Bug Fixes +* **common,agent,admission-controller,cluster-scanner,kspm-collector,node-analyzer,rapid-response** [e76f1c17](https://github.com/sysdiglabs/charts/commit/e76f1c17e48491dd8ea21293ec1fed2619eed204): Update Sysdig CA ([#1393](https://github.com/sysdiglabs/charts/issues/1393)) +# v1.24.0 +### New Features +* **cluster-scanner** [5b1e9649](https://github.com/sysdiglabs/charts/commit/5b1e96497ef50342055f3f43bc9ff5f41f7cfea1): added configuration for docker registry mirrors ([#1372](https://github.com/sysdiglabs/charts/issues/1372)) # v1.23.10 ### Chores * **sysdig-deploy** [92591ea5](https://github.com/sysdiglabs/charts/commit/92591ea579138af67a5dfe816433ee363494bf5f): Automatic version bump due to updated dependencies ([#1391](https://github.com/sysdiglabs/charts/issues/1391)) diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index d709c170c..f306f61a9 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.23.10 +version: 1.26.4 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -20,40 +20,40 @@ dependencies: - name: admission-controller # repository: https://charts.sysdig.com repository: file://../admission-controller - version: ~0.14.11 + version: ~0.14.12 alias: admissionController condition: admissionController.enabled - name: agent # repository: https://charts.sysdig.com repository: file://../agent - version: ~1.13.12 + version: ~1.14.0 alias: agent condition: agent.enabled - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.2.1 + version: ~1.2.2 - name: node-analyzer # repository: https://charts.sysdig.com repository: file://../node-analyzer - version: ~1.17.5 + version: ~1.17.12 alias: nodeAnalyzer condition: nodeAnalyzer.enabled - name: cluster-scanner # repository: https://charts.sysdig.com repository: file://../cluster-scanner - version: ~0.6.1 + version: ~0.8.1 alias: clusterScanner condition: clusterScanner.enabled - name: kspm-collector # repository: https://charts.sysdig.com repository: file://../kspm-collector - version: ~0.8.1 + version: ~0.8.5 alias: kspmCollector condition: global.kspm.deploy - name: rapid-response # repository: https://charts.sysdig.com repository: file://../rapid-response - version: ~0.8.2 + version: ~0.8.3 alias: rapidResponse condition: rapidResponse.enabled diff --git a/charts/sysdig-deploy/RELEASE-NOTES.md b/charts/sysdig-deploy/RELEASE-NOTES.md index 7bb3203ad..02f46aaee 100644 --- a/charts/sysdig-deploy/RELEASE-NOTES.md +++ b/charts/sysdig-deploy/RELEASE-NOTES.md 
@@ -1,5 +1,5 @@ # What's Changed ### Chores -- **sysdig-deploy** [92591ea5](https://github.com/sysdiglabs/charts/commit/92591ea579138af67a5dfe816433ee363494bf5f): Automatic version bump due to updated dependencies ([#1391](https://github.com/sysdiglabs/charts/issues/1391)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.23.9...sysdig-deploy-1.23.10 +- **kspm-collector,node-analyzer** [201126cf](https://github.com/sysdiglabs/charts/commit/201126cf8abb51996ee001665c17545210058ff9): KSPM v1.34.0 ([#1422](https://github.com/sysdiglabs/charts/issues/1422)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.26.3...sysdig-deploy-1.26.4 diff --git a/charts/sysdig/CHANGELOG.md b/charts/sysdig/CHANGELOG.md index 605b49d70..546be860d 100644 --- a/charts/sysdig/CHANGELOG.md +++ b/charts/sysdig/CHANGELOG.md @@ -10,6 +10,15 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.16.17 +### New Features +* [eda0e7cd](https://github.com/sysdiglabs/charts/commit/eda0e7cdf12c0b40f0bb77c0a16e0fd5f0173256): release agent 12.17.0 ([#1410](https://github.com/sysdiglabs/charts/issues/1410)) +# v1.16.16 +### Chores +* **sysdig, node-analyzer** [84cfe9a5](https://github.com/sysdiglabs/charts/commit/84cfe9a5e6f989a9a42b14b3d16597436f23b4b1): update legacy nodeImageAnalyzer (0.1.29) and hostImageAnalyzer (0.1.17) ([#1407](https://github.com/sysdiglabs/charts/issues/1407)) +# v1.16.15 +### New Features +* [9fc9ddd4](https://github.com/sysdiglabs/charts/commit/9fc9ddd48e6cb2c3ea334bfc10048ffc15646fd2): release agent 12.16.3 ([#1395](https://github.com/sysdiglabs/charts/issues/1395)) # v1.16.14 ### New Features * [45e2f7a9](https://github.com/sysdiglabs/charts/commit/45e2f7a96c565bfe0687acaacf350e81f94a23bb): release agent 12.16.2 ([#1381](https://github.com/sysdiglabs/charts/issues/1381)) 
diff --git a/charts/sysdig/Chart.yaml b/charts/sysdig/Chart.yaml index 06d80b22c..c3315d9f3 100644 --- a/charts/sysdig/Chart.yaml +++ b/charts/sysdig/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 12.16.2 +appVersion: 12.17.0 deprecated: true description: Sysdig Monitor and Secure agent home: https://www.sysdig.com/ @@ -15,4 +15,4 @@ name: sysdig sources: - https://app.sysdigcloud.com/#/settings/user - https://github.com/draios/sysdig -version: 1.16.14 +version: 1.16.17 diff --git a/charts/sysdig/README.md b/charts/sysdig/README.md index b9ad96373..a3a1220fa 100644 --- a/charts/sysdig/README.md +++ b/charts/sysdig/README.md @@ -222,7 +222,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `nodeAnalyzer.pullSecrets` | The image pull secrets for the Node Analyzer containers. | `nil` | | `nodeAnalyzer.imageAnalyzer.deploy` | Deploys the Image Analyzer. | `true ` | | `nodeAnalyzer.imageAnalyzer.image.repository` | The image repository to pull the Node Image Analyzer from. | `sysdig/node-image-analyzer` | -| `nodeAnalyzer.imageAnalyzer.image.tag` | The image tag to pull the Node Image Analyzer. | `0.1.28` | +| `nodeAnalyzer.imageAnalyzer.image.tag` | The image tag to pull the Node Image Analyzer. | `0.1.29` | | `nodeAnalyzer.imageAnalyzer.image.digest` | The image digest to pull. | ` ` | | `nodeAnalyzer.imageAnalyzer.image.pullPolicy` | The Image pull policy for the Node Image Analyzer. | `IfNotPresent` | | `nodeAnalyzer.imageAnalyzer.dockerSocketPath` | The Docker socket path. | | 
@@ -237,7 +237,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `nodeAnalyzer.imageAnalyzer.env` | The extra environment variables that will be passed onto pods. | `{}` | | `nodeAnalyzer.hostAnalyzer.deploy` | Deploys the Host Analyzer. | `true ` | | `nodeAnalyzer.hostAnalyzer.image.repository` | The image repository to pull the Host Analyzer from. | `sysdig/host-analyzer` | -| `nodeAnalyzer.hostAnalyzer.image.tag` | The image tag to pull the Host Analyzer. | `0.1.16` | +| `nodeAnalyzer.hostAnalyzer.image.tag` | The image tag to pull the Host Analyzer. | `0.1.17` | | `nodeAnalyzer.hostAnalyzer.image.digest` | The image digest to pull. | ` ` | | `nodeAnalyzer.hostAnalyzer.image.pullPolicy` | The Image pull policy for the Host Analyzer. | `IfNotPresent` | | `nodeAnalyzer.hostAnalyzer.schedule` | The scanning schedule specification for the host analyzer expressed as a crontab. | `@dailydefault` | @@ -323,7 +323,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `nodeImageAnalyzer.settings.httpsProxy` | The secure proxy configuration variables. | | | `nodeImageAnalyzer.settings.noProxy` | The no proxy configuration variables. | | | `nodeImageAnalyzer.image.repository` | The image repository to pull the Node Image Analyzer from. | `sysdig/node-image-analyzer` | -| `nodeImageAnalyzer.image.tag` | The image tag to pull the Node Image Analyzer. | `0.1.28` | +| `nodeImageAnalyzer.image.tag` | The image tag to pull the Node Image Analyzer. | `0.1.29` | | `nodeImageAnalyzer.imagedigest` | The image digest to pull. | ` ` | | `nodeImageAnalyzer.image.pullPolicy` | The Image pull policy for the Node Image Analyzer. | `IfNotPresent` | | `nodeImageAnalyzer.image.pullSecrets` | Image pull secrets for the Node Image Analyzer. | `nil` | diff --git a/charts/sysdig/RELEASE-NOTES.md b/charts/sysdig/RELEASE-NOTES.md index 965664103..bb57c917f 100644 --- a/charts/sysdig/RELEASE-NOTES.md 
+++ b/charts/sysdig/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed ### New Features -- [45e2f7a9](https://github.com/sysdiglabs/charts/commit/45e2f7a96c565bfe0687acaacf350e81f94a23bb): release agent 12.16.2 ([#1381](https://github.com/sysdiglabs/charts/issues/1381)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.23.6...sysdig-1.16.14 +- [eda0e7cd](https://github.com/sysdiglabs/charts/commit/eda0e7cdf12c0b40f0bb77c0a16e0fd5f0173256): release agent 12.17.0 ([#1410](https://github.com/sysdiglabs/charts/issues/1410)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.24.6...sysdig-1.16.17 diff --git a/charts/sysdig/values.yaml b/charts/sysdig/values.yaml index 0c2b6d634..5d5380efe 100644 --- a/charts/sysdig/values.yaml +++ b/charts/sysdig/values.yaml @@ -7,7 +7,7 @@ image: overrideValue: null registry: quay.io repository: sysdig/agent - tag: 12.16.2 + tag: 12.17.0 # Specify a imagePullPolicy # Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' # ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -193,7 +193,7 @@ nodeImageAnalyzer: deploy: false image: repository: sysdig/node-image-analyzer - tag: 0.1.28 + tag: 0.1.29 digest: null pullPolicy: IfNotPresent # pullSecrets: @@ -351,7 +351,7 @@ nodeAnalyzer: deploy: true image: repository: sysdig/node-image-analyzer - tag: 0.1.28 + tag: 0.1.29 digest: null pullPolicy: IfNotPresent # The Docker socket path. @@ -393,7 +393,7 @@ nodeAnalyzer: deploy: true image: repository: sysdig/host-analyzer - tag: 0.1.16 + tag: 0.1.17 digest: null pullPolicy: IfNotPresent # The scanning schedule specification for the host analyzer expressed as a crontab string such as “5 4 * * *”.
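Review bot: the registry-scanner RELEASE-NOTES hunk records only the chore "Update to v0.2.51", yet the same change set removes the user-facing `config.useMainDbV2` value from values.yaml, adds the `gar`/`gcr` branches in secret.yaml, and introduces `config.parallelGoRoutines`; a reader of the notes would not learn that a value they may have set is gone or that new registry types exist. Add New Features entries for the registry types and a Bug Fixes/Breaking entry for the `useMainDbV2` to `vulnerabilityDBVersion` replacement.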
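Review bot: the CI template rename pairs the wrong files: `test-jfrog-saas-values.yaml.template` becomes `test-aws-org-values.yaml.template.disabled` at `similarity index 100%`, so the file named for an AWS Org test still carries the JFrog values (`registryType: artifactory`, `${SYSDIG_JFROG_SAAS_QA_URL}`), and the JFrog body is then re-added verbatim as a new `test-jfrog-saas-values.yaml.template.disabled`. Commit the AWS Org template with its own contents, or drop the rename and only mark the JFrog template disabled. All three templates also end up `.disabled` with no reason recorded; a short note on why registry-scanner CI is switched off (and what re-enables it) would help the next maintainer.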
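Review bot: in the `_job.tpl` hunk, `{{ if .Values.config.parallelGoRoutines }}` lacks the leading dash that the neighbouring `{{- end }}` and `{{- if .Values.extraEnvVars }}` lines use, so the rendered `env:` list picks up a stray whitespace line; use `{{- if .Values.config.parallelGoRoutines }}`. With the values.yaml default of `parallelGoRoutines: 100` the `GROUP_LIMIT` variable is now injected for every registry type, while the values comment says it is for the ECR Org setup; either default it to `0` so the block is skipped unless opted in, or reword the comment to say it applies to all registries.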
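Review bot: the configmap.yaml hunk replaces `useMainDbV2: {{ .Values.config.useMainDbV2 }}` with `vulnerabilityDBVersion: {{ .Values.config.vulnerabilityDBVersion | default "v2" | quote }}`, which silently changes the default from the V1 database (the removed `useMainDbV2: false`) to `"v2"`, and the new key is never declared in values.yaml, so `helm show values` and the generated README will not list it. Add `vulnerabilityDBVersion: "v2"` with a comment to values.yaml where `useMainDbV2` was removed, call out the default change in the changelog, and consider failing the render when the old key is still present so existing users are not migrated without noticing, e.g. `{{- if hasKey .Values.config "useMainDbV2" }}{{ fail "config.useMainDbV2 was replaced by config.vulnerabilityDBVersion" }}{{- end }}`.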
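Review bot: the secret.yaml hunk adds a `gcr` branch, but the values.yaml `registryType` comment in the same change lists only `gar, nexus and dockerv2` as new types; add `gcr` to the list or drop the branch if it is not meant to be supported. The new `gar`/`gcr` branches also hard-code `registryUser` to `_json_key_base64` / `_json_key` and read the service-account key from `.Values.config.registryPassword`, whose comment still says "The password for registry authentication"; document that for `gar` the value is the base64-encoded service-account JSON key and for `gcr` the raw JSON key. Because this is a long-lived credential rather than a password, the README should steer users to `--set-file` or an existing secret rather than a committed values file.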
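Review bot: the sysdig-deploy CHANGELOG hunk emits a `# v1.25.0` heading with no section or entry under it (it is followed directly by `# v1.24.7`), so a minor bump is recorded with no change attached. Given the Chart.yaml hunk moves `cluster-scanner` from `~0.6.1` to `~0.8.1` and `agent` from `~1.13.12` to `~1.14.0`, something drove that bump; add the missing entry, or correct it manually below `## Change Log` as the file header allows.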
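Review bot: in the charts/sysdig CHANGELOG hunk the v1.16.16 entry scopes as `**sysdig, node-analyzer**` with a space after the comma, while every other entry in this change set (`**kspm-collector,node-analyzer**`, `**common,agent,admission-controller,...**`) uses no space; keep the generated form consistent so scope-based filtering of the changelog keeps working.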
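Review bot: the "Full diff" link in charts/sysdig/RELEASE-NOTES.md uses a tag of a different chart as its base, `sysdig-deploy-1.24.6...sysdig-1.16.17`, so it shows unrelated sysdig-deploy commits rather than this chart's changes; the line it replaces has the same defect (`sysdig-deploy-1.23.6...sysdig-1.16.14`). It should read `sysdig-1.16.16...sysdig-1.16.17`, and since both the old and new lines show the pattern, the base-tag selection in the notes generator is worth checking rather than hand-editing the link.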
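Review bot: the charts/sysdig values.yaml hunks bump the agent to `12.17.0` and the analyzers to `0.1.29` / `0.1.17` by mutable tag while `digest: null` stays in each image block and the README `image.digest` defaults remain blank; since the chart already exposes `digest`, record the digests of the released images alongside the new tags so the bump pins exactly what was tested. Chart.yaml also keeps `deprecated: true` while `appVersion` moves to 12.17.0, so the release note should say whether the deprecated chart is still meant to receive agent releases.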