
Commit f258a15

feat(shield): add configurations to disable individual validatingwebhooks (#2598)
1 parent 8d864e2 commit f258a15

13 files changed

Lines changed: 88 additions & 7 deletions

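--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.21.1
-appVersion: 1.21.0
+version: 1.22.0
+appVersion: 1.22.0
 
 maintainers:
 - name: AlbertoBarba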

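--- a/charts/cluster-shield/README.md
+++ b/charts/cluster-shield/README.md
@@ -130,6 +130,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | cluster_shield.features.audit.timeout | The timeout for the audit feature | <code>5</code> |
 | cluster_shield.features.audit.excluded_namespaces | The list of namespaces to exclude from the audit feature | <code>[]</code> |
 | cluster_shield.features.audit.webhook_rules | List of rules used to determine if a request should be audited | <code>[{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]</code> |
+| cluster_shield.features.audit.method | Method used to collect Kubernetes audit events. Use validating_webhook to intercept requests through the admission webhook, or audit_backend when using the Kubernetes audit backend integration. | <code>validating_webhook</code> |
 | cluster_shield.features.posture.enabled | Enable the posture feature | <code>false</code> |
 | cluster_shield.features.container_vulnerability_management.enabled | Enable the container vulnerability management feature | <code>false</code> |
 | cluster_shield.features.container_vulnerability_management.target_workloads.kubernetes.enabled | Enable detection of kubernetes workloads | <code>true</code> |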

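--- a/charts/cluster-shield/templates/_helpers.tpl
+++ b/charts/cluster-shield/templates/_helpers.tpl
@@ -220,7 +220,7 @@ Verify if certs needs to be generated and mounted inside the pod
 Verify if ValidatingWebhookConfiguration needs to be generated
 */}}
 {{- define "cluster-shield.needWebhooks"}}
-{{- or .Values.cluster_shield.features.audit.enabled .Values.cluster_shield.features.admission_control.enabled }}
+{{- or (and .Values.cluster_shield.features.audit.enabled (eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook")) .Values.cluster_shield.features.admission_control.enabled }}
 {{- end -}}
 
 {{/*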
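Review bot: The audit-method test `(and .Values.cluster_shield.features.audit.enabled (eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook"))` is spelled out here and again in templates/validatingwebhookconfiguration.yaml in this same commit; factoring it into one named template (for example a `cluster-shield.auditWebhookEnabled` define that both callers `include`) keeps the two conditions from drifting when a third method is added. Since `needWebhooks` now evaluates false for `audit_backend`, everything else gated on it is skipped too; the comment above this hunk mentions certificate generation, but that helper is outside the hunk, so confirm the audit_backend receiver does not still need the TLS material those helpers produce. A one-line comment on the define, `{{/* audit only needs the webhook when method is validating_webhook (the default) */}}`, would record the intent for the next reader.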

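--- a/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
+++ b/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
@@ -12,7 +12,7 @@ kind: ValidatingWebhookConfiguration
 metadata:
 name: {{ include "cluster-shield.fullname" . }}
 webhooks:
-{{- if .Values.cluster_shield.features.audit.enabled }}
+{{- if and .Values.cluster_shield.features.audit.enabled (eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook") }}
 - name: audit.secure.sysdig.com
 matchPolicy: Equivalent
 {{ with .Values.cluster_shield.features.audit.excluded_namespaces }}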

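--- a/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml
+++ b/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml
@@ -104,6 +104,48 @@ tests:
 path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port
 value: 8443
 
+- it: Does not create the audit webhook when audit method is audit_backend
+set:
+cluster_shield:
+features:
+admission_control:
+enabled: true
+audit:
+enabled: true
+method: audit_backend
+documentIndex: 0
+asserts:
+- hasDocuments:
+count: 2
+- containsDocument:
+kind: ValidatingWebhookConfiguration
+apiVersion: admissionregistration.k8s.io/v1
+name: shield-release-cluster-shield
+- notExists:
+path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
+- exists:
+path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
+
+- it: Creates a ValidatingWebhookConfiguration resource when audit feature is enabled with validating_webhook method
+set:
+cluster_shield:
+features:
+admission_control:
+enabled: false
+audit:
+enabled: true
+method: validating_webhook
+documentIndex: 0
+asserts:
+- hasDocuments:
+count: 2
+- containsDocument:
+kind: ValidatingWebhookConfiguration
+apiVersion: admissionregistration.k8s.io/v1
+name: shield-release-cluster-shield
+- exists:
+path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
+
 - it: Creates a ValidatingWebhookConfiguration resource when audit feature is enabled
 set:
 cluster_shield: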

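--- a/charts/cluster-shield/values.schema.json
+++ b/charts/cluster-shield/values.schema.json
@@ -583,6 +583,15 @@
 "scope": "*"
 }
 ]
+},
+"method": {
+"type": "string",
+"description": "The method used by the audit feature to ingest audit events",
+"enum": [
+"validating_webhook",
+"audit_backend"
+],
+"default": "validating_webhook"
 }
 },
 "required": [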

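--- a/charts/cluster-shield/values.yaml
+++ b/charts/cluster-shield/values.yaml
@@ -143,6 +143,8 @@ cluster_shield:
 resources:
 - '*/*'
 scope: '*'
+# Method used to collect Kubernetes audit events. Use validating_webhook to intercept requests through the admission webhook, or audit_backend when using the Kubernetes audit backend integration.
+method: validating_webhook
 posture:
 # Enable the posture feature
 enabled: false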
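Review bot: The comment on `method` should state what the chart stops rendering when `audit_backend` is chosen: per the template changes in this commit the audit entry of the ValidatingWebhookConfiguration is no longer emitted, so with `audit.enabled: true` and `method: audit_backend` the chart itself installs nothing that delivers events, and coverage depends on an audit webhook backend configured outside the chart. Suggested wording: `# Method used to collect Kubernetes audit events: validating_webhook (default) intercepts requests through the admission webhook; audit_backend does not create that webhook and relies on the Kubernetes audit backend being configured to send events to cluster-shield.` Spelling that out prevents an operator from reading a successful install as proof that audit events are flowing.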

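--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -105,6 +105,7 @@ The following table lists the configurable parameters of the `shield` chart and
 | features.detections.malware_control.enabled | | <code>false</code> |
 | features.detections.ml_policies.enabled | | <code>false</code> |
 | features.detections.kubernetes_audit.enabled | Enable the Kubernetes Audit feature on cluster shield | <code>false</code> |
+| features.detections.kubernetes_audit.method | Method to use: validating_webhook (emulated) or audit_backend (real audit logs) | <code>validating_webhook</code> |
 | features.detections.kubernetes_audit.timeout | The timeout for the audit feature | <code>10</code> |
 | features.detections.kubernetes_audit.http_port | The port that will be used to expose the audit endpoints | <code>6443</code> |
 | features.detections.kubernetes_audit.excluded_namespaces | The list of namespaces that will be excluded from the audit feature | <code>[]</code> |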

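--- a/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml
+++ b/charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml
@@ -35,7 +35,7 @@ data:
 {{ include "cluster.tls_certificates.ca_cert_file_name" . }}: {{ $cert.CACert }}
 {{- end }}
 {{- end -}}
-{{- if and .Values.cluster.validatingwebhookconfiguration.create (include "cluster.audit_enabled" .) }}
+{{- if and .Values.cluster.validatingwebhookconfiguration.create (eq .Values.features.detections.kubernetes_audit.method "validating_webhook") (include "cluster.audit_enabled" .) }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration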
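Review bot: The new condition compares `.Values.features.detections.kubernetes_audit.method` with `"validating_webhook"` without a `default`, unlike the two cluster-shield templates in this commit; if a values override omits or nulls `method`, `eq` sees nil and, depending on the Go template version, the render either fails or the `and` quietly becomes false and the ValidatingWebhookConfiguration is dropped while audit stays enabled. Mirror the cluster-shield form: `{{- if and .Values.cluster.validatingwebhookconfiguration.create (eq (.Values.features.detections.kubernetes_audit.method | default "validating_webhook") "validating_webhook") (include "cluster.audit_enabled" .) }}`. Whether the shield chart's values.yaml ships a default for this key is not visible on this page; the configmap tests render `method: validating_webhook`, which suggests it does, but the template-level default still protects against partial overrides.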

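--- a/charts/shield/tests/cluster/configmap_test.yaml
+++ b/charts/shield/tests/cluster/configmap_test.yaml
@@ -55,6 +55,7 @@ tests:
 enabled: false
 excluded_namespaces: \[\]
 http_port: 6443
+method: validating_webhook
 timeout: 10
 webhook_rules:
 - apiGroups:
@@ -152,6 +153,7 @@ tests:
 enabled: false
 excluded_namespaces: \[\]
 http_port: 6443
+method: validating_webhook
 timeout: 10
 webhook_rules:
 - apiGroups:
@@ -231,6 +233,7 @@ tests:
 enabled: false
 excluded_namespaces: \[\]
 http_port: 6443
+method: validating_webhook
 timeout: 10
 webhook_rules:
 - apiGroups:
@@ -341,6 +344,7 @@ tests:
 enabled: false
 excluded_namespaces: \[\]
 http_port: 6443
+method: validating_webhook
 timeout: 10
 webhook_rules:
 - apiGroups:
@@ -481,6 +485,7 @@ tests:
 enabled: false
 excluded_namespaces: \[\]
 http_port: 6443
+method: validating_webhook
 timeout: 10
 webhook_rules:
 - apiGroups:
@@ -841,6 +846,7 @@ tests:
 enabled: false
 excluded_namespaces: \[\]
 http_port: 6443
+method: validating_webhook
 timeout: 10
 webhook_rules:
 - apiGroups:
@@ -926,6 +932,7 @@ tests:
 enabled: false
 excluded_namespaces: \[\]
 http_port: 6443
+method: validating_webhook
 timeout: 10
 webhook_rules:
 - apiGroups: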
