
Commit f7ff328

chore(cluster-shield): Automatic bump cluster-shield to version 1.22.0 (#2596)
1 parent eac1301 commit f7ff328

15 files changed

Lines changed: 74 additions & 14 deletions

charts/cluster-shield/Chart.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,8 +2,8 @@ apiVersion: v2
22
name: cluster-shield
33
description: Cluster Shield Helm Chart for Kubernetes
44
type: application
5-
version: 1.21.1
6-
appVersion: 1.21.0
5+
version: 1.22.0
6+
appVersion: 1.22.0
77

88
maintainers:
99
- name: AlbertoBarba

charts/cluster-shield/README.md

Lines changed: 1 addition & 0 deletions
@@ -130,6 +130,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
130130
| cluster_shield.features.audit.timeout | The timeout for the audit feature | <code>5</code> |
131131
| cluster_shield.features.audit.excluded_namespaces | The list of namespaces to exclude from the audit feature | <code>[]</code> |
132132
| cluster_shield.features.audit.webhook_rules | List of rules used to determine if a request should be audited | <code>[{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]</code> |
133+
| cluster_shield.features.audit.method | Method used to collect Kubernetes audit events. Use validating_webhook to intercept requests through the admission webhook, or audit_backend when using the Kubernetes audit backend integration. | <code>validating_webhook</code> |
133134
| cluster_shield.features.posture.enabled | Enable the posture feature | <code>false</code> |
134135
| cluster_shield.features.container_vulnerability_management.enabled | Enable the container vulnerability management feature | <code>false</code> |
135136
| cluster_shield.features.container_vulnerability_management.target_workloads.kubernetes.enabled | Enable detection of kubernetes workloads | <code>true</code> |
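Review bot: the new row describes the two accepted values but not what switching them does to the rendered chart; the template change in this same commit stops rendering the `audit.secure.sysdig.com` webhook when `audit_backend` is selected, so the description should say that audit events are then collected only if the Kubernetes audit backend has been configured separately to deliver them. The row otherwise follows the table's existing column format and the default shown matches values.yaml and the schema.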

charts/cluster-shield/templates/_helpers.tpl

Lines changed: 1 addition & 1 deletion
@@ -220,7 +220,7 @@ Verify if certs needs to be generated and mounted inside the pod
220220
Verify if ValidatingWebhookConfiguration needs to be generated
221221
*/}}
222222
{{- define "cluster-shield.needWebhooks"}}
223-
{{- or .Values.cluster_shield.features.audit.enabled .Values.cluster_shield.features.admission_control.enabled }}
223+
{{- or (and .Values.cluster_shield.features.audit.enabled (eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook")) .Values.cluster_shield.features.admission_control.enabled }}
224224
{{- end -}}
225225

226226
{{/*
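Review bot: the method check `(eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook")` is written out here and repeated verbatim in validatingwebhookconfiguration.yaml; move it into its own named template (a helper such as `cluster-shield.auditUsesWebhook`, name suggested here, not from the chart) and call that from both places so the two conditions cannot drift when a further method is added. The `| default` fallback duplicates the default already set in values.yaml and values.schema.json, which is harmless and protects users who supply only a partial values file.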

charts/cluster-shield/templates/validatingwebhookconfiguration.yaml

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ kind: ValidatingWebhookConfiguration
1212
metadata:
1313
name: {{ include "cluster-shield.fullname" . }}
1414
webhooks:
15-
{{- if .Values.cluster_shield.features.audit.enabled }}
15+
{{- if and .Values.cluster_shield.features.audit.enabled (eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook") }}
1616
- name: audit.secure.sysdig.com
1717
matchPolicy: Equivalent
1818
{{ with .Values.cluster_shield.features.audit.excluded_namespaces }}
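Review bot: with `audit.method: audit_backend` and `admission_control.enabled: false` this `{{- if ... }}` skips the only entry under `webhooks:`, which would leave an empty list in the manifest unless the whole file is wrapped in the `cluster-shield.needWebhooks` guard updated in _helpers.tpl; that guard is not visible in this hunk, so please confirm it is in place. The condition itself repeats the expression from _helpers.tpl and should reference a shared helper instead of a second copy.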

charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml

Lines changed: 42 additions & 0 deletions
@@ -104,6 +104,48 @@ tests:
104104
path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port
105105
value: 8443
106106

107+
- it: Does not create the audit webhook when audit method is audit_backend
108+
set:
109+
cluster_shield:
110+
features:
111+
admission_control:
112+
enabled: true
113+
audit:
114+
enabled: true
115+
method: audit_backend
116+
documentIndex: 0
117+
asserts:
118+
- hasDocuments:
119+
count: 2
120+
- containsDocument:
121+
kind: ValidatingWebhookConfiguration
122+
apiVersion: admissionregistration.k8s.io/v1
123+
name: shield-release-cluster-shield
124+
- notExists:
125+
path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
126+
- exists:
127+
path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
128+
129+
- it: Creates a ValidatingWebhookConfiguration resource when audit feature is enabled with validating_webhook method
130+
set:
131+
cluster_shield:
132+
features:
133+
admission_control:
134+
enabled: false
135+
audit:
136+
enabled: true
137+
method: validating_webhook
138+
documentIndex: 0
139+
asserts:
140+
- hasDocuments:
141+
count: 2
142+
- containsDocument:
143+
kind: ValidatingWebhookConfiguration
144+
apiVersion: admissionregistration.k8s.io/v1
145+
name: shield-release-cluster-shield
146+
- exists:
147+
path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
148+
107149
- it: Creates a ValidatingWebhookConfiguration resource when audit feature is enabled
108150
set:
109151
cluster_shield:
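Review bot: both new cases enable at least one webhook, so the combination that actually changes behaviour in `cluster-shield.needWebhooks` is untested: `audit.enabled: true`, `method: audit_backend`, `admission_control.enabled: false`. Add a case asserting that no ValidatingWebhookConfiguration is rendered for that input (and, if certificate resources are gated on the same helper, that they are absent too). The second new test also mirrors the existing "Creates a ValidatingWebhookConfiguration resource when audit feature is enabled" case at line 149 except that it sets `method` explicitly; its description should say it covers the explicit value while the older case covers the default, or the two should be merged.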

charts/cluster-shield/values.schema.json

Lines changed: 9 additions & 0 deletions
@@ -583,6 +583,15 @@
583583
"scope": "*"
584584
}
585585
]
586+
},
587+
"method": {
588+
"type": "string",
589+
"description": "The method used by the audit feature to ingest audit events",
590+
"enum": [
591+
"validating_webhook",
592+
"audit_backend"
593+
],
594+
"default": "validating_webhook"
586595
}
587596
},
588597
"required": [
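Review bot: the `description` here ("The method used by the audit feature to ingest audit events") does not match the wording used for the same key in README.md and values.yaml ("Method used to collect Kubernetes audit events"); align the three so generated documentation stays consistent. Constraining `method` with an `enum` is the right call: the template compares the value against the literal `"validating_webhook"`, so without the enum a misspelled value would pass install and silently result in no audit webhook being rendered.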

charts/cluster-shield/values.yaml

Lines changed: 2 additions & 0 deletions
@@ -143,6 +143,8 @@ cluster_shield:
143143
resources:
144144
- '*/*'
145145
scope: '*'
146+
# Method used to collect Kubernetes audit events. Use validating_webhook to intercept requests through the admission webhook, or audit_backend when using the Kubernetes audit backend integration.
147+
method: validating_webhook
146148
posture:
147149
# Enable the posture feature
148150
enabled: false
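Review bot: the new comment is one very long line; wrap it like the surrounding comments in this block, and state the user-visible consequence directly: setting `audit_backend` stops the chart from rendering the `audit.secure.sysdig.com` webhook, so the Kubernetes audit backend must be configured separately for audit events to reach the shield.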

charts/node-analyzer/CHANGELOG.md

Lines changed: 3 additions & 0 deletions
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
1010
exclusively to fix incorrect entries and not to add new ones.
1111

1212
## Change Log
13+
# v1.43.4
14+
### Chores
15+
* **node-analyzer** [308fef1c](https://github.com/sysdiglabs/charts/commit/308fef1c72f571af0c4336a9f856993d85e0b6bf): bump sysdig/vuln-host-scanner to v0.16.5 ([#2595](https://github.com/sysdiglabs/charts/issues/2595))
1316
# v1.43.3
1417
### Chores
1518
* **node-analyzer** [7b29c97c](https://github.com/sysdiglabs/charts/commit/7b29c97cca6e3d58e4480d5e3f68f4467ce6e628): bump sysdig/vuln-runtime-scanner to v1.8.9 ([#2583](https://github.com/sysdiglabs/charts/issues/2583))

charts/node-analyzer/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@ apiVersion: v2
22
name: node-analyzer
33
description: Sysdig Node Analyzer
44
# currently matching Sysdig's appVersion 1.14.34
5-
version: 1.43.3
5+
version: 1.43.4
66
appVersion: 12.9.2
77
keywords:
88
- monitoring
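Review bot: the commit title names only cluster-shield, but this hunk and the neighbouring node-analyzer files bump node-analyzer from 1.43.3 to 1.43.4 for the vuln-host-scanner update recorded in its CHANGELOG; either name both charts in the title or land the node-analyzer bump as its own commit so the change log and git history stay attributable per chart.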

charts/node-analyzer/README.md

Lines changed: 1 addition & 1 deletion
@@ -194,7 +194,7 @@ The following table lists the configurable parameters of the Sysdig Node Analyze
194194
| `nodeAnalyzer.hostScanner.additionalDirsToScan` | Sets the optional comma-separated list of directories in addition to the default ones. | ` ` |
195195
| `nodeAnalyzer.hostScanner.env` | Specifies the extra environment variables that will be passed onto pods. | `{}` |
196196
| `nodeAnalyzer.hostScanner.image.repository` | Specifies the image repository to pull the Host Scanner from. | `sysdig/vuln-host-scanner` |
197-
| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.16.4` |
197+
| `nodeAnalyzer.hostScanner.image.tag` | Specifies the image tag to pull the Host Scanner. | `0.16.5` |
198198
| `nodeAnalyzer.hostScanner.image.digest` | Specifies the image digest to pull. | ` ` |
199199
| `nodeAnalyzer.hostScanner.image.pullPolicy` | Specifies the image pull policy for the Host Scanner. | `""` |
200200
| `nodeAnalyzer.hostScanner.http_proxy` | Sets `HTTP_PROXY` on the Host Scanner container. | `""` |
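Review bot: the tag change to `0.16.5` is consistent with the v1.43.4 CHANGELOG entry, but the `nodeAnalyzer.hostScanner.image.digest` row directly below remains empty, so operators who want a reproducible, tamper-evident pull still have to look the digest up themselves; consider publishing the digest for 0.16.5 alongside the tag in the changelog or README so it can be pinned.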
