
Commit 6543dd4

draios-jenkinsupdateclifrancesco-furlan
authored
feat(shield,cluster-shield,sysdig-deploy): release cluster-shield 1.22.0 (#2597)
Co-authored-by: updatecli <[email protected]> Co-authored-by: Francesco Furlan <[email protected]>
1 parent 608a212 commit 6543dd4

14 files changed

Lines changed: 91 additions & 10 deletions

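--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.21.1
-appVersion: 1.21.0
+version: 1.22.0
+appVersion: 1.22.0
 
 maintainers:
 - name: AlbertoBarba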

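--- a/charts/cluster-shield/README.md
+++ b/charts/cluster-shield/README.md
@@ -130,6 +130,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | cluster_shield.features.audit.timeout | The timeout for the audit feature | <code>5</code> |
 | cluster_shield.features.audit.excluded_namespaces | The list of namespaces to exclude from the audit feature | <code>[]</code> |
 | cluster_shield.features.audit.webhook_rules | List of rules used to determine if a request should be audited | <code>[{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]</code> |
+| cluster_shield.features.audit.method | Method used to collect Kubernetes audit events. Use validating_webhook to intercept requests through the admission webhook, or audit_backend when using the Kubernetes audit backend integration. | <code>validating_webhook</code> |
 | cluster_shield.features.posture.enabled | Enable the posture feature | <code>false</code> |
 | cluster_shield.features.container_vulnerability_management.enabled | Enable the container vulnerability management feature | <code>false</code> |
 | cluster_shield.features.container_vulnerability_management.target_workloads.kubernetes.enabled | Enable detection of kubernetes workloads | <code>true</code> |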

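--- a/charts/cluster-shield/templates/_helpers.tpl
+++ b/charts/cluster-shield/templates/_helpers.tpl
@@ -220,7 +220,7 @@ Verify if certs needs to be generated and mounted inside the pod
 Verify if ValidatingWebhookConfiguration needs to be generated
 */}}
 {{- define "cluster-shield.needWebhooks"}}
-{{- or .Values.cluster_shield.features.audit.enabled .Values.cluster_shield.features.admission_control.enabled }}
+{{- or (and .Values.cluster_shield.features.audit.enabled (eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook")) .Values.cluster_shield.features.admission_control.enabled }}
 {{- end -}}
 
 {{/*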
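Review bot: The audit-method predicate `(eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook")` is spelled out in full on the new needWebhooks line and again in templates/validatingwebhookconfiguration.yaml, so the two sites can drift the next time a method value is added or the default changes. A named helper would keep a single source of truth, e.g. `{{- define "cluster-shield.auditUsesWebhook" -}}` / `{{- eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook" -}}` / `{{- end -}}`, with both sites testing its output. Since `include` returns a string, callers must compare it against `"true"` rather than using it directly in `if`/`and`, as a non-empty `"false"` is truthy in Go templates. The same duplication point applies to the validatingwebhookconfiguration.yaml hunk below.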

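--- a/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
+++ b/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
@@ -12,7 +12,7 @@ kind: ValidatingWebhookConfiguration
 metadata:
 name: {{ include "cluster-shield.fullname" . }}
 webhooks:
-{{- if .Values.cluster_shield.features.audit.enabled }}
+{{- if and .Values.cluster_shield.features.audit.enabled (eq (.Values.cluster_shield.features.audit.method | default "validating_webhook") "validating_webhook") }}
 - name: audit.secure.sysdig.com
 matchPolicy: Equivalent
 {{ with .Values.cluster_shield.features.audit.excluded_namespaces }}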

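--- a/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml
+++ b/charts/cluster-shield/tests/validatingwebhookconfiguration_test.yaml
@@ -104,6 +104,48 @@ tests:
 path: .webhooks[?(@.name == "vac.secure.sysdig.com")].clientConfig.service.port
 value: 8443
 
+- it: Does not create the audit webhook when audit method is audit_backend
+set:
+cluster_shield:
+features:
+admission_control:
+enabled: true
+audit:
+enabled: true
+method: audit_backend
+documentIndex: 0
+asserts:
+- hasDocuments:
+count: 2
+- containsDocument:
+kind: ValidatingWebhookConfiguration
+apiVersion: admissionregistration.k8s.io/v1
+name: shield-release-cluster-shield
+- notExists:
+path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
+- exists:
+path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
+
+- it: Creates a ValidatingWebhookConfiguration resource when audit feature is enabled with validating_webhook method
+set:
+cluster_shield:
+features:
+admission_control:
+enabled: false
+audit:
+enabled: true
+method: validating_webhook
+documentIndex: 0
+asserts:
+- hasDocuments:
+count: 2
+- containsDocument:
+kind: ValidatingWebhookConfiguration
+apiVersion: admissionregistration.k8s.io/v1
+name: shield-release-cluster-shield
+- exists:
+path: .webhooks[?(@.name == "audit.secure.sysdig.com")]
+
 - it: Creates a ValidatingWebhookConfiguration resource when audit feature is enabled
 set:
 cluster_shield: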
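Review bot: The new `audit_backend` case only runs with `admission_control.enabled: true`, so the admission webhook keeps the ValidatingWebhookConfiguration alive and the test never checks the path the needWebhooks helper change is really about: audit enabled with `method: audit_backend` and admission control disabled. In that configuration the chart should render no ValidatingWebhookConfiguration at all, and nothing here pins that down. A third case with admission control off and a negated `containsDocument` would cover it; if the chart still emits other documents from this template in that configuration, adjust the assertion to the count it produces. The second added case also looks close to the existing "Creates a ValidatingWebhookConfiguration resource when audit feature is enabled" test that follows it; if they differ only by the explicit `method`, the two could be merged.

```yaml
  - it: Does not render a ValidatingWebhookConfiguration when audit_backend is used and admission control is disabled
    set:
      cluster_shield:
        features:
          admission_control:
            enabled: false
          audit:
            enabled: true
            method: audit_backend
    asserts:
      - containsDocument:
          kind: ValidatingWebhookConfiguration
          apiVersion: admissionregistration.k8s.io/v1
          name: shield-release-cluster-shield
        not: true
```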

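--- a/charts/cluster-shield/values.schema.json
+++ b/charts/cluster-shield/values.schema.json
@@ -583,6 +583,15 @@
 "scope": "*"
 }
 ]
+},
+"method": {
+"type": "string",
+"description": "The method used by the audit feature to ingest audit events",
+"enum": [
+"validating_webhook",
+"audit_backend"
+],
+"default": "validating_webhook"
 }
 },
 "required": [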
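Review bot: The schema description `The method used by the audit feature to ingest audit events` differs from the wording used for the same key in values.yaml and the README, which say the method is used to "collect" events and explain what each of the two values means. Since the schema description is what editors and validation tooling surface, aligning it, e.g. `"description": "Method used to collect Kubernetes audit events: validating_webhook (admission webhook) or audit_backend (Kubernetes audit backend integration)"`, keeps the three sources consistent. The enum itself is the right place to reject typos, so that part needs no change.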

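--- a/charts/cluster-shield/values.yaml
+++ b/charts/cluster-shield/values.yaml
@@ -143,6 +143,8 @@ cluster_shield:
 resources:
 - '*/*'
 scope: '*'
+# Method used to collect Kubernetes audit events. Use validating_webhook to intercept requests through the admission webhook, or audit_backend when using the Kubernetes audit backend integration.
+method: validating_webhook
 posture:
 # Enable the posture feature
 enabled: false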
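Review bot: The new comment above `method:` is a single line of well over 120 characters, while the neighbouring comments in this file (`# Enable the posture feature`) are short one-liners; wrapping it keeps the file within the usual line-length limit and reads better in diffs. Something like `# Method used to collect Kubernetes audit events:` / `# validating_webhook intercepts requests through the admission webhook,` / `# audit_backend relies on the Kubernetes audit backend integration.` carries the same content. It may also help readers to state that `validating_webhook` is the value the templates assume when the key is omitted.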

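--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 
 type: application
-version: 1.34.6
+version: 1.35.0
 appVersion: "1.0.0"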
