
Commit 838ab56

new(shield): add configuration to disable audit validatingwebhook
Signed-off-by: Gianmatteo Palmieri <[email protected]>
1 parent 1cb36ce commit 838ab56

6 files changed

Lines changed: 29 additions & 2 deletions

File tree

charts/shield/Chart.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,5 +13,5 @@ maintainers:
1313
- name: mavimo
1414
1515
type: application
16-
version: 1.34.5
16+
version: 1.34.6
1717
appVersion: "1.0.0"
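Review bot: the bump to `version: 1.34.6` is a patch increment, but this commit introduces a new user-facing value (`features.detections.kubernetes_audit.method`), which under semver is a minor change; consider `1.35.0` so chart consumers can tell from the version alone that new configuration was added.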

charts/shield/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -105,6 +105,7 @@ The following table lists the configurable parameters of the `shield` chart and
105105
| features.detections.malware_control.enabled | | <code>false</code> |
106106
| features.detections.ml_policies.enabled | | <code>false</code> |
107107
| features.detections.kubernetes_audit.enabled | Enable the Kubernetes Audit feature on cluster shield | <code>false</code> |
108+
| features.detections.kubernetes_audit.method | Method to use: validating_webhook (emulated) or audit_backend (real audit logs) | <code>validating_webhook</code> |
108109
| features.detections.kubernetes_audit.timeout | The timeout for the audit feature | <code>10</code> |
109110
| features.detections.kubernetes_audit.http_port | The port that will be used to expose the audit endpoints | <code>6443</code> |
110111
| features.detections.kubernetes_audit.excluded_namespaces | The list of namespaces that will be excluded from the audit feature | <code>[]</code> |
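Review bot: the description for `features.detections.kubernetes_audit.method` does not say what selecting `audit_backend` changes in the rendered chart. Since the template change in this commit stops creating the ValidatingWebhookConfiguration for that method, the row should state it, e.g. `Method to use: validating_webhook (emulated) or audit_backend (real audit logs; no ValidatingWebhookConfiguration is created)`, and should present the two accepted values as exact, case-sensitive strings.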

charts/shield/templates/cluster/tls-certificates-admissionregistration.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ data:
3535
{{ include "cluster.tls_certificates.ca_cert_file_name" . }}: {{ $cert.CACert }}
3636
{{- end }}
3737
{{- end -}}
38-
{{- if and .Values.cluster.validatingwebhookconfiguration.create (include "cluster.audit_enabled" .) }}
38+
{{- if and .Values.cluster.validatingwebhookconfiguration.create (eq .Values.features.detections.kubernetes_audit.method "validating_webhook") (include "cluster.audit_enabled" .) }}
3939
---
4040
apiVersion: admissionregistration.k8s.io/v1
4141
kind: ValidatingWebhookConfiguration
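Review bot: the `eq .Values.features.detections.kubernetes_audit.method "validating_webhook"` guard fails silently for any value other than the two documented ones: a typo such as `validating-webhook` or `ValidatingWebhook` renders no ValidatingWebhookConfiguration and no error, so audit events would quietly stop being observed while `enabled: true` suggests otherwise. Reject unknown values up front, either with an enum in `values.schema.json` or with a template check along the lines of `{{- if not (has .Values.features.detections.kubernetes_audit.method (list "validating_webhook" "audit_backend")) }}{{ fail "unsupported kubernetes_audit.method" }}{{- end }}`, so a misconfiguration surfaces at install time rather than as missing audit coverage.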

charts/shield/tests/cluster/configmap_test.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,7 @@ tests:
5555
enabled: false
5656
excluded_namespaces: \[\]
5757
http_port: 6443
58+
method: validating_webhook
5859
timeout: 10
5960
webhook_rules:
6061
- apiGroups:
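Review bot: this and the following configmap test hunks only add `method: validating_webhook` to the expected default output; no test renders the configmap with `method: audit_backend` to confirm that value propagates into the cluster shield configuration. Add one case (a single dedicated one is enough) that sets `features.detections.kubernetes_audit.method: audit_backend` and asserts the rendered value, so a regression in the values-to-configmap mapping is caught here rather than only indirectly through the admissionregistration test.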
@@ -152,6 +153,7 @@ tests:
152153
enabled: false
153154
excluded_namespaces: \[\]
154155
http_port: 6443
156+
method: validating_webhook
155157
timeout: 10
156158
webhook_rules:
157159
- apiGroups:
@@ -231,6 +233,7 @@ tests:
231233
enabled: false
232234
excluded_namespaces: \[\]
233235
http_port: 6443
236+
method: validating_webhook
234237
timeout: 10
235238
webhook_rules:
236239
- apiGroups:
@@ -341,6 +344,7 @@ tests:
341344
enabled: false
342345
excluded_namespaces: \[\]
343346
http_port: 6443
347+
method: validating_webhook
344348
timeout: 10
345349
webhook_rules:
346350
- apiGroups:
@@ -481,6 +485,7 @@ tests:
481485
enabled: false
482486
excluded_namespaces: \[\]
483487
http_port: 6443
488+
method: validating_webhook
484489
timeout: 10
485490
webhook_rules:
486491
- apiGroups:
@@ -841,6 +846,7 @@ tests:
841846
enabled: false
842847
excluded_namespaces: \[\]
843848
http_port: 6443
849+
method: validating_webhook
844850
timeout: 10
845851
webhook_rules:
846852
- apiGroups:
@@ -926,6 +932,7 @@ tests:
926932
enabled: false
927933
excluded_namespaces: \[\]
928934
http_port: 6443
935+
method: validating_webhook
929936
timeout: 10
930937
webhook_rules:
931938
- apiGroups:

charts/shield/tests/cluster/tls-certificates-admissionregistration_test.yaml

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -258,6 +258,23 @@ tests:
258258
value: 1234
259259
documentIndex: 1
260260

261+
- it: Audit AdmissionRegistration not created (audit_backend method)
262+
set:
263+
features:
264+
detections:
265+
kubernetes_audit:
266+
enabled: true
267+
method: audit_backend
268+
asserts:
269+
- hasDocuments:
270+
count: 1
271+
- containsDocument:
272+
kind: Secret
273+
apiVersion: v1
274+
name: shield-release-cluster-tls-certificates
275+
namespace: shield-namespace
276+
documentIndex: 0
277+
261278
- it: Admission Control AdmissionRegistration (Generate TLS)
262279
set:
263280
features:
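Review bot: the new `Audit AdmissionRegistration not created (audit_backend method)` case covers the negative path only; there is no matching positive case that sets `method: validating_webhook` explicitly together with `enabled: true` and asserts the ValidatingWebhookConfiguration is still emitted, so the existing webhook tests pass only because of the default value. Add that explicit case, and, if the template gains validation of `method`, a third case using `failedTemplate` for an unsupported value.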

charts/shield/values.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -120,6 +120,8 @@ features:
120120
kubernetes_audit:
121121
# Enable the Kubernetes Audit feature on cluster shield
122122
enabled: false
123+
# Method to use: validating_webhook (emulated) or audit_backend (real audit logs)
124+
method: validating_webhook
123125
# The timeout for the audit feature
124126
timeout: 10
125127
# The port that will be used to expose the audit endpoints
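Review bot: the comment on `method` should say what each choice implies for the rendered resources and that the value is matched exactly, since the template compares it with `eq`. Something like `# Method to use: validating_webhook (emulated via a ValidatingWebhookConfiguration) or audit_backend (real audit logs; the webhook configuration is not created). Values are case-sensitive.` tells an operator what they are switching off when they change it.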
