Merge pull request #604 from kubescape/feature/secretless-setup
Feature/secretless setup
matthyx authored Jan 31, 2025
2 parents 65297dc + 0add58a commit 51949ab
Showing 5 changed files with 104 additions and 21 deletions.
10 changes: 10 additions & 0 deletions charts/kubescape-operator/templates/NOTES.txt
Expand Up @@ -33,3 +33,13 @@ Detailed reports are also available:
{{ .Chart.Name }} generates suggested network policies. To view them:
> kubectl get generatednetworkpolicies -n <namespace>
{{- end }}

{{- if and (eq .Values.capabilities.nodeSbomGeneration "disable") (not .Values.global.enableClusterWideSecretAccess) }}

WARNING: Both nodeSbomGeneration and enableClusterWideSecretAccess are disabled.
This means vulnerability scanning will be limited to images from public repositories only, since Kubescape cannot access image pull secrets.
To enable scanning of private images, either:
- Enable nodeSbomGeneration (recommended): Set capabilities.nodeSbomGeneration: "enable"
- Enable cluster-wide secret access: Set global.enableClusterWideSecretAccess: true
{{- end }}
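Review bot: the condition `{{- if and (eq .Values.capabilities.nodeSbomGeneration "disable") (not .Values.global.enableClusterWideSecretAccess) }}` does not check whether image vulnerability scanning is enabled at all, so the warning is printed even when `capabilities.vulnerabilityScan` is `disable`, where the limitation it describes is moot. Add `(eq .Values.capabilities.vulnerabilityScan "enable")` to the `and`. The first bullet marks `nodeSbomGeneration` as "(recommended)" without saying why; one clause noting that it avoids granting cluster-wide read on secrets would make the trade-off clear to the person reading the post-install output.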

Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,13 @@ metadata:
{{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods", "pods/proxy", "namespaces", "secrets", "nodes", "configmaps", "services", "serviceaccounts", "endpoints", "persistentvolumeclaims", "persistentvolumes", "limitranges", "replicationcontrollers", "podtemplates", "resourcequotas", "events"]
resources: ["pods", "pods/proxy", "namespaces", "nodes", "configmaps", "services", "serviceaccounts", "endpoints", "persistentvolumeclaims", "persistentvolumes", "limitranges", "replicationcontrollers", "podtemplates", "resourcequotas", "events"]
verbs: ["get", "watch", "list"]
{{- if .Values.global.enableClusterWideSecretAccess }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
{{- end }}
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "watch", "list"]
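Review bot: because `global.enableClusterWideSecretAccess` defaults to `true` in the values.yaml hunk below, this conditional leaves a default install with exactly the cluster-wide `get`/`watch`/`list` on `secrets` it had before; the narrowed ClusterRole is opt-in. That is a defensible compatibility choice, but it should be stated where the flag is defined, since the branch name promises a "secretless setup". Also worth confirming before merge: if the only use of this permission is resolving the `imagePullSecrets` referenced by pods, `get` on named secrets would suffice and `list`/`watch` (which expose every secret in the cluster to the service account) could be dropped from the enabled branch as well.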
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,13 @@ metadata:
{{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods", "nodes", "namespaces", "configmaps", "secrets", "services"]
resources: ["pods", "nodes", "namespaces", "configmaps", "services"]
verbs: ["get", "watch", "list"]
{{- if .Values.global.enableClusterWideSecretAccess }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
{{- end }}
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "watch", "list", "create", "update", "delete" ,"patch"]
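Review bot: this is the same five-line conditional `secrets` rule as in the kubescape ClusterRole above; factoring it into a named template and `include`-ing it in both places, as the chart already does for `kubescape-operator.labels`, keeps the two from drifting the next time the verbs or the flag name change. Unrelated to the flag but visible here: the operator retains `create`/`update`/`delete`/`patch` on `jobs` and `cronjobs` unconditionally, which is the permission that lets a compromised operator run arbitrary pods, so the same review of "does this need to be cluster-wide" applies to it.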
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
all capabilities:
1: |
raw: |
1: |+
raw: |+
Thank you for installing kubescape-operator version 1.25.3.
View your cluster's configuration scanning schedule:
> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}'
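Review bot: the `|` to `|+` change on the `1:` and `raw:` block scalars, repeated in every snapshot scenario, means the rendered NOTES now end with an extra trailing newline (the added blank line in the next hunk shows it). The cause is the blank line appended at the very end of NOTES.txt after the new `{{- end }}`. Removing that trailing blank line keeps the default rendering byte-identical and reduces this snapshot diff to the RBAC changes, which is what a reviewer of this file actually needs to see.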
Expand All @@ -21,6 +21,7 @@ all capabilities:

kubescape-operator generates suggested network policies. To view them:
> kubectl get generatednetworkpolicies -n <namespace>

2: |
apiVersion: batch/v1
kind: CronJob
Expand Down Expand Up @@ -808,7 +809,6 @@ all capabilities:
- pods
- pods/proxy
- namespaces
- secrets
- nodes
- configmaps
- services
Expand All @@ -825,6 +825,14 @@ all capabilities:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- admissionregistration.k8s.io
resources:
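Review bot: all four snapshot scenarios (`all capabilities`, `default capabilities`, `disable otel`, `minimal capabilities`) render the new standalone `secrets` rule, so every one of them exercises `enableClusterWideSecretAccess: true`. No snapshot covers the `false` branch, which is the behaviour this PR introduces. Add a scenario with `global.enableClusterWideSecretAccess: false` and `capabilities.nodeSbomGeneration: disable`, so that both the secretless ClusterRoles and the new NOTES.txt warning text are pinned by a test.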
Expand Down Expand Up @@ -2908,12 +2916,19 @@ all capabilities:
- nodes
- namespaces
- configmaps
- secrets
- services
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- batch
resources:
Expand Down Expand Up @@ -5740,8 +5755,8 @@ all capabilities:
name: synchronizer
namespace: kubescape
default capabilities:
1: |
raw: |
1: |+
raw: |+
Thank you for installing kubescape-operator version 1.25.3.
View your cluster's configuration scanning schedule:
> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}'
Expand All @@ -5762,6 +5777,7 @@ default capabilities:

kubescape-operator generates suggested network policies. To view them:
> kubectl get generatednetworkpolicies -n <namespace>

2: |
apiVersion: v1
data:
Expand Down Expand Up @@ -6194,7 +6210,6 @@ default capabilities:
- pods
- pods/proxy
- namespaces
- secrets
- nodes
- configmaps
- services
Expand All @@ -6211,6 +6226,14 @@ default capabilities:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down Expand Up @@ -7997,12 +8020,19 @@ default capabilities:
- nodes
- namespaces
- configmaps
- secrets
- services
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- batch
resources:
Expand Down Expand Up @@ -10325,8 +10355,8 @@ default capabilities:
name: synchronizer
namespace: kubescape
disable otel:
1: |
raw: |
1: |+
raw: |+
Thank you for installing kubescape-operator version 1.25.3.
View your cluster's configuration scanning schedule:
> kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}'
Expand All @@ -10347,6 +10377,7 @@ disable otel:

kubescape-operator generates suggested network policies. To view them:
> kubectl get generatednetworkpolicies -n <namespace>

2: |
apiVersion: v1
data:
Expand Down Expand Up @@ -10599,7 +10630,6 @@ disable otel:
- pods
- pods/proxy
- namespaces
- secrets
- nodes
- configmaps
- services
Expand All @@ -10616,6 +10646,14 @@ disable otel:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down Expand Up @@ -12045,12 +12083,19 @@ disable otel:
- nodes
- namespaces
- configmaps
- secrets
- services
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- batch
resources:
Expand Down Expand Up @@ -14111,8 +14156,8 @@ disable otel:
name: synchronizer
namespace: kubescape
minimal capabilities:
1: |
raw: |
1: |+
raw: |+
Thank you for installing kubescape-operator version 1.25.3.


Expand All @@ -14125,6 +14170,7 @@ minimal capabilities:

kubescape-operator generates suggested network policies. To view them:
> kubectl get generatednetworkpolicies -n <namespace>

2: |
apiVersion: v1
data:
Expand Down Expand Up @@ -14273,7 +14319,6 @@ minimal capabilities:
- pods
- pods/proxy
- namespaces
- secrets
- nodes
- configmaps
- services
Expand All @@ -14290,6 +14335,14 @@ minimal capabilities:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down Expand Up @@ -15613,12 +15666,19 @@ minimal capabilities:
- nodes
- namespaces
- configmaps
- secrets
- services
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- watch
- list
- apiGroups:
- batch
resources:
Expand Down
9 changes: 6 additions & 3 deletions charts/kubescape-operator/values.yaml
Expand Up @@ -83,7 +83,7 @@ capabilities:

# ====== Image vulnerabilities scanning related capabilities ======
#
nodeSbomGeneration: disable
nodeSbomGeneration: disable # Warning: When disabled along with enableClusterWideSecretAccess: false, vulnerability scanning capabilities will be limited
vulnerabilityScan: enable
relevancy: enable
# Generate VEX documents alongside the image vulnerabilities report (experimental)
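Review bot: the trailing comment on `nodeSbomGeneration: disable` says scanning "will be limited" without saying how; state the concrete effect (images from private registries cannot be scanned because pull secrets are not readable), in line with the NOTES.txt wording, and put it on its own comment line above the key rather than at the end of a 150-character line. The comment also names `enableClusterWideSecretAccess` bare, although the key lives under `global:` rather than `capabilities:`; write `global.enableClusterWideSecretAccess` so readers can find it.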
Expand Down Expand Up @@ -182,6 +182,7 @@ global:
noProxy: ""
proxySecretFile: "" # file content (not file path), e.g. `global.proxySecretFile=(cat /path/to/file)`
proxySecretName: kubescape-proxy-certificate
enableClusterWideSecretAccess: true
namespaceTier: ks-control-plane
cloudConfig: ks-cloud-config
proxySecretDirectory: proxy-support
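Review bot: `enableClusterWideSecretAccess: true` is added with no comment, unlike the neighbouring `proxySecretFile`. Document what it grants (cluster-wide `get`/`watch`/`list` on `secrets` for the kubescape and operator ClusterRoles), why one would set it to `false`, and that `capabilities.nodeSbomGeneration: enable` is the recommended way to keep scanning private images once it is off. Since the default preserves the previous permissions, the comment should also say plainly that the secretless setup is opt-in.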
Expand Down Expand Up @@ -770,7 +771,7 @@ helmReleaseUpgrader:
resources:
# Requests and Limits are the same to make the CronJob Burstable
requests:
# Setting a higher CPU request helps with the Job runtime. If you dont
# Setting a higher CPU request helps with the Job runtime. If you don't
# care about job execution speed and want to save on resources, feel free
# to lower this
cpu: 500m
Expand All @@ -780,7 +781,7 @@ helmReleaseUpgrader:
# Keep the memory limit sufficiently high.
#
# The updating CronJob runs an image that runs `helm upgrade`. It renders
# the chart and that can require a lot of memory. If you dont want your
# the chart and that can require a lot of memory. If you don't want your
# updating job to be OOM Killed, keep this at 256 MiB or higher depending
# on the size of your cluster.
memory: 256Mi
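Review bot: the `dont` to `don't` fixes in this hunk and the one before it are unrelated to the secretless change; harmless, but they would be easier to review and to revert independently in their own commit.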
Expand Down Expand Up @@ -951,3 +952,5 @@ continuousScanning:
resources: ["deployments"]
namespaces:
- default


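Review bot: the two blank lines appended at the end of values.yaml are stray whitespace with no effect on the chart; drop them so the file keeps a single trailing newline and the diff stays limited to the intended changes.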