diff --git a/charts/kubescape-operator/templates/NOTES.txt b/charts/kubescape-operator/templates/NOTES.txt
index 1eaa473b..b0924587 100644
--- a/charts/kubescape-operator/templates/NOTES.txt
+++ b/charts/kubescape-operator/templates/NOTES.txt
@@ -33,3 +33,13 @@ Detailed reports are also available:
 {{ .Chart.Name }} generates suggested network policies. To view them:
 > kubectl get generatednetworkpolicies -n
 {{- end }}
+
+{{- if and (eq .Values.capabilities.nodeSbomGeneration "disable") (not .Values.global.enableClusterWideSecretAccess) }}
+
+WARNING: Both nodeSbomGeneration and enableClusterWideSecretAccess are disabled.
+This means vulnerability scanning will be limited to images from public repositories only, since Kubescape cannot access image pull secrets.
+To enable scanning of private images, either:
+- Enable nodeSbomGeneration (recommended): Set capabilities.nodeSbomGeneration: "enable"
+- Enable cluster-wide secret access: Set global.enableClusterWideSecretAccess: true
+{{- end }}
+
diff --git a/charts/kubescape-operator/templates/kubescape/clusterrole.yaml b/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
index 522d0ea0..a0abbd56 100644
--- a/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
+++ b/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
@@ -8,8 +8,13 @@ metadata:
 {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.kubescape.name "tier" .Values.global.namespaceTier) | nindent 4 }}
 rules:
 - apiGroups: [""]
- resources: ["pods", "pods/proxy", "namespaces", "secrets", "nodes", "configmaps", "services", "serviceaccounts", "endpoints", "persistentvolumeclaims", "persistentvolumes", "limitranges", "replicationcontrollers", "podtemplates", "resourcequotas", "events"]
+ resources: ["pods", "pods/proxy", "namespaces", "nodes", "configmaps", "services", "serviceaccounts", "endpoints", "persistentvolumeclaims", "persistentvolumes", "limitranges", "replicationcontrollers", "podtemplates", "resourcequotas", "events"]
 verbs: ["get", "watch", "list"]
+{{- if .Values.global.enableClusterWideSecretAccess }}
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+{{- end }}
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
 verbs: ["get", "watch", "list"]
diff --git a/charts/kubescape-operator/templates/operator/clusterrole.yaml b/charts/kubescape-operator/templates/operator/clusterrole.yaml
index ac32a7a5..c34c89df 100644
--- a/charts/kubescape-operator/templates/operator/clusterrole.yaml
+++ b/charts/kubescape-operator/templates/operator/clusterrole.yaml
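Review bot: The new `{{- if .Values.global.enableClusterWideSecretAccess }}` guard carries no comment, so a reader of the rendered ClusterRole or of this template cannot tell why `secrets` was split out of the first rule or what turning the flag off costs. Add a template comment above the guard, e.g. `{{- /* Cluster-wide get/list/watch on secrets is only needed to read image pull secrets for private registries when nodeSbomGeneration is disabled; controlled by global.enableClusterWideSecretAccess */}}`. The identical guard in the operator/clusterrole.yaml hunk should get the same comment. Be aware that Helm's `if` tests emptiness, so a values file that quotes the flag as the string `"false"` still renders the secrets rule; the comment (or the values.yaml entry) should say the key must be a YAML boolean. The `rules` list continues past the end of this hunk.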
@@ -8,8 +8,13 @@ metadata: {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.operator.name "tier" .Values.global.namespaceTier) | nindent 4 }} rules: - apiGroups: [""] - resources: ["pods", "nodes", "namespaces", "configmaps", "secrets", "services"] + resources: ["pods", "nodes", "namespaces", "configmaps", "services"] verbs: ["get", "watch", "list"] + {{- if .Values.global.enableClusterWideSecretAccess }} + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + {{- end }} - apiGroups: ["batch"] resources: ["jobs", "cronjobs"] verbs: ["get", "watch", "list", "create", "update", "delete" ,"patch"] diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index fec8b064..8dc61118 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap @@ -1,6 +1,6 @@ all capabilities: - 1: | - raw: | + 1: |+ + raw: |+ Thank you for installing kubescape-operator version 1.25.3. View your cluster's configuration scanning schedule: > kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}' @@ -21,6 +21,7 @@ all capabilities: kubescape-operator generates suggested network policies. To view them: > kubectl get generatednetworkpolicies -n + 2: | apiVersion: batch/v1 kind: CronJob @@ -808,7 +809,6 @@ all capabilities: - pods - pods/proxy - namespaces - - secrets - nodes - configmaps - services @@ -825,6 +825,14 @@ all capabilities: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - admissionregistration.k8s.io resources: 
@@ -2908,12 +2916,19 @@ all capabilities: - nodes - namespaces - configmaps - - secrets - services verbs: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - batch resources: @@ -5740,8 +5755,8 @@ all capabilities: name: synchronizer namespace: kubescape default capabilities: - 1: | - raw: | + 1: |+ + raw: |+ Thank you for installing kubescape-operator version 1.25.3. View your cluster's configuration scanning schedule: > kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}' @@ -5762,6 +5777,7 @@ default capabilities: kubescape-operator generates suggested network policies. To view them: > kubectl get generatednetworkpolicies -n + 2: | apiVersion: v1 data: @@ -6194,7 +6210,6 @@ default capabilities: - pods - pods/proxy - namespaces - - secrets - nodes - configmaps - services @@ -6211,6 +6226,14 @@ default capabilities: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - admissionregistration.k8s.io resources: @@ -7997,12 +8020,19 @@ default capabilities: - nodes - namespaces - configmaps - - secrets - services verbs: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - batch resources: @@ -10325,8 +10355,8 @@ default capabilities: name: synchronizer namespace: kubescape disable otel: - 1: | - raw: | + 1: |+ + raw: |+ Thank you for installing kubescape-operator version 1.25.3. View your cluster's configuration scanning schedule: > kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}' @@ -10347,6 +10377,7 @@ disable otel: kubescape-operator generates suggested network policies. To view them: > kubectl get generatednetworkpolicies -n + 2: | apiVersion: v1 data: 
@@ -10599,7 +10630,6 @@ disable otel: - pods - pods/proxy - namespaces - - secrets - nodes - configmaps - services @@ -10616,6 +10646,14 @@ disable otel: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - admissionregistration.k8s.io resources: @@ -12045,12 +12083,19 @@ disable otel: - nodes - namespaces - configmaps - - secrets - services verbs: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - batch resources: @@ -14111,8 +14156,8 @@ disable otel: name: synchronizer namespace: kubescape minimal capabilities: - 1: | - raw: | + 1: |+ + raw: |+ Thank you for installing kubescape-operator version 1.25.3. @@ -14125,6 +14170,7 @@ minimal capabilities: kubescape-operator generates suggested network policies. To view them: > kubectl get generatednetworkpolicies -n + 2: | apiVersion: v1 data: @@ -14273,7 +14319,6 @@ minimal capabilities: - pods - pods/proxy - namespaces - - secrets - nodes - configmaps - services @@ -14290,6 +14335,14 @@ minimal capabilities: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - admissionregistration.k8s.io resources: @@ -15613,12 +15666,19 @@ minimal capabilities: - nodes - namespaces - configmaps - - secrets - services verbs: - get - watch - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list - apiGroups: - batch resources: diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml index 1481987d..4d610e3e 100644 --- a/charts/kubescape-operator/values.yaml +++ b/charts/kubescape-operator/values.yaml 
@@ -83,7 +83,7 @@ capabilities:
 # ====== Image vulnerabilities scanning related capabilities ======
 #
- nodeSbomGeneration: disable
+ nodeSbomGeneration: disable # Warning: When disabled along with enableClusterWideSecretAccess: false, vulnerability scanning capabilities will be limited
 vulnerabilityScan: enable
 relevancy: enable
 # Generate VEX documents alongside the image vulnerabilities report (experimental)
@@ -182,6 +182,7 @@ global:
 noProxy: ""
 proxySecretFile: "" # file content (not file path), e.g. `global.proxySecretFile=(cat /path/to/file)`
 proxySecretName: kubescape-proxy-certificate
+ enableClusterWideSecretAccess: true
 namespaceTier: ks-control-plane
 cloudConfig: ks-cloud-config
 proxySecretDirectory: proxy-support
@@ -770,7 +771,7 @@ helmReleaseUpgrader:
 resources:
 # Requests and Limits are the same to make the CronJob Burstable
 requests:
- # Setting a higher CPU request helps with the Job runtime. If you don’t
+ # Setting a higher CPU request helps with the Job runtime. If you don't
 # care about job execution speed and want to save on resources, feel free
 # to lower this
 cpu: 500m
@@ -780,7 +781,7 @@ helmReleaseUpgrader:
 # Keep the memory limit sufficiently high.
 #
 # The updating CronJob runs an image that runs `helm upgrade`. It renders
- # the chart and that can require a lot of memory. If you don’t want your
+ # the chart and that can require a lot of memory. If you don't want your
 # updating job to be OOM Killed, keep this at 256 MiB or higher depending
 # on the size of your cluster.
 memory: 256Mi
@@ -951,3 +952,5 @@ continuousScanning:
 resources: ["deployments"]
 namespaces:
 - default
+
+
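Review bot: The warning on `nodeSbomGeneration` is appended as a trailing inline comment, which pushes the line well past any sane line-length limit and departs from this file's convention of explanatory comments placed above the key (see the `# Generate VEX documents ...` line two lines below); it also names the flag as `enableClusterWideSecretAccess` without its `global.` path, so a reader cannot grep for it directly. Move it above the key and give the full path: `# Warning: when disabled together with global.enableClusterWideSecretAccess: false,` / `# vulnerability scanning is limited because image pull secrets cannot be read` / `nodeSbomGeneration: disable`. The `capabilities` mapping continues on both sides of this hunk.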
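Review bot: `enableClusterWideSecretAccess: true` in the `global` hunk is the key that decides whether the kubescape and operator ClusterRoles keep get/list/watch on `secrets` in every namespace, yet it is added with no comment while the neighbouring `proxySecretFile` key documents its semantics inline. Defaulting to `true` preserves the permission the removed `"secrets"` entries granted unconditionally, so upgrades are unchanged, but the least-privilege configuration is only reachable if users know the flag exists and what it trades off. Add above the key: `# Grants the kubescape and operator ClusterRoles get/list/watch on secrets cluster-wide (used to read image pull secrets` / `# for private registries). Set to false for least privilege once nodeSbomGeneration is enabled; must be a YAML boolean.` The `global` mapping continues outside this hunk.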