From ec82095b6d3faa3c0f181001a3cf13b4cfdb2a10 Mon Sep 17 00:00:00 2001 From: Daniel Pacak Date: Wed, 10 Nov 2021 12:45:37 +0100 Subject: [PATCH] chore(deploy): align static YAMLs with Helm templates (#799) Resolves: #794 Signed-off-by: Daniel Pacak --- CONTRIBUTING.md | 21 ++++ deploy/helm/templates/_helpers.tpl | 4 +- deploy/helm/templates/config.yaml | 100 ++++++++++++------ deploy/helm/templates/deployment.yaml | 62 +++++------ deploy/helm/values.yaml | 54 +++++++++- .../static/03-starboard-operator.config.yaml | 29 +++-- .../04-starboard-operator.deployment.yaml | 35 +++--- docs/integrations/config-checkers/conftest.md | 33 +++++- docs/operator/configuration.md | 6 +- pkg/operator/etc/config.go | 8 +- 10 files changed, 250 insertions(+), 102 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0bf9939b9..f134acbe4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -20,6 +20,7 @@ These guidelines will help you get started with the Starboard project. - [In Cluster](#in-cluster) - [Out of Cluster](#out-of-cluster) - [Uninstall](#uninstall) +- [Update Static YAML Manifests](#update-static-yaml-manifests) - [Operator Lifecycle Manager (OLM)](#operator-lifecycle-manager-olm) - [Install OLM](#install-olm) - [Build the Catalog Image](#build-the-catalog-image) 
@@ -255,6 +256,26 @@ kubectl delete -f deploy/crd/vulnerabilityreports.crd.yaml \ -f deploy/crd/ciskubebenchreports.crd.yaml ``` +## Update Static YAML Manifests + +``` +mkdir -p $TMPDIR/starboard-helm-template +``` + +``` +helm template starboard-operator ./deploy/helm \ + --namespace starboard-system --create-namespace \ + --set="targetNamespaces=default" \ + --set="managedBy=kubectl" \ + --output-dir=$TMPDIR/starboard-helm-template +``` + +``` +cp $TMPDIR/starboard-helm-template/starboard-operator/templates/rbac.yaml deploy/static/02-starboard-operator.rbac.yaml +cp $TMPDIR/starboard-helm-template/starboard-operator/templates/config.yaml deploy/static/03-starboard-operator.config.yaml +cp $TMPDIR/starboard-helm-template/starboard-operator/templates/deployment.yaml deploy/static/04-starboard-operator.deployment.yaml +``` + ## Operator Lifecycle Manager (OLM) ### Install OLM diff --git a/deploy/helm/templates/_helpers.tpl b/deploy/helm/templates/_helpers.tpl index 748d24733..d68a731fd 100644 --- a/deploy/helm/templates/_helpers.tpl +++ b/deploy/helm/templates/_helpers.tpl @@ -35,12 +35,14 @@ Create chart name and version as used by the chart label. Common labels */}} {{- define "starboard-operator.labels" -}} +{{- if eq .Values.managedBy "Helm" -}} helm.sh/chart: {{ include "starboard-operator.chart" . }} +{{ end -}} {{ include "starboard-operator.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/managed-by: {{ .Values.managedBy }} {{- end }} {{/* diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml index fbdb7ce1f..ede4fd9aa 100644 --- a/deploy/helm/templates/config.yaml +++ b/deploy/helm/templates/config.yaml 
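Review bot: `app.kubernetes.io/managed-by: {{ .Values.managedBy }}` is emitted unquoted while the sibling `app.kubernetes.io/version` label in the same define is quoted, so a `managedBy` override that YAML reinterprets (a bare number, `yes`/`no`) produces a non-string label and a confusing apply-time error rather than a template error. The `eq .Values.managedBy "Helm"` test is also case-sensitive, so any other spelling silently drops the `helm.sh/chart` label. Suggest `app.kubernetes.io/managed-by: {{ .Values.managedBy | quote }}` and a values.yaml comment on `managedBy` stating that the chart label is only rendered for the exact value `Helm`.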
@@ -6,45 +6,58 @@ metadata: labels: {{- include "starboard-operator.labels" . | nindent 4 }} data: - scanJob.tolerations: {{ .Values.starboard.scanJobTolerations | toJson | quote }} - scanJob.annotations: {{ .Values.starboard.scanJobAnnotations | quote }} + {{- with .Values.starboard.scanJobTolerations }} + scanJob.tolerations: {{ . | toJson | quote }} + {{- end }} + {{- with .Values.starboard.scanJobAnnotations }} + scanJob.annotations: {{ . | quote }} + {{- end }} {{- if .Values.operator.vulnerabilityScannerEnabled }} vulnerabilityReports.scanner: {{ .Values.starboard.vulnerabilityReportsPlugin | quote }} {{- end }} - {{- if .Values.operator.kubernetesBenchmarkEnabled }} - kube-bench.imageRef: {{ required ".Values.kubeBench.imageRef is required" .Values.kubeBench.imageRef | quote }} - {{- end }} {{- if .Values.operator.configAuditScannerEnabled }} configAuditReports.scanner: {{ .Values.starboard.configAuditReportsPlugin | quote }} {{- end }} + {{- if .Values.operator.kubernetesBenchmarkEnabled }} + kube-bench.imageRef: {{ required ".Values.kubeBench.imageRef is required" .Values.kubeBench.imageRef | quote }} + {{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: starboard + labels: + {{- include "starboard-operator.labels" . | nindent 4 }} {{- if eq .Values.starboard.vulnerabilityReportsPlugin "Trivy" }} +{{- with .Values.trivy }} +{{- if .createConfig }} --- apiVersion: v1 kind: ConfigMap metadata: name: starboard-trivy-config labels: - {{- include "starboard-operator.labels" . 
| nindent 4 }} + {{- include "starboard-operator.labels" $ | nindent 4 }} data: - trivy.imageRef: {{ required ".Values.trivy.imageRef is required" .Values.trivy.imageRef | quote }} - trivy.mode: {{ .Values.trivy.mode | quote }} - {{- if .Values.trivy.httpProxy }} - trivy.httpProxy: {{ .Values.trivy.httpProxy | quote }} + trivy.imageRef: {{ required ".Values.trivy.imageRef is required" .imageRef | quote }} + trivy.mode: {{ .mode | quote }} + {{- if .httpProxy }} + trivy.httpProxy: {{ .httpProxy | quote }} {{- end }} - {{- if .Values.trivy.httpsProxy }} - trivy.httpsProxy: {{ .Values.trivy.httpsProxy | quote }} + {{- if .httpsProxy }} + trivy.httpsProxy: {{ .httpsProxy | quote }} {{- end }} - {{- if .Values.trivy.noProxy }} - trivy.noProxy: {{ .Values.trivy.noProxy | quote }} + {{- if .noProxy }} + trivy.noProxy: {{ .noProxy | quote }} {{- end }} - trivy.severity: {{ .Values.trivy.severity | quote }} - {{- if .Values.trivy.ignoreUnfixed }} - trivy.ignoreUnfixed: {{ .Values.trivy.ignoreUnfixed | quote }} + trivy.severity: {{ .severity | quote }} + {{- if .ignoreUnfixed }} + trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }} {{- end }} - {{- if eq .Values.trivy.mode "ClientServer" }} - trivy.serverURL: {{ required ".Values.trivy.serverURL is required" .Values.trivy.serverURL | quote }} + {{- if eq .mode "ClientServer" }} + trivy.serverURL: {{ required ".Values.trivy.serverURL is required" .serverURL | quote }} {{- end }} - {{- with .Values.trivy.resources }} + {{- with .resources }} {{- with .requests }} {{- if .cpu }} trivy.resources.requests.cpu: {{ .cpu }} @@ -68,9 +81,8 @@ kind: Secret metadata: name: starboard-trivy-config labels: - {{- include "starboard-operator.labels" . | nindent 4 }} + {{- include "starboard-operator.labels" $ | nindent 4 }} data: - {{- with .Values.trivy }} {{- if .githubToken }} trivy.githubToken: {{ .githubToken | b64enc | quote }} {{- end }} 
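Review bot: `{{- if .ignoreUnfixed }}` in the starboard-trivy-config ConfigMap is a Go-template truthiness test, so once values.yaml (the `@@ -89,7 +108,7 @@` hunk) uncomments `ignoreUnfixed: "false"` the template renders `trivy.ignoreUnfixed: "false"` into the ConfigMap; if the Trivy plugin treats the key's presence as enabled (not visible in this diff), unfixed vulnerabilities would be hidden by default. The regenerated static config in this commit does not contain that key, which suggests the static manifests were rendered from different values than the ones committed. Either keep the value commented out as before, or compare explicitly: `{{- if eq (toString .ignoreUnfixed) "true" }}`. The values.yaml comment "Set to \"true\" to enable it" should then be kept in sync with whichever form is chosen.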
@@ -82,35 +94,59 @@ data: trivy.serverCustomHeaders: {{ .serverCustomHeaders | b64enc | quote }} {{- end }} {{- end }} - {{- end }} +{{- end }} +{{- end }} {{- end }} {{- if eq .Values.starboard.configAuditReportsPlugin "Conftest" }} +{{- with .Values.conftest }} +{{- if .createConfig }} --- apiVersion: v1 kind: ConfigMap metadata: name: starboard-conftest-config labels: - {{- include "starboard-operator.labels" . | nindent 4 }} + {{- include "starboard-operator.labels" $ | nindent 4 }} data: - conftest.imageRef: {{ required ".Values.conftest.imageRef is required" .Values.conftest.imageRef | quote }} - conftest.resources.requests.cpu: {{ .Values.conftest.resources.requests.cpu | quote }} - conftest.resources.requests.memory: {{ .Values.conftest.resources.requests.memory | quote }} - conftest.resources.limits.cpu: {{ .Values.conftest.resources.limits.cpu | quote }} - conftest.resources.limits.memory: {{ .Values.conftest.resources.limits.memory | quote }} + conftest.imageRef: {{ required ".Values.conftest.imageRef is required" .imageRef | quote }} + {{- with .resources }} + conftest.resources.requests.cpu: {{ .requests.cpu | quote }} + conftest.resources.requests.memory: {{ .requests.memory | quote }} + conftest.resources.limits.cpu: {{ .limits.cpu | quote }} + conftest.resources.limits.memory: {{ .limits.memory | quote }} + {{- end }} + {{- range $key, $val := .library }} + conftest.library.{{ $key }}: {{ $val | quote }} + {{- end }} + {{- range $key, $val := .policy }} + conftest.policy.{{ $key }}.rego: {{ $val.rego | quote }} + conftest.policy.{{ $key }}.kinds: {{ $val.kinds | quote }} + {{- end }} +{{- end }} +{{- end }} {{- end }} {{- if eq .Values.starboard.configAuditReportsPlugin "Polaris" }} +{{- with .Values.polaris }} +{{- if .createConfig }} --- apiVersion: v1 kind: ConfigMap metadata: name: starboard-polaris-config labels: - {{- include "starboard-operator.labels" . 
| nindent 4 }} + {{- include "starboard-operator.labels" $ | nindent 4 }} data: - polaris.imageRef: {{ required ".Values.polaris.imageRef is required" .Values.polaris.imageRef | quote }} + polaris.imageRef: {{ required ".Values.polaris.imageRef is required" .imageRef | quote }} + {{- with .resources }} + polaris.resources.requests.cpu: {{ .requests.cpu | quote }} + polaris.resources.requests.memory: {{ .requests.memory | quote }} + polaris.resources.limits.cpu: {{ .limits.cpu | quote }} + polaris.resources.limits.memory: {{ .limits.memory | quote }} + {{- end }} polaris.config.yaml: | - {{- toYaml .Values.polaris.config | nindent 4 }} + {{- toYaml .config | nindent 4 }} +{{- end }} +{{- end }} {{- end }} {{- if eq .Values.starboard.vulnerabilityReportsPlugin "Aqua" }} --- diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml index 60414c158..6234957c3 100644 --- a/deploy/helm/templates/deployment.yaml +++ b/deploy/helm/templates/deployment.yaml 
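Review bot: `conftest.policy.{{ $key }}.kinds: {{ $val.kinds | quote }}` and the `.rego` line above it render whatever the `policy` map holds with no `required` guard, unlike the `imageRef` lines in the same hunk, so a policy entry missing `kinds` or `rego` yields an empty value instead of a template failure. The conftest.md example in this same commit passes `--set-string="conftest.policy.uses_image_tag_latest.rego=Workload"`, which looks like a `.kinds` typo and would overwrite the file-loaded policy text with the string `Workload` — exactly what a guard would surface. Suggest `conftest.policy.{{ $key }}.rego: {{ required (printf "conftest.policy.%s.rego is required" $key) $val.rego | quote }}` and the same for `.kinds`. The Polaris block further down reads `.requests.cpu` inside `with .resources` without checking `requests`, which fails with a nil-pointer template error rather than a clear message when a user overrides `resources` with only `limits`.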
@@ -26,67 +26,73 @@ metadata: {{- include "starboard-operator.labels" . | nindent 4 }} spec: replicas: {{ .Values.operator.replicas }} + strategy: + type: Recreate selector: matchLabels: {{- include "starboard-operator.selectorLabels" . | nindent 6 }} template: metadata: + {{- with .Values.podAnnotations }} annotations: - {{- with .Values.podAnnotations }} {{- . | toYaml | nindent 8 }} - {{- end }} + {{- end }} labels: {{- include "starboard-operator.selectorLabels" . | nindent 8 }} spec: + serviceAccountName: {{ include "starboard-operator.serviceAccountName" . }} + automountServiceAccountToken: true containers: - - name: "{{ .Chart.Name }}" + - name: {{ .Chart.Name | quote }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- with .Values.image.pullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} env: - name: OPERATOR_NAMESPACE value: {{ .Release.Namespace | quote }} - name: OPERATOR_TARGET_NAMESPACES value: {{ tpl .Values.targetNamespaces . | quote }} - name: OPERATOR_SERVICE_ACCOUNT - value: {{ include "starboard-operator.serviceAccountName" . }} - {{- if gt (int .Values.operator.replicas) 1 }} - - name: OPERATOR_LEADER_ELECTION_ENABLED - value: "true" - {{- end }} - {{- if gt (int .Values.operator.replicas) 1 }} - - name: OPERATOR_LEADER_ELECTION_ID - value: {{ .Values.operator.leaderElectionId | quote }} - {{- end }} + value: {{ include "starboard-operator.serviceAccountName" . 
| quote }} + - name: OPERATOR_LOG_DEV_MODE + value: {{ .Values.operator.logDevMode | quote }} + - name: OPERATOR_SCAN_JOB_TIMEOUT + value: {{ .Values.operator.scanJobTimeout | quote }} + - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT + value: {{ .Values.operator.scanJobsConcurrentLimit | quote }} + - name: OPERATOR_SCAN_JOB_RETRY_AFTER + value: {{ .Values.operator.scanJobsRetryDelay | quote }} + - name: OPERATOR_BATCH_DELETE_LIMIT + value: {{ .Values.operator.batchDeleteLimit | quote }} + - name: OPERATOR_BATCH_DELETE_DELAY + value: {{ .Values.operator.batchDeleteDelay | quote }} - name: OPERATOR_METRICS_BIND_ADDRESS value: ":8080" - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS value: ":9090" - - name: OPERATOR_LOG_DEV_MODE - value: {{ .Values.operator.logDevMode | quote }} - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED value: {{ .Values.operator.kubernetesBenchmarkEnabled | quote }} - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }} - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED value: {{ .Values.operator.configAuditScannerEnabled | quote }} - - name: OPERATOR_BATCH_DELETE_LIMIT - value: {{ .Values.operator.batchDeleteLimit | quote }} - - name: OPERATOR_BATCH_DELETE_DELAY - value: {{ .Values.operator.batchDeleteDelay | quote }} + {{- if gt (int .Values.operator.replicas) 1 }} + - name: OPERATOR_LEADER_ELECTION_ENABLED + value: "true" + - name: OPERATOR_LEADER_ELECTION_ID + value: {{ .Values.operator.leaderElectionId | quote }} + {{- end }} ports: - # metrics port is exposed by the k8s Service and by default also - # have annotations which will help prometheus as a target for - # scraping of metrics - name: metrics containerPort: 8080 - # probes port is not exposed by the k8s Service and used directly by - # kubelet for the readinessProbe and livenessProbe - name: probes containerPort: 9090 readinessProbe: httpGet: path: /readyz/ port: probes - initialDelaySeconds: 0 + initialDelaySeconds: 5 periodSeconds: 10 
successThreshold: 1 failureThreshold: 3 @@ -104,18 +110,12 @@ spec: securityContext: {{- . | toYaml | nindent 12 }} {{- end }} - {{- with .Values.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} {{- with .Values.image.pullSecrets }} imagePullSecrets: {{- . | toYaml | nindent 8 }} {{- end }} - serviceAccountName: {{ include "starboard-operator.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} securityContext: - {{- . | toYaml | nindent 8 }} - {{- end }} + {{- .Values.podSecurityContext | toYaml | nindent 8 }} {{- with .Values.nodeSelector }} nodeSelector: {{- . | toYaml | nindent 8 }} diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml index 6ec32b33e..3ab14883b 100644 --- a/deploy/helm/values.yaml +++ b/deploy/helm/values.yaml @@ -1,8 +1,11 @@ # Default values for the starboard-operator Helm chart, these are used to render # the templates into valid k8s Resources. +# managedBy is similar to .Release.Service but allows to overwrite the value +managedBy: Helm + # targetNamespace defines where you want starboard-operator to operate. By -# default it will only operate in the namespace its installed in, but you can +# default, it will only operate in the namespace its installed in, but you can # specify another namespace, or a comma separated list of namespaces, or set it # to a blank string to let it operate in all namespaces. targetNamespaces: "{{ .Release.Namespace }}" 
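Review bot: The two comments explaining the `metrics` and `probes` ports (which one the Service exposes, and that the kubelet uses the probes port directly) are dropped from the `ports:` list with no replacement, and the newly added `automountServiceAccountToken: true` and `strategy: type: Recreate` carry no rationale either. Suggest restoring the port comments and adding `# the operator needs its own SA token to reach the API server` above `automountServiceAccountToken`, plus `# Recreate keeps old and new operator versions from running side by side during an upgrade` above `strategy:`, which appears to matter here because the `OPERATOR_LEADER_ELECTION_ID` default changes in this commit. The Deployment template begins before this hunk.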
@@ -11,12 +14,25 @@ nameOverride: "" fullnameOverride: "" operator: + # replicas the number of replicas of the operator's pod replicas: 1 + # leaderElectionId determines the name of the resource that leader election # will use for holding the leader lock. - leaderElectionId: "starboard-operator" + leaderElectionId: "starboard-lock" + # logDevMode the flag to enable development mode (more human-readable output, extra stack traces and logging information, etc) logDevMode: false + + # scanJobTimeout the length of time to wait before giving up on a scan job + scanJobTimeout: 5m + + # scanJobsConcurrentLimit the maximum number of scan jobs create by the operator + scanJobsConcurrentLimit: 10 + + # scanJobsRetryDelay the duration to wait before retrying a failed scan job + scanJobsRetryDelay: 30s + # vulnerabilityScannerEnabled the flag to enable vulnerability scanner vulnerabilityScannerEnabled: true # configAuditScannerEnabled the flag to enable configuration audit scanner @@ -28,11 +44,11 @@ operator: # batchDeleteDelay the duration to wait before deleting another batch of config audit reports. batchDeleteDelay: 10s image: - repository: "aquasec/starboard-operator" + repository: "docker.io/aquasec/starboard-operator" # tag is an override of the image tag, which is by default set by the # appVersion field in Chart.yaml. tag: "" - pullPolicy: "" + pullPolicy: IfNotPresent pullSecrets: [] # service only expose a metrics endpoint for prometheus to scrape, @@ -64,6 +80,9 @@ starboard: scanJobAnnotations: "" trivy: + # createConfig indicates whether to create config objects + createConfig: true + # imageRef the Trivy image reference. imageRef: docker.io/aquasec/trivy:0.20.0 @@ -89,7 +108,7 @@ trivy: # ignoreUnfixed is the flag to show only fixed vulnerabilities in # vulnerabilities reported by Trivy. Set to "true" to enable it. # - # ignoreUnfixed: "true" + ignoreUnfixed: "false" # resources resource requests and limits resources: 
@@ -128,7 +147,12 @@ kubeBench: imageRef: docker.io/aquasec/kube-bench:v0.6.5 polaris: + # createConfig indicates whether to create config objects + createConfig: true + + # imageRef the image reference imageRef: quay.io/fairwinds/polaris:4.2 + # resources resource requests and limits resources: requests: @@ -137,6 +161,7 @@ polaris: limits: cpu: 300m memory: 300M + config: checks: # reliability @@ -323,8 +348,12 @@ polaris: - runAsRootAllowed conftest: + # createConfig indicates whether to create config objects + createConfig: true + # imageRef the image reference imageRef: docker.io/openpolicyagent/conftest:v0.28.2 + # resources resource requests and limits resources: requests: @@ -333,6 +362,20 @@ conftest: limits: cpu: 300m memory: 300M + library: {} + # kubernetes.rego: | + # << REGO >> + # utils.rego: | + # << REGO >> + policy: {} + # access_to_host_pid: + # rego: | + # << REGO >> + # kinds: Workload + # configmap_with_sensitive_data: + # rego: | + # << REGO >> + # kinds: ConfigMap aqua: # imageRef Aqua scanner image reference. The tag determines the version of the scanner binary executable and it must @@ -355,6 +398,7 @@ serviceAccount: # true, a name is generated using the fullname template. name: "" +# podAnnotations annotations added to the operator's pod podAnnotations: {} podSecurityContext: {} diff --git a/deploy/static/03-starboard-operator.config.yaml b/deploy/static/03-starboard-operator.config.yaml index 1f419161d..d280660d1 100644 --- a/deploy/static/03-starboard-operator.config.yaml +++ b/deploy/static/03-starboard-operator.config.yaml @@ -1,6 +1,6 @@ --- apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: name: starboard namespace: starboard-system 
@@ -9,13 +9,20 @@ metadata: app.kubernetes.io/instance: starboard-operator app.kubernetes.io/version: "0.13.0-rc2" app.kubernetes.io/managed-by: kubectl -data: - vulnerabilityReports.scanner: Trivy - configAuditReports.scanner: Polaris - kube-bench.imageRef: docker.io/aquasec/kube-bench:v0.6.5 --- apiVersion: v1 kind: Secret +metadata: + name: starboard-trivy-config + namespace: starboard-system + labels: + app.kubernetes.io/name: starboard-operator + app.kubernetes.io/instance: starboard-operator + app.kubernetes.io/version: "0.13.0-rc2" + app.kubernetes.io/managed-by: kubectl +--- +apiVersion: v1 +kind: ConfigMap metadata: name: starboard namespace: starboard-system @@ -24,6 +31,10 @@ metadata: app.kubernetes.io/instance: starboard-operator app.kubernetes.io/version: "0.13.0-rc2" app.kubernetes.io/managed-by: kubectl +data: + vulnerabilityReports.scanner: "Trivy" + configAuditReports.scanner: "Polaris" + kube-bench.imageRef: "docker.io/aquasec/kube-bench:v0.6.5" --- apiVersion: v1 kind: ConfigMap @@ -36,9 +47,9 @@ metadata: app.kubernetes.io/version: "0.13.0-rc2" app.kubernetes.io/managed-by: kubectl data: - trivy.imageRef: docker.io/aquasec/trivy:0.20.0 - trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL - trivy.mode: Standalone + trivy.imageRef: "docker.io/aquasec/trivy:0.20.0" + trivy.mode: "Standalone" + trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" trivy.resources.requests.cpu: 100m trivy.resources.requests.memory: 100M trivy.resources.limits.cpu: 500m @@ -55,7 +66,7 @@ metadata: app.kubernetes.io/version: "0.13.0-rc2" app.kubernetes.io/managed-by: kubectl data: - polaris.imageRef: quay.io/fairwinds/polaris:4.2 + polaris.imageRef: "quay.io/fairwinds/polaris:4.2" polaris.resources.requests.cpu: "50m" polaris.resources.requests.memory: "50M" polaris.resources.limits.cpu: "300m" diff --git a/deploy/static/04-starboard-operator.deployment.yaml b/deploy/static/04-starboard-operator.deployment.yaml index fef192351..4abd06dce 100644 
--- a/deploy/static/04-starboard-operator.deployment.yaml +++ b/deploy/static/04-starboard-operator.deployment.yaml @@ -48,29 +48,29 @@ spec: spec: serviceAccountName: starboard-operator automountServiceAccountToken: true - securityContext: {} containers: - - name: operator - image: docker.io/aquasec/starboard-operator:0.13.0-rc2 + - name: "starboard-operator" + image: "docker.io/aquasec/starboard-operator:0.13.0-rc2" imagePullPolicy: IfNotPresent - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL env: - name: OPERATOR_NAMESPACE value: "starboard-system" - name: OPERATOR_TARGET_NAMESPACES value: "default" + - name: OPERATOR_SERVICE_ACCOUNT + value: "starboard-operator" - name: OPERATOR_LOG_DEV_MODE value: "false" + - name: OPERATOR_SCAN_JOB_TIMEOUT + value: "5m" - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT value: "10" - name: OPERATOR_SCAN_JOB_RETRY_AFTER value: "30s" + - name: OPERATOR_BATCH_DELETE_LIMIT + value: "10" + - name: OPERATOR_BATCH_DELETE_DELAY + value: "10s" - name: OPERATOR_METRICS_BIND_ADDRESS value: ":8080" - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS @@ -81,10 +81,6 @@ spec: value: "true" - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED value: "true" - - name: OPERATOR_BATCH_DELETE_LIMIT - value: "10" - - name: OPERATOR_BATCH_DELETE_DELAY - value: "10s" ports: - name: metrics containerPort: 8080 @@ -106,3 +102,14 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 10 + resources: + {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + securityContext: + {} diff --git a/docs/integrations/config-checkers/conftest.md b/docs/integrations/config-checkers/conftest.md index 57bd5edcc..0608f3455 100644 --- a/docs/integrations/config-checkers/conftest.md +++ b/docs/integrations/config-checkers/conftest.md 
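Review bot: The hardened container `securityContext` (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `privileged: false`, `readOnlyRootFilesystem: true`) is removed from its place after `imagePullPolicy` in the first hunk and re-added after the probes in the last hunk alongside a second, empty `securityContext: {}`; indentation is not recoverable from this rendering, so it is worth confirming in the rendered file that the hardened block sits under the container and the empty one under the pod `spec`, since the reverse would leave the operator container without those restrictions. Because this file is now produced by `helm template` per CONTRIBUTING.md, a leading comment such as `# Generated from deploy/helm with "helm template"; see CONTRIBUTING.md, do not edit by hand` (emitted by the generation step, if it can carry one) would keep the next regeneration from silently dropping hand-applied hardening.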
@@ -24,7 +24,10 @@ deny[res] { To integrate Conftest scanner change the value of the `configAuditReports.scanner` property to `Conftest`: ``` -kubectl patch cm starboard -n \ +STARBOARD_NAMESPACE= +``` +``` +kubectl patch cm starboard -n $STARBOARD_NAMESPACE \ --type merge \ -p "$(cat < \ +STARBOARD_NAMESPACE= +``` +``` +kubectl create configmap starboard-conftest-config --namespace $STARBOARD_NAMESPACE \ --from-literal=conftest.imageRef=openpolicyagent/conftest:v0.28.2 \ --from-file=conftest.library.kubernetes.rego=kubernetes/lib/kubernetes.rego \ --from-file=conftest.library.utils.rego=kubernetes/lib/utils.rego \ @@ -67,6 +73,25 @@ kubectl create configmap starboard-conftest-config -n \ --from-literal=conftest.policy.uses_image_tag_latest.kinds=Workload ``` +!!! tip + + For the operator the Helm install command may look as follows. + ``` + STARBOARD_NAMESPACE= + ``` + ``` + helm install starboard-operator aqua/starboard-operator \ + --namespace $STARBOARD_NAMESPACE --create-namespace \ + --set="targetNamespaces=default" \ + --set="starboard.configAuditReportsPlugin=Conftest" \ + --set-file="conftest.library.kubernetes.rego=kubernetes/lib/kubernetes.rego" \ + --set-file="conftest.library.utils.rego=kubernetes/lib/utils.rego" \ + --set-file="conftest.policy.file_system_not_read_only.rego=kubernetes/policies/general/file_system_not_read_only.rego" \ + --set-file="conftest.policy.uses_image_tag_latest.rego=kubernetes/policies/general/uses_image_tag_latest.rego" \ + --set-string="conftest.policy.file_system_not_read_only.kinds=Workload" \ + --set-string="conftest.policy.uses_image_tag_latest.rego=Workload" + ``` + To test this setup out with Starboard CLI you can create the `nginx` Deployment with the latest `nginx` image and check its configuration: 
@@ -142,7 +167,9 @@ report:
 | `conftest.resources.requests.memory` | `50M` | The minimum amount of memory required to run Conftest scanner pod. |
 | `conftest.resources.limits.cpu` | `300m` | The maximum amount of CPU allowed to run Conftest scanner pod. |
 | `conftest.resources.limits.memory` | `300M` | The maximum amount of memory allowed to run Conftest scanner pod. |
-
+| `conftest.library..rego` | N/A | Rego library with helper functions |
+| `conftest.policy..rego` | N/A | Rego policy with the specified name |
+| `conftest.policy..kinds` | N/A | A comma-separated list of Kubernetes kinds applicable to the policy with a given name. You can use `Workload` or `*` as special kinds to represent any Kubernetes workload or any object. |
 
 [Open Policy Agent]: https://www.openpolicyagent.org
 [Conftest]: https://github.com/open-policy-agent/conftest
diff --git a/docs/operator/configuration.md b/docs/operator/configuration.md
index 35040df84..b7d73ca7b 100644
--- a/docs/operator/configuration.md
+++ b/docs/operator/configuration.md
@@ -9,15 +9,15 @@ Configuration of the operator's Pod is done via environment variables at startup | `OPERATOR_SCAN_JOB_TIMEOUT` | `5m` | The length of time to wait before giving up on a scan job | | `OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT` | `10` | The maximum number of scan jobs create by the operator | | `OPERATOR_SCAN_JOB_RETRY_AFTER` | `30s` | The duration to wait before retrying a failed scan job | +| `OPERATOR_BATCH_DELETE_LIMIT` | `10` | The maximum number of config audit reports deleted by the operator when the plugin's config has changed. | +| `OPERATOR_BATCH_DELETE_DELAY` | `10s` | The duration to wait before deleting another batch of config audit reports. | | `OPERATOR_METRICS_BIND_ADDRESS` | `:8080` | The TCP address to bind to for serving [Prometheus][prometheus] metrics. It can be set to `0` to disable the metrics serving. | | `OPERATOR_HEALTH_PROBE_BIND_ADDRESS` | `:9090` | The TCP address to bind to for serving health probes, i.e. `/healthz/` and `/readyz/` endpoints. | | `OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED` | `true` | The flag to enable CIS Kubernetes Benchmark scanner | | `OPERATOR_VULNERABILITY_SCANNER_ENABLED` | `true` | The flag to enable vulnerability scanner | | `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED` | `true` | The flag to enable configuration audit scanner | | `OPERATOR_LEADER_ELECTION_ENABLED` | `false` | The flag to enable operator replica leader election | -| `OPERATOR_LEADER_ELECTION_ID` | `starboard-operator` | The name of the resource lock for leader election | -| `OPERATOR_BATCH_DELETE_LIMIT` | `10` | The maximum number of config audit reports deleted by the operator when the plugin's config has changed. | -| `OPERATOR_BATCH_DELETE_DELAY` | `10s` | The duration to wait before deleting another batch of config audit reports. | +| `OPERATOR_LEADER_ELECTION_ID` | `starboard-lock` | The name of the resource lock for leader election | ## Install Modes 
diff --git a/pkg/operator/etc/config.go b/pkg/operator/etc/config.go
index a10ee0382..7ae86d47d 100644
--- a/pkg/operator/etc/config.go
+++ b/pkg/operator/etc/config.go
@@ -13,19 +13,19 @@ type Config struct {
 Namespace string `env:"OPERATOR_NAMESPACE"`
 TargetNamespaces string `env:"OPERATOR_TARGET_NAMESPACES"`
 ServiceAccount string `env:"OPERATOR_SERVICE_ACCOUNT" envDefault:"starboard-operator"`
+ LogDevMode bool `env:"OPERATOR_LOG_DEV_MODE" envDefault:"false"`
 ScanJobTimeout time.Duration `env:"OPERATOR_SCAN_JOB_TIMEOUT" envDefault:"5m"`
 ConcurrentScanJobsLimit int `env:"OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT" envDefault:"10"`
 ScanJobRetryAfter time.Duration `env:"OPERATOR_SCAN_JOB_RETRY_AFTER" envDefault:"30s"`
+ BatchDeleteLimit int `env:"OPERATOR_BATCH_DELETE_LIMIT" envDefault:"10"`
+ BatchDeleteDelay time.Duration `env:"OPERATOR_BATCH_DELETE_DELAY" envDefault:"10s"`
 MetricsBindAddress string `env:"OPERATOR_METRICS_BIND_ADDRESS" envDefault:":8080"`
 HealthProbeBindAddress string `env:"OPERATOR_HEALTH_PROBE_BIND_ADDRESS" envDefault:":9090"`
- LogDevMode bool `env:"OPERATOR_LOG_DEV_MODE" envDefault:"false"`
 CISKubernetesBenchmarkEnabled bool `env:"OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED" envDefault:"true"`
 VulnerabilityScannerEnabled bool `env:"OPERATOR_VULNERABILITY_SCANNER_ENABLED" envDefault:"true"`
 ConfigAuditScannerEnabled bool `env:"OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED" envDefault:"true"`
 LeaderElectionEnabled bool `env:"OPERATOR_LEADER_ELECTION_ENABLED" envDefault:"false"`
- LeaderElectionID string `env:"OPERATOR_LEADER_ELECTION_ID" envDefault:"starboard-operator"`
- BatchDeleteLimit int `env:"OPERATOR_BATCH_DELETE_LIMIT" envDefault:"10"`
- BatchDeleteDelay time.Duration `env:"OPERATOR_BATCH_DELETE_DELAY" envDefault:"10s"`
+ LeaderElectionID string `env:"OPERATOR_LEADER_ELECTION_ID" envDefault:"starboard-lock"`
 }
 
 // GetOperatorConfig loads Config from environment variables.
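Review bot: Changing the `envDefault` of `LeaderElectionID` from `starboard-operator` to `starboard-lock` changes the lease name an upgraded operator contends for, so when leader election is enabled and a rollout mixes old and new replicas, each version elects its own leader and both reconcile at once; only the Helm Deployment in this diff gains `strategy: Recreate`, and the static Deployment is not shown changing its strategy. A doc comment on the field would make that constraint explicit, e.g. `// LeaderElectionID names the resource lock shared by all replicas; changing it between versions lets old and new replicas lead simultaneously during a mixed-version rollout, so deploy with Recreate or keep the previous ID.` The `Config` struct starts outside this hunk.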