feat: dynamic compliance reports (aquasecurity#2160)
* feat: dynamic compliance reports

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
chen-keinan authored Jul 2, 2024
1 parent d6632d9 commit 1d4ec56
Showing 32 changed files with 2,890 additions and 1,234 deletions.
5 changes: 3 additions & 2 deletions deploy/helm/README.md
Expand Up @@ -17,6 +17,7 @@ Keeps security report resources updated
| compliance.cron | string | `"0 */6 * * *"` | cron this flag control the cron interval for compliance report generation |
| compliance.failEntriesLimit | int | `10` | failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report this limit is for preventing the report from being too large per control checks |
| compliance.reportType | string | `"summary"` | reportType this flag control the type of report generated (summary or all) |
| compliance.specs | list | `["k8s-cis-1.23","k8s-nsa-1.0","k8s-pss-baseline-0.1","k8s-pss-restricted-0.1"]` | specs is a list of compliance specs to be used by the cluster compliance scanner - k8s-cis-1.23 - k8s-nsa-1.0 - k8s-pss-baseline-0.1 - k8s-pss-restricted-0.1 - eks-cis-1.4 - rke2-cis-1.24 |
| excludeNamespaces | string | `""` | excludeNamespaces is a comma separated list of namespaces (or glob patterns) to be excluded from scanning. Only applicable in the all namespaces install mode, i.e. when the targetNamespaces values is a blank string. |
| fullnameOverride | string | `""` | fullnameOverride override operator full name |
| global | object | `{"image":{"registry":""}}` | global values provide a centralized configuration for 'image.registry', reducing the potential for errors. If left blank, the chart will default to the individually set 'image.registry' values |
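Review bot: the description in the added `compliance.specs` row runs the configured default and the full list of available specs together ("... scanner - k8s-cis-1.23 - k8s-nsa-1.0 - k8s-pss-baseline-0.1 - k8s-pss-restricted-0.1 - eks-cis-1.4 - rke2-cis-1.24"), so a reader cannot tell that `eks-cis-1.4` and `rke2-cis-1.24` are selectable but not part of the default `["k8s-cis-1.23","k8s-nsa-1.0","k8s-pss-baseline-0.1","k8s-pss-restricted-0.1"]`. Reword it along the lines of "specs is the list of compliance specs to run; available values: k8s-cis-1.23, k8s-nsa-1.0, k8s-pss-baseline-0.1, k8s-pss-restricted-0.1, eks-cis-1.4, rke2-cis-1.24" so the cell renders as one readable sentence, and if this table is generated, make the change at its source rather than in the README.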
Expand All @@ -31,7 +32,7 @@ Keeps security report resources updated
| nodeCollector.imagePullSecret | string | `nil` | imagePullSecret is the secret name to be used when pulling node-collector image from private registries example : reg-secret It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace |
| nodeCollector.registry | string | `"ghcr.io"` | registry of the node-collector image |
| nodeCollector.repository | string | `"aquasecurity/node-collector"` | repository of the node-collector image |
| nodeCollector.tag | string | `"0.2.1"` | tag version of the node-collector image |
| nodeCollector.tag | string | `"0.3.1"` | tag version of the node-collector image |
| nodeCollector.tolerations | list | `[]` | tolerations to be applied to the node-collector so that they can run on nodes with matching taints |
| nodeCollector.useNodeSelector | bool | `true` | useNodeSelector determine if to use nodeSelector (by auto detecting node name) with node-collector scan job |
| nodeCollector.volumeMounts | list | `[{"mountPath":"/var/lib/etcd","name":"var-lib-etcd","readOnly":true},{"mountPath":"/var/lib/kubelet","name":"var-lib-kubelet","readOnly":true},{"mountPath":"/var/lib/kube-scheduler","name":"var-lib-kube-scheduler","readOnly":true},{"mountPath":"/var/lib/kube-controller-manager","name":"var-lib-kube-controller-manager","readOnly":true},{"mountPath":"/etc/systemd","name":"etc-systemd","readOnly":true},{"mountPath":"/lib/systemd/","name":"lib-systemd","readOnly":true},{"mountPath":"/etc/kubernetes","name":"etc-kubernetes","readOnly":true},{"mountPath":"/etc/cni/net.d/","name":"etc-cni-netd","readOnly":true}]` | node-collector pod volume mounts definition for collecting config files information |
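Review bot: the node-collector image bump from `0.2.1` to `0.3.1` is the only change in this hunk and is not mentioned in the commit message, which says only "dynamic compliance reports". Since the CRD in this same commit adds a `commands` list that node-collector executes, the commit message or the row description should state that `0.3.1` is the minimum node-collector version that understands the new spec, so users who override `nodeCollector.tag` know that an older tag may not support the new spec format.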
Expand Down Expand Up @@ -144,7 +145,7 @@ Keeps security report resources updated
| trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
| trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image |
| trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image |
| trivy.image.tag | string | `"0.52.0"` | tag version of the Trivy image |
| trivy.image.tag | string | `"0.53.0"` | tag version of the Trivy image |
| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
| trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem |
| trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |
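Review bot: the Trivy image bump from `0.52.0` to `0.53.0` is an unrelated dependency update bundled into a feature commit; a separate commit would let it be reverted on its own if the new Trivy version causes regressions. Unrelated to the change itself, the context row two lines above reads "imge pull policy" ("image"); since this table is already being edited, it is worth fixing at the same time.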
Expand Up @@ -79,6 +79,18 @@ spec:
- id
type: object
type: array
commands:
items:
description: Commands represent the commands to be executed
by the node-collector
properties:
id:
description: id define the commands id
type: string
required:
- id
type: object
type: array
defaultStatus:
description: define the default value for check status in
case resource not found
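Review bot: the new `commands` items require only an `id` of unconstrained `type: string`, and the description "id define the commands id" does not say where the command definitions live or what validates the id. Because these ids select commands that node-collector runs on every node (the same pod that, per the README hunk in this commit, mounts `/var/lib/etcd`, `/etc/kubernetes` and other host paths read-only), the schema should bound the value, for example with a `pattern` or `maxLength` on `id`, and the description should state that only ids present in node-collector's own command set are executed and that unknown ids are rejected rather than silently ignored.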
Expand Down Expand Up @@ -113,20 +125,26 @@ spec:
type: string
id:
type: string
platform:
type: string
relatedResources:
items:
type: string
type: array
title:
type: string
type:
type: string
version:
type: string
required:
- controls
- description
- id
- platform
- relatedResources
- title
- type
- version
type: object
cron:
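Review bot: `platform` and `version` are added to the `required` list of an existing CRD schema, so a ClusterComplianceReport spec already stored without them will fail validation the next time it is updated, and a Helm upgrade that applies the new CRD before the operator rewrites its built-in reports may run into that. Either leave the two fields optional with a documented default, or note the migration in the commit message and make sure the operator recreates the built-in reports with both fields set. Separately, `platform` is a free-form string; the spec ids in the README hunk (`k8s-...`, `eks-...`, `rke2-...`) suggest a small known set, so an `enum` would reject typos at admission time instead of at scan time.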