release: prepare v0.15.0-rc1 (aquasecurity#1051)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
xhochn · Mar 22, 2022 · 10c07fc · 10c07fc
1 parent d43c923
commit 10c07fc
Show file tree

Hide file tree

Showing 24 changed files with 133 additions and 932 deletions.
diff --git a/RELEASING.md b/RELEASING.md
@@ -33,6 +33,7 @@
       11. [`deploy/static/03-starboard-operator.config.yaml`]
       12. [`deploy/static/02-starboard-operator.rbac.yaml`]
       13. [`deploy/static/01-starboard-operator.ns.yaml`]
+      14. [`deploy/specs/nsa-1.0.yaml`]
    4. Update [`deploy/static/starboard.yaml`] by running the following script:
       ```
       ./hack/update-starboard.yaml.sh
@@ -80,7 +81,8 @@
 [`deploy/static/04-starboard-operator.policies.yaml`]: ./deploy/static/04-starboard-operator.policies.yaml
 [`deploy/static/03-starboard-operator.config.yaml`]: ./deploy/static/03-starboard-operator.config.yaml
 [`deploy/static/02-starboard-operator.rbac.yaml`]: ./deploy/static/02-starboard-operator.rbac.yaml
-[`deploy/static/01-starboard-operator.ns.yaml`]: ./deploy/static/02-starboard-operator.rbac.yaml
+[`deploy/static/01-starboard-operator.ns.yaml`]: ./deploy/static/01-starboard-operator.ns.yaml
+[`deploy/specs/nsa-1.0.yaml`]: ./deploy/specs/nsa-1.0.yaml
 [`deploy/static/starboard.yaml`]: ./deploy/static/starboard.yaml
 [`mkdocs.yml`]: ./mkdocs.yml
 [`.github/workflows/release.yaml`]: ./.github/workflows/release.yaml

diff --git a/deploy/crd/ciskubebenchreports.crd.yaml b/deploy/crd/ciskubebenchreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: ciskubebenchreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   versions:

diff --git a/deploy/crd/clustercompliancedetailreports.crd.yaml b/deploy/crd/clustercompliancedetailreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: clustercompliancedetailreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   versions:

diff --git a/deploy/crd/clustercompliancereports.crd.yaml b/deploy/crd/clustercompliancereports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: clustercompliancereports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   scope: Cluster

diff --git a/deploy/crd/clusterconfigauditreports.crd.yaml b/deploy/crd/clusterconfigauditreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: clusterconfigauditreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   versions:

diff --git a/deploy/crd/clustervulnerabilityreports.crd.yaml b/deploy/crd/clustervulnerabilityreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: clustervulnerabilityreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   versions:

diff --git a/deploy/crd/configauditreports.crd.yaml b/deploy/crd/configauditreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: configauditreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   versions:

diff --git a/deploy/crd/kubehunterreports.crd.yaml b/deploy/crd/kubehunterreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: kubehunterreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   versions:

diff --git a/deploy/crd/vulnerabilityreports.crd.yaml b/deploy/crd/vulnerabilityreports.crd.yaml
@@ -5,7 +5,7 @@ metadata:
   name: vulnerabilityreports.aquasecurity.github.io
   labels:
     app.kubernetes.io/managed-by: starboard
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
 spec:
   group: aquasecurity.github.io
   versions:

diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml
@@ -6,12 +6,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.1
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.14.1
+appVersion: 0.15.0-rc1
 
 # kubeVersion: A SemVer range of compatible Kubernetes versions (optional)
 

diff --git a/deploy/helm/templates/NOTES.txt b/deploy/helm/templates/NOTES.txt
@@ -1,9 +1,17 @@
-You have installed Starboard Operator in the "{{ .Release.Namespace }}" namespace.
-It is configured to discover Kubernetes workloads in the namespaces: '{{ tpl .Values.targetNamespaces . | default "(all namespaces)" }}'.
+You have installed Starboard Operator in the {{ .Release.Namespace }} namespace.
+It is configured to discover Kubernetes workloads in the {{ tpl .Values.targetNamespaces . | default "(all)" }} namespace(s).
 
 Inspect created VulnerabilityReports by:
 
-    kubectl get vulnerabilityreports --all-namespaces
+    kubectl get vulnerabilityreports --all-namespaces -o wide
+
+Inspect created ConfigAuditReports by:
+
+    kubectl get configauditreports --all-namespaces -o wide
+
+Inspect created CISKubeBenchReports by:
+
+    kubectl get ciskubebenchreports -o wide
 
 Inspect the work log of starboard-operator by:
 

diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
@@ -75,8 +75,6 @@ spec:
               value: {{ .Values.operator.kubernetesBenchmarkEnabled | quote }}
             - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
               value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }}
-            - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED
-              value: {{ .Values.operator.clusterComplianceEnabled | quote }}
             - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
               value: {{ .Values.operator.vulnerabilityScannerScanOnlyCurrentRevisions | quote }}
             - name: OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL
@@ -85,6 +83,8 @@ spec:
               value: {{ .Values.operator.configAuditScannerEnabled | quote }}
             - name: OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN
               value: {{ .Values.operator.configAuditScannerBuiltIn | quote }}
+            - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED
+              value: {{ .Values.operator.clusterComplianceEnabled | quote }}
             {{- if gt (int .Values.operator.replicas) 1 }}
             - name: OPERATOR_LEADER_ELECTION_ENABLED
               value: "true"

diff --git a/deploy/helm/templates/policies.yaml b/deploy/helm/templates/policies.yaml
@@ -606,7 +606,8 @@ data:
     \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
     \"ensure that User pods are not placed in kube-system namespace\",\n\t\"recommended_actions\":
     \"Deploy the use pods into a designated namespace which is not kube-system.\",\n\t\"url\":
-    \"https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/\",\n}\n\ndeny[res]
+    \"https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/\",\n}\n\n__rego_input__
+    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
     {\n\tsystemNamespaceInUse(input.metadata, input.spec)\n\tmsg := sprintf(\"%s '%s'
     should not be set with 'kube-system' namespace\", [kubernetes.kind, kubernetes.name])\n\tres
     := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\":
@@ -625,7 +626,8 @@ data:
     \"v1.0.0\",\n\t\"severity\": \"MEDIUM\",\n\t\"type\": \"Kubernetes Security Check\",\n\t\"description\":
     \"ensure that Pod specifications disable the secret token being mounted by setting
     automountServiceAccountToken: false\",\n\t\"recommended_actions\": \"Remove 'container.apparmor.security.beta.kubernetes.io'
-    annotation or set it to 'runtime/default'.\",\n\t\"url\": \"https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller\",\n}\n\ndeny[res]
+    annotation or set it to 'runtime/default'.\",\n\t\"url\": \"https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller\",\n}\n\n__rego_input__
+    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
     {\n\tmountServiceAccountToken(input.spec)\n\tmsg := kubernetes.format(sprintf(\"Container
     of %s '%s' should set 'spec.automountServiceAccountToken' to false\", [kubernetes.kind,
     kubernetes.name]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
@@ -700,7 +702,8 @@ data:
     \"ensure that network policies selectors are applied to pods or namespaces to
     restricted ingress and egress traffic within the pod network\",\n\t\"recommended_actions\":
     \"create network policies and ensure that pods are selected using the podSelector
-    and/or the namespaceSelector options\",\n\t\"url\": \"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/\",\n}\n\ndeny[res]
+    and/or the namespaceSelector options\",\n\t\"url\": \"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/\",\n}\n\n__rego_input__
+    := {\n\t\"combine\": false,\n\t\"selector\": [{\"type\": \"kubernetes\"}],\n}\n\ndeny[res]
     {\n\tnot hasSelector(input.spec)\n\tmsg := \"Network policy should uses podSelector
     and/or the namespaceSelector to restrict ingress and egress traffic within the
     Pod network\"\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
@@ -859,4 +862,4 @@ data:
     [getContainersWithUntrustedGCRRegistry[_], lower(kubernetes.kind), kubernetes.name,
     kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\":
     __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\":
-    __rego_metadata__.type,\n\t}\n}\n"
+    __rego_metadata__.type,\n\t}\n}\n"
diff --git a/deploy/specs/nsa-1.0.yaml b/deploy/specs/nsa-1.0.yaml
@@ -6,7 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 spec:
   name: nsa

diff --git a/deploy/static/01-starboard-operator.ns.yaml b/deploy/static/01-starboard-operator.ns.yaml
@@ -6,5 +6,5 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
diff --git a/deploy/static/02-starboard-operator.rbac.yaml b/deploy/static/02-starboard-operator.rbac.yaml
@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -17,7 +17,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 rules:
   - apiGroups:
@@ -166,7 +166,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 roleRef:
   apiGroup: rbac.authorization.k8s.io

diff --git a/deploy/static/03-starboard-operator.config.yaml b/deploy/static/03-starboard-operator.config.yaml
@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -18,7 +18,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -29,7 +29,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 data:
   vulnerabilityReports.scanner: "Trivy"
@@ -44,7 +44,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 data:
   trivy.imageRef: "docker.io/aquasec/trivy:0.24.2"
@@ -64,7 +64,7 @@ metadata:
   labels:
     app.kubernetes.io/name: starboard-operator
     app.kubernetes.io/instance: starboard-operator
-    app.kubernetes.io/version: "0.14.1"
+    app.kubernetes.io/version: "0.15.0-rc1"
     app.kubernetes.io/managed-by: kubectl
 data:
   polaris.imageRef: "quay.io/fairwinds/polaris:4.2"