web socket to support cronjobs for registry scanning

armosec · Jun 10, 2022 · 4471f76 · 4471f76
1 parent 48d75cd
commit 4471f76
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 2 deletions.
diff --git a/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml b/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml
@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+    kind: CronJob
+    metadata:
+      name: {{ .Values.armoRegistryScanScheduler.name }}
+      namespace: {{ .Values.armoNameSpace }}
+      labels:
+        app: {{ .Values.armoRegistryScanScheduler.name }}
+        tier: {{ .Values.global.namespaceTier}}
+        armo.tier: "registry-scan"
+    spec:
+      schedule: "{{ .Values.armoRegistryScanScheduler.scanSchedule }}"
+      jobTemplate:
+        spec:
+          template:
+            metadata:
+              labels:
+                armo.tier: "registry-scan"
+            spec:
+              containers:
+              - name: {{ .Values.armoRegistryScanScheduler.name }}
+                image: "{{ .Values.armoRegistryScanScheduler.image.repository }}:{{ .Values.armoRegistryScanScheduler.image.tag }}"
+                imagePullPolicy: {{ .Values.armoRegistryScanScheduler.image.pullPolicy }}
+                args: 
+                  - -method=post
+                  - -scheme=http
+                  - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
+                  - -path=v1/triggerAction
+                  - -headers="Content-Type:application/json"
+                  - -path-body=/home/armo/request-body.json
+                volumeMounts:
+                  - name: "request-body-volume"
+                    mountPath: /home/armo/request-body.json
+                    subPath: request-body.json
+                    readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 18 }}
+{{- end }}
+{{- if .Values.armoRegistryScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoRegistryScanScheduler.volumeMounts | indent 18 }}
+{{- end }}
+              restartPolicy: Never
+              automountServiceAccountToken: false
+              volumes:
+                - name: "request-body-volume" # placeholder
+                  configMap:
+                    name: {{ .Values.armoRegistryScanScheduler.name }}
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 16 }}
+{{- end }}
+{{- if .Values.armoRegistryScanScheduler.volumes }}
+{{ toYaml .Values.armoRegistryScanScheduler.volumes | indent 16 }}
+{{- end }}
+
diff --git a/charts/armo-components/templates/armo-registry-scan-recurring-cronjob-config-map.yaml b/charts/armo-components/templates/armo-registry-scan-recurring-cronjob-config-map.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Values.armoNameSpace }}
+  labels:
+    app: {{ .Values.global.beConfig }}
+    tier: {{ .Values.global.namespaceTier }}
+  name: registry-scan-cronjob-template
+data:
+  cronjobTemplate: |-
+    {{ tpl (.Files.Get "assets/armo-registry-scan-cronjob-ful.yaml") . }}
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml
@@ -217,7 +217,7 @@ armoWebsocket:
   image:
     # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo)
     repository: quay.io/armosec/action-trigger
-    tag: v0.0.15
+    tag: v0.0.16
     pullPolicy: Always
 
   service:
@@ -231,7 +231,7 @@ armoWebsocket:
        cpu: 50m
        memory: 100Mi
     limits:
-       cpu: 100m
+       cpu: 300m
        memory: 300Mi
   env: {}
   labels: {}
@@ -381,3 +381,39 @@ armoKubescapeHostScanner:
 
   # Additional volumeMounts to be mounted on the Kubescape host scanner
   volumeMounts: []
+
+# registry scan scheduled scan using a CronJob
+armoRegistryScanScheduler:
+
+  # -- enable/disable a kubescape scheduled scan using a CronJob
+  enabled: true
+
+  # scan scheduler container name
+  name: armo-registry-scheduler
+
+           # -- Frequency of running the scan
+           #     ┌───────────── minute (0 - 59)
+           #     │ ┌───────────── hour (0 - 23)
+           #     │ │ ┌───────────── day of the month (1 - 31)
+           #     │ │ │ ┌───────────── month (1 - 12)
+           #     │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
+           #     │ │ │ │ │                         7 is also Sunday on some systems)
+           #     │ │ │ │ │
+           #     │ │ │ │ │
+           #     * * * * *
+  # -- scan schedule frequency
+  scanSchedule: "0 0 * * *"
+
+  image:
+    # -- source code: https://github.com/armosec/http-request (public repo)
+    repository: quay.io/armosec/http_request
+    tag: 	v0.0.6
+    pullPolicy: IfNotPresent
+
+  replicaCount: 1
+
+  # Additional volumes to be mounted on the scan scheduler
+  volumes: []
+
+  # Additional volumeMounts to be mounted on the scan scheduler
+  volumeMounts: []