diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..2dfc05b --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,127 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or + advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email + address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement [here](mailto:ben@armosec.io). +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. 
This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder](https://github.com/mozilla/diversity). + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..ae2ad2d --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,100 @@ +# Contributing + +First, it is awesome that you are considering contributing to Kubescape-helm! Contributing is important and fun and we welcome your efforts. + +When contributing, we categorize contributions into two: +* Small code changes or fixes, whose scope are limited to a single or two files +* Complex features and improvements, whose are not limited + +If you have a small change, feel free to fire up a Pull Request. + +When planning a bigger change, please first discuss the change you wish to make via issue, +email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might already going to this direction (or the exact opposite ;-) ) and we don't want to waste your time. + +Please note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +1. Ensure any install or build dependencies are removed before the end of the layer when doing a + build. +2. Update the README.md with details of changes to the interface, this includes new environment + variables, exposed ports, useful file locations and container parameters. +3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch +4. We will merge the Pull Request in once you have the sign-off. + +## Code of Conduct + +### Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. 
+ +### Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or +advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +We will distance those who are constantly adhere to unacceptable behavior. + +### Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. + +### Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. 
+ +### Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at [INSERT EMAIL ADDRESS]. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +### Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ \ No newline at end of file diff --git a/README.md b/README.md index 9efb56a..178061b 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # ARMO cluster components ARMO Vulnerability Scanning -![Version: 1.7.16](https://img.shields.io/badge/Version-1.7.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.16](https://img.shields.io/badge/AppVersion-v1.7.16-informational?style=flat-square) +![Version: 1.7.17](https://img.shields.io/badge/Version-1.7.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.17](https://img.shields.io/badge/AppVersion-v1.7.17-informational?style=flat-square) ## [Docs](https://hub.armosec.io/docs/installation-of-armo-in-cluster) 
@@ -72,8 +72,8 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob | | armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl | | armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency | -| armoKubescapeScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler | -| armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler | +| armoScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler | +| armoScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler | | armoVulnScanner.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment | | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning | | armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) | diff --git a/charts/armo-components/Chart.yaml b/charts/armo-components/Chart.yaml index 4b1bda8..9196fb1 100644 --- a/charts/armo-components/Chart.yaml +++ b/charts/armo-components/Chart.yaml 
@@ -8,13 +8,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.7.16 +version: 1.7.17 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "v1.7.16" +appVersion: "v1.7.17" maintainers: - name: Ben Hirschberg diff --git a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml new file mode 100644 index 0000000..1bc2178 --- /dev/null +++ b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml 
@@ -0,0 +1,43 @@ +apiVersion: batch/v1 + kind: CronJob + metadata: + name: {{ .Values.armoVulnScanScheduler.name }} + namespace: {{ .Values.armoNameSpace }} + labels: + app: {{ .Values.armoVulnScanScheduler.name }} + tier: {{ .Values.global.namespaceTier}} + armo.tier: "vuln-scan" + spec: + schedule: "{{ .Values.armoScanScheduler.scanSchedule }}" + jobTemplate: + spec: + template: + metadata: + labels: + armo.tier: "vuln-scan" + spec: + containers: + - name: {{ .Values.armoVulnScanScheduler.name }} + image: "{{ .Values.armoVulnScanScheduler.image.repository }}:{{ .Values.armoVulnScanScheduler.image.tag }}" + imagePullPolicy: {{ .Values.armoVulnScanScheduler.image.pullPolicy }} + args: + - -method=post + - -scheme=http + - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }} + - -path=v1/triggerAction + - -headers="Content-Type:application/json" + - -path-body=/home/armo/request-body.json + volumeMounts: + - name: "request-body-volume" + mountPath: /home/armo/request-body.json + subPath: request-body.json + readOnly: true + restartPolicy: Never + automountServiceAccountToken: false + volumes: + - name: "request-body-volume" # placeholder + configMap: + name: {{ .Values.armoVulnScanScheduler.name }} + + + \ No newline at end of file diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 6349323..483c584 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml 
@@ -2,7 +2,7 @@ {{ template "account_guid" . }} {{ template "cluster_name" . }} apiVersion: apps/v1 -# statefulset is needed in order to avoid to pods reporting from the same cluster in parallel. +# statefulset is needed in order to avoid two pods reporting from the same cluster in parallel. # parallel reporting will cause Kubescape SaaS to miss identify the cluster liveness status kind: StatefulSet metadata: @@ -27,12 +27,26 @@ spec: tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoCollector.name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - helm.sh/revision: "{{ .Release.Revision }}" spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: - name: {{ toYaml .Values.imagePullSecrets }} {{- end }} + initContainers: + - image: bitnami/kubectl:1.24 + name: disconnect-handle + command: + - bash + args: + - -c + - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done + resources: + limits: + cpu: 10m + memory: 40Mi + requests: + cpu: 10m + memory: 40Mi containers: - name: {{ .Values.armoCollector.name }} image: "{{ .Values.armoCollector.image.repository }}:{{ .Values.armoCollector.image.tag }}" diff --git a/charts/armo-components/templates/armo-notification-service-deployment.yaml b/charts/armo-components/templates/armo-notification-service-deployment.yaml index 416557b..fe7230e 100644 --- a/charts/armo-components/templates/armo-notification-service-deployment.yaml +++ b/charts/armo-components/templates/armo-notification-service-deployment.yaml 
@@ -27,7 +27,6 @@ spec: app.kubernetes.io/name: {{ .Values.armoNotificationService.name }} app.kubernetes.io/instance: {{ .Release.Name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - helm.sh/revision: "{{ .Release.Revision }}" tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoNotificationService.name }} spec: diff --git a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml index f4bb993..9ba1352 100644 --- a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml +++ b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml @@ -28,7 +28,6 @@ spec: app.kubernetes.io/name: {{ .Values.armoVulnScanner.name }} app.kubernetes.io/instance: {{ .Release.Name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - helm.sh/revision: "{{ .Release.Revision }}" tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoVulnScanner.name }} spec: diff --git a/charts/armo-components/templates/armo-vulnscan-recurring-cronjob-config-map.yaml b/charts/armo-components/templates/armo-vulnscan-recurring-cronjob-config-map.yaml new file mode 100644 index 0000000..4492f92 --- /dev/null +++ b/charts/armo-components/templates/armo-vulnscan-recurring-cronjob-config-map.yaml @@ -0,0 +1,11 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: vulnscan-cronjob-template + namespace: {{ .Values.armoNameSpace }} + labels: + app: {{ .Values.global.beConfig }} + tier: {{ .Values.global.namespaceTier }} +data: + cronjobTemplate: |- + {{ tpl (.Files.Get "assets/armo-vulnscan-cronjob-full.yaml") . }} diff --git a/charts/armo-components/templates/armo-websocket-deployment.yaml b/charts/armo-components/templates/armo-websocket-deployment.yaml index 6f303fb..1f1de0a 100644 --- a/charts/armo-components/templates/armo-websocket-deployment.yaml +++ b/charts/armo-components/templates/armo-websocket-deployment.yaml 
@@ -26,7 +26,6 @@ spec: app.kubernetes.io/name: {{ .Values.armoWebsocket.name }} app.kubernetes.io/instance: {{ .Release.Name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - helm.sh/revision: "{{ .Release.Revision }}" tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoWebsocket.name }} spec: diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 8828718..d410d28 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -216,7 +216,7 @@ armoWebsocket: image: # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo) repository: quay.io/armosec/action-trigger - tag: v0.0.40 + tag: v0.0.45 pullPolicy: Always service: @@ -241,6 +241,36 @@ armoWebsocket: # Additional volumeMounts to be mounted on the websocket volumeMounts: [] +armoVulnScanScheduler: + + ## Schedule Scan using cron + ## + enabled: true + + ## scan scheduler container name + ## + name: armo-vulnscan-scheduler + + # -- Frequency of running the scan + # ┌───────────── minute (0 - 59) + # │ ┌───────────── hour (0 - 23) + # │ │ ┌───────────── day of the month (1 - 31) + # │ │ │ ┌───────────── month (1 - 12) + # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday; + # │ │ │ │ │ 7 is also Sunday on some systems) + # │ │ │ │ │ + # │ │ │ │ │ + # * * * * * + scanSchedule: "0 0 * * *" + + image: + # source code - https://github.com/armosec/http-request + repository: quay.io/armosec/http_request + tag: v0.0.5 + pullPolicy: IfNotPresent + + replicaCount: 1 + # image vulnerability scanning microservice armoVulnScanner: @@ -304,7 +334,7 @@ armoCollector: image: # -- source code: https://github.com/armosec/k8s-armo-collector (private repo) repository: quay.io/armosec/cluster-collector - tag: v0.0.15 + tag: v0.0.16 pullPolicy: Always replicaCount: 1
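Review bot: CONTRIBUTING.md still carries the template placeholder `[INSERT EMAIL ADDRESS]` in its Enforcement section, while CODE_OF_CONDUCT.md in the same change routes reports to `mailto:ben@armosec.io`; either fill in the address or, better, drop the embedded Contributor Covenant 1.4 copy from CONTRIBUTING.md and link to CODE_OF_CONDUCT.md (version 2.0) so the project has one set of rules and one enforcement contact. The Pull Request Process item "Ensure any install or build dependencies are removed before the end of the layer when doing a build" is container-image template text that does not apply to a Helm chart repository; replace it with the checks that matter here (for instance `helm lint` and a `helm template` render of the changed chart) and keep items 2 through 4, which do fit the `dev` -> `master` flow described.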
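Review bot: the README parameter table only gains the renamed `armoScanScheduler.volumes` / `armoScanScheduler.volumeMounts` rows, not the new `armoVulnScanScheduler` block that this same change adds to values.yaml (`enabled`, `name`, `scanSchedule`, `image.repository`, `image.tag`, `image.pullPolicy`, `replicaCount`); add those rows so a user can tell the two schedulers apart and find the second `scanSchedule`, and mention that the chart now also ships the `vulnscan-cronjob-template` ConfigMap.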
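Review bot: in `assets/armo-vulnscan-cronjob-full.yaml`, `schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"` reads the other scheduler's value, while every other reference in the file and the new values.yaml block use `armoVulnScanScheduler`; as written, the new `armoVulnScanScheduler.scanSchedule` key is never consulted, so this should be `{{ .Values.armoVulnScanScheduler.scanSchedule }}`. Three smaller points in the same hunk: `- -headers="Content-Type:application/json"` is a YAML plain scalar, so the double quotes become part of the argument the container receives; quote the whole item instead (`- '-headers=Content-Type:application/json'`). The `request-body-volume` (still marked `# placeholder`) mounts a ConfigMap named `{{ .Values.armoVulnScanScheduler.name }}`, which nothing in this change creates; without it, or without `optional: true`, the rendered CronJob's pods stay in `ContainerCreating`, so either add the ConfigMap to the chart or document which component provides it. Finally, `apiVersion:` sits flush left while `kind:` and the other top-level keys appear indented, which is invalid for a YAML mapping; normalise the asset to column 0, give the container `resources` and a `securityContext` as the init container in the collector StatefulSet gets, and remove the trailing blank lines and the missing newline at end of file.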
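Review bot: the `disconnect-handle` init container in `armo-collector-statefulset.yaml` hardcodes `armo-collector` and `armo-system` instead of `{{ .Values.armoCollector.name }}` and `{{ .Values.armoNameSpace }}` used elsewhere in the template, so under any other release naming it silently does nothing (the delete fails, `dep_exist` is non-zero, the `while` loop is skipped and the init container still exits 0). The same silent path applies when the pod's service account lacks RBAC to `delete` and `get` Deployments, which this change does not add, and in that case the old Deployment keeps reporting alongside the StatefulSet, which is exactly the parallel-reporting situation the comment at the top of the file warns about; distinguish "not found" from "forbidden" and fail the init container on the latter. Also add a `sleep` inside the loop, which currently polls `kubectl get` as fast as it can, and consider a Helm `pre-upgrade` hook Job instead of an init container so the migration does not rerun on every pod restart. `bitnami/kubectl:1.24` is a third-party image referenced by a mutable tag with no `imagePullPolicy`; pin it by digest or move it under values so it can be mirrored like the chart's other images.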
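Review bot: in `armo-vulnscan-recurring-cronjob-config-map.yaml`, `cronjobTemplate: |-` is a block scalar, but `{{ tpl (.Files.Get "assets/armo-vulnscan-cronjob-full.yaml") . }}` expands to a multi-line document of which only the first line receives the four-space indentation; the remaining lines land at the asset's own indentation, end the block scalar and leave the rendered ConfigMap as invalid YAML. Pipe the result through `nindent`, i.e. `cronjobTemplate: |-` followed by `{{ tpl (.Files.Get "assets/armo-vulnscan-cronjob-full.yaml") . | nindent 4 }}`, and confirm with `helm template` that the `data` value round-trips as one document. The template is also not gated on the new `armoVulnScanScheduler.enabled` value, and the name `vulnscan-cronjob-template` is hardcoded while the asset names its own ConfigMap from `.Values.armoVulnScanScheduler.name`; a comment naming the component that reads this ConfigMap would make that coupling visible.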
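Review bot: the new `armoVulnScanScheduler.enabled: true` in values.yaml is not consulted by either of the new templates, so setting it to `false` changes nothing; wrap the ConfigMap template in `{{- if .Values.armoVulnScanScheduler.enabled }}` / `{{- end }}`. `replicaCount: 1` has no meaning for a CronJob and should be dropped. There are now two schedulers with the same `scanSchedule` default of `"0 0 * * *"` (`armoScanScheduler` and `armoVulnScanScheduler`), and the asset file reads one while this block defines the other, so the comment above `scanSchedule` should state what this scheduler triggers and how it differs from `armoScanScheduler`. The image bumps `action-trigger` `v0.0.40` -> `v0.0.45` and `cluster-collector` `v0.0.15` -> `v0.0.16` point at private repositories, so the PR description should say what changed, in particular whether `v0.0.45` is what serves the `v1/triggerAction` path the new CronJob posts to.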