Merge pull request #22 from armosec/dev

Support customized host sensor
armosec · Mar 6, 2022 · 99e708e · 99e708e
2 parents fbc4ab4 + e384ba9
commit 99e708e
Show file tree

Hide file tree

Showing 8 changed files with 122 additions and 9 deletions.
diff --git a/charts/armo-components/Chart.yaml b/charts/armo-components/Chart.yaml
@@ -17,13 +17,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.6.7
+version: 1.6.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v1.6.7"
+appVersion: "v1.6.8"
 
 maintainers:
     - name: Ben Hirschberg

diff --git a/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml b/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml
@@ -28,6 +28,8 @@ apiVersion: batch/v1
                 - --submit
                 - --logger
                 - debug
+                - --host-scan-yaml
+                - /root/.kubescape/host-sensor.yaml
                 {{ if .Values.armoKubescape.enableHostScan }}
                 - --enable-host-scan
                 {{ end }}
@@ -43,10 +45,16 @@ apiVersion: batch/v1
                 - name: kubescape-config-volume
                   mountPath: /root/.kubescape/config.json
                   subPath: config.json
+                - name: host-sensor-definition
+                  mountPath: /root/.kubescape/host-sensor.yaml
+                  subPath: host-sensor-yaml
               restartPolicy: OnFailure
               serviceAccountName: {{ .Values.global.armoKubescapeServiceAccountName }}
               automountServiceAccountToken: true
               volumes:
               - name: kubescape-config-volume
                 configMap:
                   name: {{ .Values.armoKubescape.name }}-config
+              - name: host-sensor-definition
+                configMap:
+                  name: host-sensor-definition
diff --git a/charts/armo-components/assets/armo-kubescape-job-full.yaml b/charts/armo-components/assets/armo-kubescape-job-full.yaml
@@ -24,7 +24,9 @@ apiVersion: batch/v1
             args: 
             - --submit
             - --logger
-            - debug
+            - debug  
+            - --host-scan-yaml
+            - /root/.kubescape/host-sensor.yaml
             {{ if .Values.armoKubescape.enableHostScan }}
             - --enable-host-scan
             {{ end }}
@@ -37,10 +39,16 @@ apiVersion: batch/v1
             - name: kubescape-config-volume
               mountPath: /root/.kubescape/config.json
               subPath: config.json
+            - name: host-sensor-definition
+              mountPath: /root/.kubescape/host-sensor.yaml
+              subPath: host-sensor-yaml
           restartPolicy: Never
           serviceAccountName: {{ .Values.global.armoKubescapeServiceAccountName }}
           automountServiceAccountToken: true
           volumes:
           - name: kubescape-config-volume
             configMap:
               name: {{ .Values.armoKubescape.name }}-config
+          - name: host-sensor-definition
+            configMap:
+              name: host-sensor-definition
diff --git a/charts/armo-components/assets/host-sensor-definition.yaml b/charts/armo-components/assets/host-sensor-definition.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: kubescape-host-scanner
+    k8s-app: kubescape-host-scanner
+    kubernetes.io/metadata.name: kubescape-host-scanner
+    tier: kubescape-host-scanner-control-plane
+  name: kubescape-host-scanner
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: host-scanner
+  namespace: kubescape-host-scanner
+  labels:
+    app: host-scanner
+    k8s-app: kubescape-host-scanner
+spec:
+  selector:
+    matchLabels:
+      name: host-scanner
+  template:
+    metadata:
+      labels:
+        name: host-scanner
+    spec:
+      tolerations:
+      # this toleration is to have the DaemonDet runnable on master nodes
+      # remove it if your masters can't run pods
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      containers:
+      - name: host-sensor
+        image: quay.io/armosec/kube-host-sensor:latest
+        securityContext:
+          privileged: true
+          readOnlyRootFilesystem: true
+          procMount: Unmasked
+        ports:
+          - name: scanner # Do not change port name
+            hostPort: 7888
+            containerPort: 7888
+            protocol: TCP
+        resources:
+          limits:
+            cpu: 0.1m
+            memory: 200Mi
+          requests:
+            cpu: 0.1m
+            memory: 200Mi
+        volumeMounts:
+        - mountPath: /host_fs
+          name: host-filesystem
+        readinessProbe:
+          httpGet:
+            path: /kernelVersion
+            port: 7888
+            initialDelaySeconds: 1
+            periodSeconds: 1
+      terminationGracePeriodSeconds: 120
+      dnsPolicy: ClusterFirstWithHostNet
+      automountServiceAccountToken: false
+      volumes:
+      - hostPath:
+          path: /
+          type: Directory
+        name: host-filesystem
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
diff --git a/charts/armo-components/templates/armo-kubescape-cronjob.yaml b/charts/armo-components/templates/armo-kubescape-cronjob.yaml
@@ -54,7 +54,9 @@ spec:
             - scan
             - --submit
             - --logger
-            - debug
+            - debug    
+            - --host-scan-yaml
+            - /root/.kubescape/host-sensor.yaml
             {{ if .Values.armoKubescape.enableHostScan }}
             - --enable-host-scan
             {{ end }}
@@ -70,10 +72,16 @@ spec:
             - name: kubescape-config-volume
               mountPath: /root/.kubescape/config.json
               subPath: config.json
+            - name: host-sensor-definition
+              mountPath: /root/.kubescape/host-sensor.yaml
+              subPath: host-sensor-yaml
           restartPolicy: OnFailure
           serviceAccountName: {{ .Values.global.armoKubescapeServiceAccountName }}
           automountServiceAccountToken: true
           volumes:
           - name: kubescape-config-volume
             configMap:
               name: {{ .Values.armoKubescape.name }}-config
+          - name: host-sensor-definition
+            configMap:
+              name: host-sensor-definition
diff --git a/charts/armo-components/templates/armo-kubescape-host-sensor-definition-config-map.yaml b/charts/armo-components/templates/armo-kubescape-host-sensor-definition-config-map.yaml
@@ -0,0 +1,11 @@
+kind: ConfigMap 
+apiVersion: v1 
+metadata:
+  name: host-sensor-definition
+  namespace: {{ .Values.armoNameSpace }}
+  labels:
+    app: {{ .Values.global.beConfig }}
+    tier: {{ .Values.global.namespaceTier }}
+data:
+  host-sensor-yaml: |-
+{{ .Files.Get "assets/host-sensor-definition.yaml" | indent 6 }}
diff --git a/charts/armo-components/templates/armo-kubescape-job.yaml b/charts/armo-components/templates/armo-kubescape-job.yaml
@@ -42,7 +42,9 @@ spec:
         - scan
         - --submit
         - --logger
-        - debug
+        - debug        
+        - --host-scan-yaml
+        - /root/.kubescape/host-sensor.yaml
         {{ if .Values.armoKubescape.enableHostScan }}
         - --enable-host-scan
         {{ end }}
@@ -58,10 +60,16 @@ spec:
         - name: kubescape-config-volume
           mountPath: /root/.kubescape/config.json
           subPath: config.json
+        - name: host-sensor-definition
+          mountPath: /root/.kubescape/host-sensor.yaml
+          subPath: host-sensor-yaml
       restartPolicy: OnFailure
       serviceAccountName: {{ .Values.global.armoKubescapeServiceAccountName }}
       automountServiceAccountToken: true
       volumes:
       - name: kubescape-config-volume
         configMap:
           name: {{ .Values.armoKubescape.name }}-config
+      - name: host-sensor-definition
+        configMap:
+          name: host-sensor-definition
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml
@@ -99,7 +99,7 @@ armoKubescape:
   scanSchedule:  "0 8 * * *"
   image:
     repository: quay.io/armosec/kubescape
-    tag: v2.0.148
+    tag: v2.0.149
     pullPolicy: Always
 
   resources:
@@ -138,8 +138,6 @@ armoWebsocket:
            #       * * * * *
   scanSchedule: "*/5 * * * *"
 
-  ## armo vulnerability scanner container image
-  ##
   image:
     repository: quay.io/armosec/k8s-ca-websocket-ubi
     tag: 448
@@ -185,7 +183,7 @@ armoVulnScanner:
   ##
   image:
     repository: quay.io/armosec/k8s-ca-vuln-scan-ubi
-    tag: 113
+    tag: 117
     pullPolicy: Always
 
   replicaCount: 1