feat: add wiz manifests #8679
base: dev
Changes from all commits
@@ -0,0 +1,39 @@ | ||
{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} | ||
# --- | ||
# # We are using ClusterRole readonly created by default in the cluster instead of creating new one provided by wiz | ||
# # Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml | ||
# apiVersion: rbac.authorization.k8s.io/v1 | ||
# kind: ClusterRole | ||
# metadata: | ||
# name: wiz-cluster-reader | ||
# labels: | ||
# helm.sh/chart: wiz-kubernetes-connector-3.1.1 | ||
# app.kubernetes.io/name: wiz-kubernetes-connector | ||
# app.kubernetes.io/instance: wiz-connector | ||
# app.kubernetes.io/version: "2.5" | ||
# app.kubernetes.io/managed-by: Helm | ||
# rules: | ||
# - apiGroups: ["*"] | ||
# resources: ["*"] | ||
# verbs: ["get", "list", "watch"] | ||
Comment on lines +5 to +18: Do we want to keep this manifest here? I think the comment is sufficient to communicate that we don't need a global reader role 🤔
--- | ||
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: wiz-cluster-reader | ||
labels: | ||
helm.sh/chart: wiz-kubernetes-connector-3.1.1 | ||
app.kubernetes.io/name: wiz-kubernetes-connector | ||
app.kubernetes.io/instance: wiz-connector | ||
app.kubernetes.io/version: "2.5" | ||
app.kubernetes.io/managed-by: Helm | ||
Comment on lines +25 to +30: Are these labels important for the Wiz deployment? I think we might need to remove the ones related to
I see a similar concern was raised by Martin in another manifest, so let's fix the labels for all manifests 🙂
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: readonly # readonly role created by default in out kubernetes environment | ||
subjects: | ||
- kind: ServiceAccount | ||
name: wiz-cluster-reader | ||
namespace: "wiz" | ||
{{end}} |
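Review bot: the binding on lines +19 to +39 grants the `wiz-cluster-reader` service account in namespace `wiz` the cluster-wide `readonly` ClusterRole, and the commented-out vendor role above it (lines +5 to +18) shows what the connector was designed for: `get`, `list`, `watch` on every resource in every API group, which would include Secrets in all namespaces. Before merging, confirm and document next to the binding whether the cluster's `readonly` role excludes `secrets` and other sensitive resources, since that difference is the whole reason for substituting it; if the connector turns out to need more than `readonly` provides, add a narrowly scoped role rather than the vendor wildcard. Two smaller points: the ServiceAccount `wiz-cluster-reader` that `subjects` refers to is not created in this hunk, so make sure it (and the `wiz` namespace) lives inside the same `wiz_enable_runtime_monitoring_daemonset` conditional; and the comment on the `name: readonly` line reads "out kubernetes environment", which should be "our". I agree with the earlier comment that the commented-out manifest can go; a one-line comment pointing at the upstream source file is enough.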
@@ -0,0 +1,81 @@ | ||
{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} | ||
--- | ||
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/wiz-broker-deployment.yaml | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: wiz-connector-agent | ||
namespace: "wiz" | ||
labels: | ||
helm.sh/chart: wiz-broker-2.1.0 | ||
app.kubernetes.io/name: wiz-broker | ||
app.kubernetes.io/instance: wiz-connector | ||
app.kubernetes.io/version: "2.5" | ||
app.kubernetes.io/managed-by: Helm | ||
vinaythupili marked this conversation as resolved.
application: "wiz" | ||
component: "connector" | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: wiz-broker | ||
app.kubernetes.io/instance: wiz-connector | ||
template: | ||
metadata: | ||
annotations: | ||
rollme: "Cd4Gg" | ||
Comment on lines +25 to +26: What's the purpose of this annotation? Is it to control rolling updates? We already have the CLM perform updates upon manifest changes made in the repository.
labels: | ||
helm.sh/chart: wiz-broker-2.1.0 | ||
app.kubernetes.io/name: wiz-broker | ||
app.kubernetes.io/instance: wiz-connector | ||
app.kubernetes.io/version: "2.5" | ||
app.kubernetes.io/managed-by: Helm | ||
spec: | ||
serviceAccountName: wiz-broker | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
volumes: | ||
- name: connector-data | ||
secret: | ||
secretName: wiz-connector-connector | ||
items: | ||
- key: connectorData | ||
path: data | ||
containers: | ||
- name: wiz-broker | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5" | ||
In our environment all images need to come from
You probably need to create an internal repository that "republishes" this public image to our internal ECR registry and then use the link as Martin suggests here. I communicated in our internal chat thread.
imagePullPolicy: Always | ||
Images pulled are always cached by the runtime and reusing the cached image also results in faster pod startup times. This is only set to
volumeMounts: | ||
- name: connector-data | ||
mountPath: /etc/connectorData | ||
readOnly: true | ||
args: [ | ||
/etc/connectorData/data | ||
] | ||
Comment on lines +57 to +59: It's a lot cleaner to specify a list with args:
- /etc/connectorData/data
We use the same format in all of the repository, e.g. see: https://github.com/zalando-incubator/kubernetes-on-aws/blob/dev/cluster/manifests/role-sync-controller/cronjob.yaml#L31
env: | ||
- name: LOG_LEVEL | ||
value: info | ||
- name: WIZ_ENV | ||
value: | ||
Comment on lines +63 to +64: Do we want to create an empty environment variable?
- name: WIZ_CLIENT_ID | ||
valueFrom: | ||
secretKeyRef: | ||
name: wiz-api-token | ||
key: clientId | ||
- name: WIZ_CLIENT_TOKEN | ||
valueFrom: | ||
secretKeyRef: | ||
name: wiz-api-token | ||
key: clientToken | ||
- name: TARGET_IP | ||
value: kubernetes.default.svc.cluster.local | ||
- name: TARGET_PORT | ||
value: "443" | ||
resources: | ||
null | ||
{{end}} |
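Review bot: `resources: null` at the end of the container spec means the broker runs with no CPU or memory requests or limits, so the pod lands in the BestEffort QoS class, is the first candidate for eviction under node pressure and can consume an unbounded share of the node; set explicit `requests` and `limits`. The container `securityContext` (lines +47 to +50) is a good start with `runAsNonRoot` and `allowPrivilegeEscalation: false`, but a process that only reads `/etc/connectorData/data` and talks to `kubernetes.default.svc.cluster.local:443` should also drop all capabilities (`capabilities: { drop: ["ALL"] }`), set `readOnlyRootFilesystem: true` and a `seccompProfile` of `RuntimeDefault`; verify the image still starts with those before adding them. The `rollme: "Cd4Gg"` annotation is a static value copied from the rendered chart, so it never changes and has no effect here. Also, `WIZ_ENV` with a bare `value:` renders as null rather than an empty string; either write `value: ""` as the delete job does or drop the variable.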
@@ -0,0 +1,171 @@ | ||
{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} | ||
--- | ||
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-create-connector.yaml | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: wiz-kubernetes-connector-create-connector | ||
namespace: "wiz" | ||
labels: | ||
helm.sh/chart: wiz-kubernetes-connector-3.1.1 | ||
app.kubernetes.io/name: wiz-kubernetes-connector | ||
app.kubernetes.io/instance: wiz-connector | ||
app.kubernetes.io/version: "2.5" | ||
app.kubernetes.io/managed-by: Helm | ||
application: "wiz" | ||
component: "connector" | ||
annotations: | ||
"helm.sh/hook": pre-install,pre-upgrade | ||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded | ||
rollme.wizApiTokenHash: ce8124bc1b0fbc0cb5cd47338ca0c7d5f5446d79936e443a201d96b192a7bd65 | ||
rollme.proxyHash: 9aa53d69075371b3fa23ebeea2fd2416ea81fb533499d071ca2d576f17c7c886 | ||
rollme.brokerHash: 115ba85431eeaf8db3ff2173aee02d16e67df1555d5e1ef74cfa7ac0d812cab2 | ||
These values look like they are computed based on the configuration value in order to trigger an update when they change. Having these values static here doesn't provide any value. We do have similar functionality which can be used if it's really needed.
I commented the same on the
|
spec: | ||
ttlSecondsAfterFinished: 60 | ||
manualSelector: true | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: wiz-kubernetes-connector | ||
app.kubernetes.io/instance: wiz-connector | ||
Comment on lines +29 to +30: I think we probably need to change these labels to
backoffLimit: 1 | ||
template: | ||
metadata: | ||
labels: | ||
|
helm.sh/chart: wiz-kubernetes-connector-3.1.1 | ||
app.kubernetes.io/name: wiz-kubernetes-connector | ||
app.kubernetes.io/instance: wiz-connector | ||
app.kubernetes.io/version: "2.5" | ||
app.kubernetes.io/managed-by: Helm | ||
spec: | ||
serviceAccountName: wiz-auto-modify-connector | ||
restartPolicy: "Never" | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
containers: | ||
- name: wiz-connector-creator | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5" | ||
imagePullPolicy: Always | ||
Comment on lines +53 to +54: Same comments here to update the image URL and
command: | ||
- "wiz-broker" | ||
args: | ||
|
nit: remove empty line
- create-kubernetes-connector | ||
- --api-server-endpoint | ||
- "https://kubernetes.default.svc.cluster.local" | ||
- --secrets-namespace | ||
- "wiz" | ||
- --service-account-token-secret-name | ||
- "wiz-cluster-reader-token" | ||
- --output-secret-name | ||
- "wiz-connector-connector" | ||
- --is-on-prem=true | ||
- --service-type | ||
- "Kubernetes" | ||
- --wait=true | ||
env: | ||
- name: LOG_LEVEL | ||
value: info | ||
- name: WIZ_CLIENT_ID | ||
valueFrom: | ||
secretKeyRef: | ||
name: wiz-api-token | ||
key: clientId | ||
optional: false | ||
- name: WIZ_CLIENT_TOKEN | ||
valueFrom: | ||
secretKeyRef: | ||
name: wiz-api-token | ||
key: clientToken | ||
optional: false | ||
- name: WIZ_ENV | ||
value: | ||
resources: | ||
null | ||
--- | ||
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-delete-connector.yaml | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: wiz-kubernetes-connector-delete-connector | ||
namespace: "wiz" | ||
labels: | ||
helm.sh/chart: wiz-kubernetes-connector-3.1.1 | ||
app.kubernetes.io/name: wiz-kubernetes-connector | ||
app.kubernetes.io/instance: wiz-connector | ||
app.kubernetes.io/version: "2.5" | ||
app.kubernetes.io/managed-by: Helm | ||
application: "wiz" | ||
component: "connector" | ||
annotations: | ||
"helm.sh/hook": pre-delete | ||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded | ||
rollme.proxyHash: 9aa53d69075371b3fa23ebeea2fd2416ea81fb533499d071ca2d576f17c7c886 | ||
rollme.brokerHash: 115ba85431eeaf8db3ff2173aee02d16e67df1555d5e1ef74cfa7ac0d812cab2 | ||
|
spec: | ||
ttlSecondsAfterFinished: 60 | ||
manualSelector: true | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: wiz-kubernetes-connector | ||
app.kubernetes.io/instance: wiz-connector | ||
backoffLimit: 1 | ||
template: | ||
metadata: | ||
labels: | ||
|
nit: remove empty line.
helm.sh/chart: wiz-kubernetes-connector-3.1.1 | ||
app.kubernetes.io/name: wiz-kubernetes-connector | ||
app.kubernetes.io/instance: wiz-connector | ||
app.kubernetes.io/version: "2.5" | ||
app.kubernetes.io/managed-by: Helm | ||
spec: | ||
serviceAccountName: wiz-auto-modify-connector | ||
restartPolicy: "Never" | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
containers: | ||
- name: wiz-connector-delete | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
runAsNonRoot: true | ||
runAsUser: 1000 | ||
image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5" | ||
imagePullPolicy: Always | ||
Comment on lines +141 to +142: same suggestion here to update this
command: ["/bin/sh", "-c"] | ||
args: | ||
- > | ||
wiz-broker delete-kubernetes-connector | ||
--input-secrets-namespace | ||
"default" | ||
I think this namespace should be
I'm looking at the
--input-secret-name | ||
"wiz-connector-connector" | ||
|| true | ||
env: | ||
- name: LOG_LEVEL | ||
value: info | ||
- name: WIZ_CLIENT_ID | ||
valueFrom: | ||
secretKeyRef: | ||
name: wiz-api-token | ||
key: clientId | ||
optional: false | ||
- name: WIZ_CLIENT_TOKEN | ||
valueFrom: | ||
secretKeyRef: | ||
name: wiz-api-token | ||
key: clientToken | ||
optional: false | ||
- name: WIZ_ENV | ||
value: "" | ||
Comment on lines +167 to +168: do we need an empty env var?
resources: | ||
null | ||
{{end}} |
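Review bot: both Jobs set `manualSelector: true` with the identical selector (`app.kubernetes.io/name: wiz-kubernetes-connector`, `app.kubernetes.io/instance: wiz-connector`) and pod templates carrying the same labels, so each Job controller also matches the other Job's pods and will count them towards its own completions and failures; `manualSelector` is only safe when the selector is unique to that Job, so either drop it and let Kubernetes generate the controller-uid selector, or add a distinguishing label such as `component: create-connector` / `component: delete-connector` to selector and template alike. Related: the `helm.sh/hook: pre-install,pre-upgrade` and `helm.sh/hook: pre-delete` annotations (lines +20 and +107) only mean something when Helm installs the chart; applied as plain manifests by the CLM, the create and the delete Job are created together whenever the manifests are applied, not at install and uninstall time, and the delete command's trailing `|| true` hides any failure of `delete-kubernetes-connector`. Consider leaving the delete Job out of this file for the non-Helm flow and making the create Job safe to re-run, since `ttlSecondsAfterFinished: 60` together with `before-hook-creation` only handles cleanup under Helm. The create Job writes its output to `--secrets-namespace "wiz"` while the delete Job reads from `--input-secrets-namespace "default"`; these should be the same namespace. Finally, the create Job expects a Secret `wiz-cluster-reader-token` in `wiz` and a ServiceAccount `wiz-auto-modify-connector` allowed to read it and to create `wiz-connector-connector`; neither object nor the RBAC for it appears in this hunk, so please point to where they are defined.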
nit: Missing empty line at the end 😅