From ec26cebabf0ecd1b3bdcf5156e941aa8bd3ad999 Mon Sep 17 00:00:00 2001 From: undistrobot Date: Wed, 3 Apr 2024 17:28:09 +0000 Subject: [PATCH] update zora chart --- charts/zora/Chart.yaml | 4 +- charts/zora/README.md | 9 ++- .../zora/templates/operator/deployment.yaml | 1 + charts/zora/templates/plugins/trivy-job.yaml | 63 +++++++++++++++++++ charts/zora/templates/plugins/trivy-pvc.yaml | 29 +++++++++ charts/zora/templates/plugins/trivy.yaml | 1 + charts/zora/values.yaml | 12 ++++ 7 files changed, 115 insertions(+), 4 deletions(-) create mode 100644 charts/zora/templates/plugins/trivy-job.yaml create mode 100644 charts/zora/templates/plugins/trivy-pvc.yaml diff --git a/charts/zora/Chart.yaml b/charts/zora/Chart.yaml index 885958e..c0de9a9 100644 --- a/charts/zora/Chart.yaml +++ b/charts/zora/Chart.yaml @@ -17,7 +17,7 @@ name: zora description: A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. icon: https://zora-docs.undistro.io/v0.7/assets/logo.svg type: application -version: 0.8.4-rc3 -appVersion: "v0.8.4-rc3" +version: 0.8.4-rc4 +appVersion: "v0.8.4-rc4" sources: - https://github.com/undistro/zora diff --git a/charts/zora/README.md b/charts/zora/README.md index 0df13ea..7ae60c7 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md @@ -1,6 +1,6 @@ # Zora Helm Chart -![Version: 0.8.4-rc3](https://img.shields.io/badge/Version-0.8.4--rc3-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.4-rc3](https://img.shields.io/badge/AppVersion-v0.8.4--rc3-informational?style=flat-square&color=3CA9DD) +![Version: 0.8.4-rc4](https://img.shields.io/badge/Version-0.8.4--rc4-informational?style=flat-square&color=3CA9DD) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square&color=3CA9DD) ![AppVersion: v0.8.4-rc4](https://img.shields.io/badge/AppVersion-v0.8.4--rc4-informational?style=flat-square&color=3CA9DD) A multi-plugin solution that reports misconfigurations and vulnerabilities by scanning your cluster at scheduled times. @@ -13,7 +13,7 @@ helm repo add undistro https://charts.undistro.io --force-update helm repo update undistro helm upgrade --install zora undistro/zora \ -n zora-system \ - --version 0.8.4-rc3 \ + --version 0.8.4-rc4 \ --create-namespace \ --wait \ --set clusterName="$(kubectl config current-context)" @@ -120,6 +120,11 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. | | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout | | scan.plugins.trivy.insecure | bool | `false` | Allow insecure server connections for Trivy | +| scan.plugins.trivy.persistence.enabled | bool | `true` | Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim | +| scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | Persistence access mode | +| scan.plugins.trivy.persistence.storageClass | string | `""` | Persistence storage class. Let it empty for default storage class | +| scan.plugins.trivy.persistence.storageRequest | string | `"1Gi"` | Persistence storage size | +| scan.plugins.trivy.persistence.downloadJavaDB | bool | `false` | Specifies whether Java vulnerability database should be downloaded on helm install/upgrade | | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml | | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container | | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods | diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml index 0e629e8..d672515 100644 --- a/charts/zora/templates/operator/deployment.yaml +++ b/charts/zora/templates/operator/deployment.yaml @@ -81,6 +81,7 @@ spec: - --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }} - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding - --cronjob-serviceaccount-name=zora-plugins + - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db{{- else }}""{{- end }} {{- if .Values.scan.plugins.annotations}} - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }} {{- end }} diff --git a/charts/zora/templates/plugins/trivy-job.yaml b/charts/zora/templates/plugins/trivy-job.yaml new file mode 100644 index 0000000..a2f6824 --- /dev/null +++ b/charts/zora/templates/plugins/trivy-job.yaml @@ -0,0 +1,63 @@ +# Copyright 2024 Undistro Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.scan.plugins.trivy.persistence.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: trivy-download-db +spec: + ttlSecondsAfterFinished: 0 + template: + spec: + volumes: + - name: trivy-db + persistentVolumeClaim: + claimName: trivy-db + containers: + - name: trivy-download-db + image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}" + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + privileged: false + volumeMounts: + - mountPath: /tmp/trivy-cache + name: trivy-db + command: + - /bin/sh + - -c + - | + time trivy image \ + --debug \ + --no-progress \ + --cache-dir=/tmp/trivy-cache \ + {{- if .Values.scan.plugins.trivy.insecure }} + --insecure \ + {{- end }} + {{- if .Values.scan.plugins.trivy.persistence.downloadJavaDB }} + --download-java-db-only \ + {{- end }} + --download-db-only + env: + - name: SSL_CERT_DIR + value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/" + {{- if .Values.httpsProxy }} + - name: HTTPS_PROXY + value: {{ .Values.httpsProxy | quote }} + - name: NO_PROXY + value: {{ .Values.noProxy | quote }} + {{- end }} + restartPolicy: OnFailure +{{- end }} \ No newline at end of file diff --git a/charts/zora/templates/plugins/trivy-pvc.yaml b/charts/zora/templates/plugins/trivy-pvc.yaml new file mode 100644 index 0000000..3b1100d --- /dev/null +++ b/charts/zora/templates/plugins/trivy-pvc.yaml @@ -0,0 +1,29 @@ +# Copyright 2024 Undistro Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.scan.plugins.trivy.persistence.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: trivy-db +spec: + {{- if .Values.scan.plugins.trivy.persistence.storageClass }} + storageClassName: {{ .Values.scan.plugins.trivy.persistence.storageClass | quote }} + {{- end }} + accessModes: + - {{ .Values.scan.plugins.trivy.persistence.accessMode }} + resources: + requests: + storage: {{ .Values.scan.plugins.trivy.persistence.storageRequest | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml index c308235..22a2d49 100644 --- a/charts/zora/templates/plugins/trivy.yaml +++ b/charts/zora/templates/plugins/trivy.yaml @@ -28,6 +28,7 @@ spec: mountCustomChecksVolume: false securityContext: allowPrivilegeEscalation: false + privileged: false {{- with .Values.scan.plugins.trivy.envFrom }} envFrom: {{- toYaml . | nindent 4}} diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index d8dceb1..c776603 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -229,6 +229,18 @@ scan: # -- Allow insecure server connections for Trivy insecure: false + persistence: + # -- Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim + enabled: true + # -- Persistence access mode + accessMode: ReadWriteOnce + # -- Persistence storage class. Let it empty for default storage class + storageClass: "" + # -- Persistence storage size + storageRequest: 1Gi + # -- Specifies whether Java vulnerability database should be downloaded on helm install/upgrade + downloadJavaDB: false + popeye: # -- Specifies whether the following resources should be skipped by `popeye` scans. # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces;