
Commit 0916778

chore(cluster-shield,shield,sysdig-deploy): release cluster-shield 1.17.0 (#2422)
Co-authored-by: Dario Bonino <[email protected]> Co-authored-by: francesco-furlan <[email protected]>
1 parent 070e538 commit 0916778


15 files changed

+365
-12
lines changed


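--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.16.1
-appVersion: "1.16.1"
+version: 1.17.0
+appVersion: "1.17.0"
 maintainers:
 - name: AlbertoBarba
 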
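--- a/charts/cluster-shield/README.md
+++ b/charts/cluster-shield/README.md
@@ -123,6 +123,8 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | cluster_shield.features.admission_control.excluded_namespaces | The list of namespaces to exclude from the admission control feature | <code>[]</code> |
 | cluster_shield.features.admission_control.posture.enabled | Enable the posture feature on the admission control | <code>true</code> |
 | cluster_shield.features.admission_control.container_vulnerability_management.enabled | Enable the container vulnerability management feature on the admission control | <code>false</code> |
+| cluster_shield.features.admission_control.supply_chain.enabled | Enables the supply_chain feature on the admission control | <code>false</code> |
+| cluster_shield.features.admission_control.supply_chain.image_signature.enabled | Enables the image signature verification sub-feature of the supply chain feature | <code>false</code> |
 | cluster_shield.features.audit.enabled | Enable the Kubernetes Audit feature | <code>false</code> |
 | cluster_shield.features.audit.http_port | The port that will be used to expose the audit endpoints | <code>6443</code> |
 | cluster_shield.features.audit.timeout | The timeout for the audit feature | <code>5</code> |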

charts/cluster-shield/templates/clusterrole.yaml

Lines changed: 1 addition & 1 deletion
@@ -189,7 +189,7 @@ rules:
189189
- list
190190
- watch
191191
{{- end }}
192-
{{- if and (.Values.cluster_shield.features.admission_control.enabled) (.Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled) }}
192+
{{- if and (.Values.cluster_shield.features.admission_control.enabled) (or .Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled (and .Values.cluster_shield.features.admission_control.supply_chain.image_signature.enabled .Values.cluster_shield.features.admission_control.supply_chain.enabled)) }}
193193
- apiGroups:
194194
- ""
195195
resources:
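Review bot: The guard rewritten on new line 192 now opens the same rule block for the supply-chain image-signature path as for container vulnerability management, and the chart's own test for that path asserts the block includes cluster-wide `get` on `secrets`, yet nothing in the template says which of those resources the signature verifier actually reads; add a why-comment above the condition, e.g. `{{- /* image_signature verification reuses the CVM read rules; list the resources it needs here so the grant (secrets in particular) can be narrowed later */ -}}`. The single-line expression is also hard to read and to keep in sync with the value names; binding `$imageSig := and .Values.cluster_shield.features.admission_control.supply_chain.enabled .Values.cluster_shield.features.admission_control.supply_chain.image_signature.enabled` just above and using `(or ...container_vulnerability_management.enabled $imageSig)` keeps the condition on one readable line. The `rules:` list this belongs to begins and continues outside the hunk.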

charts/cluster-shield/tests/clusterrole_test.yaml

Lines changed: 181 additions & 0 deletions
@@ -1581,3 +1581,184 @@ tests:
15811581
- get
15821582
- watch
15831583
- patch # needed to remove finalizers, which could prevent deletion
1584+
- it: Test image_signature enabled
1585+
set:
1586+
cluster_shield:
1587+
features:
1588+
admission_control:
1589+
enabled: true
1590+
supply_chain:
1591+
enabled: true
1592+
image_signature:
1593+
enabled: true
1594+
asserts:
1595+
- isKind:
1596+
of: ClusterRole
1597+
- isAPIVersion:
1598+
of: rbac.authorization.k8s.io/v1
1599+
- contains:
1600+
path: rules
1601+
content:
1602+
apiGroups:
1603+
- ""
1604+
resources:
1605+
- pods
1606+
- configmaps
1607+
- secrets
1608+
- serviceaccounts
1609+
- namespaces
1610+
verbs:
1611+
- get
1612+
- contains:
1613+
path: rules
1614+
content:
1615+
apiGroups:
1616+
- apps
1617+
resources:
1618+
- daemonsets
1619+
- deployments
1620+
- statefulsets
1621+
verbs:
1622+
- get
1623+
- update
1624+
- watch
1625+
- contains:
1626+
path: rules
1627+
content:
1628+
apiGroups:
1629+
- ""
1630+
resources:
1631+
- pods
1632+
verbs:
1633+
- delete
1634+
- get
1635+
- contains:
1636+
path: rules
1637+
content:
1638+
apiGroups:
1639+
- batch
1640+
resources:
1641+
- jobs
1642+
verbs:
1643+
- get
1644+
- contains:
1645+
path: rules
1646+
content:
1647+
apiGroups:
1648+
- apps
1649+
resources:
1650+
- daemonsets
1651+
- deployments
1652+
- statefulsets
1653+
verbs:
1654+
- get
1655+
- contains:
1656+
path: rules
1657+
content:
1658+
apiGroups:
1659+
- networking.k8s.io
1660+
resources:
1661+
- networkpolicies
1662+
verbs:
1663+
- create
1664+
- contains:
1665+
path: rules
1666+
content:
1667+
apiGroups:
1668+
- networking.k8s.io
1669+
resources:
1670+
- networkpolicies
1671+
verbs:
1672+
- get
1673+
- delete
1674+
- contains:
1675+
path: rules
1676+
content:
1677+
apiGroups:
1678+
- batch
1679+
resources:
1680+
- jobs
1681+
verbs:
1682+
- get
1683+
- contains:
1684+
path: rules
1685+
content:
1686+
apiGroups:
1687+
- apps
1688+
resources:
1689+
- daemonsets
1690+
- deployments
1691+
- statefulsets
1692+
- replicasets
1693+
verbs:
1694+
- get
1695+
- contains:
1696+
path: rules
1697+
content:
1698+
apiGroups:
1699+
- ""
1700+
resources:
1701+
- pods
1702+
verbs:
1703+
- list
1704+
- contains:
1705+
path: rules
1706+
content:
1707+
apiGroups:
1708+
- ""
1709+
resources:
1710+
- pods/log
1711+
verbs:
1712+
- get
1713+
- contains:
1714+
path: rules
1715+
content:
1716+
apiGroups:
1717+
- batch
1718+
resources:
1719+
- jobs
1720+
verbs:
1721+
- get
1722+
- contains:
1723+
path: rules
1724+
content:
1725+
apiGroups:
1726+
- apps
1727+
resources:
1728+
- daemonsets
1729+
- deployments
1730+
- statefulsets
1731+
- replicasets
1732+
verbs:
1733+
- get
1734+
- contains:
1735+
path: rules
1736+
content:
1737+
apiGroups:
1738+
- ""
1739+
resources:
1740+
- pods
1741+
verbs:
1742+
- list
1743+
- contains:
1744+
path: rules
1745+
content:
1746+
apiGroups:
1747+
- snapshot.storage.k8s.io
1748+
resources:
1749+
- volumesnapshots
1750+
verbs:
1751+
- create
1752+
- watch
1753+
- contains:
1754+
path: rules
1755+
content:
1756+
apiGroups:
1757+
- snapshot.storage.k8s.io
1758+
resources:
1759+
- volumesnapshots
1760+
verbs:
1761+
- delete
1762+
- get
1763+
- watch
1764+
- patch
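Review bot: The new case only exercises the fully-enabled combination, so the `and` in the template guard (both `supply_chain.enabled` and `supply_chain.image_signature.enabled` required) is never checked in the negative; unless an earlier case in this file already does so, a case setting `image_signature.enabled: true` with `supply_chain.enabled: false` and asserting `notContains` for the secrets-reading rule would pin that behaviour, which matters because that rule is the one granting cluster-wide `get` on `secrets`. Several `contains` assertions are verbatim duplicates: the `batch`/`jobs`/`get` rule appears three times (new lines 1639-1643, 1678-1682, 1717-1721), the `apps` rule with `replicasets` twice, and the `""`/`pods`/`list` rule twice, and each repeat only re-proves an earlier assertion, so they can be dropped without losing coverage. The `tests:` list this case belongs to begins outside the hunk.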

charts/cluster-shield/values.schema.json

Lines changed: 49 additions & 0 deletions
@@ -1299,6 +1299,9 @@
12991299
"posture": {
13001300
"$ref": "#/$defs/ClusterShieldConfiguration/$defs/AdmissionControlPosture"
13011301
},
1302+
"supply_chain": {
1303+
"$ref": "#/$defs/ClusterShieldConfiguration/$defs/AdmissionControlSupplyChain"
1304+
},
13021305
"http_port": {
13031306
"type": "integer",
13041307
"default": 8443,
@@ -1414,6 +1417,52 @@
14141417
}
14151418
}
14161419
},
1420+
"AdmissionControlSupplyChain": {
1421+
"type": "object",
1422+
"properties": {
1423+
"enabled": {
1424+
"type": "boolean",
1425+
"description": "Enable Supply Chain checks",
1426+
"default": false
1427+
},
1428+
"image_signature": {
1429+
"type": "object",
1430+
"$ref": "#/$defs/ClusterShieldConfiguration/$defs/AdmissionControlSupplyChainImage"
1431+
}
1432+
}
1433+
},
1434+
"AdmissionControlSupplyChainImage": {
1435+
"type": "object",
1436+
"properties": {
1437+
"enabled": {
1438+
"type": "boolean",
1439+
"description": "Enable Supply Chain checks",
1440+
"default": false
1441+
},
1442+
"cosign": {
1443+
"type": "object",
1444+
"$ref": "#/$defs/ClusterShieldConfiguration/$defs/AdmissionControlSupplyChainImageCosign"
1445+
}
1446+
}
1447+
},
1448+
"AdmissionControlSupplyChainImageCosign": {
1449+
"type": "object",
1450+
"description": "Cosign-like initialization parameters for image signature enforcer",
1451+
"properties": {
1452+
"mirror": {
1453+
"type": "string",
1454+
"description": "The URL of The Update Framework (TUF) server used for retrieving sigstore-compliant trust information. If not specified, the default public sigstore TUF url will be used."
1455+
},
1456+
"root": {
1457+
"type": "string",
1458+
"description": "The filepath or URL where an out-of-the-band copy of The Update Framework (TUF) root JSON file is available. In case a filepath is used, it can be made available through a custom volume mount pointing at a dedicated secret and/or configmap."
1459+
},
1460+
"root_checksum": {
1461+
"type": "string",
1462+
"description": "The checksum for The Update Framework (TUF) root JSON file. Checksum value should be in the format: <algorithm>:<value> where supported algorithms are: sha256 and sha512. If no algorithm is specified, sha256 will be used."
1463+
}
1464+
}
1465+
},
14171466
"Cache": {
14181467
"type": "object",
14191468
"description": "Configuration for the cluster shield cache",
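Review bot: The `enabled` description under `AdmissionControlSupplyChainImage` (new line 1439) is copied from the parent, `"Enable Supply Chain checks"`, although this flag controls image signature verification as the sibling values and README wording in this commit state; change it to `"description": "Enable image signature verification within the supply chain checks"`. The new `image_signature` and `cosign` entries pair `"type": "object"` with `$ref`, whereas the existing `posture` entry above uses a bare `$ref`; under draft-07 and earlier keywords beside `$ref` are ignored, so drop the `type` for consistency (the schema's declared draft is not visible here). `root_checksum` is documented as `<algorithm>:<value>` with sha256 or sha512; adding `"pattern": "^((sha256|sha512):)?[0-9a-fA-F]+$"` would reject a malformed trust-anchor checksum at install time rather than at runtime.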

charts/cluster-shield/values.yaml

Lines changed: 6 additions & 0 deletions
@@ -107,6 +107,12 @@ cluster_shield:
107107
container_vulnerability_management:
108108
# Enable the container vulnerability management feature on the admission control
109109
enabled: false
110+
supply_chain:
111+
# Enables the supply_chain feature on the admission control
112+
enabled: false
113+
image_signature:
114+
# Enables the image signature verification sub-feature of the supply chain feature
115+
enabled: false
110116
audit:
111117
# Enable the Kubernetes Audit feature
112118
enabled: false
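Review bot: The defaults add only the two `enabled` switches (new lines 110-115), while the schema in this same commit defines a `cosign` object (`mirror`, `root`, `root_checksum`) under `image_signature` that has no default or comment here, so an operator reading values.yaml cannot discover how to pin a private TUF root, unless it is documented elsewhere in the file. Add a commented stub under `image_signature`, e.g. `# cosign:` / `#   root: ""` / `#   root_checksum: ""`, with a one-line note that a filepath `root` must be made available through a custom volume mount, as the schema description says. The `admission_control:` mapping this sits in begins outside the hunk.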

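--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 
 type: application
-version: 1.21.4
+version: 1.22.0
 appVersion: "1.0.0"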
