From 547990614e1221b092cfafa422c093d2d1d294b2 Mon Sep 17 00:00:00 2001 From: Adi Shaull Date: Tue, 11 Jul 2023 15:21:35 +0300 Subject: [PATCH 1/3] SLK-69062 Update community operator with the new KE deployment requirements --- .../aquastarboard/aquaStarboardHelper.go | 17 ++++++++++++++++- .../aquakubeenforcer/aquaKubeEnforcerHelper.go | 12 ++++++++++++ docs/DeployOpenShiftOperator.md | 2 +- pkg/consts/consts.go | 4 ++-- test/consts/testing_consts.go | 2 +- 5 files changed, 32 insertions(+), 5 deletions(-) diff --git a/controllers/aquasecurity/aquastarboard/aquaStarboardHelper.go b/controllers/aquasecurity/aquastarboard/aquaStarboardHelper.go index b77cbcb8..0ba75de2 100644 --- a/controllers/aquasecurity/aquastarboard/aquaStarboardHelper.go +++ b/controllers/aquasecurity/aquastarboard/aquaStarboardHelper.go @@ -74,6 +74,17 @@ func (enf *AquaStarboardHelper) CreateStarboardClusterRole(name string, namespac "get", "list", "watch", }, }, + { + APIGroups: []string{ + "apps.openshift.io", + }, + Resources: []string{ + "deploymentconfigs", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, { APIGroups: []string{ "batch", @@ -131,7 +142,7 @@ func (enf *AquaStarboardHelper) CreateStarboardClusterRole(name string, namespac }, { APIGroups: []string{ - "networking.k8s.io", + "networking.k8s.io", "extensions", }, Resources: []string{ "networkpolicies", "ingresses", @@ -573,6 +584,10 @@ func (ebf *AquaStarboardHelper) getStarboardEnvVars(cr *aquasecurityv1alpha1.Aqu Name: "OPERATOR_HEALTH_PROBE_BIND_ADDRESS", Value: consts.OperatorHealthProbeBindAddress, }, + { + Name: "OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS", + Value: "true", + }, } operatorLogDevMode := corev1.EnvVar{ Name: "OPERATOR_LOG_DEV_MODE", diff --git a/controllers/operator/aquakubeenforcer/aquaKubeEnforcerHelper.go b/controllers/operator/aquakubeenforcer/aquaKubeEnforcerHelper.go index f818023c..062516b7 100644 --- a/controllers/operator/aquakubeenforcer/aquaKubeEnforcerHelper.go 
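Review bot: The new `apps.openshift.io` / `deploymentconfigs` rule in CreateStarboardClusterRole (hunk `@@ -74,6 +74,17 @@`) has no comment saying it exists only for OpenShift, and the same literal is repeated in CreateKubeEnforcerClusterRole in aquaKubeEnforcerHelper.go. The verbs are read-only (`get`, `list`, `watch`), so the grant stays narrow, but someone auditing this ClusterRole on a cluster without that API group cannot tell why the entry is there. I would put a comment above the rule in both places, for example `// OpenShift only: read access to DeploymentConfigs; no write verbs are required.` (the author should confirm the wording). The function body starts and ends outside this hunk.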
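Review bot: Adding `"extensions"` to the APIGroups of the `networkpolicies` / `ingresses` rule (hunk `@@ -131,7 +142,7 @@`) extends whatever verbs that rule carries to the legacy group. The Verbs list is outside the hunk, so the effective grant cannot be checked from here. Upstream Kubernetes stopped serving NetworkPolicy under `extensions/v1beta1` in 1.16 and Ingress in 1.22, so the entry only has an effect on older clusters. If those are the target, record it with a comment such as `// "extensions": legacy group for Ingress/NetworkPolicy on clusters older than 1.22`, and confirm that the rule's verbs are read-only.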
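Review bot: `OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS` (hunk `@@ -573,6 +584,10 @@`) gets its value from the string literal `"true"`, while the entry just above it uses `consts.OperatorHealthProbeBindAddress`. Going by its name, the flag narrows config-audit scanning to current revisions, so hard-coding it changes scan coverage for every deployment, and this hunk shows no way to override it from the CR. I would move the value into the consts package beside the other operator defaults, e.g. `Value: consts.OperatorConfigAuditScanOnlyCurrentRevisions,` (the constant name is only a suggestion), and add a one-line comment saying why older revisions are skipped. getStarboardEnvVars continues outside the hunk.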
+++ b/controllers/operator/aquakubeenforcer/aquaKubeEnforcerHelper.go @@ -80,6 +80,17 @@ func (enf *AquaKubeEnforcerHelper) CreateKubeEnforcerClusterRole(name string, na "get", "list", "watch", }, }, + { + APIGroups: []string{ + "apps.openshift.io", + }, + Resources: []string{ + "deploymentconfigs", + }, + Verbs: []string{ + "get", "list", "watch", + }, + }, { APIGroups: []string{ "*", @@ -365,6 +376,7 @@ func (enf *AquaKubeEnforcerHelper) CreateValidatingWebhook(cr, namespace, name, Resources: []string{ "pods", "deployments", + "deploymentconfigs", "replicasets", "replicationcontrollers", "statefulsets", diff --git a/docs/DeployOpenShiftOperator.md b/docs/DeployOpenShiftOperator.md index 99699b5d..45d697c2 100644 --- a/docs/DeployOpenShiftOperator.md +++ b/docs/DeployOpenShiftOperator.md @@ -688,7 +688,7 @@ spec: gateway_address: 'aqua-gateway:8443' # Required: provide <> cluster_name: Default-cluster-name # Required: provide your cluster name imagePullSecret: aqua-registry # Required: provide the imagePullSecret name - kubebench_image: 'docker.io/aquasec/kube-bench:v0.6.12' # Optional: KubeBench image name can be replace with custom registry + kubebench_image: 'docker.io/aquasec/kube-bench:v0.6.15' # Optional: KubeBench image name can be replace with custom registry deploy: service: ClusterIP image: diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go index 6091a611..6f5af3f2 100644 --- a/pkg/consts/consts.go +++ b/pkg/consts/consts.go @@ -85,7 +85,7 @@ const ( LatestVersion = "2022.4" // StarboardVersion Latest starboard version - StarboardVersion = "0.15.10" + StarboardVersion = "0.15.13" // CyberCenterAddress Aqua Cybercenter Address CyberCenterAddress = "https://cybercenter5.aquasec.com" @@ -164,7 +164,7 @@ const ( EnforcerConfigMapName = "aqua-csp-enforcer" - KubeBenchImageName = "docker.io/aquasec/kube-bench:v0.6.12" + KubeBenchImageName = "docker.io/aquasec/kube-bench:v0.6.15" LightningEnforcerResources = `resources: limits: 
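Review bot: `"deploymentconfigs"` is added to the Resources of the validating webhook rule (hunk `@@ -365,6 +376,7 @@`), but that rule's APIGroups are outside the hunk. DeploymentConfig is served from `apps.openshift.io`, so unless the list already contains `apps.openshift.io` or `*`, the API server will never send DeploymentConfig requests to the webhook and the new entry has no effect on admission. Please check the APIGroups of the same rule and add `"apps.openshift.io",` if it is missing. CreateValidatingWebhook starts and ends outside the hunk.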
diff --git a/test/consts/testing_consts.go b/test/consts/testing_consts.go index 88bd1e59..087057c3 100644 --- a/test/consts/testing_consts.go +++ b/test/consts/testing_consts.go @@ -42,5 +42,5 @@ const ( ScannerToken = "" GatewayAddress = "aqua-gateway:8443" ClusterName = "Default-cluster-name" - KubeBenchName = "docker.io/aquasec/kube-bench:v0.6.12" + KubeBenchName = "docker.io/aquasec/kube-bench:v0.6.15" ) From 26880e720bc8b3bbbed3eb4b67745ddd88b5efd5 Mon Sep 17 00:00:00 2001 From: Adi Shaull Date: Tue, 25 Jul 2023 10:26:44 +0300 Subject: [PATCH 2/3] SLK-69062 Upgrade kube-bench version --- docs/DeployOpenShiftOperator.md | 2 +- pkg/consts/consts.go | 2 +- test/consts/testing_consts.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/DeployOpenShiftOperator.md b/docs/DeployOpenShiftOperator.md index 45d697c2..7db59b80 100644 --- a/docs/DeployOpenShiftOperator.md +++ b/docs/DeployOpenShiftOperator.md @@ -688,7 +688,7 @@ spec: gateway_address: 'aqua-gateway:8443' # Required: provide <> cluster_name: Default-cluster-name # Required: provide your cluster name imagePullSecret: aqua-registry # Required: provide the imagePullSecret name - kubebench_image: 'docker.io/aquasec/kube-bench:v0.6.15' # Optional: KubeBench image name can be replace with custom registry + kubebench_image: 'docker.io/aquasec/kube-bench:v0.6.16' # Optional: KubeBench image name can be replace with custom registry deploy: service: ClusterIP image: diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go index 6f5af3f2..8ca7d861 100644 --- a/pkg/consts/consts.go +++ b/pkg/consts/consts.go @@ -164,7 +164,7 @@ const ( EnforcerConfigMapName = "aqua-csp-enforcer" - KubeBenchImageName = "docker.io/aquasec/kube-bench:v0.6.15" + KubeBenchImageName = "docker.io/aquasec/kube-bench:v0.6.16" LightningEnforcerResources = `resources: limits: diff --git a/test/consts/testing_consts.go b/test/consts/testing_consts.go index 087057c3..9190ff1a 100644 --- a/test/consts/testing_consts.go 
+++ b/test/consts/testing_consts.go @@ -42,5 +42,5 @@ const ( ScannerToken = "" GatewayAddress = "aqua-gateway:8443" ClusterName = "Default-cluster-name" - KubeBenchName = "docker.io/aquasec/kube-bench:v0.6.15" + KubeBenchName = "docker.io/aquasec/kube-bench:v0.6.16" ) From 8df8b4bdf8b74c5b9eb64735b3c3f07f4607733b Mon Sep 17 00:00:00 2001 From: Adi Shaull Date: Tue, 25 Jul 2023 18:19:45 +0300 Subject: [PATCH 3/3] SLK-69062 Upgrade kube-bench version to 0.6.17 --- docs/DeployOpenShiftOperator.md | 2 +- pkg/consts/consts.go | 2 +- test/consts/testing_consts.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/DeployOpenShiftOperator.md b/docs/DeployOpenShiftOperator.md index 7db59b80..5937cada 100644 --- a/docs/DeployOpenShiftOperator.md +++ b/docs/DeployOpenShiftOperator.md @@ -688,7 +688,7 @@ spec: gateway_address: 'aqua-gateway:8443' # Required: provide <> cluster_name: Default-cluster-name # Required: provide your cluster name imagePullSecret: aqua-registry # Required: provide the imagePullSecret name - kubebench_image: 'docker.io/aquasec/kube-bench:v0.6.16' # Optional: KubeBench image name can be replace with custom registry + kubebench_image: 'docker.io/aquasec/kube-bench:v0.6.17' # Optional: KubeBench image name can be replace with custom registry deploy: service: ClusterIP image: diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go index 8ca7d861..e4e7bef6 100644 --- a/pkg/consts/consts.go +++ b/pkg/consts/consts.go @@ -164,7 +164,7 @@ const ( EnforcerConfigMapName = "aqua-csp-enforcer" - KubeBenchImageName = "docker.io/aquasec/kube-bench:v0.6.16" + KubeBenchImageName = "docker.io/aquasec/kube-bench:v0.6.17" LightningEnforcerResources = `resources: limits: diff --git a/test/consts/testing_consts.go b/test/consts/testing_consts.go index 9190ff1a..cca29540 100644 --- a/test/consts/testing_consts.go +++ b/test/consts/testing_consts.go 
@@ -42,5 +42,5 @@ const ( ScannerToken = "" GatewayAddress = "aqua-gateway:8443" ClusterName = "Default-cluster-name" - KubeBenchName = "docker.io/aquasec/kube-bench:v0.6.16" + KubeBenchName = "docker.io/aquasec/kube-bench:v0.6.17" )