From 1ddd56f040defee60878acb683af567d8ae14b5c Mon Sep 17 00:00:00 2001
From: Ankur Kothiwal
Date: Sat, 19 Aug 2023 21:27:44 +0530
Subject: [PATCH] include kubearmor installation via helm

With this PR KubeArmor will be installed with default configurations with the operator by a single helm install command.
Signed-off-by: Ankur Kothiwal
---
 deployments/helm/KubeArmorOperator/README.md | 28 +++++++++++--------
 .../templates/deployment.yaml | 2 +-
 .../templates/ka-config.yaml | 15 ++++++++++
 .../templates/serviceaccount.yaml | 2 +-
 .../helm/KubeArmorOperator/values.yaml | 23 +++++++++++++++
 5 files changed, 57 insertions(+), 13 deletions(-)
 create mode 100644 deployments/helm/KubeArmorOperator/templates/ka-config.yaml
diff --git a/deployments/helm/KubeArmorOperator/README.md b/deployments/helm/KubeArmorOperator/README.md
index bbeafafda8..b1298eaf2f 100644
--- a/deployments/helm/KubeArmorOperator/README.md
+++ b/deployments/helm/KubeArmorOperator/README.md
@@ -1,18 +1,22 @@ -## Install KubeArmorOperator -Install KubeArmorOperator using the official `kubearmor` Helm chart repo.Also see [values](#Values) for your respective environment. -``` +# Install KubeArmorOperator + +Install KubeArmorOperator using the official `kubearmor` Helm chart repo. Also see [values](#values) for your respective environment. + +```bash helm repo add kubearmor https://kubearmor.github.io/charts helm repo update kubearmor -helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kube-system +helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace ``` Install KubeArmorOperator using Helm charts locally (for testing) -``` + +```bash cd deployments/helm/KubeArmorOperator -helm upgrade --install kubearmor-operator . -n kube-system +helm upgrade --install kubearmor-operator . -n kubearmor --create-namespace ``` ## Values + | Key | Type | Default | Description | |-----|------|---------|-------------| | kubearmorOperator.name | string | kubearmor-operator | name of the operator's deployment | @@ -20,9 +24,10 @@ helm upgrade --install kubearmor-operator . -n kube-system | kubearmorOperator.image.tag | string | latest | KubeArmorOperator image tag | | kubearmorOperator.imagePullPolicy | string | IfNotPresent | pull policy for operator image | -Once installed, the operator waits for the user to create a `KubeArmorConfig` object. +Once installed, the operator uses [sample configuration](../../../pkg/KubeArmorOperator/config/samples/sample-config.yml) to create `KubeArmorConfig` object. ## KubeArmorConfig specification + ```yaml apiVersion: operator.kubearmor.com/v1 kind: KubeArmorConfig 
@@ -56,7 +61,7 @@ spec: # KubeArmor relay image and pull policy kubearmorRelayImage: - image: [image-repo:tag] # DEFAULT - kubearmor/kubearmor-relay:latest + image: [image-repo:tag] # DEFAULT - kubearmor/kubearmor-relay-server:latest imagePullPolicy: [image pull policy] # DEFAULT - Always # KubeArmor controller image and pull policy @@ -69,14 +74,13 @@ spec: image: [image-repo:tag] # DEFAULT - gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 imagePullPolicy: [image pull policy] # DEFAULT - Always ``` -**A [sample configuration](../../../pkg/KubeArmorOperator/config/samples/sample-config.yml) is also available for reference.** ## Verify if all the resources are up and running If a valid configuration is received, the operator will deploy jobs to your nodes to get the environment information and then start installing KubeArmor components. Once done, the following resources related to KubeArmor will exist in your cluster: ``` -$ kubectl get all -n kube-system -l kubearmor-app +$ kubectl get all -n kubearmor -l kubearmor-app NAME READY STATUS RESTARTS AGE pod/kubearmor-operator-66fbff5559-qb7dh 1/1 Running 0 11m pod/kubearmor-relay-557dfcc57b-c8t55 1/1 Running 0 2m53s @@ -105,8 +109,10 @@ NAME COMPLETIONS DURATION AGE job.batch/kubearmor-snitch-lglbd 1/1 3s 11m ``` -## Uninstall The Operator +## Uninstall the Operator + Uninstalling the Operator will also uninstall KubeArmor from all your nodes. To uninstall, just run: + ```bash helm uninstall kubearmor -n kube-system ``` diff --git a/deployments/helm/KubeArmorOperator/templates/deployment.yaml b/deployments/helm/KubeArmorOperator/templates/deployment.yaml index 529269b9f6..e6e28d769b 100644 --- a/deployments/helm/KubeArmorOperator/templates/deployment.yaml +++ b/deployments/helm/KubeArmorOperator/templates/deployment.yaml 
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ .Values.kubearmorOperator.name }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ .Values.namespace | default "kubearmor" }}
 labels:
 kubearmor-app: {{ .Values.kubearmorOperator.name }}
 spec:
diff --git a/deployments/helm/KubeArmorOperator/templates/ka-config.yaml b/deployments/helm/KubeArmorOperator/templates/ka-config.yaml
new file mode 100644
index 0000000000..3a08319b11
--- /dev/null
+++ b/deployments/helm/KubeArmorOperator/templates/ka-config.yaml
@@ -0,0 +1,15 @@
+apiVersion: operator.kubearmor.com/v1
+kind: KubeArmorConfig
+metadata:
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ labels:
+ app.kubernetes.io/name: kubearmorconfig
+ app.kubernetes.io/instance: kubearmorconfig-sample
+ app.kubernetes.io/part-of: kubearmoroperator
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: kubearmoroperator
+ name: kubearmor
+ namespace: {{ .Values.namespace | default "kubearmor" }}
+spec:
+ {{- toYaml .Values.kubearmorOperator.configSpec | nindent 4}}
diff --git a/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml b/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
index 63ad150372..6e893f02f2 100644
--- a/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
+++ b/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ .Values.kubearmorOperator.name }}
- namespace: {{ .Release.Namespace }}
\ No newline at end of file
+ namespace: {{ .Values.namespace | default "kubearmor" }}
diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
index 29428adb43..696e9795bb 100644
--- a/deployments/helm/KubeArmorOperator/values.yaml
+++ b/deployments/helm/KubeArmorOperator/values.yaml
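Review bot: Replacing `.Release.Namespace` with `namespace: {{ .Values.namespace | default "kubearmor" }}` in deployment.yaml decouples the operator from the release namespace: an install with `-n other --create-namespace` records the release in `other` and creates only that namespace, while the Deployment is rendered into `kubearmor`. The same expression is added in serviceaccount.yaml and ka-config.yaml, and this patch adds no `namespace` key to values.yaml, so the literal default is what users get unless they find the undocumented knob. Any RBAC subject elsewhere in the chart that still names the ServiceAccount through `.Release.Namespace` (not visible in this diff) would then grant permissions to a service account in a different namespace from the one the operator runs in, which is worth checking before merge. I would keep the release namespace as the fallback, `namespace: {{ .Values.namespace | default .Release.Namespace }}`, and document `namespace` in values.yaml. The Deployment's `spec` continues outside the hunk.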
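Review bot: Declaring the KubeArmorConfig in ka-config.yaml as a `post-install,post-upgrade` hook takes it out of release management: Helm does not track hook resources, so `helm uninstall` leaves the object behind, and with no `helm.sh/hook-delete-policy` set the default `before-hook-creation` policy deletes and recreates it on every upgrade. If the operator reacts to that deletion by removing the KubeArmor components (its reconcile logic is not visible here), each `helm upgrade` would open a window in which nodes have neither auditing nor enforcement. Consider rendering it as a regular template, or at least make the intended behaviour explicit with `"helm.sh/hook-delete-policy": before-hook-creation` and a comment explaining why a hook is needed. The label `app.kubernetes.io/managed-by: kustomize` is also inaccurate for a Helm-rendered object; `app.kubernetes.io/managed-by: {{ .Release.Service }}` is the usual value.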
@@ -4,3 +4,26 @@ kubearmorOperator:
 repository: kubearmor/kubearmor-operator
 tag: latest
 imagePullPolicy: IfNotPresent
+
+ configSpec:
+ defaultCapabilitiesPosture: audit
+ defaultFilePosture: audit
+ defaultNetworkPosture: audit
+
+ defaultVisibility: process,file,network
+
+ kubearmorImage:
+ image: kubearmor/kubearmor:stable
+ imagePullPolicy: Always
+
+ kubearmorInitImage:
+ image: kubearmor/kubearmor-init:stable
+ imagePullPolicy: Always
+
+ kubearmorRelayImage:
+ image: kubearmor/kubearmor-relay-server:latest
+ imagePullPolicy: Always
+
+ kubearmorControllerImage:
+ image: kubearmor/kubearmor-controller:latest
+ imagePullPolicy: Always
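Review bot: The new `configSpec` defaults pull every KubeArmor component from a mutable tag (`kubearmor/kubearmor:stable`, `kubearmor/kubearmor-init:stable`, `kubearmor/kubearmor-relay-server:latest`, `kubearmor/kubearmor-controller:latest`) with `imagePullPolicy: Always`, so any pod restart can bring different code onto the nodes without a chart change. For a runtime-security agent that makes rollouts unreproducible and widens the impact of a mistaken or malicious tag push. I would default each `image:` to a released version tag or a digest, e.g. `image: kubearmor/kubearmor:<pinned-version>`, and leave `stable`/`latest` as an opt-in override. A one-line comment above `defaultCapabilitiesPosture: audit` saying that the audit posture reports rather than blocks would also help users who expect enforcement from the single-command install.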