From 75e6d8b8df2c13a22aa2e6c4855ad40af4adc63f Mon Sep 17 00:00:00 2001
From: Ankur Kothiwal
Date: Sat, 19 Aug 2023 21:27:44 +0530
Subject: [PATCH] include kubearmor installation via helm
With this PR KubeArmor will be installed with default configurations with the operator by a single helm install command.
Signed-off-by: Ankur Kothiwal
---
 .../helm/KubeArmorOperator}/.helmignore | 0
 deployments/helm/KubeArmorOperator/README.md | 32 +-
 .../KubeArmorOperator/kubearmor-operator.yaml | 333 ++++++++++++++++++
 .../templates/ka-config.yaml | 15 +
 .../templates/serviceaccount.yaml | 2 +-
 .../helm/KubeArmorOperator/values.yaml | 23 ++
 6 files changed, 392 insertions(+), 13 deletions(-)
 rename {pkg/KubeArmorOperator/deployments/helm => deployments/helm/KubeArmorOperator}/.helmignore (100%)
 create mode 100644 deployments/helm/KubeArmorOperator/kubearmor-operator.yaml
 create mode 100644 deployments/helm/KubeArmorOperator/templates/ka-config.yaml
diff --git a/pkg/KubeArmorOperator/deployments/helm/.helmignore b/deployments/helm/KubeArmorOperator/.helmignore
similarity index 100%
rename from pkg/KubeArmorOperator/deployments/helm/.helmignore
rename to deployments/helm/KubeArmorOperator/.helmignore
diff --git a/deployments/helm/KubeArmorOperator/README.md b/deployments/helm/KubeArmorOperator/README.md
index bbeafafda8..d63c8506be 100644
--- a/deployments/helm/KubeArmorOperator/README.md
+++ b/deployments/helm/KubeArmorOperator/README.md
@@ -1,28 +1,35 @@
-## Install KubeArmorOperator
-Install KubeArmorOperator using the official `kubearmor` Helm chart repo.Also see [values](#Values) for your respective environment.
-```
+# Install KubeArmorOperator
+
+Install KubeArmorOperator using the official `kubearmor` Helm chart repo. Also see [values](#values) for your respective environment.
+
+```bash
 helm repo add kubearmor https://kubearmor.github.io/charts
 helm repo update kubearmor
-helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kube-system
+helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace
 ```
 Install KubeArmorOperator using Helm charts locally (for testing)
-```
+
+```bash
 cd deployments/helm/KubeArmorOperator
-helm upgrade --install kubearmor-operator . -n kube-system
+helm upgrade --install kubearmor-operator . -n kubearmor --create-namespace
 ```
 ## Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | kubearmorOperator.name | string | kubearmor-operator | name of the operator's deployment |
 | kubearmorOperator.image.repository | string | kubearmor/kubearmor-operator | image repository to pull KubeArmorOperator from |
 | kubearmorOperator.image.tag | string | latest | KubeArmorOperator image tag |
 | kubearmorOperator.imagePullPolicy | string | IfNotPresent | pull policy for operator image |
+| kubearmorOperator.configSpec | object | [values.yaml](values.yaml) | KubeArmor default configurations |
-Once installed, the operator waits for the user to create a `KubeArmorConfig` object.
+The operator needs a `KubeArmorConfig` object in order to create resources related to KubeArmor. A default config is present in Helm `values.yaml` which can be overridden during Helm install.
+It is possible to specify configuration even after KubeArmor resources have been installed by directly editing the created `KubeArmorConfig` CR.
 ## KubeArmorConfig specification
+
 ```yaml
 apiVersion: operator.kubearmor.com/v1
 kind: KubeArmorConfig
@@ -56,7 +63,7 @@ spec:
 # KubeArmor relay image and pull policy
 kubearmorRelayImage:
- image: [image-repo:tag] # DEFAULT - kubearmor/kubearmor-relay:latest
+ image: [image-repo:tag] # DEFAULT - kubearmor/kubearmor-relay-server:latest
 imagePullPolicy: [image pull policy] # DEFAULT - Always
 # KubeArmor controller image and pull policy
@@ -69,14 +76,13 @@ spec:
 image: [image-repo:tag] # DEFAULT - gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
 imagePullPolicy: [image pull policy] # DEFAULT - Always
 ```
-**A [sample configuration](../../../pkg/KubeArmorOperator/config/samples/sample-config.yml) is also available for reference.**
 ## Verify if all the resources are up and running
 If a valid configuration is received, the operator will deploy jobs to your nodes to get the environment information and then start installing KubeArmor components. Once done, the following resources related to KubeArmor will exist in your cluster:
 ```
-$ kubectl get all -n kube-system -l kubearmor-app
+$ kubectl get all -n kubearmor -l kubearmor-app
 NAME READY STATUS RESTARTS AGE
 pod/kubearmor-operator-66fbff5559-qb7dh 1/1 Running 0 11m
 pod/kubearmor-relay-557dfcc57b-c8t55 1/1 Running 0 2m53s
@@ -105,8 +111,10 @@ NAME COMPLETIONS DURATION AGE
 job.batch/kubearmor-snitch-lglbd 1/1 3s 11m
 ```
-## Uninstall The Operator
+## Uninstall the Operator
+
 Uninstalling the Operator will also uninstall KubeArmor from all your nodes. To uninstall, just run:
+
 ```bash
-helm uninstall kubearmor -n kube-system
+helm uninstall kubearmor -n kubearmor
 ```
diff --git a/deployments/helm/KubeArmorOperator/kubearmor-operator.yaml b/deployments/helm/KubeArmorOperator/kubearmor-operator.yaml
new file mode 100644
index 0000000000..885df77290
--- /dev/null
+++ b/deployments/helm/KubeArmorOperator/kubearmor-operator.yaml
@@ -0,0 +1,333 @@
+---
+# Source: kubearmor-operator/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubearmor-operator
+ namespace: kubearmor
+---
+# Source: kubearmor-operator/templates/clusterrole-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubearmor-operator-clusterrole
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - serviceaccounts
+ - services
+ - configmaps
+ verbs:
+ - get
+ - create
+ - delete
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - list
+ - get
+ - create
+ - delete
+ - update
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - create
+ - delete
+- apiGroups:
+ - batch
+ verbs:
+ - create
+ resources:
+ - jobs
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - create
+ - get
+- apiGroups:
+ - operator.kubearmor.com
+ resources:
+ - kubearmorconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - operator.kubearmor.com
+ resources:
+ - kubearmorconfigs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+---
+# Source: kubearmor-operator/templates/clusterrole-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubearmor-operator-manage-kubearmor-clusterrole
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - patch
+ - list
+ - watch
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - replicasets
+ - daemonsets
+ - statefulsets
+ verbs:
+ - get
+ - patch
+ - list
+ - watch
+ - update
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorpolicies
+ - kubearmorhostpolicies
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - delete
+- nonResourceURLs:
+ - /apis
+ - /apis/*
+ verbs:
+ - get
+---
+# Source: kubearmor-operator/templates/clusterrole-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubearmor-operator-manage-controller-clusterrole
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - list
+ - watch
+ - update
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorpolicies
+ - kubearmorhostpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorpolicies/status
+ - kubearmorhostpolicies/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+# Source: kubearmor-operator/templates/clusterrole-binding-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubearmor-operator-clusterrole-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubearmor-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: kubearmor-operator
+ namespace: abc
+---
+# Source: kubearmor-operator/templates/clusterrole-binding-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubearmor-operator-manage-kubearmor-clusterrole-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubearmor-operator-manage-kubearmor-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: kubearmor-operator
+ namespace: abc
+---
+# Source: kubearmor-operator/templates/clusterrole-binding-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubearmor-operator-manage-controller-clusterrole-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubearmor-operator-manage-controller-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: kubearmor-operator
+ namespace: abc
+---
+# Source: kubearmor-operator/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubearmor-operator
+ namespace: kubearmor
+ labels:
+ kubearmor-app: kubearmor-operator
+spec:
+ selector:
+ matchLabels:
+ kubearmor-app: kubearmor-operator
+ template:
+ metadata:
+ labels:
+ kubearmor-app: kubearmor-operator
+ spec:
+ containers:
+ - command:
+ - /operator
+ - kubearmor-operator
+ env:
+ - name: KUBEARMOR_OPERATOR_NS
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: kubearmor/kubearmor-operator:latest
+ imagePullPolicy: IfNotPresent
+ name: kubearmor-operator
+ serviceAccountName: kubearmor-operator
+---
+# Source: kubearmor-operator/templates/ka-config.yaml
+apiVersion: operator.kubearmor.com/v1
+kind: KubeArmorConfig
+metadata:
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ labels:
+ app.kubernetes.io/name: kubearmorconfig
+ app.kubernetes.io/instance: kubearmorconfig-sample
+ app.kubernetes.io/part-of: kubearmoroperator
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: kubearmoroperator
+ name: kubearmor
+ namespace: kubearmor
+spec:
+ defaultCapabilitiesPosture: audit
+ defaultFilePosture: audit
+ defaultNetworkPosture: audit
+ defaultVisibility: process,file,network
+ kubearmorControllerImage:
+ image: kubearmor/kubearmor-controller:latest
+ imagePullPolicy: Always
+ kubearmorImage:
+ image: kubearmor/kubearmor:stable
+ imagePullPolicy: Always
+ kubearmorInitImage:
+ image: kubearmor/kubearmor-init:stable
+ imagePullPolicy: Always
+ kubearmorRelayImage:
+ image: kubearmor/kubearmor-relay-server:latest
+ imagePullPolicy: Always
diff --git a/deployments/helm/KubeArmorOperator/templates/ka-config.yaml b/deployments/helm/KubeArmorOperator/templates/ka-config.yaml
new file mode 100644
index 0000000000..32b8031dff
--- /dev/null
+++ b/deployments/helm/KubeArmorOperator/templates/ka-config.yaml
@@ -0,0 +1,15 @@
+apiVersion: operator.kubearmor.com/v1
+kind: KubeArmorConfig
+metadata:
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ labels:
+ app.kubernetes.io/name: kubearmorconfig
+ app.kubernetes.io/instance: kubearmorconfig-sample
+ app.kubernetes.io/part-of: kubearmoroperator
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: kubearmoroperator
+ name: kubearmor
+ namespace: {{ .Release.Namespace }}
+spec:
+ {{- toYaml .Values.kubearmorOperator.configSpec | nindent 4}}
diff --git a/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml b/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
index 63ad150372..188db56bac 100644
--- a/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
+++ b/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ .Values.kubearmorOperator.name }}
- namespace: {{ .Release.Namespace }}
\ No newline at end of file
+ namespace: {{ .Release.Namespace }}
diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
index 29428adb43..696e9795bb 100644
--- a/deployments/helm/KubeArmorOperator/values.yaml
+++ b/deployments/helm/KubeArmorOperator/values.yaml
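Review bot: All three ClusterRoleBindings in kubearmor-operator.yaml (`kubearmor-operator-clusterrole-binding` and the two `manage-*` bindings) name their subject as ServiceAccount `kubearmor-operator` in `namespace: abc`, while the ServiceAccount and Deployment earlier in the same file are created in `namespace: kubearmor`. As written, the operator's pod receives none of these cluster permissions, and any ServiceAccount named `kubearmor-operator` that someone later creates in a namespace called `abc` would inherit them instead; the subject should read `namespace: kubearmor` in all three bindings, and since the `# Source:` headers show this file is chart output, it was presumably rendered with a stale `--namespace abc` and should be regenerated rather than hand-patched. The first ClusterRole also grants get/create/delete/update on `secrets` in every namespace; if the operator only needs secrets in its own namespace (e.g. webhook TLS material), a namespaced Role would be the least-privilege fit. Separately, the file ends with a KubeArmorConfig CR but ships no CRD for it (the operator role has `create` on customresourcedefinitions, suggesting the operator registers it at runtime), so a single `kubectl apply -f` of this manifest will presumably fail on that last document until the operator is running; a comment at the top of the file stating that ordering, or splitting the CR into its own file, would save users a confusing first apply.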
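Review bot: The `"helm.sh/hook": post-install,post-upgrade` annotation in templates/ka-config.yaml makes the KubeArmorConfig a hook resource rather than part of the release, which changes its lifecycle in ways the template does not document: with Helm's default `before-hook-creation` delete policy the CR is deleted and recreated from `values.yaml` on every `helm upgrade`, so edits made directly to the CR (which the README on this page explicitly encourages) are silently discarded, and hook resources are not removed by `helm uninstall`, so the CR outlives the operator. The hook also only succeeds if the `operator.kubearmor.com/v1` CRD already exists when it fires; no CRD appears in the chart and the operator role has `create` on customresourcedefinitions, so this presumably depends on the operator registering the CRD quickly enough after its Deployment is created, a race worth confirming and, if real, removed by shipping the CRD under `crds/` so the CR can be a regular templated resource. At minimum add a comment above the annotation, e.g. `# Hook resource: recreated from values on every upgrade (manual edits are lost) and NOT deleted by helm uninstall.` The `app.kubernetes.io/managed-by: kustomize` and `app.kubernetes.io/instance: kubearmorconfig-sample` labels are carried over from a sample and are misleading on a Helm-managed object; `app.kubernetes.io/managed-by: {{ .Release.Service }}` and `app.kubernetes.io/instance: {{ .Release.Name }}` are the conventional values.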
@@ -4,3 +4,26 @@ kubearmorOperator:
 repository: kubearmor/kubearmor-operator
 tag: latest
 imagePullPolicy: IfNotPresent
+
+ configSpec:
+ defaultCapabilitiesPosture: audit
+ defaultFilePosture: audit
+ defaultNetworkPosture: audit
+
+ defaultVisibility: process,file,network
+
+ kubearmorImage:
+ image: kubearmor/kubearmor:stable
+ imagePullPolicy: Always
+
+ kubearmorInitImage:
+ image: kubearmor/kubearmor-init:stable
+ imagePullPolicy: Always
+
+ kubearmorRelayImage:
+ image: kubearmor/kubearmor-relay-server:latest
+ imagePullPolicy: Always
+
+ kubearmorControllerImage:
+ image: kubearmor/kubearmor-controller:latest
+ imagePullPolicy: Always
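Review bot: Every image in the new `configSpec` block uses a floating tag (`kubearmor/kubearmor:stable`, `kubearmor-init:stable`, `kubearmor-relay-server:latest`, `kubearmor-controller:latest`) combined with `imagePullPolicy: Always`, so any pod reschedule or node restart can pull a different build of a cluster-wide security agent with no record in the chart of what changed. For defaults that are now installed automatically by a single `helm install`, these should be pinned to a released version or a digest (`image: kubearmor/kubearmor@sha256:…`), with `stable`/`latest` left as an explicit opt-in; failing that, a comment above `configSpec` should say so, e.g. `# NOTE: the tags below are mutable; pin to a release tag or digest for reproducible, auditable deployments.` It would also help to state next to the three `default*Posture: audit` keys what `audit` implies for the default install — if, as the name suggests, it means violations are logged but not blocked, operators reading only this file may assume enforcement is on. The enclosing `kubearmorOperator:` mapping starts above this hunk.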