diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml index 707c7a6d2f..96326e68f3 100644 --- a/.github/workflows/ci-test-ginkgo.yml +++ b/.github/workflows/ci-test-ginkgo.yml @@ -8,6 +8,8 @@ on: - "tests/**" - "protobuf/**" - ".github/workflows/ci-test-ginkgo.yml" + - "pkg/KubeArmorOperator/**" + - "deployments/helm/**" pull_request: branches: [main] paths: @@ -15,6 +17,8 @@ on: - "tests/**" - "protobuf/**" - ".github/workflows/ci-test-ginkgo.yml" + - "pkg/KubeArmorOperator/**" + - "deployments/helm/**" jobs: build: @@ -78,8 +82,6 @@ jobs: helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator kubectl get pods -A - kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml - kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test kubectl wait --timeout=5m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor kubectl get pods -A diff --git a/pkg/KubeArmorOperator/deployments/helm/.helmignore b/deployments/helm/KubeArmorOperator/.helmignore similarity index 100% rename from pkg/KubeArmorOperator/deployments/helm/.helmignore rename to deployments/helm/KubeArmorOperator/.helmignore diff --git a/deployments/helm/KubeArmorOperator/README.md b/deployments/helm/KubeArmorOperator/README.md index 8bd827a699..d63c8506be 100644 --- a/deployments/helm/KubeArmorOperator/README.md +++ b/deployments/helm/KubeArmorOperator/README.md 
@@ -1,28 +1,35 @@ -## Install KubeArmorOperator -Install KubeArmorOperator using the official `kubearmor` Helm chart repo.Also see [values](#Values) for your respective environment. -``` +# Install KubeArmorOperator + +Install KubeArmorOperator using the official `kubearmor` Helm chart repo. Also see [values](#values) for your respective environment. + +```bash helm repo add kubearmor https://kubearmor.github.io/charts helm repo update kubearmor helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace ``` Install KubeArmorOperator using Helm charts locally (for testing) -``` + +```bash cd deployments/helm/KubeArmorOperator helm upgrade --install kubearmor-operator . -n kubearmor --create-namespace ``` ## Values + | Key | Type | Default | Description | |-----|------|---------|-------------| | kubearmorOperator.name | string | kubearmor-operator | name of the operator's deployment | | kubearmorOperator.image.repository | string | kubearmor/kubearmor-operator | image repository to pull KubeArmorOperator from | | kubearmorOperator.image.tag | string | latest | KubeArmorOperator image tag | | kubearmorOperator.imagePullPolicy | string | IfNotPresent | pull policy for operator image | +| kubearmorOperator.configSpec | object | [values.yaml](values.yaml) | KubeArmor default configurations | -Once installed, the operator waits for the user to create a `KubeArmorConfig` object. +The operator needs a `KubeArmorConfig` object in order to create resources related to KubeArmor. A default config is present in Helm `values.yaml` which can be overridden during Helm install. +It is possible to specify configuration even after KubeArmor resources have been installed by directly editing the created `KubeArmorConfig` CR. ## KubeArmorConfig specification + ```yaml apiVersion: operator.kubearmor.com/v1 kind: KubeArmorConfig 
@@ -56,7 +63,7 @@ spec: # KubeArmor relay image and pull policy kubearmorRelayImage: - image: [image-repo:tag] # DEFAULT - kubearmor/kubearmor-relay:latest + image: [image-repo:tag] # DEFAULT - kubearmor/kubearmor-relay-server:latest imagePullPolicy: [image pull policy] # DEFAULT - Always # KubeArmor controller image and pull policy @@ -69,7 +76,6 @@ spec: image: [image-repo:tag] # DEFAULT - gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 imagePullPolicy: [image pull policy] # DEFAULT - Always ``` -**A [sample configuration](../../../pkg/KubeArmorOperator/config/samples/sample-config.yml) is also available for reference.** ## Verify if all the resources are up and running If a valid configuration is received, the operator will deploy jobs to your nodes to get the environment information and then start installing KubeArmor components. @@ -105,8 +111,10 @@ NAME COMPLETIONS DURATION AGE job.batch/kubearmor-snitch-lglbd 1/1 3s 11m ``` -## Uninstall The Operator +## Uninstall the Operator + Uninstalling the Operator will also uninstall KubeArmor from all your nodes. To uninstall, just run: + ```bash helm uninstall kubearmor -n kubearmor ``` diff --git a/deployments/helm/KubeArmorOperator/templates/ka-config.yaml b/deployments/helm/KubeArmorOperator/templates/ka-config.yaml new file mode 100644 index 0000000000..32b8031dff --- /dev/null +++ b/deployments/helm/KubeArmorOperator/templates/ka-config.yaml @@ -0,0 +1,15 @@ +apiVersion: operator.kubearmor.com/v1 +kind: KubeArmorConfig +metadata: + annotations: + "helm.sh/hook": post-install,post-upgrade + labels: + app.kubernetes.io/name: kubearmorconfig + app.kubernetes.io/instance: kubearmorconfig-sample + app.kubernetes.io/part-of: kubearmoroperator + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: kubearmoroperator + name: kubearmor + namespace: {{ .Release.Namespace }} +spec: + {{- toYaml .Values.kubearmorOperator.configSpec | nindent 4}} 
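Review bot: Every `helm upgrade` will delete and recreate the `kubearmor` KubeArmorConfig, because the `"helm.sh/hook": post-install,post-upgrade` annotation in the new ka-config.yaml makes it a hook resource and, with no `helm.sh/hook-delete-policy` set, Helm 3 defaults to `before-hook-creation`. That discards edits made directly on the CR, which the README in this commit recommends, and depending on how the operator reacts to the delete it may briefly remove KubeArmor enforcement from the nodes; hook resources are also not removed by `helm uninstall`. Separately, the values.yaml hunk shown in this commit changes only the trailing newline and adds no `kubearmorOperator.configSpec`, so unless it is defined elsewhere `toYaml` renders `spec` as `null`, and CI no longer applies the `block` postures and `imagePullPolicy: Never` that the deleted kubearmor-test.yaml pinned. I would either render the CR as an ordinary template (if the CRD is installed before templates are applied) or at least add a comment above the annotation such as `# hook resource: recreated on every upgrade, kept on helm uninstall`, and ship an explicit `configSpec` default in values.yaml. The `app.kubernetes.io/managed-by: kustomize` and `kubearmorconfig-sample` labels also look copied from the sample and do not describe a Helm-rendered object.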
diff --git a/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml b/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
index 63ad150372..188db56bac 100644
--- a/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
+++ b/deployments/helm/KubeArmorOperator/templates/serviceaccount.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ .Values.kubearmorOperator.name }}
- namespace: {{ .Release.Namespace }}
\ No newline at end of file
+ namespace: {{ .Release.Namespace }}
diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
index 86571be5f0..29428adb43 100644
--- a/deployments/helm/KubeArmorOperator/values.yaml
+++ b/deployments/helm/KubeArmorOperator/values.yaml
@@ -3,4 +3,4 @@ kubearmorOperator:
 image:
 repository: kubearmor/kubearmor-operator
 tag: latest
- imagePullPolicy: IfNotPresent
\ No newline at end of file
+ imagePullPolicy: IfNotPresent
diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
deleted file mode 100644
index e7c37652a0..0000000000
--- a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: operator.kubearmor.com/v1
-kind: KubeArmorConfig
-metadata:
- labels:
- app.kubernetes.io/name: kubearmorconfig
- app.kubernetes.io/instance: kubearmorconfig-sample
- app.kubernetes.io/part-of: kubearmoroperator
- app.kubernetes.io/managed-by: kustomize
- app.kubernetes.io/created-by: kubearmoroperator
- name: kubearmorconfig-test
- namespace: kubearmor
-spec:
- defaultCapabilitiesPosture: block
- defaultFilePosture: block
- defaultNetworkPosture: block
- defaultVisibility: process,file,network,capabilities
- kubearmorImage:
- image: kubearmor/kubearmor:latest
- imagePullPolicy: Never
- kubearmorInitImage:
- image: kubearmor/kubearmor-init:latest
- imagePullPolicy: Never
- kubearmorRelayImage:
- image: kubearmor/kubearmor-relay-server:latest
- imagePullPolicy: Always
- kubearmorControllerImage:
- image: kubearmor/kubearmor-controller:latest
- imagePullPolicy: Always