Add pod hostNetwork for KE
semyonmor committed May 21, 2024
1 parent bbec888 commit 27736ed
Showing 6 changed files with 11 additions and 5 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -30,7 +30,7 @@ This repository includes the following charts; they can be deployed separately:
| [Server](server/) | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component | 2022.4.24 |
| [Enforcer](enforcer/) | Deploys the Aqua Enforcer daemonset | 2022.4.21 |
| [Scanner](scanner/) | Deploys the Aqua Scanner deployment | 2022.4.7 |
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.45 |
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.46 |
| [Gateway](gateway) | Deploys the Aqua Standalone Gateway | 2022.4.14 |
| [Tenant-Manager](tenant-manager/) | Deploys the Aqua Tenant Manager | 2022.4.0 |
| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.5 |
Expand Down Expand Up @@ -81,7 +81,7 @@ aqua-helm/codesec-agent 1.2.7 2022.4 A Helm chart for
aqua-helm/cloud-connector 2022.4.4 2022.4 A Helm chart for Aqua Cloud-Connector
aqua-helm/cyber-center 2022.4.5 2022.4 A Helm chart for Aqua CyberCenter
aqua-helm/enforcer 2022.4.21 2022.4 A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer 2022.4.45 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/kube-enforcer 2022.4.46 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway 2022.4.14 2022.4 A Helm chart for the Aqua Gateway
aqua-helm/scanner 2022.4.7 2022.4 A Helm chart for the Aqua Scanner CLI component
aqua-helm/server 2022.4.24 2022.4 A Helm chart for the Aqua Console components
3 changes: 3 additions & 0 deletions kube-enforcer/CHANGELOG.md
@@ -1,6 +1,9 @@
# Changelog
All notable changes to this project will be documented in this file.

## 2022.4.46 ( May 21st, 2024 )
* Add pod hostNetwork option for KE deployment

## 2022.4.45 ( May 15th, 2024 )
* upgraded kube-bench version to v0.7.3
* upgraded trivy-operator version to 0.20.1
2 changes: 1 addition & 1 deletion kube-enforcer/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
appVersion: "2022.4"
description: A Helm chart for the Aqua KubeEnforcer
name: kube-enforcer
version: "2022.4.45"
version: "2022.4.46"
dependencies:
- name: enforcer
version: "2022.4.22"
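Review bot: The `enforcer` dependency in the context lines below the bumped `version` is pinned to "2022.4.22", while the root README chart table and chart listing in this same commit still show the enforcer chart at 2022.4.21. Since the README is already being touched for the 2022.4.46 bump, reconcile the two here or confirm that the mismatch is intentional, so that users installing in express mode know which enforcer chart version they actually get.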
5 changes: 3 additions & 2 deletions kube-enforcer/README.md
Expand Up @@ -340,7 +340,7 @@ To perform kube-bench scans in the cluster, the KubeEnforcer needs:
| `global.imageCredentials.password` | Your Docker registry (Docker Hub, etc.) password | `N/A` | `Yes - New cluster` |
| `serviceAccount.create` | Enable to create serviceAccount | `true` | `Yes - New cluster` |
| `serviceAccount.name` | Service account name | `aqua-kube-enforcer-sa` | `No` |
| `global.platform` | Specify the Kubernetes (k8s) platform acronym, allowed values are: aks, eks, gke, gke-autopilot, openshift, tkg, tkgi, k8s, rancher, gs, k3s, mke. | `unset` | `YES` |
| `global.platform` | Specify the Kubernetes (k8s) platform acronym, allowed values are: aks, eks, gke, gke-autopilot, openshift, tkg, tkgi, k8s, rancher, gs, k3s, mke. | `unset` | `YES` |
| `global.enforcer.enabled` | Change to true to enable express mode and deploy aqua enforcer along with kube-enforcer | `false` | `NO` |
| `global.gateway.address` | Gateway host address. For Saas use the hostname containing `-gw` from your onboarding email. | `aqua-gateway-svc.aqua` | `Yes` |
| `global.gateway.port` | Gateway host port. Far Saas use port 443 | `8443` | `Yes` |
Expand All @@ -350,9 +350,10 @@ To perform kube-bench scans in the cluster, the KubeEnforcer needs:
| `image.repository` | Kube-enforcer docker image name to use | `kube-enforcer` | `Yes` |
| `image.tag` | Kube-enforcer image tag to use. | `2022.4` | `Yes` |
| `image.pullPolicy` | The kubernetes image pull policy. | `Always` | `Yes` |
| `hostNetwork` | Set pod hostNetwork | `false` | `NO` |
| `microEnforcerImage.repository` | MicroEnforcer docker image name | `microenforcer` | `YES` |
| `microEnforcerImage.tag` | MicroEnforcer docker image tag | `2022.4` | `YES` |
| `kubebenchImage.repository` | KubeBench docker image name | `aquasec/kube-bench` | `YES` |
| `kubebenchImage.repository` | KubeBench docker image name | `aquasec/kube-bench` | `YES` |
| `kubebenchImage.tag` | KubeBench docker image tag | `v0.6.8` | `YES` |
| `clusterName` | Cluster name registered with Aqua in Infrastructure tab | `aqua-secure` | `No` |
| `enforcer_ds_name` | AquaEnforcer DaemonSet name for KubEnforcer config map | `` | `No` |
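Review bot: The new `hostNetwork` row documents the option only as "Set pod hostNetwork", which gives an operator no basis for deciding whether to enable it. Say when it is needed and what it costs: the KubeEnforcer pod joins the node's network namespace, its listening ports are bound on the node, and clusters enforcing the Pod Security Standards baseline profile will reject the pod. The `kubebenchImage.repository` row in the same hunk is removed and re-added with identical visible content, so that change looks whitespace-only and could be dropped to keep the diff focused.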
1 change: 1 addition & 0 deletions kube-enforcer/templates/kube-enforcer-deployment.yaml
Expand Up @@ -35,6 +35,7 @@ spec:
{{- end }}
{{ include "aqua.labels" . | indent 8 }}
spec:
hostNetwork: {{ .Values.hostNetwork | quote }}
{{- if .Values.global.dnsNdots }}
dnsConfig:
options:
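Review bot: The added line `hostNetwork: {{ .Values.hostNetwork | quote }}` renders the value as a YAML string ("false" or "true"), but `hostNetwork` in the pod spec is a boolean, so the API server will reject the Deployment even with the default value. Drop the `quote` and emit the bare value, `hostNetwork: {{ .Values.hostNetwork }}`, or wrap the field in `{{- if .Values.hostNetwork }}` so it is only rendered when enabled. Separately, nothing in the visible lines sets `dnsPolicy`: a pod on the host network resolves names with the node's DNS configuration unless `dnsPolicy: ClusterFirstWithHostNet` is set, so the default in-cluster gateway address `aqua-gateway-svc.aqua` from the README would stop resolving once the option is turned on. Consider setting that policy in the same conditional.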
1 change: 1 addition & 0 deletions kube-enforcer/values.yaml
Expand Up @@ -162,6 +162,7 @@ role:
roleBinding:
name: "aqua-kube-enforcer"

hostNetwork: false
webhooks:
# set this field true if you're using cert-manager and don't need to pass a caBundle
certManager: false
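Review bot: The new `hostNetwork: false` key is added with no comment and sits directly against `webhooks:`, whereas the neighbouring `certManager` key carries an explanatory comment. Add a comment above it stating that enabling it places the KubeEnforcer pod in the node's network namespace and is intended only for environments where the API server cannot reach the webhook over the pod network, and separate it from the `webhooks:` block with a blank line. Keeping the default at `false` is the right choice.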