Commit

Update kube-bench version and update OPERATOR_EXCLUDE_NAMESPACES env var. Resolves: DEVOPS-934, DEVOPS-896 (#924)
tikolsky authored Feb 19, 2025
1 parent 50882f7 commit d081cd9
Showing 10 changed files with 19 additions and 10 deletions.
4 changes: 2 additions & 2 deletions README.md
@@ -31,7 +31,7 @@ This repository includes the following charts; they can be deployed separately:
| [Server](server/) | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component | 2022.4.26 |
| [Enforcer](enforcer/) | Deploys the Aqua Enforcer daemonset | 2022.4.21 |
| [Scanner](scanner/) | Deploys the Aqua Scanner deployment | 2022.4.10 |
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.50 |
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.51 |
| [Gateway](gateway) | Deploys the Aqua Standalone Gateway | 2022.4.14 |
| [Tenant-Manager](tenant-manager/) | Deploys the Aqua Tenant Manager | 2022.4.0 |
| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.6 |
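Review bot: the Enforcer row in this table (`| [Enforcer](enforcer/) | Deploys the Aqua Enforcer daemonset | 2022.4.21 |`) disagrees with the `helm search` listing further down in the same README, which shows `aqua-helm/enforcer 2022.4.23`, and with the `enforcer` dependency pinned at `version: "2022.4.23"` in kube-enforcer/Chart.yaml in this very commit. Since this hunk already edits the chart table, bump the Enforcer row to 2022.4.23 at the same time so the README does not advertise two different enforcer versions.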
@@ -82,7 +82,7 @@ aqua-helm/codesec-agent 1.2.11 2022.4 A Helm chart fo
aqua-helm/cloud-connector 2022.4.4 2022.4 A Helm chart for Aqua Cloud-Connector
aqua-helm/cyber-center 2022.4.6 2022.4 A Helm chart for Aqua CyberCenter
aqua-helm/enforcer 2022.4.23 2022.4 A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer 2022.4.50 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/kube-enforcer 2022.4.51 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway 2022.4.14 2022.4 A Helm chart for the Aqua Gateway
aqua-helm/scanner 2022.4.10 2022.4 A Helm chart for the Aqua Scanner CLI component
aqua-helm/server 2022.4.26 2022.4 A Helm chart for the Aqua Console components
2 changes: 2 additions & 0 deletions aqua-quickstart/templates/kube-enforcer-starboard-deploy.yaml
@@ -64,6 +64,8 @@ spec:
value: "{{ .Values.starboard.OPERATOR_BATCH_DELETE_LIMIT }}"
- name: OPERATOR_BATCH_DELETE_DELAY
value: "{{ .Values.starboard.OPERATOR_BATCH_DELETE_DELAY }}"
- name: OPERATOR_EXCLUDE_NAMESPACES
value: {{ .Values.starboard.OPERATOR_EXCLUDE_NAMESPACES }}
ports:
- name: metrics
containerPort: {{ .Values.starboard.ports.metricContainerPort }}
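Review bot: the new `value:` for `OPERATOR_EXCLUDE_NAMESPACES` is left unquoted while every neighbouring env var in this block (`OPERATOR_BATCH_DELETE_LIMIT`, `OPERATOR_BATCH_DELETE_DELAY`) is rendered as `"{{ ... }}"`. A container env `value` must be a string: an operator who sets `starboard.OPERATOR_EXCLUDE_NAMESPACES: ""` to disable the exclusion renders `value:` with nothing after it, which YAML reads as null and the API server rejects, and a non-empty value is only safe as long as it happens to contain no YAML-significant characters. Quote it the way the Starboard ConfigMap template in kube-enforcer already does: `value: "{{ .Values.starboard.OPERATOR_EXCLUDE_NAMESPACES }}"`.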
1 change: 1 addition & 0 deletions aqua-quickstart/values.yaml
@@ -116,6 +116,7 @@ starboard:
- ALL
OPERATOR_NAMESPACE: "aqua"
OPERATOR_TARGET_NAMESPACES: ""
OPERATOR_EXCLUDE_NAMESPACES: "kube-system"
OPERATOR_LOG_DEV_MODE: "false"
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10"
OPERATOR_SCAN_JOB_RETRY_AFTER: "30s"
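Review bot: defaulting `OPERATOR_EXCLUDE_NAMESPACES` to `"kube-system"` is a scanning-coverage change, not just a new knob: on a fresh quickstart install, workloads in kube-system are no longer evaluated by Starboard, and nothing on this line or around it says so. Add a comment beside the value explaining why kube-system is excluded by default and that the string is a list of namespaces which can be set to `""` to evaluate everything, so a user who keeps the default understands what is being skipped.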
3 changes: 3 additions & 0 deletions kube-enforcer/CHANGELOG.md
@@ -1,6 +1,9 @@
# Changelog
All notable changes to this project will be documented in this file.

## 2022.4.51 ( Feb 19th, 2025 )
* upgraded kube-bench version to v0.10.2

## 2022.4.50 ( Jan 1st, 2025 )
* upgraded kube-bench version to v0.10.0

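Review bot: the 2022.4.51 entry records only the kube-bench upgrade, but this commit also introduces `starboard.OPERATOR_EXCLUDE_NAMESPACES` (default `kube-system`) in values.yaml, the Starboard ConfigMap and the README, changes the hard-coded `OPERATOR_EXCLUDE_NAMESPACES` in trivy-deployment.yaml from `""` to `"kube-system"`, and edits the `controller-gen.kubebuilder.io/version` annotations on the CRDs. Each of those is user-visible and belongs in this entry; the new default exclusion in particular changes which workloads get scanned and should not be discoverable only by reading the diff.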
2 changes: 1 addition & 1 deletion kube-enforcer/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
appVersion: "2022.4"
description: A Helm chart for the Aqua KubeEnforcer
name: kube-enforcer
version: "2022.4.50"
version: "2022.4.51"
dependencies:
- name: enforcer
version: "2022.4.23"
3 changes: 2 additions & 1 deletion kube-enforcer/README.md
@@ -416,7 +416,7 @@ To perform kube-bench scans in the cluster, the KubeEnforcer needs:
| `TLS.privateKey_fileName` | Filename of the private key eg: aqua_ke.key | `nil` | `Yes` <br /> `if gate.TLS.enabled is set to true` |
| `TLS.rootCA_fileName` | Filename of the rootCA, if using self-signed certificates eg: rootCA.crt | `nil` | `No` <br /> `if gate.TLS.enabled is set to true and using self-signed certificates for TLS/mTLS` |
| `starboard.enabled` | Starboard deployment | `true` | `No` |
| `starboard.crds.enabled` | Starboard CRDs installation | `true` | `No` |
| `starboard.crds.enabled` | Starboard CRDs installation | `true` | `No` |
| `starboard.replicaCount` | Starboard replica count | `1` | `Yes` |
| `starboard.appName` | Starboard application name | `starboard-operator` | `Yes` |
| `starboard.serviceAccount.name` | Starboard service account | `starboard-operator` | `Yes` |
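Review bot: the `starboard.crds.enabled` row is shown as removed and re-added but the visible text is identical before and after, so this is a whitespace-only edit (most likely trailing whitespace). Either drop it from this change set or move it to a separate cleanup commit so the diff stays focused on the version bump and the new parameter.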
@@ -427,6 +427,7 @@ To perform kube-bench scans in the cluster, the KubeEnforcer needs:
| `starboard.tag` | Starboard image tag | `0.13.0` | `Yes` |
| `starboard.pullPolicy` | Starboard image pullPolicy | `Always` | `Yes` |
| `starboard.OPERATOR_TARGET_NAMESPACES` | This determines the installation mode, which in turn determines the multi-tenancy support of the operator | `(blank)` | `Yes` <br> `(blank string)=> ALLNAMESPACES, foo,bar.baz => specific NAMESPACES` |
| `starboard.OPERATOR_EXCLUDE_NAMESPACES` | This will ensure that Starboard exclude the namespaces during evaluations | `kube-system` | `Yes` <br> `(blank string)=> NO NAMESPACES, foo,bar.baz => specific NAMESPACES` |
| `starboard.OPERATOR_LOG_DEV_MODE` | The flag to use (or not use) development mode (more human-readable output, extra stack traces and logging information, etc.) | `false` | `Yes` |
| `starboard.OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT` | The maximum number of scan jobs create by the operator | `10` | `Yes` |
| `starboard.OPERATOR_SCAN_JOB_RETRY_AFTER` | The time to wait before retrying a failed scan job | `30s` | `Yes` |
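Review bot: the description in the new `starboard.OPERATOR_EXCLUDE_NAMESPACES` row, "This will ensure that Starboard exclude the namespaces during evaluations", is ungrammatical and vague; something like "Namespaces that Starboard skips when evaluating workloads" says what the setting does. The legend `foo,bar.baz => specific NAMESPACES` is copied from the `OPERATOR_TARGET_NAMESPACES` row above and mixes a dot and a comma where a list of namespaces is meant; `foo,bar,baz` is what a reader will actually type, so fix the legend here and in the row it was copied from.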
1 change: 1 addition & 0 deletions kube-enforcer/templates/starboard-configmap.yaml
@@ -14,6 +14,7 @@ metadata:
data:
OPERATOR_NAMESPACE: {{ .Values.starboard.OPERATOR_NAMESPACE | default .Release.Namespace}}
OPERATOR_TARGET_NAMESPACES: "{{ .Values.starboard.OPERATOR_TARGET_NAMESPACES }}"
OPERATOR_EXCLUDE_NAMESPACES: "{{ .Values.starboard.OPERATOR_EXCLUDE_NAMESPACES }}"
OPERATOR_LOG_DEV_MODE: "{{ .Values.starboard.OPERATOR_LOG_DEV_MODE }}"
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "{{ .Values.starboard.OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT }}"
OPERATOR_SCAN_JOB_RETRY_AFTER: "{{ .Values.starboard.OPERATOR_SCAN_JOB_RETRY_AFTER }}"
2 changes: 1 addition & 1 deletion kube-enforcer/templates/trivy-deployment.yaml
@@ -42,7 +42,7 @@ spec:
- name: OPERATOR_TARGET_NAMESPACES
value: ""
- name: OPERATOR_EXCLUDE_NAMESPACES
value: ""
value: "kube-system"
- name: OPERATOR_TARGET_WORKLOADS
value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
- name: OPERATOR_SERVICE_ACCOUNT
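Review bot: `OPERATOR_EXCLUDE_NAMESPACES` (and `OPERATOR_TARGET_NAMESPACES` just above it) is hard-coded in this Deployment rather than read from values, so the new `starboard.OPERATOR_EXCLUDE_NAMESPACES` setting drives the Starboard ConfigMap but not this operator: a user who sets it to `""` expecting kube-system to be scanned again will still find it excluded here, with no override available. If both operators are meant to share the exclusion list, template this as `value: "{{ .Values.starboard.OPERATOR_EXCLUDE_NAMESPACES }}"`; if they are intentionally independent, add a dedicated values key so the default is at least overridable and document the difference.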
8 changes: 4 additions & 4 deletions kube-enforcer/templates/trivy-resource-definition.yaml
@@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
controller-gen.kubebuilder.io/version: v0.10.2
spec:
group: aquasecurity.github.io
names:
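Review bot: `controller-gen.kubebuilder.io/version` records the version of controller-gen that generated the CRD, not a product release. In all four hunks of this file the annotation moves from v0.10.0 to v0.10.2 in lockstep with the kube-bench image tag (the previous entry in CHANGELOG.md bumped kube-bench to v0.10.0, matching the old annotation value), while the CRD schemas themselves are untouched, which strongly suggests the annotation is being edited by hand to mirror the kube-bench version. Either regenerate the CRDs with the controller-gen release you actually use and commit its full output, or leave the annotation at the value the generator wrote; a hand-edited value misstates how these manifests were produced.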
@@ -179,7 +179,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
controller-gen.kubebuilder.io/version: v0.10.2
name: clusterrbacassessmentreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
@@ -353,7 +353,7 @@ metadata:
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
controller-gen.kubebuilder.io/version: v0.10.2
spec:
group: aquasecurity.github.io
names:
@@ -525,7 +525,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
controller-gen.kubebuilder.io/version: v0.10.2
name: rbacassessmentreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
3 changes: 2 additions & 1 deletion kube-enforcer/values.yaml
@@ -86,7 +86,7 @@ microEnforcerImage:
# KubeBench Image
kubebenchImage:
repository: "registry.aquasec.com/kube-bench" # Default aqua registry KubeBench repository name
tag: "v0.10.0"
tag: "v0.10.2"

# Enable/Disable KB scanning on tainted nodes
kubeBench:
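Review bot: `tag: "v0.10.2"` pins the kube-bench image by mutable tag only. kube-bench runs on every node with the access it needs to read control-plane and kubelet configuration, so which binary actually runs matters; a tag can be repointed in the registry without any change to this chart. Consider adding a digest value next to `repository`/`tag` here (or documenting how to override the image with an `@sha256:...` reference) so the scanner image deployed in-cluster is pinned and verifiable rather than whatever `v0.10.2` resolves to at pull time.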
@@ -335,6 +335,7 @@ starboard:

OPERATOR_NAMESPACE: ""
OPERATOR_TARGET_NAMESPACES: ""
OPERATOR_EXCLUDE_NAMESPACES: "kube-system"
OPERATOR_LOG_DEV_MODE: "false"
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10"
OPERATOR_SCAN_JOB_RETRY_AFTER: "30s"