fixing cc deployment securitycontext to support latest CC release
KoppulaRajender committed Mar 29, 2024
1 parent 14fc3d0 commit f522ec6
Showing 7 changed files with 83 additions and 35 deletions.
4 changes: 2 additions & 2 deletions README.md
@@ -33,7 +33,7 @@ This repository includes the following charts; they can be deployed separately:
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.42 |
| [Gateway](gateway) | Deploys the Aqua Standalone Gateway | 2022.4.12 |
| [Tenant-Manager](tenant-manager/) | Deploys the Aqua Tenant Manager | 2022.4.0 |
| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.3 |
| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.4 |
| [Cloud Connector](cloud-connector/) | Deploys the Aqua Cloud Connector | 2022.4.5 |
| [QuickStart](aqua-quickstart/) | Not for production use (see [below](#quick-start-deployment-not-for-production-purposes)). Deploys the Console, Database, Gateway and KubeEnforcer components | 2022.4.1 |
| [Codesec-Agent](codesec-agent/) | Argon Broker Deployment | 1.2.7 |
@@ -79,7 +79,7 @@ Example output:
NAME CHART VERSION APP VERSION DESCRIPTION
aqua-helm/codesec-agent 1.2.7 2022.4 A Helm chart for the Argon Broker Deployment
aqua-helm/cloud-connector 2022.4.4 2022.4 A Helm chart for Aqua Cloud-Connector
aqua-helm/cyber-center 2022.4.3 2022.4 A Helm chart for Aqua CyberCenter
aqua-helm/cyber-center 2022.4.4 2022.4 A Helm chart for Aqua CyberCenter
aqua-helm/enforcer 2022.4.20 2022.4 A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer 2022.4.42 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway 2022.4.12 2022.4 A Helm chart for the Aqua Gateway
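Review bot: the chart versions in the two README hunks disagree for cloud-connector: the table row `| [Cloud Connector](cloud-connector/) | ... | 2022.4.5 |` says 2022.4.5, while this example output still lists `aqua-helm/cloud-connector 2022.4.4`. Since this commit touches both blocks to bump cyber-center, bring the cloud-connector line in the example output up to the same version as the table (or correct the table), so readers cannot be misled about which chart release is current.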
2 changes: 2 additions & 0 deletions cyber-center/CHANGELOG.md
@@ -2,6 +2,8 @@

All notable changes to this project will be documented in this file.

## 2022.4.4 ( Mar 29th, 2024 )
* Add Openshift scc
## 2022.4.3 ( Jan 8th, 2024 )
* Add deploymentAnnotations
## 2022.4.2 ( Mar 22nd, 2023 )
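Review bot: the 2022.4.4 entry lists only `* Add Openshift scc`, but the deployment template in this same commit also gains a hard-coded container `securityContext` (`runAsUser: 0`, `privileged: false`) that applies on every platform, not only OpenShift. That is the user-visible change behind the commit title and deserves its own bullet, so operators running under restrictive admission (Pod Security Admission `restricted`, or a custom OpenShift SCC) know why the pod may start being rejected after this upgrade.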
4 changes: 2 additions & 2 deletions cyber-center/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
name: cyber-center
description: A Helm chart for Aqua CyberCenter
description: A Helm chart for Aqua CyberCenter
appVersion: "2022.4"
version: "2022.4.3"
version: "2022.4.4"
icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4
home: https://www.aquasec.com/
maintainers:
63 changes: 32 additions & 31 deletions cyber-center/README.md
@@ -6,14 +6,14 @@ These are Helm charts for installing and maintaining the Aqua Security CyberCent

## Contents

- [Aqua Security Cyber Center Helm Chart](#aqua-security-cyber-center-helm-chart)
- [Aqua Security CyberCenter Helm Chart](#aqua-security-cybercenter-helm-chart)
- [Contents](#contents)
- [Prerequisites](#prerequisites)
- [Container Registry Credentials](#container-registry-credentials)
- [Installing the Chart](#installing-the-chart)
- [Installing Aqua CyberCenter from Helm Private Repository](#installing-aquacyber-center-from-helm-private-repository)
- [Installing Aqua CyberCenter from Helm Private Repository](#installing-aqua-cybercenter-from-helm-private-repository)
- [Configuring mTLS/TLS](#configuring-mtlstls)
- [How to connect to offline cyber-center from aqua console](#how-to-connect-to-offline-cyber-center-from-aqua-console)
- [How to connect to the offline CyberCenter from the Aqua console](#how-to-connect-to-the-offline-cybercenter-from-the-aqua-console)
- [Configurable Variables for the CyberCenter](#configurable-variables-for-the-cybercenter)
- [Issues and feedback](#issues-and-feedback)
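Review bot: the three rewritten TOC anchors (`#aqua-security-cybercenter-helm-chart`, `#installing-aqua-cybercenter-from-helm-private-repository`, `#how-to-connect-to-the-offline-cybercenter-from-the-aqua-console`) only resolve if the corresponding headings were renamed to exactly "Aqua Security CyberCenter Helm Chart", "Installing Aqua CyberCenter from Helm Private Repository" and "How to connect to the offline CyberCenter from the Aqua console". None of those headings appear in this diff, so please confirm they were changed in the same commit; otherwise these links are dead.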

Expand Down Expand Up @@ -102,34 +102,35 @@ For more information, refer to [Link](https://docs.aquasec.com/docs/cybercenter-
## Configurable Variables for the CyberCenter
| Parameter | Description | Default | Mandatory |
|----------------------------------------|------------------------------------------------------------------------------|------------------------|---------------------------------------------------------------------------------------------|
| `imageCredentials.create` | Enable to create new pull image secret | `false` | `YES - New cluster` |
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.repositoryUriPrefix` | Repository URI prefix for Docker Hub set `docker.io` | `registry.aquasec.com` | `YES - New cluster` |
| `imageCredentials.registry` | Set the registry URL for Docker Hub set `index.docker.io/v1/` | `registry.aquasec.com` | `YES - New cluster` |
| `imageCredentials.username` | Your Docker registry (Docker Hub, etc.) username | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.password` | Your Docker registry (Docker Hub, etc.) password | `unset` | `YES - New cluster` |
| `serviceAccount.create` | Enable to create aqua-sa serviceAccount if it is missing in the environment | `false` | `YES - New cluster` |
| `serviceAccount.name` | Service account name | `aqua-sa` | `NO` |
| `image.repository` | Docker image name to use | `cc-standard` | `YES` |
| `image.tag` | Image tag to use | `2022.4` | `YES` |
| `image.pullPolicy` | Kubernetes image pull policy | `Always` | `NO` |
| `service.type` | Kubernetes service type | `ClusterIP` | `NO` |
| `service.annotations` | Service annotations | `{}` | `NO` |
| `service.ports` | Array of ports settings | `array` | `NO` |
| `tolerations` | Kubernetes node tolerations | `[]` | `NO` |
| `deploymentAnnotations` | Kubernetes deployment annotations | `{}` | `NO` |
| `podAnnotations` | Kubernetes pod annotations | `{}` | `NO` |
| `resources` | Resource requests and limits | `{}` | `NO` |
| `nodeSelector` | Kubernetes node selector | `{}` | `NO` |
| `affinity` | Kubernetes node affinity | `{}` | `NO` |
| `TLS.enabled` | If secure channel communication is required | `false` | `NO` |
| `TLS.secretName` | Certificates secret name | `nil` | `YES` <br /> `if TLS.enabled is set to true` |
| `TLS.publicKey_fileName` | Filename of the public key, e.g., aqua_cyber-center.crt | `nil` | `YES` <br /> `if TLS.enabled is set to true` |
| `TLS.privateKey_fileName` | Filename of the private key, e.g., aqua_cyber-center.key | `nil` | `YES` <br /> `if TLS.enabled is set to true` |
| `TLS.rootCA_fileName` | Filename of the rootCA, if using self-signed certificates, e.g., rootCA.crt | `nil` | `NO` <br /> `if TLS.enabled is set to true and using self-signed certificates for TLS/mTLS` |
| Parameter | Description | Default | Mandatory |
|----------------------------------------|-----------------------------------------------------------------------------|------------------------|-----------------------------------------------------------------------------------------------|
| `imageCredentials.create` | Enable to create new pull image secret | `false` | `YES - New cluster` |
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.repositoryUriPrefix` | Repository URI prefix for Docker Hub set `docker.io` | `registry.aquasec.com` | `YES - New cluster` |
| `imageCredentials.registry` | Set the registry URL for Docker Hub set `index.docker.io/v1/` | `registry.aquasec.com` | `YES - New cluster` |
| `imageCredentials.username` | Your Docker registry (Docker Hub, etc.) username | `aqua-registry-secret` | `YES - New cluster` |
| `imageCredentials.password` | Your Docker registry (Docker Hub, etc.) password | `unset` | `YES - New cluster` |
| `serviceAccount.name` | Service account name | `aqua-sa` | `NO` |
| `serviceAccount.create` | Enable to create aqua-sa serviceAccount if it is missing in the environment | `false` | `YES - New cluster` |
| `platform` | Platform name (for Openshift) | `` | `NO` |
| `image.repository` | Docker image name to use | `cc-standard` | `YES` |
| `image.tag` | Image tag to use | `2022.4` | `YES` |
| `image.pullPolicy` | Kubernetes image pull policy | `Always` | `NO` |
| `service.type` | Kubernetes service type | `ClusterIP` | `NO` |
| `service.annotations` | Service annotations | `{}` | `NO` |
| `service.ports` | Array of ports settings | `array` | `NO` |
| `tolerations` | Kubernetes node tolerations | `[]` | `NO` |
| `deploymentAnnotations` | Kubernetes deployment annotations | `{}` | `NO` |
| `podAnnotations` | Kubernetes pod annotations | `{}` | `NO` |
| `resources` | Resource requests and limits | `{}` | `NO` |
| `nodeSelector` | Kubernetes node selector | `{}` | `NO` |
| `affinity` | Kubernetes node affinity | `{}` | `NO` |
| `TLS.enabled` | If secure channel communication is required | `false` | `NO` |
| `TLS.secretName` | Certificates secret name | `nil` | `YES` <br /> `if TLS.enabled is set to true` |
| `TLS.publicKey_fileName` | Filename of the public key, e.g., aqua_cyber-center.crt | `nil` | `YES` <br /> `if TLS.enabled is set to true` |
| `TLS.privateKey_fileName` | Filename of the private key, e.g., aqua_cyber-center.key | `nil` | `YES` <br /> `if TLS.enabled is set to true` |
| `TLS.rootCA_fileName` | Filename of the rootCA, if using self-signed certificates, e.g., rootCA.crt | `nil` | `NO` <br /> `if TLS.enabled is set to true and using self-signed certificates for TLS/mTLS` |
|----------------------------------------|-----------------------------------------------------------------------------|------------------------|-----------------------------------------------------------------------------------------------|
> Note: `imageCredentials.create` is false; if you need to create an image pull secret, update this to true, set the username and password for the registry, and set `serviceAccount.create` to false. If your environment is new or not having aqua-sa serviceAccount, update it to true.
## Issues and feedback
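Review bot: the new `platform` row describes the parameter as "Platform name (for Openshift)" with an empty default and Mandatory `NO`, which understates it. The template only reacts to the exact string `openshift` (`{{- if eq .Values.platform "openshift" }}`), and on OpenShift the SecurityContextConstraints it creates is what lets the pod run as UID 0, so the row should name the accepted value and mark it as required on OpenShift, e.g. `| platform | Set to openshift to create the SecurityContextConstraints the root-running pod needs | `` | YES - OpenShift |`. Two smaller points: the trailing `|---|---|---|---|` separator row added under the last data row is not GFM table syntax and renders as a row of dashes, so drop it; and the new container `securityContext` has no row here because it is not configurable, which is worth fixing in the template rather than documenting.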
3 changes: 3 additions & 0 deletions cyber-center/templates/cybercenter-deployment.yaml
@@ -49,6 +49,9 @@ spec:
{{- end }}
image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
securityContext:
privileged: false
runAsUser: 0
args:
{{- range $port := .Values.service.ports }}
- --address=:{{ $port.targetPort }}
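Review bot: the container `securityContext` hard-codes `runAsUser: 0` for every platform, not just OpenShift, and offers no values override. In a namespace enforcing the Pod Security Standards `restricted` profile the pod is rejected outright (it requires `runAsNonRoot: true`), and nothing in the chart lets an operator adjust that. If root is genuinely required by the offline-cc binary, as the SCC description claims, then at least render the block from values (for example `{{- toYaml .Values.securityContext | nindent 10 }}` with the current settings as the default) so deployers can add `allowPrivilegeEscalation: false`, `capabilities: { drop: [ALL] }` and `readOnlyRootFilesystem: true` where the image tolerates them. `privileged: false` is already the Kubernetes default and adds nothing on its own.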
39 changes: 39 additions & 0 deletions cyber-center/templates/cybercenter-openshift-scc.yaml
@@ -0,0 +1,39 @@
{{- if eq .Values.platform "openshift" }}

---
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
annotations:
"helm.sh/hook": pre-install
kubernetes.io/description: aqua cybcercenter scc provides all features of the
restricted SCC but allows users to run with any root UID and access hostPath.
This is must to run offline-cc in root user in container.
release.openshift.io/create-only: "true"
name: {{ .Release.Name }}-cc-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Namespace }}-sa
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
- hostPath

{{- end }}
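Review bot: the `users` entry binds this SCC to `system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Namespace }}-sa`, deriving the service account name from the namespace, but the chart's service account is named by `serviceAccount.name` (default `aqua-sa` per the README). Unless the release namespace happens to be `aqua`, the grant lands on an account that does not exist and the real account is admitted under whatever SCC it already has, which will not permit UID 0; use `{{ .Values.serviceAccount.name }}` here. Three further points. First, `hostPath` is listed under `volumes` although the deployment hunk mounts no hostPath volume; a hostPath grant to a root-running pod is a node-escape primitive, so remove it unless a volume actually needs it. Second, `requiredDropCapabilities` drops only `MKNOD`, leaving a root UID with the rest of the default capability set; drop `ALL` and add back only what the binary needs, and set `allowPrivilegeEscalation: false` explicitly. Third, `"helm.sh/hook": pre-install` means Helm does not track the SCC as part of the release: it is not removed on `helm uninstall` (there is no `helm.sh/hook-delete-policy`) and not re-rendered on `helm upgrade`, so a cluster-scoped privilege grant outlives the workload; render it as an ordinary chart resource or add a delete policy. Also, the description has a typo (`cybcercenter`) and "This is must to run" should read "This is required to run".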
3 changes: 3 additions & 0 deletions cyber-center/values.yaml
@@ -10,6 +10,9 @@ imageCredentials:
username: ""
password: ""

# For Openshift platforms use platform: openshift
platform: ""

serviceaccount:
# make it to true to create service-account
create: false
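Review bot: the context here shows the values key as `serviceaccount:` (all lowercase), while the README in this same commit documents `serviceAccount.create` and `serviceAccount.name`. Helm values are case-sensitive, so if the templates follow the README and read `.Values.serviceAccount.name`, that lookup yields nil and the SCC `users` binding and `serviceAccountName` fall back to whatever defaults the templates carry; rename the key or correct the docs so they agree. Since the deployment now hard-codes a container `securityContext`, this is also the place to add a `securityContext:` block with the current settings as defaults so operators can tighten them.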
