Merge pull request #353 from becitsthere/master

NVSHAS-8597: Treat non-semantic versioning as post 5.3
neuvector · Jan 13, 2024 · 1a6ab94 · 1a6ab94
2 parents d488ccd + ba3eba8
commit 1a6ab94
Show file tree

Hide file tree

Showing 7 changed files with 156 additions and 26 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+.*.swp
+.vscode
+*.code-workspace
+*.bak
diff --git a/charts/core/README.md b/charts/core/README.md
@@ -6,7 +6,7 @@ Helm chart for NeuVector container security's core services.
 Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set `crdwebhook.enabled` to false, if you use the new 'crd' chart.
 
 ## Choosing container runtime
-The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively.
+Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more.
 
 ## Configuration
 
@@ -239,15 +239,16 @@ Parameter | Description | Default | Notes
 `cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
 `cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
 `cve.scanner.runAsUser` | Specify the run as User ID | `nil` |
-`docker.path` | docker path | `/var/run/docker.sock` |
-`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s and rke clusters, set k3s.enabled to true instead
-`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` |
-`crio.enabled` | Set to true, if the container runtime is cri-o | `false` |
-`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` |
-`k3s.enabled` | Set to true for k3s or rke2 | `false` |
-`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` |
-`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` |
-`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` |
+`runtimePath` | container runtime socket path, if it's not at the default location. | `` |
+`docker.path` | docker path | `/var/run/docker.sock` | Deprecated in 5.3.0
+`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | Deprecated in 5.3.0. Prior to 5.3.0, for k3s and rke clusters, set k3s.enabled to true instead
+`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | Deprecated in 5.3.0.
+`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | Deprecated in 5.3.0.
+`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | Deprecated in 5.3.0.
+`k3s.enabled` | Set to true for k3s or rke2 | `false` | Deprecated in 5.3.0.
+`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | Deprecated in 5.3.0.
+`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | Deprecated in 5.3.0.
+`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | Deprecated in 5.3.0.
 `admissionwebhook.type` | admission webhook type | `ClusterIP` |
 `crdwebhook.enabled` | Enable crd service and create crd related resources | `true` |
 `crdwebhook.type` | crd webhook type | `ClusterIP` |

diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
@@ -1,4 +1,7 @@
-{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
+{{- $pre530 := false -}}
+{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}
+{{- $pre530 = (semverCompare "<5.2.10" .Values.tag) -}}
+{{- end }}
 {{- if .Values.controller.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1

diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml
@@ -1,4 +1,21 @@
-{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
+{{- $pre530 := false -}}
+{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}
+{{- $pre530 = (semverCompare "<5.2.10" .Values.tag) -}}
+{{- end }}
+{{- $runtimePath := "" -}}
+{{- if .Values.runtimePath }}
+{{- $runtimePath = .Values.runtimePath -}}
+{{- else if and .Values.k3s.enabled (ne .Values.k3s.runtimePath "/run/k3s/containerd/containerd.sock") }}
+{{- $runtimePath = .Values.k3s.runtimePath -}}
+{{- else if and .Values.bottlerocket.enabled (ne .Values.bottlerocket.runtimePath "/run/dockershim.sock") }}
+{{- $runtimePath = .Values.bottlerocket.runtimePath -}}
+{{- else if and .Values.containerd.enabled (ne .Values.containerd.path "/var/run/containerd/containerd.sock") }}
+{{- $runtimePath = .Values.containerd.path -}}
+{{- else if and .Values.crio.enabled (ne .Values.crio.path "/var/run/crio/crio.sock") }}
+{{- $runtimePath = .Values.crio.path -}}
+{{- else if ne .Values.docker.path "/var/run/docker.sock" }}
+{{- $runtimePath = .Values.docker.path -}}
+{{- end }}
 {{- if .Values.enforcer.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -112,6 +129,10 @@ spec:
             - mountPath: /host/cgroup
               name: cgroup-vol
               readOnly: true
+          {{- else if $runtimePath }}
+            - mountPath: /run/runtime.sock
+              name: runtime-sock
+              readOnly: true
           {{- end }}
             - mountPath: /lib/modules
               name: modules-vol
@@ -156,6 +177,10 @@ spec:
         - name: cgroup-vol
           hostPath:
             path: /sys/fs/cgroup
+      {{- else if $runtimePath }}
+        - name: runtime-sock
+          hostPath:
+            path: {{ $runtimePath }}
       {{- end }}
         - name: modules-vol
           hostPath:

diff --git a/charts/core/values.yaml b/charts/core/values.yaml
@@ -533,9 +533,6 @@ cve:
         pemFile: tls.crt
         caFile: ca.crt # must be the same CA for all internal.
 
-docker:
-  path: /var/run/docker.sock
-
 resources:
   {}
   # limits:
@@ -545,6 +542,13 @@ resources:
   #   cpu: 100m
   #   memory: 2280Mi
 
+runtimePath:
+
+# The following runtime type and socket location are deprecated after 5.3.0.
+# If the socket path is not at the default location, use above 'runtimePath' to specify the location.
+docker:
+  path: /var/run/docker.sock
+
 k3s:
   enabled: false
   runtimePath: /run/k3s/containerd/containerd.sock

diff --git a/test/daemonset_test.go b/test/daemonset_test.go
@@ -14,7 +14,6 @@ func TestEnforcerDaemonset(t *testing.T) {
 		SetValues: map[string]string{},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/enforcer-daemonset.yaml"})
 	outs := splitYaml(out)
 
@@ -23,17 +22,40 @@ func TestEnforcerDaemonset(t *testing.T) {
 	}
 }
 
-func TestEnforcerDaemonsetRuntime(t *testing.T) {
+func TestEnforcerDaemonsetPost53(t *testing.T) {
 	helmChartPath := "../charts/core"
 
 	options := &helm.Options{
 		SetValues: map[string]string{
+			"tag": "latest",
+		},
+	}
+
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/enforcer-daemonset.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var ds appsv1.DaemonSet
+	helm.UnmarshalK8SYaml(t, outs[0], &ds)
+	if ds.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "modules-vol" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", ds.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+}
+
+func TestEnforcerDaemonsetRuntimePre53(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag":          "5.2.0",
 			"crio.enabled": "true",
 			"crio.path":    "/var/run/crio.sock",
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/enforcer-daemonset.yaml"})
 	outs := splitYaml(out)
 
@@ -66,6 +88,85 @@ func TestEnforcerDaemonsetRuntime(t *testing.T) {
 	}
 }
 
+func TestEnforcerDaemonsetRuntimePost53Default(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag":          "5.3.0-s1",
+			"crio.enabled": "true",
+		},
+	}
+
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/enforcer-daemonset.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var ds appsv1.DaemonSet
+	helm.UnmarshalK8SYaml(t, outs[0], &ds)
+
+	if ds.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "modules-vol" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", ds.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+}
+
+func TestEnforcerDaemonsetRuntimePost53NonDefaultLegacy(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag":          "5.3.0",
+			"crio.enabled": "true",
+			"crio.path":    "/var/run/crio.sock",
+		},
+	}
+
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/enforcer-daemonset.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var ds appsv1.DaemonSet
+	helm.UnmarshalK8SYaml(t, outs[0], &ds)
+
+	if ds.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "runtime-sock" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", ds.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+}
+
+func TestEnforcerDaemonsetRuntimePost53NonDefault(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag":         "5.3.0",
+			"runtimePath": "/var/run/crio/crio.sock",
+		},
+	}
+
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/enforcer-daemonset.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var ds appsv1.DaemonSet
+	helm.UnmarshalK8SYaml(t, outs[0], &ds)
+
+	if ds.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "runtime-sock" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", ds.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+	if ds.Spec.Template.Spec.Volumes[0].HostPath.Path != "/var/run/crio/crio.sock" {
+		t.Errorf("Volume[0] is wrong, %v\n", ds.Spec.Template.Spec.Volumes[0])
+	}
+}
+
 func TestEnforcerDaemonsetLeastPrivilege(t *testing.T) {
 	helmChartPath := "../charts/core"
 
@@ -75,7 +176,6 @@ func TestEnforcerDaemonsetLeastPrivilege(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/enforcer-daemonset.yaml"})
 	outs := splitYaml(out)
 

diff --git a/test/deployment_test.go b/test/deployment_test.go
@@ -21,7 +21,6 @@ func TestControllerDeployment(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
 	outs := splitYaml(out)
 
@@ -39,7 +38,6 @@ func TestControllerDeploymentPre53(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
 	outs := splitYaml(out)
 
@@ -66,7 +64,6 @@ func TestControllerDeploymentPost53(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
 	outs := splitYaml(out)
 
@@ -97,7 +94,6 @@ func TestControllerDeploymentRegistry(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
 	outs := splitYaml(out)
 
@@ -124,7 +120,6 @@ func TestControllerDeploymentOEM(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
 	outs := splitYaml(out)
 
@@ -149,7 +144,6 @@ func TestControllerDeploymentCert(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
 	outs := splitYaml(out)
 
@@ -168,7 +162,6 @@ func TestControllerDeploymentDisrupt(t *testing.T) {
 		},
 	}
 
-	// Test ingress
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
 	outs := splitYaml(out)