From 08cb53a63f5842006c49d3df942b25882d50258c Mon Sep 17 00:00:00 2001 From: Adam Roberts Date: Mon, 13 Jan 2025 16:12:22 -0500 Subject: [PATCH] feat(shield): expose dns detections directly Add DNS Detections as a configurable in the 'features.detections' block for enabling the DNS Detections feature in the Host Shield. --- charts/shield/Chart.yaml | 2 +- charts/shield/README.md | 1 + .../templates/host/_configmap_helpers.tpl | 2 +- .../configmap-host-shield-config_test.yaml | 55 +++++++++++++++---- charts/shield/values.schema.json | 13 +++++ charts/shield/values.yaml | 2 + 6 files changed, 62 insertions(+), 13 deletions(-) diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml index 9f7105ff8..889244d4b 100644 --- a/charts/shield/Chart.yaml +++ b/charts/shield/Chart.yaml @@ -13,5 +13,5 @@ maintainers: - name: mavimo email: marcovito.moscaritolo@sysdig.com type: application -version: 0.5.1 +version: 0.5.2 appVersion: "1.0.0" diff --git a/charts/shield/README.md b/charts/shield/README.md index 0b9f5ea1c..a5b6a0d33 100644 --- a/charts/shield/README.md +++ b/charts/shield/README.md @@ -102,6 +102,7 @@ The following table lists the configurable parameters of the `shield` chart and | features.vulnerability_management.container_vulnerability_management.registry_ssl.verify | If set to false it allows insecure connections to registries, Such as for registries with self-signed or private certificates. | true | | features.vulnerability_management.in_use.enabled | Allows to retrieve the list of running packages. | false | | features.vulnerability_management.in_use.integration_enabled | Allows to store the list of running packages to Sysdig backend. | false | +| features.detections.dns_detections.enabled | | false | | features.detections.drift_control.enabled | | false | | features.detections.malware_control.enabled | | false | | features.detections.ml_policies.enabled | | false | 
diff --git a/charts/shield/templates/host/_configmap_helpers.tpl b/charts/shield/templates/host/_configmap_helpers.tpl index 798e7d045..ee5983934 100644 --- a/charts/shield/templates/host/_configmap_helpers.tpl +++ b/charts/shield/templates/host/_configmap_helpers.tpl @@ -13,7 +13,7 @@ {{- end }} {{- define "host.configmap.detections" }} -{{- dict "detections" (pick . "ml_policies") | toYaml }} +{{- dict "detections" (pick . "dns_detections" "ml_policies") | toYaml }} {{- end }} {{/* Generate the 'host_shield_config.yaml' content */}} diff --git a/charts/shield/tests/host/configmap-host-shield-config_test.yaml b/charts/shield/tests/host/configmap-host-shield-config_test.yaml index f3412e2d6..004822d0c 100644 --- a/charts/shield/tests/host/configmap-host-shield-config_test.yaml +++ b/charts/shield/tests/host/configmap-host-shield-config_test.yaml @@ -21,6 +21,8 @@ tests: pattern: | features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -48,6 +50,8 @@ tests: pattern: | features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -75,6 +79,8 @@ tests: pattern: | features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -102,6 +108,8 @@ tests: pattern: | features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -129,6 +137,8 @@ tests: pattern: | features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -151,6 +161,8 @@ tests: pattern: | features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -181,6 +193,8 @@ tests: pattern: |- features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -210,6 +224,8 @@ tests: pattern: |- features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: 
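Review bot: The `pick . "dns_detections" "ml_policies"` call in `host.configmap.detections` is a hand-maintained allow-list of which `features.detections` keys reach the host config, and sprig's `pick` simply omits any named key that is not present, so a misspelled entry here would silently drop a detection toggle from the rendered host-shield.yaml rather than fail the render. Nothing in the define says which keys are deliberately left out (values.yaml in this same commit also carries `drift_control` and `malware_control` under `detections`), so the next person adding a toggle has to guess. A comment above the define in the style this file already uses, e.g. `{{/* Host-side detection toggles only; keep this list in sync with features.detections in values.yaml and values.schema.json */}}`, would document the contract the unit tests are guarding.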
@@ -237,6 +253,8 @@ tests: pattern: |- features: detections: + dns_detections: + enabled: false ml_policies: enabled: false posture: @@ -264,17 +282,32 @@ tests: pattern: |- features: detections: + dns_detections: + enabled: false ml_policies: enabled: true - posture: - host_posture: - enabled: false - responding: - rapid_response: - enabled: false - vulnerability_management: - host_vulnerability_management: - enabled: false - in_use: + + - it: Ensure DNS Detections is disabled by default + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: |- + features: + detections: + dns_detections: enabled: false - integration_enabled: false + + - it: Enable DNS Detections + set: + features: + detections: + dns_detections: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: |- + features: + detections: + dns_detections: + enabled: true diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json index 5f8341b32..a7550f3a1 100644 --- a/charts/shield/values.schema.json +++ b/charts/shield/values.schema.json @@ -680,6 +680,9 @@ "type": "object", "additionalProperties": false, "properties": { + "dns_detections": { + "$ref": "#/$defs/FeatureGroupDetections/$defs/DNSDetections" + }, "drift_control": { "$ref": "#/$defs/FeatureGroupDetections/$defs/DriftControl" }, @@ -694,6 +697,16 @@ } }, "$defs": { + "DNSDetections": { + "type": "object", + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "description": "Specify if the DNS Detections feature is enabled" + } + } + }, "DriftControl": { "type": "object", "additionalProperties": true, diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml index 37a018e29..6866cdb46 100644 --- a/charts/shield/values.yaml +++ b/charts/shield/values.yaml 
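Review bot: The `@@ -264,17 +282,32 @@` hunk narrows an existing assertion: the removed `posture:` through `integration_enabled: false` lines were the tail of the pattern for the test that sets `ml_policies.enabled: true`, so that test no longer checks that posture, responding and vulnerability_management stay at their defaults when a single detection toggle is flipped. If the tail was cut only to make room for the two new cases, keep it (with the `dns_detections:` / `enabled: false` pair inserted as in the other hunks) and append the new `it:` entries after it. The new "Enable DNS Detections" case could likewise include `ml_policies:` / `enabled: false` in its pattern to show the two toggles are independent. The `it:` line of the modified test sits above the hunk, so its name is not visible here.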
@@ -89,6 +89,8 @@ features: # Allows to store the list of running packages to Sysdig backend. integration_enabled: false detections: + dns_detections: + enabled: false drift_control: enabled: false malware_control:
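Review bot: The new `dns_detections` key ships without a comment, while `integration_enabled` a few lines above it in the same `features` block is documented, and the README row added in this commit (`| features.detections.dns_detections.enabled | | false |`) leaves the description column empty, so an operator reading either file cannot tell what enabling the toggle does. A one-line comment above the key, e.g. `# Enable the DNS Detections feature of the Host Shield (rendered into host-shield.yaml); off by default.`, and the same sentence in the README description column would close that gap; the neighbouring `drift_control` and `malware_control` entries are in the same state and could be documented in the same pass. The `detections:` mapping continues past the end of the hunk.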