Merge pull request #458 from kubescape/feature/admission

Adding helm chart for admission controller
kubescape · Jul 16, 2024 · f1a2ac0 · f1a2ac0
2 parents e384f09 + e34ea87
commit f1a2ac0
Show file tree

Hide file tree

Showing 11 changed files with 297 additions and 71 deletions.
diff --git a/charts/kubescape-operator/templates/_helpers.tpl b/charts/kubescape-operator/templates/_helpers.tpl
@@ -82,3 +82,22 @@ customCaCertificates:
 autoUpdater:
   enabled: {{ eq .Values.capabilities.autoUpgrading "enable" }}
 {{- end -}}
+
+{{- define "admission-certificates" -}}
+{{- $svcName := (printf "kubescape-admission-webhook.%s.svc" .Release.Namespace) -}}
+{{- $ca := dict "Key" "mock-ca-key" "Cert" "mock-ca-cert" -}}
+{{- $cert := dict "Key" "mock-cert-key" "Cert" "mock-cert-cert" -}}
+{{- if not .Values.unittest }}
+  {{- $generatedCA := genCA (printf "*.%s.svc" .Release.Namespace) 1024 -}}
+  {{- $generatedCert := genSignedCert $svcName nil (list $svcName) 1024 $generatedCA -}}
+  {{- $_ := set $ca "Key" $generatedCA.Key -}}
+  {{- $_ := set $ca "Cert" $generatedCA.Cert -}}
+  {{- $_ := set $cert "Key" $generatedCert.Key -}}
+  {{- $_ := set $cert "Cert" $generatedCert.Cert -}}
+{{- end -}}
+{{- $certData := dict "ca" $ca "cert" $cert -}}
+{{- toYaml $certData -}}
+{{- end -}}
+
+
+
diff --git a/charts/kubescape-operator/templates/node-agent/default-rule-binding-namespaced.yaml b/charts/kubescape-operator/templates/node-agent/default-rule-binding-namespaced.yaml
@@ -31,5 +31,7 @@ spec:
     - ruleName: "Unexpected Sensitive File Access"
     - ruleName: "LD_PRELOAD Hook"
     - ruleName: "Hardlink Created Over Sensitive File"
+    - ruleName: "Exec to pod"
+    - ruleName: "Port forward"
 {{- end }}
 
diff --git a/charts/kubescape-operator/templates/node-agent/default-rule-binding.yaml b/charts/kubescape-operator/templates/node-agent/default-rule-binding.yaml
@@ -49,4 +49,6 @@ spec:
     - ruleName: "Unexpected Sensitive File Access"
     - ruleName: "LD_PRELOAD Hook"
     - ruleName: "Hardlink Created Over Sensitive File"
+    - ruleName: "Exec to pod"
+    - ruleName: "Port forward"
 {{- end }}
diff --git a/charts/kubescape-operator/templates/operator/admission-service.yaml b/charts/kubescape-operator/templates/operator/admission-service.yaml
@@ -0,0 +1,20 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.operator.enabled }}
+{{- if eq .Values.capabilities.admissionController "enable" }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: "kubescape-admission-webhook"
+  namespace: {{ .Values.ksNamespace }}
+  labels:
+    app: {{ .Values.operator.name }}
+    kubescape.io/ignore: "true"
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+  selector:
+    app: {{ .Values.operator.name }}
+  type: ClusterIP  # Or use LoadBalancer or NodePort if needed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/operator/admission-webhook.yaml b/charts/kubescape-operator/templates/operator/admission-webhook.yaml
@@ -0,0 +1,42 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.operator.enabled }}
+{{- if eq .Values.capabilities.admissionController "enable" }}
+{{- $svcName := (printf "kubescape-admission-webhook.%s.svc" .Release.Namespace) -}}
+{{- $certData := fromYaml (include "admission-certificates" .) -}}
+{{- $ca := $certData.ca -}}
+{{- $cert := $certData.cert -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $svcName }}-kubescape-tls-pair
+  namespace: {{ .Values.ksNamespace }}
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validation
+webhooks:
+  - name: validation.kubescape.admission
+    clientConfig:
+      service:
+        name: kubescape-admission-webhook
+        namespace: {{ .Values.ksNamespace }}
+        path: /validate
+        port: 443
+      caBundle: {{ $ca.Cert | b64enc }}
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    rules:
+      - operations: ["CREATE", "UPDATE", "DELETE", "CONNECT"]
+        apiGroups: ["*"]
+        apiVersions: ["v1"]
+        resources: ["pods", "pods/exec", "pods/portforward", "pods/attach", "clusterrolebindings", "rolebindings"]
+        scope: "*"
+    failurePolicy: Ignore
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/operator/clusterrole.yaml b/charts/kubescape-operator/templates/operator/clusterrole.yaml
@@ -19,6 +19,9 @@ rules:
   - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
     resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries", "openvulnerabilityexchangecontainers", "sbomsyftfiltereds", "sbomsyfts"]
     verbs: ["get", "watch", "list", "delete"]
+  - apiGroups: ["kubescape.io"]
+    resources: ["runtimerulealertbindings"]
+    verbs: ["list", "watch", "get"]
   - apiGroups: ["kubescape.io"]
     resources: ["servicesscanresults"]
     verbs: ["get", "watch", "list", "create", "update", "delete" ,"patch"]

diff --git a/charts/kubescape-operator/templates/operator/configmap.yaml b/charts/kubescape-operator/templates/operator/configmap.yaml
@@ -17,6 +17,7 @@ data:
         "excludeNamespaces": "{{ .Values.excludeNamespaces }}",
         {{- end }}
         "namespace": "{{ .Values.ksNamespace }}",
-        "triggersecurityframework": {{ .Values.operator.triggerSecurityFramework }}
+        "triggersecurityframework": {{ .Values.operator.triggerSecurityFramework }},
+        "httpExporterConfig": {{- .Values.nodeAgent.config.httpExporterConfig | toJson }}
     }
 {{- end }}
diff --git a/charts/kubescape-operator/templates/operator/deployment.yaml b/charts/kubescape-operator/templates/operator/deployment.yaml
@@ -2,6 +2,7 @@
 {{- $components := fromYaml (include "components" .) }}
 {{- if $components.operator.enabled }}
 {{- $no_proxy_envar_list := (include "no_proxy_envar_list" .) -}}
+{{- $svcName := (printf "kubescape-admission-webhook.%s.svc" .Values.ksNamespace) -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -71,6 +72,11 @@ spec:
             - name: "readiness-port"
               containerPort: 8000
               protocol: TCP
+            {{- if eq .Values.capabilities.admissionController "enable" }}
+            - name: "admission-port"
+              containerPort: 8443
+              protocol: TCP
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /v1/liveness
@@ -145,6 +151,11 @@ spec:
               mountPath: /etc/ssl/certs/ca-certificates.crt
               subPath: ca-certificates.crt
             {{- end }}
+            {{- if eq .Values.capabilities.admissionController "enable" }}
+            - name: tls-certs
+              mountPath: /etc/certs
+              readOnly: true
+            {{- end }}
 {{- if .Values.volumeMounts }}
 {{ toYaml .Values.volumeMounts | indent 12 }}
 {{- end }}
@@ -170,6 +181,11 @@ spec:
           secret:
             secretName: {{ $components.customCaCertificates.name }}
         {{- end }}
+        {{- if eq .Values.capabilities.admissionController "enable" }}
+        - name: tls-certs
+          secret:
+            secretName: {{ $svcName }}-kubescape-tls-pair
+        {{- end }}
         - name: tmp-dir
           emptyDir: {}
         - name: {{ .Values.global.cloudConfig }}