diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 065862f49..57e634ca1 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 0.9.3
+version: 0.9.4
 appVersion: "1.0.0"
diff --git a/charts/shield/templates/host/_configmap_helpers.tpl b/charts/shield/templates/host/_configmap_helpers.tpl
index feab9188d..ead4fd05a 100644
--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -1,35 +1,57 @@ {{/* Helper utitlies for generating the Host Shield's various ConfigMaps */}} {{- define "host.configmap.posture" }} -{{- dict "posture" (pick . "host_posture") | toYaml }} +{{- with .posture }} + {{- dict "posture" (pick . "host_posture") | toYaml }} +{{- end }} {{- end }} {{- define "host.configmap.vm" }} -{{- dict "vulnerability_management" (pick . "host_vulnerability_management" "in_use") | toYaml }} +{{- with .vulnerability_management }} + {{- dict "vulnerability_management" (pick . "host_vulnerability_management" "in_use") | toYaml }} +{{- end }} {{- end }} -{{- define "host.configmap.responding" }} -{{- dict "respond" (pick . "rapid_response") | toYaml }} +{{- define "host.configmap.respond" }} +{{- with .respond }} + {{- $config := dict "respond" (pick . "rapid_response") }} + {{- $_ := unset $config.respond.rapid_response "password"}} + {{- $config | toYaml }} +{{- end }} {{- end }} {{- define "host.configmap.detections" }} -{{- dict "detections" (pick . "ml_policies") | toYaml }} +{{- with .detections }} + {{- dict "detections" (pick . "ml_policies") | toYaml }} +{{- end }} {{- end }} -{{/* Generate the 'host_shield_config.yaml' content */}} -{{- define "host.host_shield_config" }} -{{- $config := dict }} -{{- with .Values.features.posture }} -{{- $config = merge $config ((include "host.configmap.posture" .) | fromYaml) }} +{{- define "host.configmap.monitor" }} +{{- with .monitor }} + {{- $config := (pick . "app_checks" "java_management_extensions" "statsd") }} + {{- $config = merge $config (dict "prometheus" (pick .prometheus "enabled")) }} + {{- dict "monitor" $config | toYaml }} +{{- end }} {{- end }} -{{- with .Values.features.vulnerability_management }} -{{- $config = merge $config ((include "host.configmap.vm" .) | fromYaml) }} + +{{- define "host.configmap.investigations" }} +{{- with .investigations }} + {{- $config := (pick . 
"activity_audit" "live_logs" "network_security") }} + {{- $config = merge $config (dict "event_forwarder" (pick .event_forwarder "enabled")) }} + {{- dict "investigations" $config | toYaml }} {{- end }} -{{- with .Values.features.respond }} -{{- $config = merge $config ((include "host.configmap.responding" .) | fromYaml) }} {{- end }} -{{- with .Values.features.detections }} -{{- $config = merge $config ((include "host.configmap.detections" .) | fromYaml)}} + +{{/* Generate the 'host-shield.yaml' content */}} +{{- define "host.host_shield_yaml" }} +{{- $config := dict }} +{{- with .Values.features }} + {{- $config = merge $config ((include "host.configmap.posture" .) | fromYaml) }} + {{- $config = merge $config ((include "host.configmap.vm" .) | fromYaml) }} + {{- $config = merge $config ((include "host.configmap.respond" .) | fromYaml) }} + {{- $config = merge $config ((include "host.configmap.detections" .) | fromYaml) }} + {{- $config = merge $config ((include "host.configmap.monitor" .) | fromYaml) }} + {{- $config = merge $config ((include "host.configmap.investigations" .) | fromYaml) }} {{- end }} {{- dict "features" $config | toYaml }} {{- end }} 
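Review bot: In `host.configmap.respond`, `unset $config.respond.rapid_response "password"` deletes the key from the very map that `.Values.features.respond.rapid_response` points to, because Sprig's `pick` copies only the top-level entries and `unset` deletes in place; once the ConfigMap has been rendered, `password` appears to be gone from `.Values` for every template rendered later in the same Helm run. If the Secret template reads `.Values.features.respond.rapid_response.password` (not visible in this chunk), whether it still sees the value then depends on Helm's template ordering rather than on the chart. Build the sanitized copy without mutating: replace the `pick`/`unset` pair with `{{- $config := dict "respond" (dict "rapid_response" (omit .rapid_response "password")) }}`. A short comment on the define would also make the intent survive the next refactor, e.g. `{{/* rapid_response.password is delivered through the Secret; it must never land in this ConfigMap */}}`.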
@@ -42,10 +64,10 @@ true {{- end }} {{- define "host.features.monitor_enabled" }} -{{- if or (dig (include "host.monitor_key" .) "app_checks" "enabled" false .Values.features) - (dig (include "host.monitor_key" .) "java_management_extensions" "enabled" false .Values.features) - (dig (include "host.monitor_key" .) "prometheus" "enabled" false .Values.features) - (dig (include "host.monitor_key" .) "statsd" "enabled" false .Values.features) +{{- if or .Values.features.monitor.app_checks.enabled + .Values.features.monitor.java_management_extensions.enabled + .Values.features.monitor.prometheus.enabled + .Values.features.monitor.statsd.enabled (dig "app_checks_enabled" false .Values.host.additional_settings) (dig "jmx" "enabled" false .Values.host.additional_settings) (dig "prometheus" "enabled" false .Values.host.additional_settings) @@ -56,12 +78,12 @@ true {{/* Calculate the agent mode based on enabled features */}} {{- define "host.configmap.agent_mode" }} -{{- $mode := "secure_light" }} + {{- $mode := "secure_light" }} {{- if (include "host.features.netsec_enabled" .) }} -{{- $mode = "secure" }} + {{- $mode = "secure" }} {{- end }} {{- if (include "host.features.monitor_enabled" .) }} -{{- $mode = "monitor" }} + {{- $mode = "monitor" }} {{- end }} {{- dict "feature" (dict "mode" $mode) | toYaml -}} {{- end }} 
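Review bot: `host.features.monitor_enabled` now dereferences `.Values.features.monitor.<feature>.enabled` directly, so a values file that omits or nulls `features.monitor` (including one still using the `monitoring` spelling that the deleted `host.monitor_key` helper accepted) aborts rendering with a nil-pointer error instead of evaluating to false, while the `additional_settings` lookups in the same `or` keep the tolerant `dig ... false` form. Either treat the hard failure as intentional and record the `monitoring`/`responding` key removal as a breaking change in the chart docs, or keep the expression uniform with `(dig "monitor" "app_checks" "enabled" false .Values.features)` and the same for the other three. The `or` expression continues past the end of this hunk.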
@@ -70,33 +92,16 @@ true {{/* TODO: Kubernetes metadata */}} {{- with .Values.features }} {{- $config := dict - "app_checks_enabled" ((dig (include "host.monitor_key" .) "app_checks" "enabled" false .)) "audit_tap" (dict "enabled" .investigations.audit_tap.enabled) - "drift_control" - (dict "enabled" .detections.drift_control.enabled) - "jmx" - (dict "enabled" (dig (include "host.monitor_key" .) "java_management_extensions" "enabled" false .)) - "live_logs" - (dict "enabled" .investigations.live_logs.enabled) - "local_forwarder" - (dict "enabled" .investigations.event_forwarder.enabled) "malware_control" (dict "enabled" .detections.malware_control.enabled) - "network_topology" - (dict "enabled" .investigations.network_security.enabled) - "prometheus" - (dict "enabled" (dig (include "host.monitor_key" .) "prometheus" "enabled" false .)) - "secure_audit_streams" - (dict "enabled" .investigations.activity_audit.enabled) - "statsd" - (dict "enabled" (dig (include "host.monitor_key" .) "statsd" "enabled" false .)) "sysdig_capture_enabled" .investigations.captures.enabled }} {{- $config | toYaml }} {{- end }} {{- end }} -{{- define "host.configmap" }} +{{- define "host.dragent_yaml" }} {{- $config := dict "k8s_cluster_name" .Values.cluster_config.name "collector" (include "common.collector_endpoint" .) 
@@ -107,26 +112,16 @@ true {{- $_ := set $config "k8s_delegated_nodes" (get $config "k8s_delegated_nodes") }} {{- end }} {{- if .Values.sysdig_endpoint.collector.port }} -{{- $config = merge $config (dict "collector_port" .Values.sysdig_endpoint.collector.port) }} + {{- $config = merge $config (dict "collector_port" .Values.sysdig_endpoint.collector.port) }} {{- end }} -{{- $config = merge $config (dict "sysdig_api_endpoint" (include "common.secure_api_endpoint" .)) }} + {{- $config = merge $config (dict "sysdig_api_endpoint" (include "common.secure_api_endpoint" .)) }} {{- if (include "common.proxy.enabled" . ) }} -{{- $config := merge $config (dict "http_proxy" (include "host.proxy_config" . | fromYaml)) }} -{{- end }} -{{- if (include "host.rapid_response_enabled" .) }} -{{- $config = merge $config (dict "rapid_response" (dict "enabled" true)) }} + {{- $config := merge $config (dict "http_proxy" (include "host.proxy_config" . | fromYaml)) }} {{- end }} {{- $config = merge $config (include "host.parse_features" . | fromYaml) }} -{{/* Host Scanner requires setting the host fs mount path variable, but that - parameter has not been mapped into the new schema yet. As a result, - it still needs to be set in the dragent.yaml file. */}} -{{- if .Values.features.vulnerability_management.host_vulnerability_management.enabled }} -{{/* Currently this pins the path to /host, but that is only because the final location of the - parameters has not been determined. 
*/}} - {{- if and .Values.features.vulnerability_management.host_vulnerability_management.enabled - (not (dig "host_scanner" "host_fs_mount_path" nil .Values.host.additional_settings)) }} - {{- $config = merge $config (dict "host_scanner" (dict "host_fs_mount_path" "/host")) }} - {{- end }} +{{- if and .Values.features.vulnerability_management.host_vulnerability_management.enabled + (not (dig "host_scanner" "host_fs_mount_path" nil .Values.host.additional_settings)) }} +{{- $config = merge $config (dict "host_scanner" (dict "host_fs_mount_path" "/host")) }} {{- end }} {{- if or .Values.features.posture.host_posture.enabled (dig "kspm_analyzer" "enabled" false .Values.host.additional_settings) }} {{- $config = merge $config (dict "kspm_analyzer" (dict "agent_app_name" (include "shield.name" .))) }} @@ -139,13 +134,13 @@ true {{- $_ := set $config "tags" (join "," $tagList) -}} {{- end -}} {{- if .Values.features.investigations.event_forwarder.enabled }} -{{- with .Values.features.investigations.event_forwarder }} -{{- $config = merge $config (dict "local_forwarder" (dict "enabled" .enabled "transmit_message_types" .transmit_message_types)) }} -{{- end }} + {{- with .Values.features.investigations.event_forwarder }} + {{- $config = merge $config (dict "local_forwarder" (dict "enabled" .enabled "transmit_message_types" .transmit_message_types)) }} + {{- end }} {{- end }} {{- $config = merge $config (include "host.configmap.agent_mode" . | fromYaml) }} {{- if .Values.host.additional_settings }} -{{- $config = mergeOverwrite $config (include "host.config_override" . | fromYaml) }} + {{- $config = mergeOverwrite $config (include "host.config_override" . | fromYaml) }} {{- end }} {{- $config | toYaml }} {{- end }} diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl index d2ecbe09d..45d6a026e 100644 --- a/charts/shield/templates/host/_helpers.tpl +++ b/charts/shield/templates/host/_helpers.tpl 
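Review bot: The re-indented `{{- $config := merge $config (dict "http_proxy" ...) }}` inside the proxy `if` declares a new block-scoped `$config` instead of assigning the outer one; the proxy settings still reach the outer map only because Sprig's `merge` mutates its first argument in place, which is an accident rather than a contract. Change it to `{{- $config = merge $config (dict "http_proxy" (include "host.proxy_config" . | fromYaml)) }}` to match every other assignment in `host.dragent_yaml`. The hunk also drops the comment that explained `host_fs_mount_path: /host` is a temporary pin until the parameter is mapped into the new schema; keep a one-line version above the `if`, e.g. `{{/* host_scanner.host_fs_mount_path has no schema key yet; pinned to /host unless overridden via host.additional_settings */}}`. The define starts before this hunk.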
@@ -173,51 +173,3 @@ capabilities:
 {{- include "host.capabilities" . | nindent 4 }}
 {{- end }}
 {{- end -}}
-
-{{- define "host.respond_key" }}
-{{- if hasKey . "responding" }}
-{{- print "responding" }}
-{{- else }}
-{{- print "respond" }}
-{{- end }}
-{{- end }}
-
-{{- define "host.rapid_response_enabled" }}
-{{- with .Values.features }}
-{{- if (dig (include "host.respond_key" .) "rapid_response" "enabled" false .) }}
-true
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "host.monitor_key" }}
-{{- if hasKey . "monitoring" }}
-{{- print "monitoring" }}
-{{- else }}
-{{- print "monitor" }}
-{{- end }}
-{{- end }}
-
-{{- define "host.app_checks_enabled" }}
-{{- if dig (include "host.monitor_key" .) "app_checks" "enabled" false . }}
-true
-{{- end }}
-{{- end }}
-
-{{- define "host.jmx_enabled" }}
-{{- if dig (include "host.monitor_key" .) "java_mangement_extensions" "enabled" false . }}
-true
-{{- end }}
-{{- end }}
-
-{{- define "host.prometheus_enabled" }}
-{{- if dig (include "host.monitor_key" .) "prometheus" "enabled" false . }}
-true
-{{- end }}
-{{- end }}
-
-{{- define "host.statsd_enabled" }}
-{{- if dig (include "host.monitor_key" .) "statsd" "enabled" false . }}
-true
-{{- end }}
-{{- end }}
diff --git a/charts/shield/templates/host/configmap.yaml b/charts/shield/templates/host/configmap.yaml
index a7bf36449..c6ad1c800 100644
--- a/charts/shield/templates/host/configmap.yaml
+++ b/charts/shield/templates/host/configmap.yaml
@@ -7,17 +7,17 @@ metadata:
 {{- include "host.labels" . | nindent 4 }}
 data:
 host-shield.yaml: |
- {{- include "host.host_shield_config" . | nindent 4 }}
+ {{- include "host.host_shield_yaml" . | nindent 4 }}
 dragent.yaml: |
- {{- include "host.configmap" . | nindent 4 }}
+ {{- include "host.dragent_yaml" . | nindent 4 }}
 {{- if .Values.features.investigations.event_forwarder.enabled }}
 local_forwarder_config.yaml: |
 integrations:
 {{- toYaml .Values.features.investigations.event_forwarder.integrations | nindent 6 }}
 {{- end }}
- {{- if (include "host.prometheus_enabled" .Values.features) }}
+ {{- if .Values.features.monitor.prometheus.enabled}}
 prometheus.yaml: |
 {{- with .Values.features }}
- {{- toYaml (dig (include "host.monitor_key" .) "prometheus" "prometheus_yaml" list .) | nindent 4 }}
+ {{- toYaml .monitor.prometheus.prometheus_yaml | nindent 4 }}
 {{- end }}
 {{- end }}
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index ff3f6a8b6..8658db5ff 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -134,7 +134,7 @@ spec:
 {{- include "common.proxy.envs" . | nindent 12 }}
 {{- end }}
 {{- include "common.custom_ca.envs" (merge (dict) . (dict "CACertsPath" "/opt/draios/certificates/")) | nindent 12 }}
- {{- if (include "host.rapid_response_enabled" .) }}
+ {{- if .Values.features.respond.rapid_response.enabled }}
 - name: PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/charts/shield/templates/host/secrets.yaml b/charts/shield/templates/host/secrets.yaml
index 5387363d8..96d7c2f86 100644
--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -1,4 +1,4 @@
-{{- if (include "host.rapid_response_enabled" .) }}
+{{- if .Values.features.respond.rapid_response.enabled }}
 ---
 apiVersion: v1
 kind: Secret
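Review bot: With `host.rapid_response_enabled` deleted, the condition `.Values.features.respond.rapid_response.enabled` is now spelled out independently in the DaemonSet `PASSWORD` env block, in `secrets.yaml` and in the ConfigMap helper; if any one of them drifts, the DaemonSet can reference a `secretKeyRef` whose Secret was never rendered and the pod fails at container creation instead of at `helm install`. Users who still set the old `responding` key, which the removed helper tolerated, now silently get rapid response disabled everywhere rather than an error. Keep a single gate, e.g. `{{- define "host.rapid_response_enabled" }}{{- if .Values.features.respond.rapid_response.enabled }}true{{- end }}{{- end }}`, and call it from all three templates; the env list continues past the end of this hunk.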
diff --git a/charts/shield/tests/host/configmap-dragent-yaml_test.yaml b/charts/shield/tests/host/configmap-dragent-yaml_test.yaml index febb8ecc6..f278f42dd 100644 --- a/charts/shield/tests/host/configmap-dragent-yaml_test.yaml +++ b/charts/shield/tests/host/configmap-dragent-yaml_test.yaml @@ -631,77 +631,21 @@ tests: - it: All features disabled by default asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - app_checks_enabled: false - matchRegex: path: data['dragent.yaml'] pattern: | audit_tap: enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - drift_control: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - jmx: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - live_logs: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - local_forwarder: - enabled: false - matchRegex: path: data['dragent.yaml'] pattern: | malware_control: enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - network_topology: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - prometheus: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - secure_audit_streams: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: | - statsd: - enabled: false - matchRegex: path: data['dragent.yaml'] pattern: | sysdig_capture_enabled: false - - it: Enable App Checks - set: - features: - monitor: - app_checks: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - app_checks_enabled: true - - it: Enable Audit Tap set: features: 
@@ -715,58 +659,6 @@ tests: audit_tap: enabled: true - - it: Enable Drift Control - set: - features: - detections: - drift_control: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - drift_control: - enabled: true - - - it: Enable JMX - set: - features: - monitor: - java_management_extensions: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - jmx: - enabled: true - - - it: Enable Live Logs - set: - features: - investigations: - live_logs: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - live_logs: - enabled: true - - - it: Enable Local Forwarder - set: - features: - investigations: - event_forwarder: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - local_forwarder: - enabled: true - - it: Enable Malware Control set: features: @@ -780,58 +672,6 @@ tests: malware_control: enabled: true - - it: Enable Network Security - set: - features: - investigations: - network_security: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - network_topology: - enabled: true - - - it: Enable Prometheus - set: - features: - monitor: - prometheus: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - prometheus: - enabled: true - - - it: Enable Secure Audit Streams - set: - features: - investigations: - activity_audit: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - secure_audit_streams: - enabled: true - - - it: Enable StatsD - set: - features: - monitor: - statsd: - enabled: true - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: | - statsd: - enabled: true - - it: Enable Captures set: features: diff --git a/charts/shield/tests/host/configmap-host-shield-config_test.yaml b/charts/shield/tests/host/configmap-host-shield-config_test.yaml index 8cf3d1c6c..0f27ecdc6 100644 
--- a/charts/shield/tests/host/configmap-host-shield-config_test.yaml +++ b/charts/shield/tests/host/configmap-host-shield-config_test.yaml @@ -19,70 +19,45 @@ tests: - matchRegex: path: data['host-shield.yaml'] pattern: | - features: + .* detections: ml_policies: enabled: false - posture: - host_posture: - enabled: false - respond: - rapid_response: - enabled: false - vulnerability_management: - host_vulnerability_management: - enabled: false - in_use: - enabled: false - integration_enabled: false - - - it: Ensure Posture is enabled when requested - set: - features: - posture: - host_posture: - enabled: true - asserts: + .* - matchRegex: path: data['host-shield.yaml'] pattern: | - features: - detections: - ml_policies: + .* + monitor: + app_checks: enabled: false - posture: - host_posture: - enabled: true - respond: - rapid_response: + java_management_extensions: enabled: false - vulnerability_management: - host_vulnerability_management: + prometheus: enabled: false - in_use: + statsd: enabled: false - integration_enabled: false - - - it: Posture configs are not present when not enabled - set: - features: - posture: - host_posture: - enabled: false - asserts: + .* - matchRegex: path: data['host-shield.yaml'] pattern: | - features: - detections: - ml_policies: - enabled: false + .* posture: host_posture: enabled: false + .* + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* respond: rapid_response: enabled: false + .* + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* vulnerability_management: host_vulnerability_management: enabled: false 
@@ -90,78 +65,36 @@ tests: enabled: false integration_enabled: false - - it: Ensure Host Vulnerability Management is enabled when requested + - it: Ensure Posture is enabled when requested set: features: - vulnerability_management: - host_vulnerability_management: + posture: + host_posture: enabled: true asserts: - matchRegex: path: data['host-shield.yaml'] pattern: | - features: - detections: - ml_policies: - enabled: false + .* posture: host_posture: - enabled: false - respond: - rapid_response: - enabled: false - vulnerability_management: - host_vulnerability_management: enabled: true - in_use: - enabled: false - integration_enabled: false + .* - - it: Host Vulnerability Management configs are not present when not enabled + - it: Ensure Host Vulnerability Management is enabled when requested set: features: vulnerability_management: host_vulnerability_management: - enabled: false - asserts: - - matchRegex: - path: data['host-shield.yaml'] - pattern: | - features: - detections: - ml_policies: - enabled: false - posture: - host_posture: - enabled: false - respond: - rapid_response: - enabled: false - vulnerability_management: - host_vulnerability_management: - enabled: false - in_use: - enabled: false - integration_enabled: false - - - it: Host Vulnerability Management is disabled by default + enabled: true asserts: - matchRegex: path: data['host-shield.yaml'] pattern: | - features: - detections: - ml_policies: - enabled: false - posture: - host_posture: - enabled: false - respond: - rapid_response: - enabled: false + .* vulnerability_management: host_vulnerability_management: - enabled: false + enabled: true in_use: enabled: false integration_enabled: false 
@@ -179,19 +112,21 @@ tests: - matchRegex: path: data['host-shield.yaml'] pattern: |- - features: - detections: - ml_policies: - enabled: false + .* posture: host_posture: enabled: true - respond: - rapid_response: - enabled: false + .* + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* vulnerability_management: host_vulnerability_management: enabled: true + in_use: + enabled: false + .* - it: Enable Posture, Vulnerability Management, and set in_use to true set: @@ -208,22 +143,21 @@ tests: - matchRegex: path: data['host-shield.yaml'] pattern: |- - features: - detections: - ml_policies: - enabled: false + .* posture: host_posture: enabled: true - respond: - rapid_response: - enabled: false + .* + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* vulnerability_management: host_vulnerability_management: enabled: true in_use: enabled: true - integration_enabled: false + .* - it: Enable Rapid Response set: @@ -235,22 +169,11 @@ tests: - matchRegex: path: data['host-shield.yaml'] pattern: |- - features: - detections: - ml_policies: - enabled: false - posture: - host_posture: - enabled: false + .* respond: rapid_response: enabled: true - vulnerability_management: - host_vulnerability_management: - enabled: false - in_use: - enabled: false - integration_enabled: false + .* - it: Enable ML Policies set: 
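Review bot: The "Enable Rapid Response" test in the third hunk only checks that `rapid_response: enabled: true` shows up in `host-shield.yaml`; nothing asserts that the `password` the helper now strips with `unset` is actually absent from the ConfigMap, so a regression that reintroduces it (or that strips it from the wrong map) would pass the suite. Add a negative test that sets a recognisable password and asserts it does not appear in `data['host-shield.yaml']`; if the password is also expected to reach the Secret, a matching positive assertion in the secrets test file would pin both halves of the contract. The key name `password` under `rapid_response` is inferred from the helper's `unset` call, so adjust it if values.yaml spells it differently.
```yaml
  - it: Rapid Response password is never rendered into the ConfigMap
    set:
      features:
        respond:
          rapid_response:
            enabled: true
            password: review-bot-canary
    asserts:
      - notMatchRegex:
          path: data['host-shield.yaml']
          pattern: review-bot-canary
      - notMatchRegex:
          path: data['host-shield.yaml']
          pattern: "password:"
```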
@@ -262,19 +185,128 @@ tests: - matchRegex: path: data['host-shield.yaml'] pattern: |- - features: + .* detections: ml_policies: enabled: true - posture: - host_posture: - enabled: false - respond: - rapid_response: - enabled: false - vulnerability_management: - host_vulnerability_management: - enabled: false - in_use: - enabled: false - integration_enabled: false + .* + + - it: Enable App Checks + set: + features: + monitor: + app_checks: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* + app_checks: + enabled: true + .* + + - it: Enable JMX + set: + features: + monitor: + java_management_extensions: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* + java_management_extensions: + enabled: true + .* + + - it: Enable Prometheus + set: + features: + monitor: + prometheus: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* + prometheus: + enabled: true + .* + + - it: Enable StatsD + set: + features: + monitor: + statsd: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* + statsd: + enabled: true + .* + + - it: Enable Activity Audit + set: + features: + investigations: + activity_audit: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* + activity_audit: + enabled: true + .* + + - it: Enable Event Forwarder + set: + features: + investigations: + event_forwarder: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* + event_forwarder: + enabled: true + .* + + - it: Enable Live Logs + set: + features: + investigations: + live_logs: + enabled: true + asserts: + - matchRegex: + path: data['host-shield.yaml'] + pattern: | + .* + live_logs: + enabled: true + .* + + - it: Enable Network Security + set: + features: + investigations: + network_security: + enabled: true + asserts: + - matchRegex: + path: 
data['host-shield.yaml'] + pattern: | + .* + network_security: + enabled: true + .*