diff --git a/charts/falcosidekick/CHANGELOG.md b/charts/falcosidekick/CHANGELOG.md
index fc78f9af0..146de6a00 100644
--- a/charts/falcosidekick/CHANGELOG.md
+++ b/charts/falcosidekick/CHANGELOG.md
@@ -5,6 +5,10 @@ numbering uses [semantic versioning](http://semver.org).
 Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick).
+## 0.9.9
+
+- Added Azure Workload Identity for Falcosidekick
+
 ## 0.9.8
 - Ugrade to Falcosidekick 2.31.1 (fix last release)
diff --git a/charts/falcosidekick/Chart.yaml b/charts/falcosidekick/Chart.yaml
index b4e2e859f..695d3546f 100644
--- a/charts/falcosidekick/Chart.yaml
+++ b/charts/falcosidekick/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: 2.31.1
 description: Connect Falco to your ecosystem
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.9.8
+version: 0.9.9
 keywords:
 - monitoring
 - security
diff --git a/charts/falcosidekick/README.md b/charts/falcosidekick/README.md
index ae0640e67..74bdcdbbe 100644
--- a/charts/falcosidekick/README.md
+++ b/charts/falcosidekick/README.md
@@ -220,6 +220,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.azure.eventHub.namespace | string | `""` | Name of the space the Hub is in |
 | config.azure.podIdentityClientID | string | `""` | Azure Identity Client ID |
 | config.azure.podIdentityName | string | `""` | Azure Identity name |
+| config.azure.workloadIdentityClientID | string | `""` | Azure Workload Identity Client ID |
 | config.azure.resourceGroupName | string | `""` | Azure Resource Group name |
 | config.azure.subscriptionID | string | `""` | Azure Subscription ID |
 | config.bracketreplacer | string | `""` | if not empty, the brackets in keys of Output Fields are replaced |
diff --git a/charts/falcosidekick/templates/deployment.yaml b/charts/falcosidekick/templates/deployment.yaml
index 7d8791a7d..dd848fef6 100644
--- a/charts/falcosidekick/templates/deployment.yaml
+++ b/charts/falcosidekick/templates/deployment.yaml
@@ -31,6 +31,9 @@ spec:
 {{- if and .Values.config.azure.podIdentityClientID .Values.config.azure.podIdentityName }}
 aadpodidbinding: {{ include "falcosidekick.fullname" . }}
 {{- end }}
+ {{- if .Values.config.azure.workloadIdentityClientID }}
+ azure.workload.identity/use: "true"
+ {{- end }}
 {{- if .Values.podLabels }}
 {{ toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
diff --git a/charts/falcosidekick/templates/rbac.yaml b/charts/falcosidekick/templates/rbac.yaml
index 96d84d5fb..1a838bda6 100644
--- a/charts/falcosidekick/templates/rbac.yaml
+++ b/charts/falcosidekick/templates/rbac.yaml
@@ -4,6 +4,19 @@ kind: ServiceAccount
 metadata:
 name: {{ include "falcosidekick.fullname" . }}
 namespace: {{ .Release.Namespace }}
+ {{- if or .Values.config.azure.workloadIdentityClientID (and .Values.config.aws.useirsa .Values.config.aws.rolearn) }}
+ annotations:
+ {{- if .Values.config.azure.workloadIdentityClientID }}
+ azure.workload.identity/client-id: {{ .Values.config.azure.workloadIdentityClientID | quote }}
+ {{- end }}
+ {{- if and .Values.config.aws.useirsa .Values.config.aws.rolearn }}
+ {{- with .Values.customAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ eks.amazonaws.com/role-arn: {{ .Values.config.aws.rolearn | quote }}
+ {{- end }}
+ {{- end }}
+
 {{- if and .Values.config.aws.useirsa .Values.config.aws.rolearn }}
 labels:
 {{- include "falcosidekick.labels" . | nindent 4 }}
@@ -11,11 +24,6 @@ metadata:
 {{- with .Values.customLabels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- annotations:
- {{- with .Values.customAnnotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- eks.amazonaws.com/role-arn: {{ .Values.config.aws.rolearn }}
 {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
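Review bot: The new `azure.workload.identity/use` label is gated on `workloadIdentityClientID` alone, so a values file that also sets `podIdentityClientID` and `podIdentityName` renders a pod carrying both this label and the `aadpodidbinding` label from the context lines above, and two Azure identity mechanisms then act on the same pod. Reject that combination at render time, e.g. `{{- if and .Values.config.azure.workloadIdentityClientID .Values.config.azure.podIdentityClientID }}{{ fail "config.azure.workloadIdentityClientID and config.azure.podIdentityClientID are mutually exclusive" }}{{- end }}`, or at least state the exclusivity in the `# --` comment on the new value. The label only takes effect when the pod runs under a ServiceAccount that carries the matching client-id annotation (added in rbac.yaml by this change); whether the chart allows a user-supplied service account that would lack it is not visible in the hunk. The enclosing pod-template labels block starts and ends outside the hunk.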
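Review bot: `.Values.customAnnotations` is rendered only inside the IRSA branch of the new `annotations:` block in rbac.yaml, so a release that enables Azure Workload Identity without IRSA silently drops every custom annotation from the ServiceAccount even though `annotations:` is emitted. Move the three `{{- with .Values.customAnnotations }}` … `{{- end }}` lines directly under `annotations:` so they apply regardless of which identity provider is configured (rewrite below). The `labels:` block is still wrapped in the IRSA `{{- if and … }}` that survives as context, so a workload-identity-only ServiceAccount renders with no chart labels; that is pre-existing, but this change is the natural place to lift the labels out of that condition too. Because the client-id annotation lets every pod that runs under this ServiceAccount obtain tokens for the Azure identity, the identity should be granted only the permissions Falcosidekick's Azure output needs (presumably Event Hub send, given the neighbouring `eventHub` values — confirm), and namespace RBAC for creating pods should be reviewed with that in mind.
```yaml
# … unchanged: name / namespace …
  {{- if or .Values.config.azure.workloadIdentityClientID (and .Values.config.aws.useirsa .Values.config.aws.rolearn) }}
  annotations:
    {{- with .Values.customAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- if .Values.config.azure.workloadIdentityClientID }}
    azure.workload.identity/client-id: {{ .Values.config.azure.workloadIdentityClientID | quote }}
    {{- end }}
    {{- if and .Values.config.aws.useirsa .Values.config.aws.rolearn }}
    eks.amazonaws.com/role-arn: {{ .Values.config.aws.rolearn | quote }}
    {{- end }}
  {{- end }}
# … unchanged: labels block …
```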
diff --git a/charts/falcosidekick/values.yaml b/charts/falcosidekick/values.yaml
index 8043f62c6..83afe879e 100644
--- a/charts/falcosidekick/values.yaml
+++ b/charts/falcosidekick/values.yaml
@@ -578,6 +578,8 @@ config:
 podIdentityClientID: ""
 # -- Azure Identity name
 podIdentityName: ""
+ # -- Azure Workload Identity Client ID
+ workloadIdentityClientID: ""
 eventHub:
 # -- Name of the space the Hub is in
 namespace: ""