diff --git a/charts/kubescape-operator/templates/_helpers.tpl b/charts/kubescape-operator/templates/_helpers.tpl
index 112f1096..cef63efc 100644
--- a/charts/kubescape-operator/templates/_helpers.tpl
+++ b/charts/kubescape-operator/templates/_helpers.tpl
@@ -66,3 +66,15 @@ app.kubernetes.io/name: {{ include "kubescape-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/component: {{ .app }}
 {{- end }}
+
+{{/*
+Resolve priorityClassName for a component with customScheduling fallback.
+Usage: {{ include "kubescape-operator.priorityClassName" (dict "component" .Values. "global" .Values.customScheduling) }}
+*/}}
+{{- define "kubescape-operator.priorityClassName" -}}
+{{- if .component.priorityClassName }}
+priorityClassName: {{ .component.priorityClassName }}
+{{- else if .global.priorityClassName }}
+priorityClassName: {{ .global.priorityClassName }}
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/autoupdater/cronjob.yaml b/charts/kubescape-operator/templates/autoupdater/cronjob.yaml
index b9f5f9a8..205e2d8c 100644
--- a/charts/kubescape-operator/templates/autoupdater/cronjob.yaml
+++ b/charts/kubescape-operator/templates/autoupdater/cronjob.yaml
@@ -72,4 +72,5 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 12 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.helmReleaseUpgrader "global" .Values.customScheduling) | nindent 10 }}
 {{ end }}
diff --git a/charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml b/charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml
index 421f21ba..c8e33aa5 100644
--- a/charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml
+++ b/charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml
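Review bot: Both branches of the new helper render the values-supplied name unquoted (`priorityClassName: {{ .component.priorityClassName }}`), so a name that YAML retypes (all digits, `yes`/`no`/`on`/`off`) would reach the API server as a non-string and fail admission; `priorityClassName: {{ .component.priorityClassName | quote }}` and `priorityClassName: {{ .global.priorityClassName | quote }}` keep it a string. The usage comment is also missing the component key, `"component" .Values.` should read `"component" .Values.<component>`. The helper dereferences `.component.priorityClassName` with no nil guard, so every caller in this commit (autoupdater, grype-offline-db, kubescape-scheduler, kubescape, kubevuln-scheduler, kubevuln, operator, prometheus-exporter, storage, synchronizer) must pass a values map that is always defined; if any of those maps can be absent in a user's values, an `{{- if .component }}` guard inside the helper or `(.Values.<component> | default dict)` at the call site avoids a nil-pointer render error. A class name that does not exist in the cluster makes the pod unschedulable at admission, so a one-line comment in the helper noting that the referenced PriorityClass must pre-exist would help operators reading a failed rollout.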
@@ -85,6 +85,7 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 12 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.grypeOfflineDB "global" .Values.customScheduling) | nindent 10 }}
 {{- if .Values.volumes }}
 {{ toYaml .Values.volumes | indent 10 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml b/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
index e650d918..8159c7c5 100644
--- a/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
+++ b/charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
@@ -98,6 +98,7 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 12 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.kubescapeScheduler "global" .Values.customScheduling) | nindent 10 }}
 volumes:
 - name: {{ .Values.kubescapeScheduler.name }}
 configMap:
diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
index e0b7adfa..81609f16 100644
--- a/charts/kubescape-operator/templates/kubescape/deployment.yaml
+++ b/charts/kubescape-operator/templates/kubescape/deployment.yaml
@@ -407,4 +407,5 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.kubescape "global" .Values.customScheduling) | nindent 6 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml b/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
index 2608e1f1..14ad9fe1 100644
--- a/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
+++ b/charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
@@ -98,6 +98,7 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 12 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.kubevulnScheduler "global" .Values.customScheduling) | nindent 10 }}
 volumes:
 - name: {{ .Values.kubevulnScheduler.name }}
 configMap:
diff --git a/charts/kubescape-operator/templates/kubevuln/deployment.yaml b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
index ce0d0bea..d03e6874 100644
--- a/charts/kubescape-operator/templates/kubevuln/deployment.yaml
+++ b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
@@ -270,4 +270,5 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.kubevuln "global" .Values.customScheduling) | nindent 6 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent/_node-agent.tpl b/charts/kubescape-operator/templates/node-agent/_node-agent.tpl
index 34620bab..cfee357f 100644
--- a/charts/kubescape-operator/templates/node-agent/_node-agent.tpl
+++ b/charts/kubescape-operator/templates/node-agent/_node-agent.tpl
@@ -443,8 +443,12 @@ imagePullSecrets:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- if .Values.configurations.priorityClass.enabled }}
+{{- if .Values.nodeAgent.priorityClassName }}
+priorityClassName: {{ .Values.nodeAgent.priorityClassName }}
+{{- else if .Values.configurations.priorityClass.enabled }}
 priorityClassName: kubescape-critical
+{{- else if .Values.customScheduling.priorityClassName }}
+priorityClassName: {{ .Values.customScheduling.priorityClassName }}
 {{- end }}
 serviceAccountName: {{ .Values.nodeAgent.name }}
 automountServiceAccountToken: true
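Review bot: In the node-agent chain the `.Values.configurations.priorityClass.enabled` branch is tested before `.Values.customScheduling.priorityClassName`, and the capabilities ConfigMap captured in the snapshot hunk shows that flag defaulting to `true`, so the global `customScheduling.priorityClassName` can only reach the daemonset when a user also disables the built-in `kubescape-critical` class — the opposite precedence from the shared helper, where the global value always wins over "nothing". If that asymmetry is intended (the daemonset keeps its dedicated class unless a per-component value is set), a comment above the `if` saying so, e.g. `{{/* node-agent keeps kubescape-critical unless nodeAgent.priorityClassName is set; customScheduling.priorityClassName applies only when the built-in class is disabled */}}`, would stop the next reader from filing it as a bug; otherwise move the `customScheduling` branch ahead of the `priorityClass.enabled` one. As in the helper, both templated values are emitted unquoted, so `{{ .Values.nodeAgent.priorityClassName | quote }}` and `{{ .Values.customScheduling.priorityClassName | quote }}` keep them strings. The enclosing define starts and ends outside the hunk.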
diff --git a/charts/kubescape-operator/templates/operator/deployment.yaml b/charts/kubescape-operator/templates/operator/deployment.yaml
index e66ee725..60c013ca 100644
--- a/charts/kubescape-operator/templates/operator/deployment.yaml
+++ b/charts/kubescape-operator/templates/operator/deployment.yaml
@@ -269,4 +269,5 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.operator "global" .Values.customScheduling) | nindent 6 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml b/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml
index a50000f6..71adba0c 100644
--- a/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml
+++ b/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml
@@ -126,4 +126,5 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.prometheusExporter "global" .Values.customScheduling) | nindent 6 }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
index 48d65a35..5c10cfcb 100644
--- a/charts/kubescape-operator/templates/storage/deployment.yaml
+++ b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -124,6 +124,7 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.storage "global" .Values.customScheduling) | nindent 6 }}
 volumes:
 - name: "data"
 {{- if eq .Values.configurations.persistence "enable" }}
diff --git a/charts/kubescape-operator/templates/synchronizer/deployment.yaml b/charts/kubescape-operator/templates/synchronizer/deployment.yaml
index 7028598e..dd0724ae 100644
--- a/charts/kubescape-operator/templates/synchronizer/deployment.yaml
+++ b/charts/kubescape-operator/templates/synchronizer/deployment.yaml
@@ -250,4 +250,5 @@ spec:
 {{- else if .Values.customScheduling.tolerations }}
 {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
 {{- end }}
+ {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.synchronizer "global" .Values.customScheduling) | nindent 6 }}
 {{- end }}
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index 243dbd0e..dee6d063 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -30018,6 +30018,4149 @@ multiple node agents: tier: ks-control-plane name: synchronizer namespace: kubescape +priority class scheduling: + 1: |+ + raw: |+ + Thank you for installing kubescape-operator version 1.30.5. + View your cluster's configuration scanning schedule: + > kubectl -n kubescape get cj kubescape-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}' + + To change the schedule, set `.spec.schedule`: + > kubectl -n kubescape edit cj kubescape-scheduler + View your cluster's image scanning schedule: + > kubectl -n kubescape get cj kubevuln-scheduler -o=jsonpath='{.metadata.name}{"\t"}{.spec.schedule}{"\n"}' + + To change the schedule, edit `.spec.schedule`: + > kubectl -n kubescape edit cj kubevuln-scheduler + + View your image vulnerabilities scan summaries: + > kubectl get vulnerabilitymanifestsummaries -A + + Detailed reports are also available: + > kubectl get vulnerabilitymanifests -A + + kubescape-operator generates suggested network policies. To view them: + > kubectl get generatednetworkpolicies -n + + 2: | + apiVersion: v1 + data: + accessKey: ZjMwNGQ3M2ItZDQzYy00MTJiLTgyZWEtZTRjODU5NDkzY2U2 + account: OWU2YzBjMmMtNmJkMC00OTE5LTgxNWItNTUwMzBkZTdjOWEw + kind: Secret + metadata: + annotations: null + labels: + app: cloud-secret + app.kubernetes.io/component: cloud-secret + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/infra: credentials + tier: ks-control-plane + name: cloud-secret + namespace: kubescape + type: Opaque + 3: | + apiVersion: v1 + data: + clusterData: | + { + "serviceDiscovery": true, + "vulnScanURL": "kubevuln:8080", + "kubevulnURL": "kubevuln:8080", + "kubescapeURL": "kubescape:8080", + "clusterName": "kind-kind", + "storage": true, + "relevantImageVulnerabilitiesEnabled": 
true, + "namespace": "kubescape", + "imageVulnerabilitiesScanningEnabled": true, + "postureScanEnabled": true, + "otelCollector": false, + "nodeAgent": "true", + "maxImageSize": 5.36870912e+09, + "maxSBOMSize": 2.097152e+07, + "keepLocal": false, + "scanTimeout": "5m", + "scanEmbeddedSBOMs": false, + "vexGeneration": false, + "useDefaultMatchers": false, + "storeFilteredSbom": false, + "continuousPostureScan": false, + "relevantImageVulnerabilitiesConfiguration": "enable" + } + kind: ConfigMap + metadata: + annotations: null + labels: + app: ks-cloud-config + app.kubernetes.io/component: ks-cloud-config + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/infra: config + kubescape.io/tier: core + tier: ks-control-plane + name: ks-cloud-config + namespace: kubescape + 4: | + apiVersion: v1 + data: + capabilities: | + { + "capabilities":{"admissionController":"enable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","runtimeDetection":"enable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + "configurations":{"excludeJsonPaths":null,"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , + "serviceScanConfig" :{"enabled":false,"interval":"1h"} + } + kind: ConfigMap + metadata: + annotations: null + labels: + app: ks-capabilities + app.kubernetes.io/component: ks-capabilities + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: ks-capabilities + namespace: kubescape + 5: | + apiVersion: v1 + data: + matchingRules.json: | + {"match":[{"apiGroups":["apps"],"apiVersions":["v1"],"resources":["deployments"]}],"namespaces":["default"]} + kind: ConfigMap + metadata: + annotations: null + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: cs-matching-rules + namespace: kubescape + 6: | + apiVersion: 
scheduling.k8s.io/v1 + description: This priority class is for node-agent daemonset pods + globalDefault: false + kind: PriorityClass + metadata: + annotations: null + labels: + app: kubescape-critical + app.kubernetes.io/component: kubescape-critical + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape-critical + value: 1.000001e+08 + 7: | + apiVersion: v1 + data: + request-body.json: '{"commands":[{"CommandName":"kubescapeScan","args":{"scanV1":{}}}]}' + kind: ConfigMap + metadata: + annotations: null + labels: + app: kubescape-scheduler + app.kubernetes.io/component: kubescape-scheduler + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: kubescape-scheduler + namespace: kubescape + 8: | + apiVersion: batch/v1 + kind: CronJob + metadata: + annotations: null + labels: + app: kubescape-scheduler + app.kubernetes.io/component: kubescape-scheduler + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + armo.tier: kubescape-scan + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: kubescape-scheduler + namespace: kubescape + spec: + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + annotations: null + labels: + app: kubescape-scheduler + app.kubernetes.io/component: kubescape-scheduler + 
app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + armo.tier: kubescape-scan + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: null + automountServiceAccountToken: false + containers: + - args: + - -method=post + - -scheme=http + - -host=operator:4002 + - -path=v1/triggerAction + - -headers=Content-Type:application/json + - -path-body=/home/ks/request-body.json + image: quay.io/kubescape/http-request:v0.2.16 + imagePullPolicy: IfNotPresent + name: kubescape-scheduler + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 1m + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + volumeMounts: + - mountPath: /home/ks/request-body.json + name: kubescape-scheduler + readOnly: true + subPath: request-body.json + nodeSelector: + kubernetes.io/os: linux + priorityClassName: global-priority + restartPolicy: Never + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: kubescape + tolerations: null + volumes: + - configMap: + name: kubescape-scheduler + name: kubescape-scheduler + schedule: 1 2 3 4 5 + successfulJobsHistoryLimit: 3 + 9: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: null + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape + rules: + - apiGroups: + - "" + resources: + - pods + - pods/proxy + - namespaces + - nodes + - configmaps 
+ - services + - serviceaccounts + - endpoints + - persistentvolumeclaims + - persistentvolumes + - limitranges + - replicationcontrollers + - podtemplates + - resourcequotas + - events + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - daemonsets + - replicasets + - controllerrevisions + verbs: + - get + - watch + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - events.k8s.io + resources: + - events + verbs: + - get + - watch + - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - APIServerInfo + - ControlPlaneInfo + verbs: + - get + - watch + - list + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + - Ingress + verbs: + - get + - watch + - list + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - projectcalico.org + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - networking.istio.io + resources: + - gateways + - virtualservices + verbs: + - get + - list + - watch + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - get + - list + - watch + - apiGroups: + - policy + resources: + - poddisruptionbudgets + 
- podsecuritypolicies + - PodSecurityPolicy + verbs: + - get + - watch + - list + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - csistoragecapacities + - storageclasses + verbs: + - get + - watch + - list + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - watch + - list + - apiGroups: + - extensions + resources: + - Ingress + verbs: + - get + - watch + - list + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - gateways + - gatewayclasses + - tcproutes + - tlsroutes + - udproutes + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - namespaces + verbs: + - update + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - workloadconfigurationscans + - workloadconfigurationscansummaries + verbs: + - create + - get + - update + - patch + - apiGroups: + - kubescape.io + resources: + - servicesscanresults + verbs: + - get + - watch + - list + 10: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: null + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubescape + subjects: + - kind: ServiceAccount + name: kubescape + namespace: kubescape + 11: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: null + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: kubescape + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + annotations: + checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 + checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 + checksum/host-scanner-configmap: 7fc30b6a442d0ae01e83852a7c371492e49e83d6bed3dd0cb6c32935f417ad4d + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: null + automountServiceAccountToken: true + containers: + - command: + - ksserver + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: KS_DOWNLOAD_ARTIFACTS + value: "true" + - name: RULE_PROCESSING_GOMAXPROCS + value: "" + - name: KS_DEFAULT_CONFIGMAP_NAME + value: kubescape-config + - name: KS_DEFAULT_CONFIGMAP_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KS_CONTEXT + value: kind-kind + - name: KS_DEFAULT_CLOUD_CONFIGMAP_NAME 
+ value: ks-cloud-config + - name: KS_ENABLE_HOST_SCANNER + value: "true" + - name: KS_SKIP_UPDATE_CHECK + value: "false" + - name: KS_HOST_SCAN_YAML + value: /home/nonroot/.kubescape/host-scanner.yaml + - name: LARGE_CLUSTER_SIZE + value: "1500" + - name: KS_EXCLUDE_NAMESPACES + value: kubescape,kube-system,kube-public,kube-node-lease,kubeconfig,gmp-system,gmp-public + image: quay.io/kubescape/kubescape:v3.0.48 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /livez + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + name: kubescape + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + resources: + limits: + cpu: 600m + memory: 1Gi + requests: + cpu: 250m + memory: 400Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /home/nonroot/.kubescape + name: kubescape-volume + subPath: config.json + - mountPath: /home/nonroot/.kubescape/host-scanner.yaml + name: host-scanner-definition + subPath: host-scanner-yaml + - mountPath: /home/nonroot/results + name: results + - mountPath: /home/nonroot/failed + name: failed + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/services.json + name: services + readOnly: true + subPath: services.json + initContainers: + - args: + - -method=get + - -scheme=https + - -host=api.armosec.io + - -path=api/v2/servicediscovery + - -path-output=/data/services.json + env: null + image: quay.io/kubescape/http-request:v0.2.16 + imagePullPolicy: IfNotPresent + name: url-discovery + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true 
+ volumeMounts: + - mountPath: /data + name: services + nodeSelector: + kubernetes.io/os: linux + priorityClassName: kubescape-priority + securityContext: + fsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + serviceAccountName: kubescape + tolerations: null + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - configMap: + items: + - key: clusterData + path: clusterData.json + name: ks-cloud-config + name: ks-cloud-config + - emptyDir: {} + name: services + - configMap: + name: host-scanner-definition + name: host-scanner-definition + - emptyDir: {} + name: kubescape-volume + - emptyDir: {} + name: results + - emptyDir: {} + name: failed + 12: | + apiVersion: v1 + data: + host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.5\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.5\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.5\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.5\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: 
ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + kind: ConfigMap + metadata: + annotations: null + labels: + app: ks-cloud-config + app.kubernetes.io/component: ks-cloud-config + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: host-scanner-definition + namespace: kubescape + 13: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + annotations: null + labels: + app: kubescape + app.kubernetes.io/component: 
kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape + namespace: kubescape + rules: + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + 14: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: null + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape + namespace: kubescape + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubescape + subjects: + - kind: ServiceAccount + name: kubescape + namespace: kubescape + 15: | + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape + namespace: kubescape + spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + type: ClusterIP + 16: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + annotations: null + 
labels: + app: kubescape + app.kubernetes.io/component: kubescape + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape + namespace: kubescape + 17: | + apiVersion: v1 + data: + request-body.json: '{"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]}' + kind: ConfigMap + metadata: + labels: + app: kubevuln-scheduler + app.kubernetes.io/component: kubevuln-scheduler + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: kubevuln-scheduler + namespace: kubescape + 18: | + apiVersion: batch/v1 + kind: CronJob + metadata: + annotations: null + labels: + app: kubevuln-scheduler + app.kubernetes.io/component: kubevuln-scheduler + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + armo.tier: vuln-scan + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: kubevuln-scheduler + namespace: kubescape + spec: + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + annotations: null + labels: + app: kubevuln-scheduler + app.kubernetes.io/component: kubevuln-scheduler + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 
1.30.5 + armo.tier: vuln-scan + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: null + automountServiceAccountToken: false + containers: + - args: + - -method=post + - -scheme=http + - -host=operator:4002 + - -path=v1/triggerAction + - -headers=Content-Type:application/json + - -path-body=/home/ks/request-body.json + image: quay.io/kubescape/http-request:v0.2.16 + imagePullPolicy: IfNotPresent + name: kubevuln-scheduler + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 1m + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + volumeMounts: + - mountPath: /home/ks/request-body.json + name: kubevuln-scheduler + readOnly: true + subPath: request-body.json + nodeSelector: + kubernetes.io/os: linux + priorityClassName: global-priority + restartPolicy: Never + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: kubevuln + tolerations: null + volumes: + - configMap: + name: kubevuln-scheduler + name: kubevuln-scheduler + schedule: 1 2 3 4 5 + successfulJobsHistoryLimit: 3 + 19: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: null + labels: + app: kubevuln + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubevuln + rules: + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - vulnerabilitymanifests + - vulnerabilitymanifestsummaries + - openvulnerabilityexchangecontainers + - sbomsyfts + - sbomsyftfiltereds + verbs: + - create + - get + - update + - watch + - list + - patch + - apiGroups: + - 
spdx.softwarecomposition.kubescape.io + resources: + - containerprofiles + verbs: + - get + - watch + - list + 20: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: null + labels: + app: kubevuln + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubevuln + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubevuln + subjects: + - kind: ServiceAccount + name: kubevuln + namespace: kubescape + 21: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: null + labels: + app: kubevuln + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: kubevuln + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 + checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 + labels: + app: kubevuln + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + 
helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: null + automountServiceAccountToken: true + containers: + - args: + - -alsologtostderr + - -v=4 + - 2>&1 + env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: PRINT_POST_JSON + value: "" + - name: CA_MAX_VULN_SCAN_ROUTINES + value: "1" + image: quay.io/kubescape/kubevuln:v0.3.109 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /v1/liveness + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 3 + name: kubevuln + ports: + - containerPort: 8080 + protocol: TCP + readinessProbe: + httpGet: + path: /v1/readiness + port: 8080 + resources: + limits: + cpu: 1500m + ephemeral-storage: 10Gi + memory: 5000Mi + requests: + cpu: 300m + ephemeral-storage: 5Gi + memory: 1000Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /tmp + name: tmp-dir + - mountPath: /home/nonroot/anchore-resources/db + name: grype-db-cache + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/services.json + name: services + readOnly: true + subPath: services.json + - mountPath: /home/nonroot/.cache/grype + name: grype-db + initContainers: + - args: + - -method=get + - -scheme=https + - -host=api.armosec.io + - -path=api/v2/servicediscovery + - -path-output=/data/services.json + env: null + image: quay.io/kubescape/http-request:v0.2.16 + imagePullPolicy: IfNotPresent + name: url-discovery + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + 
securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /data + name: services + nodeSelector: + kubernetes.io/os: linux + priorityClassName: global-priority + securityContext: + fsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + serviceAccountName: kubevuln + tolerations: null + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - emptyDir: {} + name: tmp-dir + - emptyDir: {} + name: grype-db-cache + - configMap: + items: + - key: clusterData + path: clusterData.json + name: ks-cloud-config + name: ks-cloud-config + - emptyDir: {} + name: services + - emptyDir: {} + name: grype-db + 22: | + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app: kubevuln + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubevuln + namespace: kubescape + spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + type: ClusterIP + 23: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + annotations: null + labels: + app: kubevuln + app.kubernetes.io/component: kubevuln + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubevuln + namespace: kubescape + 24: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: 
ClusterRole + metadata: + annotations: null + labels: + app: node-agent + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: node-agent + rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - services + - endpoints + - namespaces + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - statefulsets + - replicasets + verbs: + - get + - watch + - list + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - applicationprofiles + - networkneighborhoods + verbs: + - get + - watch + - list + - apiGroups: + - kubescape.io + resources: + - seccompprofiles + verbs: + - get + - watch + - list + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - containerprofiles + - sbomsyfts + verbs: + - create + - get + - update + - watch + - list + - patch + - apiGroups: + - kubescape.io + resources: + - runtimerulealertbindings + verbs: + - list + - watch + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands/status + verbs: + - get + - watch + - list + - update + - patch + - apiGroups: + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - get + - apiGroups: + - kubescape.io + resources: + - rules + verbs: + - list + - watch + 25: | + apiVersion: rbac.authorization.k8s.io/v1 + 
kind: ClusterRoleBinding + metadata: + annotations: null + labels: + app: node-agent + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: node-agent + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-agent + subjects: + - kind: ServiceAccount + name: node-agent + namespace: kubescape + 26: | + apiVersion: v1 + data: + config.json: | + { + "applicationProfileServiceEnabled": true, + "backendStorageEnabled": false, + "prometheusExporterEnabled": false, + "runtimeDetectionEnabled": true, + "httpDetectionEnabled": true, + "networkServiceEnabled": true, + "malwareDetectionEnabled": false, + "hostMalwareSensorEnabled": false, + "hostNetworkSensorEnabled": false, + "nodeProfileServiceEnabled": true, + "networkStreamingEnabled": true, + "maxImageSize": 5.36870912e+09, + "maxSBOMSize": 2.097152e+07, + "sbomGenerationEnabled": true, + "enableEmbeddedSBOMs": false, + "seccompServiceEnabled": true, + "seccompProfileBackend": "crd", + "initialDelay": "2m", + "updateDataPeriod": "10m", + "nodeProfileInterval": "10m", + "networkStreamingInterval": "2m", + "maxSniffingTimePerContainer": "24h", + "excludeNamespaces": "kubescape,kube-system,kube-public,kube-node-lease,kubeconfig,gmp-system,gmp-public", + "excludeLabels":null, + "exporters": { + "httpExporterConfig":{"maxAlertsPerMinute":1000,"method":"POST","url":"http://synchronizer:8089/apis/v1/kubescape.io"}, + "alertManagerExporterUrls":[], + "stdoutExporter":true, + "syslogExporterURL": "" + }, + "excludeJsonPaths":null, + "ruleCooldown": { + "ruleCooldownDuration": "1h", + "ruleCooldownAfterCount": 1, + "ruleCooldownOnProfileFailure": true, + "ruleCooldownMaxSize": 20000 + } + } + kind: ConfigMap + 
metadata: + annotations: null + labels: + app: node-agent + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: node-agent + namespace: kubescape + 27: | + apiVersion: apps/v1 + kind: DaemonSet + metadata: + annotations: null + labels: + app: node-agent + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: node-agent + namespace: kubescape + spec: + selector: + matchLabels: + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + template: + metadata: + annotations: + checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 + checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 + checksum/node-agent-config: 97384b74056f9485f57382f907e17c1ccefe56710d91f080e9f997ce70303707 + labels: + app: node-agent + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: 
kubernetes.io/os + operator: In + values: + - linux + automountServiceAccountToken: true + containers: + - env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + - name: HOST_ROOT + value: /host + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBELET_ROOT + value: /var/lib/kubelet + - name: AGENT_VERSION + value: v0.3.47 + - name: NodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: quay.io/kubescape/node-agent:v0.3.47 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /livez + port: 7888 + periodSeconds: 3 + name: node-agent + readinessProbe: + httpGet: + path: /readyz + port: 7888 + periodSeconds: 3 + resources: + limits: + cpu: 500m + memory: 1400Mi + requests: + cpu: 100m + memory: 180Mi + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_PTRACE + - NET_ADMIN + - SYSLOG + - SYS_RESOURCE + - IPC_LOCK + - NET_RAW + privileged: false + runAsUser: 0 + seLinuxOptions: + type: spc_t + startupProbe: + failureThreshold: 30 + httpGet: + path: /readyz + port: 7888 + periodSeconds: 10 + timeoutSeconds: 1 + volumeMounts: + - mountPath: /host + name: host + readOnly: true + - mountPath: /var/lib/kubelet + name: kubeletdir + - mountPath: /run + name: run + - mountPath: /var + name: var + readOnly: true + - mountPath: /lib/modules + name: modules + readOnly: true + - mountPath: /sys/kernel/debug + name: debugfs + - mountPath: /sys/fs/cgroup + name: cgroup + readOnly: true + - mountPath: /sys/fs/bpf + name: bpffs + - mountPath: /data + name: data + - mountPath: /profiles + name: profiles + - mountPath: /boot + name: boot + readOnly: 
true + - mountPath: /clamav + name: clamrun + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/services.json + name: services + readOnly: true + subPath: services.json + - mountPath: /etc/config/config.json + name: config + readOnly: true + subPath: config.json + hostPID: true + initContainers: + - args: + - -method=get + - -scheme=https + - -host=api.armosec.io + - -path=api/v3/servicediscovery + - -path-output=/data/services.json + env: null + image: quay.io/kubescape/http-request:v0.2.16 + imagePullPolicy: IfNotPresent + name: url-discovery + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /data + name: services + nodeSelector: + kubernetes.io/os: linux + priorityClassName: node-agent-priority + securityContext: + appArmorProfile: + type: Unconfined + serviceAccountName: node-agent + tolerations: null + volumes: + - hostPath: + path: / + name: host + - hostPath: + path: /var/lib/kubelet + name: kubeletdir + - hostPath: + path: /run + name: run + - hostPath: + path: /var + name: var + - hostPath: + path: /sys/fs/cgroup + name: cgroup + - hostPath: + path: /lib/modules + name: modules + - hostPath: + path: /sys/fs/bpf + name: bpffs + - hostPath: + path: /sys/kernel/debug + name: debugfs + - hostPath: + path: /boot + name: boot + - emptyDir: null + name: data + - emptyDir: null + name: profiles + - emptyDir: {} + name: clamdb + - emptyDir: {} + name: clamrun + - configMap: + items: + - key: clamd.conf + path: clamd.conf + - key: freshclam.conf + path: freshclam.conf + name: clamav + name: etc + - name: cloud-secret + secret: + secretName: cloud-secret + - configMap: + items: + - key: clusterData + path: clusterData.json + name: ks-cloud-config + name: 
ks-cloud-config + - configMap: + items: + - key: config.json + path: config.json + name: node-agent + name: config + - emptyDir: {} + name: services + 28: | + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app: node-agent + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: node-agent + namespace: kubescape + spec: + ports: + - name: prometheus + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + 29: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: null + labels: + app: node-agent + app.kubernetes.io/component: node-agent + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: node-agent + namespace: kubescape + 30: | + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape-admission-webhook + namespace: kubescape + spec: + ports: + - port: 443 + targetPort: 8443 + selector: + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + 
app.kubernetes.io/name: kubescape-operator + type: ClusterIP + 31: | + apiVersion: v1 + data: + tls.crt: bW9jay1jZXJ0LWNlcnQ= + tls.key: bW9jay1jZXJ0LWtleQ== + kind: Secret + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape-admission-webhook.kubescape.svc-kubescape-tls-pair + namespace: kubescape + type: kubernetes.io/tls + 32: | + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: validation + webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: bW9jay1jYS1jZXJ0 + service: + name: kubescape-admission-webhook + namespace: kubescape + path: /validate + port: 443 + failurePolicy: Ignore + name: validation.kubescape.admission + rules: + - apiGroups: + - '*' + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + - CONNECT + resources: + - pods + - pods/exec + - pods/portforward + - pods/attach + - clusterrolebindings + - rolebindings + scope: '*' + sideEffects: None + 33: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 
kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: operator + rules: + - apiGroups: + - "" + resources: + - pods + - nodes + - namespaces + - configmaps + - services + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - watch + - list + - create + - update + - delete + - patch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - statefulsets + - replicasets + verbs: + - get + - watch + - list + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - vulnerabilitymanifests + - vulnerabilitymanifestsummaries + - workloadconfigurationscans + - workloadconfigurationscansummaries + - openvulnerabilityexchangecontainers + - containerprofiles + - sbomsyfts + verbs: + - get + - watch + - list + - delete + - apiGroups: + - kubescape.io + resources: + - runtimerulealertbindings + verbs: + - list + - watch + - get + - apiGroups: + - kubescape.io + resources: + - servicesscanresults + verbs: + - get + - watch + - list + - create + - update + - delete + - patch + - apiGroups: + - kubescape.io + resources: + - operatorcommands + verbs: + - get + - watch + - list + - create + - update + - patch + - apiGroups: + - kubescape.io + resources: + - operatorcommands/status + verbs: + - get + - watch + - list + - update + - patch + 34: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + 
app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: operator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: operator + subjects: + - kind: ServiceAccount + name: operator + namespace: kubescape + 35: | + apiVersion: v1 + data: + config.json: | + { + "excludeNamespaces": "kubescape,kube-system,kube-public,kube-node-lease,kubeconfig,gmp-system,gmp-public", + "namespace": "kubescape", + "triggersecurityframework": true, + "podScanGuardTime": "1h", + "excludeJsonPaths":null, + "httpExporterConfig":{"maxAlertsPerMinute":1000,"method":"POST","url":"http://synchronizer:8089/apis/v1/kubescape.io"}, + "nodeAgentAutoscaler": { + "enabled": false, + "nodeGroupLabel": "node.kubernetes.io/instance-type", + "resourcePercentages": { + "requestCPU": 2, + "requestMemory": 2, + "limitCPU": 5, + "limitMemory": 5 + }, + "minResources": { + "cpu": "100m", + "memory": "600Mi" + }, + "maxResources": { + "cpu": "2000m", + "memory": "4Gi" + }, + "reconcileInterval": "5m", + "templatePath": "/etc/templates/daemonset-template.yaml", + "operatorDeploymentName": "operator" + } + } + kind: ConfigMap + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: operator + namespace: kubescape + 36: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + 
app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: operator + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + strategy: + rollingUpdate: + maxSurge: 0% + maxUnavailable: 100% + type: RollingUpdate + template: + metadata: + annotations: + checksum/capabilities-config: 282eb82816d6723ffc1fa3f33885252a484104d211ead4ac46d7de25ab6de97b + checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 + checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 + checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 + checksum/operator-config: 1f69111d6d0f135b994a5cf6538371ea1728b46372f6932eb002a6c6ca7af846 + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: null + automountServiceAccountToken: true + containers: + - env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HELM_RELEASE + value: kubescape-operator-1.30.5 + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + image: quay.io/kubescape/operator:v0.2.128 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /v1/liveness + 
port: readiness-port + initialDelaySeconds: 3 + periodSeconds: 3 + name: operator + ports: + - containerPort: 4002 + name: trigger-port + protocol: TCP + - containerPort: 8000 + name: readiness-port + protocol: TCP + - containerPort: 8443 + name: admission-port + protocol: TCP + readinessProbe: + httpGet: + path: /v1/readiness + port: readiness-port + initialDelaySeconds: 10 + periodSeconds: 5 + resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 50m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /tmp + name: tmp-dir + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/capabilities.json + name: ks-capabilities + readOnly: true + subPath: capabilities.json + - mountPath: /etc/config/matchingRules.json + name: cs-matching-rules + readOnly: true + subPath: matchingRules.json + - mountPath: /etc/config/config.json + name: config + readOnly: true + subPath: config.json + - mountPath: /etc/certs + name: tls-certs + readOnly: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: global-priority + securityContext: + fsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + serviceAccountName: operator + tolerations: null + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - name: tls-certs + secret: + secretName: kubescape-admission-webhook.kubescape.svc-kubescape-tls-pair + - emptyDir: {} + name: tmp-dir + - configMap: + items: + - key: clusterData + path: clusterData.json + name: ks-cloud-config + name: ks-cloud-config + - configMap: + items: + - key: capabilities + path: capabilities.json + name: ks-capabilities + name: ks-capabilities + - configMap: + items: + - key: config.json + path: config.json + name: operator + name: config + - 
configMap: + items: + - key: matchingRules.json + path: matchingRules.json + name: cs-matching-rules + name: cs-matching-rules + 37: | + apiVersion: v1 + data: + cronjobTemplate: |- + apiVersion: batch/v1 + kind: CronJob + metadata: + name: kubescape-scheduler + namespace: kubescape + labels: + app: kubescape-scheduler + tier: ks-control-plane + kubescape.io/tier: "core" + armo.tier: "kubescape-scan" + spec: + schedule: "1 2 3 4 5" + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + labels: + armo.tier: "kubescape-scan" + kubescape.io/tier: "core" + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: kubescape-scheduler + image: "quay.io/kubescape/http-request:v0.2.16" + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 1m + memory: 10Mi + args: + - -method=post + - -scheme=http + - -host=operator:4002 + - -path=v1/triggerAction + - -headers=Content-Type:application/json + - -path-body=/home/ks/request-body.json + volumeMounts: + - name: "request-body-volume" + mountPath: /home/ks/request-body.json + subPath: request-body.json + readOnly: true + restartPolicy: Never + serviceAccountName: kubescape + automountServiceAccountToken: false + nodeSelector: + kubernetes.io/os: linux + affinity: + tolerations: + volumes: + - name: "request-body-volume" # placeholder + configMap: + name: kubescape-scheduler + kind: ConfigMap + metadata: + annotations: null + labels: + app: ks-cloud-config + app.kubernetes.io/component: ks-cloud-config + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + 
kubescape.io/tier: core + tier: ks-control-plane + name: kubescape-cronjob-template + namespace: kubescape + 38: | + apiVersion: v1 + data: + cronjobTemplate: |- + apiVersion: batch/v1 + kind: CronJob + metadata: + name: kubevuln-scheduler + namespace: kubescape + labels: + app: kubevuln-scheduler + tier: ks-control-plane + kubescape.io/tier: "core" + armo.tier: "vuln-scan" + spec: + schedule: "1 2 3 4 5" + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + labels: + armo.tier: "vuln-scan" + kubescape.io/tier: "core" + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: kubevuln-scheduler + image: "quay.io/kubescape/http-request:v0.2.16" + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 1m + memory: 10Mi + args: + - -method=post + - -scheme=http + - -host=operator:4002 + - -path=v1/triggerAction + - -headers=Content-Type:application/json + - -path-body=/home/ks/request-body.json + volumeMounts: + - name: "request-body-volume" + mountPath: /home/ks/request-body.json + subPath: request-body.json + readOnly: true + restartPolicy: Never + serviceAccountName: kubevuln + automountServiceAccountToken: false + nodeSelector: + kubernetes.io/os: linux + affinity: + tolerations: + volumes: + - name: "request-body-volume" # placeholder + configMap: + name: kubevuln-scheduler + kind: ConfigMap + metadata: + annotations: null + labels: + app: ks-cloud-config + app.kubernetes.io/component: ks-cloud-config + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: 
ks-control-plane + name: kubevuln-cronjob-template + namespace: kubescape + 39: | + apiVersion: v1 + data: + cronjobTemplate: |- + apiVersion: batch/v1 + kind: CronJob + metadata: + name: registry-scheduler + namespace: kubescape + labels: + app: registry-scheduler + kubescape.io/tier: "core" + tier: ks-control-plane + armo.tier: "registry-scan" + spec: + schedule: "0 0 * * *" + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + labels: + armo.tier: "registry-scan" + kubescape.io/tier: "core" + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: registry-scheduler + image: "quay.io/kubescape/http-request:v0.2.16" + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 1m + memory: 10Mi + args: + - -method=post + - -scheme=http + - -host=operator:4002 + - -path=v1/triggerAction + - -headers=Content-Type:application/json + - -path-body=/home/ks/request-body.json + volumeMounts: + - name: "request-body-volume" + mountPath: /home/ks/request-body.json + subPath: request-body.json + readOnly: true + restartPolicy: Never + serviceAccountName: kubevuln + automountServiceAccountToken: false + nodeSelector: + kubernetes.io/os: linux + affinity: + tolerations: + volumes: + - name: "request-body-volume" # placeholder + configMap: + name: registry-scheduler + kind: ConfigMap + metadata: + annotations: null + labels: + app: ks-cloud-config + app.kubernetes.io/component: ks-cloud-config + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: 
registry-scan-cronjob-template + namespace: kubescape + 40: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: operator + namespace: kubescape + rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + 41: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: operator + namespace: kubescape + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: operator + subjects: + - kind: ServiceAccount + name: operator + namespace: kubescape + 42: | + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: operator + namespace: kubescape + spec: + ports: + - 
port: 4002 + protocol: TCP + targetPort: 4002 + selector: + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + type: ClusterIP + 43: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + annotations: null + labels: + app: operator + app.kubernetes.io/component: operator + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: operator + namespace: kubescape + 44: | + apiVersion: apiregistration.k8s.io/v1 + kind: APIService + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: v1beta1.spdx.softwarecomposition.kubescape.io + spec: + caBundle: bW9jay1jYS1jZXJ0 + group: spdx.softwarecomposition.kubescape.io + groupPriorityMinimum: 1000 + service: + name: storage + namespace: kubescape + version: v1beta1 + versionPriority: 15 + 45: | + apiVersion: v1 + data: + ca.crt: bW9jay1jYS1jZXJ0 + tls.crt: bW9jay1jZXJ0LWNlcnQ= + tls.key: bW9jay1jZXJ0LWtleQ== + kind: Secret + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: storage-ca + 
namespace: kubescape + type: kubernetes.io/tls + 46: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: storage + rules: + - apiGroups: + - "" + resources: + - namespaces + - pods + - services + verbs: + - get + - watch + - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - watch + - list + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - watch + - list + 47: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: storage:system:auth-delegator + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator + subjects: + - kind: ServiceAccount + name: storage + namespace: kubescape + 48: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: null + labels: + 
app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: storage + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: storage + subjects: + - kind: ServiceAccount + name: storage + namespace: kubescape + 49: | + apiVersion: v1 + data: + config.json: | + { + "cleanupInterval": "6h", + "disableVirtualCRDs": true, + "disableSeccompProfileEndpoint": true, + "excludeJsonPaths": null, + "defaultQueueLength": 100, + "defaultWorkerCount": 2, + "defaultMaxObjectSize": 400000, + "queueManagerEnabled": true, + "kindQueues": {"applicationprofiles":{"maxObjectSize":20000000,"queueLength":50,"workerCount":2},"containerprofiles":{"maxObjectSize":2500000,"queueLength":50,"workerCount":2},"networkneighborhoods":{"maxObjectSize":10000000,"queueLength":50,"workerCount":2},"openvulnerabilityexchangecontainers":{"maxObjectSize":500000,"queueLength":50,"workerCount":1},"sbomsyftfiltereds":{"maxObjectSize":50000000,"queueLength":50,"workerCount":1},"sbomsyfts":{"maxObjectSize":100000000,"queueLength":50,"workerCount":1},"vulnerabilitymanifests":{"maxObjectSize":50000000,"queueLength":50,"workerCount":1}}, + "tlsClientCaFile": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", + "tlsServerCertFile": "/etc/storage-ca-certificates/tls.crt", + "tlsServerKeyFile": "/etc/storage-ca-certificates/tls.key", + "serverBindPort": "8443" + } + kind: ConfigMap + metadata: + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + 
kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: storage + namespace: kubescape + 50: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: storage + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + strategy: + type: Recreate + template: + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: null + containers: + - env: + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + image: quay.io/kubescape/storage:v0.0.247 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /livez + port: 8443 + scheme: HTTPS + name: apiserver + readinessProbe: + httpGet: + path: /readyz + port: 8443 + scheme: HTTPS + resources: + limits: + cpu: 1500m + memory: 1500Mi + requests: + cpu: 100m + memory: 400Mi + securityContext: + allowPrivilegeEscalation: false + 
runAsNonRoot: true + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/config.json + name: config + readOnly: true + subPath: config.json + - mountPath: /etc/storage-ca-certificates + name: ca-certificates + readOnly: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: global-priority + securityContext: + fsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + serviceAccountName: storage + tolerations: null + volumes: + - name: data + persistentVolumeClaim: + claimName: kubescape-storage + - configMap: + items: + - key: clusterData + path: clusterData.json + name: ks-cloud-config + name: ks-cloud-config + - configMap: + items: + - key: config.json + path: config.json + name: storage + name: config + - name: ca-certificates + secret: + secretName: storage-ca + 51: | + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: kubescape-storage + namespace: kubescape + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + 52: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: 
storage-auth-reader + namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader + subjects: + - kind: ServiceAccount + name: storage + namespace: kubescape + 53: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: null + labels: + app: seccompprofile + app.kubernetes.io/component: seccompprofile + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: seccompprofiles.kubescape.io + spec: + group: kubescape.io + names: + kind: SeccompProfile + listKind: SeccompProfileList + plural: seccompprofiles + shortNames: + - scp + singular: seccompprofile + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + containers: + items: + properties: + name: + description: Name of the container + type: string + path: + description: Path to the seccomp profile + type: string + spec: + properties: + architectures: + description: The architecture used for system calls + items: + type: string + type: array + baseProfileName: + description: Name of base profile to union into this profile + type: string + defaultAction: + description: The default action for seccomp + type: string + disabled: + description: Whether the profile is disabled + type: boolean + flags: + description: List of flags to use with seccomp(2) + items: + type: string + type: array + listenerMetadata: + description: Opaque data to pass to the seccomp agent + type: string + listenerPath: + description: Path of UNIX domain 
socket to contact a seccomp agent + type: string + syscalls: + items: + properties: + action: + description: The action for seccomp rules + type: string + args: + items: + properties: + index: + description: The index for syscall arguments + format: int64 + type: integer + op: + description: The operator for syscall arguments + type: string + value: + description: The value for syscall arguments + format: int64 + type: integer + valueTwo: + description: The second value for syscall arguments + format: int64 + type: integer + type: object + type: array + errnoRet: + description: The errno return code to use + format: int64 + type: integer + names: + description: The names of the syscalls + items: + type: string + type: array + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + ephemeralContainers: + items: + properties: + name: + description: Name of the ephemeral container + type: string + path: + description: Path to the seccomp profile + type: string + spec: + properties: + architectures: + description: The architecture used for system calls + items: + type: string + type: array + baseProfileName: + description: Name of base profile to union into this profile + type: string + defaultAction: + description: The default action for seccomp + type: string + disabled: + description: Whether the profile is disabled + type: boolean + flags: + description: List of flags to use with seccomp(2) + items: + type: string + type: array + listenerMetadata: + description: Opaque data to pass to the seccomp agent + type: string + listenerPath: + description: Path of UNIX domain socket to contact a seccomp agent + type: string + syscalls: + items: + properties: + action: + description: The action for seccomp rules + type: string + args: + items: + properties: + index: + description: The index for syscall arguments + format: int64 + type: integer + op: + description: The operator for syscall arguments + type: string 
+ value: + description: The value for syscall arguments + format: int64 + type: integer + valueTwo: + description: The second value for syscall arguments + format: int64 + type: integer + type: object + type: array + errnoRet: + description: The errno return code to use + format: int64 + type: integer + names: + description: The names of the syscalls + items: + type: string + type: array + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + initContainers: + items: + properties: + name: + description: Name of the init container + type: string + path: + description: Path to the seccomp profile + type: string + spec: + properties: + architectures: + description: The architecture used for system calls + items: + type: string + type: array + baseProfileName: + description: Name of base profile to union into this profile + type: string + defaultAction: + description: The default action for seccomp + type: string + disabled: + description: Whether the profile is disabled + type: boolean + flags: + description: List of flags to use with seccomp(2) + items: + type: string + type: array + listenerMetadata: + description: Opaque data to pass to the seccomp agent + type: string + listenerPath: + description: Path of UNIX domain socket to contact a seccomp agent + type: string + syscalls: + items: + properties: + action: + description: The action for seccomp rules + type: string + args: + items: + properties: + index: + description: The index for syscall arguments + format: int64 + type: integer + op: + description: The operator for syscall arguments + type: string + value: + description: The value for syscall arguments + format: int64 + type: integer + valueTwo: + description: The second value for syscall arguments + format: int64 + type: integer + type: object + type: array + errnoRet: + description: The errno return code to use + format: int64 + type: integer + names: + description: The names of the syscalls 
+ items: + type: string + type: array + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + status: + properties: + containers: + additionalProperties: + properties: + activeWorkloads: + description: Active workloads using this profile + items: + type: string + type: array + conditions: + items: + properties: + lastTransitionTime: + description: Last time this condition transitioned + format: date-time + type: string + message: + description: Message about this condition's last transition + type: string + reason: + description: Reason for this condition's last transition + type: string + status: + description: Status of this condition (True, False, Unknown) + type: string + type: + description: Type of this condition + type: string + type: object + type: array + localhostProfile: + description: Path for securityContext.seccompProfile.localhostProfile + type: string + path: + description: Path to the seccomp profile + type: string + status: + description: Profile state + type: string + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + 54: | + apiVersion: v1 + kind: Service + metadata: + annotations: null + labels: + app: storage + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: storage + namespace: kubescape + spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + 55: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: null + labels: + app: storage + 
app.kubernetes.io/component: storage + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: storage + namespace: kubescape + 56: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: null + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: synchronizer + rules: + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - clusterrolebindings + - roles + - clusterroles + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + - namespaces + - nodes + - configmaps + - persistentvolumes + - services + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - daemonsets + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - applicationprofiles + - networkneighborhoods + verbs: + - get + - watch + - list + - create + - update + - patch + - delete + - apiGroups: + - spdx.softwarecomposition.kubescape.io + resources: + - knownservers + verbs: + - get + - watch + - list + - create + - update + - 
patch + - delete + - apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - projectcalico.org + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - networking.istio.io + resources: + - gateways + - virtualservices + verbs: + - get + - list + - watch + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - tcproutes + - udproutes + verbs: + - get + - list + - watch + - apiGroups: + - kubescape.io + resources: + - servicesscanresults + verbs: + - get + - watch + - list + - apiGroups: + - kubescape.io + resources: + - operatorcommands + - rules + verbs: + - get + - watch + - list + - create + - update + - patch + - delete + 57: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: synchronizer + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: synchronizer + subjects: + - kind: ServiceAccount + name: synchronizer + namespace: kubescape + 58: | + apiVersion: v1 + data: + config.json: | + { + "inCluster": { + "excludeNamespaces": "kubescape,kube-system,kube-public,kube-node-lease,kubeconfig,gmp-system,gmp-public", + "resources": [ + { + "group": "", + "version": "v1", + "resource": "services", + "strategy": "patch" + }, + { + "group": "networking.k8s.io", + "version": "v1", + "resource": "ingresses", + "strategy": "patch" + }, + { + "group": "gateway.networking.k8s.io", + "version": "v1", + "resource": "httproutes", 
+ "strategy": "patch" + }, + { + "group": "gateway.networking.k8s.io", + "version": "v1", + "resource": "tcproutes", + "strategy": "patch" + }, + { + "group": "gateway.networking.k8s.io", + "version": "v1", + "resource": "udproutes", + "strategy": "patch" + }, + { + "group": "rbac.authorization.k8s.io", + "version": "v1", + "resource": "rolebindings", + "strategy": "patch" + }, + { + "group": "rbac.authorization.k8s.io", + "version": "v1", + "resource": "clusterrolebindings", + "strategy": "patch" + }, + { + "group": "rbac.authorization.k8s.io", + "version": "v1", + "resource": "clusterroles", + "strategy": "patch" + }, + { + "group": "rbac.authorization.k8s.io", + "version": "v1", + "resource": "roles", + "strategy": "patch" + }, + { + "group": "", + "version": "v1", + "resource": "persistentvolumes", + "strategy": "patch" + }, + { + "group": "storage.k8s.io", + "version": "v1", + "resource": "storageclasses", + "strategy": "patch" + }, + { + "group": "apps", + "version": "v1", + "resource": "deployments", + "strategy": "patch" + }, + { + "group": "apps", + "version": "v1", + "resource": "statefulsets", + "strategy": "patch" + }, + { + "group": "apps", + "version": "v1", + "resource": "daemonsets", + "strategy": "patch" + }, + { + "group": "apps", + "version": "v1", + "resource": "replicasets", + "strategy": "patch" + }, + { + "group": "batch", + "version": "v1", + "resource": "jobs", + "strategy": "patch" + }, + { + "group": "batch", + "version": "v1", + "resource": "cronjobs", + "strategy": "patch" + }, + { + "group": "", + "version": "v1", + "resource": "pods", + "strategy": "patch" + }, + { + "group": "", + "version": "v1", + "resource": "namespaces", + "strategy": "patch" + }, + { + "group": "", + "version": "v1", + "resource": "nodes", + "strategy": "patch" + }, + { + "group": "", + "version": "v1", + "resource": "configmaps", + "strategy": "patch" + }, + { + "group": "networking.k8s.io", + "version": "v1", + "resource": "networkpolicies", + "strategy": 
"patch" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "applicationprofiles", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "knownservers", + "strategy": "copy" + }, + { + "group": "spdx.softwarecomposition.kubescape.io", + "version": "v1beta1", + "resource": "networkneighborhoods", + "strategy": "copy" + }, + { + "group": "cilium.io", + "version": "v2", + "resource": "ciliumnetworkpolicies", + "strategy": "patch" + }, + { + "group": "projectcalico.org", + "version": "v3", + "resource": "networkpolicies", + "strategy": "patch" + }, + { + "group": "networking.istio.io", + "version": "v1", + "resource": "gateways", + "strategy": "patch" + }, + { + "group": "networking.istio.io", + "version": "v1", + "resource": "virtualservices", + "strategy": "patch" + }, + { + "group": "security.istio.io", + "version": "v1", + "resource": "authorizationpolicies", + "strategy": "patch" + }, + { + "group": "networking.istio.io", + "version": "v1beta1", + "resource": "gateways", + "strategy": "patch" + }, + { + "group": "networking.istio.io", + "version": "v1beta1", + "resource": "virtualservices", + "strategy": "patch" + }, + { + "group": "security.istio.io", + "version": "v1beta1", + "resource": "authorizationpolicies", + "strategy": "patch" + }, + { + "group": "kubescape.io", + "version": "v1", + "resource": "servicesscanresults", + "strategy": "patch" + }, + { + "group": "kubescape.io", + "version": "v1alpha1", + "resource": "operatorcommands", + "strategy": "copy" + }, + { + "group": "kubescape.io", + "version": "v1", + "resource": "rules", + "strategy": "copy" + } + ] + }, + "httpEndpoint": { + "serverPort": "8089", + "resources": [ + { + "group": "kubescape.io", + "version": "v1", + "resource": "networkstreams", + "strategy": "copy" + }, + { + "group": "kubescape.io", + "version": "v1", + "resource": "nodeprofiles", + "strategy": "copy" + }, + { + 
"group": "kubescape.io", + "version": "v1", + "resource": "runtimealerts", + "strategy": "copy" + }, + { + "group": "kubescape.io", + "version": "v1", + "resource": "registrystatuses", + "strategy": "copy" + } + ] + } + } + kind: ConfigMap + metadata: + annotations: null + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: synchronizer + namespace: kubescape + 59: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: null + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + name: synchronizer + namespace: kubescape + spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 + checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 + checksum/synchronizer-configmap: eb64af6b773ffb36f4152311f38e3c82c83f20e541bbf0d3470ddd36f814533b + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + 
app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + kubescape.io/tier: core + tier: ks-control-plane + spec: + affinity: null + automountServiceAccountToken: true + containers: + - command: + - /usr/bin/client + env: + - name: HELM_RELEASE + value: kubescape-operator-1.30.5 + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + - name: KS_LOGGER_LEVEL + value: info + - name: KS_LOGGER_NAME + value: zap + image: quay.io/kubescape/synchronizer:v0.0.132 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 7888 + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 10 + name: synchronizer + resources: + limits: + cpu: 200m + memory: 500Mi + requests: + cpu: 100m + memory: 250Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/credentials + name: cloud-secret + readOnly: true + - mountPath: /etc/config/clusterData.json + name: ks-cloud-config + readOnly: true + subPath: clusterData.json + - mountPath: /etc/config/services.json + name: services + readOnly: true + subPath: services.json + - mountPath: /etc/config/config.json + name: config + readOnly: true + subPath: config.json + initContainers: + - args: + - -method=get + - -scheme=https + - -host=api.armosec.io + - -path=api/v2/servicediscovery + - -path-output=/data/services.json + env: null + image: quay.io/kubescape/http-request:v0.2.16 + imagePullPolicy: IfNotPresent + name: url-discovery + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /data + name: services + nodeSelector: + 
kubernetes.io/os: linux + priorityClassName: global-priority + securityContext: + fsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + serviceAccountName: synchronizer + tolerations: null + volumes: + - name: cloud-secret + secret: + secretName: cloud-secret + - configMap: + items: + - key: clusterData + path: clusterData.json + name: ks-cloud-config + name: ks-cloud-config + - emptyDir: {} + name: services + - configMap: + items: + - key: config.json + path: config.json + name: synchronizer + name: config + 60: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: synchronizer + namespace: kubescape + rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - create + - get + - update + - watch + - list + - patch + - delete + 61: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: synchronizer + namespace: kubescape + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: synchronizer + subjects: + - kind: ServiceAccount + name: synchronizer + namespace: kubescape + 62: | + apiVersion: v1 + 
kind: Service + metadata: + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: synchronizer + namespace: kubescape + spec: + ports: + - port: 8089 + protocol: TCP + targetPort: 8089 + selector: + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: kubescape-operator + type: ClusterIP + 63: | + apiVersion: v1 + automountServiceAccountToken: false + kind: ServiceAccount + metadata: + labels: + app: synchronizer + app.kubernetes.io/component: synchronizer + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kubescape-operator + app.kubernetes.io/part-of: kubescape + app.kubernetes.io/version: 1.30.5 + helm.sh/chart: kubescape-operator-1.30.5 + kubescape.io/ignore: "true" + tier: ks-control-plane + name: synchronizer + namespace: kubescape relevancy only: 1: |+ raw: |+ diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index 128fb3d5..9abb4238 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml +++ b/charts/kubescape-operator/tests/snapshot_test.yaml 
@@ -512,4 +512,33 @@ tests:
 storage.forceVirtualCrds: true
 storage.mtls.enabled: false
 prometheusExporter:
- enableWorkloadMetrics: true
\ No newline at end of file
+ enableWorkloadMetrics: true
+ - it: priority class scheduling
+ asserts:
+ - matchSnapshot: {}
+ capabilities:
+ apiVersions:
+ - batch/v1
+ set:
+ unittest: true
+ account: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0
+ accessKey: f304d73b-d43c-412b-82ea-e4c859493ce6
+ server: api.armosec.io
+ clusterName: kind-kind
+ kubescapeScheduler.scanSchedule: "1 2 3 4 5"
+ kubevulnScheduler.scanSchedule: "1 2 3 4 5"
+ capabilities:
+ configurationScan: enable
+ nodeScan: enable
+ vulnerabilityScan: enable
+ relevancy: enable
+ runtimeDetection: enable
+ # global fallback for all deployments
+ customScheduling:
+ priorityClassName: "global-priority"
+ # per-component override takes precedence over global
+ kubescape:
+ priorityClassName: "kubescape-priority"
+ # node-agent override takes precedence over configurations.priorityClass (kubescape-critical)
+ nodeAgent:
+ priorityClassName: "node-agent-priority"
\ No newline at end of file
diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
index 0b39012b..e1f56e86 100644
--- a/charts/kubescape-operator/values.yaml
+++ b/charts/kubescape-operator/values.yaml
@@ -50,6 +50,7 @@ customScheduling: # Define nodeSelector rules here tolerations: # Set tolerations for nodes here + priorityClassName: "" # -- set the image pull secrets for private registry support imagePullSecrets: ""
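Review bot: The new "priority class scheduling" test only carries `matchSnapshot: {}`, so the precedence rules its inline comments describe (component override beats `customScheduling.priorityClassName`, which is the fallback) are never asserted; a regression in the helper's ordering would just produce a different snapshot that gets accepted on the next snapshot update. Adding explicit `equal` assertions on `spec.template.spec.priorityClassName` for one overridden component and one fallback component pins the behaviour independently of the snapshot; helm-unittest accepts a per-assertion `template:` selector, which is needed here because the test does not restrict `templates:`. The file also still ends without a trailing newline (the `\ No newline at end of file` marker survives on the new side), which yamllint's new-line-at-end-of-file rule flags.
```yaml
    asserts:
      - matchSnapshot: {}
      # explicit override: kubescape.priorityClassName wins over customScheduling
      - equal:
          path: spec.template.spec.priorityClassName
          value: kubescape-priority
          template: templates/kubescape/deployment.yaml
      # fallback: a component without its own value inherits the global one
      - equal:
          path: spec.template.spec.priorityClassName
          value: global-priority
          template: templates/<component-without-override>/deployment.yaml  # placeholder path
    # … unchanged: capabilities, set …
```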
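Review bot: The new `priorityClassName: ""` under `customScheduling` is the only key in that block without an explanatory comment, while its siblings carry `# Define nodeSelector rules here` and `# Set tolerations for nodes here`; nothing in values.yaml tells an operator that this is the chart-wide fallback or that a per-component `<component>.priorityClassName` takes precedence over it, which is exactly the precedence the helper in `_helpers.tpl` implements. Suggest `priorityClassName: "" # PriorityClass applied to every component unless <component>.priorityClassName is set; must name an existing PriorityClass`, since Kubernetes rejects pod creation when the referenced PriorityClass does not exist, so a typo here stops every workload in the release from scheduling rather than failing loudly at install time. The same undocumented `priorityClassName: ""` line is repeated in the per-component hunks for kubescape, operator, kubevuln, storage, nodeAgent, synchronizer, grypeOfflineDB, prometheusExporter, helmReleaseUpgrader, kubescapeScheduler and kubevulnScheduler; a one-line `# Overrides customScheduling.priorityClassName for this component` on each would make the relationship visible where users edit it.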
@@ -146,7 +147,7 @@ configurations: priorityClass: enabled: true - daemonset: 100000100 # PriorityClass of the DaemonSet, this should be higher than the other components so the DaemonSet will schedule on all nodes + daemonset: 100000100 # PriorityClass value for the node-agent DaemonSet; higher than other components so it schedules on all nodes. Override the name via nodeAgent.priorityClassName. # List of json paths to exclude from the pod spec hash computation - used for aggregating CronJob generated CRDs excludeJsonPaths: @@ -269,6 +270,7 @@ kubescape: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" podAnnotations: {} podLabels: {} @@ -329,6 +331,7 @@ operator: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" service: type: ClusterIP @@ -377,6 +380,7 @@ kubevuln: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" replicaCount: 1 @@ -484,6 +488,7 @@ storage: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" # cleanup interval is a duration string cleanupInterval: "6h" @@ -736,6 +741,8 @@ nodeAgent: # -- interval for reconciliation loop reconcileInterval: 5m + priorityClassName: "" + # +++++++++++++++++++++++++++++++ ClamAV ++++++++++++++++++++++++++++++++++++++++++++++++ clamav: name: clamav @@ -801,6 +808,7 @@ synchronizer: pullPolicy: IfNotPresent nodeSelector: kubernetes.io/os: linux + priorityClassName: "" podAnnotations: {} podLabels: {} resources: @@ -867,6 +875,7 @@ grypeOfflineDB: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" podAnnotations: {} podLabels: {} @@ -929,6 +938,7 @@ prometheusExporter: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" podAnnotations: {} podLabels: {} @@ -965,6 +975,7 @@ helmReleaseUpgrader: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" # A cron schedule of how often the updating CronJob should run schedule: "0 14 * * *" 
@@ -1029,6 +1040,7 @@ kubescapeScheduler: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" # Skip SSL certificate verification insecureSkipTLSVerify: false @@ -1076,6 +1088,7 @@ kubevulnScheduler: nodeSelector: kubernetes.io/os: linux + priorityClassName: "" # Skip SSL certificate verification insecureSkipTLSVerify: false