chore(Conftest): Update deployment descriptors (#495)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

CONTRIBUTING.md

@@ -19,6 +19,7 @@ These guidelines will help you get started with the Starboard project.
   - [Prerequisites](#prerequisites)
   - [In Cluster](#in-cluster)
   - [Out of Cluster](#out-of-cluster)
+  - [Uninstall](#uninstall)
 - [Operator Lifecycle Manager (OLM)](#operator-lifecycle-manager-olm)
   - [Install OLM](#install-olm)
   - [Build the Catalog Image](#build-the-catalog-image)
@@ -183,17 +184,27 @@ started with a basic development workflow. For other install modes see [Operator
 
 ### Prerequisites
 
-1. Send custom resource definitions to the Kubernetes API:
+1. Build the operator binary into the Docker image:
 
    ```
-   $ kubectl create -f deploy/crd/vulnerabilityreports.crd.yaml \
+   $ make docker-build-starboard-operator
+   ```
+2. Load the Docker image from host into KIND cluster nodes:
+
+   ```
+   $ kind load docker-image aquasec/starboard-operator:dev
+   ```
+3. Send custom resource definitions to the Kubernetes API:
+
+   ```
+   $ kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
        -f deploy/crd/configauditreports.crd.yaml \
        -f deploy/crd/ciskubebenchreports.crd.yaml
    ```
-2. Send the following Kubernetes objects definitions to the Kubernetes API:
+4. Send the following Kubernetes objects definitions to the Kubernetes API:
 
    ```
-   $ kubectl create -f deploy/static/01-starboard-operator.ns.yaml \
+   $ kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
        -f deploy/static/02-starboard-operator.sa.yaml \
        -f deploy/static/03-starboard-operator.clusterrole.yaml \
        -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
@@ -202,18 +213,18 @@ started with a basic development workflow. For other install modes see [Operator
    This will create the `starboard-operator` namespace, and the `starboard-operator` service account. Beyond that,
    it will create the `starboard-operator` ClusterRole and bind it to the `starboard-operator` service account in the
    `starboard-operator` namespace via the `starboard-operator` ClusterRoleBinding.
-3. (Optional) Create configuration objects:
+5. (Optional) Create configuration objects:
 
    ```
-   $ kubectl create -f deploy/static/05-starboard-operator.config.yaml
+   $ kubectl apply -f deploy/static/05-starboard-operator.config.yaml
    ```
 
 ### In cluster
 
 1. Create the `starboard-operator` Deployment in the `starboard-operator` namespace to run the operator's container:
 
    ```
-   $ kubectl create -f deploy/static/06-starboard-operator.deployment.yaml
+   $ kubectl apply -k deploy/static
    ```
 
 ### Out of cluster
@@ -232,6 +243,20 @@ started with a basic development workflow. For other install modes see [Operator
      go run cmd/starboard-operator/main.go
    ```
 
+### Uninstall
+
+```
+$ kubectl delete -k deploy/static
+$ kubectl delete -f deploy/static/05-starboard-operator.config.yaml
+$ kubectl delete -f deploy/static/01-starboard-operator.ns.yaml \
+    -f deploy/static/02-starboard-operator.sa.yaml \
+    -f deploy/static/03-starboard-operator.clusterrole.yaml \
+    -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+$ kubectl delete -f deploy/crd/vulnerabilityreports.crd.yaml \
+    -f deploy/crd/configauditreports.crd.yaml \
+    -f deploy/crd/ciskubebenchreports.crd.yaml
+```
+
 ## Operator Lifecycle Manager (OLM)
 
 ### Install OLM

deploy/helm/templates/config.yaml

@@ -1,13 +1,14 @@
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: starboard
   labels:
     {{- include "starboard-operator.labels" . | nindent 4 }}
 data:
-  {{- if .Values.trivy.enabled }}
-  vulnerabilityReports.scanner: "Trivy"
-  configAuditReports.scanner: "Polaris"
+  {{- if .Values.operator.vulnerabilityScannerEnabled }}
+  vulnerabilityReports.scanner: {{ .Values.operator.vulnerabilityReportsPlugin | quote }}
+  {{- if eq .Values.operator.vulnerabilityReportsPlugin "Trivy" }}
   trivy.imageRef: "{{ .Values.trivy.imageRef }}"
   trivy.mode: "{{ .Values.trivy.mode }}"
   {{- if eq .Values.trivy.mode "ClientServer" }}
@@ -18,11 +19,27 @@ data:
   trivy.noProxy: "{{ .Values.trivy.noProxy }}"
   trivy.severity: "{{ .Values.trivy.severity }}"
   {{- end }}
-  {{- if .Values.kubeBench.enabled }}
+  {{- end }}
+  {{- if .Values.operator.kubernetesBenchmarkEnabled }}
   kube-bench.imageRef: "{{ .Values.kubeBench.imageRef }}"
   {{- end }}
+  {{- if .Values.operator.configAuditScannerEnabled }}
+  configAuditReports.scanner: {{ .Values.operator.configAuditReportsPlugin | quote }}
+  {{- if eq .Values.operator.configAuditReportsPlugin "Polaris" }}
   polaris.imageRef: "{{ .Values.polaris.imageRef }}"
   polaris.config.yaml: |
     {{- toYaml .Values.polaris.config | nindent 4 }}
-  conftest.imageRef: openpolicyagent/conftest:v0.23.0
-  kube-bench.imageRef: docker.io/aquasec/kube-bench:0.5.0
+  {{- end }}
+  {{- if eq .Values.operator.configAuditReportsPlugin "Conftest" }}
+  conftest.imageRef: {{ .Values.conftest.imageRef | quote }}
+  {{- end }}
+  {{- end }}
+{{- if eq .Values.operator.configAuditReportsPlugin "Conftest" }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: starboard-conftest-config
+  labels:
+    {{- include "starboard-operator.labels" . | nindent 4 }}
+{{- end }}

deploy/helm/templates/deployment.yaml

@@ -41,6 +41,16 @@ spec:
               value: ":8080"
             - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS
               value: ":9090"
+            - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED
+              value: {{ .Values.operator.kubernetesBenchmarkEnabled | quote }}
+            - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
+              value: {{ .Values.operator.vulnerabilityScannerEnabled | quote }}
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
+              value: {{ .Values.operator.configAuditScannerEnabled | quote }}
+            - name: OPERATOR_BATCH_DELETE_LIMIT
+              value: {{ .Values.operator.batchDeleteLimit | quote }}
+            - name: OPERATOR_BATCH_DELETE_DELAY
+              value: {{ .Values.operator.batchDeleteDelay | quote }}
             {{- /* Import configuration from passed Helm values */}}
             {{- range $key, $value := .Values.envSecret.stringData }}
             {{- if $value }}

deploy/helm/values.yaml

@@ -15,7 +15,20 @@ operator:
   # leaderElectionId determines the name of the resource that leader election
   # will use for holding the leader lock.
   leaderElectionId: "starboard-operator"
-
+  # vulnerabilityScannerEnabled the flag to enable vulnerability scanner
+  vulnerabilityScannerEnabled: true
+  # configAuditScannerEnabled the flag to enable configuration audit scanner
+  configAuditScannerEnabled: true
+  # kubernetesBenchmarkEnabled the flag to enable CIS Kubernetes Benchmark scanner
+  kubernetesBenchmarkEnabled: true
+  # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`.
+  vulnerabilityReportsPlugin: "Trivy"
+  # configAuditReportsPlugin the name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`.
+  configAuditReportsPlugin: "Polaris"
+  # batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
+  batchDeleteLimit: 10
+  # batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
+  batchDeleteDelay: 10s
 image:
   repository: "aquasec/starboard-operator"
   # tag is an override of the image tag, which is by default set by the
@@ -56,14 +69,8 @@ envSecret:
   #       properly.
   stringData:
     OPERATOR_LOG_DEV_MODE: "false"
-    OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED: "true"
-    OPERATOR_VULNERABILITY_SCANNER_ENABLED: "true"
-    OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true"
-    OPERATOR_BATCH_DELETE_LIMIT: "10"
-    OPERATOR_BATCH_DELETE_DELAY: "10s"
 
 trivy:
-  enabled: true
   imageRef: docker.io/aquasec/trivy:0.16.0
   mode: Standalone
   serverURL:
@@ -73,7 +80,6 @@ trivy:
   severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 
 kubeBench:
-  enabled: true
   imageRef: docker.io/aquasec/kube-bench:0.5.0
 
 polaris:
@@ -263,6 +269,9 @@ polaris:
         rules:
         - runAsRootAllowed
 
+conftest:
+  # imageRef the image reference
+  imageRef: docker.io/openpolicyagent/conftest:v0.23.0
 
 rbac:
   create: true

deploy/static/05-starboard-operator.config.yaml

@@ -204,3 +204,9 @@ kind: Secret
 metadata:
   name: starboard
   namespace: starboard-operator
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: starboard-conftest-config
+  namespace: starboard-operator

deploy/static/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+  - 06-starboard-operator.deployment.yaml
+images:
+  - name: docker.io/aquasec/starboard-operator
+    newName: docker.io/aquasec/starboard-operator
+    newTag: dev

docs/operator/configuration.md

@@ -11,11 +11,13 @@ Configuration of the operator's pod is done via environment variables at startup
 | `OPERATOR_SCAN_JOB_RETRY_AFTER`             | `30s`                  | The duration to wait before retrying a failed scan job |
 | `OPERATOR_METRICS_BIND_ADDRESS`             | `:8080`                | The TCP address to bind to for serving [Prometheus][prometheus] metrics. It can be set to `0` to disable the metrics serving. |
 | `OPERATOR_HEALTH_PROBE_BIND_ADDRESS`        | `:9090`                | The TCP address to bind to for serving health probes, i.e. `/healthz/` and `/readyz/` endpoints. |
-| `OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED` | `true`                 | The flag to enable CIS Kubernetes Benchmark reconciler |
+| `OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED` | `true`                 | The flag to enable CIS Kubernetes Benchmark scanner |
 | `OPERATOR_VULNERABILITY_SCANNER_ENABLED`    | `true`                 | The flag to enable vulnerability scanner |
 | `OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED`     | `true`                 | The flag to enable configuration audit scanner |
 | `OPERATOR_LEADER_ELECTION_ENABLED`          | `false`                | The flag to enable operator replica leader election |
 | `OPERATOR_LEADER_ELECTION_ID`               | `starboard-operator`   | The name of the resource lock for leader election |
+| `OPERATOR_BATCH_DELETE_LIMIT`               | `10`                   | The maximum number of config audit reports deleted by the operator when the plugin's config has changed. |
+| `OPERATOR_BATCH_DELETE_DELAY`               | `10s`                  | The duration to wait before deleting another batch of config audit reports. |
 
 ## Install Modes
 

docs/operator/installation/helm.md

@@ -58,16 +58,16 @@ You can uninstall the operator with the following command:
 helm uninstall starboard-operator -n starboard-operator
 ```
 
-!!! note
-    You have to manually delete custom resource definitions created by the `helm install` command:
+You have to manually delete custom resource definitions created by the `helm install` command:
+
+!!! danger
+    Deleting custom resource definitions will also delete all security reports generated by the operator.
+
     ```
     kubectl delete crd vulnerabilityreports.aquasecurity.github.io
     kubectl delete crd configauditreports.aquasecurity.github.io
     kubectl delete crd ciskubebenchreports.aquasecurity.github.io
     ```
 
-!!! danger
-    Deleting custom resource definitions will also delete all security reports generated by the operator.
-
 [helm]: https://helm.sh/
 [helm-charts]: https://helm.sh/docs/topics/charts/

docs/operator/installation/kubectl.md

@@ -66,11 +66,11 @@ kubectl delete -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ va
 
 Delete custom resources definitions:
 
-```
-kubectl delete -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/vulnerabilityreports.crd.yaml \
-  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/configauditreports.crd.yaml \
-  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/ciskubebenchreports.crd.yaml
-```
-
 !!! danger
     Deleting custom resource definitions will also delete all security reports generated by the operator.
+
+    ```
+    kubectl delete -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/vulnerabilityreports.crd.yaml \
+      -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/configauditreports.crd.yaml \
+      -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/crd/ciskubebenchreports.crd.yaml
+    ```

docs/operator/installation/olm.md

@@ -99,14 +99,15 @@ kubectl delete clusterserviceversion starboard-operator.{{ var.tag }} -n starboa
 kubectl delete operatorgroup starboard-operator -n starboard-operator
 ```
 
-!!! note
-    You have to manually delete custom resource definitions created by the OLM operator:
+You have to manually delete custom resource definitions created by the OLM operator:
+
+!!! danger
+    Deleting custom resource definitions will also delete all security reports generated by the operator.
+
     ```
     kubectl delete crd vulnerabilityreports.aquasecurity.github.io
     kubectl delete crd configauditreports.aquasecurity.github.io
+    kubectl delete crd ciskubebenchreports.aquasecurity.github.io
     ```
 
-!!! danger
-    Deleting custom resource definitions will also delete all security reports generated by the operator.
-
 [olm]: https://github.com/operator-framework/operator-lifecycle-manager/

docs/settings.md

@@ -58,7 +58,8 @@ The following tables list available configuration settings with their default va
 
 | CONFIGMAP KEY                  | DEFAULT                                                | DESCRIPTION |
 | ------------------------------ | ------------------------------------------------------ | ----------- |
-| `vulnerabilityReports.scanner` | `Trivy`                                                | The name of the scanner that generates vulnerability reports. Either `Trivy` or `Aqua`. |
+| `vulnerabilityReports.scanner` | `Trivy`                                                | The name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`. |
+| `configAuditReports.scanner`   | `Polaris`                                              | The name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`. |
 | `trivy.httpProxy`              | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
 | `trivy.httpsProxy`             | N/A                                                    | The HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
 | `trivy.noProxy`                | N/A                                                    | A comma separated list of IPs and domain names that are not subject to proxy settings. |
@@ -74,6 +75,7 @@ The following tables list available configuration settings with their default va
 | `kube-hunter.quick`            | `"false"`                                              | Whether to use kube-hunter's "quick" scanning mode (subnet 24). Set to `"true"` to enable. |
 | `polaris.imageRef`             | `quay.io/fairwinds/polaris:3.2`                        | Polaris image reference |
 | `polaris.config.yaml`          | [Check the default value here][default-polaris-config] | Polaris configuration file |
+| `conftest.imageRef`            | `docker.io/openpolicyagent/conftest:v0.23.0`           | Conftest image reference |
 
 | SECRET KEY                  | DESCRIPTION |
 | --------------------------- | ----------- |