feat(helm): Add ConfigMap template for plugins configuration (#437)

Resolves: #435
aquasecurity · Mar 19, 2021 · d12f369 · d12f369
1 parent 09c1bc0
commit d12f369
Show file tree

Hide file tree

Showing 2 changed files with 221 additions and 0 deletions.
diff --git a/deploy/helm/templates/configmap.yaml b/deploy/helm/templates/configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: starboard
+  labels:
+    {{- include "starboard-operator.labels" . | nindent 4 }}
+data:
+  {{- if .Values.trivy.enabled }}
+  vulnerabilityReports.scanner: "Trivy"
+  trivy.imageRef: "{{ .Values.trivy.imageRef }}"
+  trivy.mode: "{{ .Values.trivy.mode }}"
+  {{- if eq .Values.trivy.mode "ClientServer" }}
+  trivy.serverURL: "{{ .Values.trivy.serverURL }}"
+  {{- end }}
+  {{- if eq .Values.trivy.mode "Standalone" }}
+  trivy.httpProxy: "{{ .Values.trivy.httpProxy }}"
+  {{- end }}
+  trivy.severity: "{{ .Values.trivy.severity }}"
+  {{- end }}
+  polaris.imageRef: "{{ .Values.polaris.imageRef }}"
+  polaris.config.yaml: |
+    {{- toYaml .Values.polaris.config | nindent 4 }}
+
+
+
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -52,6 +52,202 @@ envSecret:
     OPERATOR_LOG_DEV_MODE: "false"
     OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED: "true"
 
+trivy:
+  enabled: true
+  imageRef: docker.io/aquasec/trivy:0.16.0
+  mode: Standalone
+  serverURL: 
+  httpProxy: 
+  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+
+polaris:
+  imageRef: quay.io/fairwinds/polaris:3.0
+  config:
+    checks:
+      # reliability
+      multipleReplicasForDeployment: ignore
+      priorityClassNotSet: ignore
+      # resources
+      cpuRequestsMissing: warning
+      cpuLimitsMissing: warning
+      memoryRequestsMissing: warning
+      memoryLimitsMissing: warning
+      # images
+      tagNotSpecified: danger
+      pullPolicyNotAlways: ignore
+      # healthChecks
+      readinessProbeMissing: warning
+      livenessProbeMissing: warning
+      # networking
+      hostNetworkSet: warning
+      hostPortSet: warning
+      # security
+      hostIPCSet: danger
+      hostPIDSet: danger
+      notReadOnlyRootFilesystem: warning
+      privilegeEscalationAllowed: danger
+      runAsRootAllowed: warning
+      runAsPrivileged: danger
+      dangerousCapabilities: danger
+      insecureCapabilities: warning
+    exemptions:
+      - controllerNames:
+        - kube-apiserver
+        - kube-proxy
+        - kube-scheduler
+        - etcd-manager-events
+        - kube-controller-manager
+        - kube-dns
+        - etcd-manager-main
+        rules:
+        - hostPortSet
+        - hostNetworkSet
+        - readinessProbeMissing
+        - livenessProbeMissing
+        - cpuRequestsMissing
+        - cpuLimitsMissing
+        - memoryRequestsMissing
+        - memoryLimitsMissing
+        - runAsRootAllowed
+        - runAsPrivileged
+        - notReadOnlyRootFilesystem
+        - hostPIDSet
+      - controllerNames:
+        - kube-flannel-ds
+        rules:
+        - notReadOnlyRootFilesystem
+        - runAsRootAllowed
+        - notReadOnlyRootFilesystem
+        - readinessProbeMissing
+        - livenessProbeMissing
+        - cpuLimitsMissing
+      - controllerNames:
+        - cert-manager
+        rules:
+        - notReadOnlyRootFilesystem
+        - runAsRootAllowed
+        - readinessProbeMissing
+        - livenessProbeMissing
+      - controllerNames:
+        - cluster-autoscaler
+        rules:
+        - notReadOnlyRootFilesystem
+        - runAsRootAllowed
+        - readinessProbeMissing
+      - controllerNames:
+        - vpa
+        rules:
+        - runAsRootAllowed
+        - readinessProbeMissing
+        - livenessProbeMissing
+        - notReadOnlyRootFilesystem
+      - controllerNames:
+        - datadog
+        rules:
+        - runAsRootAllowed
+        - readinessProbeMissing
+        - livenessProbeMissing
+        - notReadOnlyRootFilesystem
+      - controllerNames:
+        - nginx-ingress-controller
+        rules:
+        - privilegeEscalationAllowed
+        - insecureCapabilities
+        - runAsRootAllowed
+      - controllerNames:
+        - dns-controller
+        - datadog-datadog
+        - kube-flannel-ds
+        - kube2iam
+        - aws-iam-authenticator
+        - datadog
+        - kube2iam
+        rules:
+        - hostNetworkSet
+      - controllerNames:
+        - aws-iam-authenticator
+        - aws-cluster-autoscaler
+        - kube-state-metrics
+        - dns-controller
+        - external-dns
+        - dnsmasq
+        - autoscaler
+        - kubernetes-dashboard
+        - install-cni
+        - kube2iam
+        rules:
+        - readinessProbeMissing
+        - livenessProbeMissing
+      - controllerNames:
+        - aws-iam-authenticator
+        - nginx-ingress-default-backend
+        - aws-cluster-autoscaler
+        - kube-state-metrics
+        - dns-controller
+        - external-dns
+        - kubedns
+        - dnsmasq
+        - autoscaler
+        - tiller
+        - kube2iam
+        rules:
+        - runAsRootAllowed
+      - controllerNames:
+        - aws-iam-authenticator
+        - nginx-ingress-controller
+        - nginx-ingress-default-backend
+        - aws-cluster-autoscaler
+        - kube-state-metrics
+        - dns-controller
+        - external-dns
+        - kubedns
+        - dnsmasq
+        - autoscaler
+        - tiller
+        - kube2iam
+        rules:
+        - notReadOnlyRootFilesystem
+      - controllerNames:
+        - cert-manager
+        - dns-controller
+        - kubedns
+        - dnsmasq
+        - autoscaler
+        - insights-agent-goldilocks-vpa-install
+        - datadog
+        rules:
+        - cpuRequestsMissing
+        - cpuLimitsMissing
+        - memoryRequestsMissing
+        - memoryLimitsMissing
+      - controllerNames:
+        - kube2iam
+        - kube-flannel-ds
+        rules:
+        - runAsPrivileged
+      - controllerNames:
+        - kube-hunter
+        rules:
+        - hostPIDSet
+      - controllerNames:
+        - polaris
+        - kube-hunter
+        - goldilocks
+        - insights-agent-goldilocks-vpa-install
+        rules:
+        - notReadOnlyRootFilesystem
+      - controllerNames:
+        - insights-agent-goldilocks-controller
+        rules:
+        - livenessProbeMissing
+        - readinessProbeMissing
+      - controllerNames:
+        - insights-agent-goldilocks-vpa-install
+        - kube-hunter
+        rules:
+        - runAsRootAllowed
+
+
 rbac:
   create: true
 serviceAccount: