From 59b9b25de66959bbf87a9fc92956005951c272b6 Mon Sep 17 00:00:00 2001
From: francesco-furlan <10468205+francesco-furlan@users.noreply.github.com>
Date: Thu, 26 Jun 2025 16:22:54 +0000
Subject: [PATCH 1/3] chore: Updating cluster-shield
---
charts/cluster-shield/Chart.yaml | 4 +-
charts/cluster-shield/README.md | 3 +
charts/cluster-shield/templates/_helpers.tpl | 36 ++++-
.../cluster-shield/templates/clusterrole.yaml | 123 +++++++++++++++
.../templates/poddisruptionbudget.yaml | 14 ++
.../tests/clusterrole_test.yaml | 146 ++++++++++++++++++
.../cluster-shield/tests/configmap_test.yaml | 29 ++++
.../tests/poddisruptionbudget_test.yaml | 43 ++++++
charts/cluster-shield/values.schema.json | 100 +++++++++++-
charts/cluster-shield/values.yaml | 13 +-
10 files changed, 506 insertions(+), 5 deletions(-)
create mode 100644 charts/cluster-shield/templates/poddisruptionbudget.yaml
create mode 100644 charts/cluster-shield/tests/poddisruptionbudget_test.yaml
diff --git a/charts/cluster-shield/Chart.yaml b/charts/cluster-shield/Chart.yaml
index baa5ffcd7..9fe6d4341 100644
--- a/charts/cluster-shield/Chart.yaml
+++ b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: cluster-shield
description: Cluster Shield Helm Chart for Kubernetes
type: application
-version: 1.12.1
-appVersion: "1.12.1"
+version: 1.13.0
+appVersion: "1.13.0"
maintainers:
- name: AlbertoBarba
email: alberto.barba@sysdig.com
diff --git a/charts/cluster-shield/README.md b/charts/cluster-shield/README.md
index 9497b7170..7f53edd97 100644
--- a/charts/cluster-shield/README.md
+++ b/charts/cluster-shield/README.md
@@ -137,6 +137,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
| cluster_shield.features.container_vulnerability_management.registry_ssl.verify | If set to false it allows insecure connections to registries, Such as for registries with self-signed or private certificates. | true |
| cluster_shield.features.investigations.network_security.enabled | Enable the network security feature | false |
| cluster_shield.features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature | false |
+| cluster_shield.features.respond.response_actions.enabled | | false |
| cluster_shield.features.monitor.kube_state_metrics.enabled | Enable the Kubernetes State Metrics feature | false |
| cluster_shield.features.monitor.kubernetes_events.enabled | Enable the Kubernetes Events feature | false |
| ca.certs | A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] |
@@ -189,6 +190,8 @@ The following table lists the configurable parameters of the `cluster-shield` ch
| env | Optional parameter used to add environment variables to the Cluster Shield pods | [] |
| volumes | Optional parameter to specify additional host volumes for the Cluster Shield pods | [] |
| volumeMounts | Optional parameter to specify additional volume mounts for the Cluster Shield pods | [] |
+| podDisruptionBudget.create | Specifies whether a Pod Disruption Budget should be created | true |
+| podDisruptionBudget.minAvailable | The minimum number of pods that must be available during a disruption | 1 |
## Running helm unit tests
diff --git a/charts/cluster-shield/templates/_helpers.tpl b/charts/cluster-shield/templates/_helpers.tpl
index 047cb4d6b..05d254033 100644
--- a/charts/cluster-shield/templates/_helpers.tpl
+++ b/charts/cluster-shield/templates/_helpers.tpl
@@ -97,7 +97,7 @@ Adds kubernetes related keys to the configuration.
{{- if not $conf.sysdig_endpoint.api_url -}}
{{- fail "Custom region requires one of global.sysdig.apiHost or cluster_shield.sysdig_endpoint.api_url to be defined." -}}
{{- end -}}
-{{- if and ($conf.features.kubernetes_metadata.enabled) (not $conf.sysdig_endpoint.collector) -}}
+{{- if and (or $conf.features.kubernetes_metadata.enabled (and $conf.features.audit.enabled $conf.features.audit.use_falco)) (not $conf.sysdig_endpoint.collector) -}}
{{- fail "Custom region requires cluster_shield.sysdig_endpoint.collector to be defined." -}}
{{- end -}}
{{- end -}}
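Review bot: The widened condition at L62 now fails for two different reasons (kubernetes_metadata enabled, or audit enabled with use_falco) but the message at L63 names neither, so an operator who only turned on Falco-backed audit is told about a collector requirement with no hint of what triggered it. A message such as `Custom region requires cluster_shield.sysdig_endpoint.collector to be defined when kubernetes_metadata is enabled or audit uses Falco.` would make the failure self-explanatory; note that configmap_test.yaml asserts the exact text (L415, L429) and would need the same update. The enclosing define starts outside the hunk.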
@@ -489,3 +489,37 @@ run-all-namespaced
{{- $tag._0 }}: {{ $tag._1 | quote }}
{{ end -}}
{{- end -}}
+
+{{- define "cluster.response_actions_enabled" -}}
+{{- with .Values.cluster_shield.features.respond.response_actions.enabled }}
+ {{- . }}
+{{- else }}
+ false
+{{- end }}
+{{- end }}
+
+{{/*
+Response Actions: Cluster actions
+In the future we will have more complex logic to determine if the action is enabled or not.
+*/}}
+{{- define "cluster.response_actions.rollout_restart.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_pod.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.isolate_network.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_network_policy.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.get_logs.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.volume_snapshot.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_volume_snapshot.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
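Review bot: The seven per-action helpers at L83–L103 all resolve to the single flag returned by `cluster.response_actions_enabled`, so that one boolean is the only gate on every RBAC grant in clusterrole.yaml; the comment at L80–L82 acknowledges this, but until the gates diverge the values documentation for `response_actions.enabled` should say that enabling it grants all seven action rule sets at once. The other helpers in this chart carry the `cluster-shield.` prefix (`cluster-shield.fullname`, `cluster-shield.selectorLabels` in poddisruptionbudget.yaml), while these use a bare `cluster.` prefix, and the PATCH 3/3 hunk in charts/shield/templates/cluster/_helpers.tpl defines templates with the identical names reading `.Values.features...` instead of `.Values.cluster_shield.features...`; Helm template names are global across a chart and its subcharts, so if the two charts are ever rendered together the later-loaded definition silently wins. Prefixing with the chart name, e.g. `{{- define "cluster-shield.response_actions_enabled" -}}`, removes that risk. Minor: `{{- else }}` at L74 trims only on the left, so the else branch emits a newline and a space before `false`; harmless today because callers compare with `eq "true"`, but `{{- else -}}` would yield a clean `false`.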
diff --git a/charts/cluster-shield/templates/clusterrole.yaml b/charts/cluster-shield/templates/clusterrole.yaml
index ceeade2e2..dffcfbdb3 100644
--- a/charts/cluster-shield/templates/clusterrole.yaml
+++ b/charts/cluster-shield/templates/clusterrole.yaml
@@ -201,3 +201,126 @@ rules:
verbs:
- get
{{- end}}
+
+{{- if eq "true" (include "cluster.response_actions_enabled" .) }}
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.rollout_restart.enabled" .) }}
+- apiGroups: ["apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - update # needed for rollout restart
+ - watch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_pod.enabled" .) }}
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.isolate_network.enabled" .) }}
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get # needed to identify the pods to isolate
+
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - create
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_network_policy.enabled" .) }}
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - delete
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.get_logs.enabled" .) }}
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get # needed to identify the pods to get logs from
+
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.volume_snapshot.enabled" .) }}
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get # needed to identify the pods with PVCs
+
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+
+- apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - create
+ - watch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_volume_snapshot.enabled" .) }}
+- apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - delete
+ - get
+ - watch
+ - patch # needed to remove finalizers, which could prevent deletion
+{{- end }}
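Review bot: L124 `- apiGroups: ["apps"]` is the only rule in the file written in flow style; every other rule (L146–L147, L174–L175, L199–L200) uses block style, so it should be `- apiGroups:` followed by `  - apps`. Because all seven gates currently resolve to the same flag (see _helpers.tpl), enabling `response_actions` emits the `apps` get rule three times (L146–L153, L174–L181, L199–L206) and the `pods` list rule twice (L183–L188, L208–L213); RBAC tolerates duplicates, but the rendered ClusterRole is harder to audit, so a single shared rule would read better until the gates diverge. This block grants cluster-wide `delete` on pods, `get` on pods/log and create/delete/patch on volumesnapshots behind one boolean, and the README row for that flag (README.md hunk, L42) currently has an empty description — it should spell out these grants so operators know what they are turning on. If rollout restart is implemented the way kubectl does it (patching the pod-template annotation), `patch` rather than `update` is the verb needed at L131; worth confirming against the responder implementation. The same points apply to the identical PATCH 3/3 hunk in charts/shield/templates/cluster/clusterrole.yaml; the `rules:` list starts outside the hunk.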
diff --git a/charts/cluster-shield/templates/poddisruptionbudget.yaml b/charts/cluster-shield/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..6eaaed02f
--- /dev/null
+++ b/charts/cluster-shield/templates/poddisruptionbudget.yaml
@@ -0,0 +1,14 @@
+{{- if hasKey .Values "podDisruptionBudget" }}
+{{- if .Values.podDisruptionBudget.create }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "cluster-shield.fullname" . | trunc 59 }}-pdb
+ namespace: {{ .Release.Namespace }}
+spec:
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ selector:
+ matchLabels:
+ {{ include "cluster-shield.selectorLabels" . | nindent 6 }}
+{{- end }}
+{{- end }}
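Review bot: The PDB is created by default (values.yaml hunk, L680) with `minAvailable: 1`; if cluster-shield runs as a single replica (the replica count is not in this diff) that PDB blocks every voluntary eviction of the pod, which stalls node drains and cluster upgrades — the usual surprise with an on-by-default PDB. Either default `create` to false or render only when more than one replica is configured, e.g. `{{- if and .Values.podDisruptionBudget.create (gt (int <replica-count value>) 1) }}` with the chart's actual replica key. L249 also renders `minAvailable` unguarded and the schema hunk does not mark it required, so a user who explicitly nulls it gets `minAvailable:` with no value and the API server rejects a PDB that sets neither `minAvailable` nor `maxUnavailable`; `{{ required "podDisruptionBudget.minAvailable must be set" .Values.podDisruptionBudget.minAvailable }}` turns that into a clear template error.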
diff --git a/charts/cluster-shield/tests/clusterrole_test.yaml b/charts/cluster-shield/tests/clusterrole_test.yaml
index 8481ef024..92da6bca5 100644
--- a/charts/cluster-shield/tests/clusterrole_test.yaml
+++ b/charts/cluster-shield/tests/clusterrole_test.yaml
@@ -167,3 +167,149 @@ tests:
- get
- list
- watch
+ - it: Test response_actions enabled
+ set:
+ cluster_shield:
+ features:
+ respond:
+ response_actions:
+ enabled: true
+ asserts:
+ - isKind:
+ of: ClusterRole
+ - isAPIVersion:
+ of: rbac.authorization.k8s.io/v1
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - update
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - create
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - delete
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - create
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - delete
+ - get
+ - watch
+ - patch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
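Review bot: The new case only checks that the response-action rules appear when `enabled: true`; there is no companion case asserting they are absent at the default `enabled: false`, which is the regression that matters for a ClusterRole — an accidental unconditional grant would pass this suite. Add a case with the flag unset that uses `notContains` on, for instance, the `pods` delete rule and the `pods/log` rule. The `it` name `Test response_actions enabled` could state the expected behaviour, e.g. `Response action rules are added when response_actions is enabled`. The same gap exists in the PATCH 3/3 hunk at charts/shield/tests/cluster/clusterrole_test.yaml.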
diff --git a/charts/cluster-shield/tests/configmap_test.yaml b/charts/cluster-shield/tests/configmap_test.yaml
index 9233bad98..4a7b09271 100644
--- a/charts/cluster-shield/tests/configmap_test.yaml
+++ b/charts/cluster-shield/tests/configmap_test.yaml
@@ -246,6 +246,35 @@ tests:
- failedTemplate:
errorMessage: Custom region requires cluster_shield.sysdig_endpoint.collector to be defined.
+ - it: Local custom region requires Collector when audit feature is enabled and use_falco is true
+ set:
+ cluster_shield:
+ sysdig_endpoint:
+ region: "custom"
+ api_url: "https://www.example.com"
+ collector: null
+ features:
+ audit:
+ enabled: true
+ use_falco: true
+ asserts:
+ - failedTemplate:
+ errorMessage: Custom region requires cluster_shield.sysdig_endpoint.collector to be defined.
+
+ - it: Local custom region does not require Collector when audit feature is disabled and use_falco is true
+ set:
+ cluster_shield:
+ sysdig_endpoint:
+ region: "custom"
+ api_url: "https://www.example.com"
+ collector: null
+ features:
+ audit:
+ enabled: false
+ use_falco: true
+ asserts:
+ - notFailedTemplate: {}
+
- it: Global custom region requires Collector when kubernetes_metadata feature is enabled
set:
global:
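Review bot: The two new cases cover (audit enabled, use_falco true) and (audit disabled, use_falco true), but not (audit enabled, use_falco false), which is the branch that distinguishes the new `and` in _helpers.tpl from a plain `audit.enabled` check. A third case with `use_falco: false` under `audit.enabled: true` and `- notFailedTemplate: {}` would pin that behaviour.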
diff --git a/charts/cluster-shield/tests/poddisruptionbudget_test.yaml b/charts/cluster-shield/tests/poddisruptionbudget_test.yaml
new file mode 100644
index 000000000..b218a2edb
--- /dev/null
+++ b/charts/cluster-shield/tests/poddisruptionbudget_test.yaml
@@ -0,0 +1,43 @@
+suite: Test PodDisruptionBudget
+templates:
+ - templates/poddisruptionbudget.yaml
+release:
+ name: release-name
+ namespace: shield-namespace
+values:
+ - ../ci/base-values.yaml
+tests:
+ - it: PodDisruptionBudget is created
+ asserts:
+ - isKind:
+ of: PodDisruptionBudget
+ - isSubset:
+ path: metadata
+ content:
+ name: release-name-cluster-shield-pdb
+ namespace: shield-namespace
+ - equal:
+ path: spec.minAvailable
+ value: 1
+ - isSubset:
+ path: spec.selector.matchLabels
+ content:
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/name: cluster-shield
+
+ - it: PodDisruptionBudget is not created when disabled
+ set:
+ podDisruptionBudget:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: PodDisruptionBudget minAvailable is configurable
+ set:
+ podDisruptionBudget:
+ minAvailable: 2
+ asserts:
+ - equal:
+ path: spec.minAvailable
+ value: 2
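Review bot: The schema allows `minAvailable` to be a string as well as an integer (values.schema.json hunk, L516–L519), presumably for percentages, but no case renders a string value; a test setting `minAvailable: "50%"` and asserting `spec.minAvailable` equals `50%` would guard the unquoted render at L249 of the template. The first case also depends on `../ci/base-values.yaml` not overriding `podDisruptionBudget`, which is not visible here.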
diff --git a/charts/cluster-shield/values.schema.json b/charts/cluster-shield/values.schema.json
index b69d41274..19522a819 100644
--- a/charts/cluster-shield/values.schema.json
+++ b/charts/cluster-shield/values.schema.json
@@ -269,6 +269,25 @@
"mountPath"
]
}
+ },
+ "podDisruptionBudget": {
+ "type": "object",
+ "description": "Define the Pod Disruption Budget for the Cluster Shield pods",
+ "properties": {
+ "create": {
+ "type": "boolean",
+ "description": "Create a Pod Disruption Budget for the Cluster Shield pods",
+ "default": true
+ },
+ "minAvailable": {
+ "type": [
+ "integer",
+ "string"
+ ],
+ "description": "The minimum number of pods that must be available during voluntary disruptions"
+ }
+ },
+ "additionalProperties": false
}
},
"allOf": [
@@ -579,7 +598,6 @@
"http_port",
"timeout"
],
- "additionalProperties": false,
"$defs": {
"IsEnabled": {
"properties": {
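Review bot: L531 drops `"additionalProperties": false` from the object whose `required` list includes `http_port` and `timeout` (presumably the top-level cluster_shield configuration), so unknown keys at that level are now accepted silently; a misspelled feature or endpoint key will validate and be ignored instead of failing `helm install`, which is exactly the mistake strict validation exists to catch. The commit does not say why it was removed; if it was to accommodate the added `$defs` entries, those are schema keywords rather than instance properties and do not conflict with it. Keeping the line preserves the strictness. The enclosing object starts and ends outside the hunk.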
@@ -587,6 +605,13 @@
"const": true
}
}
+ },
+ "UseFalco": {
+ "properties": {
+ "use_falco": {
+ "const": true
+ }
+ }
}
}
},
@@ -1063,6 +1088,65 @@
}
}
},
+ "RespondResponseActions": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Enable Response Actions",
+ "default": false
+ },
+ "timeout": {
+ "type": "integer",
+ "default": 60,
+ "minimum": 1,
+ "maximum": 65535,
+ "description": "Global timeout in seconds for actions."
+ },
+ "cluster": {
+ "$ref": "#/$defs/ClusterShieldConfiguration/$defs/RespondResponseActionsCluster"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "$defs": {
+ "IsEnabled": {
+ "properties": {
+ "enabled": {
+ "const": true
+ }
+ }
+ },
+ "SetRequired": {
+ "required": [
+ "cluster"
+ ]
+ }
+ }
+ },
+ "RespondResponseActionsCluster": {
+ "type": "object",
+ "properties": {
+ "volume_snapshot_class": {
+ "type": "string",
+ "description": "The VolumeSnapshotClass used for snapshots."
+ }
+ },
+ "required": [
+ "volume_snapshot_class"
+ ],
+ "additionalProperties": false
+ },
+ "Respond": {
+ "type": "object",
+ "properties": {
+ "response_actions": {
+ "$ref": "#/$defs/ClusterShieldConfiguration/$defs/RespondResponseActions"
+ }
+ },
+ "additionalProperties": false
+ },
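Review bot: `RespondResponseActions` (L553–L589) has no `"additionalProperties": false`, unlike its siblings `RespondResponseActionsCluster` (L601) and `Respond` (L610); because the chart default supplies `enabled: false`, a user who writes `enable: true` by mistake passes validation and ends up with the feature silently off. Adding `"additionalProperties": false` after the `required` block at L574 matches the neighbouring definitions. Minor: `timeout` carries `maximum: 65535` (L565), which reads like a port range rather than a bound on seconds — worth confirming it is intended.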
"Monitor": {
"type": "object",
"properties": {
@@ -1249,6 +1333,10 @@
"description": "Configurations for the kubernetes metadata feature",
"$ref": "#/$defs/ClusterShieldConfiguration/$defs/KubernetesMetadata"
},
+ "respond": {
+ "description": "Configurations for the respond feature",
+ "$ref": "#/$defs/ClusterShieldConfiguration/$defs/Respond"
+ },
"posture": {
"description": "Configurations for the posture feature",
"$ref": "#/$defs/ClusterShieldConfiguration/$defs/Posture"
@@ -1263,11 +1351,21 @@
"audit",
"container_vulnerability_management",
"kubernetes_metadata",
+ "respond",
"monitor",
"posture",
"investigations"
]
},
+ "Responder": {
+ "type": "object",
+ "description": "Configuration for the Responder component",
+ "properties": {
+ "resources": {
+ "$ref": "#/$defs/ClusterShieldConfiguration/$defs/Resources"
+ }
+ }
+ },
"AdmissionControlContainerVulnerabilityManagement": {
"type": "object",
"properties": {
diff --git a/charts/cluster-shield/values.yaml b/charts/cluster-shield/values.yaml
index 717ec994c..db3502cd8 100644
--- a/charts/cluster-shield/values.yaml
+++ b/charts/cluster-shield/values.yaml
@@ -117,7 +117,7 @@ cluster_shield:
# The list of namespaces to exclude from the audit feature
excluded_namespaces: []
# List of rules used to determine if a request should be audited
- webhook_rules: # +doc-gen:break
+ webhook_rules: # +doc-gen:break
- apiGroups:
- ""
- apps
@@ -169,6 +169,10 @@ cluster_shield:
kubernetes_metadata:
# Enable the Kubernetes Metadata feature
enabled: false
+ respond:
+ # Enable the responder feature
+ response_actions:
+ enabled: false
monitor:
kube_state_metrics:
# Enable the Kubernetes State Metrics feature
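Review bot: The comment `# Enable the responder feature` at L666 sits above `response_actions:` rather than above `enabled: false` at L668; if the README table is generated from these comments (the `+doc-gen` markers at L656–L657 suggest it is), that placement is why the new README row for `cluster_shield.features.respond.response_actions.enabled` (README.md hunk, L42) has an empty description. Move it directly above `enabled` and word it after the feature it toggles, e.g. `# Enable the Response Actions feature`, matching the `# Enable the Kubernetes Metadata feature` comment at L663.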
@@ -324,3 +328,10 @@ volumeMounts: []
# - name: my-volume
# mountPath: /host/path/to/mount/folder
# readOnly: true
+
+# Define Pod Disruption Budget
+podDisruptionBudget:
+ # Specifies whether a Pod Disruption Budget should be created
+ create: true
+ # The minimum number of pods that must be available during a disruption
+ minAvailable: 1
From 9870ba7de25327a85b298e77b66f4e817881e0ac Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Thu, 26 Jun 2025 18:27:11 +0200
Subject: [PATCH 2/3] chore: bump cluster-shield 1.13.0
---
charts/cluster-shield/values.yaml | 2 +-
charts/shield/Chart.yaml | 2 +-
charts/shield/README.md | 2 +-
charts/shield/values.yaml | 2 +-
charts/sysdig-deploy/Chart.yaml | 4 ++--
5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/cluster-shield/values.yaml b/charts/cluster-shield/values.yaml
index db3502cd8..29658e21a 100644
--- a/charts/cluster-shield/values.yaml
+++ b/charts/cluster-shield/values.yaml
@@ -117,7 +117,7 @@ cluster_shield:
# The list of namespaces to exclude from the audit feature
excluded_namespaces: []
# List of rules used to determine if a request should be audited
- webhook_rules: # +doc-gen:break
+ webhook_rules: # +doc-gen:break
- apiGroups:
- ""
- apps
diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 73e1d832c..5d04ef352 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
-version: 1.11.1
+version: 1.12.0
appVersion: "1.0.0"
diff --git a/charts/shield/README.md b/charts/shield/README.md
index fd3202712..a63943d75 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -198,7 +198,7 @@ The following table lists the configurable parameters of the `shield` chart and
| host.dns_policy | The dns policy for the host shield | |
| cluster.image.registry | The registry where the cluster shield image is stored | quay.io |
| cluster.image.repository | The repository where the cluster shield image is stored | sysdig/cluster-shield |
-| cluster.image.tag | The tag for the cluster shield image | 1.12.1 |
+| cluster.image.tag | The tag for the cluster shield image | 1.13.0 |
| cluster.image.pull_policy | The pull policy for the cluster shield image | IfNotPresent |
| cluster.image.pull_secrets | The pull secrets for the cluster shield image | [] |
| cluster.run_mode | The mode in which the cluster shield should run (Accepted Values: single-process, multi-process) | multi-process |
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index bc19dc7be..9c403d480 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -382,7 +382,7 @@ cluster:
# The repository where the cluster shield image is stored
repository: sysdig/cluster-shield
# The tag for the cluster shield image
- tag: 1.12.1
+ tag: 1.13.0
# The pull policy for the cluster shield image
pull_policy: IfNotPresent
# The pull secrets for the cluster shield image
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index be69cd638..261bb9a1f 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
-version: 1.87.1
+version: 1.88.0
maintainers:
- name: AlbertoBarba
email: alberto.barba@sysdig.com
@@ -60,6 +60,6 @@ dependencies:
- name: cluster-shield
# repository: https://charts.sysdig.com
repository: file://../cluster-shield
- version: ~1.12.1
+ version: ~1.13.0
alias: clusterShield
condition: clusterShield.enabled
From 77e239909b4fb03caccf2cdb308fed7362ceaf8b Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Thu, 26 Jun 2025 18:56:50 +0200
Subject: [PATCH 3/3] chore(shield): response actions
---
charts/shield/templates/cluster/_helpers.tpl | 34 ++++
.../shield/templates/cluster/clusterrole.yaml | 123 +++++++++++++++
.../tests/cluster/clusterrole_test.yaml | 146 ++++++++++++++++++
3 files changed, 303 insertions(+)
diff --git a/charts/shield/templates/cluster/_helpers.tpl b/charts/shield/templates/cluster/_helpers.tpl
index b30920766..f5973147b 100644
--- a/charts/shield/templates/cluster/_helpers.tpl
+++ b/charts/shield/templates/cluster/_helpers.tpl
@@ -126,3 +126,37 @@ If release name contains chart name it will be used as a full name.
{{- . | toYaml -}}
{{- end -}}
{{- end -}}
+
+{{- define "cluster.response_actions_enabled" -}}
+{{- with .Values.features.respond.response_actions.enabled }}
+ {{- . }}
+{{- else }}
+ false
+{{- end }}
+{{- end }}
+
+{{/*
+Response Actions: Cluster actions
+In the future we will have more complex logic to determine if the action is enabled or not.
+*/}}
+{{- define "cluster.response_actions.rollout_restart.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_pod.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.isolate_network.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_network_policy.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.get_logs.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.volume_snapshot.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
+{{- define "cluster.response_actions.delete_volume_snapshot.enabled" }}
+ {{- include "cluster.response_actions_enabled" . }}
+{{- end}}
diff --git a/charts/shield/templates/cluster/clusterrole.yaml b/charts/shield/templates/cluster/clusterrole.yaml
index 31ef6a7bb..846c7553b 100644
--- a/charts/shield/templates/cluster/clusterrole.yaml
+++ b/charts/shield/templates/cluster/clusterrole.yaml
@@ -219,3 +219,126 @@ rules:
- watch
{{- end }}
{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions_enabled" .) }}
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.rollout_restart.enabled" .) }}
+- apiGroups: ["apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - update # needed for rollout restart
+ - watch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_pod.enabled" .) }}
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.isolate_network.enabled" .) }}
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get # needed to identify the pods to isolate
+
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - create
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_network_policy.enabled" .) }}
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - delete
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.get_logs.enabled" .) }}
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get # needed to identify the pods to get logs from
+
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.volume_snapshot.enabled" .) }}
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get # needed to identify the pods with PVCs
+
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+
+- apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - create
+ - watch
+{{- end }}
+
+{{- if eq "true" (include "cluster.response_actions.delete_volume_snapshot.enabled" .) }}
+- apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - delete
+ - get
+ - watch
+ - patch # needed to remove finalizers, which could prevent deletion
+{{- end }}
diff --git a/charts/shield/tests/cluster/clusterrole_test.yaml b/charts/shield/tests/cluster/clusterrole_test.yaml
index fcd7087da..8a64e2068 100644
--- a/charts/shield/tests/cluster/clusterrole_test.yaml
+++ b/charts/shield/tests/cluster/clusterrole_test.yaml
@@ -492,3 +492,149 @@ tests:
- get
- list
- watch
+
+ - it: Test response_actions enabled
+ set:
+ features:
+ respond:
+ response_actions:
+ enabled: true
+ asserts:
+ - isKind:
+ of: ClusterRole
+ - isAPIVersion:
+ of: rbac.authorization.k8s.io/v1
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - update
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - create
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - delete
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - create
+ - watch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - snapshot.storage.k8s.io
+ resources:
+ - volumesnapshots
+ verbs:
+ - delete
+ - get
+ - watch
+ - patch
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch