Merged
4 changes: 2 additions & 2 deletions charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: cluster-shield
description: Cluster Shield Helm Chart for Kubernetes
type: application
version: 1.12.1
appVersion: "1.12.1"
version: 1.13.0
appVersion: "1.13.0"
maintainers:
- name: AlbertoBarba
email: alberto.barba@sysdig.com
3 changes: 3 additions & 0 deletions charts/cluster-shield/README.md
@@ -137,6 +137,7 @@ The following table lists the configurable parameters of the `cluster-shield` ch
| cluster_shield.features.container_vulnerability_management.registry_ssl.verify | If set to false it allows insecure connections to registries, Such as for registries with self-signed or private certificates. | <code>true</code> |
| cluster_shield.features.investigations.network_security.enabled | Enable the network security feature | <code>false</code> |
| cluster_shield.features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature | <code>false</code> |
| cluster_shield.features.respond.response_actions.enabled | | <code>false</code> |
| cluster_shield.features.monitor.kube_state_metrics.enabled | Enable the Kubernetes State Metrics feature | <code>false</code> |
| cluster_shield.features.monitor.kubernetes_events.enabled | Enable the Kubernetes Events feature | <code>false</code> |
| ca.certs | A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | <code>[]</code> |
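Review bot: the new row for `cluster_shield.features.respond.response_actions.enabled` has an empty description column. Since turning the flag on also adds the response-action rules to the ClusterRole (pod delete, NetworkPolicy create/delete, pods/log get, VolumeSnapshot create/delete, all cluster-wide), the description should say so, e.g. `Enable the Response Actions feature; grants the additional RBAC permissions each action needs`.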
@@ -189,6 +190,8 @@ The following table lists the configurable parameters of the `cluster-shield` ch
| env | Optional parameter used to add environment variables to the Cluster Shield pods | <code>[]</code> |
| volumes | Optional parameter to specify additional host volumes for the Cluster Shield pods | <code>[]</code> |
| volumeMounts | Optional parameter to specify additional volume mounts for the Cluster Shield pods | <code>[]</code> |
| podDisruptionBudget.create | Specifies whether a Pod Disruption Budget should be created | <code>true</code> |
| podDisruptionBudget.minAvailable | The minimum number of pods that must be available during a disruption | <code>1</code> |


## Running helm unit tests
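Review bot: `podDisruptionBudget.create` defaults to `true` together with `minAvailable: 1`; on a release running a single replica that PDB makes the pod ineligible for voluntary eviction, so `kubectl drain` and autoscaler scale-down will hang on its node. The table should state that `minAvailable` must stay below the replica count, or the default should derive from the replica count rather than being a fixed `1`.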
36 changes: 35 additions & 1 deletion charts/cluster-shield/templates/_helpers.tpl
@@ -97,7 +97,7 @@ Adds kubernetes related keys to the configuration.
{{- if not $conf.sysdig_endpoint.api_url -}}
{{- fail "Custom region requires one of global.sysdig.apiHost or cluster_shield.sysdig_endpoint.api_url to be defined." -}}
{{- end -}}
{{- if and ($conf.features.kubernetes_metadata.enabled) (not $conf.sysdig_endpoint.collector) -}}
{{- if and (or $conf.features.kubernetes_metadata.enabled (and $conf.features.audit.enabled $conf.features.audit.use_falco)) (not $conf.sysdig_endpoint.collector) -}}
{{- fail "Custom region requires cluster_shield.sysdig_endpoint.collector to be defined." -}}
{{- end -}}
{{- end -}}
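Review bot: the condition now also fires for `audit.enabled` with `audit.use_falco`, but the `fail` message on the following line still only names the collector requirement without saying which feature triggered it; extend it (e.g. `... collector to be defined when kubernetes_metadata or audit with use_falco is enabled`) so an operator can tell why rendering stopped. Also confirm `features.audit` is always present in the merged values: `$conf.features.audit.enabled` on a missing `audit` map raises a nil-pointer template error instead of evaluating to false.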
@@ -489,3 +489,37 @@ run-all-namespaced
{{- $tag._0 }}: {{ $tag._1 | quote }}
{{ end -}}
{{- end -}}

{{- define "cluster.response_actions_enabled" -}}
{{- with .Values.cluster_shield.features.respond.response_actions.enabled }}
{{- . }}
{{- else }}
false
{{- end }}
{{- end }}

{{/*
Response Actions: Cluster actions
In the future we will have more complex logic to determine if the action is enabled or not.
*/}}
{{- define "cluster.response_actions.rollout_restart.enabled" }}
{{- include "cluster.response_actions_enabled" . }}
{{- end}}
{{- define "cluster.response_actions.delete_pod.enabled" }}
{{- include "cluster.response_actions_enabled" . }}
{{- end}}
{{- define "cluster.response_actions.isolate_network.enabled" }}
{{- include "cluster.response_actions_enabled" . }}
{{- end}}
{{- define "cluster.response_actions.delete_network_policy.enabled" }}
{{- include "cluster.response_actions_enabled" . }}
{{- end}}
{{- define "cluster.response_actions.get_logs.enabled" }}
{{- include "cluster.response_actions_enabled" . }}
{{- end}}
{{- define "cluster.response_actions.volume_snapshot.enabled" }}
{{- include "cluster.response_actions_enabled" . }}
{{- end}}
{{- define "cluster.response_actions.delete_volume_snapshot.enabled" }}
{{- include "cluster.response_actions_enabled" . }}
{{- end}}
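Review bot: all seven per-action helpers just return `cluster.response_actions_enabled`, so the single flag grants every action's permissions at once even though clusterrole.yaml is already split per action; for least privilege, give each helper its own value now (e.g. `respond.response_actions.rollout_restart.enabled`, falling back to the global flag) instead of deferring it to the "future" comment. Minor: the `else` branch of `cluster.response_actions_enabled` emits `\nfalse` because the newline before `false` is not trimmed; harmless for `eq "true"` comparisons, but it will break any later `eq "false"` check, so use `{{- else -}}` or put `false` on the directive line.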
123 changes: 123 additions & 0 deletions charts/cluster-shield/templates/clusterrole.yaml
@@ -201,3 +201,126 @@ rules:
verbs:
- get
{{- end}}

{{- if eq "true" (include "cluster.response_actions_enabled" .) }}
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end }}

{{- if eq "true" (include "cluster.response_actions.rollout_restart.enabled" .) }}
- apiGroups: ["apps"]
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- update # needed for rollout restart
- watch
{{- end }}

{{- if eq "true" (include "cluster.response_actions.delete_pod.enabled" .) }}
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
{{- end }}

{{- if eq "true" (include "cluster.response_actions.isolate_network.enabled" .) }}
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get # needed to identify the pods to isolate

- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
{{- end }}

{{- if eq "true" (include "cluster.response_actions.delete_network_policy.enabled" .) }}
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- delete
{{- end }}

{{- if eq "true" (include "cluster.response_actions.get_logs.enabled" .) }}
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get # needed to identify the pods to get logs from

- apiGroups:
- ""
resources:
- pods
verbs:
- list

- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
{{- end }}

{{- if eq "true" (include "cluster.response_actions.volume_snapshot.enabled" .) }}
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get # needed to identify the pods with PVCs

- apiGroups:
- ""
resources:
- pods
verbs:
- list

- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- create
- watch
{{- end }}

{{- if eq "true" (include "cluster.response_actions.delete_volume_snapshot.enabled" .) }}
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- delete
- get
- watch
- patch # needed to remove finalizers, which could prevent deletion
{{- end }}
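Review bot: in the rollout_restart rule, `update` on deployments/daemonsets/statefulsets is wider than the action needs: `kubectl rollout restart` only patches the pod template annotation, so `patch` is sufficient, whereas `update` lets the service account replace the whole workload spec (images included) in every namespace; the `# needed for rollout restart` comment would then be accurate for `patch`. In the same rule, and in the volume_snapshot rule, `watch` is granted without `list`; informers need both, so either add `list` or drop `watch` if the code only does single-object gets. Because this is a ClusterRole, `pods delete` and `pods/log get` also apply to kube-system and every other namespace; if the feature cannot be namespaced, that should be stated where the flag is documented.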
14 changes: 14 additions & 0 deletions charts/cluster-shield/templates/poddisruptionbudget.yaml
@@ -0,0 +1,14 @@
{{- if hasKey .Values "podDisruptionBudget" }}
{{- if .Values.podDisruptionBudget.create }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "cluster-shield.fullname" . | trunc 59 }}-pdb
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
selector:
matchLabels:
{{ include "cluster-shield.selectorLabels" . | nindent 6 }}
{{- end }}
{{- end }}
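Review bot: `minAvailable` is rendered unconditionally with no validation; if the value is unset the template emits an empty `minAvailable:`, and if it equals or exceeds the replica count the PDB blocks every voluntary eviction. A `fail` when `.Values.podDisruptionBudget.minAvailable` is empty, plus optional support for `maxUnavailable` (with a `fail` if both are set, since the API rejects that combination), follows the usual chart convention and avoids a silently drain-blocking PDB.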
146 changes: 146 additions & 0 deletions charts/cluster-shield/tests/clusterrole_test.yaml
@@ -167,3 +167,149 @@ tests:
- get
- list
- watch
- it: Test response_actions enabled
set:
cluster_shield:
features:
respond:
response_actions:
enabled: true
asserts:
- isKind:
of: ClusterRole
- isAPIVersion:
of: rbac.authorization.k8s.io/v1
- contains:
path: rules
content:
apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- update
- watch
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- contains:
path: rules
content:
apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- contains:
path: rules
content:
apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- contains:
path: rules
content:
apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- delete
- contains:
path: rules
content:
apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- pods
verbs:
- list
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- contains:
path: rules
content:
apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- pods
verbs:
- list
- contains:
path: rules
content:
apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- create
- watch
- contains:
path: rules
content:
apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- delete
- get
- watch
- patch
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
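Review bot: this test only covers the enabled case and only uses `contains`; the assertion that actually protects least privilege is that none of these rules are present when `response_actions.enabled` stays at its default `false`, so add a companion `it:` with `notContains` for at least the pods `delete` and networkpolicies `create` rules. Also, the `apps` get-only block appears three times and the pods `list` block twice with identical content; `contains` passes as soon as one matching rule exists, so the duplicates add nothing and can be dropped.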