diff --git a/deployments/helm/KubeArmor/templates/daemonset.yaml b/deployments/helm/KubeArmor/templates/daemonset.yaml
index b8e8a2ceeb..799db468f3 100644
--- a/deployments/helm/KubeArmor/templates/daemonset.yaml
+++ b/deployments/helm/KubeArmor/templates/daemonset.yaml
@@ -20,6 +20,10 @@ spec:
 imagePullSecrets:
 {{ toYaml .Values.kubearmor.image.imagePullSecrets | indent 6 }}
 {{- end }}
+ {{- if .Values.kubearmor.tolerations }}
+ tolerations:
+ {{ toYaml .Values.kubearmor.tolerations | indent 6 }}
+ {{- end }}
 containers:
 - args:
 - -gRPC=32767
diff --git a/deployments/helm/KubeArmor/templates/deployment.yaml b/deployments/helm/KubeArmor/templates/deployment.yaml
index c10de186e8..2d3b661d60 100644
--- a/deployments/helm/KubeArmor/templates/deployment.yaml
+++ b/deployments/helm/KubeArmor/templates/deployment.yaml
@@ -22,6 +22,10 @@ spec:
 imagePullSecrets:
 {{ toYaml .Values.kubearmorRelay.image.imagePullSecrets | indent 6 }}
 {{- end }}
+ {{- if .Values.kubearmorRelay.tolerations }}
+ tolerations:
+ {{ toYaml .Values.kubearmorRelay.tolerations | indent 6 }}
+ {{- end }}
 containers:
 - args:
 {{printf "- -tlsEnabled=%t" .Values.tls.enabled}}
@@ -86,6 +90,10 @@ spec:
 {{- if .Values.kubearmorController.image.imagePullSecrets }}
 imagePullSecrets:
 {{ toYaml .Values.kubearmorController.image.imagePullSecrets | indent 8 }}
+ {{- end }}
+ {{- if .Values.kubearmorController.tolerations }}
+ tolerations:
+ {{ toYaml .Values.kubearmorController.tolerations | indent 6 }}
 {{- end }}
 livenessProbe:
 httpGet:
diff --git a/deployments/helm/KubeArmor/values.yaml b/deployments/helm/KubeArmor/values.yaml
index 9b3870ca43..b708306600 100644
--- a/deployments/helm/KubeArmor/values.yaml
+++ b/deployments/helm/KubeArmor/values.yaml
@@ -20,6 +20,7 @@ kubearmorRelay:
 imagePullSecrets: ""
 # kubearmor-init imagePullPolicy
 imagePullPolicy: Always
+ tolerations: ""
 # Add environment variables for STDOUT logging
 enableStdoutLogs: "false"
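Review bot: Leaving `tolerations` empty by default means any tainted node (control-plane, GPU/spot pools, nodes under eviction pressure) gets no KubeArmor pod at all, and since this DaemonSet is the enforcement point, those nodes run unenforced and unobserved with nothing in the cluster flagging the gap. For a node-level security agent the safer default is `- operator: Exists`, or at least a warning beside the value, e.g. `# Nodes whose taints are not tolerated here run NO KubeArmor pod and are unprotected; '- operator: Exists' covers every node.` The `indent 6` matches the neighbouring `imagePullSecrets` block in this template, so the placement itself looks consistent, and the conditional is fine as written since an empty value simply omits the key.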
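Review bot: This template reads `.Values.kubearmorRelay.tolerations`, but the default added to values.yaml in this same change is inserted directly after `imagePullPolicy: Always`, a key this file addresses through `.Values.kubearmorRelay.image.*`; the collapsed hunk hides indentation, so if `tolerations` landed under `image:` the `if` is never true and user-supplied tolerations are silently dropped. Render the chart with the value set (`helm template --set-json 'kubearmorRelay.tolerations=[{"operator":"Exists"}]'`) and confirm a `tolerations:` block appears on the relay pod. If the key is nested, either move it up to `kubearmorRelay:` or read `.Values.kubearmorRelay.image.tolerations` here, but keep the values path and the template path identical.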
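Review bot: The new block indents the tolerations with `indent 6` while the `imagePullSecrets` block right above it uses `indent 8`; both are PodSpec-level fields at the same nesting, so one of the two indents yields YAML the API server rejects or, worse, silently attaches the list to the wrong parent. The `livenessProbe:`/`httpGet:` context immediately after also hints that this stretch sits among container fields, where `tolerations` is invalid altogether; the enclosing structure is outside the collapsed hunk, so verify with `helm template` rather than by eye. If the block is at pod level, the line should read `{{ toYaml .Values.kubearmorController.tolerations | indent 8 }}` to match its sibling.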
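Review bot: `tolerations: ""` types a list field as a string; it only works because `{{- if }}` treats an empty string and an empty list alike, and it disagrees with the `tolerations` array the operator CRD in this same change declares. Prefer `tolerations: []` so `helm lint`, a values schema and `--set-json` users all see a list, and add the same documentation link the `kubearmor:` section carries, e.g. `# https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/`.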
@@ -92,6 +93,7 @@ kubearmorController:
 tag: latest
 # Optional, but if there are a lot of image pulls required, Docker might be rate-limited. So, it's good to add pull secrets for production.
 imagePullSecrets: ""
+ tolerations: ""
 mutation:
 # kubearmor-controller failure policy
 failurePolicy: Ignore
@@ -109,6 +111,8 @@ kubearmorConfigMap:
 #volume mounts and volumes
 kubearmor:
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: ""
 image:
 # kubearmor daemonset image repo
 repository: kubearmor/kubearmor
diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
index c45e8100c6..408a316f00 100644
--- a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
+++ b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com
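Review bot: The controller default is inserted right after `imagePullSecrets: ""`, which deployment.yaml reads as `.Values.kubearmorController.image.imagePullSecrets`, while the new template block looks up `.Values.kubearmorController.tolerations`; if the added line inherited the `image:` indentation, the two paths never meet and tolerations are a no-op for the controller. Indentation is not visible in the collapsed hunk, so please verify by rendering. Placing the key directly under `kubearmorController:` as the `kubearmor:` hunk below does (`kubearmor:` → `tolerations: ""` → `image:`) keeps the three sections uniform, and `tolerations: []` would match the list type the CRD declares.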
@@ -25,20 +24,27 @@ spec: description: KubeArmorConfig is the Schema for the KubeArmorConfigs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + alertThrottling: + type: boolean defaultCapabilitiesPosture: enum: - audit 
@@ -62,9 +68,66 @@ spec: type: boolean enableStdOutMsgs: type: boolean + globalImagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + globalTolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array kubeRbacProxyImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
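Review bot: The schema states the legal values for `effect` (`NoSchedule`, `PreferNoSchedule`, `NoExecute`) and `operator` (`Exists`, `Equal`) only in prose, so a typo is accepted at `kubectl apply` and surfaces later as a rejected DaemonSet in the operator's reconcile loop; since these appear to be the upstream `corev1.Toleration` fields, an `x-kubernetes-validations` CEL rule on the list (e.g. `self.all(t, !has(t.effect) || t.effect in ['NoSchedule','PreferNoSchedule','NoExecute'])`) is the way to enforce it without hand-editing generated output. Separately, the `args` arrays added to each image spec let anyone who can write `KubeArmorConfig` pass arbitrary flags to the privileged kubearmor DaemonSet and to kube-rbac-proxy, which is equivalent to editing the DaemonSet itself. That deserves a field description in the Go type (`// Extra command-line arguments; write access to this resource is effectively write access to the privileged agent`) so it is visible in `kubectl explain`, and RBAC on this CRD should be reviewed accordingly. If this file is regenerated by controller-gen, make these changes in the source types and markers rather than here.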
@@ -74,10 +137,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorControllerImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -87,10 +207,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -100,10 +277,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorInitImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -113,10 +347,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorRelayImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -126,13 +417,64 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object - seccompEnabled: - type: boolean - alertThrottling: - type: boolean maxAlertPerSec: type: integer + seccompEnabled: + type: boolean throttleSec: type: integer tls:
@@ -156,9 +498,6 @@ spec: message: type: string phase: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' type: string type: object type: object
@@ -166,9 +505,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: []
diff --git a/deployments/helm/KubeArmorOperator/templates/deployment.yaml b/deployments/helm/KubeArmorOperator/templates/deployment.yaml
index a23fdd3b01..4363e9dce2 100644
--- a/deployments/helm/KubeArmorOperator/templates/deployment.yaml
+++ b/deployments/helm/KubeArmorOperator/templates/deployment.yaml
@@ -18,6 +18,10 @@ spec:
 imagePullSecrets:
 {{ toYaml .Values.kubearmorOperator.image.imagePullSecrets | indent 6 }}
 {{- end }}
+ {{- if .Values.kubearmorOperator.image.tolerations }}
+ tolerations:
+ {{ toYaml .Values.kubearmorOperator.tolerations | indent 6 }}
+ {{- end }}
 containers:
 - name: {{ .Values.kubearmorOperator.name }}
 env:
diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
index 9a60f30bae..3c7fdb91d2 100644
--- a/deployments/helm/KubeArmorOperator/values.yaml
+++ b/deployments/helm/KubeArmorOperator/values.yaml
@@ -36,6 +36,8 @@ kubearmorOperator:
 repository: kubearmor/kubearmor-operator
 tag: ""
 imagePullPolicy: IfNotPresent
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ tolerations: ""
 initDeploy: true
 # Optional, but if there are a lot of image pulls required, Docker might be rate-limited. So, it's good to add pull secrets for production.
 imagePullSecrets: ""
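Review bot: The guard tests `.Values.kubearmorOperator.image.tolerations` but the body renders `.Values.kubearmorOperator.tolerations`, so no single value can satisfy both: setting `kubearmorOperator.tolerations` skips the block, and setting `kubearmorOperator.image.tolerations` emits `tolerations: null`. Use one path in both lines, preferably `{{- if .Values.kubearmorOperator.tolerations }}` to match the other charts in this change, and place the default at `kubearmorOperator:` level in values.yaml (the hunk below inserts it after `imagePullPolicy`, which appears to belong to `image:`). A toleration is not an image property, so keeping it out of `image:` also reads better.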
diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml index 997f2376b7..3d0e9aa854 100644 --- a/deployments/operator/operator.yaml +++ b/deployments/operator/operator.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com 
@@ -24,20 +23,27 @@ spec: description: KubeArmorConfig is the Schema for the KubeArmorConfigs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + alertThrottling: + type: boolean defaultCapabilitiesPosture: enum: - audit 
@@ -61,9 +67,66 @@ spec: type: boolean enableStdOutMsgs: type: boolean + globalImagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + globalTolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array kubeRbacProxyImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -73,10 +136,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorControllerImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -86,10 +206,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -99,10 +276,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorInitImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -112,10 +346,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorRelayImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -125,13 +416,64 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object - seccompEnabled: - type: boolean - alertThrottling: - type: boolean maxAlertPerSec: type: integer + seccompEnabled: + type: boolean throttleSec: type: integer tls: @@ -155,9 +497,6 @@ spec: message: type: string phase: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' type: string type: object type: object @@ -165,12 +504,6 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] --- apiVersion: v1 kind: ServiceAccount @@ -290,6 +623,14 @@ rules: - list - watch - update +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch - apiGroups: - security.kubearmor.com resources: @@ -388,6 +729,10 @@ rules: - cronjobs verbs: - get + - patch + - list + - watch + - update - apiGroups: - security.kubearmor.com resources: diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go index c6698c2286..412d7b8011 100644 --- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go +++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go @@ -1,9 +1,11 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright 2023 Authors of KubeArmor +// +kubebuilder:validation:optional package v1 import ( + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
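Review bot: The `@@ -388,6 +729,10 @@` hunk widens the `cronjobs` rule from `get` to `get`, `patch`, `list`, `watch`, `update`, and the `@@ -290,6 +623,14 @@` hunk adds a new read rule on core `nodes`, but nothing else in this commit (tolerations, pull secrets, args) shows which code path needs write access to CronJobs, and the role and ServiceAccount these rules belong to are outside the hunk. Under least privilege each widening should be traceable to a caller: if no code path mutates CronJobs, drop `patch` and `update`; if one does, a one-line comment on the rule such as `# patch/update: required by <component> to <reason>` lets the next reviewer verify it. The `nodes` read access is plausible for a node-aware operator (node taints are what the new tolerations respond to), but it deserves the same one-line justification.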
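Review bot: The package-level marker added above `package v1` is spelled `+kubebuilder:validation:optional`, while the controller-gen marker is registered as `+kubebuilder:validation:Optional`; I am not certain the lowercase form is matched as a package marker, so it is worth confirming that the regenerated CRD carries no `required` lists (every field visible in the following hunks uses `omitempty`, which should keep them optional regardless). Since this one line now stands in for all the per-field markers removed in the hunks below, a short explanation next to it, `// +kubebuilder:validation:Optional applies package-wide: fields are optional unless marked Required.`, would stop the next contributor from re-adding them field by field.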
@@ -12,21 +14,26 @@ import ( // ImageSpec defines the image specifications type ImageSpec struct { - // +kubebuilder:validation:optional + Args []string `json:"args,omitempty"` + Image string `json:"image,omitempty"` - // +kubebuilder:validation:optional + // +kubebuilder:validation:Enum=Always;IfNotPresent;Never // +kubebuilder:default:=Always ImagePullPolicy string `json:"imagePullPolicy,omitempty"` + + ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"` + + Tolerations []corev1.Toleration `json:"tolerations,omitempty"` } type Tls struct { - // +kubebuilder:validation:optional + // +kubebuilder:default:=false Enable bool `json:"enable,omitempty"` - // +kubebuilder:validation:optional + RelayExtraDnsNames []string `json:"extraDnsNames,omitempty"` - // +kubebuilder:validation:optional + RelayExtraIpAddresses []string `json:"extraIpAddresses,omitempty"` } 
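Review bot: The three fields added to `ImageSpec` (`Args`, `ImagePullSecrets`, `Tolerations`) have no doc comments, so the regenerated CRD exposes `args` with no `description` at all (the `args: items: type: string type: array` stanzas in the CRD hunks of this commit confirm this), and users of the CR get no hint of the semantics. From the cluster.go hunk in this commit, `Args` is assigned straight onto `Containers[0].Args`, so it replaces rather than extends the container's argument list, and a component's empty `ImagePullSecrets`/`Tolerations` fall back to the global lists. Suggested comments: `// Args replaces the container's argument list when set.`, `// ImagePullSecrets are pod-level pull secrets for this component; when empty, GlobalImagePullSecrets are applied.`, `// Tolerations are pod-level tolerations for this component; when empty, GlobalTolerations are applied.` The hunk's leading and trailing context lines appear to have been collapsed, so the struct boundaries are not fully visible here.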
@@ -35,39 +42,42 @@ type KubeArmorConfigSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file - // +kubebuilder:validation:optional DefaultFilePosture PostureType `json:"defaultFilePosture,omitempty"` - // +kubebuilder:validation:optional + DefaultCapabilitiesPosture PostureType `json:"defaultCapabilitiesPosture,omitempty"` - // +kubebuilder:validation:optional + DefaultNetworkPosture PostureType `json:"defaultNetworkPosture,omitempty"` - // +kubebuilder:validation:optional + DefaultVisibility string `json:"defaultVisibility,omitempty"` - // +kubebuilder:validation:optional + + GloabalImagePullSecrets []corev1.LocalObjectReference `json:"globalImagePullSecrets,omitempty"` + + GlobalTolerations []corev1.Toleration `json:"globalTolerations,omitempty"` + KubeArmorImage ImageSpec `json:"kubearmorImage,omitempty"` - // +kubebuilder:validation:optional + KubeArmorInitImage ImageSpec `json:"kubearmorInitImage,omitempty"` - // +kubebuilder:validation:optional + KubeArmorRelayImage ImageSpec `json:"kubearmorRelayImage,omitempty"` - // +kubebuilder:validation:optional + KubeArmorControllerImage ImageSpec `json:"kubearmorControllerImage,omitempty"` - // +kubebuilder:validation:optional + KubeRbacProxyImage ImageSpec `json:"kubeRbacProxyImage,omitempty"` - // +kubebuilder:validation:optional + Tls Tls `json:"tls,omitempty"` - // +kubebuilder:validation:optional + EnableStdOutLogs bool `json:"enableStdOutLogs,omitempty"` - // +kubebuilder:validation:optional + EnableStdOutAlerts bool `json:"enableStdOutAlerts,omitempty"` - // +kubebuilder:validation:optional + EnableStdOutMsgs bool `json:"enableStdOutMsgs,omitempty"` - // +kubebuilder:validation:Optional + SeccompEnabled bool `json:"seccompEnabled,omitempty"` - // +kubebuilder:validation:Optional + AlertThrottling bool `json:"alertThrottling,omitempty"` - // +kubebuilder:validation:Optional + MaxAlertPerSec int 
`json:"maxAlertPerSec,omitempty"` - // +kubebuilder:validation:Optional + ThrottleSec int `json:"throttleSec,omitempty"` } @@ -75,9 +85,9 @@ type KubeArmorConfigSpec struct { type KubeArmorConfigStatus struct { // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster // Important: Run "make" to regenerate code after modifying this file - // +kubebuilder:validation:optional + Phase string `json:"phase,omitempty"` - // +kubebuilder:validation:optional + Message string `json:"message,omitempty"` } diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go index 6f75313572..7bb62699b4 100644 --- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go +++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/zz_generated.deepcopy.go @@ -8,12 +8,30 @@ package v1 import ( + corev1 "k8s.io/api/core/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageSpec) DeepCopyInto(out *ImageSpec) { *out = *in + if in.Args != nil { + in, out := &in.Args, &out.Args + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ImagePullSecrets != nil { + in, out := &in.ImagePullSecrets, &out.ImagePullSecrets + *out = make([]corev1.LocalObjectReference, len(*in)) + copy(*out, *in) + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]corev1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSpec. 
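Review bot: `GloabalImagePullSecrets []corev1.LocalObjectReference` is an exported API field with a typo in its Go name; the JSON tag `globalImagePullSecrets` is correct, so the wire format is unaffected, but the Go identifier is what every caller in the operator and the generated deepcopy (the `zz_generated.deepcopy.go` hunk of this commit) will spell, and renaming it after a release is an API break for Go consumers of the `v1` package. Rename it now, `GlobalImagePullSecrets []corev1.LocalObjectReference \`json:"globalImagePullSecrets,omitempty"\``, and rerun code generation so the deepcopy follows. The new `GlobalImagePullSecrets`/`GlobalTolerations` fields would also benefit from a comment stating that they apply only to components whose own list is empty, which is the behaviour the cluster.go hunk implements.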
@@ -88,11 +106,23 @@ func (in *KubeArmorConfigList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeArmorConfigSpec) DeepCopyInto(out *KubeArmorConfigSpec) { *out = *in - out.KubeArmorImage = in.KubeArmorImage - out.KubeArmorInitImage = in.KubeArmorInitImage - out.KubeArmorRelayImage = in.KubeArmorRelayImage - out.KubeArmorControllerImage = in.KubeArmorControllerImage - out.KubeRbacProxyImage = in.KubeRbacProxyImage + if in.GloabalImagePullSecrets != nil { + in, out := &in.GloabalImagePullSecrets, &out.GloabalImagePullSecrets + *out = make([]corev1.LocalObjectReference, len(*in)) + copy(*out, *in) + } + if in.GlobalTolerations != nil { + in, out := &in.GlobalTolerations, &out.GlobalTolerations + *out = make([]corev1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.KubeArmorImage.DeepCopyInto(&out.KubeArmorImage) + in.KubeArmorInitImage.DeepCopyInto(&out.KubeArmorInitImage) + in.KubeArmorRelayImage.DeepCopyInto(&out.KubeArmorRelayImage) + in.KubeArmorControllerImage.DeepCopyInto(&out.KubeArmorControllerImage) + in.KubeRbacProxyImage.DeepCopyInto(&out.KubeRbacProxyImage) in.Tls.DeepCopyInto(&out.Tls) } diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go index f84e360454..5ec52e8cb4 100644 --- a/pkg/KubeArmorOperator/common/defaults.go +++ b/pkg/KubeArmorOperator/common/defaults.go @@ -85,6 +85,8 @@ var ( ConfigMaxAlertPerSec string = "maxAlertPerSec" ConfigThrottleSec string = "throttleSec" + GlobalImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{} + GlobalTolerations []corev1.Toleration = []corev1.Toleration{} //KubearmorRelayEnvVariables EnableStdOutAlerts string = "enableStdOutAlerts" 
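Review bot: `GlobalImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{}` (and `GlobalTolerations` next to it, plus the per-component `*Args`, `*ImagePullSecrets` and `*Tolerations` variables in the `@@ -92,23 +94,40 @@` hunk of this file) spell out both the type and an empty composite literal where `var GlobalImagePullSecrets []corev1.LocalObjectReference` gives the same observable behaviour: nil and empty are indistinguishable to the `len`, `range` and `append` calls that cluster.go applies to them. Keeping them nil also removes the impression that the empty literal is a deliberate non-nil default. These are mutable package-level slices read by the cluster watcher; the code that populates them is outside this diff, so a comment such as `// Populated from the KubeArmorConfig CR; read by ClusterWatcher when workloads are (re)built.` would help, once confirmed against the writer.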
@@ -92,23 +94,40 @@ var ( EnableStdOutMsgs string = "enableStdOutMsgs" // Images - KubeArmorName string = "kubearmor" - KubeArmorImage string = "kubearmor/kubearmor:stable" - KubeArmorImagePullPolicy string = "Always" - KubeArmorInitName string = "kubearmor-init" - KubeArmorInitImage string = "kubearmor/kubearmor-init:stable" - KubeArmorInitImagePullPolicy string = "Always" - KubeArmorRelayName string = "kubearmor-relay" - KubeArmorRelayImage string = "kubearmor/kubearmor-relay-server:latest" - KubeArmorRelayImagePullPolicy string = "Always" - KubeArmorControllerName string = "kubearmor-controller" - KubeArmorControllerImage string = "kubearmor/kubearmor-controller:latest" - KubeArmorControllerImagePullPolicy string = "Always" - KubeRbacProxyName string = "kube-rbac-proxy" - KubeRbacProxyImage string = "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0" - KubeRbacProxyImagePullPolicy string = "Always" - SeccompProfile = "kubearmor-seccomp.json" - SeccompInitProfile = "kubearmor-init-seccomp.json" + KubeArmorName string = "kubearmor" + KubeArmorArgs []string = []string{} + KubeArmorImage string = "kubearmor/kubearmor:stable" + KubeArmorImagePullPolicy string = "Always" + KubeArmorImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{} + KubeArmorTolerations []corev1.Toleration = []corev1.Toleration{} + + KubeArmorInitName string = "kubearmor-init" + KubeArmorInitArgs []string = []string{} + KubeArmorInitImage string = "kubearmor/kubearmor-init:stable" + KubeArmorInitImagePullPolicy string = "Always" + KubeArmorInitImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{} + KubeArmorInitTolerations []corev1.Toleration = []corev1.Toleration{} + + KubeArmorRelayName string = "kubearmor-relay" + KubeArmorRelayArgs []string = []string{} + KubeArmorRelayImage string = "kubearmor/kubearmor-relay-server:latest" + KubeArmorRelayImagePullPolicy string = "Always" + KubeArmorRelayImagePullSecrets []corev1.LocalObjectReference = 
[]corev1.LocalObjectReference{} + KubeArmorRelayTolerations []corev1.Toleration = []corev1.Toleration{} + + KubeArmorControllerName string = "kubearmor-controller" + KubeArmorControllerArgs []string = []string{} + KubeArmorControllerImage string = "kubearmor/kubearmor-controller:latest" + KubeArmorControllerImagePullPolicy string = "Always" + KubeArmorControllerImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{} + KubeArmorControllerTolerations []corev1.Toleration = []corev1.Toleration{} + + KubeRbacProxyName string = "kube-rbac-proxy" + KubeRbacProxyImage string = "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0" + KubeRbacProxyImagePullPolicy string = "Always" + + SeccompProfile = "kubearmor-seccomp.json" + SeccompInitProfile = "kubearmor-init-seccomp.json" // tls EnableTls bool = false @@ -469,7 +488,7 @@ func IsCertifiedOperator() bool { if certified == "" { return false } - return true + return true // +kubebuilder:validation:optional } func CopyStrMap(src map[string]string) map[string]string { diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml index 1e1c4434ec..408a316f00 100644 --- a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml +++ b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com 
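Review bot: The `@@ -469,7 +488,7 @@` hunk changes `return true` in `IsCertifiedOperator` to `return true // +kubebuilder:validation:optional`, which looks like a paste accident: a kubebuilder marker on a statement inside a function body has no effect on code generation and will only puzzle the next reader. Revert that line to `return true` so the hunk disappears from the commit. The opening lines of IsCertifiedOperator are outside the hunk.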
@@ -26,20 +24,27 @@ spec: description: KubeArmorConfig is the Schema for the KubeArmorConfigs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + alertThrottling: + type: boolean defaultCapabilitiesPosture: enum: - audit 
@@ -63,9 +68,66 @@ spec: type: boolean enableStdOutMsgs: type: boolean + globalImagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + globalTolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array kubeRbacProxyImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -75,10 +137,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorControllerImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -88,10 +207,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -101,10 +277,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorInitImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -114,10 +347,67 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object kubearmorRelayImage: description: ImageSpec defines the image specifications properties: + args: + items: + type: string + type: array image: type: string imagePullPolicy: 
@@ -127,13 +417,64 @@ spec: - IfNotPresent - Never type: string + imagePullSecrets: + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + tolerations: + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array type: object - seccompEnabled: - type: boolean - alertThrottling: - type: boolean maxAlertPerSec: type: integer + seccompEnabled: + type: boolean throttleSec: type: integer tls: @@ -157,9 +498,6 @@ spec: message: type: string phase: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' type: string type: object type: object @@ -167,9 +505,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go index fd1e5af0af..58956d178b 100644 --- a/pkg/KubeArmorOperator/internal/controller/cluster.go +++ b/pkg/KubeArmorOperator/internal/controller/cluster.go @@ -7,6 +7,7 @@ import ( "bytes" "context" "fmt" + "slices" "strconv" "strings" "sync" @@ -367,6 +368,22 @@ func (clusterWatcher *ClusterWatcher) WatchConfigCrd() { } } +func updateImagePullSecretFromGlobal(global []corev1.LocalObjectReference, dst *[]corev1.LocalObjectReference) { + for _, sec := range global { + if !slices.Contains(*dst, sec) { + *dst = append(*dst, sec) + } + } +} + +func updateTolerationFromGlobal(global []corev1.Toleration, dst *[]corev1.Toleration) { + for _, tol := range global { + if !slices.Contains(*dst, tol) { + *dst = append(*dst, tol) + } + } +} + func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) error { var res error for _, img := range images { 
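Review bot: `updateTolerationFromGlobal` deduplicates with `slices.Contains(*dst, tol)`, but `corev1.Toleration` carries `TolerationSeconds *int64`, so `==` compares that field by pointer identity; two tolerations equal in every value but decoded into separate pointers are treated as distinct and both appended. Compare by value instead, e.g. `if !slices.ContainsFunc(*dst, func(t corev1.Toleration) bool { return reflect.DeepEqual(t, tol) }) {` (adds a `reflect` import), or use `t.MatchToleration(&tol)` if ignoring `TolerationSeconds` is acceptable. Both helpers are also undocumented; suggested comments are `// updateImagePullSecretFromGlobal appends each global pull secret that dst does not already contain.` and `// updateTolerationFromGlobal appends each global toleration that dst does not already contain.`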
@@ -381,10 +398,22 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
 } else {
 for _, ds := range dsList.Items {
 ds.Spec.Template.Spec.Containers[0].Image = common.GetApplicationImage(common.KubeArmorName)
- ds.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorInitImagePullPolicy)
+ ds.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorImagePullPolicy)
+ ds.Spec.Template.Spec.Containers[0].Args = common.KubeArmorArgs
+ ds.Spec.Template.Spec.ImagePullSecrets = common.KubeArmorImagePullSecrets
+ if len(ds.Spec.Template.Spec.ImagePullSecrets) < 1 {
+ updateImagePullSecretFromGlobal(common.GlobalImagePullSecrets, &ds.Spec.Template.Spec.ImagePullSecrets)
+ }
+ ds.Spec.Template.Spec.Tolerations = common.KubeArmorTolerations
+ if len(ds.Spec.Template.Spec.Tolerations) < 1 {
+ updateTolerationFromGlobal(common.GlobalTolerations, &ds.Spec.Template.Spec.Tolerations)
+ }
 if len(ds.Spec.Template.Spec.InitContainers) != 0 {
 ds.Spec.Template.Spec.InitContainers[0].Image = common.GetApplicationImage(common.KubeArmorInitName)
 ds.Spec.Template.Spec.InitContainers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorInitImagePullPolicy)
+ ds.Spec.Template.Spec.InitContainers[0].Args = common.KubeArmorInitArgs
+ ds.Spec.Template.Spec.ImagePullSecrets = append(ds.Spec.Template.Spec.ImagePullSecrets, common.KubeArmorInitImagePullSecrets...)
+ ds.Spec.Template.Spec.Tolerations = append(ds.Spec.Template.Spec.Tolerations, common.KubeArmorInitTolerations...)
 }
 _, err = clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Update(context.Background(), &ds, v1.UpdateOptions{})
 if err != nil {
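Review bot: `ds.Spec.Template.Spec.Tolerations = common.KubeArmorTolerations` (and the `ImagePullSecrets` assignment above it) makes the pod spec share a backing array with the package-level slice, and the init-container branch then `append`s to that slice; whenever the shared slice has spare capacity the init entries are written into storage owned by `common.KubeArmorTolerations`, and every DaemonSet in `dsList.Items` writes into the same positions. Detach at the assignment: `ds.Spec.Template.Spec.ImagePullSecrets = slices.Clone(common.KubeArmorImagePullSecrets)` and `ds.Spec.Template.Spec.Tolerations = slices.Clone(common.KubeArmorTolerations)` (`slices` is imported by this commit). The init entries are also appended without the dedup the global helpers apply, so a toleration or pull secret listed for both containers appears twice in the pod spec. Style: `len(x) < 1` reads more naturally as `len(x) == 0`, here and in the relay and controller hunks below. UpdateKubeArmorImages starts and ends outside the hunk.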
@@ -403,6 +432,15 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
 } else {
 relay.Spec.Template.Spec.Containers[0].Image = common.GetApplicationImage(common.KubeArmorRelayName)
 relay.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorRelayImagePullPolicy)
+ relay.Spec.Template.Spec.Containers[0].Args = common.KubeArmorRelayArgs
+ relay.Spec.Template.Spec.ImagePullSecrets = common.KubeArmorRelayImagePullSecrets
+ if len(relay.Spec.Template.Spec.ImagePullSecrets) < 1 {
+ updateImagePullSecretFromGlobal(common.GlobalImagePullSecrets, &relay.Spec.Template.Spec.ImagePullSecrets)
+ }
+ relay.Spec.Template.Spec.Tolerations = common.KubeArmorRelayTolerations
+ if len(relay.Spec.Template.Spec.Tolerations) < 1 {
+ updateTolerationFromGlobal(common.GlobalTolerations, &relay.Spec.Template.Spec.Tolerations)
+ }
 _, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{})
 if err != nil {
 clusterWatcher.Log.Warnf("Cannot update deployment=%s error=%s", deployments.RelayDeploymentName, err.Error())
@@ -418,11 +456,20 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
 clusterWatcher.Log.Warnf("Cannot get deployment=%s error=%s", deployments.KubeArmorControllerDeploymentName, err.Error())
 res = err
 } else {
+ controller.Spec.Template.Spec.ImagePullSecrets = common.KubeArmorControllerImagePullSecrets
+ if len(controller.Spec.Template.Spec.ImagePullSecrets) < 1 {
+ updateImagePullSecretFromGlobal(common.GlobalImagePullSecrets, &controller.Spec.Template.Spec.ImagePullSecrets)
+ }
+ controller.Spec.Template.Spec.Tolerations = common.KubeArmorControllerTolerations
+ if len(controller.Spec.Template.Spec.Tolerations) < 1 {
+ updateTolerationFromGlobal(common.GlobalTolerations, &controller.Spec.Template.Spec.Tolerations)
+ }
 containers := &controller.Spec.Template.Spec.Containers
 for i, container := range *containers {
 if container.Name == "manager" {
 (*containers)[i].Image = common.GetApplicationImage(common.KubeArmorControllerName)
 (*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorControllerImagePullPolicy)
+ (*containers)[i].Args = common.KubeArmorControllerArgs
 } else {
 (*containers)[i].Image = common.GetApplicationImage(common.KubeRbacProxyName)
 }
@@ -520,26 +567,80 @@ func UpdateIfDefinedAndUpdated(common *string, in string) bool { return false } +func UpdateArgsIfDefinedAndUpdated(common *[]string, in []string) bool { + if len(in) != len(*common) { + *common = in + return true + } + for _, arg := range in { + if !slices.Contains(*common, arg) { + *common = in + return true + } + } + return false +} + +func UpdateImagePullSecretsIfDefinedAndUpdated(common *[]corev1.LocalObjectReference, in []corev1.LocalObjectReference) bool { + if len(in) != len(*common) { + *common = in + return true + } + for _, sec := range in { + if !slices.Contains(*common, sec) { + *common = in + return true + } + } + return false +} + +func UpdateTolerationsIfDefinedAndUpdated(common *[]corev1.Toleration, in []corev1.Toleration) bool { + if len(in) != len(*common) { + *common = in + return true + } + for _, sec := range in { + if !slices.Contains(*common, sec) { + *common = in + return true + } + } + return false +} + func UpdateImages(config *opv1.KubeArmorConfigSpec) []string { updatedImages := []string{} // if kubearmor image or imagePullPolicy got updated if UpdateIfDefinedAndUpdated(&common.KubeArmorImage, config.KubeArmorImage.Image) || - UpdateIfDefinedAndUpdated(&common.KubeArmorImagePullPolicy, config.KubeArmorImage.ImagePullPolicy) { + UpdateIfDefinedAndUpdated(&common.KubeArmorImagePullPolicy, config.KubeArmorImage.ImagePullPolicy) || + UpdateArgsIfDefinedAndUpdated(&common.KubeArmorArgs, config.KubeArmorImage.Args) || + UpdateImagePullSecretsIfDefinedAndUpdated(&common.KubeArmorImagePullSecrets, config.KubeArmorImage.ImagePullSecrets) || + UpdateTolerationsIfDefinedAndUpdated(&common.KubeArmorTolerations, config.KubeArmorImage.Tolerations) { updatedImages = append(updatedImages, "kubearmor") } // if kubearmor-init image or imagePullPolicy got updated if UpdateIfDefinedAndUpdated(&common.KubeArmorInitImage, config.KubeArmorInitImage.Image) || - UpdateIfDefinedAndUpdated(&common.KubeArmorInitImagePullPolicy, 
config.KubeArmorInitImage.ImagePullPolicy) { + UpdateIfDefinedAndUpdated(&common.KubeArmorInitImagePullPolicy, config.KubeArmorInitImage.ImagePullPolicy) || + UpdateArgsIfDefinedAndUpdated(&common.KubeArmorInitArgs, config.KubeArmorInitImage.Args) || + UpdateImagePullSecretsIfDefinedAndUpdated(&common.KubeArmorInitImagePullSecrets, config.KubeArmorInitImage.ImagePullSecrets) || + UpdateTolerationsIfDefinedAndUpdated(&common.KubeArmorInitTolerations, config.KubeArmorInitImage.Tolerations) { updatedImages = append(updatedImages, "init") } // kubearmor-relay image or imagePullPolicy got updated if UpdateIfDefinedAndUpdated(&common.KubeArmorRelayImage, config.KubeArmorRelayImage.Image) || - UpdateIfDefinedAndUpdated(&common.KubeArmorRelayImagePullPolicy, config.KubeArmorRelayImage.ImagePullPolicy) { + UpdateIfDefinedAndUpdated(&common.KubeArmorRelayImagePullPolicy, config.KubeArmorRelayImage.ImagePullPolicy) || + UpdateArgsIfDefinedAndUpdated(&common.KubeArmorRelayArgs, config.KubeArmorRelayImage.Args) || + UpdateImagePullSecretsIfDefinedAndUpdated(&common.KubeArmorRelayImagePullSecrets, config.KubeArmorRelayImage.ImagePullSecrets) || + UpdateTolerationsIfDefinedAndUpdated(&common.KubeArmorRelayTolerations, config.KubeArmorRelayImage.Tolerations) { updatedImages = append(updatedImages, "relay") } // if kubearmor-controller image or imagePullPolicy got updated if UpdateIfDefinedAndUpdated(&common.KubeArmorControllerImage, config.KubeArmorControllerImage.Image) || - UpdateIfDefinedAndUpdated(&common.KubeArmorControllerImagePullPolicy, config.KubeArmorControllerImage.ImagePullPolicy) { + UpdateIfDefinedAndUpdated(&common.KubeArmorControllerImagePullPolicy, config.KubeArmorControllerImage.ImagePullPolicy) || + UpdateArgsIfDefinedAndUpdated(&common.KubeArmorControllerArgs, config.KubeArmorControllerImage.Args) || + UpdateImagePullSecretsIfDefinedAndUpdated(&common.KubeArmorControllerImagePullSecrets, config.KubeArmorControllerImage.ImagePullSecrets) || + 
UpdateTolerationsIfDefinedAndUpdated(&common.KubeArmorControllerTolerations, config.KubeArmorControllerImage.Tolerations) { updatedImages = append(updatedImages, "controller") } // if kube-rbac-proxy image or imagePullPolicy got updated @@ -547,6 +648,12 @@ func UpdateImages(config *opv1.KubeArmorConfigSpec) []string { UpdateIfDefinedAndUpdated(&common.KubeRbacProxyImagePullPolicy, config.KubeRbacProxyImage.ImagePullPolicy) { updatedImages = append(updatedImages, "rbac") } + + // if globalImagePullSecret or globalToleration updated + if UpdateImagePullSecretsIfDefinedAndUpdated(&common.GlobalImagePullSecrets, config.GloabalImagePullSecrets) || + UpdateTolerationsIfDefinedAndUpdated(&common.GlobalTolerations, config.GlobalTolerations) { + updatedImages = []string{"kubearmor", "init", "relay", "controller"} + } return updatedImages }
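Review bot: `UpdateArgsIfDefinedAndUpdated` reports a change only on a length difference or an element of `in` missing from `*common`, so a reordering (`[-a, -b]` vs `[-b, -a]`) or a duplicate standing in for a distinct value (`[x, x]` vs `[x, y]`) passes as unchanged and is never pushed to the workloads; the two sibling functions share the same logic. An order-sensitive, duplicate-aware comparison is three lines: `if slices.Equal(*common, in) { return false }` / `*common = in` / `return true`, and since the three bodies differ only in element type, one generic `updateSliceIfUpdated[T comparable](common *[]T, in []T) bool` could replace them, with `slices.EqualFunc` and a field-wise comparator for `corev1.Toleration`, whose `TolerationSeconds` pointer otherwise compares by address. The `IfDefined` in the names no longer holds: an empty `in` now clears `*common`, which the string variant `UpdateIfDefinedAndUpdated` presumably does not do (its body is outside the hunk); if clearing is intended, a doc comment such as `// An empty in clears *common; slices have no "undefined" value.` would make that explicit.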
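Review bot: `updatedImages = []string{"kubearmor", "init", "relay", "controller"}` discards whatever the earlier checks appended, so `"rbac"` is dropped when the kube-rbac-proxy image changed in the same reconcile; unless the caller folds "rbac" into the controller update (its handling is outside this hunk), that change is lost until the next config edit. Appending each of the four names not already present (`slices.Contains` is already in scope in this file) keeps both. `config.GloabalImagePullSecrets` carries a typo into the exported spec field; the type definition is not in this diff, but if the JSON tag matches, users will have to spell it the same way in their KubeArmorConfig. The comment `// if globalImagePullSecret or globalToleration updated` could state the consequence: `// a global change re-applies pull secrets/tolerations to every component`.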