From 03aae24aa73bc10da0b3657863a69186bc3dd4b6 Mon Sep 17 00:00:00 2001
From: BenRub
Date: Wed, 20 Sep 2023 10:40:37 +0300
Subject: [PATCH 1/5] Update README.md
---
 README.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/README.md b/README.md
index 5bc7536d..198e787a 100644
--- a/README.md
+++ b/README.md
@@ -501,3 +501,37 @@ volumes:
 users:
 - system:serviceaccount:cbcontainers-dataplane:cbcontainers-agent-node
 ```
+
+### Uninstalling on Openshift
+
+```yaml
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: scc-edr-cleaner
+runAsUser:
+ type: RunAsAny
+allowHostPID: true
+allowHostPorts: false
+allowHostNetwork: true
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowPrivilegedContainer: true
+readOnlyRootFilesystem: false
+seLinuxContext:
+ type: RunAsAny
+fsGroup:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- hostPath
+- persistentVolumeClaim
+- projected
+- secret
+users:
+- system:serviceaccount:cbcontainers-edr-sensor-cleaners:cbcontainers-edr-sensor-cleaner
+```
From bfa8900a09cf55bb560c61110d5083a1ce7b438a Mon Sep 17 00:00:00 2001
From: BenRub
Date: Wed, 20 Sep 2023 10:54:04 +0300
Subject: [PATCH 2/5] Update README.md
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index 198e787a..95bc43b5 100644
--- a/README.md
+++ b/README.md
@@ -504,6 +504,9 @@ users:
 ### Uninstalling on Openshift
+Add this SecurityContextConstraints
+before running the operator uninstall command
+
 ```yaml
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
From 320fd678bb497a0e5eee7e9967d77430f9355f5c Mon Sep 17 00:00:00 2001
From: skostov
Date: Tue, 26 Sep 2023 16:04:54 +0300
Subject: [PATCH 3/5] add /lib/modules and /usr/src as volume mounts.
---
 .../state/components/sensor_daemon_set.go | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/cbcontainers/state/components/sensor_daemon_set.go b/cbcontainers/state/components/sensor_daemon_set.go
index f67a3f89..647e0b20 100644
--- a/cbcontainers/state/components/sensor_daemon_set.go
+++ b/cbcontainers/state/components/sensor_daemon_set.go
@@ -78,6 +78,8 @@ var (
 hostPathFile = coreV1.HostPathFile
 cndrHostPaths = map[string]*coreV1.HostPathVolumeSource{
 "boot": {Path: "/boot", Type: &hostPathDirectory},
+ "modules": {Path: "/lib/modules", Type: &hostPathDirectory},
+ "src": {Path: "/usr/src", Type: &hostPathDirectory},
 "cb-data-dir": {Path: "/var/opt/carbonblack", Type: &hostPathDirectoryOrCreate},
 "os-release": {Path: "/etc/os-release", Type: &hostPathFile},
 "root": {Path: "/", Type: &hostPathDirectory},
@@ -90,6 +92,8 @@ var (
 cndrReadOnlyMounts = map[string]struct{}{
 "root": {},
 "boot": {},
+ "modules": {},
+ "src": {},
 "os-release": {},
 }
 )
@@ -123,7 +127,7 @@ func (obj *SensorDaemonSetK8sObject) MutateK8sObject(k8sObject client.Object, ag
 obj.initiateDaemonSet(daemonSet, agentSpec)
- if commonState.IsEnabled(runtimeProtection.Enabled) || isCndrEnbaled(agentSpec.Components.Cndr) {
+ if commonState.IsEnabled(runtimeProtection.Enabled) || isCndrEnabled(agentSpec.Components.Cndr) {
 daemonSet.Spec.Template.Spec.DNSPolicy = runtimeSensorDNSPolicy
 daemonSet.Spec.Template.Spec.HostNetwork = runtimeSensorHostNetwork
 daemonSet.Spec.Template.Spec.HostPID = runtimeSensorHostPID
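Review bot: The two new `cndrHostPaths` entries use `hostPathDirectory`, which requires the directory to already exist on the node, so a node without `/usr/src` (kernel headers are frequently absent on minimal or immutable node images) will fail to create the sensor pod at all instead of running the cndr sensor without that mount; whether that hard dependency is intended should be stated and the node prerequisite documented. Both keys are correctly added to `cndrReadOnlyMounts` in the second hunk, which keeps the host's kernel modules and headers read-only from inside the pod. Since `root` already mounts `/` read-only, the reason these paths also need dedicated mounts is not visible here; a short comment such as `// modules/src: host kernel modules and headers at their native paths (TODO: state why the root mount is not sufficient)` would help the next reader, noting that the `var (` block begins outside the hunk. The `isCndrEnbaled` → `isCndrEnabled` rename in the third hunk is an unrelated cleanup bundled into this commit; the same rename continues through the remaining hunks of this patch.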
@@ -211,14 +215,14 @@ func (obj *SensorDaemonSetK8sObject) mutateAnnotations(daemonSet *appsV1.DaemonS
 }
 }
-func isCndrEnbaled(cndrSpec *cbContainersV1.CBContainersCndrSpec) bool {
+func isCndrEnabled(cndrSpec *cbContainersV1.CBContainersCndrSpec) bool {
 return cndrSpec != nil && commonState.IsEnabled(cndrSpec.Enabled)
 }
 func (obj *SensorDaemonSetK8sObject) getExpectedVolumeCount(agentSpec *cbContainersV1.CBContainersAgentSpec) int {
 expectedVolumesCount := 0
- if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnbaled(agentSpec.Components.Cndr) {
+ if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnabled(agentSpec.Components.Cndr) {
 expectedVolumesCount += len(supportedContainerRuntimes)
 }
@@ -233,7 +237,7 @@ func (obj *SensorDaemonSetK8sObject) getExpectedVolumeCount(agentSpec *cbContain
 expectedVolumesCount += 3
 }
- if isCndrEnbaled(agentSpec.Components.Cndr) {
+ if isCndrEnabled(agentSpec.Components.Cndr) {
 expectedVolumesCount += len(cndrHostPaths)
 }
@@ -251,7 +255,7 @@ func (obj *SensorDaemonSetK8sObject) mutateVolumes(daemonSet *appsV1.DaemonSet,
 templatePodSpec.Volumes = make([]coreV1.Volume, 0, expectedVolumeCount)
 }
- if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnbaled(agentSpec.Components.Cndr) {
+ if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnabled(agentSpec.Components.Cndr) {
 obj.mutateContainerRuntimesVolumes(&daemonSet.Spec.Template.Spec)
 }
@@ -259,7 +263,7 @@ func (obj *SensorDaemonSetK8sObject) mutateVolumes(daemonSet *appsV1.DaemonSet,
 obj.mutateClusterScannerVolumes(&daemonSet.Spec.Template.Spec, &agentSpec.Components.ClusterScanning.ClusterScannerAgent)
 }
- if isCndrEnbaled(agentSpec.Components.Cndr) {
+ if isCndrEnabled(agentSpec.Components.Cndr) {
 obj.mutateCndrVolumes(&daemonSet.Spec.Template.Spec, &agentSpec.Components.Cndr.Sensor)
 }
@@ -311,7 +315,7 @@ func (obj *SensorDaemonSetK8sObject) mutateContainersList(daemonSet *appsV1.Daem
 desiredContainers = append(desiredContainers, clusterScannerContainer)
 }
- if isCndrEnbaled(agentSpec.Components.Cndr) {
+ if isCndrEnabled(agentSpec.Components.Cndr) {
 cndrEnabled = true
 if cndrContainerLocation := obj.findContainerLocationByName(templatePodSpec.Containers, CndrContainerName); cndrContainerLocation == -1 {
 cndrMissing = true
@@ -339,7 +343,7 @@ func (obj *SensorDaemonSetK8sObject) mutateContainersList(daemonSet *appsV1.Daem
 agentSpec)
 }
- if isCndrEnbaled(agentSpec.Components.Cndr) {
+ if isCndrEnabled(agentSpec.Components.Cndr) {
 obj.mutateCndrContainer(
 &templatePodSpec.Containers[obj.findContainerLocationByName(templatePodSpec.Containers, CndrContainerName)],
 agentSpec)
From db098b351383328fc70463a54821bd2e215c7291 Mon Sep 17 00:00:00 2001
From: benrub
Date: Thu, 19 Oct 2023 12:17:06 +0300
Subject: [PATCH 4/5] Revert "add /lib/modules and /usr/src as volume mounts."
This reverts commit 03862c787068b10c287374c41817c2e24bac2483.
---
 .../state/components/sensor_daemon_set.go | 20 ++++++++-----------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/cbcontainers/state/components/sensor_daemon_set.go b/cbcontainers/state/components/sensor_daemon_set.go
index 647e0b20..f67a3f89 100644
--- a/cbcontainers/state/components/sensor_daemon_set.go
+++ b/cbcontainers/state/components/sensor_daemon_set.go
@@ -78,8 +78,6 @@ var (
 hostPathFile = coreV1.HostPathFile
 cndrHostPaths = map[string]*coreV1.HostPathVolumeSource{
 "boot": {Path: "/boot", Type: &hostPathDirectory},
- "modules": {Path: "/lib/modules", Type: &hostPathDirectory},
- "src": {Path: "/usr/src", Type: &hostPathDirectory},
 "cb-data-dir": {Path: "/var/opt/carbonblack", Type: &hostPathDirectoryOrCreate},
 "os-release": {Path: "/etc/os-release", Type: &hostPathFile},
 "root": {Path: "/", Type: &hostPathDirectory},
@@ -92,8 +90,6 @@ var (
 cndrReadOnlyMounts = map[string]struct{}{
 "root": {},
 "boot": {},
- "modules": {},
- "src": {},
 "os-release": {},
 }
 )
@@ -127,7 +123,7 @@ func (obj *SensorDaemonSetK8sObject) MutateK8sObject(k8sObject client.Object, ag
 obj.initiateDaemonSet(daemonSet, agentSpec)
- if commonState.IsEnabled(runtimeProtection.Enabled) || isCndrEnabled(agentSpec.Components.Cndr) {
+ if commonState.IsEnabled(runtimeProtection.Enabled) || isCndrEnbaled(agentSpec.Components.Cndr) {
 daemonSet.Spec.Template.Spec.DNSPolicy = runtimeSensorDNSPolicy
 daemonSet.Spec.Template.Spec.HostNetwork = runtimeSensorHostNetwork
 daemonSet.Spec.Template.Spec.HostPID = runtimeSensorHostPID
@@ -215,14 +211,14 @@ func (obj *SensorDaemonSetK8sObject) mutateAnnotations(daemonSet *appsV1.DaemonS
 }
 }
-func isCndrEnabled(cndrSpec *cbContainersV1.CBContainersCndrSpec) bool {
+func isCndrEnbaled(cndrSpec *cbContainersV1.CBContainersCndrSpec) bool {
 return cndrSpec != nil && commonState.IsEnabled(cndrSpec.Enabled)
 }
 func (obj *SensorDaemonSetK8sObject) getExpectedVolumeCount(agentSpec *cbContainersV1.CBContainersAgentSpec) int {
 expectedVolumesCount := 0
- if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnabled(agentSpec.Components.Cndr) {
+ if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnbaled(agentSpec.Components.Cndr) {
 expectedVolumesCount += len(supportedContainerRuntimes)
 }
@@ -237,7 +233,7 @@ func (obj *SensorDaemonSetK8sObject) getExpectedVolumeCount(agentSpec *cbContain
 expectedVolumesCount += 3
 }
- if isCndrEnabled(agentSpec.Components.Cndr) {
+ if isCndrEnbaled(agentSpec.Components.Cndr) {
 expectedVolumesCount += len(cndrHostPaths)
 }
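Review bot: The revert restores the misspelled identifier `isCndrEnbaled` in the `@@ -215,14 +211,14 @@` hunk and at every call site, because the typo fix was bundled into the commit being reverted; the rename is independent of the volume-mount change, so it would be cleaner to keep `isCndrEnabled` and revert only the `cndrHostPaths` and `cndrReadOnlyMounts` entries. The same rename-back repeats in the following hunks covering `mutateVolumes` and `mutateContainersList`. The commit message cites `03862c787068b10c287374c41817c2e24bac2483` as the reverted commit while the commit being undone in this series is `320fd678bb497a0e5eee7e9967d77430f9355f5c`; presumably the hash predates a rebase, but it is worth correcting so that `git log` cross-references stay usable.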
@@ -255,7 +251,7 @@ func (obj *SensorDaemonSetK8sObject) mutateVolumes(daemonSet *appsV1.DaemonSet,
 templatePodSpec.Volumes = make([]coreV1.Volume, 0, expectedVolumeCount)
 }
- if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnabled(agentSpec.Components.Cndr) {
+ if commonState.IsEnabled(agentSpec.Components.ClusterScanning.Enabled) || isCndrEnbaled(agentSpec.Components.Cndr) {
 obj.mutateContainerRuntimesVolumes(&daemonSet.Spec.Template.Spec)
 }
@@ -263,7 +259,7 @@ func (obj *SensorDaemonSetK8sObject) mutateVolumes(daemonSet *appsV1.DaemonSet,
 obj.mutateClusterScannerVolumes(&daemonSet.Spec.Template.Spec, &agentSpec.Components.ClusterScanning.ClusterScannerAgent)
 }
- if isCndrEnabled(agentSpec.Components.Cndr) {
+ if isCndrEnbaled(agentSpec.Components.Cndr) {
 obj.mutateCndrVolumes(&daemonSet.Spec.Template.Spec, &agentSpec.Components.Cndr.Sensor)
 }
@@ -315,7 +311,7 @@ func (obj *SensorDaemonSetK8sObject) mutateContainersList(daemonSet *appsV1.Daem
 desiredContainers = append(desiredContainers, clusterScannerContainer)
 }
- if isCndrEnabled(agentSpec.Components.Cndr) {
+ if isCndrEnbaled(agentSpec.Components.Cndr) {
 cndrEnabled = true
 if cndrContainerLocation := obj.findContainerLocationByName(templatePodSpec.Containers, CndrContainerName); cndrContainerLocation == -1 {
 cndrMissing = true
@@ -343,7 +339,7 @@ func (obj *SensorDaemonSetK8sObject) mutateContainersList(daemonSet *appsV1.Daem
 agentSpec)
 }
- if isCndrEnabled(agentSpec.Components.Cndr) {
+ if isCndrEnbaled(agentSpec.Components.Cndr) {
 obj.mutateCndrContainer(
 &templatePodSpec.Containers[obj.findContainerLocationByName(templatePodSpec.Containers, CndrContainerName)],
 agentSpec)
From ffdc9e5079c4f9808dff167127a532f3ac05a9a1 Mon Sep 17 00:00:00 2001
From: benrub
Date: Tue, 12 Sep 2023 15:36:58 +0300
Subject: [PATCH 5/5] Edit the version strings to v6.0.2
---
 README.md | 4 ++--
 charts/cbcontainers-agent/cbcontainers-agent-chart/Chart.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 95bc43b5..5ab9e6bd 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ The Carbon Black Cloud Container Operator utilizes the operator-framework to cre
 | Operator version | Kubernetes Sensor Component Version | Minimum Kubernetes Version |
 |------------------|-------------------------------------|----------------------------|
-| v6.0.x | 2.10.0, 2.11.0, 2.12.0, 3.0.0 | 1.18 |
+| v6.0.x | 2.10.0, 2.11.0, 2.12.0, 3.0.X | 1.18 |
 | v5.6.x | 2.10.0, 2.11.0, 2.12.0 | 1.16 |
 | v5.5.x | 2.10.0, 2.11.0 | 1.16 |
@@ -27,7 +27,7 @@ Kubernetes 1.18+ is supported.
 ### From script:
 ```
-export OPERATOR_VERSION=v6.0.1
+export OPERATOR_VERSION=v6.0.2
 export OPERATOR_SCRIPT_URL=https://setup.containers.carbonblack.io/$OPERATOR_VERSION/operator-apply.sh
 curl -s $OPERATOR_SCRIPT_URL | bash
 ```
diff --git a/charts/cbcontainers-agent/cbcontainers-agent-chart/Chart.yaml b/charts/cbcontainers-agent/cbcontainers-agent-chart/Chart.yaml
index 143fb0c2..45bd4a3a 100644
--- a/charts/cbcontainers-agent/cbcontainers-agent-chart/Chart.yaml
+++ b/charts/cbcontainers-agent/cbcontainers-agent-chart/Chart.yaml
@@ -3,4 +3,4 @@ name: cbcontainers-agent
 description: A Helm chart for installing the CBContainers Agent
 type: application
 version: 2.0.0
-appVersion: "main"
+appVersion: "3.0.2"