

add globalimagepullsecret configuration
Signed-off-by: rksharma95 <[email protected]>
rksharma95 committed Nov 5, 2024
1 parent fd94d6f commit 37bdfeb
Showing 4 changed files with 81 additions and 84 deletions.
17 changes: 15 additions & 2 deletions deployments/helm/KubeArmor/templates/_helpers.tpl
@@ -1,3 +1,16 @@
# template to add imagePullSecrets

{{- define "imagePullSecrets" -}}
imagePullSecrets:
{{- range .globalImagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}


# template to check if a node is present with apparmor as enforcer
{{- define "hasApparmorEnforcer" -}}
{{- $nodes := index . 0 -}}
Expand Down Expand Up @@ -197,8 +210,8 @@ spec:
{{- end }}
{{- toYaml $.Values.volumeMounts.init.bpf | trim | nindent 10 }}
{{- end }}
{{- if $.Values.kubearmor.imagePullSecrets -}}
{{- toYaml $.Values.kubearmor.imagePullSecrets | trim | nindent 6 }}
{{- if or $.Values.globalImagePullSecrets .Values.kubearmor.imagePullSecrets }}
{{- include "imagePullSecrets" (dict "globalImagePullSecrets" $.Values.globalImagePullSecrets "imagePullSecrets" $.Values.kubearmor.imagePullSecrets) | trim | nindent 6 }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
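Review bot: The new condition in the second hunk mixes `$.Values.globalImagePullSecrets` with an unqualified `.Values.kubearmor.imagePullSecrets`, while the neighbouring lines (`$.Values.volumeMounts.init.bpf` above, and the `include` argument on the next line) all go through `$.Values`; if this block sits inside a `range` or `with` (its enclosing `spec` starts outside the hunk), `.Values` is no longer the chart root there and the per-component list is silently dropped, so it should read `{{- if or $.Values.globalImagePullSecrets $.Values.kubearmor.imagePullSecrets }}`. Separately, the new `imagePullSecrets` template renders every entry as `- name: {{ . }}`, so both lists must now be plain secret names; the removed `toYaml` lines suggest existing values may have used the Kubernetes object form (`- name: foo`), which would render as `- name: map[name:foo]` after this change — worth confirming against values.yaml and calling out as a breaking value-schema change in the chart notes. The same shape concern applies to the relay and controller blocks in deployment.yaml.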
8 changes: 4 additions & 4 deletions deployments/helm/KubeArmor/templates/deployment.yaml
Expand Up @@ -43,8 +43,8 @@ spec:
volumeMounts:
{{- toYaml .Values.kubearmorRelay.tls.certVolumeMount | trim | nindent 10 }}
{{- end}}
{{- if .Values.kubearmorRelay.imagePullSecrets -}}
{{- toYaml .Values.kubearmorRelay.imagePullSecrets | trim | nindent 6 }}
{{- if or .Values.globalImagePullSecrets .Values.kubearmorRelay.imagePullSecrets }}
{{- include "imagePullSecrets" (dict "globalImagePullSecrets" .Values.globalImagePullSecrets "imagePullSecrets" .Values.kubearmorRelay.imagePullSecrets) | trim | nindent 6 }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
Expand Down Expand Up @@ -157,8 +157,8 @@ spec:
capabilities:
drop:
- ALL
{{- if .Values.kubearmorController.imagePullSecrets -}}
{{- toYaml .Values.kubearmorController.imagePullSecrets | trim | nindent 6 }}
{{- if or .Values.globalImagePullSecrets .Values.kubearmorController.imagePullSecrets }}
{{- include "imagePullSecrets" (dict "globalImagePullSecrets" .Values.globalImagePullSecrets "imagePullSecrets" .Values.kubearmorController.imagePullSecrets) | trim | nindent 6 }}
{{- end }}
securityContext:
runAsNonRoot: true
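Review bot: The helper included in both the relay and controller hunks is named `imagePullSecrets` with no chart prefix; Helm named templates share one global namespace across a chart and its subcharts, and when two templates share a name the last one loaded wins, so a dependency defining its own `imagePullSecrets` would silently replace the output rendered here. Naming it `kubearmor.imagePullSecrets` in `_helpers.tpl` and at both `include` sites (`{{- include "kubearmor.imagePullSecrets" (dict ...) | trim | nindent 6 }}`) avoids that collision. Both enclosing `spec` blocks begin outside the hunks.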
131 changes: 58 additions & 73 deletions deployments/helm/KubeArmor/values.yaml
Expand Up @@ -26,16 +26,14 @@ globalRegistry: kubearmor
# it would be useful in cases where all the container images should be
# used from a particular registry for example on marketplaces
useGlobalRegistryForVendorImages: false

globalImagePullSecrets: []
seccomp:
enabled: false
profiles:
kubearmor: kubearmor-seccomp.json
kubearmorInit: kubearmor-init-seccomp.json

tls:
enabled: false

kubearmorRelay:
# to enable/disable kubearmor-relay
enabled: true
Expand Down Expand Up @@ -64,40 +62,37 @@ kubearmorRelay:
enableStdoutLogs: "false"
enableStdoutAlerts: "false"
enableStdoutMsg: "false"

tls:
extraDnsNames: ["localhost"]
extraIpAddresses: ["127.0.0.1"]
tlsCertPath: /var/lib/kubearmor/tls
tlsCertProvider: external
certSecretName: kubearmor-relay-server-certs
certVolumeMount:
- mountPath: /var/lib/kubearmor/tls
name: kubearmor-relay-certs-secrets
readOnly: true
- mountPath: /var/lib/kubearmor/tls
name: kubearmor-relay-certs-secrets
readOnly: true
certVolume:
- name: kubearmor-relay-certs-secrets
projected:
defaultMode: 0444
sources:
- secret:
name: kubearmor-relay-server-certs
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
- key: ca.crt
path: ca.crt
- secret:
name: kubearmor-client-certs
items:
- key: tls.crt
path: client.crt
- key: tls.key
path: client.key


- name: kubearmor-relay-certs-secrets
projected:
defaultMode: 0444
sources:
- secret:
name: kubearmor-relay-server-certs
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
- key: ca.crt
path: ca.crt
- secret:
name: kubearmor-client-certs
items:
- key: tls.crt
path: client.crt
- key: tls.key
path: client.key
kubearmorInit:
deploy: true
image:
Expand All @@ -110,8 +105,6 @@ kubearmorInit:
# kubearmor-init imagePullPolicy
imagePullPolicy: Always
args: []


kubeRbacProxy:
image:
# it will be override if
Expand All @@ -124,7 +117,6 @@ kubeRbacProxy:
# kube-rbac-proxy imagePullPolicy
imagePullPolicy: Always
args: []

kubearmorController:
name: kubearmor-controller
# kubearmor-controller replicas
Expand All @@ -149,8 +141,6 @@ kubearmorController:
tolerations: []
# https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
priorityClassName: ""


kubearmorConfigMap:
defaultFilePosture: audit
defaultCapabilitiesPosture: audit
Expand All @@ -159,7 +149,6 @@ kubearmorConfigMap:
alertThrottling: true
maxAlertPerSec: 10
throttleSec: 30

#volume mounts and volumes
kubearmor:
image:
Expand All @@ -169,7 +158,6 @@ kubearmor:
repository: kubearmor
# kubearmor daemonset image tag
tag: stable

# kubearmor daemonset imagePullPolicy
imagePullPolicy: Always
# imagePullSecrets:
Expand All @@ -181,29 +169,27 @@ kubearmor:
tolerations: []
# https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
priorityClassName: ""

tls:
tlsCertPath: /var/lib/kubearmor/tls
tlsCertProvider: self
caSecretName: kubearmor-ca
clientCertSecretName: kubearmor-client-certs
kubearmorCACertVolumeMount:
- mountPath: /var/lib/kubearmor/tls
name: kubearmor-ca-secret
readOnly: true
- mountPath: /var/lib/kubearmor/tls
name: kubearmor-ca-secret
readOnly: true
kubearmorCACertVolume:
- name: kubearmor-ca-secret
projected:
defaultMode: 0444
sources:
- secret:
name: kubearmor-ca
items:
- key: tls.crt
path: ca.crt
- key: tls.key
path: ca.key

- name: kubearmor-ca-secret
projected:
defaultMode: 0444
sources:
- secret:
name: kubearmor-ca
items:
- key: tls.crt
path: ca.crt
- key: tls.key
path: ca.key
volumes:
common:
- hostPath:
Expand All @@ -218,18 +204,17 @@ volumes:
name: etc-apparmor-d-path
init:
bpf:
- emptyDir: {}
name: bpf
kernelHeader:
- hostPath:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path

- emptyDir: {}
name: bpf
kernelHeader:
- hostPath:
path: /lib/modules
type: DirectoryOrCreate
name: lib-modules-path
- hostPath:
path: /usr/src
type: Directory
name: usr-src-path
volumeMounts:
common:
- mountPath: /sys/kernel/debug
Expand All @@ -253,12 +238,12 @@ volumeMounts:
readOnly: true
init:
bpf:
- mountPath: /opt/kubearmor/BPF
name: bpf
kernelHeader:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /usr/src
name: usr-src-path
readOnly: true
- mountPath: /opt/kubearmor/BPF
name: bpf
kernelHeader:
- mountPath: /lib/modules
name: lib-modules-path
readOnly: true
- mountPath: /usr/src
name: usr-src-path
readOnly: true
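Review bot: `globalImagePullSecrets: []` is added at the top level without a comment, although the neighbouring settings (`useGlobalRegistryForVendorImages`, the `kubearmorRelay` keys) each carry one; a reader cannot tell from the key alone that it takes secret names rather than `{name: ...}` objects, or that it is merged with each component's own `imagePullSecrets` list. Suggested comment above it: `# secret names added as imagePullSecrets to every KubeArmor workload, in addition to each component's own imagePullSecrets`. The remaining hunks in this file appear to only drop blank lines between top-level stanzas and re-indent the `certVolume`, `kubearmorCACertVolume`, `volumes` and `volumeMounts` lists, which accounts for most of the 58/73 diffstat and buries the single functional change; that whitespace pass would read better as its own commit.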
9 changes: 4 additions & 5 deletions deployments/helm/KubeArmorOperator/values.yaml
Expand Up @@ -8,6 +8,7 @@ imagePinning: false
# on marketplaces, in-general kubearmorconfig is recommended
# to set image references
oci_meta:
# assing as registry/repo
repo: kubearmor
images:
kubearmor:
Expand All @@ -30,11 +31,10 @@ oci_meta:
tag: latest
kubeRbacProxy:
image: kube-rbac-proxy
tag: v0.15.0

tag: v0.15.0 # if changed, change version in ../../Makefile as well
snitch:
name: kubearmor-snitch
image:
image:
repository: kubearmor/kubearmor-snitch
tag: latest
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -80,12 +80,11 @@ kubearmorConfig:
alertThrottling: true
maxAlertPerSec: 10
throttleSec: 30

# DO NOT CHANGE THIS VALUES
# changing these values will require code changes with the operator
# these secret names should match with the secrets managed by the operator
tlsSecrets:
kubearmorCa: kubearmor-ca
kubearmorClient: kubearmor-client-certs
relayServer: kubearmor-relay-server-certs
controllerWebhook: kubearmor-controller-webhook-server-cert
controllerWebhook: kubearmor-controller-webhook-server-cert
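Review bot: The comment added under `oci_meta` reads `# assing as registry/repo`; it should be `# assign as registry/repo`, and since the key it annotates is `repo` with value `kubearmor`, `# set as registry/repo, e.g. kubearmor` would be clearer still. The inline note on `tag: v0.15.0` about keeping `../../Makefile` in sync is useful, but it will be missed by anyone overriding the value with `--set`; a one-line mention in the chart README would make that coupling visible outside this file.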

