2.29.0: Runtime Protection daemon 1.16.2: enhancements (#148)

Runtime Protection daemon 1.16.2
- Improved File Reputation Blade for Reduced False Positives
- Improved memory management

checkpoint/cloudguard/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.28.0
+appVersion: 2.29.0
 description: A Helm chart for Check Point CloudGuard Workload Security
 home: https://portal.checkpoint.com
 icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -34,4 +34,4 @@ keywords:
 - gke
 - autopilot
 name: cloudguard
-version: 2.28.0
+version: 2.29.0

checkpoint/cloudguard/README.md

@@ -192,6 +192,17 @@ The following table list the configurable parameters of this chart and their def
 | `addons.imageScan.list.tolerations`                        | List of node taints to tolerate                                 | `[]`                                             |
 | `addons.imageScan.list.affinity`                           | Affinity setting                                                | `{}`                                             |
 | `addons.imageScan.list.podAnnotations.custom`              | Custom Pod annotations (for Pods of this agent)                 | `{}`                                             |
+| `addons.imageScan.armon.enabled`               | Specifies whether the Image Access Runtime Monitor addon should be installed        | `false`                                          |
+| `addons.imageScan.armon.image`                 | Specify image for the agent                                     | `checkpoint/consec-imagescan-armon`             |
+| `addons.imageScan.armon.tag`                   | Specify image tag for the agent                                 | see defaults.yaml                                           |
+| `addons.imageScan.armon.serviceAccountName`    | Specify custom Service Account for the agent                    | ``                                               |
+| `addons.imageScan.armon.env`                   | Additional environmental variables for the agent                | `{}`                                             |
+| `addons.imageScan.armon.resources`             | Resources restriction (e.g. CPU, memory)                        | see defaults.yaml                                             |
+| `addons.imageScan.armon.nodeSelector`          | Node labels for pod assignment                                  | see below                                             |
+| `addons.imageScan.armon.tolerations`           | List of node taints to tolerate                                 | `operator: Exists`                               |
+| `addons.imageScan.armon.affinity`              | Affinity setting                                                | see below                                             |
+| `addons.imageScan.armon.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent)                 | `{}`                                             |
+| `addons.imageScan.armon.priorityClassName`     | Specifies custom priorityClassName (for Pods of this daemonset) | `system-node-critical`                           |
 | `addons.imageScan.daemonConfigurationOverrides`            | Overrides for multiple daemonSets with different configuration values                | see below                                              |
 | `addons.flowLogs.enabled`                                  | Specifies whether the Flow Logs addon should be installed       | `false`                                          |
 | `addons.flowLogs.priorityClassName`                        | Specifies custom priorityClassName                              | `system-cluster-critical`                        |

checkpoint/cloudguard/defaults.yaml

@@ -107,6 +107,7 @@ addons:
     enabled: false
     mountPodman : false
     priorityClassName: "system-cluster-critical"
+
     daemon:
       priorityClassName: "system-node-critical"
       ## Specify image and tag
@@ -230,6 +231,42 @@ addons:
       podAnnotations:
         custom: {}
 
+    # Image Access Runtime Monitor
+    armon:
+      enabled: false
+      priorityClassName: "system-node-critical"
+      ## Specify image and tag
+      image: checkpoint/consec-imagescan-armon
+      tag: 0.1.2
+
+      ## Specify existing service account name ("" to create)
+      serviceAccountName: ""
+
+
+      ## Extra environment variables passed to the container
+      env: []
+
+      ## Configure resource requests and limits
+      ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+      resources:
+        requests:
+          cpu: 100m
+          memory: 500Mi
+        limits:
+          cpu: 100m
+          memory: 500Mi
+
+      ## Configuration options for nodeSelector, tolerations and affinity for pod
+      ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      tolerations:
+      - operator: Exists
+      affinity: {}
+      podAnnotations:
+        custom: {}
+
 
 ## Flow Logs Add-on
   flowLogs:
@@ -351,7 +388,7 @@ addons:
       ## Main container settings
       ## Specify image and tag
       image: checkpoint/consec-runtime-daemon
-      tag: 1.14.0
+      tag: 1.16.2
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""

checkpoint/cloudguard/templates/imagescan/armon/_helpers.tpl

@@ -0,0 +1,10 @@
+{{- define "imagescan.armon.config" -}}
+{{- $config := (include "get.root" .) | fromYaml -}}
+{{- $_ := set $config "featureName" "imagescan" -}}
+{{- $_ := set $config "agentName" "armon" -}}
+{{- $_ := set $config "featureConfig" $config.Values.addons.imageScan -}}
+{{- /*  special Case for fileaccess daemonSet name to be different than daemon*/ -}}
+{{- $_ := set $config "daemonConfigName" "armon" -}}
+{{- $_ := set $config "agentConfig" $config.Values.addons.imageScan.armon -}}
+{{- $config | toYaml -}}
+{{- end -}}

checkpoint/cloudguard/templates/imagescan/armon/clusterrole.yaml

@@ -0,0 +1,22 @@
+{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
+{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "agent.resource.name" $config }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "common.labels.with.chart" $config | indent 4 }}
+rules:
+- apiGroups: [""]
+  resources: [ "pods", "nodes"]
+  verbs: [ "list", "get" ]
+
+- apiGroups: ["apps"]
+  resources: [ "daemonsets", "deployments", "replicasets", "statefulsets"]
+  verbs: [ "list", "get" ]
+
+- apiGroups: [ "batch" ]
+  resources: [ "jobs", "cronjobs" ]
+  verbs: [ "list", "get" ]
+{{- end -}}

checkpoint/cloudguard/templates/imagescan/armon/clusterrolebinding.yaml

@@ -0,0 +1,18 @@
+{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
+{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "agent.resource.name" $config }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "common.labels.with.chart" $config | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "agent.resource.name" $config }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "agent.service.account.name" $config }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}

checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml

@@ -0,0 +1,96 @@
+{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" $.Files -}}
+{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "daemonset.daemon.resource.name" $config }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+{{ include "common.labels.with.chart" $config | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+{{ include "common.labels" $config | indent 6 }}
+{{ include "daemonset.updateStrategy" $config | indent 2}}
+  template:
+    metadata:
+      annotations:
+{{ include "common.pod.annotations" $config | indent 8 }}
+      labels:
+{{ include "common.labels" $config | indent 8 }}
+    spec:
+{{ include "common.pod.properties" $config | indent 6 }}
+      containers:
+      - name: {{ $config.agentName }}
+        image: {{ template "agent.main.image" $config }}
+        imagePullPolicy: {{ $config.Values.imagePullPolicy }}
+        securityContext:
+        {{- if contains "openshift" $config.platform }}
+          seLinuxOptions:
+              type: spc_t
+        {{- end }}  
+          runAsUser: 0
+          capabilities:
+            add:
+            - SYS_RESOURCE  # setrlimit
+            - SYS_ADMIN     # bpf
+            - IPC_LOCK      # lock memory for bpf kernel >= 5.11
+        volumeMounts:
+        - name: secret-volume
+          mountPath: /etc/secret-volume
+        {{- if eq $config.containerRuntime "docker" }}
+        - mountPath: /var/run/docker.sock
+          name: docker-sock
+          readOnly: true
+        {{- else if eq $config.containerRuntime "containerd" }}
+        - mountPath: /run/containerd/containerd.sock
+          name: containerd-sock
+          readOnly: true
+        {{- else if eq $config.containerRuntime "cri-o" }}
+        - mountPath: /var/run/crio/crio.sock
+          name: crio-sock
+          readOnly: true
+        {{- end }}
+{{- if $config.agentConfig.resources }}
+        resources:
+{{ toYaml $config.agentConfig.resources | indent 10 }}
+{{- end }}
+        env: 
+        - name: REPORT_USE_DOME9_AGENT_CFG
+          value: "1"
+        - name: "REPORT_POST_ENDPOINT"
+          value: "/imageaccessruntimemonitor" 
+        - name: "TELEMETRY_URL"
+          value: "https://eptelemetry.epmgmt.checkpoint.com/gwstats/services/antimalware/1_0_0/log"   
+        - name: "CONTAINERS_RUNTIME"
+          value: {{ $config.containerRuntime }}
+
+{{ include "common.env" $config | indent 8 }}
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: {{ template "cg.creds.secret.name" $config }}
+      {{- if eq $config.containerRuntime "docker" }}
+      - name: docker-sock
+        hostPath:
+        {{- if eq $config.platform "tanzu" }}
+          path: /var/vcap/sys/run/docker/docker.sock
+        {{- else }}
+          path: /var/run/docker.sock
+        {{- end }}
+          type: Socket
+      {{- else if eq $config.containerRuntime "containerd" }}
+      - name: containerd-sock
+        hostPath:
+          path: {{ include "containerd.sock.path" $config }}
+          type: Socket
+      {{- else if eq $config.containerRuntime "cri-o" }}
+      - name: crio-sock
+        hostPath:
+          path: /run/crio/crio.sock
+          type: Socket
+      {{- end }}   
+---        
+{{- end -}}

checkpoint/cloudguard/templates/imagescan/armon/role.yaml

@@ -0,0 +1,21 @@
+{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
+{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
+{{- if (contains "openshift" $config.platform) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "agent.resource.name" $config }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "common.labels.with.chart" $config | indent 4 }}
+rules:
+- apiGroups:
+  - security.openshift.io 
+  resourceNames:
+  - {{ template "agent.resource.name" $config }}
+  resources:
+  - securitycontextconstraints 
+  verbs: 
+  - use
+{{- end -}}
+{{- end -}}

checkpoint/cloudguard/templates/imagescan/armon/rolebinding.yaml

@@ -0,0 +1,20 @@
+{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
+{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
+{{- if (contains "openshift" $config.platform) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "agent.resource.name" $config }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "common.labels.with.chart" $config | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "agent.resource.name" $config }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "agent.service.account.name" $config }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}

checkpoint/cloudguard/templates/imagescan/armon/securitycontextconstraints.yaml

@@ -0,0 +1,31 @@
+{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
+{{- if and $config.featureConfig.enabled $config.agentConfig.enabled -}}
+{{- if (contains "openshift" $config.platform) -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ template "agent.resource.name" $config }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "common.labels.with.chart" $config | indent 4 }}
+allowPrivilegedContainer: false
+allowHostDirVolumePlugin: true
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+    - system:serviceaccount
+allowedCapabilities:
+    - SYS_RESOURCE  
+    - SYS_ADMIN  
+    - IPC_LOCK 
+volumes:
+    - hostPath
+    - secret
+{{- end -}}
+{{- end -}}

checkpoint/cloudguard/templates/imagescan/armon/serviceaccount.yaml

@@ -0,0 +1,10 @@
+{{- $config := fromYaml (include "imagescan.armon.config" .) -}}
+{{- if and $config.featureConfig.enabled $config.agentConfig.enabled (not $config.agentConfig.serviceAccountName) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "agent.resource.name" $config }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "common.labels.with.chart" $config | indent 4 }}
+{{- end -}}