Commit

2.15.1: k8s 1.25 adjustments; custom annotations; daemonsets rollout (#102)

* inventory agent 1.7.1:
- adjust support for PSP and CronJobs in k8s 1.25
- fix memory footprint issue in large clusters
* support for custom pod annotations for cloudguard agents
* improve daemonsets rollout
chkp-alexgl authored Oct 18, 2022
1 parent 2f87491 commit 8b8b9a1
Showing 10 changed files with 145 additions and 55 deletions.
4 changes: 2 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.15.0
appVersion: 2.15.1
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand All @@ -20,4 +20,4 @@ keywords:
- ecr
- ecs
name: cloudguard
version: 2.15.0
version: 2.15.1
19 changes: 18 additions & 1 deletion checkpoint/cloudguard/README.md
Expand Up @@ -83,6 +83,12 @@ Specify each parameter by adding `--set key=value[,key=value]` to the `helm inst
$ helm install my-release checkpoint/cloudguard --set varname=value
```

For parameters which are dictionaries or arrays, make sure to use the proper syntax, for example:

```bash
$ ... --set addons.admissionControl.enforcer.podAnnotations.custom."aa\.bb/cc-dd"="ee\.ff/gg-hh"
```

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

```bash
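Review bot: the sentence opening this hunk promises syntax for "dictionaries or arrays", but the example only covers a dictionary key; either add an array form beside it (Helm accepts `--set list[0]=value` and `--set list={a,b}`) or narrow the sentence to dictionaries. It would also help to say why the escaping is needed: without `\.`, Helm splits `aa.bb/cc-dd` into nested keys `aa` and `bb/cc-dd`, and the annotation silently ends up under the wrong name. The backslash is only required in the key; Helm strips it from the value as well, so `ee\.ff/gg-hh` renders as `ee.ff/gg-hh`, which works but suggests to readers that values need escaping when they do not.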
Expand Down Expand Up @@ -132,16 +138,19 @@ The following table list the configurable parameters of this chart and their def
| `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` |
| `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
| `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |
| `podAnnotations.custom` | Custom Pod annotations (for all agent Pods) | `{}` |
| `priorityClassName` | Specifies custom priorityClassName | `` |
| `daemonSetStrategy.rollingUpdate.maxUnavailable` | Maximum unavailabe daemonset pods during a rolling update | `50%` |
| `inventory.agent.image` | Specify image for the agent | `checkpoint/consec-inventory-agent` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.6.1` |
| `inventory.agent.tag` | Specify image tag for the agent | `1.7.1` |
| `inventory.agent.serviceAccountName` | Specify custom Service Account for the Inventory agent | `` |
| `inventory.agent.replicaCount` | Number of Inventory agent instances to be deployed | `1` |
| `inventory.agent.env` | Additional environmental variables for Inventory agent | `{}` |
| `inventory.agent.resources` | Resources restriction (e.g. CPU, memory) for Inventory agent | `{}` |
| `inventory.agent.nodeSelector` | Node labels for pod assignment for Inventory agent | `{}` |
| `inventory.agent.tolerations` | List of node taints to tolerate for Inventory agent | `[]` |
| `inventory.agent.affinity` | Affinity settings for Inventory agent | `{}` |
| `inventory.agent.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `inventory.priorityClassName` | Specifies custom priorityClassName | `` |
| `addons.imageScan.enabled` | Specifies whether the Image Scan addon should be installed | `false` |
| `addons.imageScan.priorityClassName` | Specifies custom priorityClassName | `` |
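Review bot: typo in the new `daemonSetStrategy.rollingUpdate.maxUnavailable` row: "unavailabe" should be "unavailable". Because this knob governs the security DaemonSets (runtime protection, flow logs, image scan daemon), the description should spell out the trade-off: `50%` halves rollout time but leaves half the nodes without the agent while their pods are replaced, so operators who cannot tolerate that gap should lower it (the Kubernetes default is `1`).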
Expand All @@ -154,6 +163,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.daemon.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.imageScan.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.imageScan.daemon.affinity` | Affinity setting | `{}` |
| `addons.imageScan.daemon.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.imageScan.daemon.shim.image` | Specify image for the shim container | `checkpoint/consec-imagescan-shim` |
| `addons.imageScan.daemon.shim.tag` | Specify image tag for the shim container |`2.15.0` |
| `addons.imageScan.daemon.shim.env` | Additional environmental variables for the shim container | `{}` |
Expand All @@ -167,6 +177,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.engine.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.imageScan.engine.tolerations` | List of node taints to tolerate | `[]` |
| `addons.imageScan.engine.affinity` | Affinity setting | `{}` |
| `addons.imageScan.engine.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.imageScan.list.image` | Specify image for the agent | `checkpoint/consec-imagescan-engine` |
| `addons.imageScan.list.tag` | Specify image tag for the agent |`2.15.0` |
| `addons.imageScan.list.serviceAccountName` | Specify custom Service Account for the agent | `` |
Expand All @@ -175,6 +186,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.imageScan.list.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.imageScan.list.tolerations` | List of node taints to tolerate | `[]` |
| `addons.imageScan.list.affinity` | Affinity setting | `{}` |
| `addons.imageScan.list.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.flowLogs.enabled` | Specifies whether the Flow Logs addon should be installed | `false` |
| `addons.flowLogs.priorityClassName` | Specifies custom priorityClassName | `` |
| `addons.flowLogs.daemon.image` | Specify image for the agent | `checkpoint/consec-flowlogs-daemon` |
Expand All @@ -186,6 +198,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.flowLogs.daemon.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.flowLogs.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.flowLogs.daemon.affinity` | Affinity setting | `{}` |
| `addons.flowLogs.daemon.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.admissionControl.enabled` | Specify whether the Admission Control addon should be installed | `false` |
| `addons.admissionControl.priorityClassName` | Specifies custom priorityClassName | `` |
| `addons.admissionControl.policy.image` | Specify image for the agent | `checkpoint/consec-admission-policy` |
Expand All @@ -196,6 +209,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.admissionControl.policy.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.admissionControl.policy.tolerations` | List of node taints to tolerate | `[]` |
| `addons.admissionControl.policy.affinity` | Affinity setting | `{}` |
| `addons.admissionControl.policy.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.admissionControl.enforcer.image` | Specify image for the agent | `checkpoint/consec-admission-enforcer` |
| `addons.admissionControl.enforcer.tag` | Specify image tag for the agent |`2.2.0` |
| `addons.admissionControl.enforcer.serviceAccountName` | Specify custom Service Account for the agent | `` |
Expand All @@ -205,6 +219,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.admissionControl.enforcer.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.admissionControl.enforcer.tolerations` | List of node taints to tolerate | `[]` |
| `addons.admissionControl.enforcer.affinity` | Affinity setting | `{}` |
| `addons.admissionControl.enforcer.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.runtimeProtection.enabled` | Specifies whether the Runtime Protection addon should be installed | `false` |
| `addons.runtimeProtection.priorityClassName` | Specifies custom priorityClassName | `` |
| `addons.runtimeProtection.daemon.image` | Specify image for the agent | `checkpoint/consec-runtime-daemon` |
Expand All @@ -224,6 +239,7 @@ The following table list the configurable parameters of this chart and their def
| `addons.runtimeProtection.daemon.nodeSelector` | Node labels for pod assignment | `beta.kubernetes.io/os: linux ` |
| `addons.runtimeProtection.daemon.tolerations` | List of node taints to tolerate | `operator: Exists` |
| `addons.runtimeProtection.daemon.affinity` | Affinity setting | `{}` |
| `addons.runtimeProtection.daemon.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
| `addons.runtimeProtection.policy.image` | Specify image for the agent | `checkpoint/consec-runtime-policy` |
| `addons.runtimeProtection.policy.tag` | Specify image tag for the agent |`1.2.0` |
| `addons.runtimeProtection.policy.serviceAccountName` | Specify custom Service Account for the agent | `` |
Expand All @@ -232,3 +248,4 @@ The following table list the configurable parameters of this chart and their def
| `addons.runtimeProtection.policy.nodeSelector` | Node labels for pod assignment | `{}` |
| `addons.runtimeProtection.policy.tolerations` | List of node taints to tolerate | `[]` |
| `addons.runtimeProtection.policy.affinity` | Affinity setting | `{}` |
| `addons.runtimeProtection.policy.podAnnotations.custom` | Custom Pod annotations (for Pods of this agent) | `{}` |
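Review bot: every per-agent `*.podAnnotations.custom` row says "for Pods of this agent", but nowhere in the README is it stated how these combine with the global `podAnnotations.custom` added higher up in the table. State that both are applied to the agent's pods and which one wins when the same annotation key is set in both; without that, users cannot tell whether a per-agent value overrides or duplicates the global one.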
25 changes: 24 additions & 1 deletion checkpoint/cloudguard/defaults.yaml
Expand Up @@ -42,6 +42,7 @@ imagePullPolicy: Always
podAnnotations:
seccomp: runtime/default
apparmor: {}
custom: {}

## Proxy settings
## Examples:
Expand All @@ -55,13 +56,17 @@ platform: kubernetes # kubernetes, openshift, openshift.v3 or tanzu
seccompProfile:
type: RuntimeDefault

daemonSetStrategy:
rollingUpdate:
maxUnavailable: 50%

### Inventory agent settings
inventory:
agent:

## Specify image and tag
image: checkpoint/consec-inventory-agent
tag: 1.6.1
tag: 1.7.1

## Specify existing service account name ("" to create)
serviceAccountName: ""
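Review bot: the new `daemonSetStrategy` block has no explanatory comment, unlike the neighbouring sections (`## Specify image and tag`, `### Inventory agent settings`). Add a `##` comment saying it applies to every DaemonSet the chart renders and what `maxUnavailable` controls; `50%` is a deliberate departure from the Kubernetes DaemonSet default of `1`, and the reasoning for that choice belongs next to the value.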
Expand All @@ -86,6 +91,8 @@ inventory:
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations:
custom: {}

### Addons configuration
### Each addon may be disabled
Expand Down Expand Up @@ -148,6 +155,8 @@ addons:
tolerations:
- operator: Exists
affinity: {}
podAnnotations:
custom: {}


engine:
Expand Down Expand Up @@ -178,6 +187,8 @@ addons:
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations:
custom: {}

list:
## Specify image and tag
Expand Down Expand Up @@ -205,6 +216,8 @@ addons:
nodeSelector: { }
tolerations: [ ]
affinity: { }
podAnnotations:
custom: {}


## Flow Logs Add-on
Expand Down Expand Up @@ -241,6 +254,8 @@ addons:
tolerations:
- operator: Exists
affinity: {}
podAnnotations:
custom: {}

## Admission Control Add-on
admissionControl:
Expand Down Expand Up @@ -271,6 +286,8 @@ addons:
nodeSelector: {}
affinity: {}
tolerations: []
podAnnotations:
custom: {}

enforcer:
## Specify image and tag
Expand Down Expand Up @@ -301,6 +318,8 @@ addons:
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations:
custom: {}


## Runtime Protection Add-on
Expand Down Expand Up @@ -368,6 +387,8 @@ addons:
tolerations:
- operator: Exists
affinity: {}
podAnnotations:
custom: {}

policy:
## Main container settings
Expand Down Expand Up @@ -397,3 +418,5 @@ addons:
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations:
custom: {}
16 changes: 16 additions & 0 deletions checkpoint/cloudguard/templates/_helpers.tpl
Expand Up @@ -81,6 +81,16 @@ seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}:
{{ toYaml .Values.podAnnotations.apparmor | indent 2 }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- if .Values.podAnnotations.custom }}
{{ toYaml .Values.podAnnotations.custom }}
{{- end }}
{{- end }}
{{- if .agentConfig.podAnnotations }}
{{- if .agentConfig.podAnnotations.custom }}
{{ toYaml .agentConfig.podAnnotations.custom }}
{{- end }}
{{- end }}
{{- end -}}

{{- /* Pod properties commonly used in agents */ -}}
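Review bot: the two new blocks emit `.Values.podAnnotations.custom` and `.agentConfig.podAnnotations.custom` as separate YAML fragments under the same `annotations:` map, so an annotation key set in both appears twice and the rendered manifest carries a duplicate mapping key, which YAML parsers either reject or resolve unpredictably. Merge the two maps before rendering so precedence is defined, for example `{{ toYaml (merge (deepCopy .agentConfig.podAnnotations.custom) .Values.podAnnotations.custom) }}`, which lets the per-agent value override the global one (sprig `merge` gives the first argument precedence); keep the `if` guards, since `toYaml` of an empty map would otherwise render a stray `{}`.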
Expand Down Expand Up @@ -443,3 +453,9 @@ true
{{- fail $err -}}
{{- end -}}
{{- end -}}

{{- define "daemonset.updateStrategy" }}
updateStrategy:
rollingUpdate:
maxUnavailable: {{ .Values.daemonSetStrategy.rollingUpdate.maxUnavailable }}
{{- end -}}
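Review bot: `daemonset.updateStrategy` emits `rollingUpdate` without `type: RollingUpdate`; that is the DaemonSet default so it works, but naming the type makes the intent explicit and keeps the block self-describing. The helper also dereferences `.Values.daemonSetStrategy.rollingUpdate.maxUnavailable` unguarded, so a values file that sets `daemonSetStrategy: null`, or a consumer that does not merge `defaults.yaml`, fails at render time with a nil pointer error; wrap the block in an `if` or apply `default "50%"` to the value.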
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ spec:
selector:
matchLabels:
{{ include "common.labels" $config | indent 6 }}
{{ include "daemonset.updateStrategy" $config | indent 2}}
template:
metadata:
annotations:
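Review bot: the placement of `{{ include "daemonset.updateStrategy" $config | indent 2}}` is right (it lands under `spec:` beside `selector`), but check that none of the three DaemonSet templates already carries an `updateStrategy:` block further down in `spec`, since the helper would then produce a duplicate key. Cosmetic: add a space before the closing `}}` to match `{{ include "common.labels" $config | indent 6 }}` on the line above.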
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ spec:
selector:
matchLabels:
{{ include "common.labels" $config | indent 6 }}
{{ include "daemonset.updateStrategy" $config | indent 2}}
template:
metadata:
annotations:
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,12 @@ spec:
- name: USE_CRONJOB_BETA
value: "true"
{{- end }}
{{- if or (has "policy/v1beta1/PodSecurityPolicy" .Capabilities.APIVersions) (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) }}
- name: USE_POD_SECURITY_POLICY
value: "true"
{{- end }}
{{ include "common.env" $config | indent 8 }}
volumes:
- name: secret-volume
secret:
secretName: {{ .Release.Name }}-cp-cloudguard-creds
secretName: {{ .Release.Name }}-cp-cloudguard-creds
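Review bot: the PSP guard behaves correctly on a live cluster (`has "policy/v1beta1/PodSecurityPolicy" .Capabilities.APIVersions` is true only where the API is still served, and `semverCompare "<1.25-0"` uses the `-0` suffix so pre-release build versions compare as intended), but the offline case deserves a comment: `helm template` without `--api-versions`/`--kube-version` sees only Helm's built-in API list and a stubbed KubeVersion, so the rendered env can differ from a real install, and CI that diffs rendered manifests should pin both flags. If the version fallback exists only for that offline case, say so next to it, because on a real cluster the API check alone is decisive. Lastly, the hunk ends with `secretName:` shown twice; that looks like a trailing whitespace or end-of-file newline change rather than an intended edit and is worth a glance before merging.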
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ spec:
selector:
matchLabels:
{{ include "common.labels" $config | indent 6 }}
{{ include "daemonset.updateStrategy" $config | indent 2}}
template:
metadata:
annotations:
Binary file added repository/cloudguard-2.15.1.tgz