From e0af6fe30d83fedede265f136c467f5ac4b380b7 Mon Sep 17 00:00:00 2001 
From: Adam Roberts Date: Wed, 30 Oct 2024 16:35:32 -0400 Subject: [PATCH] feat(rh-shield-operator): initial commit of the rh-shield-operator (#1991) --- rh-shield-operator/Dockerfile | 7 + rh-shield-operator/Makefile | 227 +++++++ rh-shield-operator/PROJECT | 20 + rh-shield-operator/bundle.Dockerfile | 20 + ...er-manager-metrics-service_v1_service.yaml | 19 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 13 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 27 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 23 + ...shield-operator.clusterserviceversion.yaml | 605 ++++++++++++++++++ .../manifests/shield.sysdig.com_shields.yaml | 50 ++ .../bundle/metadata/annotations.yaml | 14 + .../bundle/tests/scorecard/config.yaml | 70 ++ .../crd/bases/shield.sysdig.com_shields.yaml | 44 ++ .../config/crd/kustomization.yaml | 6 + .../config/default/kustomization.yaml | 28 + .../default/manager_auth_proxy_patch.yaml | 40 ++ .../config/default/manager_config_patch.yaml | 10 + .../config/manager/kustomization.yaml | 2 + .../config/manager/manager.yaml | 93 +++ ...shield-operator.clusterserviceversion.yaml | 72 +++ .../config/manifests/kustomization.yaml | 7 + .../config/prometheus/kustomization.yaml | 2 + .../config/prometheus/monitor.yaml | 21 + .../rbac/auth_proxy_client_clusterrole.yaml | 12 + .../config/rbac/auth_proxy_role.yaml | 20 + .../config/rbac/auth_proxy_role_binding.yaml | 15 + .../config/rbac/auth_proxy_service.yaml | 17 + .../config/rbac/kustomization.yaml | 24 + .../config/rbac/leader_election_role.yaml | 40 ++ .../rbac/leader_election_role_binding.yaml | 15 + rh-shield-operator/config/rbac/role.yaml | 79 +++ .../config/rbac/role_binding.yaml | 15 + .../config/rbac/service_account.yaml | 8 + .../config/rbac/shield_editor_role.yaml | 27 + .../config/rbac/shield_viewer_role.yaml | 23 + .../config/samples/kustomization.yaml | 4 + .../samples/shield_v1alpha1_shield.yaml | 269 ++++++++ .../config/scorecard/bases/config.yaml | 7 + .../config/scorecard/kustomization.yaml 
| 16 + .../scorecard/patches/basic.config.yaml | 10 + .../config/scorecard/patches/olm.config.yaml | 50 ++ rh-shield-operator/helm-charts/shield | 1 + rh-shield-operator/watches.yaml | 6 + 43 files changed, 2078 insertions(+) create mode 100644 rh-shield-operator/Dockerfile create mode 100644 rh-shield-operator/Makefile create mode 100644 rh-shield-operator/PROJECT create mode 100644 rh-shield-operator/bundle.Dockerfile create mode 100644 rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml create mode 100644 rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 rh-shield-operator/bundle/manifests/rh-shield-operator-shield-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 rh-shield-operator/bundle/manifests/rh-shield-operator-shield-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml create mode 100644 rh-shield-operator/bundle/manifests/shield.sysdig.com_shields.yaml create mode 100644 rh-shield-operator/bundle/metadata/annotations.yaml create mode 100644 rh-shield-operator/bundle/tests/scorecard/config.yaml create mode 100644 rh-shield-operator/config/crd/bases/shield.sysdig.com_shields.yaml create mode 100644 rh-shield-operator/config/crd/kustomization.yaml create mode 100644 rh-shield-operator/config/default/kustomization.yaml create mode 100644 rh-shield-operator/config/default/manager_auth_proxy_patch.yaml create mode 100644 rh-shield-operator/config/default/manager_config_patch.yaml create mode 100644 rh-shield-operator/config/manager/kustomization.yaml create mode 100644 rh-shield-operator/config/manager/manager.yaml create mode 100644 rh-shield-operator/config/manifests/bases/rh-shield-operator.clusterserviceversion.yaml create mode 100644 rh-shield-operator/config/manifests/kustomization.yaml 
create mode 100644 rh-shield-operator/config/prometheus/kustomization.yaml
create mode 100644 rh-shield-operator/config/prometheus/monitor.yaml
create mode 100644 rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml
create mode 100644 rh-shield-operator/config/rbac/auth_proxy_role.yaml
create mode 100644 rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml
create mode 100644 rh-shield-operator/config/rbac/auth_proxy_service.yaml
create mode 100644 rh-shield-operator/config/rbac/kustomization.yaml
create mode 100644 rh-shield-operator/config/rbac/leader_election_role.yaml
create mode 100644 rh-shield-operator/config/rbac/leader_election_role_binding.yaml
create mode 100644 rh-shield-operator/config/rbac/role.yaml
create mode 100644 rh-shield-operator/config/rbac/role_binding.yaml
create mode 100644 rh-shield-operator/config/rbac/service_account.yaml
create mode 100644 rh-shield-operator/config/rbac/shield_editor_role.yaml
create mode 100644 rh-shield-operator/config/rbac/shield_viewer_role.yaml
create mode 100644 rh-shield-operator/config/samples/kustomization.yaml
create mode 100644 rh-shield-operator/config/samples/shield_v1alpha1_shield.yaml
create mode 100644 rh-shield-operator/config/scorecard/bases/config.yaml
create mode 100644 rh-shield-operator/config/scorecard/kustomization.yaml
create mode 100644 rh-shield-operator/config/scorecard/patches/basic.config.yaml
create mode 100644 rh-shield-operator/config/scorecard/patches/olm.config.yaml
create mode 120000 rh-shield-operator/helm-charts/shield
create mode 100644 rh-shield-operator/watches.yaml
diff --git a/rh-shield-operator/Dockerfile b/rh-shield-operator/Dockerfile
new file mode 100644
index 000000000..fd6210a4c
--- /dev/null
+++ b/rh-shield-operator/Dockerfile
@@ -0,0 +1,7 @@
+# Build the manager binary
+FROM quay.io/operator-framework/helm-operator:v1.36.1
+
+ENV HOME=/opt/helm
+COPY watches.yaml ${HOME}/watches.yaml
+COPY helm-charts ${HOME}/helm-charts
+WORKDIR ${HOME}
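Review bot: `COPY helm-charts ${HOME}/helm-charts` copies a directory that this commit creates as a symlink (`helm-charts/shield`, mode 120000 in the diffstat), so a plain `docker build .` would copy the dangling link rather than the chart; only the `tar -czh . | docker build -` recipe in the Makefile's docker-build target dereferences it, and the docker-buildx target, which builds with `-f Dockerfile .`, would not. The header comment `# Build the manager binary` is also inaccurate for an image that builds nothing; suggest `# Helm-based operator image: the helm-operator binary comes from the base image; build via 'make docker-build' (tar -h dereferences the helm-charts/shield symlink)`. The base image is pinned by tag only; `FROM quay.io/operator-framework/helm-operator:v1.36.1@sha256:<DIGEST-PLACEHOLDER>` would make the build reproducible against a retagged base.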
diff --git a/rh-shield-operator/Makefile b/rh-shield-operator/Makefile
new file mode 100644
index 000000000..a6666cdcf
--- /dev/null
+++ b/rh-shield-operator/Makefile
@@ -0,0 +1,227 @@
+# VERSION defines the project version for the bundle.
+# Update this value when you upgrade the version of your project.
+# To re-generate a bundle for another specific version without changing the standard setup, you can:
+# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
+# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
+VERSION ?= 0.1.0
+
+# CHANNELS define the bundle channels used in the bundle.
+# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
+# To re-generate a bundle for other specific channels without changing the standard setup, you can:
+# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
+# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
+ifneq ($(origin CHANNELS), undefined)
+BUNDLE_CHANNELS := --channels=$(CHANNELS)
+endif
+
+# DEFAULT_CHANNEL defines the default channel used in the bundle.
+# Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable")
+# To re-generate a bundle for any other default channel without changing the default setup, you can:
+# - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable)
+# - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable")
+ifneq ($(origin DEFAULT_CHANNEL), undefined)
+BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
+endif
+BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
+
+# IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images.
+# This variable is used to construct full image tags for bundle and catalog images.
+#
+# For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
+# quay.io/sysdig/rh-shield-operator-bundle:$VERSION and quay.io/sysdig/rh-shield-operator-catalog:$VERSION.
+IMAGE_TAG_BASE ?= quay.io/sysdig/rh-shield-operator
+
+# BUNDLE_IMG defines the image:tag used for the bundle.
+# You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:)
+BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
+
+# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
+BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+
+# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
+# You can enable this value if you would like to use SHA Based Digests
+# To enable set flag to true
+USE_IMAGE_DIGESTS ?= false
+ifeq ($(USE_IMAGE_DIGESTS), true)
+ BUNDLE_GEN_FLAGS += --use-image-digests
+endif
+
+# Set the Operator SDK version to use. By default, what is installed on the system is used.
+# This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit.
+OPERATOR_SDK_VERSION ?= v1.36.1
+
+# Image URL to use all building/pushing image targets
+IMG ?= ${IMAGE_TAG_BASE}:v${VERSION}
+
+.PHONY: all
+all: docker-build
+
+##@ General
+
+# The help target prints out all targets with their descriptions organized
+# beneath their categories. The categories are represented by '##@' and the
+# target descriptions by '##'. The awk commands is responsible for reading the
+# entire set of makefiles included in this invocation, looking for lines of the
+# file as xyz: ## something, and then pretty-format the target and help. Then,
+# if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info on the usage of ANSI control characters for terminal formatting:
+# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info on the awk command:
+# http://linuxcommand.org/lc3_adv_awk.php
+
+.PHONY: help
+help: ## Display this help.
+ @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Build
+
+.PHONY: run
+run: helm-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
+ $(HELM_OPERATOR) run
+
+.PHONY: docker-build
+docker-build: ## Build docker image with the manager.
+ tar -czh . | docker build -t ${IMG} -
+
+.PHONY: docker-push
+docker-push: ## Push docker image with the manager.
+ docker push ${IMG}
+
+# PLATFORMS defines the target platforms for the manager image be build to provide support to multiple
+# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
+# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
+# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
+# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=> than the export will fail)
+# To properly provided solutions that supports more than one platform you should use this option.
+PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+.PHONY: docker-buildx
+docker-buildx: ## Build and push docker image for the manager for cross-platform support
+ - docker buildx create --name project-v3-builder
+ docker buildx use project-v3-builder
+ - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile .
+ - docker buildx rm project-v3-builder
+
+##@ Deployment
+
+.PHONY: install
+install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
+ $(KUSTOMIZE) build config/crd | kubectl apply -f -
+
+.PHONY: uninstall
+uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
+ $(KUSTOMIZE) build config/crd | kubectl delete -f -
+
+.PHONY: deploy
+deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+ cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+ $(KUSTOMIZE) build config/default | kubectl apply -f -
+
+.PHONY: undeploy
+undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
+ $(KUSTOMIZE) build config/default | kubectl delete -f -
+
+OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH := $(shell uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+
+.PHONY: kustomize
+KUSTOMIZE = $(shell pwd)/bin/kustomize
+kustomize: ## Download kustomize locally if necessary.
+ifeq (,$(wildcard $(KUSTOMIZE)))
+ifeq (,$(shell which kustomize 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p $(dir $(KUSTOMIZE)) ;\
+ curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.3.0/kustomize_v5.3.0_$(OS)_$(ARCH).tar.gz | \
+ tar xzf - -C bin/ ;\
+ }
+else
+KUSTOMIZE = $(shell which kustomize)
+endif
+endif
+
+.PHONY: helm-operator
+HELM_OPERATOR = $(shell pwd)/bin/helm-operator
+helm-operator: ## Download helm-operator locally if necessary, preferring the $(pwd)/bin path over global if both exist.
+ifeq (,$(wildcard $(HELM_OPERATOR)))
+ifeq (,$(shell which helm-operator 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p $(dir $(HELM_OPERATOR)) ;\
+ curl -sSLo $(HELM_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.36.1/helm-operator_$(OS)_$(ARCH) ;\
+ chmod +x $(HELM_OPERATOR) ;\
+ }
+else
+HELM_OPERATOR = $(shell which helm-operator)
+endif
+endif
+
+.PHONY: operator-sdk
+OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk
+operator-sdk: ## Download operator-sdk locally if necessary.
+ifeq (,$(wildcard $(OPERATOR_SDK)))
+ifeq (, $(shell which operator-sdk 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p $(dir $(OPERATOR_SDK)) ;\
+ curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OS)_$(ARCH) ;\
+ chmod +x $(OPERATOR_SDK) ;\
+ }
+else
+OPERATOR_SDK = $(shell which operator-sdk)
+endif
+endif
+
+.PHONY: bundle
+bundle: kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
+ $(OPERATOR_SDK) generate kustomize manifests -q
+ cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
+ $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS)
+ $(OPERATOR_SDK) bundle validate ./bundle
+
+.PHONY: bundle-build
+bundle-build: ## Build the bundle image.
+ docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
+
+.PHONY: bundle-push
+bundle-push: ## Push the bundle image.
+ $(MAKE) docker-push IMG=$(BUNDLE_IMG)
+
+.PHONY: opm
+OPM = $(LOCALBIN)/opm
+opm: ## Download opm locally if necessary.
+ifeq (,$(wildcard $(OPM)))
+ifeq (,$(shell which opm 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p $(dir $(OPM)) ;\
+ curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$(OS)-$(ARCH)-opm ;\
+ chmod +x $(OPM) ;\
+ }
+else
+OPM = $(shell which opm)
+endif
+endif
+
+# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0).
+# These images MUST exist in a registry and be pull-able.
+BUNDLE_IMGS ?= $(BUNDLE_IMG)
+
+# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0).
+CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION)
+
+# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image.
+ifneq ($(origin CATALOG_BASE_IMG), undefined)
+FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG)
+endif
+
+# Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'.
+# This recipe invokes 'opm' in 'semver' bundle add mode. For more information on add modes, see:
+# https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator
+.PHONY: catalog-build
+catalog-build: opm ## Build a catalog image.
+ $(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT)
+
+# Push the catalog image.
+.PHONY: catalog-push
+catalog-push: ## Push a catalog image.
+ $(MAKE) docker-push IMG=$(CATALOG_IMG)
diff --git a/rh-shield-operator/PROJECT b/rh-shield-operator/PROJECT
new file mode 100644
index 000000000..891d2255b
--- /dev/null
+++ b/rh-shield-operator/PROJECT
@@ -0,0 +1,20 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
+domain: sysdig.com
+layout:
+- helm.sdk.operatorframework.io/v1
+plugins:
+ manifests.sdk.operatorframework.io/v2: {}
+ scorecard.sdk.operatorframework.io/v2: {}
+projectName: rh-shield-operator
+resources:
+- api:
+ crdVersion: v1
+ namespaced: true
+ domain: sysdig.com
+ group: shield
+ kind: Shield
+ version: v1alpha1
+version: "3"
diff --git a/rh-shield-operator/bundle.Dockerfile b/rh-shield-operator/bundle.Dockerfile
new file mode 100644
index 000000000..6ce6a423c
--- /dev/null
+++ b/rh-shield-operator/bundle.Dockerfile
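Review bot: `OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk` and `OPM = $(LOCALBIN)/opm` reference `LOCALBIN`, which is never defined in this Makefile (the kustomize and helm-operator targets use `$(shell pwd)/bin` instead), so with no operator-sdk or opm on PATH the download recipes expand to `mkdir -p /` and `curl -sSLo /operator-sdk ...`, i.e. a write into the filesystem root; add `LOCALBIN ?= $(shell pwd)/bin` next to the `OS`/`ARCH` definitions or switch both variables to `$(shell pwd)/bin/...` like the others. All four bootstrap recipes fetch release binaries with curl and no checksum verification, and the helm-operator, kustomize and opm versions are hard-coded (v1.36.1, v5.3.0, v1.23.0) while only operator-sdk honours `OPERATOR_SDK_VERSION`; the helm-operator download should at least use `$(OPERATOR_SDK_VERSION)` so the two cannot drift apart. The docker-buildx target builds with `-f Dockerfile .`, which, unlike the `tar -czh` pipe in docker-build, does not dereference the `helm-charts/shield` symlink this commit adds, so the multi-arch image would likely ship a dangling link instead of the chart.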
@@ -0,0 +1,20 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=rh-shield-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.36.1
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=helm.sdk.operatorframework.io/v1
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY bundle/manifests /manifests/
+COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/
diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml
new file mode 100644
index 000000000..bee7f3817
--- /dev/null
+++ b/rh-shield-operator/bundle/manifests/rh-shield-operator-controller-manager-metrics-service_v1_service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: rh-shield-operator
+ control-plane: controller-manager
+ name: rh-shield-operator-controller-manager-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
+status:
+ loadBalancer: {}
diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 000000000..66619265d
--- /dev/null
+++ b/rh-shield-operator/bundle/manifests/rh-shield-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: rh-shield-operator
+ name: rh-shield-operator-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 000000000..47c2311a3
--- /dev/null
+++ b/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: rh-shield-operator
+ name: rh-shield-operator-shield-editor-role
+rules:
+- apiGroups:
+ - shield.sysdig.com
+ resources:
+ - shields
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - shield.sysdig.com
+ resources:
+ - shields/status
+ verbs:
+ - get
diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 000000000..4bab2a093
--- /dev/null
+++ b/rh-shield-operator/bundle/manifests/rh-shield-operator-shield-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: rh-shield-operator
+ name: rh-shield-operator-shield-viewer-role
+rules:
+- apiGroups:
+ - shield.sysdig.com
+ resources:
+ - shields
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - shield.sysdig.com
+ resources:
+ - shields/status
+ verbs:
+ - get
diff --git a/rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml b/rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml
new file mode 100644
index 000000000..73b164fd8
--- /dev/null
+++ b/rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml
@@ -0,0 +1,605 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "shield.sysdig.com/v1alpha1", + "kind": "Shield", + "metadata": { + "name": "shield-sample" + }, + "spec": { + "affinity": {}, + "cluster": { + "additional_settings": { + "log_level": "info", + "monitoring_port": 8080 + }, + "admissionregistration": { + "create": true + }, + "affinity": {}, + "dns_policy": null, + "enable_prometheus_scraping": true, + "env": [], + "host_network": false, + "image": { + "pull_policy": "IfNotPresent", + "pull_secrets": [], + "registry": "quay.io", + "repository": "sysdig/cluster-shield", + "tag": "1.4.0" + }, + "node_selector": {}, + "pod_annotations": {}, + "pod_labels": {}, + "priority_class": { + "annotations": {}, + "create": false, + "labels": {}, + "name": null, + "value": 10 + }, + "probes": { + "liveness": { + "failureThreshold": 9, + "initialDelaySeconds": 5, + "periodSeconds": 5 + }, + "readiness": { + "failureThreshold": 9, + "initialDelaySeconds": 10, + "periodSeconds": 5 + } + }, + "rbac": { + "annotations": {}, + "create": true, + "labels": {}, + "service_account_name": null + }, + "replica_count": 2, + "resources": { + "limits": { + "cpu": "1500m", + "memory": "1536Mi" + }, + "requests": { + "cpu": "500m", + "memory": "512Mi" + } + }, + "run_mode": "multi-process", + "tls_certificates": { + "create": true, + "secret_name": null + }, + "tolerations": [], + "update_strategy": { + "rollingUpdate": {}, + "type": "RollingUpdate" + }, + "volume_mounts": [], + "volumes": [], + "workload_annotations": {}, + "workload_labels": {} + }, + "cluster_config": { + "cluster_domain": "cluster.local", + "cluster_type": "other", + "name": "test", + "root_namespace": "kube-system", + "tags": {} + }, + "env": [], + "features": { + "admission_control": { + "container_vulnerability_management": { + "enabled": false + }, + "deny_on_error": false, + "dry_run": true, + "enabled": false, + 
"excluded_namespaces": [], + "http_port": 8443, + "timeout": 10 + }, + "detections": { + "drift_control": { + "enabled": false + }, + "kubernetes_audit": { + "enabled": false, + "excluded_namespaces": [], + "http_port": 6443, + "timeout": 10 + }, + "malware_control": { + "enabled": false + }, + "ml_policies": { + "enabled": false + } + }, + "investigations": { + "activity_audit": { + "enabled": false + }, + "audit_tap": { + "enabled": false + }, + "captures": { + "enabled": false + }, + "event_forwarder": { + "enabled": false, + "integrations": [], + "transmit_message_types": [] + }, + "live_logs": { + "enabled": false + }, + "network_security": { + "enabled": false + } + }, + "kubernetes_metadata": { + "enabled": false + }, + "monitoring": { + "app_checks": { + "enabled": false + }, + "java_management_extensions": { + "enabled": false + }, + "prometheus": { + "enabled": false + }, + "statsd": { + "enabled": false + } + }, + "posture": { + "cluster_posture": { + "enabled": false + }, + "host_posture": { + "enabled": false + } + }, + "responding": { + "rapid_response": { + "enabled": false + } + }, + "vulnerability_management": { + "container_vulnerability_management": { + "enabled": false, + "local_cluster": { + "registry_secrets": [] + }, + "platform_services_enabled": true, + "registry_ssl": { + "verify": true + } + }, + "host_vulnerability_management": { + "enabled": false + }, + "in_use": { + "enabled": false, + "integration_enabled": false + } + } + }, + "fullname_override": null, + "host": { + "additional_settings": {}, + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchExpressions": [ + { + "key": "kubernetes.io/arch", + "operator": "In", + "values": [ + "amd64", + "arm64", + "ppc64le", + "s390x" + ] + }, + { + "key": "kubernetes.io/os", + "operator": "In", + "values": [ + "linux" + ] + } + ] + } + ] + } + } + }, + "driver": "kmod", + "env": [], + "image": { + "kmodule_name": 
"agent-kmodule", + "pull_policy": "IfNotPresent", + "pull_secrets": [], + "registry": "quay.io", + "repository": "sysdig", + "shield_name": "agent-slim", + "tag": "13.4.0" + }, + "node_selector": {}, + "pod_annotations": {}, + "pod_labels": {}, + "priority_class": { + "annotations": {}, + "create": false, + "labels": {}, + "name": null, + "value": 10 + }, + "privileged": true, + "probes": { + "liveness": { + "failureThreshold": 9, + "initialDelaySeconds": 90, + "periodSeconds": 10 + }, + "readiness": { + "failureThreshold": 9, + "initialDelaySeconds": 90, + "periodSeconds": 10 + } + }, + "rbac": { + "annotations": {}, + "create": true, + "labels": {}, + "service_account_name": null + }, + "resources": { + "kmodule": { + "limits": { + "cpu": "1000m", + "memory": "1Gi" + }, + "requests": { + "cpu": "250m", + "memory": "384Mi" + } + }, + "shield": { + "limits": { + "cpu": "1000m", + "memory": "1Gi" + }, + "requests": { + "cpu": "250m", + "memory": "384Mi" + } + } + }, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/controlplane", + "operator": "Equal", + "value": "true" + }, + { + "effect": "NoExecute", + "key": "node-role.kubernetes.io/etcd", + "operator": "Equal", + "value": "true" + }, + { + "effect": "NoExecute", + "key": "CriticalAddonsOnly", + "operator": "Equal", + "value": "true" + } + ], + "update_strategy": { + "rollingUpdate": {}, + "type": "RollingUpdate" + }, + "volume_mounts": [], + "volumes": [], + "workload_annotations": {}, + "workload_labels": {} + }, + "name_override": null, + "node_selector": {}, + "on_prem_version": null, + "pod_annotations": {}, + "pod_labels": {}, + "proxy": { + "http_proxy": null, + "http_proxy_existing_secret": null, + "https_proxy": null, + "https_proxy_existing_secret": null, + "no_proxy": null, + "no_proxy_existing_secret": null + 
}, + "ssl": { + "ca": { + "certs": [], + "existing_ca_secret": null, + "existing_ca_secret_key_name": null, + "key_name": null + }, + "verify": true + }, + "sysdig_endpoint": { + "access_key": "abcd", + "access_key_existing_secret": null, + "api_url": "https://x.com", + "collector": { + "host": "y.com", + "port": 666 + }, + "region": "custom", + "secure_api_token": null, + "secure_api_token_existing_secret": null + }, + "tolerations": [], + "volume_mounts": [], + "volumes": [], + "workload_annotations": {}, + "workload_labels": {} + } + } + ] + capabilities: Basic Install + createdAt: "2024-10-23T18:42:52Z" + operators.operatorframework.io/builder: operator-sdk-v1.36.1 + operators.operatorframework.io/project_layout: helm.sdk.operatorframework.io/v1 + name: rh-shield-operator.v0.0.1 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - kind: Shield + name: shields.shield.sysdig.com + version: v1alpha1 + description: Openshift Operator based on the shield Helm chart by Sysdig + displayName: rh-shield-operator + icon: + - base64data: "" + mediatype: "" + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + verbs: + - '*' + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - shield.sysdig.com + resources: + - shields + - shields/status + - shields/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + verbs: + - '*' + - apiGroups: + - "" + resources: + - configmaps + - secrets + - serviceaccounts + - services + verbs: + - '*' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - '*' + - apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - '*' + - apiGroups: + - 
authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: rh-shield-operator-controller-manager + deployments: + - label: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: rh-shield-operator + control-plane: controller-manager + name: rh-shield-operator-controller-manager + spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --leader-election-id=rh-shield-operator + image: localhost:5000/rh-shield-operator:v0.0.1 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + serviceAccountName: rh-shield-operator-controller-manager + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + 
- delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: rh-shield-operator-controller-manager + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - sysdig + - shield + - security + - monitoring + links: + - name: Rh Shield Operator + url: https://rh-shield-operator.domain + maintainers: + - email: adam.roberts@sysdig.com + name: Adam Roberts + maturity: alpha + provider: + name: Sysdig + url: https://sysdig.com + version: 0.0.1 diff --git a/rh-shield-operator/bundle/manifests/shield.sysdig.com_shields.yaml b/rh-shield-operator/bundle/manifests/shield.sysdig.com_shields.yaml new file mode 100644 index 000000000..cb1462287 --- /dev/null +++ b/rh-shield-operator/bundle/manifests/shield.sysdig.com_shields.yaml 
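Review bot: The committed bundle's manager container is `image: localhost:5000/rh-shield-operator:v0.0.1` and the CSV is named `rh-shield-operator.v0.0.1` with `version: 0.0.1`, while the Makefile in this same commit sets `VERSION ?= 0.1.0` and `IMAGE_TAG_BASE ?= quay.io/sysdig/rh-shield-operator`, so this bundle is a local dev artifact that cannot be installed from a catalog as committed; it should be regenerated via `make bundle IMG=<published-image>` before publishing. In `clusterPermissions`, `secrets` with verbs `'*'` appears twice (once on its own and again with configmaps/serviceaccounts/services), and `'*'` on `clusterroles`/`clusterrolebindings` includes `escalate` and `bind`, which makes the operator's service account effectively cluster-admin; enumerating the verbs the Helm chart actually needs and dropping the duplicate rule would limit what a compromised manager pod could do. The `alm-examples` sample sets `"access_key": "abcd"` inline even though `access_key_existing_secret` exists on the same object; showing the secret-reference form would steer users away from placing the credential in the CR spec, which the shield viewer ClusterRole exposes to anyone able to read shields. The `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0` sidecar image is, as far as I know, no longer published from that registry by the kubebuilder project, so verify it is still pullable or mirror it.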
@@ -0,0 +1,50 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: shields.shield.sysdig.com +spec: + group: shield.sysdig.com + names: + kind: Shield + listKind: ShieldList + plural: shields + singular: shield + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Shield is the Schema for the shields API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Shield + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: Status defines the observed state of Shield + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/rh-shield-operator/bundle/metadata/annotations.yaml b/rh-shield-operator/bundle/metadata/annotations.yaml new file mode 100644 index 000000000..a3898fdff --- /dev/null +++ b/rh-shield-operator/bundle/metadata/annotations.yaml 
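Review bot: The Shield CRD declares `spec` as a bare `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server validates nothing inside it and a mistyped or unintended value (for example under the sample's `host.privileged`) is only discovered when the Helm reconcile runs. That is the usual shape for a Helm-based operator, but a partial `properties` block for the most sensitive keys can coexist with `x-kubernetes-preserve-unknown-fields: true` and would give admission-time validation without touching the chart. The same schema is repeated in `config/crd/bases/shield.sysdig.com_shields.yaml` later in this chunk; since the bundle copy is generated, the config/ file is the one to change.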
@@ -0,0 +1,14 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: rh-shield-operator + operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.metrics.builder: operator-sdk-v1.36.1 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: helm.sdk.operatorframework.io/v1 + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/rh-shield-operator/bundle/tests/scorecard/config.yaml b/rh-shield-operator/bundle/tests/scorecard/config.yaml new file mode 100644 index 000000000..b020daff7 --- /dev/null +++ b/rh-shield-operator/bundle/tests/scorecard/config.yaml 
@@ -0,0 +1,70 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-crds-have-resources-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.36.1 + labels: + suite: olm + test: olm-status-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {} diff --git a/rh-shield-operator/config/crd/bases/shield.sysdig.com_shields.yaml b/rh-shield-operator/config/crd/bases/shield.sysdig.com_shields.yaml new file mode 100644 index 000000000..175f8ec3c --- /dev/null +++ b/rh-shield-operator/config/crd/bases/shield.sysdig.com_shields.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: shields.shield.sysdig.com +spec: + group: shield.sysdig.com + names: + kind: Shield + listKind: ShieldList + plural: shields + singular: shield + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Shield is the Schema for the shields API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Shield + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: Status defines the observed state of Shield + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} diff --git a/rh-shield-operator/config/crd/kustomization.yaml b/rh-shield-operator/config/crd/kustomization.yaml new file mode 100644 index 000000000..8fea62db7 --- /dev/null +++ b/rh-shield-operator/config/crd/kustomization.yaml @@ -0,0 +1,6 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/shield.sysdig.com_shields.yaml +#+kubebuilder:scaffold:crdkustomizeresource 
diff --git a/rh-shield-operator/config/default/kustomization.yaml b/rh-shield-operator/config/default/kustomization.yaml new file mode 100644 index 000000000..a7b66c903 --- /dev/null +++ b/rh-shield-operator/config/default/kustomization.yaml @@ -0,0 +1,28 @@ +# Adds namespace to all resources. +namespace: rh-shield-operator-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: rh-shield-operator- + +# Labels to add to all resources and selectors. +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue + +resources: +- ../crd +- ../rbac +- ../manager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus + +patches: +# Protect the /metrics endpoint by putting it behind auth. +# If you want your controller-manager to expose the /metrics +# endpoint w/o any authn/z, please comment the following line. +- path: manager_auth_proxy_patch.yaml diff --git a/rh-shield-operator/config/default/manager_auth_proxy_patch.yaml b/rh-shield-operator/config/default/manager_auth_proxy_patch.yaml new file mode 100644 index 000000000..f953f8d0e --- /dev/null +++ b/rh-shield-operator/config/default/manager_auth_proxy_patch.yaml 
@@ -0,0 +1,40 @@
+# This patch inject a sidecar container which is a HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
+ args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--v=0"
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ name: https
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
+ - "--leader-election-id=rh-shield-operator"
diff --git a/rh-shield-operator/config/default/manager_config_patch.yaml b/rh-shield-operator/config/default/manager_config_patch.yaml
new file mode 100644
index 000000000..f6f589169
--- /dev/null
+++ b/rh-shield-operator/config/default/manager_config_patch.yaml
@@ -0,0 +1,10 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
diff --git a/rh-shield-operator/config/manager/kustomization.yaml b/rh-shield-operator/config/manager/kustomization.yaml
new file mode 100644
index 000000000..5c5f0b84c
--- /dev/null
+++ b/rh-shield-operator/config/manager/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- manager.yaml
diff --git a/rh-shield-operator/config/manager/manager.yaml b/rh-shield-operator/config/manager/manager.yaml
new file mode 100644
index 000000000..5f9974413
--- /dev/null
+++ b/rh-shield-operator/config/manager/manager.yaml
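Review bot: The metrics endpoint is guarded by the `gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0` sidecar, and to my knowledge the Kubebuilder project has since deprecated both this sidecar pattern and the distribution of that image from gcr.io in favour of controller-runtime's built-in metrics authn/authz, so the image location should be confirmed to still resolve before the bundle is published. Pinning by tag alone also means a republished tag changes what runs; `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0@sha256:<digest placeholder>` would make the sidecar immutable. The same image reference is repeated in the bundle CSV at the top of this chunk, which is generated from this patch.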
@@ -0,0 +1,93 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux + securityContext: + runAsNonRoot: true + # TODO(user): For common cases that do not require escalating privileges + # it is recommended to ensure that all your Pods/Containers are restrictive. + # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + # Please uncomment the following code if your project does NOT have to work on old Kubernetes + # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). 
+ # seccompProfile: + # type: RuntimeDefault + containers: + - args: + - --leader-elect + - --leader-election-id=rh-shield-operator + image: controller:latest + name: manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 diff --git a/rh-shield-operator/config/manifests/bases/rh-shield-operator.clusterserviceversion.yaml b/rh-shield-operator/config/manifests/bases/rh-shield-operator.clusterserviceversion.yaml new file mode 100644 index 000000000..a9bb52dd7 --- /dev/null +++ b/rh-shield-operator/config/manifests/bases/rh-shield-operator.clusterserviceversion.yaml 
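Review bot: `seccompProfile: type: RuntimeDefault` is left commented out on the pod `securityContext`, while the CSV base in this commit describes the target as OpenShift and the scaffold comment itself says the field only needs to stay off for OpenShift < 4.11; with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `drop: ["ALL"]` already set, this is the one remaining item for the restricted Pod Security Standard. Suggest uncommenting the two lines `seccompProfile:` / `type: RuntimeDefault` under `securityContext:`. Separately, `image: controller:latest` is presumably rewritten by the Makefile's kustomize image override (outside this chunk), but the generated bundle CSV at the top of this chunk carries `image: localhost:5000/rh-shield-operator:v0.0.1`, which is a local dev registry and should not be what ships.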
@@ -0,0 +1,72 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: '[]' + capabilities: SeamlessUpgrades + categories: Security, Monitoring + description: | + The Sysdig Shield Operator provides a way to deploy Sysdig Shield components on an OpenShift cluster. + repository: https://github.com/sysdiglabs/charts + support: https://sysdig.com + name: rh-shield-operator.v0.0.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: {} + description: | + [Sysdig](https://www.sysdig.com/) is a unified platform for container and + microservices monitoring, troubleshooting, security, and forensics. Sysdig + platform has been built on top of the [Sysdig tool](https://sysdig.com/opensource/sysdig/) and + [Sysdig Inspect](https://sysdig.com/blog/sysdig-inspect/) open-source technologies. + This operator installs the Sysdig Cluster and Host Shields for + [Sysdig Monitor](https://sysdig.com/product/monitor/) and + [Sysdig Secure](https://sysdig.com/product/secure/). 
+ displayName: Sysdig Shield Operator + icon: + - base64data: "PHN2ZyBpZD0iTGF5ZXJfMSIgZGF0YS1uYW1lPSJMYXllciAxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2aWV3Qm94PSIwIDAgMjE3IDIwOCI+PGRlZnM+PHN0eWxlPi5jbHMtMSwuY2xzLTQsLmNscy01e2ZpbGw6bm9uZTt9LmNscy0ye2ZpbGw6I2ZmZjt9LmNscy0ze2ZpbGw6IzAwYjRjODt9LmNscy00LC5jbHMtNXtzdHJva2U6IzBlMGYyNjtzdHJva2UtbWl0ZXJsaW1pdDoxMDt9LmNscy00e3N0cm9rZS13aWR0aDo1cHg7fS5jbHMtNXtzdHJva2Utd2lkdGg6MS41OHB4O30uY2xzLTZ7Y2xpcC1wYXRoOnVybCgjY2xpcC1wYXRoKTt9PC9zdHlsZT48Y2xpcFBhdGggaWQ9ImNsaXAtcGF0aCI+PHBhdGggY2xhc3M9ImNscy0xIiBkPSJNMTY5LjUyLDE2My4yNWwtMTEuNTgsMTEuNTktMzQtMzQsMy40Ny0zLjQ5LTE3Ljc3LTE3Ljc3TDg2Ljg1LDE0Mi40LDU4LjMzLDExMy44OGMtMjgtMjgtMTEuNjYtNzMuNDctMTEuNjYtNzMuNDdaIi8+PC9jbGlwUGF0aD48L2RlZnM+PHRpdGxlPkFydGJvYXJkIDE8L3RpdGxlPjxwb2x5Z29uIGNsYXNzPSJjbHMtMiIgcG9pbnRzPSIxNDYuODkgMTE4LjkgMTIzLjk1IDE0MC44NSAxNTcuOTQgMTc0Ljg0IDE4MS4xIDE1MS42NyAxNDYuODkgMTE4LjkiLz48cGF0aCBjbGFzcz0iY2xzLTIiIGQ9Ik0xNDMuNjIsMTIxLjE2bC0xNy43Ny0xNy43NywyMi44Mi0yMi44MUwxMjAuMTUsNTIuMDZjLTI4LTI4LTczLjQ4LTExLjY1LTczLjQ4LTExLjY1UzMwLjMzLDg1Ljg5LDU4LjMzLDExMy44OEw4Ni44NSwxNDIuNGwyMi44LTIyLjgxLDE3Ljc3LDE3Ljc3WiIvPjxwYXRoIGNsYXNzPSJjbHMtMiIgZD0iTTY0LjMsNThjLTEuODgsMTEuMy0yLjQ2LDI5LjE4LDkuMTIsNDAuNzZsMTMuNDMsMTMuNDMiLz48cGF0aCBjbGFzcz0iY2xzLTMiIGQ9Ik0xNjkuNTIsMTYzLjI1bC0xMS41OCwxMS41OS0zNC0zNCwzLjQ3LTMuNDktMTcuNzctMTcuNzdMODYuODUsMTQyLjQsNTguMzMsMTEzLjg4Yy0yOC0yOC0xMS42Ni03My40Ny0xMS42Ni03My40N1oiLz48cGF0aCBjbGFzcz0iY2xzLTQiIGQ9Ik0xNDMuNjIsMTIxLjE2bC0xNy43Ny0xNy43NywyMi44Mi0yMi44MUwxMjAuMTUsNTIuMDZjLTI4LTI4LTczLjQ4LTExLjY1LTczLjQ4LTExLjY1UzMwLjMzLDg1Ljg5LDU4LjMzLDExMy44OEw4Ni44NSwxNDIuNGwyMi44LTIyLjgxLDE3Ljc3LDE3Ljc3WiIvPjxyZWN0IGNsYXNzPSJjbHMtNSIgeD0iMTM2LjE0IiB5PSIxMjIuMjMiIHdpZHRoPSIzMi43NiIgaGVpZ2h0PSI0OC4wNiIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMzYzLjggMTQxLjgzKSByb3RhdGUoMTM1KSIvPjxyZWN0IGNsYXNzPSJjbHMtNCIgeD0iMTM2LjE0IiB5PSIxMjIuMjMiIHdpZHRoPSIzMi43NiIgaGVpZ2h0PSI0OC4wNiIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMzYzLjggMTQxL
jgzKSByb3RhdGUoMTM1KSIvPjxnIGNsYXNzPSJjbHMtNiI+PHBhdGggY2xhc3M9ImNscy00IiBkPSJNNzIuNzQsMzcuODQsNjcuNjMsNTAuMDVhNTMuNTksNTMuNTksMCwwLDAtNCwyNi40MmMuODYsNy45MywzLjU3LDE2LDkuODQsMjIuMzJsMTMuNDMsMTMuNDMiLz48L2c+PC9zdmc+" + mediatype: "image/svg+xml" + install: + spec: + deployments: null + strategy: "" + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - monitoring + - security + - alerting + - metrics + - troubleshooting + - runtime + - syscall + links: + - name: Shield Operator + url: https://github.com/sysdiglabs/charts/tree/main/rh-shield-operator + - name: Helm Chart + url: https://github.com/sysdiglabs/charts/tree/main/charts/shield + - name: Sysdig + url: https://sysdig.com + maintainers: + - email: adam.roberts@sysdig.com + name: Adam Roberts + - email: alberto.barba@sysdig.com + name: Alberto Barba + - email: francesco.furlan@sysdig.com + name: Franceso Furlan + - email: gerlando.falauto@sysdig.com + name: Gerlando Falauto + - email: marcovito.moscaritolo@sysdig.com + name: Marco Moscaritolo + maturity: alpha + provider: + name: Sysdig + url: https://sysdig.com + version: 0.0.0 diff --git a/rh-shield-operator/config/manifests/kustomization.yaml b/rh-shield-operator/config/manifests/kustomization.yaml new file mode 100644 index 000000000..0c0261b08 --- /dev/null +++ b/rh-shield-operator/config/manifests/kustomization.yaml @@ -0,0 +1,7 @@ +# These resources constitute the fully configured set of manifests +# used to generate the 'manifests/' directory in a bundle. +resources: +- bases/rh-shield-operator.clusterserviceversion.yaml +- ../default +- ../samples +- ../scorecard diff --git a/rh-shield-operator/config/prometheus/kustomization.yaml b/rh-shield-operator/config/prometheus/kustomization.yaml new file mode 100644 index 000000000..ed137168a --- /dev/null 
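Review bot: `installModes` in this base CSV marks OwnNamespace and SingleNamespace as `supported: true`, but the generated bundle CSV earlier in this chunk marks only AllNamespaces as supported; since the bundle is normally generated from this base, one of the two appears to have been edited by hand and they should be reconciled before publishing (AllNamespaces-only is consistent with the cluster-scoped `manager-role` ClusterRole in this commit). The maintainer entry `name: Franceso Furlan` looks like a typo for Francesco. `capabilities: SeamlessUpgrades` on a `maturity: alpha`, `version: 0.0.0` operator is a strong claim; Basic Install is the usual level until an upgrade path has been exercised.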
+++ b/rh-shield-operator/config/prometheus/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- monitor.yaml
diff --git a/rh-shield-operator/config/prometheus/monitor.yaml b/rh-shield-operator/config/prometheus/monitor.yaml
new file mode 100644
index 000000000..4b0c3da7f
--- /dev/null
+++ b/rh-shield-operator/config/prometheus/monitor.yaml
@@ -0,0 +1,21 @@
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: rh-shield-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager-metrics-monitor
+ namespace: system
+spec:
+ endpoints:
+ - path: /metrics
+ port: https
+ scheme: https
+ bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ tlsConfig:
+ insecureSkipVerify: true
+ selector:
+ matchLabels:
+ control-plane: controller-manager
diff --git a/rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml b/rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644
index 000000000..5e9b23f0f
--- /dev/null
+++ b/rh-shield-operator/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rh-shield-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/rh-shield-operator/config/rbac/auth_proxy_role.yaml b/rh-shield-operator/config/rbac/auth_proxy_role.yaml
new file mode 100644
index 000000000..9c8ad9d0b
--- /dev/null
+++ b/rh-shield-operator/config/rbac/auth_proxy_role.yaml
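Review bot: The ServiceMonitor scrapes the kube-rbac-proxy over HTTPS with `insecureSkipVerify: true`, so Prometheus presents the service-account bearer token from `bearerTokenFile` to whatever answers on the `https` port without verifying the certificate. That is the scaffold default because the proxy serves a self-signed certificate, but on OpenShift the `service.beta.openshift.io/serving-cert-secret-name` annotation on `auth_proxy_service.yaml` (or cert-manager) can supply a trusted certificate, after which `tlsConfig` should use `caFile`/`serverName` instead. The monitor is only wired in when `../prometheus` is uncommented in `config/default/kustomization.yaml`, so this is low urgency, but a comment on the `insecureSkipVerify` line explaining why it is there would help whoever enables it.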
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml b/rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 000000000..320294d82 --- /dev/null +++ b/rh-shield-operator/config/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/rh-shield-operator/config/rbac/auth_proxy_service.yaml b/rh-shield-operator/config/rbac/auth_proxy_service.yaml new file mode 100644 index 000000000..fb1498d98 --- /dev/null +++ b/rh-shield-operator/config/rbac/auth_proxy_service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager diff --git a/rh-shield-operator/config/rbac/kustomization.yaml b/rh-shield-operator/config/rbac/kustomization.yaml new file mode 100644 index 000000000..7bebc8ad6 --- /dev/null +++ b/rh-shield-operator/config/rbac/kustomization.yaml 
@@ -0,0 +1,24 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml +# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the Project itself. You can comment the following lines +# if you do not want those helpers be installed with your Project. +- shield_editor_role.yaml +- shield_viewer_role.yaml diff --git a/rh-shield-operator/config/rbac/leader_election_role.yaml b/rh-shield-operator/config/rbac/leader_election_role.yaml new file mode 100644 index 000000000..c03198c86 --- /dev/null +++ b/rh-shield-operator/config/rbac/leader_election_role.yaml @@ -0,0 +1,40 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch 
diff --git a/rh-shield-operator/config/rbac/leader_election_role_binding.yaml b/rh-shield-operator/config/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..530ec1033 --- /dev/null +++ b/rh-shield-operator/config/rbac/leader_election_role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/rh-shield-operator/config/rbac/role.yaml b/rh-shield-operator/config/rbac/role.yaml new file mode 100644 index 000000000..01825cbd5 --- /dev/null +++ b/rh-shield-operator/config/rbac/role.yaml 
@@ -0,0 +1,79 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+##
+## Base operator rules
+##
+# We need to get namespaces so the operator can read namespaces to ensure they exist
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+# We need to manage Helm release secrets
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - "*"
+# We need to create events on CRs about things happening during reconciliation
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+
+##
+## Rules for shield.sysdig.com/v1alpha1, Kind: Shield
+##
+- apiGroups:
+ - shield.sysdig.com
+ resources:
+ - shields
+ - shields/status
+ - shields/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- verbs:
+ - "*"
+ apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "clusterrolebindings"
+ - "clusterroles"
+- verbs:
+ - "*"
+ apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ - "secrets"
+ - "serviceaccounts"
+ - "services"
+- verbs:
+ - "*"
+ apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "roles"
+- verbs:
+ - "*"
+ apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ - "deployments"
+
+#+kubebuilder:scaffold:rules
diff --git a/rh-shield-operator/config/rbac/role_binding.yaml b/rh-shield-operator/config/rbac/role_binding.yaml
new file mode 100644
index 000000000..ef8d1cc6c
--- /dev/null
+++ b/rh-shield-operator/config/rbac/role_binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rh-shield-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
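Review bot: `manager-role` is a ClusterRole that grants `verbs: "*"` on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings` cluster-wide; `*` includes the `bind` and `escalate` verbs, so the operator's service account is exempt from RBAC escalation prevention and is effectively able to grant itself any permission in the cluster. The Helm chart does need to create RBAC for the shields, but spelling the verbs out as `create, get, list, watch, update, patch, delete` keeps escalation prevention in force, and the same explicit list is preferable to `"*"` on `secrets`, `configmaps`, `serviceaccounts`, `services`, `daemonsets` and `deployments`, where cluster-wide `*` on secrets in particular is a large blast radius if the manager pod is compromised. The `secrets` rule is also stated twice, once under "Base operator rules" and again in the later core-group block, so one copy can be dropped. This file is mirrored into the bundle ClusterRole at the top of this chunk, so the trimmed rules need to be regenerated there as well.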
diff --git a/rh-shield-operator/config/rbac/service_account.yaml b/rh-shield-operator/config/rbac/service_account.yaml new file mode 100644 index 000000000..7f05a1a48 --- /dev/null +++ b/rh-shield-operator/config/rbac/service_account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager + namespace: system diff --git a/rh-shield-operator/config/rbac/shield_editor_role.yaml b/rh-shield-operator/config/rbac/shield_editor_role.yaml new file mode 100644 index 000000000..8eb579110 --- /dev/null +++ b/rh-shield-operator/config/rbac/shield_editor_role.yaml @@ -0,0 +1,27 @@ +# permissions for end users to edit shields. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: shield-editor-role +rules: +- apiGroups: + - shield.sysdig.com + resources: + - shields + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - shield.sysdig.com + resources: + - shields/status + verbs: + - get diff --git a/rh-shield-operator/config/rbac/shield_viewer_role.yaml b/rh-shield-operator/config/rbac/shield_viewer_role.yaml new file mode 100644 index 000000000..eee2c857c --- /dev/null +++ b/rh-shield-operator/config/rbac/shield_viewer_role.yaml @@ -0,0 +1,23 @@ +# permissions for end users to view shields. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rh-shield-operator + app.kubernetes.io/managed-by: kustomize + name: shield-viewer-role +rules: +- apiGroups: + - shield.sysdig.com + resources: + - shields + verbs: + - get + - list + - watch +- apiGroups: + - shield.sysdig.com + resources: + - shields/status + verbs: + - get 
diff --git a/rh-shield-operator/config/samples/kustomization.yaml b/rh-shield-operator/config/samples/kustomization.yaml new file mode 100644 index 000000000..057e6a06b --- /dev/null +++ b/rh-shield-operator/config/samples/kustomization.yaml @@ -0,0 +1,4 @@ +## Append samples of your project ## +resources: +- shield_v1alpha1_shield.yaml +#+kubebuilder:scaffold:manifestskustomizesamples diff --git a/rh-shield-operator/config/samples/shield_v1alpha1_shield.yaml b/rh-shield-operator/config/samples/shield_v1alpha1_shield.yaml new file mode 100644 index 000000000..2811893d4 --- /dev/null +++ b/rh-shield-operator/config/samples/shield_v1alpha1_shield.yaml 
@@ -0,0 +1,269 @@ +apiVersion: shield.sysdig.com/v1alpha1 +kind: Shield +metadata: + name: shield-sample +spec: + # Default values copied from /helm-charts/shield/values.yaml + affinity: {} + cluster: + additional_settings: + log_level: info + monitoring_port: 8080 + admissionregistration: + create: true + affinity: {} + dns_policy: null + enable_prometheus_scraping: true + env: [] + host_network: false + image: + pull_policy: IfNotPresent + pull_secrets: [] + registry: quay.io + repository: sysdig/cluster-shield + tag: 1.4.0 + node_selector: {} + pod_annotations: {} + pod_labels: {} + priority_class: + annotations: {} + create: false + labels: {} + name: null + value: 10 + probes: + liveness: + failureThreshold: 9 + initialDelaySeconds: 5 + periodSeconds: 5 + readiness: + failureThreshold: 9 + initialDelaySeconds: 10 + periodSeconds: 5 + rbac: + annotations: {} + create: true + labels: {} + service_account_name: null + replica_count: 2 + resources: + limits: + cpu: 1500m + memory: 1536Mi + requests: + cpu: 500m + memory: 512Mi + run_mode: multi-process + tls_certificates: + create: true + secret_name: null + tolerations: [] + update_strategy: + rollingUpdate: {} + type: RollingUpdate + volume_mounts: [] + volumes: [] + workload_annotations: {} + workload_labels: {} + cluster_config: + cluster_domain: cluster.local + cluster_type: other + name: null + root_namespace: kube-system + tags: {} + env: [] + features: + admission_control: + container_vulnerability_management: + enabled: false + deny_on_error: false + dry_run: true + enabled: false + excluded_namespaces: [] + http_port: 8443 + timeout: 10 + detections: + drift_control: + enabled: false + kubernetes_audit: + enabled: false + excluded_namespaces: [] + http_port: 6443 + timeout: 10 + malware_control: + enabled: false + ml_policies: + enabled: false + investigations: + activity_audit: + enabled: false + audit_tap: + enabled: false + captures: + enabled: false + event_forwarder: + enabled: false + integrations: 
[] + transmit_message_types: [] + live_logs: + enabled: false + network_security: + enabled: false + kubernetes_metadata: + enabled: false + monitoring: + app_checks: + enabled: false + java_management_extensions: + enabled: false + prometheus: + enabled: false + statsd: + enabled: false + posture: + cluster_posture: + enabled: false + host_posture: + enabled: false + responding: + rapid_response: + enabled: false + vulnerability_management: + container_vulnerability_management: + enabled: false + local_cluster: + registry_secrets: [] + platform_services_enabled: true + registry_ssl: + verify: true + host_vulnerability_management: + enabled: false + in_use: + enabled: false + integration_enabled: false + fullname_override: null + host: + additional_settings: {} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + driver: kmod + env: [] + image: + kmodule_name: agent-kmodule + pull_policy: IfNotPresent + pull_secrets: [] + registry: quay.io + repository: sysdig + shield_name: agent-slim + tag: 13.4.0 + node_selector: {} + pod_annotations: {} + pod_labels: {} + priority_class: + annotations: {} + create: false + labels: {} + name: null + value: 10 + privileged: true + probes: + liveness: + failureThreshold: 9 + initialDelaySeconds: 90 + periodSeconds: 10 + readiness: + failureThreshold: 9 + initialDelaySeconds: 90 + periodSeconds: 10 + rbac: + annotations: {} + create: true + labels: {} + service_account_name: null + resources: + kmodule: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 250m + memory: 384Mi + shield: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 250m + memory: 384Mi + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + - 
effect: NoSchedule + key: node-role.kubernetes.io/controlplane + operator: Equal + value: "true" + - effect: NoExecute + key: node-role.kubernetes.io/etcd + operator: Equal + value: "true" + - effect: NoExecute + key: CriticalAddonsOnly + operator: Equal + value: "true" + update_strategy: + rollingUpdate: {} + type: RollingUpdate + volume_mounts: [] + volumes: [] + workload_annotations: {} + workload_labels: {} + name_override: null + node_selector: {} + on_prem_version: null + pod_annotations: {} + pod_labels: {} + proxy: + http_proxy: null + http_proxy_existing_secret: null + https_proxy: null + https_proxy_existing_secret: null + no_proxy: null + no_proxy_existing_secret: null + ssl: + ca: + certs: [] + existing_ca_secret: null + existing_ca_secret_key_name: null + key_name: null + verify: true + sysdig_endpoint: + access_key: null + access_key_existing_secret: null + api_url: null + collector: + host: null + port: null + region: custom + secure_api_token: null + secure_api_token_existing_secret: null + tolerations: [] + volume_mounts: [] + volumes: [] + workload_annotations: {} + workload_labels: {} diff --git a/rh-shield-operator/config/scorecard/bases/config.yaml b/rh-shield-operator/config/scorecard/bases/config.yaml new file mode 100644 index 000000000..c77047841 --- /dev/null +++ b/rh-shield-operator/config/scorecard/bases/config.yaml @@ -0,0 +1,7 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: [] diff --git a/rh-shield-operator/config/scorecard/kustomization.yaml b/rh-shield-operator/config/scorecard/kustomization.yaml new file mode 100644 index 000000000..50cd2d084 --- /dev/null +++ b/rh-shield-operator/config/scorecard/kustomization.yaml 
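Review bot: The sample CR leaves `sysdig_endpoint.access_key` and `secure_api_token` as inline `null` fields right next to their `*_existing_secret` counterparts, so the first thing a user is likely to do is paste a key into a CR that is then stored as plain YAML in git and etcd. A comment on those lines, e.g. `# prefer access_key_existing_secret / secure_api_token_existing_secret over inline values`, would steer users to the Secret-based path. The sample also inherits `host.privileged: true` and `driver: kmod` from the chart defaults, which the host shield needs but which deserves a one-line comment so reviewers of a copied CR know it is intentional rather than accidental. Note that, because the CRD in this commit preserves unknown fields, none of these values are validated at admission time.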
@@ -0,0 +1,16 @@
+resources:
+- bases/config.yaml
+patchesJson6902:
+- path: patches/basic.config.yaml
+ target:
+ group: scorecard.operatorframework.io
+ version: v1alpha3
+ kind: Configuration
+ name: config
+- path: patches/olm.config.yaml
+ target:
+ group: scorecard.operatorframework.io
+ version: v1alpha3
+ kind: Configuration
+ name: config
+#+kubebuilder:scaffold:patchesJson6902
diff --git a/rh-shield-operator/config/scorecard/patches/basic.config.yaml b/rh-shield-operator/config/scorecard/patches/basic.config.yaml
new file mode 100644
index 000000000..d6d858adb
--- /dev/null
+++ b/rh-shield-operator/config/scorecard/patches/basic.config.yaml
@@ -0,0 +1,10 @@
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - basic-check-spec
+ image: quay.io/operator-framework/scorecard-test:v1.36.1
+ labels:
+ suite: basic
+ test: basic-check-spec-test
diff --git a/rh-shield-operator/config/scorecard/patches/olm.config.yaml b/rh-shield-operator/config/scorecard/patches/olm.config.yaml
new file mode 100644
index 000000000..b4325b782
--- /dev/null
+++ b/rh-shield-operator/config/scorecard/patches/olm.config.yaml
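Review bot: `patchesJson6902` in config/scorecard/kustomization.yaml is a field kustomize v5 deprecates in favour of `patches`, which accepts the same `path:`/`target:` entries, so newer kustomize builds will print a deprecation warning for this file. This looks like operator-sdk scaffold, so it may be deliberate to keep it aligned with the generator; if not, the three-line change per entry is `patches:` replacing `patchesJson6902:` with the `- path:`/`target:` items kept as they are. The `#+kubebuilder:scaffold:patchesJson6902` marker would need the matching rename only if the generator is still expected to append to this list.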
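Review bot: The scorecard test image in config/scorecard/patches/basic.config.yaml is referenced by a mutable tag (`image: quay.io/operator-framework/scorecard-test:v1.36.1`), and the five entries in patches/olm.config.yaml in the next hunk use the same reference. These images run inside the cluster under the scorecard service account, so a tag that is re-pushed upstream changes what executes without any change in this repository; pinning by digest makes the test run reproducible and tamper-evident, e.g. `image: quay.io/operator-framework/scorecard-test@sha256:<DIGEST_PLACEHOLDER>`. If the tag is kept for readability, a comment recording the digest it was verified against, `# pinned to v1.36.1, digest <DIGEST_PLACEHOLDER>`, at least gives reviewers something to check a drift against.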
@@ -0,0 +1,50 @@
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-bundle-validation
+ image: quay.io/operator-framework/scorecard-test:v1.36.1
+ labels:
+ suite: olm
+ test: olm-bundle-validation-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-crds-have-validation
+ image: quay.io/operator-framework/scorecard-test:v1.36.1
+ labels:
+ suite: olm
+ test: olm-crds-have-validation-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-crds-have-resources
+ image: quay.io/operator-framework/scorecard-test:v1.36.1
+ labels:
+ suite: olm
+ test: olm-crds-have-resources-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-spec-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.36.1
+ labels:
+ suite: olm
+ test: olm-spec-descriptors-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-status-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.36.1
+ labels:
+ suite: olm
+ test: olm-status-descriptors-test
diff --git a/rh-shield-operator/helm-charts/shield b/rh-shield-operator/helm-charts/shield
new file mode 120000
index 000000000..a5629ab80
--- /dev/null
+++ b/rh-shield-operator/helm-charts/shield
@@ -0,0 +1 @@
+../../charts/shield/
\ No newline at end of file
diff --git a/rh-shield-operator/watches.yaml b/rh-shield-operator/watches.yaml
new file mode 100644
index 000000000..89f0a838d
--- /dev/null
+++ b/rh-shield-operator/watches.yaml
@@ -0,0 +1,6 @@
+# Use the 'create api' subcommand to add watches to this file.
+- group: shield.sysdig.com
+ version: v1alpha1
+ kind: Shield
+ chart: helm-charts/shield
+#+kubebuilder:scaffold:watch
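Review bot: The new symlink rh-shield-operator/helm-charts/shield (mode 120000) resolves to `../../charts/shield/`, which lies outside the rh-shield-operator directory, and watches.yaml in the last hunk depends on it via `chart: helm-charts/shield`. If the operator image is built with rh-shield-operator as the build context (the Dockerfile is not in this chunk, so this is inferred from the layout), a `COPY helm-charts/` step copies the link itself rather than the chart, leaving a dangling path in the image and a helm operator that cannot load the chart it watches. Building from the repository root, or copying the resolved chart directory into the image explicitly, avoids that; a comment in watches.yaml such as `# helm-charts/shield is a symlink to ../../charts/shield — build the image from the repo root` would make the coupling visible to the next person who moves the chart.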
