From 0cfcdbbddd5785d5ff78fb478aac993d65d35c2d Mon Sep 17 00:00:00 2001
From: jsecchiero
Date: Thu, 21 Nov 2024 11:28:07 +0100
Subject: [PATCH] feat(agent): add option to override security.openshift.io/v1 API presence
---
 charts/agent/Chart.yaml | 2 +-
 charts/agent/README.md | 3 +++
 charts/agent/templates/securitycontextconstraint.yaml | 3 ++-
 .../tests/security_context_constraints_test.yaml | 11 +++++++++++
 charts/agent/values.yaml | 3 +++
 charts/sysdig-deploy/Chart.yaml | 4 ++--
 6 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index 9234445bf..085990c10 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.31.0
+version: 1.31.1
diff --git a/charts/agent/README.md b/charts/agent/README.md
index c1b175875..fa0f15e8f 100644
--- a/charts/agent/README.md
+++ b/charts/agent/README.md
@@ -97,6 +97,9 @@ The following table lists the configurable parameters of the Sysdig chart and th
 | `global.gke.autopilot` | If true, overrides the agent configuration to run on GKE Autopilot clusters. | `false` |
 | `global.image.pullSecrets` | Global pull secrets. | [] |
 | `global.image.pullPolicy` | Global pull policy. | `IfNotPresent` |
+
+| hasAPISecurityOpenshiftV1Override | Overrides `security.openshift.io/v1` API detection | `false` |
+
 | `namespace` | Overrides the global namespace setting and release namespace for components. | `""` |
 | `image.registry` | Sysdig Agent image registry. | `quay.io` |
 | `image.repository` | Sets the image repository to pull the agent image from. | `sysdig/agent` |
diff --git a/charts/agent/templates/securitycontextconstraint.yaml b/charts/agent/templates/securitycontextconstraint.yaml
index 252a2bce3..afc6337ce 100644
--- a/charts/agent/templates/securitycontextconstraint.yaml
+++ b/charts/agent/templates/securitycontextconstraint.yaml
@@ -1,4 +1,5 @@
-{{- if and .Values.scc.create (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+{{- $hasAPISecurityOpenshiftV1 := default (.Capabilities.APIVersions.Has "security.openshift.io/v1") .Values.hasAPISecurityOpenshiftV1Override }}
+{{- if and .Values.scc.create ($hasAPISecurityOpenshiftV1) }}
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
diff --git a/charts/agent/tests/security_context_constraints_test.yaml b/charts/agent/tests/security_context_constraints_test.yaml
index 62971e94a..b3ce7561d 100644
--- a/charts/agent/tests/security_context_constraints_test.yaml
+++ b/charts/agent/tests/security_context_constraints_test.yaml
@@ -139,3 +139,14 @@ tests:
 - equal:
 path: allowHostPorts
 value: true
+
+ - it: Testing that SCS is created when security.openshift.io/v1 api are overridden
+ set:
+ scc:
+ create: true
+ hasAPISecurityOpenshiftV1Override: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: SecurityContextConstraints
diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml
index 2e50fcd49..f2005b482 100644
--- a/charts/agent/values.yaml
+++ b/charts/agent/values.yaml
@@ -404,3 +404,6 @@ tests:
 tag: 1.31.2
 # Allow to modify DNS policy
 dnsPolicy: null
+# Overrides `security.openshift.io/v1` API detection
+# useful while using "helm template" and to generate security context constraints
+hasAPISecurityOpenshiftV1Override: false
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index dafb30ece..cf2a59692 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.68.1
+version: 1.68.2
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
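Review bot: `default` treats a boolean `false` as empty, so on the first added line of the `securitycontextconstraint.yaml` hunk `hasAPISecurityOpenshiftV1Override` can only force the API check to true and never to false, while a quoted string such as `"false"` is non-empty and would also force it on. The gated object is a SecurityContextConstraints, so an explicit boolean test states the intent more safely: `{{- $hasAPISecurityOpenshiftV1 := or (eq (toString .Values.hasAPISecurityOpenshiftV1Override) "true") (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}`. The comment added in the `charts/agent/values.yaml` hunk has the same gap and could read `# false keeps automatic detection; true only forces rendering (e.g. for "helm template") and cannot disable it`. The rest of the template lies outside this hunk.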
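Review bot: The case added in the `security_context_constraints_test.yaml` hunk covers only the path where the override turns rendering on; no visible case checks that `scc.create: false` still yields no document when `hasAPISecurityOpenshiftV1Override` is true. Because the template emits a SecurityContextConstraints, the `scc.create` gate is the one worth pinning with a negative test like the one below. The `it:` title also says "SCS" where "SCC" seems intended. Earlier cases in this file are outside the hunk and may already cover part of this.

```yaml
  - it: Testing that SCC is not created when scc.create is false even if the API presence is overridden
    set:
      scc:
        create: false
      hasAPISecurityOpenshiftV1Override: true
    asserts:
      - hasDocuments:
          count: 0
```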
@@ -26,7 +26,7 @@ dependencies:
 - name: agent
 # repository: https://charts.sysdig.com
 repository: file://../agent
- version: ~1.31.0
+ version: ~1.31.1
 alias: agent
 condition: agent.enabled
 - name: common