Fix/upgrade 0 2.0 (#338)
* Upgrading to version 2.0.0

* Upgrade bundle to 0.2.0
Kugamoorthy Gajananan authored May 20, 2021
1 parent 6375fa4 commit 086ed88
Showing 15 changed files with 1,006 additions and 251 deletions.
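--- a/develop/local-deploy/operator_local.yaml
+++ b/develop/local-deploy/operator_local.yaml
@@ -16,7 +16,7 @@ spec:
 containers:
 - name: integrity-shield-operator
 # Replace this with the built image name
-image: integrity-shield-operator:0.1.6
+image: integrity-shield-operator:0.2.0
 command:
 - integrity-shield-operator
 imagePullPolicy: IfNotPresent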
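--- a/docs/ACM/README_DISABLE_ISHIELD_PROTECTION_ACM_ENV.md
+++ b/docs/ACM/README_DISABLE_ISHIELD_PROTECTION_ACM_ENV.md
@@ -39,9 +39,9 @@ You will use `policy-integrity-shield` to disable Integrity Shield protection in
 name: integrity-shield-server
 spec:
 logger:
-image: quay.io/open-cluster-management/integrity-shield-logging:0.1.6
+image: quay.io/open-cluster-management/integrity-shield-logging:0.2.0
 server:
-image: quay.io/open-cluster-management/integrity-shield-server:0.1.6
+image: quay.io/open-cluster-management/integrity-shield-server:0.2.0
 ```
 3. Create signature annotation in `policy-integrity-shield.yaml` as below.
 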
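--- a/integrity-shield-operator/Makefile
+++ b/integrity-shield-operator/Makefile
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 # Current Operator version
-VERSION ?= 0.1.6
+VERSION ?= 0.2.0
 # Default bundle image tag
 BUNDLE_IMG ?= controller-bundle:$(VERSION)
 # Options for 'bundle-build'
@@ -27,7 +27,7 @@ endif
 BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
 # Image URL to use all building/pushing image targets
-IMG ?= quay.io/open-cluster-management/integrity-shield-operator:0.1.6
+IMG ?= quay.io/open-cluster-management/integrity-shield-operator:0.2.0
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true"
 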
@@ -390,6 +390,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -419,6 +421,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -441,6 +445,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -601,6 +607,18 @@ spec:
description: User is a SELinux user label that applies to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".
type: string
type:
description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
properties:
@@ -723,6 +741,18 @@ spec:
description: User is a SELinux user label that applies to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".
type: string
type:
description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
properties:
@@ -739,6 +769,7 @@ spec:
type: object
type: object
regKeySecret:
description: Inspector InspectorContainer `json:"inspector,omitempty"` Checker CheckerContainer `json:"checker,omitempty"`
properties:
name:
type: string
@@ -769,6 +800,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -791,6 +824,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -822,6 +857,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -849,6 +886,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -871,6 +910,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -937,6 +978,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -964,6 +1007,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -986,6 +1031,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -1059,6 +1106,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -1141,6 +1190,18 @@ spec:
description: User is a SELinux user label that applies to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by the containers in this pod.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".
type: string
type:
description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
type: string
required:
- type
type: object
supplementalGroups:
description: A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.
items:
@@ -1282,6 +1343,18 @@ spec:
description: User is a SELinux user label that applies to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".
type: string
type:
description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
properties:
@@ -1352,6 +1425,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -1379,6 +1454,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -1401,6 +1478,8 @@ spec:
type: string
name:
type: string
namespace:
type: string
operation:
type: string
scope:
@@ -1487,6 +1566,15 @@ spec:
type: string
type: object
type: array
imageVerificationConfig:
properties:
enabled:
type: boolean
options:
additionalProperties:
type: string
type: object
type: object
inScopeNamespaceSelector:
properties:
exclude:
@@ -1690,8 +1778,34 @@ spec:
type: array
profileNamespace:
type: string
sideEffect:
properties:
createDenyEvent:
description: Event
type: boolean
createIShieldResourceEvent:
type: boolean
updateRSPStatusForDeniedRequest:
description: RSP
type: boolean
required:
- createDenyEvent
- createIShieldResourceEvent
- updateRSPStatusForDeniedRequest
type: object
signatureNamespace:
type: string
sigstoreConfig:
properties:
defaultRootCertURL:
type: string
enabled:
type: boolean
rekorServerURL:
type: string
useDefaultRootCert:
type: boolean
type: object
type: object
shieldConfigCrName:
type: string
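Review bot: In the last hunk, `sigstoreConfig.defaultRootCertURL` and `sigstoreConfig.rekorServerURL` are accepted as unconstrained `type: string` fields with no `description`, although by their names they appear to select the root certificate source and the transparency log used for signature verification. If that is their role, whoever can edit this custom resource controls the verifier's trust anchor, and nothing in the schema rejects a plain-http or malformed value; I would require https on both fields, for example `pattern: '^https://'`, and add a `description` stating what each URL is trusted for. The description text under `regKeySecret` reads like commented-out Go fields, which suggests this schema is generated, so the constraint likely belongs on the Go type as a validation marker rather than in this YAML.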
@@ -66,14 +66,14 @@ metadata:
capabilities: Basic Install
categories: Security
certified: "false"
containerImage: quay.io/open-cluster-management/integrity-shield-operator:0.1.6
containerImage: quay.io/open-cluster-management/integrity-shield-operator:0.2.0
createdAt: "2021-01-13T18:00:00Z"
description: K8s Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads.
operators.operatorframework.io/builder: operator-sdk-v1.4.2
operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
repository: https://github.com/open-cluster-management/integrity-shield
support: Community
name: integrity-shield-operator.v0.1.6
name: integrity-shield-operator.v0.2.0
namespace: placeholder
spec:
apiservicedefinitions: {}
@@ -272,6 +272,16 @@ spec:
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- ""
resources:
@@ -341,7 +351,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: quay.io/open-cluster-management/integrity-shield-operator:0.1.6
image: quay.io/open-cluster-management/integrity-shield-operator:0.2.0
imagePullPolicy: Always
lifecycle:
postStart:
@@ -427,5 +437,5 @@ spec:
maturity: alpha
provider:
name: Community
replaces: integrity-shield-operator.v0.1.5
version: 0.1.6
replaces: integrity-shield-operator.v0.1.6
version: 0.2.0
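Review bot: The new `coordination.k8s.io` `leases` rule in the second hunk grants `create`, `delete`, `get`, `list` and `update` on every lease within the rule's scope, and nothing in the hunk says what needs it. If it exists only for the operator's leader election, I would drop `delete` and `list` unless something is shown to call them, and put a comment such as `# leader-election lock for the operator` above the rule. The enclosing key (`permissions` versus `clusterPermissions`) is outside the hunk, so it is worth confirming the rule is namespaced rather than cluster-wide.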