Merge pull request #259 from viccuad/main

feat: Add questions, move auditScanner out of experimental
kubewarden · Jul 13, 2023 · d556c01 · d556c01
2 parents 30e47f6 + 9aacc61
commit d556c01
Show file tree

Hide file tree

Showing 13 changed files with 132 additions and 83 deletions.
diff --git a/charts/kubewarden-controller/chart-values.yaml b/charts/kubewarden-controller/chart-values.yaml
@@ -87,26 +87,25 @@ resources:
     requests:
       cpu: 250m
       memory: 50Mi
-# experimental Kubewarden features. These features are not recommended for
-# production yet, and are not covered by SemVer guarantees.
-experimental:
-  auditScanner:
-    enable: false
-    # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
-    # - view: Allows read-only access to most objects in a namespace.
-    #   Does not allow viewing secrets, roles or role bindings.
-    # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
-    #   and PolicyReports
-    serviceAccountName: audit-scanner
-    image:
-      # The registry is defined in the common.cattle.systemDefaultRegistry value
-      # kubectl image to be used in the pre-delete helm hook
-      repository: "kubewarden/audit-scanner"
-      tag: "latest"
-      pullPolicy: IfNotPresent
-    cronJob:
-      schedule: "*/60 * * * *" # every 60 minutes
-      failedJobsHistoryLimit: 5
-      successfulJobsHistoryLimit: 3
-    containerRestartPolicy: Never
-    skipAdditionalNamespaces: []
+
+auditScanner:
+  enable: false
+  # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
+  # - view: Allows read-only access to most objects in a namespace.
+  #   Does not allow viewing secrets, roles or role bindings.
+  # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
+  #   and PolicyReports
+  serviceAccountName: audit-scanner
+  image:
+    # The registry is defined in the common.cattle.systemDefaultRegistry value
+    # kubectl image to be used in the pre-delete helm hook
+    repository: "kubewarden/audit-scanner"
+    tag: "v1.7.0-rc1"
+    pullPolicy: IfNotPresent
+  cronJob:
+    schedule: "*/60 * * * *" # every 60 minutes
+    failedJobsHistoryLimit: 5
+    successfulJobsHistoryLimit: 3
+  containerRestartPolicy: Never
+  # Additional namespaces that the audit scanner will not scan:
+  skipAdditionalNamespaces: []
diff --git a/charts/kubewarden-controller/questions.yaml b/charts/kubewarden-controller/questions.yaml
@@ -0,0 +1,51 @@
+# This is a Rancher questions file
+---
+questions:
+- variable: "auditScanner.enable"
+  type: boolean
+  default: false
+  required: true
+  label: Enable Background Audit check
+  description: |
+    The Background Audit Check looks at existing Kubernetes resources and
+    periodically determines whether they are still compliant with regards to the
+    policies that are currently defined.
+  group: "Features"
+- variable: "auditScanner.cronJob.schedule"
+  type: string
+  default: "*/60 * * * *"
+  show_if: auditScanner.enable=true
+  label: Schedule
+  description: |
+    Schedule of the Background Audit check. Follows the Unix-cron syntax.
+  group: "Features"
+- variable: "auditScanner.serviceAccountName"
+  type: string
+  default: "audit-scanner"
+  show_if: auditScanner.enable=true
+  label: ServiceAccount name
+  description: |
+    The default audit-scanner ServiceAccount is bound to the ClusterRoles
+    "view" (allows read-only access to most objects in a namespace, does not
+    allow viewing secrets, roles or role bindings), and "audit-scanner-cluster-role"
+    (allows read-write to Kubewarden resources and PolicyReports).
+  group: "Features"
+- variable: tls.source
+  default: "cert-manager-self-signed"
+  description: "Source for TLS certificates"
+  label: TLS certificates source
+  type: enum
+  options:
+  - "cert-manager-self-signed"
+  - "cert-manager"
+  show_subquestion_if: "cert-manager"
+  group: "Certificates"
+  subquestions:
+  - variable: "tls.certManagerIssuerName"
+    type: string
+    default: ""
+    label: cert-manager Issuer name
+    description: |
+      Name of cert-manager Issuer
+    group: "Certificates"
+    show_if: "tls.source=cert-manager"
diff --git a/charts/kubewarden-controller/templates/_helpers.tpl b/charts/kubewarden-controller/templates/_helpers.tpl
@@ -104,7 +104,7 @@ Create the name of the service account to use for kubewarden-controller
 {{- range .Values.global.skipNamespaces }}
 - {{ printf "-i %s" . }}
 {{- end -}}
-{{- range .Values.experimental.auditScanner.skipAdditionalNamespaces }}
+{{- range .Values.auditScanner.skipAdditionalNamespaces }}
 - {{ printf "-i %s" . }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/kubewarden-controller/templates/cronjob.yaml b/charts/kubewarden-controller/templates/cronjob.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.experimental.auditScanner.enable }}
+{{- if .Values.auditScanner.enable }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -9,15 +9,15 @@ metadata:
   annotations:
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 spec:
-  schedule: {{ .Values.experimental.auditScanner.cronJob.schedule | quote }}
+  schedule: {{ .Values.auditScanner.cronJob.schedule | quote }}
   concurrencyPolicy: Forbid
-  failedJobsHistoryLimit: {{ .Values.experimental.auditScanner.cronJob.failedJobsHistoryLimit }}
-  successfulJobsHistoryLimit: {{ .Values.experimental.auditScanner.cronJob.successfulJobsHistoryLimit }}
+  failedJobsHistoryLimit: {{ .Values.auditScanner.cronJob.failedJobsHistoryLimit }}
+  successfulJobsHistoryLimit: {{ .Values.auditScanner.cronJob.successfulJobsHistoryLimit }}
   jobTemplate:
     spec:
       template:
         spec:
-          serviceAccountName: {{ .Values.experimental.auditScanner.serviceAccountName }}
+          serviceAccountName: {{ .Values.auditScanner.serviceAccountName }}
           {{- with .Values.podSecurityContext }}
           securityContext:
           {{- toYaml . | nindent 12 }}
@@ -26,11 +26,11 @@ spec:
           imagePullSecrets:
           {{- toYaml .Values.imagePullSecrets | nindent 12 }}
           {{- end }}
-          restartPolicy: {{ .Values.experimental.auditScanner.containerRestartPolicy }}
+          restartPolicy: {{ .Values.auditScanner.containerRestartPolicy }}
           containers:
           - name: audit-scanner
-            image: '{{ template "system_default_registry" . }}{{ .Values.experimental.auditScanner.image.repository }}:{{ .Values.experimental.auditScanner.image.tag }}'
-            imagePullPolicy: {{ .Values.experimental.auditScanner.image.pullPolicy }}
+            image: '{{ template "system_default_registry" . }}{{ .Values.auditScanner.image.repository }}:{{ .Values.auditScanner.image.tag }}'
+            imagePullPolicy: {{ .Values.auditScanner.image.pullPolicy }}
             command:
               {{- include "audit-scanner.command" . | nindent 14 -}}
             {{- with .Values.containerSecurityContext }}

diff --git a/charts/kubewarden-controller/templates/rbac.yaml b/charts/kubewarden-controller/templates/rbac.yaml
@@ -204,7 +204,7 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
-{{- if eq .Values.experimental.auditScanner.serviceAccountName  "audit-scanner" }}
+{{- if eq .Values.auditScanner.serviceAccountName  "audit-scanner" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -312,7 +312,7 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "kubewarden-controller.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{- if eq .Values.experimental.auditScanner.serviceAccountName "audit-scanner" }}
+{{- if eq .Values.auditScanner.serviceAccountName "audit-scanner" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -328,7 +328,7 @@ roleRef:
   name: view
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.experimental.auditScanner.serviceAccountName }}
+  name: {{ .Values.auditScanner.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -345,6 +345,6 @@ roleRef:
   name: audit-scanner-cluster-role
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.experimental.auditScanner.serviceAccountName }}
+  name: {{ .Values.auditScanner.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
 {{ end }}
diff --git a/charts/kubewarden-controller/templates/serviceaccount.yaml b/charts/kubewarden-controller/templates/serviceaccount.yaml
@@ -8,12 +8,12 @@ metadata:
   annotations:
     {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 
-{{- if eq .Values.experimental.auditScanner.serviceAccountName "audit-scanner" }}
+{{- if eq .Values.auditScanner.serviceAccountName "audit-scanner" }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.experimental.auditScanner.serviceAccountName }}
+  name: {{ .Values.auditScanner.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kubewarden-controller.labels" . | nindent 4 }}

diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
@@ -123,26 +123,25 @@ resources:
     requests:
       cpu: 250m
       memory: 50Mi
-# experimental Kubewarden features. These features are not recommended for
-# production yet, and are not covered by SemVer guarantees.
-experimental:
-  auditScanner:
-    enable: false
-    # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
-    # - view: Allows read-only access to most objects in a namespace.
-    #   Does not allow viewing secrets, roles or role bindings.
-    # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
-    #   and PolicyReports
-    serviceAccountName: audit-scanner
-    image:
-      # The registry is defined in the common.cattle.systemDefaultRegistry value
-      # kubectl image to be used in the pre-delete helm hook
-      repository: "kubewarden/audit-scanner"
-      tag: "latest"
-      pullPolicy: IfNotPresent
-    cronJob:
-      schedule: "*/60 * * * *" # every 60 minutes
-      failedJobsHistoryLimit: 5
-      successfulJobsHistoryLimit: 3
-    containerRestartPolicy: Never
-    skipAdditionalNamespaces: []
+
+auditScanner:
+  enable: false
+  # The default audit-scanner ServiceAccount is bound to the ClusterRoles:
+  # - view: Allows read-only access to most objects in a namespace.
+  #   Does not allow viewing secrets, roles or role bindings.
+  # - audit-scanner-cluster-role: Allows read-write to Kubewarden resources
+  #   and PolicyReports
+  serviceAccountName: audit-scanner
+  image:
+    # The registry is defined in the common.cattle.systemDefaultRegistry value
+    # kubectl image to be used in the pre-delete helm hook
+    repository: "kubewarden/audit-scanner"
+    tag: "v1.7.0-rc1"
+    pullPolicy: IfNotPresent
+  cronJob:
+    schedule: "*/60 * * * *" # every 60 minutes
+    failedJobsHistoryLimit: 5
+    successfulJobsHistoryLimit: 3
+  containerRestartPolicy: Never
+  # Additional namespaces that the audit scanner will not scan:
+  skipAdditionalNamespaces: []
diff --git a/charts/kubewarden-crds/chart-values.yaml b/charts/kubewarden-crds/chart-values.yaml
@@ -1,4 +1,3 @@
-policyReports:
-  # deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
-  # Set to false if they are already in the cluster
-  enable: true
+# deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
+# Set to false if they are already defined inside of the cluster
+installPolicyReportCRDs: true
diff --git a/charts/kubewarden-crds/templates/clusterpolicyreports.yaml b/charts/kubewarden-crds/templates/clusterpolicyreports.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.policyReports.enable }}
+{{- if .Values.installPolicyReportCRDs }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

diff --git a/charts/kubewarden-crds/templates/policyreports.yaml b/charts/kubewarden-crds/templates/policyreports.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.policyReports.enable }}
+{{- if .Values.installPolicyReportCRDs }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

diff --git a/charts/kubewarden-crds/values.yaml b/charts/kubewarden-crds/values.yaml
@@ -1,6 +1,5 @@
 # This file was autogenerated.
 
-policyReports:
-  # deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
-  # Set to false if they are already in the cluster
-  enable: true
+# deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
+# Set to false if they are already defined inside of the cluster
+installPolicyReportCRDs: true
diff --git a/charts/kubewarden-defaults/chart-values.yaml b/charts/kubewarden-defaults/chart-values.yaml
@@ -67,28 +67,29 @@ recommendedPolicies:
   # not support OCI artifacts.
   # If this field is not defined, the systemDefaultRegistry is used by default.
   defaultPoliciesRegistry: ""
+  # Additional namespaces that recommended policies will not apply to:
   skipAdditionalNamespaces: []
   defaultPolicyMode: "monitor"
   allowPrivilegeEscalationPolicy:
-    module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.5"
+    module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.6"
     name: "no-privilege-escalation"
   hostNamespacePolicy:
-    module: "kubewarden/policies/host-namespaces-psp:v0.1.5"
+    module: "kubewarden/policies/host-namespaces-psp:v0.1.6"
     name: "no-host-namespace-sharing"
   podPrivilegedPolicy:
-    module: "kubewarden/policies/pod-privileged:v0.2.5"
+    module: "kubewarden/policies/pod-privileged:v0.2.7"
     name: "no-privileged-pod"
   userGroupPolicy:
-    module: "kubewarden/policies/user-group-psp:v0.4.7"
+    module: "kubewarden/policies/user-group-psp:v0.4.9"
     name: "do-not-run-as-root"
   hostPathsPolicy:
-    module: "kubewarden/policies/hostpaths-psp:v0.1.8"
+    module: "kubewarden/policies/hostpaths-psp:v0.1.9"
     name: "do-not-share-host-paths"
     paths:
       - pathPrefix: "/tmp"
         readOnly: true
   capabilitiesPolicy:
-    module: "kubewarden/policies/capabilities-psp:v0.1.11"
+    module: "kubewarden/policies/capabilities-psp:v0.1.13"
     name: "drop-capabilities"
     allowed_capabilities: []
     required_drop_capabilities:

diff --git a/charts/kubewarden-defaults/values.yaml b/charts/kubewarden-defaults/values.yaml
@@ -103,28 +103,29 @@ recommendedPolicies:
   # not support OCI artifacts.
   # If this field is not defined, the systemDefaultRegistry is used by default.
   defaultPoliciesRegistry: ""
+  # Additional namespaces that recommended policies will not apply to:
   skipAdditionalNamespaces: []
   defaultPolicyMode: "monitor"
   allowPrivilegeEscalationPolicy:
-    module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.5"
+    module: "kubewarden/policies/allow-privilege-escalation-psp:v0.2.6"
     name: "no-privilege-escalation"
   hostNamespacePolicy:
-    module: "kubewarden/policies/host-namespaces-psp:v0.1.5"
+    module: "kubewarden/policies/host-namespaces-psp:v0.1.6"
     name: "no-host-namespace-sharing"
   podPrivilegedPolicy:
-    module: "kubewarden/policies/pod-privileged:v0.2.5"
+    module: "kubewarden/policies/pod-privileged:v0.2.7"
     name: "no-privileged-pod"
   userGroupPolicy:
-    module: "kubewarden/policies/user-group-psp:v0.4.7"
+    module: "kubewarden/policies/user-group-psp:v0.4.9"
     name: "do-not-run-as-root"
   hostPathsPolicy:
-    module: "kubewarden/policies/hostpaths-psp:v0.1.8"
+    module: "kubewarden/policies/hostpaths-psp:v0.1.9"
     name: "do-not-share-host-paths"
     paths:
       - pathPrefix: "/tmp"
         readOnly: true
   capabilitiesPolicy:
-    module: "kubewarden/policies/capabilities-psp:v0.1.11"
+    module: "kubewarden/policies/capabilities-psp:v0.1.13"
     name: "drop-capabilities"
     allowed_capabilities: []
     required_drop_capabilities: