diff --git a/charts/kubescape-operator/.helmignore b/charts/kubescape-operator/.helmignore
index 2b29f276..4c4f163e 100644
--- a/charts/kubescape-operator/.helmignore
+++ b/charts/kubescape-operator/.helmignore
@@ -1 +1,2 @@
 tests
+templates/node-agent-crds/README.md
diff --git a/charts/kubescape-operator/README.md b/charts/kubescape-operator/README.md
index 5def37c3..caa3a210 100644
--- a/charts/kubescape-operator/README.md
+++ b/charts/kubescape-operator/README.md
@@ -157,8 +157,6 @@ However, we recommend that you give Kubescape no less than 500m CPU no matter th
 | operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | operator.volumes | object | `[]` | Additional volumes for the web socket |
 | operator.volumeMounts | object | `[]` | Additional volumeMounts for the web socket |
-| hostScanner.volumes | object | `[]` | Additional volumes for the host scanner |
-| hostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner |
 | awsIamRoleArn | string | `nil` | AWS IAM arn role |
 | cloudProviderMetadata.secretRef.name | string | `nil` | secret name to define values for the provider's metadata |
 | cloudProviderMetadata.cloudRegion | string or through `cloudProviderMetadata.secretRef.cloudRegionKey` if `cloudProviderMetadata.secretRef.name` is set | `nil` | cloud region |
diff --git a/charts/kubescape-operator/assets/host-scanner-definition.yaml b/charts/kubescape-operator/assets/host-scanner-definition.yaml
deleted file mode 100644
index db5103c7..00000000
--- a/charts/kubescape-operator/assets/host-scanner-definition.yaml
+++ /dev/null
@@ -1,129 +0,0 @@ -{{- $components := fromYaml (include "components" .) -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ .Values.hostScanner.name }} - namespace: {{ .Values.ksNamespace }} - annotations: - {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 4 }} - argocd.argoproj.io/compare-options: "IgnoreExtraneous" - argocd.argoproj.io/sync-options: "Prune=false" - labels: - {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.hostScanner.name "tier" .Values.global.namespaceTier) | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "kubescape-operator.selectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.hostScanner.name) | nindent 6 }} - template: - metadata: - annotations: - {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 8 }} - argocd.argoproj.io/compare-options: "IgnoreExtraneous" - argocd.argoproj.io/sync-options: "Prune=false" - labels: - {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.hostScanner.name "tier" .Values.global.namespaceTier) | nindent 8 }} - kubescape.io/tier: "core" - name: host-scanner - {{- if $components.otelCollector.enabled }} - otel: enabled - {{- end }} - spec: - nodeSelector: - {{- if .Values.hostScanner.nodeSelector }} - {{- toYaml .Values.hostScanner.nodeSelector | nindent 8 }} - {{- else if .Values.customScheduling.nodeSelector }} - {{- toYaml .Values.customScheduling.nodeSelector | nindent 8 }} - {{- end }} - affinity: - {{- if .Values.hostScanner.affinity }} - {{- toYaml .Values.hostScanner.affinity | nindent 8 }} - {{- else if .Values.customScheduling.affinity }} - {{- toYaml .Values.customScheduling.affinity | nindent 8 }} - {{- end }} - tolerations: - {{- if .Values.hostScanner.tolerations }} - {{- toYaml .Values.hostScanner.tolerations | nindent 8 }} - {{- else if 
.Values.customScheduling.tolerations }} - {{- toYaml .Values.customScheduling.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{- if kindIs "string" .Values.imagePullSecrets }} - - name: {{ .Values.imagePullSecrets }} - {{- else }} - {{- range .Values.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- end }} - containers: - - name: host-sensor - image: "{{ .Values.hostScanner.image.repository }}:{{ .Values.hostScanner.image.tag }}" - imagePullPolicy: {{ .Values.hostScanner.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: true - privileged: true - readOnlyRootFilesystem: true - env: - - name: KS_LOGGER_LEVEL - value: "{{ .Values.logger.level }}" - - name: KS_LOGGER_NAME - value: "{{ .Values.logger.name }}" - {{- if $components.otelCollector.enabled }} - - name: ACCOUNT_ID - valueFrom: - secretKeyRef: - name: {{ $components.cloudSecret.name }} - key: account - - name: CLUSTER_NAME - value: "{{ regexReplaceAll "\\W+" .Values.clusterName "-" }}" - - name: OTEL_COLLECTOR_SVC - value: "otel-collector.kubescape.svc:4318" - {{- end }} - {{- if .Values.configurations.otelUrl }} - - name: OTEL_COLLECTOR_SVC - value: {{ .Values.configurations.otelUrl }} - {{- end }} - ports: - - name: scanner # Do not change port name - containerPort: 7888 - protocol: TCP - resources: -{{ toYaml .Values.hostScanner.resources | indent 10 }} - volumeMounts: - - mountPath: /host_fs - name: host-filesystem -{{- if .Values.volumeMounts }} -{{ toYaml .Values.volumeMounts | indent 8 }} -{{- end }} -{{- if .Values.hostScanner.volumeMounts }} -{{ toYaml .Values.hostScanner.volumeMounts | nindent 8 }} -{{- end }} - startupProbe: - httpGet: - path: /readyz - port: 7888 - failureThreshold: 30 - periodSeconds: 1 - livenessProbe: - httpGet: - path: /healthz - port: 7888 - periodSeconds: 10 - terminationGracePeriodSeconds: 120 - dnsPolicy: ClusterFirstWithHostNet - serviceAccountName: {{ .Values.nodeAgent.name }} - 
automountServiceAccountToken: false - volumes: - - hostPath: - path: / - type: Directory - name: host-filesystem -{{- if .Values.volumes }} -{{ toYaml .Values.volumes | indent 6 }} -{{- end }} -{{- if .Values.hostScanner.volumes }} -{{ toYaml .Values.hostScanner.volumes | nindent 6 }} -{{- end }} - hostPID: true - hostIPC: true diff --git a/charts/kubescape-operator/templates/_common.tpl b/charts/kubescape-operator/templates/_common.tpl index 5953e343..1ddb340d 100644 --- a/charts/kubescape-operator/templates/_common.tpl +++ b/charts/kubescape-operator/templates/_common.tpl @@ -7,7 +7,6 @@ capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "components-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }} cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }} cloudSecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloud-secret.yaml" ) . | replace .Chart.AppVersion "" | sha256sum }} -hostScannerConfig: {{ include (printf "%s/kubescape/host-scanner-definition-configmap.yaml" $.Template.BasePath ) . | replace .Chart.AppVersion "" | sha256sum }} matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "matchingRules-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }} nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | replace .Chart.AppVersion "" | sha256sum }} operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | replace .Chart.AppVersion "" | sha256sum }} 
@@ -50,8 +49,6 @@ submit: {{ $submit }}
 {{- $nodeScanEnabled := and (eq .Values.capabilities.nodeScan "enable") (not $configurations.backendStorageEnabled) }}
 {{- $configurationScanEnabled := and (eq .Values.capabilities.configurationScan "enable") (not $configurations.backendStorageEnabled) }}
 {{- $vulnerabilityScanEnabled := and (eq .Values.capabilities.vulnerabilityScan "enable") (not $configurations.backendStorageEnabled) }}
-hostScanner:
- enabled: {{ $nodeScanEnabled }}
 kubescape:
 enabled: {{ $configurationScanEnabled }}
 kubescapeScheduler:
diff --git a/charts/kubescape-operator/templates/kubescape/clusterrole.yaml b/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
index 98dc0569..3e03eb71 100644
--- a/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
+++ b/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
@@ -86,4 +86,20 @@ rules:
 - apiGroups: ["kubescape.io"]
 resources: ["servicesscanresults"]
 verbs: ["get", "watch", "list"]
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+- apiGroups: ["hostdata.kubescape.cloud"]
+ resources:
+ - osreleasefiles
+ - kernelversions
+ - linuxsecurityhardeningstatuses
+ - openportslists
+ - linuxkernelvariables
+ - kubeletinfos
+ - kubeproxyinfos
+ - controlplaneinfos
+ - cloudproviderinfos
+ - cniinfos
+ verbs: ["get", "list", "watch"]
+{{- end }}
+
 {{ end }}
diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
index 23db58ee..e1df026a 100644
--- a/charts/kubescape-operator/templates/kubescape/deployment.yaml
+++ b/charts/kubescape-operator/templates/kubescape/deployment.yaml
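Review bot: The ten-resource list under `hostdata.kubescape.cloud` is spelled out by hand here, again in the node-agent ClusterRole, and once per file in `templates/node-agent-crds/`, so the next CRD added there will be missing from one of the roles unless every copy is edited in step; defining the list once as a named template in `_common.tpl` and rendering it with `nindent` in both roles would keep them aligned. The guard `{{- if .Values.nodeAgent.config.hostSensor.enabled }}` also assumes `nodeAgent.config.hostSensor` exists in values — no values.yaml change is part of this diff, and if the key has no default Helm aborts rendering with a nil-pointer evaluation error instead of treating the sensor as disabled. The read-only verbs are the right scope for the consumer side. The `{{ end }}` that closes this hunk belongs to a block that starts outside it.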
@@ -29,7 +29,6 @@ spec:
 annotations:
 {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 8 }}
 {{- with .Values.kubescape.podAnnotations }}{{- toYaml . | nindent 8 }}{{- end }}
- checksum/host-scanner-configmap: {{ $checksums.hostScannerConfig }}
 checksum/cloud-secret: {{ $checksums.cloudSecret }}
 checksum/cloud-config: {{ $checksums.cloudConfig }}
 {{- if ne .Values.global.proxySecretFile "" }}
@@ -146,7 +145,7 @@ spec:
 - name: KS_DEFAULT_CLOUD_CONFIGMAP_NAME
 value: {{ .Values.global.cloudConfig }}
 - name: KS_ENABLE_HOST_SCANNER
- value: "{{ $components.hostScanner.enabled }}"
+ value: "{{ .Values.nodeAgent.config.hostSensor.enabled }}"
 - name: KS_SKIP_UPDATE_CHECK
 value: "{{ .Values.kubescape.skipUpdateCheck }}"
 - name: KS_HOST_SCAN_YAML
diff --git a/charts/kubescape-operator/templates/node-agent-crds/README.md b/charts/kubescape-operator/templates/node-agent-crds/README.md
new file mode 100644
index 00000000..7e9f517f
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/README.md
@@ -0,0 +1,7 @@
+### CRDs location inside the chart tree
+These CRDs are placed in the `templates/` directory instead of the standard `crds/` directory to allow Helm to manage their full lifecycle.
+This ensures they are updated during `helm upgrade` and removed during `helm uninstall`, supporting the evolving sensing capabilities of the node-agent.
+No need to install them before kubescape operator chart since they are about to be used only after node-agent is up and running.
+
+### tech debt
+1. move CRDs group from `kubescape.cloud` to `kubescape.io`
\ No newline at end of file
diff --git a/charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml
new file mode 100644
index 00000000..127eaf10
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml
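Review bot: `KS_ENABLE_HOST_SCANNER` is now driven by `.Values.nodeAgent.config.hostSensor.enabled` alone, whereas the removed `$components.hostScanner.enabled` also required `capabilities.nodeScan` to be `enable` and backend storage to be off, and the `$nodeScanEnabled` assignment in `_common.tpl` is left in place with no consumer visible in this diff. If ignoring `capabilities.nodeScan` is intended, the README's capability table should say so; otherwise compute the flag once in the `components` template and reference it from here, both ClusterRoles and the CRD guards so the four places cannot drift. Separately, the `KS_HOST_SCAN_YAML` context line still points kubescape at the host-scanner ConfigMap, and the updated snapshot shows that ConfigMap now rendering `host-scanner-yaml: ""` because the asset file was deleted; the ConfigMap template (not in this diff) and this env var look like leftovers that should be removed together with it.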
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: cloudproviderinfos.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: CloudProviderInfo
+ listKind: CloudProviderInfoList
+ plural: cloudproviderinfos
+ singular: cloudproviderinfo
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml
new file mode 100644
index 00000000..9ecaeff1
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml
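Review bot: Both `spec` and `status` are declared as bare `type: object` with `x-kubernetes-preserve-unknown-fields: true` and no `properties`, so the API server validates nothing the node-agent writes, even though the two printer columns depend on `.spec.nodeName` and `.status.lastSensed` being present. The same shape is repeated in cniinfo-crd.yaml, controlplaneinfo-crd.yaml, kernelversion-crd.yaml, kubeletinfo-crd.yaml, kubeproxyinfo-crd.yaml, linuxkernelvariables-crd.yaml, linuxsecurityhardening-crd.yaml and openports-crd.yaml, while osreleasefile-crd.yaml already shows the typed form for exactly those two fields. Declaring them as below keeps unknown fields preserved but rejects objects without a node name or with a malformed timestamp; a `subresources: status: {}` entry is worth considering too, but only if the agent already writes status through the status endpoint, which this diff does not show. Since these CRDs are gated on `hostSensor.enabled`, turning the value off on `helm upgrade` also deletes every stored object of these kinds — that deserves a sentence in the new README next to the lifecycle note.
```yaml
# … unchanged: template guards, apiVersion, kind, metadata, group, names, scope …
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              x-kubernetes-preserve-unknown-fields: true
              properties:
                nodeName:
                  type: string
            status:
              type: object
              x-kubernetes-preserve-unknown-fields: true
              properties:
                lastSensed:
                  type: string
                  format: date-time
# … unchanged: additionalPrinterColumns, closing template guards …
```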
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: cniinfos.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: CNIInfo
+ listKind: CNIInfoList
+ plural: cniinfos
+ singular: cniinfo
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml
new file mode 100644
index 00000000..a8e88f38
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: controlplaneinfos.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: ControlPlaneInfo
+ listKind: ControlPlaneInfoList
+ plural: controlplaneinfos
+ singular: controlplaneinfo
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml
new file mode 100644
index 00000000..38afb57d
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: kernelversions.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: KernelVersion
+ listKind: KernelVersionList
+ plural: kernelversions
+ singular: kernelversion
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/kubeletinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/kubeletinfo-crd.yaml
new file mode 100644
index 00000000..bf3dc32a
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/kubeletinfo-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: kubeletinfos.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: KubeletInfo
+ listKind: KubeletInfoList
+ plural: kubeletinfos
+ singular: kubeletinfo
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/kubeproxyinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/kubeproxyinfo-crd.yaml
new file mode 100644
index 00000000..46c7af78
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/kubeproxyinfo-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: kubeproxyinfos.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: KubeProxyInfo
+ listKind: KubeProxyInfoList
+ plural: kubeproxyinfos
+ singular: kubeproxyinfo
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/linuxkernelvariables-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/linuxkernelvariables-crd.yaml
new file mode 100644
index 00000000..ed6df2e1
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/linuxkernelvariables-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: linuxkernelvariables.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: LinuxKernelVariables
+ listKind: LinuxKernelVariablesList
+ plural: linuxkernelvariables
+ singular: linuxkernelvariable
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/linuxsecurityhardening-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/linuxsecurityhardening-crd.yaml
new file mode 100644
index 00000000..2beab23e
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/linuxsecurityhardening-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: LinuxSecurityHardeningStatus
+ listKind: LinuxSecurityHardeningStatusList
+ plural: linuxsecurityhardeningstatuses
+ singular: linuxsecurityhardeningstatus
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/openports-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/openports-crd.yaml
new file mode 100644
index 00000000..35211cac
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/openports-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: openportslists.hostdata.kubescape.cloud
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: OpenPortsList
+ listKind: OpenPortsListList
+ plural: openportslists
+ singular: openportslist
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml
new file mode 100644
index 00000000..5dc64b5f
--- /dev/null
+++ b/charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml
@@ -0,0 +1,67 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: osreleasefiles.hostdata.kubescape.cloud
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.11.1
+spec:
+ group: hostdata.kubescape.cloud
+ names:
+ kind: OsReleaseFile
+ listKind: OsReleaseFileList
+ plural: osreleasefiles
+ singular: osreleasefile
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ description: OsReleaseFile contains the OS release information from a node
+ type: object
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object.'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents.'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: OsReleaseFileSpec contains the actual OS release file content
+ type: object
+ properties:
+ content:
+ description: Content is the raw content of the OS release file
+ type: string
+ nodeName:
+ description: NodeName is the name of the node this data came from
+ type: string
+ status:
+ description: OsReleaseFileStatus contains status information about the sensing
+ type: object
+ properties:
+ lastSensed:
+ description: LastSensed is the timestamp when this data was last collected
+ type: string
+ format: date-time
+ error:
+ description: Error contains any error message from the last sensing attempt
+ type: string
+ additionalPrinterColumns:
+ - name: Node
+ type: string
+ jsonPath: .spec.nodeName
+ - name: Last Sensed
+ type: string
+ jsonPath: .status.lastSensed
+ - name: Age
+ type: date
+ jsonPath: .metadata.creationTimestamp
+{{- end }}
+{{- end }}
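Review bot: The `controller-gen.kubebuilder.io/version: v0.11.1` annotation marks this CRD as generated from Go types, yet it is the only one of the ten new CRDs carrying it and the other nine are hand-written with a different, untyped shape; either regenerate the whole set from the same source or drop the annotation so nobody reruns controller-gen expecting to reproduce these files. The `Last Sensed` printer column is `type: string` although `status.lastSensed` is declared `format: date-time`; `type: date` would render it as an age like the `Age` column below it. Neither `content` nor `error` carries a `maxLength`, so a node's raw file content and an unbounded error string are accepted into etcd as-is — worth a cap if the agent can bound them.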
diff --git a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml
index c2b4360d..c4b337e6 100644
--- a/charts/kubescape-operator/templates/node-agent/clusterrole.yaml
+++ b/charts/kubescape-operator/templates/node-agent/clusterrole.yaml
@@ -54,4 +54,20 @@ rules:
 - apiGroups: ["kubescape.io"]
 resources: ["rules"]
 verbs: ["list", "watch"]
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+- apiGroups: ["hostdata.kubescape.cloud"]
+ resources:
+ - osreleasefiles
+ - kernelversions
+ - linuxsecurityhardeningstatuses
+ - openportslists
+ - linuxkernelvariables
+ - kubeletinfos
+ - kubeproxyinfos
+ - controlplaneinfos
+ - cloudproviderinfos
+ - cniinfos
+ verbs: ["create", "get", "update", "patch", "list", "watch"]
+{{- end }}
+
 {{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent/configmap.yaml b/charts/kubescape-operator/templates/node-agent/configmap.yaml
index a6c195be..09a70a77 100644
--- a/charts/kubescape-operator/templates/node-agent/configmap.yaml
+++ b/charts/kubescape-operator/templates/node-agent/configmap.yaml
@@ -29,6 +29,8 @@ data:
 "malwareDetectionEnabled": {{ eq .Values.capabilities.malwareDetection "enable" }},
 "hostMalwareSensorEnabled": {{ eq .Values.nodeAgent.config.hostMalwareSensor "enable" }},
 "hostNetworkSensorEnabled": {{ eq .Values.nodeAgent.config.hostNetworkSensor "enable" }},
+ "hostSensorEnabled": {{ .Values.nodeAgent.config.hostSensor.enabled }},
+ "hostSensorInterval": "{{ .Values.nodeAgent.config.hostSensor.interval }}",
 "nodeProfileServiceEnabled": {{ and $components.synchronizer.enabled (eq .Values.capabilities.nodeProfileService "enable") }},
 "networkStreamingEnabled": {{ and $configurations.submit (eq .Values.capabilities.networkEventsStreaming "enable") }},
 "maxImageSize": {{ .Values.kubevuln.config.maxImageSize }},
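Review bot: The write set `["create", "get", "update", "patch", "list", "watch"]` has no `delete`, so the cluster-scoped objects an agent creates for its node stay behind as orphans once that node leaves the cluster, unless the agent sets an `ownerReference` to its `Node` object so garbage collection removes them — nothing in this diff shows that. Either add `delete` so the agent can retire its own objects, or state the ownerReference expectation in the node-agent-crds README. Because RBAC cannot restrict `create` by resource name, every agent also holds write access to every node's objects of these ten kinds; that is inherent to a DaemonSet writing cluster-scoped resources, but it is worth recording as an accepted risk alongside the lifecycle note. The `{{- end }}` that closes this hunk belongs to a block starting outside it.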
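Review bot: `"hostSensorEnabled": {{ .Values.nodeAgent.config.hostSensor.enabled }},` splices the raw value into a JSON document, so an absent key renders as `<nil>` and the whole config becomes unparsable, whereas the neighbouring `hostMalwareSensorEnabled` and `hostNetworkSensorEnabled` lines use the `eq ... "enable"` idiom that always yields a JSON boolean. Either adopt the same string-enum convention for `hostSensor` or at least pin the type with `"hostSensorEnabled": {{ .Values.nodeAgent.config.hostSensor.enabled | default false }},`; `hostSensorInterval` is already safe because it is quoted, though an empty value would render `""` and its meaning to the agent is not visible here. The JSON object these two lines sit in opens and closes outside the hunk.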
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index 18e9eb40..9b3e0eef 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap 
@@ -300,7 +300,7 @@ all capabilities: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"enable","manageWorkloads":"enable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"enable","relevancy":"enable","riskAcceptance":"enable","runtimeDetection":"enable","runtimeObservability":"enable","scanEmbeddedSBOMs":"enable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"enable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":true},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":true},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":[".containers[*].env[?(@.name==\"KUBECONFIG\")]"],"otelUrl":"otelCollector.svc.monitoring:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -1096,6 +1096,23 @@ all capabilities: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 24: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -1158,7 +1175,6 @@ all capabilities: annotations: checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 9302798150edd358576dc2e4929bd5b68fd140217b3cc0bc4689932bf8cea86e checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 labels: app: kubescape 
@@ -1373,7 +1389,7 @@ all capabilities: 26: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n imagePullSecrets:\n - name: foo\n - name: bar\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: 
\"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - name: OTEL_COLLECTOR_SVC\n value: otelCollector.svc.monitoring:4317\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -2247,6 +2263,375 @@ all capabilities: name: kubevuln namespace: kubescape 45: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 46: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 47: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + 
name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 48: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 49: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 50: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + versions: + - 
additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 51: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 52: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 53: | + apiVersion: apiextensions.k8s.io/v1 + kind: 
CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 54: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 55: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -2383,7 +2768,27 @@ all capabilities: verbs: - list - watch - 46: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 56: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -2408,7 +2813,7 @@ all capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 47: | + 57: | apiVersion: v1 data: config.json: | @@ -2422,6 +2827,8 @@ all capabilities: "malwareDetectionEnabled": true, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, @@ -2468,7 +2875,7 @@ all capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 48: | + 58: | apiVersion: v1 data: clamd.conf: |- 
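Review bot: Nine of the ten new CRDs (every one except `osreleasefiles`) declare `spec` and `status` as bare `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server validates nothing below the top level, and the `additionalPrinterColumns` reference `.spec.nodeName` and `.status.lastSensed` fields the schema never declares. Only `osreleasefiles` carries a typed schema and a `controller-gen.kubebuilder.io/version` annotation, which suggests the other nine were hand-written or the generator was not run for them; generating typed schemas for all ten would let the API server reject malformed or oversized writes. None of the ten declares `subresources: status: {}`, so status updates go through the main resource and a writer with `update` on the resource can rewrite `spec` as well. These cluster-scoped objects hold per-node host inventory (kernel version, open ports, kubelet/kube-proxy/control-plane details, hardening status), which is worth keeping in mind when granting read access to the `hostdata.kubescape.cloud` group. The same CRD set is added again at `@@ -8088,6 +8515,375 @@`.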
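Review bot: The new rule grants the bound service account (the following hunk binds `node-agent`) create/get/update/patch/list/watch on all ten `hostdata.kubescape.cloud` resources but no `delete`, so objects written for nodes that later leave the cluster can only be removed by something else; if the operator does not garbage-collect them, stale per-node data accumulates cluster-wide. Because these resources expose host-level inventory for every node, the principals given read access to this group — including the get/list/watch rule added at `@@ -7359,6 +7770,23 @@`, which appears to be for the kubescape component — should be limited to the components that actually consume the data. The same write rule is repeated at `@@ -8224,7 +9020,27 @@`.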
@@ -2505,7 +2912,7 @@ all capabilities: metadata: name: clamav namespace: kubescape - 49: | + 59: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -2535,7 +2942,7 @@ all capabilities: annotations: checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 926b706ae266d1126c65565bc4729b35c679682ea75202583f4a9786e7b5de2a + checksum/node-agent-config: 9f743d9aac5148b4e8f7ae0369f163d738b845e84581d2b06b06d02a6c6e6043 checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: @@ -2792,6 +3199,10 @@ all capabilities: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -2827,7 +3238,7 @@ all capabilities: - name: custom-ca-certificates secret: secretName: custom-ca-certificates - 50: | + 60: | apiVersion: kubescape.io/v1 kind: RuntimeRuleAlertBinding metadata: @@ -2878,7 +3289,7 @@ all capabilities: - ruleName: Unexpected Egress Network Traffic - ruleName: Malicious Ptrace Usage - ruleName: Unexpected io_uring Operation Detected - 51: | + 61: | apiVersion: kubescape.io/v1 kind: Rules metadata: @@ -3560,7 +3971,7 @@ all capabilities: - syscalls - io_uring - applicationprofile - 52: | + 62: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -3625,7 +4036,7 @@ all capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 53: | + 63: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -3651,7 +4062,7 @@ all capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 54: | + 64: | apiVersion: v1 kind: Service metadata: 
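Review bot: The node-agent DaemonSet now receives a `hostPath` volume named `host-filesystem` at `/` of type `Directory` — the mount the removed host-scanner DaemonSet previously owned — while the matching `volumeMounts` entry is outside this hunk; confirm that mount carries `readOnly: true` so the host sensor cannot write to the node's root filesystem. The pod is already annotated `container.apparmor.security.beta.kubernetes.io/node-agent: unconfined`, so a root mount widens what a compromise of that container can reach, and a template comment such as `# host root mount for the host sensor; keep the volumeMount read-only` would record why the volume exists. The `"hostSensorEnabled": true` and `"hostSensorInterval": "5m"` keys added to node-agent's config.json in the earlier hunk show no gate around this volume in the rendered output; if the sensor can be disabled, the volume should presumably be conditional on the same setting. The same volume and config additions appear in the second snapshot at `@@ -8263,6 +9079,8 @@`.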
@@ -3679,7 +4090,7 @@ all capabilities: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 55: | + 65: | apiVersion: v1 kind: ServiceAccount metadata: @@ -3697,7 +4108,7 @@ all capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 56: | + 66: | apiVersion: v1 kind: Service metadata: @@ -3724,7 +4135,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 57: | + 67: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -3772,7 +4183,7 @@ all capabilities: - rolebindings scope: '*' sideEffects: None - 58: | + 68: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -3795,7 +4206,7 @@ all capabilities: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 59: | + 69: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -3818,7 +4229,7 @@ all capabilities: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 60: | + 70: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -3952,7 +4363,7 @@ all capabilities: - get - list - watch - 61: | + 71: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -3977,7 +4388,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 62: | + 72: | apiVersion: v1 data: config.json: | @@ -4028,7 +4439,7 @@ all capabilities: tier: ks-control-plane name: operator namespace: kubescape - 63: | + 73: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -4063,7 +4474,7 @@ all capabilities: template: metadata: annotations: - checksum/capabilities-config: b0b4eb6ecb26f9be060912ffbe5f36704226a6c2c443b5cffb1049ab3553d740 + checksum/capabilities-config: 59a962f6d5626eef232330ebf8392ff351e1cc9edbd0858281a08a2997d805a1 checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -4225,7 +4636,7 @@ all capabilities: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 64: | + 74: | apiVersion: v1 data: cronjobTemplate: |- @@ -4313,7 +4724,7 @@ all capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 65: | + 75: | apiVersion: v1 data: cronjobTemplate: |- @@ -4401,7 +4812,7 @@ all capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 66: | + 76: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -4508,7 +4919,7 @@ all capabilities: policyTypes: - Ingress - Egress - 67: | + 77: | apiVersion: v1 data: cronjobTemplate: |- @@ -4596,7 +5007,7 @@ all capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 68: | + 78: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -4640,7 +5051,7 @@ all capabilities: - list - patch - delete - 69: | + 79: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -4666,7 +5077,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 70: | + 80: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -4692,7 +5103,7 @@ all capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 71: | + 81: | apiVersion: v1 kind: Service metadata: 
@@ -4720,7 +5131,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 72: | + 82: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -4739,7 +5150,7 @@ all capabilities: tier: ks-control-plane name: operator namespace: kubescape - 73: | + 83: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -4767,7 +5178,7 @@ all capabilities: - get - watch - list - 74: | + 84: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -4791,7 +5202,7 @@ all capabilities: - kind: ServiceAccount name: prometheus-exporter namespace: kubescape - 75: | + 85: | apiVersion: apps/v1 kind: Deployment metadata: @@ -4898,7 +5309,7 @@ all capabilities: path: clusterData.json name: ks-cloud-config name: ks-cloud-config - 76: | + 86: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -4968,7 +5379,7 @@ all capabilities: policyTypes: - Ingress - Egress - 77: | + 87: | apiVersion: v1 kind: Service metadata: @@ -4995,7 +5406,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: null - 78: | + 88: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -5013,7 +5424,7 @@ all capabilities: tier: ks-control-plane name: prometheus-exporter namespace: kubescape - 79: | + 89: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -5044,7 +5455,7 @@ all capabilities: app.kubernetes.io/component: prometheus-exporter app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 80: | + 90: | apiVersion: v1 data: proxy.crt: foo @@ -5068,7 +5479,7 @@ all capabilities: name: kubescape-proxy-certificate namespace: kubescape type: Opaque - 81: | + 91: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: 
@@ -5094,7 +5505,7 @@ all capabilities: namespace: kubescape version: v1beta1 versionPriority: 15 - 82: | + 92: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -5160,7 +5571,7 @@ all capabilities: - get - watch - list - 83: | + 93: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -5185,7 +5596,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 84: | + 94: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -5210,7 +5621,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 85: | + 95: | apiVersion: v1 data: config.json: | @@ -5242,7 +5653,7 @@ all capabilities: tier: ks-control-plane name: storage namespace: kubescape - 86: | + 96: | apiVersion: apps/v1 kind: Deployment metadata: @@ -5362,7 +5773,7 @@ all capabilities: path: config.json name: storage name: config - 87: | + 97: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -5432,7 +5843,7 @@ all capabilities: policyTypes: - Ingress - Egress - 88: | + 98: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -5456,7 +5867,7 @@ all capabilities: resources: requests: storage: 5Gi - 89: | + 99: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -5482,7 +5893,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 90: | + 100: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -5508,7 +5919,7 @@ all capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 91: | + 101: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -5832,7 +6243,7 @@ all capabilities: storage: true subresources: status: {} - 92: | + 102: | apiVersion: v1 kind: Service metadata: 
@@ -5861,7 +6272,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 93: | + 103: | apiVersion: v1 kind: ServiceAccount metadata: @@ -5879,7 +6290,7 @@ all capabilities: tier: ks-control-plane name: storage namespace: kubescape - 94: | + 104: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -6117,7 +6528,7 @@ all capabilities: verbs: - update - patch - 95: | + 105: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -6141,7 +6552,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 96: | + 106: | apiVersion: v1 data: config.json: | @@ -6438,7 +6849,7 @@ all capabilities: tier: ks-control-plane name: synchronizer namespace: kubescape - 97: | + 107: | apiVersion: apps/v1 kind: Deployment metadata: @@ -6621,7 +7032,7 @@ all capabilities: path: config.json name: synchronizer name: config - 98: | + 108: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -6700,7 +7111,7 @@ all capabilities: policyTypes: - Ingress - Egress - 99: | + 109: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -6743,7 +7154,7 @@ all capabilities: - list - patch - delete - 100: | + 110: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -6768,7 +7179,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 101: | + 111: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -6793,7 +7204,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 102: | + 112: | apiVersion: v1 kind: Service metadata: @@ -6820,7 +7231,7 @@ all capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 103: | + 113: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -6937,7 +7348,7 @@ autoscaler mode with sbom sidecar: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"enable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":true},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":null,"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -7359,6 +7770,23 @@ autoscaler mode with sbom sidecar: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -7421,7 +7849,6 @@ autoscaler mode with sbom sidecar: annotations: checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 7fc30b6a442d0ae01e83852a7c371492e49e83d6bed3dd0cb6c32935f417ad4d labels: app: kubescape app.kubernetes.io/component: kubescape 
@@ -7582,7 +8009,7 @@ autoscaler mode with sbom sidecar: 12: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n 
value: \"zap\"\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -8088,6 +8515,375 @@ autoscaler mode with sbom sidecar: name: kubevuln namespace: kubescape 24: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 25: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 26: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed 
+ type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 27: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 28: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 29: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + 
versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 30: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 31: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 32: | + apiVersion: 
apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 33: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 34: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -8224,7 +9020,27 @@ autoscaler mode with sbom sidecar: verbs: - list - watch - 25: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8249,7 +9065,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: node-agent namespace: kubescape - 26: | + 36: | apiVersion: v1 data: config.json: | @@ -8263,6 +9079,8 @@ autoscaler mode with sbom sidecar: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, @@ -8309,7 +9127,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: node-agent namespace: kubescape - 27: | + 37: | apiVersion: v1 kind: Service metadata: 
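Review bot: The new node-agent rule on `hostdata.kubescape.cloud` grants `create`, `update` and `patch` on all ten resources but not `delete`, so if the agent is expected to remove its node's records when a node goes away, stale cluster-scoped objects will accumulate — worth confirming against the agent's behaviour rather than assuming another component garbage-collects them. Because every one of these CRDs is `scope: Cluster` (see the definitions earlier in this snapshot), the write grant is cluster-wide: any node's agent can overwrite the sensing records published for any other node, which is acceptable for a trusted DaemonSet but should be stated explicitly in the ClusterRole template this snapshot is rendered from, e.g. `# hostdata CRs are cluster-scoped; this write grant is not per-node`. The rendered ClusterRole itself begins before this hunk, and the generating template is not part of the diff.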
@@ -8337,7 +9155,7 @@ autoscaler mode with sbom sidecar: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 28: | + 38: | apiVersion: v1 kind: ServiceAccount metadata: 
@@ -8355,10 +9173,10 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: node-agent namespace: kubescape - 29: | + 39: | apiVersion: v1 data: - daemonset-template.yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: \"{{ .Name }}\"\n namespace: kubescape\n annotations:\n \n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/managed-by: operator-autoscaler\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\n template:\n metadata:\n annotations:\n \n checksum/node-agent-config: 97384b74056f9485f57382f907e17c1ccefe56710d91f080e9f997ce70303707\n checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424\n checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0\n container.apparmor.security.beta.kubernetes.io/node-agent: unconfined\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\n spec:\n securityContext:\n priorityClassName: kubescape-critical\n serviceAccountName: node-agent\n automountServiceAccountToken: 
true\n hostPID: true\n initContainers:\n \n - name: url-discovery\n image: \"quay.io/kubescape/http-request:v0.2.19\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n resources:\n limits:\n cpu: 100m\n memory: 50Mi\n requests:\n cpu: 10m\n memory: 10Mi\n env:\n args:\n - -method=get\n - -scheme=https\n - -host=api.armosec.io\n - -path=api/v3/servicediscovery\n - -path-output=/data/services.json\n volumeMounts:\n - name: services\n mountPath: /data\n volumes:\n \n - hostPath:\n path: /\n name: host\n - hostPath:\n path: /var/lib/kubelet\n name: kubeletdir\n - hostPath:\n path: /run\n name: run\n - hostPath:\n path: /var\n name: var\n - hostPath:\n path: /sys/fs/cgroup\n name: cgroup\n - hostPath:\n path: /lib/modules\n name: modules\n - hostPath:\n path: /sys/fs/bpf\n name: bpffs\n - hostPath:\n path: /sys/kernel/debug\n name: debugfs\n - hostPath:\n path: /boot\n name: boot\n - emptyDir: null\n name: data\n - emptyDir: null\n name: profiles\n - emptyDir: {}\n name: clamdb\n - emptyDir: {}\n name: clamrun\n - configMap:\n items:\n - key: clamd.conf\n path: clamd.conf\n - key: freshclam.conf\n path: freshclam.conf\n name: clamav\n name: etc\n - emptyDir:\n medium: Memory\n sizeLimit: 10Mi\n name: sbom-comm\n - emptyDir: {}\n name: sbom-scanner-tmp\n - name: cloud-secret\n secret:\n secretName: cloud-secret\n - name: ks-cloud-config\n configMap:\n name: ks-cloud-config\n items:\n - key: \"clusterData\"\n path: \"clusterData.json\"\n - name: config\n configMap:\n name: node-agent\n items:\n - key: \"config.json\"\n path: \"config.json\"\n - name: \"services\"\n emptyDir: {}\n containers:\n \n - name: sbom-scanner\n image: \"quay.io/kubescape/node-agent:v0.3.108\"\n imagePullPolicy: IfNotPresent\n command: \n - /usr/bin/sbom-scanner\n securityContext:\n runAsUser: 0\n readOnlyRootFilesystem: true\n capabilities:\n drop: [\"ALL\"]\n resources:\n limits:\n cpu: 1000m\n memory: 4Gi\n requests:\n cpu: 
50m\n memory: 256Mi\n env:\n - name: GOMEMLIMIT\n value: \"3276MiB\"\n - name: SOCKET_PATH\n value: \"/sbom-comm/scanner.sock\"\n - name: HOST_ROOT\n value: \"/host\"\n volumeMounts:\n - mountPath: /sbom-comm\n name: sbom-comm\n - mountPath: /host\n name: host\n readOnly: true\n - mountPath: /tmp\n name: sbom-scanner-tmp\n \n - name: node-agent\n image: \"quay.io/kubescape/node-agent:v0.3.108\"\n imagePullPolicy: IfNotPresent\n livenessProbe:\n httpGet:\n path: /livez\n port: 7888\n periodSeconds: 3\n readinessProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 3\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 10\n failureThreshold: 30\n timeoutSeconds: 1\n resources:\n \n requests:\n cpu: \"{{ .Resources.Requests.CPU }}\"\n memory: \"{{ .Resources.Requests.Memory }}\"\n limits:\n cpu: \"{{ .Resources.Limits.CPU }}\"\n memory: \"{{ .Resources.Limits.Memory }}\"\n env:\n \n - name: GOMEMLIMIT\n value: \"{{ .GoMemLimit }}\"\n - name: HOST_ROOT\n value: \"/host\"\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - name: SBOM_SCANNER_SOCKET\n value: \"/sbom-comm/scanner.sock\"\n - name: SCANNER_MEMORY_LIMIT\n value: \"4Gi\"\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: NAMESPACE_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: KUBELET_ROOT\n value: \"/var/lib/kubelet\"\n - name: AGENT_VERSION\n value: \"v0.3.108\"\n - name: NodeName\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n securityContext:\n runAsUser: 0\n privileged: false\n capabilities:\n add:\n - SYS_ADMIN\n - SYS_PTRACE\n - NET_ADMIN\n - SYSLOG\n - SYS_RESOURCE\n - IPC_LOCK\n - NET_RAW\n seLinuxOptions:\n type: spc_t\n volumeMounts:\n \n - mountPath: /host\n name: host\n readOnly: true\n - mountPath: /var/lib/kubelet\n name: kubeletdir\n - mountPath: /run\n name: run\n - mountPath: /var\n name: var\n 
readOnly: true\n - mountPath: /lib/modules\n name: modules\n readOnly: true\n - mountPath: /sys/kernel/debug\n name: debugfs\n - mountPath: /sys/fs/cgroup\n name: cgroup\n readOnly: true\n - mountPath: /sys/fs/bpf\n name: bpffs\n - mountPath: /data\n name: data\n - mountPath: /profiles\n name: profiles\n - mountPath: /boot\n name: boot\n readOnly: true\n - mountPath: /clamav\n name: clamrun\n - name: sbom-comm\n mountPath: /sbom-comm\n - name: cloud-secret\n mountPath: /etc/credentials\n readOnly: true\n - name: ks-cloud-config\n mountPath: /etc/config/clusterData.json\n readOnly: true\n subPath: \"clusterData.json\"\n - name: \"services\"\n mountPath: /etc/config/services.json\n readOnly: true\n subPath: \"services.json\"\n - name: config\n mountPath: /etc/config/config.json\n readOnly: true\n subPath: \"config.json\"\n nodeSelector:\n kubernetes.io/os: linux\n node.kubernetes.io/instance-type: \"{{ .NodeGroupLabel }}\"\n affinity:\n \n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/os\n operator: In\n values:\n - linux\n tolerations:\n" + daemonset-template.yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: \"{{ .Name }}\"\n namespace: kubescape\n annotations:\n \n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/managed-by: operator-autoscaler\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n kubescape.io/node-group: \"{{ .NodeGroupLabel 
}}\"\n template:\n metadata:\n annotations:\n \n checksum/node-agent-config: 921a39bfca3fd64ae481a3b3b37e9c48df1332841321f999bd0cf0896ae88136\n checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424\n checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0\n container.apparmor.security.beta.kubernetes.io/node-agent: unconfined\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\n spec:\n securityContext:\n priorityClassName: kubescape-critical\n serviceAccountName: node-agent\n automountServiceAccountToken: true\n hostPID: true\n initContainers:\n \n - name: url-discovery\n image: \"quay.io/kubescape/http-request:v0.2.19\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n resources:\n limits:\n cpu: 100m\n memory: 50Mi\n requests:\n cpu: 10m\n memory: 10Mi\n env:\n args:\n - -method=get\n - -scheme=https\n - -host=api.armosec.io\n - -path=api/v3/servicediscovery\n - -path-output=/data/services.json\n volumeMounts:\n - name: services\n mountPath: /data\n volumes:\n \n - hostPath:\n path: /\n name: host\n - hostPath:\n path: /var/lib/kubelet\n name: kubeletdir\n - hostPath:\n path: /run\n name: run\n - hostPath:\n path: /var\n name: var\n - hostPath:\n path: /sys/fs/cgroup\n name: cgroup\n - hostPath:\n path: /lib/modules\n name: modules\n - hostPath:\n path: /sys/fs/bpf\n name: bpffs\n - hostPath:\n path: /sys/kernel/debug\n name: debugfs\n - hostPath:\n path: /boot\n name: boot\n - emptyDir: null\n name: data\n - emptyDir: null\n name: 
profiles\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n - emptyDir: {}\n name: clamdb\n - emptyDir: {}\n name: clamrun\n - configMap:\n items:\n - key: clamd.conf\n path: clamd.conf\n - key: freshclam.conf\n path: freshclam.conf\n name: clamav\n name: etc\n - emptyDir:\n medium: Memory\n sizeLimit: 10Mi\n name: sbom-comm\n - emptyDir: {}\n name: sbom-scanner-tmp\n - name: cloud-secret\n secret:\n secretName: cloud-secret\n - name: ks-cloud-config\n configMap:\n name: ks-cloud-config\n items:\n - key: \"clusterData\"\n path: \"clusterData.json\"\n - name: config\n configMap:\n name: node-agent\n items:\n - key: \"config.json\"\n path: \"config.json\"\n - name: \"services\"\n emptyDir: {}\n containers:\n \n - name: sbom-scanner\n image: \"quay.io/kubescape/node-agent:v0.3.108\"\n imagePullPolicy: IfNotPresent\n command: \n - /usr/bin/sbom-scanner\n securityContext:\n runAsUser: 0\n readOnlyRootFilesystem: true\n capabilities:\n drop: [\"ALL\"]\n resources:\n limits:\n cpu: 1000m\n memory: 4Gi\n requests:\n cpu: 50m\n memory: 256Mi\n env:\n - name: GOMEMLIMIT\n value: \"3276MiB\"\n - name: SOCKET_PATH\n value: \"/sbom-comm/scanner.sock\"\n - name: HOST_ROOT\n value: \"/host\"\n volumeMounts:\n - mountPath: /sbom-comm\n name: sbom-comm\n - mountPath: /host\n name: host\n readOnly: true\n - mountPath: /tmp\n name: sbom-scanner-tmp\n \n - name: node-agent\n image: \"quay.io/kubescape/node-agent:v0.3.108\"\n imagePullPolicy: IfNotPresent\n livenessProbe:\n httpGet:\n path: /livez\n port: 7888\n periodSeconds: 3\n readinessProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 3\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 10\n failureThreshold: 30\n timeoutSeconds: 1\n resources:\n \n requests:\n cpu: \"{{ .Resources.Requests.CPU }}\"\n memory: \"{{ .Resources.Requests.Memory }}\"\n limits:\n cpu: \"{{ .Resources.Limits.CPU }}\"\n memory: \"{{ .Resources.Limits.Memory }}\"\n env:\n \n - name: GOMEMLIMIT\n value: 
\"{{ .GoMemLimit }}\"\n - name: HOST_ROOT\n value: \"/host\"\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - name: SBOM_SCANNER_SOCKET\n value: \"/sbom-comm/scanner.sock\"\n - name: SCANNER_MEMORY_LIMIT\n value: \"4Gi\"\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: NAMESPACE_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: KUBELET_ROOT\n value: \"/var/lib/kubelet\"\n - name: AGENT_VERSION\n value: \"v0.3.108\"\n - name: NodeName\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n securityContext:\n runAsUser: 0\n privileged: false\n capabilities:\n add:\n - SYS_ADMIN\n - SYS_PTRACE\n - NET_ADMIN\n - SYSLOG\n - SYS_RESOURCE\n - IPC_LOCK\n - NET_RAW\n seLinuxOptions:\n type: spc_t\n volumeMounts:\n \n - mountPath: /host\n name: host\n readOnly: true\n - mountPath: /var/lib/kubelet\n name: kubeletdir\n - mountPath: /run\n name: run\n - mountPath: /var\n name: var\n readOnly: true\n - mountPath: /lib/modules\n name: modules\n readOnly: true\n - mountPath: /sys/kernel/debug\n name: debugfs\n - mountPath: /sys/fs/cgroup\n name: cgroup\n readOnly: true\n - mountPath: /sys/fs/bpf\n name: bpffs\n - mountPath: /data\n name: data\n - mountPath: /profiles\n name: profiles\n - mountPath: /boot\n name: boot\n readOnly: true\n - mountPath: /clamav\n name: clamrun\n - name: sbom-comm\n mountPath: /sbom-comm\n - name: cloud-secret\n mountPath: /etc/credentials\n readOnly: true\n - name: ks-cloud-config\n mountPath: /etc/config/clusterData.json\n readOnly: true\n subPath: \"clusterData.json\"\n - name: \"services\"\n mountPath: /etc/config/services.json\n readOnly: true\n subPath: \"services.json\"\n - name: config\n mountPath: /etc/config/config.json\n readOnly: true\n subPath: \"config.json\"\n nodeSelector:\n kubernetes.io/os: linux\n node.kubernetes.io/instance-type: \"{{ .NodeGroupLabel }}\"\n affinity:\n 
\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/os\n operator: In\n values:\n - linux\n tolerations:\n" kind: ConfigMap metadata: annotations: null @@ -8376,7 +9194,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: node-agent-daemonset-template namespace: kubescape - 30: | + 40: | apiVersion: v1 kind: Service metadata: @@ -8403,7 +9221,7 @@ autoscaler mode with sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 31: | + 41: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -8451,7 +9269,7 @@ autoscaler mode with sbom sidecar: - rolebindings scope: '*' sideEffects: None - 32: | + 42: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -8474,7 +9292,7 @@ autoscaler mode with sbom sidecar: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 33: | + 43: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -8497,7 +9315,7 @@ autoscaler mode with sbom sidecar: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 34: | + 44: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -8622,7 +9440,7 @@ autoscaler mode with sbom sidecar: - list - update - patch - 35: | + 45: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8647,7 +9465,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: operator namespace: kubescape - 36: | + 46: | apiVersion: v1 data: config.json: | @@ -8698,7 +9516,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: operator namespace: kubescape - 37: | + 47: | apiVersion: apps/v1 kind: Deployment metadata: 
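Review bot: The new `host-filesystem` volume (`- hostPath: path: / type: Directory name: host-filesystem`) added to the autoscaler daemonset-template is not mounted by any container in the rendered template — neither `sbom-scanner` nor `node-agent` lists a `host-filesystem` volumeMount on the new side — and it duplicates the existing `host` volume, which already maps `/`. It appears to have been carried over from the removed host-scanner manifest; either drop the volume or, if the node-agent host sensor now needs a separate read-only mount of `/`, add the corresponding `volumeMounts` entry so the snapshot documents the intended use. The template this ConfigMap is rendered from is outside the hunk.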
@@ -8733,7 +9551,7 @@ autoscaler mode with sbom sidecar: template: metadata: annotations: - checksum/capabilities-config: 84c5eb603b5d899ea83672530c30a0e7862d8b8ad76557b56a4f124eca35bed6 + checksum/capabilities-config: 90f38255212fe42544b844cc7bc6e351fc77df1e970ee36e5350aa357a2e00c7 checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -8879,7 +9697,7 @@ autoscaler mode with sbom sidecar: - configMap: name: node-agent-daemonset-template name: node-agent-template - 38: | + 48: | apiVersion: v1 data: cronjobTemplate: |- @@ -8964,7 +9782,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 39: | + 49: | apiVersion: v1 data: cronjobTemplate: |- @@ -9049,7 +9867,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 40: | + 50: | apiVersion: v1 data: cronjobTemplate: |- @@ -9134,7 +9952,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 41: | + 51: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -9190,7 +10008,7 @@ autoscaler mode with sbom sidecar: - update - delete - patch - 42: | + 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -9216,7 +10034,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: operator namespace: kubescape - 43: | + 53: | apiVersion: v1 kind: Service metadata: @@ -9244,7 +10062,7 @@ autoscaler mode with sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 44: | + 54: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -9263,7 +10081,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: operator namespace: kubescape - 45: | + 55: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -9289,7 +10107,7 @@ autoscaler mode with sbom sidecar: namespace: kubescape version: v1beta1 versionPriority: 15 - 46: | + 56: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -9312,7 +10130,7 @@ autoscaler mode with sbom sidecar: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 47: | + 57: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -9335,7 +10153,7 @@ autoscaler mode with sbom sidecar: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 48: | + 58: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -9401,7 +10219,7 @@ autoscaler mode with sbom sidecar: - get - watch - list - 49: | + 59: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -9426,7 +10244,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: storage namespace: kubescape - 50: | + 60: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -9451,7 +10269,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: storage namespace: kubescape - 51: | + 61: | apiVersion: v1 data: config.json: | @@ -9486,7 +10304,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: storage namespace: kubescape - 52: | + 62: | apiVersion: apps/v1 kind: Deployment metadata: @@ -9607,7 +10425,7 @@ autoscaler mode with sbom sidecar: - name: ca-certificates secret: secretName: storage-tls - 53: | + 63: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -9631,7 +10449,7 @@ autoscaler mode with sbom sidecar: resources: requests: storage: 5Gi - 54: | + 64: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -9657,7 +10475,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: storage namespace: kubescape - 55: | + 65: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -9981,7 +10799,7 @@ autoscaler mode with sbom sidecar: storage: true subresources: status: {} - 56: | + 66: | apiVersion: v1 kind: Service metadata: @@ -10010,7 +10828,7 @@ autoscaler mode with sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 57: | + 67: | apiVersion: v1 kind: ServiceAccount metadata: @@ -10028,7 +10846,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: storage namespace: kubescape - 58: | + 68: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10197,7 +11015,7 @@ autoscaler mode with sbom sidecar: - update - patch - delete - 59: | + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -10221,7 +11039,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: synchronizer namespace: kubescape - 60: | + 70: | apiVersion: v1 data: config.json: | @@ -10500,7 +11318,7 @@ autoscaler mode with sbom sidecar: tier: ks-control-plane name: synchronizer namespace: kubescape - 61: | + 71: | apiVersion: apps/v1 kind: Deployment metadata: @@ -10654,7 +11472,7 @@ autoscaler mode with sbom sidecar: path: config.json name: synchronizer name: config - 62: | + 72: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -10697,7 +11515,7 @@ autoscaler mode with sbom sidecar: - list - patch - delete - 63: | + 73: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -10722,7 +11540,7 @@ autoscaler mode with sbom sidecar: - kind: ServiceAccount name: synchronizer namespace: kubescape - 64: | + 74: | apiVersion: v1 kind: Service metadata: 
@@ -10749,7 +11567,7 @@ autoscaler mode with sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 65: | + 75: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -10866,7 +11684,7 @@ autoscaler mode without sbom sidecar: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"enable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":null,"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -11288,6 +12106,23 @@ autoscaler mode without sbom sidecar: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -11350,7 +12185,6 @@ autoscaler mode without sbom sidecar: annotations: checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 7fc30b6a442d0ae01e83852a7c371492e49e83d6bed3dd0cb6c32935f417ad4d labels: app: kubescape app.kubernetes.io/component: kubescape 
@@ -11511,7 +12345,7 @@ autoscaler mode without sbom sidecar: 12: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n 
value: \"zap\"\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -12017,6 +12851,375 @@ autoscaler mode without sbom sidecar: name: kubevuln namespace: kubescape 24: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 25: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 26: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last 
Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 27: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 28: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 29: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: 
Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 30: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 31: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 32: | + apiVersion: 
apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 33: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 34: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -12153,7 +13356,27 @@ autoscaler mode without sbom sidecar: verbs: - list - watch - 25: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -12178,7 +13401,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: node-agent namespace: kubescape - 26: | + 36: | apiVersion: v1 data: config.json: | @@ -12192,6 +13415,8 @@ autoscaler mode without sbom sidecar: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, 
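Review bot: Nine of the ten new `hostdata.kubescape.cloud` CRDs declare `spec` and `status` as bare `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server validates nothing, yet their printer columns reference `.spec.nodeName` and `.status.lastSensed` and the node-agent ClusterRole in the next hunk gets `create`/`update`/`patch` on all of them. Only `osreleasefiles` gets a typed schema (`content`, `nodeName`, `lastSensed` with `format: date-time`, `error`); the others should at least declare those two fields so a malformed or oversized object written by a compromised node is rejected rather than stored. None of the CRDs sets `subresources: status: {}`, so status is writable through the main resource with the same `update` verb; if status is meant to be controller-owned, add the status subresource and grant `update` on `<plural>/status` separately. This is a generated snapshot, so the change belongs in the CRD manifests under `templates/node-agent-crds/` and the snapshot should be regenerated.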
@@ -12238,7 +13463,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: node-agent namespace: kubescape - 27: | + 37: | apiVersion: v1 kind: Service metadata: @@ -12266,7 +13491,7 @@ autoscaler mode without sbom sidecar: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 28: | + 38: | apiVersion: v1 kind: ServiceAccount metadata: 
@@ -12284,10 +13509,10 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: node-agent namespace: kubescape - 29: | + 39: | apiVersion: v1 data: - daemonset-template.yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: \"{{ .Name }}\"\n namespace: kubescape\n annotations:\n \n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/managed-by: operator-autoscaler\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\n template:\n metadata:\n annotations:\n \n checksum/node-agent-config: 97384b74056f9485f57382f907e17c1ccefe56710d91f080e9f997ce70303707\n checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424\n checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0\n container.apparmor.security.beta.kubernetes.io/node-agent: unconfined\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\n spec:\n securityContext:\n priorityClassName: kubescape-critical\n serviceAccountName: node-agent\n 
automountServiceAccountToken: true\n hostPID: true\n initContainers:\n \n - name: url-discovery\n image: \"quay.io/kubescape/http-request:v0.2.19\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n resources:\n limits:\n cpu: 100m\n memory: 50Mi\n requests:\n cpu: 10m\n memory: 10Mi\n env:\n args:\n - -method=get\n - -scheme=https\n - -host=api.armosec.io\n - -path=api/v3/servicediscovery\n - -path-output=/data/services.json\n volumeMounts:\n - name: services\n mountPath: /data\n volumes:\n \n - hostPath:\n path: /\n name: host\n - hostPath:\n path: /var/lib/kubelet\n name: kubeletdir\n - hostPath:\n path: /run\n name: run\n - hostPath:\n path: /var\n name: var\n - hostPath:\n path: /sys/fs/cgroup\n name: cgroup\n - hostPath:\n path: /lib/modules\n name: modules\n - hostPath:\n path: /sys/fs/bpf\n name: bpffs\n - hostPath:\n path: /sys/kernel/debug\n name: debugfs\n - hostPath:\n path: /boot\n name: boot\n - emptyDir: null\n name: data\n - emptyDir: null\n name: profiles\n - emptyDir: {}\n name: clamdb\n - emptyDir: {}\n name: clamrun\n - configMap:\n items:\n - key: clamd.conf\n path: clamd.conf\n - key: freshclam.conf\n path: freshclam.conf\n name: clamav\n name: etc\n - name: cloud-secret\n secret:\n secretName: cloud-secret\n - name: ks-cloud-config\n configMap:\n name: ks-cloud-config\n items:\n - key: \"clusterData\"\n path: \"clusterData.json\"\n - name: config\n configMap:\n name: node-agent\n items:\n - key: \"config.json\"\n path: \"config.json\"\n - name: \"services\"\n emptyDir: {}\n containers:\n \n - name: node-agent\n image: \"quay.io/kubescape/node-agent:v0.3.108\"\n imagePullPolicy: IfNotPresent\n livenessProbe:\n httpGet:\n path: /livez\n port: 7888\n periodSeconds: 3\n readinessProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 3\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 10\n failureThreshold: 30\n timeoutSeconds: 1\n resources:\n \n 
requests:\n cpu: \"{{ .Resources.Requests.CPU }}\"\n memory: \"{{ .Resources.Requests.Memory }}\"\n limits:\n cpu: \"{{ .Resources.Limits.CPU }}\"\n memory: \"{{ .Resources.Limits.Memory }}\"\n env:\n \n - name: GOMEMLIMIT\n value: \"{{ .GoMemLimit }}\"\n - name: HOST_ROOT\n value: \"/host\"\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: NAMESPACE_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: KUBELET_ROOT\n value: \"/var/lib/kubelet\"\n - name: AGENT_VERSION\n value: \"v0.3.108\"\n - name: NodeName\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n securityContext:\n runAsUser: 0\n privileged: false\n capabilities:\n add:\n - SYS_ADMIN\n - SYS_PTRACE\n - NET_ADMIN\n - SYSLOG\n - SYS_RESOURCE\n - IPC_LOCK\n - NET_RAW\n seLinuxOptions:\n type: spc_t\n volumeMounts:\n \n - mountPath: /host\n name: host\n readOnly: true\n - mountPath: /var/lib/kubelet\n name: kubeletdir\n - mountPath: /run\n name: run\n - mountPath: /var\n name: var\n readOnly: true\n - mountPath: /lib/modules\n name: modules\n readOnly: true\n - mountPath: /sys/kernel/debug\n name: debugfs\n - mountPath: /sys/fs/cgroup\n name: cgroup\n readOnly: true\n - mountPath: /sys/fs/bpf\n name: bpffs\n - mountPath: /data\n name: data\n - mountPath: /profiles\n name: profiles\n - mountPath: /boot\n name: boot\n readOnly: true\n - mountPath: /clamav\n name: clamrun\n - name: cloud-secret\n mountPath: /etc/credentials\n readOnly: true\n - name: ks-cloud-config\n mountPath: /etc/config/clusterData.json\n readOnly: true\n subPath: \"clusterData.json\"\n - name: \"services\"\n mountPath: /etc/config/services.json\n readOnly: true\n subPath: \"services.json\"\n - name: config\n mountPath: /etc/config/config.json\n readOnly: true\n subPath: \"config.json\"\n nodeSelector:\n kubernetes.io/os: linux\n 
node.kubernetes.io/instance-type: \"{{ .NodeGroupLabel }}\"\n affinity:\n \n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/os\n operator: In\n values:\n - linux\n tolerations:\n" + daemonset-template.yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: \"{{ .Name }}\"\n namespace: kubescape\n annotations:\n \n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/managed-by: operator-autoscaler\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\n template:\n metadata:\n annotations:\n \n checksum/node-agent-config: 921a39bfca3fd64ae481a3b3b37e9c48df1332841321f999bd0cf0896ae88136\n checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424\n checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0\n container.apparmor.security.beta.kubernetes.io/node-agent: unconfined\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: node-agent\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: node-agent\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n kubescape.io/node-group: \"{{ .NodeGroupLabel }}\"\n spec:\n securityContext:\n 
priorityClassName: kubescape-critical\n serviceAccountName: node-agent\n automountServiceAccountToken: true\n hostPID: true\n initContainers:\n \n - name: url-discovery\n image: \"quay.io/kubescape/http-request:v0.2.19\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n resources:\n limits:\n cpu: 100m\n memory: 50Mi\n requests:\n cpu: 10m\n memory: 10Mi\n env:\n args:\n - -method=get\n - -scheme=https\n - -host=api.armosec.io\n - -path=api/v3/servicediscovery\n - -path-output=/data/services.json\n volumeMounts:\n - name: services\n mountPath: /data\n volumes:\n \n - hostPath:\n path: /\n name: host\n - hostPath:\n path: /var/lib/kubelet\n name: kubeletdir\n - hostPath:\n path: /run\n name: run\n - hostPath:\n path: /var\n name: var\n - hostPath:\n path: /sys/fs/cgroup\n name: cgroup\n - hostPath:\n path: /lib/modules\n name: modules\n - hostPath:\n path: /sys/fs/bpf\n name: bpffs\n - hostPath:\n path: /sys/kernel/debug\n name: debugfs\n - hostPath:\n path: /boot\n name: boot\n - emptyDir: null\n name: data\n - emptyDir: null\n name: profiles\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n - emptyDir: {}\n name: clamdb\n - emptyDir: {}\n name: clamrun\n - configMap:\n items:\n - key: clamd.conf\n path: clamd.conf\n - key: freshclam.conf\n path: freshclam.conf\n name: clamav\n name: etc\n - name: cloud-secret\n secret:\n secretName: cloud-secret\n - name: ks-cloud-config\n configMap:\n name: ks-cloud-config\n items:\n - key: \"clusterData\"\n path: \"clusterData.json\"\n - name: config\n configMap:\n name: node-agent\n items:\n - key: \"config.json\"\n path: \"config.json\"\n - name: \"services\"\n emptyDir: {}\n containers:\n \n - name: node-agent\n image: \"quay.io/kubescape/node-agent:v0.3.108\"\n imagePullPolicy: IfNotPresent\n livenessProbe:\n httpGet:\n path: /livez\n port: 7888\n periodSeconds: 3\n readinessProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 
3\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n periodSeconds: 10\n failureThreshold: 30\n timeoutSeconds: 1\n resources:\n \n requests:\n cpu: \"{{ .Resources.Requests.CPU }}\"\n memory: \"{{ .Resources.Requests.Memory }}\"\n limits:\n cpu: \"{{ .Resources.Limits.CPU }}\"\n memory: \"{{ .Resources.Limits.Memory }}\"\n env:\n \n - name: GOMEMLIMIT\n value: \"{{ .GoMemLimit }}\"\n - name: HOST_ROOT\n value: \"/host\"\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: NAMESPACE_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: KUBELET_ROOT\n value: \"/var/lib/kubelet\"\n - name: AGENT_VERSION\n value: \"v0.3.108\"\n - name: NodeName\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n securityContext:\n runAsUser: 0\n privileged: false\n capabilities:\n add:\n - SYS_ADMIN\n - SYS_PTRACE\n - NET_ADMIN\n - SYSLOG\n - SYS_RESOURCE\n - IPC_LOCK\n - NET_RAW\n seLinuxOptions:\n type: spc_t\n volumeMounts:\n \n - mountPath: /host\n name: host\n readOnly: true\n - mountPath: /var/lib/kubelet\n name: kubeletdir\n - mountPath: /run\n name: run\n - mountPath: /var\n name: var\n readOnly: true\n - mountPath: /lib/modules\n name: modules\n readOnly: true\n - mountPath: /sys/kernel/debug\n name: debugfs\n - mountPath: /sys/fs/cgroup\n name: cgroup\n readOnly: true\n - mountPath: /sys/fs/bpf\n name: bpffs\n - mountPath: /data\n name: data\n - mountPath: /profiles\n name: profiles\n - mountPath: /boot\n name: boot\n readOnly: true\n - mountPath: /clamav\n name: clamrun\n - name: cloud-secret\n mountPath: /etc/credentials\n readOnly: true\n - name: ks-cloud-config\n mountPath: /etc/config/clusterData.json\n readOnly: true\n subPath: \"clusterData.json\"\n - name: \"services\"\n mountPath: /etc/config/services.json\n readOnly: true\n subPath: \"services.json\"\n - 
name: config\n mountPath: /etc/config/config.json\n readOnly: true\n subPath: \"config.json\"\n nodeSelector:\n kubernetes.io/os: linux\n node.kubernetes.io/instance-type: \"{{ .NodeGroupLabel }}\"\n affinity:\n \n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: kubernetes.io/os\n operator: In\n values:\n - linux\n tolerations:\n" kind: ConfigMap metadata: annotations: null @@ -12305,7 +13530,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: node-agent-daemonset-template namespace: kubescape - 30: | + 40: | apiVersion: v1 kind: Service metadata: @@ -12332,7 +13557,7 @@ autoscaler mode without sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 31: | + 41: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -12380,7 +13605,7 @@ autoscaler mode without sbom sidecar: - rolebindings scope: '*' sideEffects: None - 32: | + 42: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -12403,7 +13628,7 @@ autoscaler mode without sbom sidecar: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 33: | + 43: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -12426,7 +13651,7 @@ autoscaler mode without sbom sidecar: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 34: | + 44: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -12551,7 +13776,7 @@ autoscaler mode without sbom sidecar: - list - update - patch - 35: | + 45: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -12576,7 +13801,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: operator namespace: kubescape - 36: | + 46: | apiVersion: v1 data: config.json: | 
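Review bot: The new pod volume `- hostPath: path: / type: Directory name: host-filesystem` added to the node-agent daemonset template is not referenced by any `volumeMounts` entry in the rendered container, and it duplicates the existing `host` volume (also `hostPath: /`, mounted read-only at `/host` with `HOST_ROOT=/host`). An unmounted hostPath `/` volume still has to pass admission (PSA `baseline` rejects any hostPath volume regardless of mount) and reads as an unexplained host-root grant to anyone auditing the manifest, so either drop it or, if the host sensor code really needs a second root mount, add the mount with `readOnly: true`. This is a generated snapshot; the fix goes in the node-agent daemonset template and the snapshot is then regenerated.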
@@ -12627,7 +13852,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: operator namespace: kubescape - 37: | + 47: | apiVersion: apps/v1 kind: Deployment metadata: @@ -12662,7 +13887,7 @@ autoscaler mode without sbom sidecar: template: metadata: annotations: - checksum/capabilities-config: 14a3d2e7673c697ad37106c42861561b8f6cf49667951eeb96a7416211294f1a + checksum/capabilities-config: 4d135943a61a1c434a5c5d83fcb7f634490965fe346dc0336c5c8f5afd8345d3 checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -12808,7 +14033,7 @@ autoscaler mode without sbom sidecar: - configMap: name: node-agent-daemonset-template name: node-agent-template - 38: | + 48: | apiVersion: v1 data: cronjobTemplate: |- @@ -12893,7 +14118,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 39: | + 49: | apiVersion: v1 data: cronjobTemplate: |- @@ -12978,7 +14203,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 40: | + 50: | apiVersion: v1 data: cronjobTemplate: |- @@ -13063,7 +14288,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 41: | + 51: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -13119,7 +14344,7 @@ autoscaler mode without sbom sidecar: - update - delete - patch - 42: | + 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -13145,7 +14370,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: operator namespace: kubescape - 43: | + 53: | apiVersion: v1 kind: Service metadata: 
@@ -13173,7 +14398,7 @@ autoscaler mode without sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 44: | + 54: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -13192,7 +14417,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: operator namespace: kubescape - 45: | + 55: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -13218,7 +14443,7 @@ autoscaler mode without sbom sidecar: namespace: kubescape version: v1beta1 versionPriority: 15 - 46: | + 56: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -13241,7 +14466,7 @@ autoscaler mode without sbom sidecar: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 47: | + 57: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -13264,7 +14489,7 @@ autoscaler mode without sbom sidecar: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 48: | + 58: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -13330,7 +14555,7 @@ autoscaler mode without sbom sidecar: - get - watch - list - 49: | + 59: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -13355,7 +14580,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: storage namespace: kubescape - 50: | + 60: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -13380,7 +14605,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: storage namespace: kubescape - 51: | + 61: | apiVersion: v1 data: config.json: | @@ -13415,7 +14640,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: storage namespace: kubescape - 52: | + 62: | apiVersion: apps/v1 kind: Deployment metadata: @@ -13536,7 +14761,7 @@ autoscaler mode without sbom sidecar: - name: ca-certificates secret: secretName: storage-tls - 53: | + 63: | apiVersion: v1 kind: PersistentVolumeClaim metadata: 
@@ -13560,7 +14785,7 @@ autoscaler mode without sbom sidecar: resources: requests: storage: 5Gi - 54: | + 64: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -13586,7 +14811,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: storage namespace: kubescape - 55: | + 65: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -13910,7 +15135,7 @@ autoscaler mode without sbom sidecar: storage: true subresources: status: {} - 56: | + 66: | apiVersion: v1 kind: Service metadata: @@ -13939,7 +15164,7 @@ autoscaler mode without sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 57: | + 67: | apiVersion: v1 kind: ServiceAccount metadata: @@ -13957,7 +15182,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: storage namespace: kubescape - 58: | + 68: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -14126,7 +15351,7 @@ autoscaler mode without sbom sidecar: - update - patch - delete - 59: | + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14150,7 +15375,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: synchronizer namespace: kubescape - 60: | + 70: | apiVersion: v1 data: config.json: | @@ -14429,7 +15654,7 @@ autoscaler mode without sbom sidecar: tier: ks-control-plane name: synchronizer namespace: kubescape - 61: | + 71: | apiVersion: apps/v1 kind: Deployment metadata: @@ -14583,7 +15808,7 @@ autoscaler mode without sbom sidecar: path: config.json name: synchronizer name: config - 62: | + 72: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -14626,7 +15851,7 @@ autoscaler mode without sbom sidecar: - list - patch - delete - 63: | + 73: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -14651,7 +15876,7 @@ autoscaler mode without sbom sidecar: - kind: ServiceAccount name: synchronizer namespace: kubescape - 64: | + 74: | apiVersion: v1 kind: Service metadata: @@ -14678,7 +15903,7 @@ autoscaler mode without sbom sidecar: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 65: | + 75: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -14787,7 +16012,7 @@ backend-storage enabled disables scanning capabilities: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"disable","backend-storage":"enable","configurationScan":"enable","continuousScan":"disable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"disable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":false},"kubescape":{"enabled":false},"kubescapeScheduler":{"enabled":false},"kubevuln":{"enabled":false},"kubevulnScheduler":{"enabled":false},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":false},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":false},"kubescapeScheduler":{"enabled":false},"kubevuln":{"enabled":false},"kubevulnScheduler":{"enabled":false},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":false},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":null,"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } 
@@ -14851,6 +16076,375 @@ backend-storage enabled disables scanning capabilities: name: kubescape-critical value: 1.000001e+08 7: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 8: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 9: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: 
.status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 10: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 11: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 12: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + 
singular: kubeproxyinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 13: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 14: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true 
+ 15: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 16: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 17: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -14987,7 +16581,27 @@ backend-storage enabled disables scanning capabilities: verbs: - list - watch - 8: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 18: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -15012,7 +16626,7 @@ backend-storage enabled disables scanning capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 9: | + 19: | apiVersion: v1 data: config.json: | @@ -15026,6 +16640,8 @@ backend-storage enabled disables scanning capabilities: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, 
@@ -15072,7 +16688,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 10: | + 20: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -15102,7 +16718,7 @@ backend-storage enabled disables scanning capabilities: annotations: checksum/cloud-config: a86d5156181591681a79c39bb2816f8428bbaa9e3de0ea3bcdba0d21a148debd checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 3e7dca2c6ef859c06b761011229d2e4e3b67517b47cb8e9f156cbd52c6bf5f3d + checksum/node-agent-config: 5b096b629100ed01a91caa6427465d14f7d22879e70eb05d643ddfb608dcef74 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: app: node-agent @@ -15306,6 +16922,10 @@ backend-storage enabled disables scanning capabilities: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -15335,7 +16955,7 @@ backend-storage enabled disables scanning capabilities: name: config - emptyDir: {} name: services - 11: | + 21: | apiVersion: kubescape.io/v1 kind: RuntimeRuleAlertBinding metadata: @@ -15389,7 +17009,7 @@ backend-storage enabled disables scanning capabilities: - ruleName: Unexpected Egress Network Traffic - ruleName: Malicious Ptrace Usage - ruleName: Unexpected io_uring Operation Detected - 12: | + 22: | apiVersion: kubescape.io/v1 kind: Rules metadata: @@ -16071,7 +17691,7 @@ backend-storage enabled disables scanning capabilities: - syscalls - io_uring - applicationprofile - 13: | + 23: | apiVersion: v1 kind: Service metadata: @@ -16099,7 +17719,7 @@ backend-storage enabled disables scanning capabilities: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 14: | + 24: | apiVersion: v1 kind: ServiceAccount metadata: 
@@ -16117,7 +17737,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 15: | + 25: | apiVersion: v1 kind: Service metadata: @@ -16144,7 +17764,7 @@ backend-storage enabled disables scanning capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 16: | + 26: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -16192,7 +17812,7 @@ backend-storage enabled disables scanning capabilities: - rolebindings scope: '*' sideEffects: None - 17: | + 27: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -16215,7 +17835,7 @@ backend-storage enabled disables scanning capabilities: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 18: | + 28: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -16238,7 +17858,7 @@ backend-storage enabled disables scanning capabilities: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 19: | + 29: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -16363,7 +17983,7 @@ backend-storage enabled disables scanning capabilities: - list - update - patch - 20: | + 30: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -16388,7 +18008,7 @@ backend-storage enabled disables scanning capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 21: | + 31: | apiVersion: v1 data: config.json: | @@ -16439,7 +18059,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: operator namespace: kubescape - 22: | + 32: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -16474,7 +18094,7 @@ backend-storage enabled disables scanning capabilities: template: metadata: annotations: - checksum/capabilities-config: 3010c794c6f0dfdbb330fba2c2e3e3abc826155e21b84389e61983489b61a964 + checksum/capabilities-config: 47983baad55de40bf510f8a28c7b4d26e353a04625a68e557e76864aa7464287 checksum/cloud-config: a86d5156181591681a79c39bb2816f8428bbaa9e3de0ea3bcdba0d21a148debd checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -16614,7 +18234,7 @@ backend-storage enabled disables scanning capabilities: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 23: | + 33: | apiVersion: v1 data: cronjobTemplate: |- @@ -16699,7 +18319,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 24: | + 34: | apiVersion: v1 data: cronjobTemplate: |- @@ -16784,7 +18404,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 25: | + 35: | apiVersion: v1 data: cronjobTemplate: |- @@ -16869,7 +18489,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 26: | + 36: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16913,7 +18533,7 @@ backend-storage enabled disables scanning capabilities: - list - patch - delete - 27: | + 37: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16939,7 +18559,7 @@ backend-storage enabled disables scanning capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 28: | + 38: | apiVersion: v1 kind: Service metadata: 
@@ -16967,7 +18587,7 @@ backend-storage enabled disables scanning capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 29: | + 39: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -16986,7 +18606,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: operator namespace: kubescape - 30: | + 40: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -17009,7 +18629,7 @@ backend-storage enabled disables scanning capabilities: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 31: | + 41: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -17032,7 +18652,7 @@ backend-storage enabled disables scanning capabilities: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 32: | + 42: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -17356,7 +18976,7 @@ backend-storage enabled disables scanning capabilities: storage: true subresources: status: {} - 33: | + 43: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -17525,7 +19145,7 @@ backend-storage enabled disables scanning capabilities: - update - patch - delete - 34: | + 44: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -17549,7 +19169,7 @@ backend-storage enabled disables scanning capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 35: | + 45: | apiVersion: v1 data: config.json: | @@ -17810,7 +19430,7 @@ backend-storage enabled disables scanning capabilities: tier: ks-control-plane name: synchronizer namespace: kubescape - 36: | + 46: | apiVersion: apps/v1 kind: Deployment metadata: @@ -17964,7 +19584,7 @@ backend-storage enabled disables scanning capabilities: path: config.json name: synchronizer name: config - 37: | + 47: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -18007,7 +19627,7 @@ backend-storage enabled disables scanning capabilities: - list - patch - delete - 38: | + 48: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -18032,7 +19652,7 @@ backend-storage enabled disables scanning capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 39: | + 49: | apiVersion: v1 kind: Service metadata: @@ -18059,7 +19679,7 @@ backend-storage enabled disables scanning capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 40: | + 50: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -18113,7 +19733,7 @@ cert strategy hook, admission disabled, mtls disabled: template: metadata: annotations: - checksum/capabilities-config: 641513b3eecc87a56282819e54f06a74a3c286f6650db8c8850327eca568ce64 + checksum/capabilities-config: 1fbd1b1814d6546acd0c0c507fd34e9038765f55bfd98f2357a8f48dcd7a47d2 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -18421,7 +20041,7 @@ cert strategy hook, admission disabled, mtls enabled: template: metadata: annotations: - checksum/capabilities-config: 641513b3eecc87a56282819e54f06a74a3c286f6650db8c8850327eca568ce64 + checksum/capabilities-config: 1fbd1b1814d6546acd0c0c507fd34e9038765f55bfd98f2357a8f48dcd7a47d2 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 
@@ -19298,7 +20918,7 @@ cert strategy hook, admission enabled, mtls disabled: template: metadata: annotations: - checksum/capabilities-config: 203a84cd63d8c75350cf508da9de6efb7ae4d984dd5b8158b9d64e44ecb64289 + checksum/capabilities-config: 2527ca06cbf9e89c06d229969c0c5bdd60d88f6e17dc4389cfc7cf59fecc2d91 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -19920,7 +21540,7 @@ cert strategy hook, admission enabled, mtls enabled: template: metadata: annotations: - checksum/capabilities-config: 203a84cd63d8c75350cf508da9de6efb7ae4d984dd5b8158b9d64e44ecb64289 + checksum/capabilities-config: 2527ca06cbf9e89c06d229969c0c5bdd60d88f6e17dc4389cfc7cf59fecc2d91 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -20501,7 +22121,7 @@ cert strategy template, admission disabled, mtls disabled: template: metadata: annotations: - checksum/capabilities-config: 641513b3eecc87a56282819e54f06a74a3c286f6650db8c8850327eca568ce64 + checksum/capabilities-config: 1fbd1b1814d6546acd0c0c507fd34e9038765f55bfd98f2357a8f48dcd7a47d2 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 
@@ -20809,7 +22429,7 @@ cert strategy template, admission disabled, mtls enabled: template: metadata: annotations: - checksum/capabilities-config: 641513b3eecc87a56282819e54f06a74a3c286f6650db8c8850327eca568ce64 + checksum/capabilities-config: 1fbd1b1814d6546acd0c0c507fd34e9038765f55bfd98f2357a8f48dcd7a47d2 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -21263,7 +22883,7 @@ cert strategy template, admission enabled, mtls disabled: template: metadata: annotations: - checksum/capabilities-config: 203a84cd63d8c75350cf508da9de6efb7ae4d984dd5b8158b9d64e44ecb64289 + checksum/capabilities-config: 2527ca06cbf9e89c06d229969c0c5bdd60d88f6e17dc4389cfc7cf59fecc2d91 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -21674,7 +23294,7 @@ cert strategy template, admission enabled, mtls enabled: template: metadata: annotations: - checksum/capabilities-config: 203a84cd63d8c75350cf508da9de6efb7ae4d984dd5b8158b9d64e44ecb64289 + checksum/capabilities-config: 2527ca06cbf9e89c06d229969c0c5bdd60d88f6e17dc4389cfc7cf59fecc2d91 checksum/cloud-config: eed6cf63425e937a79012dbe144357fc4e6bb0bf4932b499653898a83fa57b20 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 
@@ -22107,7 +23727,7 @@ default capabilities: capabilities: | { "capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"disable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"disable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"disable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":null,"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -22719,6 +24339,23 @@ default capabilities: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 14: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -22781,7 +24418,6 @@ default capabilities: annotations: checksum/cloud-config: 8e6c3d6c7321da0fccdb7ce24882e7bcf831736b163bb916902ed635fd2809eb checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 7fc30b6a442d0ae01e83852a7c371492e49e83d6bed3dd0cb6c32935f417ad4d checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 labels: app: kubescape 
@@ -22961,7 +24597,7 @@ default capabilities: 16: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: 
\"zap\"\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -23713,6 +25349,375 @@ default capabilities: name: kubevuln namespace: kubescape 32: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 33: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 34: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: 
string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 35: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 36: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 37: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + 
versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 38: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 39: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 40: | + apiVersion: 
apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 41: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 42: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -23849,7 +25854,27 @@ default capabilities: verbs: - list - watch - 33: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 43: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -23874,7 +25899,7 @@ default capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 34: | + 44: | apiVersion: v1 data: config.json: | @@ -23888,6 +25913,8 @@ default capabilities: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": false, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, @@ -23934,7 +25961,7 @@ default capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 35: | + 45: | apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -23964,7 +25991,7 @@ default capabilities: annotations: checksum/cloud-config: 8e6c3d6c7321da0fccdb7ce24882e7bcf831736b163bb916902ed635fd2809eb checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 8b6c5600a04400282794130d3ef5c04da9ff3ead0e79f1d91ba0a8d9d7d5750c + checksum/node-agent-config: 41f6b1ea1a381f48674d910146caccf2061a27d75507c5aa4597892061d791ab checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: @@ -24184,6 +26211,10 @@ default capabilities: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -24219,7 +26250,7 @@ default capabilities: - name: extra-ca-certificates secret: secretName: extra-certificates - 36: | + 46: | apiVersion: kubescape.io/v1 kind: RuntimeRuleAlertBinding metadata: @@ -24276,7 +26307,7 @@ default capabilities: - ruleName: Unexpected Egress Network Traffic - ruleName: Malicious Ptrace Usage - ruleName: Unexpected io_uring Operation Detected - 37: | + 47: | apiVersion: kubescape.io/v1 kind: Rules metadata: @@ -24958,7 +26989,7 @@ default capabilities: - syscalls - io_uring - applicationprofile - 38: | + 48: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -25012,7 +27043,7 @@ default capabilities: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 39: | + 49: | apiVersion: v1 kind: Service metadata: @@ -25040,7 +27071,7 @@ default capabilities: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 40: | + 50: | apiVersion: v1 kind: ServiceAccount metadata: @@ -25058,7 +27089,7 @@ default capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 41: | + 51: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -25183,7 +27214,7 @@ default capabilities: - list - update - patch - 42: | + 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -25208,7 +27239,7 @@ default capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 43: | + 53: | apiVersion: v1 data: config.json: | @@ -25259,7 +27290,7 @@ default capabilities: tier: ks-control-plane name: operator namespace: kubescape - 44: | + 54: | apiVersion: apps/v1 kind: Deployment metadata: @@ -25294,7 +27325,7 @@ default capabilities: template: metadata: annotations: - checksum/capabilities-config: 3d31ed2e2c7d18155db83bd252b0c42d3398882b194102f4bb936f7131804a45 + checksum/capabilities-config: c5584872a72c3f078f3587eb9f2b298a53e224d4933a5fdc5312e2f90351960f checksum/cloud-config: 8e6c3d6c7321da0fccdb7ce24882e7bcf831736b163bb916902ed635fd2809eb checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -25441,7 +27472,7 @@ default capabilities: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 45: | + 55: | apiVersion: v1 data: cronjobTemplate: |- @@ -25526,7 +27557,7 @@ default capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 46: | + 56: | apiVersion: v1 data: cronjobTemplate: |- @@ -25611,7 +27642,7 @@ default capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 47: | + 57: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -25704,7 +27735,7 @@ default capabilities: policyTypes: - Ingress - Egress - 48: | + 58: | apiVersion: v1 data: cronjobTemplate: |- @@ -25789,7 +27820,7 @@ default capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 49: | + 59: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -25833,7 +27864,7 @@ default capabilities: - list - patch - delete - 50: | + 60: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -25859,7 +27890,7 @@ default capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 51: | + 61: | apiVersion: v1 kind: Service metadata: @@ -25887,7 +27918,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 52: | + 62: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -25906,7 +27937,7 @@ default capabilities: tier: ks-control-plane name: operator namespace: kubescape - 53: | + 63: | apiVersion: v1 data: proxy.crt: foo @@ -25930,7 +27961,7 @@ default capabilities: name: kubescape-proxy-certificate namespace: kubescape type: Opaque - 54: | + 64: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -25956,7 +27987,7 @@ default capabilities: namespace: kubescape version: v1beta1 versionPriority: 15 - 55: | + 65: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -25979,7 +28010,7 @@ default capabilities: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 56: | + 66: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -26002,7 +28033,7 @@ default capabilities: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 57: | + 67: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -26068,7 +28099,7 @@ default capabilities: - get - watch - list - 58: | + 68: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -26093,7 +28124,7 @@ default capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 59: | + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -26118,7 +28149,7 @@ default capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 60: | + 70: | apiVersion: v1 data: config.json: | 
@@ -26153,7 +28184,7 @@ default capabilities: tier: ks-control-plane name: storage namespace: kubescape - 61: | + 71: | apiVersion: apps/v1 kind: Deployment metadata: @@ -26274,7 +28305,7 @@ default capabilities: - name: ca-certificates secret: secretName: storage-tls - 62: | + 72: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -26336,7 +28367,7 @@ default capabilities: policyTypes: - Ingress - Egress - 63: | + 73: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -26360,7 +28391,7 @@ default capabilities: resources: requests: storage: 5Gi - 64: | + 74: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -26386,7 +28417,7 @@ default capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 65: | + 75: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -26710,7 +28741,7 @@ default capabilities: storage: true subresources: status: {} - 66: | + 76: | apiVersion: v1 kind: Service metadata: @@ -26739,7 +28770,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 67: | + 77: | apiVersion: v1 kind: ServiceAccount metadata: @@ -26757,7 +28788,7 @@ default capabilities: tier: ks-control-plane name: storage namespace: kubescape - 68: | + 78: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -26926,7 +28957,7 @@ default capabilities: - update - patch - delete - 69: | + 79: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -26950,7 +28981,7 @@ default capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 70: | + 80: | apiVersion: v1 data: config.json: | @@ -27229,7 +29260,7 @@ default capabilities: tier: ks-control-plane name: synchronizer namespace: kubescape - 71: | + 81: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -27402,7 +29433,7 @@ default capabilities: path: config.json name: synchronizer name: config - 72: | + 82: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -27470,7 +29501,7 @@ default capabilities: policyTypes: - Ingress - Egress - 73: | + 83: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -27513,7 +29544,7 @@ default capabilities: - list - patch - delete - 74: | + 84: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -27538,7 +29569,7 @@ default capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 75: | + 85: | apiVersion: v1 kind: Service metadata: @@ -27565,7 +29596,7 @@ default capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 76: | + 86: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -27682,7 +29713,7 @@ disable otel: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"disable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":null,"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -28104,6 +30135,23 @@ disable otel: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -28166,7 +30214,6 @@ disable otel: annotations: checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 7fc30b6a442d0ae01e83852a7c371492e49e83d6bed3dd0cb6c32935f417ad4d labels: app: kubescape app.kubernetes.io/component: kubescape 
@@ -28327,7 +30374,7 @@ disable otel: 12: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n 
ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -28833,6 +30880,375 @@ disable otel: name: kubevuln namespace: kubescape 24: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 25: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 26: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + 
name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 27: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 28: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 29: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + versions: + - 
additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 30: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 31: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 32: | + apiVersion: apiextensions.k8s.io/v1 + kind: 
CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 33: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 34: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -28969,7 +31385,27 @@ disable otel: verbs: - list - watch - 25: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -28994,7 +31430,7 @@ disable otel: - kind: ServiceAccount name: node-agent namespace: kubescape - 26: | + 36: | apiVersion: v1 data: config.json: | @@ -29008,6 +31444,8 @@ disable otel: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, @@ -29054,7 +31492,7 @@ disable otel: tier: ks-control-plane name: node-agent namespace: kubescape - 27: | + 37: | apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -29084,7 +31522,7 @@ disable otel: annotations: checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 3f5c33a6776d0a686542e38bfd6ea361a07d9bef5d01e2a1501268a06842a60f + checksum/node-agent-config: de39e483c7670abf6a50b51d07213c35f9cc80c06fa7ff204269dfd51de16794 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: app: node-agent @@ -29288,6 +31726,10 @@ disable otel: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -29317,7 +31759,7 @@ disable otel: name: config - emptyDir: {} name: services - 28: | + 38: | apiVersion: v1 kind: Service metadata: @@ -29345,7 +31787,7 @@ disable otel: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 29: | + 39: | apiVersion: v1 kind: ServiceAccount metadata: @@ -29363,7 +31805,7 @@ disable otel: tier: ks-control-plane name: node-agent namespace: kubescape - 30: | + 40: | apiVersion: v1 kind: Service metadata: @@ -29390,7 +31832,7 @@ disable otel: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 31: | + 41: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -29438,7 +31880,7 @@ disable otel: - rolebindings scope: '*' sideEffects: None - 32: | + 42: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -29461,7 +31903,7 @@ disable otel: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 33: | + 43: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -29484,7 +31926,7 @@ disable otel: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 34: | + 44: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
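Review bot: The node-agent DaemonSet now carries the node's root filesystem as a volume (`hostPath: path: /`, `type: Directory`, `name: host-filesystem`), but the hunk shows only the volume definition; the matching `volumeMounts` entry is outside it, so whether the mount is `readOnly: true` cannot be confirmed from this snapshot and should be verified in the rendered container spec. The same volume appears in the minimal-capabilities snapshot (`@@ -33353,6 +36202,10 @@`), and both snapshots also set `"hostSensorEnabled": true` in the node-agent config, so it is not visible here whether the template gates the volume on the host sensor being enabled; if it does not, a deployment with the sensor switched off still mounts the host root. The DaemonSet template is outside this diff.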
@@ -29609,7 +32051,7 @@ disable otel: - list - update - patch - 35: | + 45: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -29634,7 +32076,7 @@ disable otel: - kind: ServiceAccount name: operator namespace: kubescape - 36: | + 46: | apiVersion: v1 data: config.json: | @@ -29685,7 +32127,7 @@ disable otel: tier: ks-control-plane name: operator namespace: kubescape - 37: | + 47: | apiVersion: apps/v1 kind: Deployment metadata: @@ -29720,7 +32162,7 @@ disable otel: template: metadata: annotations: - checksum/capabilities-config: 61d30cd5e973ad112768a6a808b15f76374a779cff9362a3b6668b6fd65c4255 + checksum/capabilities-config: efacfd9f9350e7c5cb7ab703d87fa37b1e44f8caaacc28fa9b34f9b15c75e51a checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -29860,7 +32302,7 @@ disable otel: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 38: | + 48: | apiVersion: v1 data: cronjobTemplate: |- @@ -29945,7 +32387,7 @@ disable otel: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 39: | + 49: | apiVersion: v1 data: cronjobTemplate: |- @@ -30030,7 +32472,7 @@ disable otel: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 40: | + 50: | apiVersion: v1 data: cronjobTemplate: |- @@ -30115,7 +32557,7 @@ disable otel: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 41: | + 51: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -30159,7 +32601,7 @@ disable otel: - list - patch - delete - 42: | + 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -30185,7 +32627,7 @@ disable otel: - kind: ServiceAccount name: operator namespace: kubescape - 43: | + 53: | apiVersion: v1 kind: Service metadata: @@ -30213,7 +32655,7 @@ disable otel: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 44: | + 54: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -30232,7 +32674,7 @@ disable otel: tier: ks-control-plane name: operator namespace: kubescape - 45: | + 55: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -30258,7 +32700,7 @@ disable otel: namespace: kubescape version: v1beta1 versionPriority: 15 - 46: | + 56: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -30281,7 +32723,7 @@ disable otel: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 47: | + 57: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -30304,7 +32746,7 @@ disable otel: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 48: | + 58: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -30370,7 +32812,7 @@ disable otel: - get - watch - list - 49: | + 59: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -30395,7 +32837,7 @@ disable otel: - kind: ServiceAccount name: storage namespace: kubescape - 50: | + 60: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -30420,7 +32862,7 @@ disable otel: - kind: ServiceAccount name: storage namespace: kubescape - 51: | + 61: | apiVersion: v1 data: config.json: | @@ -30455,7 +32897,7 @@ disable otel: tier: ks-control-plane name: storage namespace: kubescape - 52: | + 62: | apiVersion: apps/v1 kind: Deployment metadata: @@ -30576,7 +33018,7 @@ disable otel: - name: ca-certificates secret: secretName: storage-tls - 53: | + 63: | apiVersion: v1 kind: PersistentVolumeClaim metadata: 
@@ -30600,7 +33042,7 @@ disable otel: resources: requests: storage: 5Gi - 54: | + 64: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -30626,7 +33068,7 @@ disable otel: - kind: ServiceAccount name: storage namespace: kubescape - 55: | + 65: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -30950,7 +33392,7 @@ disable otel: storage: true subresources: status: {} - 56: | + 66: | apiVersion: v1 kind: Service metadata: @@ -30979,7 +33421,7 @@ disable otel: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 57: | + 67: | apiVersion: v1 kind: ServiceAccount metadata: @@ -30997,7 +33439,7 @@ disable otel: tier: ks-control-plane name: storage namespace: kubescape - 58: | + 68: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -31166,7 +33608,7 @@ disable otel: - update - patch - delete - 59: | + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -31190,7 +33632,7 @@ disable otel: - kind: ServiceAccount name: synchronizer namespace: kubescape - 60: | + 70: | apiVersion: v1 data: config.json: | @@ -31469,7 +33911,7 @@ disable otel: tier: ks-control-plane name: synchronizer namespace: kubescape - 61: | + 71: | apiVersion: apps/v1 kind: Deployment metadata: @@ -31623,7 +34065,7 @@ disable otel: path: config.json name: synchronizer name: config - 62: | + 72: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -31666,7 +34108,7 @@ disable otel: - list - patch - delete - 63: | + 73: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -31691,7 +34133,7 @@ disable otel: - kind: ServiceAccount name: synchronizer namespace: kubescape - 64: | + 74: | apiVersion: v1 kind: Service metadata: 
@@ -31718,7 +34160,7 @@ disable otel: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 65: | + 75: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -31835,7 +34277,7 @@ minimal capabilities: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"disable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":false},"storage":{"enabled":true},"synchronizer":{"enabled":false}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":false},"storage":{"enabled":true},"synchronizer":{"enabled":false}}, "configurations":{"excludeJsonPaths":null,"otelUrl":"otelCollector.svc.monitoring:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -32257,6 +34699,23 @@ minimal capabilities: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -32319,7 +34778,6 @@ minimal capabilities: annotations: checksum/cloud-config: 8f40f001a3e31db9895e7bbb06ab070f25ab66c83b31d1929b273cfd22402097 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 - checksum/host-scanner-configmap: b50934a9adf6fe2a85d37b7c08598824bb113c888aa360f711f2d682309751ff labels: app: kubescape app.kubernetes.io/component: kubescape 
@@ -32449,7 +34907,7 @@ minimal capabilities: 12: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: 
\"zap\"\n - name: OTEL_COLLECTOR_SVC\n value: otelCollector.svc.monitoring:4317\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -32926,6 +35384,375 @@ minimal capabilities: name: kubevuln namespace: kubescape 24: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 25: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 26: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: 
string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 27: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 28: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 29: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + 
versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 30: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 31: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 32: | + apiVersion: 
apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 33: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 34: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -33062,7 +35889,27 @@ minimal capabilities: verbs: - list - watch - 25: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -33087,7 +35934,7 @@ minimal capabilities: - kind: ServiceAccount name: node-agent namespace: kubescape - 26: | + 36: | apiVersion: v1 data: config.json: | @@ -33101,6 +35948,8 @@ minimal capabilities: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": false, "networkStreamingEnabled": false, "maxImageSize": 5.36870912e+09, @@ -33145,7 +35994,7 @@ minimal capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 27: | + 37: | apiVersion: apps/v1 kind: DaemonSet metadata: 
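Review bot: Nine of the ten new `hostdata.kubescape.cloud` CRDs in the `@@ -32926,6 +35384,375 @@` hunk declare `spec` and `status` as opaque objects with `x-kubernetes-preserve-unknown-fields: true`, yet their `additionalPrinterColumns` reference `.spec.nodeName` and `.status.lastSensed`, which those schemas never declare; only `osreleasefiles` carries a typed schema, an `Age` column and the controller-gen annotation. Declaring at least `nodeName` (`type: string`) under `spec` and `lastSensed` (`type: string`, `format: date-time`) under `status` in the other nine would back the printer columns with validation and let the API server reject malformed writes from the node-agent. None of the ten sets `subresources: status: {}`, unlike the existing CRD rendered as `65:` later in this snapshot; if that is added, the node-agent ClusterRole in this diff would also need the corresponding `<resource>/status` entries. The CRD templates are outside this diff.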
@@ -33175,7 +36024,7 @@ minimal capabilities: annotations: checksum/cloud-config: 8f40f001a3e31db9895e7bbb06ab070f25ab66c83b31d1929b273cfd22402097 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 - checksum/node-agent-config: 683ef396f450d48784d5fe5a6edc657e2a8f545ac9b7e7eab33d9b92604427a7 + checksum/node-agent-config: 5a3f0a030b37748c121f49ffb2536eb1a2a9c7a4d3e26173883e4bd2f7691b32 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: app: node-agent @@ -33353,6 +36202,10 @@ minimal capabilities: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -33380,7 +36233,7 @@ minimal capabilities: path: config.json name: node-agent name: config - 28: | + 38: | apiVersion: v1 kind: Service metadata: @@ -33408,7 +36261,7 @@ minimal capabilities: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 29: | + 39: | apiVersion: v1 kind: ServiceAccount metadata: @@ -33426,7 +36279,7 @@ minimal capabilities: tier: ks-control-plane name: node-agent namespace: kubescape - 30: | + 40: | apiVersion: v1 kind: Service metadata: @@ -33453,7 +36306,7 @@ minimal capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 31: | + 41: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -33501,7 +36354,7 @@ minimal capabilities: - rolebindings scope: '*' sideEffects: None - 32: | + 42: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -33524,7 +36377,7 @@ minimal capabilities: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 33: | + 43: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 
@@ -33547,7 +36400,7 @@ minimal capabilities: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 34: | + 44: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -33672,7 +36525,7 @@ minimal capabilities: - list - update - patch - 35: | + 45: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -33697,7 +36550,7 @@ minimal capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 36: | + 46: | apiVersion: v1 data: config.json: | @@ -33747,7 +36600,7 @@ minimal capabilities: tier: ks-control-plane name: operator namespace: kubescape - 37: | + 47: | apiVersion: apps/v1 kind: Deployment metadata: @@ -33782,7 +36635,7 @@ minimal capabilities: template: metadata: annotations: - checksum/capabilities-config: 894c0fba0437543c0f7ab523984c6741a1669fc2e12c49348a562c18e0483a9b + checksum/capabilities-config: 05153fd2adbb5dfd8ef4b7e316175a2ea2dda40dde83856cfc432670804ae761 checksum/cloud-config: 8f40f001a3e31db9895e7bbb06ab070f25ab66c83b31d1929b273cfd22402097 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -33924,7 +36777,7 @@ minimal capabilities: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 38: | + 48: | apiVersion: v1 data: cronjobTemplate: |- @@ -34009,7 +36862,7 @@ minimal capabilities: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 39: | + 49: | apiVersion: v1 data: cronjobTemplate: |- @@ -34094,7 +36947,7 @@ minimal capabilities: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 40: | + 50: | apiVersion: v1 data: cronjobTemplate: |- @@ -34179,7 +37032,7 @@ minimal capabilities: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 41: | + 51: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -34223,7 +37076,7 @@ minimal capabilities: - list - patch - delete - 42: | + 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -34249,7 +37102,7 @@ minimal capabilities: - kind: ServiceAccount name: operator namespace: kubescape - 43: | + 53: | apiVersion: v1 kind: Service metadata: @@ -34277,7 +37130,7 @@ minimal capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 44: | + 54: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -34296,7 +37149,7 @@ minimal capabilities: tier: ks-control-plane name: operator namespace: kubescape - 45: | + 55: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -34322,7 +37175,7 @@ minimal capabilities: namespace: kubescape version: v1beta1 versionPriority: 15 - 46: | + 56: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -34345,7 +37198,7 @@ minimal capabilities: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 47: | + 57: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -34368,7 +37221,7 @@ minimal capabilities: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 48: | + 58: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -34434,7 +37287,7 @@ minimal capabilities: - get - watch - list - 49: | + 59: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -34459,7 +37312,7 @@ minimal capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 50: | + 60: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -34484,7 +37337,7 @@ minimal capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 51: | + 61: | apiVersion: v1 data: config.json: | @@ -34519,7 +37372,7 @@ minimal capabilities: tier: ks-control-plane name: storage namespace: kubescape - 52: | + 62: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -34642,7 +37495,7 @@ minimal capabilities: - name: ca-certificates secret: secretName: storage-tls - 53: | + 63: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -34666,7 +37519,7 @@ minimal capabilities: resources: requests: storage: 5Gi - 54: | + 64: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -34692,7 +37545,7 @@ minimal capabilities: - kind: ServiceAccount name: storage namespace: kubescape - 55: | + 65: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -35016,7 +37869,7 @@ minimal capabilities: storage: true subresources: status: {} - 56: | + 66: | apiVersion: v1 kind: Service metadata: @@ -35045,7 +37898,7 @@ minimal capabilities: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 57: | + 67: | apiVersion: v1 kind: ServiceAccount metadata: 
@@ -35365,7 +38218,7 @@ multiple node agents: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"enable","manageWorkloads":"enable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"enable","relevancy":"enable","riskAcceptance":"enable","runtimeDetection":"enable","runtimeObservability":"enable","scanEmbeddedSBOMs":"enable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"enable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":true},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":true},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":[".containers[*].env[?(@.name==\"KUBECONFIG\")]"],"otelUrl":"otelCollector.svc.monitoring:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -36161,6 +39014,23 @@ multiple node agents: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 24: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -36223,7 +39093,6 @@ multiple node agents: annotations: checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 9302798150edd358576dc2e4929bd5b68fd140217b3cc0bc4689932bf8cea86e checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 labels: app: kubescape 
@@ -36438,7 +39307,7 @@ multiple node agents: 26: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n imagePullSecrets:\n - name: foo\n - name: bar\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: 
\"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - name: OTEL_COLLECTOR_SVC\n value: otelCollector.svc.monitoring:4317\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -37312,6 +40181,375 @@ multiple node agents: name: kubevuln namespace: kubescape 45: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 46: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 47: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: 
string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 48: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 49: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 50: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + 
versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 51: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 52: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 53: | + apiVersion: 
apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 54: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 55: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -37448,7 +40686,27 @@ multiple node agents: verbs: - list - watch - 46: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 56: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -37473,7 +40731,7 @@ multiple node agents: - kind: ServiceAccount name: node-agent namespace: kubescape - 47: | + 57: | apiVersion: v1 data: config.json: | @@ -37487,6 +40745,8 @@ multiple node agents: "malwareDetectionEnabled": true, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, @@ -37533,7 +40793,7 @@ multiple node agents: tier: ks-control-plane name: node-agent namespace: kubescape - 48: | + 58: | apiVersion: v1 data: clamd.conf: |- 
@@ -37570,7 +40830,7 @@ multiple node agents: metadata: name: clamav namespace: kubescape - 49: | + 59: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -37600,7 +40860,7 @@ multiple node agents: annotations: checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 926b706ae266d1126c65565bc4729b35c679682ea75202583f4a9786e7b5de2a + checksum/node-agent-config: 9f743d9aac5148b4e8f7ae0369f163d738b845e84581d2b06b06d02a6c6e6043 checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: @@ -37858,6 +41118,10 @@ multiple node agents: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -37893,7 +41157,7 @@ multiple node agents: - name: custom-ca-certificates secret: secretName: custom-ca-certificates - 50: | + 60: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -37923,7 +41187,7 @@ multiple node agents: annotations: checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 926b706ae266d1126c65565bc4729b35c679682ea75202583f4a9786e7b5de2a + checksum/node-agent-config: 9f743d9aac5148b4e8f7ae0369f163d738b845e84581d2b06b06d02a6c6e6043 checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: @@ -38181,6 +41445,10 @@ multiple node agents: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} 
@@ -38216,7 +41484,7 @@ multiple node agents: - name: custom-ca-certificates secret: secretName: custom-ca-certificates - 51: | + 61: | apiVersion: kubescape.io/v1 kind: RuntimeRuleAlertBinding metadata: @@ -38267,7 +41535,7 @@ multiple node agents: - ruleName: Unexpected Egress Network Traffic - ruleName: Malicious Ptrace Usage - ruleName: Unexpected io_uring Operation Detected - 52: | + 62: | apiVersion: kubescape.io/v1 kind: Rules metadata: @@ -38949,7 +42217,7 @@ multiple node agents: - syscalls - io_uring - applicationprofile - 53: | + 63: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -39014,7 +42282,7 @@ multiple node agents: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 54: | + 64: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -39040,7 +42308,7 @@ multiple node agents: - kind: ServiceAccount name: node-agent namespace: kubescape - 55: | + 65: | apiVersion: v1 kind: Service metadata: @@ -39068,7 +42336,7 @@ multiple node agents: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 56: | + 66: | apiVersion: v1 kind: ServiceAccount metadata: @@ -39086,7 +42354,7 @@ multiple node agents: tier: ks-control-plane name: node-agent namespace: kubescape - 57: | + 67: | apiVersion: v1 kind: Service metadata: @@ -39113,7 +42381,7 @@ multiple node agents: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 58: | + 68: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -39161,7 +42429,7 @@ multiple node agents: - rolebindings scope: '*' sideEffects: None - 59: | + 69: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -39184,7 +42452,7 @@ multiple node agents: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 60: | + 70: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 
@@ -39207,7 +42475,7 @@ multiple node agents: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 61: | + 71: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -39341,7 +42609,7 @@ multiple node agents: - get - list - watch - 62: | + 72: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -39366,7 +42634,7 @@ multiple node agents: - kind: ServiceAccount name: operator namespace: kubescape - 63: | + 73: | apiVersion: v1 data: config.json: | @@ -39417,7 +42685,7 @@ multiple node agents: tier: ks-control-plane name: operator namespace: kubescape - 64: | + 74: | apiVersion: apps/v1 kind: Deployment metadata: @@ -39452,7 +42720,7 @@ multiple node agents: template: metadata: annotations: - checksum/capabilities-config: b0b4eb6ecb26f9be060912ffbe5f36704226a6c2c443b5cffb1049ab3553d740 + checksum/capabilities-config: 59a962f6d5626eef232330ebf8392ff351e1cc9edbd0858281a08a2997d805a1 checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -39614,7 +42882,7 @@ multiple node agents: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 65: | + 75: | apiVersion: v1 data: cronjobTemplate: |- @@ -39702,7 +42970,7 @@ multiple node agents: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 66: | + 76: | apiVersion: v1 data: cronjobTemplate: |- @@ -39790,7 +43058,7 @@ multiple node agents: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 67: | + 77: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -39897,7 +43165,7 @@ multiple node agents: policyTypes: - Ingress - Egress - 68: | + 78: | apiVersion: v1 data: cronjobTemplate: |- 
@@ -39985,7 +43253,7 @@ multiple node agents: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 69: | + 79: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -40029,7 +43297,7 @@ multiple node agents: - list - patch - delete - 70: | + 80: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -40055,7 +43323,7 @@ multiple node agents: - kind: ServiceAccount name: operator namespace: kubescape - 71: | + 81: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -40081,7 +43349,7 @@ multiple node agents: - kind: ServiceAccount name: operator namespace: kubescape - 72: | + 82: | apiVersion: v1 kind: Service metadata: @@ -40109,7 +43377,7 @@ multiple node agents: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 73: | + 83: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -40128,7 +43396,7 @@ multiple node agents: tier: ks-control-plane name: operator namespace: kubescape - 74: | + 84: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -40156,7 +43424,7 @@ multiple node agents: - get - watch - list - 75: | + 85: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -40180,7 +43448,7 @@ multiple node agents: - kind: ServiceAccount name: prometheus-exporter namespace: kubescape - 76: | + 86: | apiVersion: apps/v1 kind: Deployment metadata: @@ -40287,7 +43555,7 @@ multiple node agents: path: clusterData.json name: ks-cloud-config name: ks-cloud-config - 77: | + 87: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -40357,7 +43625,7 @@ multiple node agents: policyTypes: - Ingress - Egress - 78: | + 88: | apiVersion: v1 kind: Service metadata: 
@@ -40384,7 +43652,7 @@ multiple node agents: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: null - 79: | + 89: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -40402,7 +43670,7 @@ multiple node agents: tier: ks-control-plane name: prometheus-exporter namespace: kubescape - 80: | + 90: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -40433,7 +43701,7 @@ multiple node agents: app.kubernetes.io/component: prometheus-exporter app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 81: | + 91: | apiVersion: v1 data: proxy.crt: foo @@ -40457,7 +43725,7 @@ multiple node agents: name: kubescape-proxy-certificate namespace: kubescape type: Opaque - 82: | + 92: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -40483,7 +43751,7 @@ multiple node agents: namespace: kubescape version: v1beta1 versionPriority: 15 - 83: | + 93: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -40549,7 +43817,7 @@ multiple node agents: - get - watch - list - 84: | + 94: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -40574,7 +43842,7 @@ multiple node agents: - kind: ServiceAccount name: storage namespace: kubescape - 85: | + 95: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -40599,7 +43867,7 @@ multiple node agents: - kind: ServiceAccount name: storage namespace: kubescape - 86: | + 96: | apiVersion: v1 data: config.json: | @@ -40631,7 +43899,7 @@ multiple node agents: tier: ks-control-plane name: storage namespace: kubescape - 87: | + 97: | apiVersion: apps/v1 kind: Deployment metadata: @@ -40751,7 +44019,7 @@ multiple node agents: path: config.json name: storage name: config - 88: | + 98: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -40821,7 +44089,7 @@ multiple node agents: policyTypes: - Ingress - Egress - 89: | + 99: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -40845,7 +44113,7 @@ multiple node agents: resources: requests: storage: 5Gi - 90: | + 100: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -40871,7 +44139,7 @@ multiple node agents: - kind: ServiceAccount name: storage namespace: kubescape - 91: | + 101: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -40897,7 +44165,7 @@ multiple node agents: - kind: ServiceAccount name: storage namespace: kubescape - 92: | + 102: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -41221,7 +44489,7 @@ multiple node agents: storage: true subresources: status: {} - 93: | + 103: | apiVersion: v1 kind: Service metadata: @@ -41250,7 +44518,7 @@ multiple node agents: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 94: | + 104: | apiVersion: v1 kind: ServiceAccount metadata: @@ -41268,7 +44536,7 @@ multiple node agents: tier: ks-control-plane name: storage namespace: kubescape - 95: | + 105: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -41506,7 +44774,7 @@ multiple node agents: verbs: - update - patch - 96: | + 106: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -41530,7 +44798,7 @@ multiple node agents: - kind: ServiceAccount name: synchronizer namespace: kubescape - 97: | + 107: | apiVersion: v1 data: config.json: | @@ -41827,7 +45095,7 @@ multiple node agents: tier: ks-control-plane name: synchronizer namespace: kubescape - 98: | + 108: | apiVersion: apps/v1 kind: Deployment metadata: @@ -42010,7 +45278,7 @@ multiple node agents: path: config.json name: synchronizer name: config - 99: | + 109: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
@@ -42089,7 +45357,7 @@ multiple node agents: policyTypes: - Ingress - Egress - 100: | + 110: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -42132,7 +45400,7 @@ multiple node agents: - list - patch - delete - 101: | + 111: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -42157,7 +45425,7 @@ multiple node agents: - kind: ServiceAccount name: synchronizer namespace: kubescape - 102: | + 112: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -42182,7 +45450,7 @@ multiple node agents: - kind: ServiceAccount name: synchronizer namespace: kubescape - 103: | + 113: | apiVersion: v1 kind: Service metadata: @@ -42209,7 +45477,7 @@ multiple node agents: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 104: | + 114: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -42326,7 +45594,7 @@ priority class scheduling: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"enable","runtimeObservability":"enable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":null,"otelUrl":null,"persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -42749,6 +46017,23 @@ priority class scheduling: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -42811,7 +46096,6 @@ priority class scheduling: annotations: checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 7fc30b6a442d0ae01e83852a7c371492e49e83d6bed3dd0cb6c32935f417ad4d labels: app: kubescape app.kubernetes.io/component: kubescape 
@@ -42973,7 +46257,7 @@ priority class scheduling: 12: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: 
\"zap\"\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -43481,6 +46765,375 @@ priority class scheduling: name: kubevuln namespace: kubescape 24: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 25: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 26: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + 
type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 27: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 28: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 29: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + 
versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 30: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 31: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 32: | + apiVersion: 
apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 33: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 34: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -43617,7 +47270,27 @@ priority class scheduling: verbs: - list - watch - 25: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -43642,7 +47315,7 @@ priority class scheduling: - kind: ServiceAccount name: node-agent namespace: kubescape - 26: | + 36: | apiVersion: v1 data: config.json: | @@ -43656,6 +47329,8 @@ priority class scheduling: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, @@ -43702,7 +47377,7 @@ priority class scheduling: tier: ks-control-plane name: node-agent namespace: kubescape - 27: | + 37: | apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -43732,7 +47407,7 @@ priority class scheduling: annotations: checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 97384b74056f9485f57382f907e17c1ccefe56710d91f080e9f997ce70303707 + checksum/node-agent-config: 921a39bfca3fd64ae481a3b3b37e9c48df1332841321f999bd0cf0896ae88136 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: app: node-agent @@ -43936,6 +47611,10 @@ priority class scheduling: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -43965,7 +47644,7 @@ priority class scheduling: name: config - emptyDir: {} name: services - 28: | + 38: | apiVersion: v1 kind: Service metadata: @@ -43993,7 +47672,7 @@ priority class scheduling: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 29: | + 39: | apiVersion: v1 kind: ServiceAccount metadata: @@ -44011,7 +47690,7 @@ priority class scheduling: tier: ks-control-plane name: node-agent namespace: kubescape - 30: | + 40: | apiVersion: v1 kind: Service metadata: @@ -44038,7 +47717,7 @@ priority class scheduling: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 31: | + 41: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -44086,7 +47765,7 @@ priority class scheduling: - rolebindings scope: '*' sideEffects: None - 32: | + 42: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -44109,7 +47788,7 @@ priority class scheduling: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 33: | + 43: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 
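Review bot: In the `@@ -43936,6 +47611,10 @@` hunk the node-agent DaemonSet gains a `hostPath` volume for `/` (`type: Directory`, `name: host-filesystem`), but the matching `volumeMounts` entry is outside this hunk, so the snapshot does not show whether the host root is mounted with `readOnly: true`. The host-scanner DaemonSet this replaces (removed in the `host-scanner-yaml` ConfigMap value above) mounted the same volume at `/host_fs` without `readOnly`, and a sensor that only reads `/etc/os-release`, kernel and kubelet data has no need for a writable host root. Since this file is a rendered snapshot, the change belongs in the node-agent DaemonSet template, which is not on this page: add `readOnly: true` to the `host-filesystem` mount there and regenerate the snapshot. The same hunk appears again in the `relevancy only` snapshot (`@@ -48003,6 +52089,10 @@`), which would pick up the same fix on regeneration.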
@@ -44132,7 +47811,7 @@ priority class scheduling: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 34: | + 44: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -44257,7 +47936,7 @@ priority class scheduling: - list - update - patch - 35: | + 45: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -44282,7 +47961,7 @@ priority class scheduling: - kind: ServiceAccount name: operator namespace: kubescape - 36: | + 46: | apiVersion: v1 data: config.json: | @@ -44333,7 +48012,7 @@ priority class scheduling: tier: ks-control-plane name: operator namespace: kubescape - 37: | + 47: | apiVersion: apps/v1 kind: Deployment metadata: @@ -44368,7 +48047,7 @@ priority class scheduling: template: metadata: annotations: - checksum/capabilities-config: 14a3d2e7673c697ad37106c42861561b8f6cf49667951eeb96a7416211294f1a + checksum/capabilities-config: 4d135943a61a1c434a5c5d83fcb7f634490965fe346dc0336c5c8f5afd8345d3 checksum/cloud-config: f8f57ee9b7c136ff44014ae152c2ee1d6437058a776ba359547a4d44896626d0 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -44509,7 +48188,7 @@ priority class scheduling: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 38: | + 48: | apiVersion: v1 data: cronjobTemplate: |- @@ -44594,7 +48273,7 @@ priority class scheduling: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 39: | + 49: | apiVersion: v1 data: cronjobTemplate: |- @@ -44679,7 +48358,7 @@ priority class scheduling: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 40: | + 50: | apiVersion: v1 data: cronjobTemplate: |- 
@@ -44764,7 +48443,7 @@ priority class scheduling: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 41: | + 51: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -44808,7 +48487,7 @@ priority class scheduling: - list - patch - delete - 42: | + 52: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -44834,7 +48513,7 @@ priority class scheduling: - kind: ServiceAccount name: operator namespace: kubescape - 43: | + 53: | apiVersion: v1 kind: Service metadata: @@ -44862,7 +48541,7 @@ priority class scheduling: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 44: | + 54: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -44881,7 +48560,7 @@ priority class scheduling: tier: ks-control-plane name: operator namespace: kubescape - 45: | + 55: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -44907,7 +48586,7 @@ priority class scheduling: namespace: kubescape version: v1beta1 versionPriority: 15 - 46: | + 56: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -44930,7 +48609,7 @@ priority class scheduling: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 47: | + 57: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -44953,7 +48632,7 @@ priority class scheduling: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 48: | + 58: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -45019,7 +48698,7 @@ priority class scheduling: - get - watch - list - 49: | + 59: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -45044,7 +48723,7 @@ priority class scheduling: - kind: ServiceAccount name: storage namespace: kubescape - 50: | + 60: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -45069,7 +48748,7 @@ priority class scheduling: - kind: ServiceAccount name: storage namespace: kubescape - 51: | + 61: | apiVersion: v1 data: config.json: | @@ -45104,7 +48783,7 @@ priority class scheduling: tier: ks-control-plane name: storage namespace: kubescape - 52: | + 62: | apiVersion: apps/v1 kind: Deployment metadata: @@ -45226,7 +48905,7 @@ priority class scheduling: - name: ca-certificates secret: secretName: storage-tls - 53: | + 63: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -45250,7 +48929,7 @@ priority class scheduling: resources: requests: storage: 5Gi - 54: | + 64: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -45276,7 +48955,7 @@ priority class scheduling: - kind: ServiceAccount name: storage namespace: kubescape - 55: | + 65: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -45600,7 +49279,7 @@ priority class scheduling: storage: true subresources: status: {} - 56: | + 66: | apiVersion: v1 kind: Service metadata: @@ -45629,7 +49308,7 @@ priority class scheduling: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 57: | + 67: | apiVersion: v1 kind: ServiceAccount metadata: @@ -45647,7 +49326,7 @@ priority class scheduling: tier: ks-control-plane name: storage namespace: kubescape - 58: | + 68: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -45816,7 +49495,7 @@ priority class scheduling: - update - patch - delete - 59: | + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -45840,7 +49519,7 @@ priority class scheduling: - kind: ServiceAccount name: synchronizer namespace: kubescape - 60: | + 70: | apiVersion: v1 data: config.json: | @@ -46119,7 +49798,7 @@ priority class scheduling: tier: ks-control-plane name: synchronizer namespace: kubescape - 61: | + 71: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -46274,7 +49953,7 @@ priority class scheduling: path: config.json name: synchronizer name: config - 62: | + 72: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -46317,7 +49996,7 @@ priority class scheduling: - list - patch - delete - 63: | + 73: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -46342,7 +50021,7 @@ priority class scheduling: - kind: ServiceAccount name: synchronizer namespace: kubescape - 64: | + 74: | apiVersion: v1 kind: Service metadata: @@ -46369,7 +50048,7 @@ priority class scheduling: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 65: | + 75: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount 
@@ -46485,7 +50164,7 @@ relevancy only: capabilities: | { "capabilities":{"admissionController":"disable","autoUpgrading":"disable","configurationScan":"enable","continuousScan":"disable","httpDetection":"disable","kubescapeOffline":"disable","malwareDetection":"disable","manageWorkloads":"disable","networkEventsStreaming":"disable","networkPolicyService":"disable","nodeProfileService":"disable","nodeSbomGeneration":"disable","nodeScan":"enable","operator":"enable","prometheusExporter":"disable","relevancy":"enable","riskAcceptance":"disable","runtimeDetection":"disable","runtimeObservability":"disable","scanEmbeddedSBOMs":"disable","seccompProfileBackend":"crd","seccompProfileService":"disable","syncSBOM":"disable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"disable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":false},"storage":{"enabled":true},"synchronizer":{"enabled":false}}, + 
"components":{"autoUpdater":{"enabled":false},"clamAV":{"enabled":false},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":false},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":false},"storage":{"enabled":true},"synchronizer":{"enabled":false}}, "configurations":{"excludeJsonPaths":null,"otelUrl":"otelCollector.svc.monitoring:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -46907,6 +50586,23 @@ relevancy only: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -46969,7 +50665,6 @@ relevancy only: annotations: checksum/cloud-config: 8f40f001a3e31db9895e7bbb06ab070f25ab66c83b31d1929b273cfd22402097 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 - checksum/host-scanner-configmap: b50934a9adf6fe2a85d37b7c08598824bb113c888aa360f711f2d682309751ff labels: app: kubescape app.kubernetes.io/component: kubescape 
@@ -47099,7 +50794,7 @@ relevancy only: 12: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: \"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - 
name: OTEL_COLLECTOR_SVC\n value: otelCollector.svc.monitoring:4317\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -47576,6 +51271,375 @@ relevancy only: name: kubevuln namespace: kubescape 24: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 25: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 26: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + 
name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 27: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 28: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 29: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + versions: + - 
additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 30: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 31: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 32: | + apiVersion: apiextensions.k8s.io/v1 + kind: 
CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 33: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 34: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -47712,7 +51776,27 @@ relevancy only: verbs: - list - watch - 25: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 35: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -47737,7 +51821,7 @@ relevancy only: - kind: ServiceAccount name: node-agent namespace: kubescape - 26: | + 36: | apiVersion: v1 data: config.json: | @@ -47751,6 +51835,8 @@ relevancy only: "malwareDetectionEnabled": false, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": false, "networkStreamingEnabled": false, "maxImageSize": 5.36870912e+09, @@ -47795,7 +51881,7 @@ relevancy only: tier: ks-control-plane name: node-agent namespace: kubescape - 27: | + 37: | apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -47825,7 +51911,7 @@ relevancy only: annotations: checksum/cloud-config: 8f40f001a3e31db9895e7bbb06ab070f25ab66c83b31d1929b273cfd22402097 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 - checksum/node-agent-config: 29251d5187f530a949ad1d450d865c61766b396844cf905f3b0cf719cb281497 + checksum/node-agent-config: 99f1f6115838344bd0d9a74c2c478e2f21e4379683317052a77e85e6f12f20f9 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: app: node-agent @@ -48003,6 +52089,10 @@ relevancy only: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -48030,7 +52120,7 @@ relevancy only: path: config.json name: node-agent name: config - 28: | + 38: | apiVersion: v1 kind: Service metadata: @@ -48058,7 +52148,7 @@ relevancy only: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 29: | + 39: | apiVersion: v1 kind: ServiceAccount metadata: @@ -48076,7 +52166,7 @@ relevancy only: tier: ks-control-plane name: node-agent namespace: kubescape - 30: | + 40: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -48201,7 +52291,7 @@ relevancy only: - list - update - patch - 31: | + 41: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -48226,7 +52316,7 @@ relevancy only: - kind: ServiceAccount name: operator namespace: kubescape - 32: | + 42: | apiVersion: v1 data: config.json: | @@ -48276,7 +52366,7 @@ relevancy only: tier: ks-control-plane name: operator namespace: kubescape - 33: | + 43: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -48311,7 +52401,7 @@ relevancy only: template: metadata: annotations: - checksum/capabilities-config: 239c59df3fce21d6eeb7c9043c7fa53b3b6885314407175c00b21047eab2aeda + checksum/capabilities-config: 083334cc4f1124cc9d12328762a48bbc3c6aad8a8f1d96eeca79e93f12fd300e checksum/cloud-config: 8f40f001a3e31db9895e7bbb06ab070f25ab66c83b31d1929b273cfd22402097 checksum/cloud-secret: 3248919273cee6d6f750f97ea378fc79fff1f03b131f21d584a00258bf475a80 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -48444,7 +52534,7 @@ relevancy only: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 34: | + 44: | apiVersion: v1 data: cronjobTemplate: |- @@ -48529,7 +52619,7 @@ relevancy only: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 35: | + 45: | apiVersion: v1 data: cronjobTemplate: |- @@ -48614,7 +52704,7 @@ relevancy only: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 36: | + 46: | apiVersion: v1 data: cronjobTemplate: |- @@ -48699,7 +52789,7 @@ relevancy only: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 37: | + 47: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -48743,7 +52833,7 @@ relevancy only: - list - patch - delete - 38: | + 48: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -48769,7 +52859,7 @@ relevancy only: - kind: ServiceAccount name: operator namespace: kubescape - 39: | + 49: | apiVersion: v1 kind: Service metadata: @@ -48797,7 +52887,7 @@ relevancy only: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 40: | + 50: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -48816,7 +52906,7 @@ relevancy only: tier: ks-control-plane name: operator namespace: kubescape - 41: | + 51: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: 
@@ -48842,7 +52932,7 @@ relevancy only: namespace: kubescape version: v1beta1 versionPriority: 15 - 42: | + 52: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -48865,7 +52955,7 @@ relevancy only: name: storage-tls-ca namespace: kubescape type: kubernetes.io/tls - 43: | + 53: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -48888,7 +52978,7 @@ relevancy only: name: storage-tls namespace: kubescape type: kubernetes.io/tls - 44: | + 54: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -48954,7 +53044,7 @@ relevancy only: - get - watch - list - 45: | + 55: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -48979,7 +53069,7 @@ relevancy only: - kind: ServiceAccount name: storage namespace: kubescape - 46: | + 56: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -49004,7 +53094,7 @@ relevancy only: - kind: ServiceAccount name: storage namespace: kubescape - 47: | + 57: | apiVersion: v1 data: config.json: | @@ -49039,7 +53129,7 @@ relevancy only: tier: ks-control-plane name: storage namespace: kubescape - 48: | + 58: | apiVersion: apps/v1 kind: Deployment metadata: @@ -49162,7 +53252,7 @@ relevancy only: - name: ca-certificates secret: secretName: storage-tls - 49: | + 59: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -49186,7 +53276,7 @@ relevancy only: resources: requests: storage: 5Gi - 50: | + 60: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -49212,7 +53302,7 @@ relevancy only: - kind: ServiceAccount name: storage namespace: kubescape - 51: | + 61: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -49536,7 +53626,7 @@ relevancy only: storage: true subresources: status: {} - 52: | + 62: | apiVersion: v1 kind: Service metadata: 
@@ -49565,7 +53655,7 @@ relevancy only: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 53: | + 63: | apiVersion: v1 kind: ServiceAccount metadata: 
@@ -49885,7 +53975,7 @@ skipPersistence enabled: capabilities: | { "capabilities":{"admissionController":"enable","autoUpgrading":"enable","configurationScan":"enable","continuousScan":"enable","httpDetection":"enable","kubescapeOffline":"disable","malwareDetection":"enable","manageWorkloads":"enable","networkEventsStreaming":"enable","networkPolicyService":"enable","nodeProfileService":"enable","nodeSbomGeneration":"enable","nodeScan":"enable","operator":"enable","prometheusExporter":"enable","relevancy":"enable","riskAcceptance":"enable","runtimeDetection":"enable","runtimeObservability":"enable","scanEmbeddedSBOMs":"enable","seccompProfileBackend":"crd","seccompProfileService":"enable","syncSBOM":"enable","testing":{"nodeAgentMultiplication":{"enabled":false,"replicas":5}},"vexGeneration":"enable","vulnerabilityScan":"enable"}, - "components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"hostScanner":{"enabled":true},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":true},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, + 
"components":{"autoUpdater":{"enabled":true},"clamAV":{"enabled":true},"cloudSecret":{"create":true,"name":"cloud-secret"},"customCaCertificates":{"name":"custom-ca-certificates"},"kubescape":{"enabled":true},"kubescapeScheduler":{"enabled":true},"kubevuln":{"enabled":true},"kubevulnScheduler":{"enabled":true},"nodeAgent":{"enabled":true},"operator":{"enabled":true},"otelCollector":{"enabled":false},"prometheusExporter":{"enabled":true},"sbomScanner":{"enabled":false},"serviceDiscovery":{"enabled":true},"storage":{"enabled":true},"synchronizer":{"enabled":true}}, "configurations":{"excludeJsonPaths":[".containers[*].env[?(@.name==\"KUBECONFIG\")]"],"otelUrl":"otelCollector.svc.monitoring:4317","persistence":"enable","priorityClass":{"daemonset":100000100,"enabled":true},"prometheusAnnotations":"disable"} , "serviceScanConfig" :{"enabled":false,"interval":"1h"} } @@ -50681,6 +54771,23 @@ skipPersistence enabled: - get - watch - list + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - get + - list + - watch 24: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -50743,7 +54850,6 @@ skipPersistence enabled: annotations: checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/host-scanner-configmap: 9302798150edd358576dc2e4929bd5b68fd140217b3cc0bc4689932bf8cea86e checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 labels: app: kubescape 
@@ -50958,7 +55064,7 @@ skipPersistence enabled: 26: | apiVersion: v1 data: - host-scanner-yaml: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: host-scanner\n namespace: kubescape\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\nspec:\n selector:\n matchLabels:\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n template:\n metadata:\n annotations:\n \n argocd.argoproj.io/compare-options: \"IgnoreExtraneous\"\n argocd.argoproj.io/sync-options: \"Prune=false\"\n labels:\n helm.sh/chart: kubescape-operator-1.30.7\n app.kubernetes.io/name: kubescape-operator\n app.kubernetes.io/instance: RELEASE-NAME\n app.kubernetes.io/component: host-scanner\n app.kubernetes.io/version: \"1.30.7\"\n app.kubernetes.io/managed-by: Helm\n app.kubernetes.io/part-of: kubescape\n app: host-scanner\n tier: ks-control-plane\n kubescape.io/ignore: \"true\"\n kubescape.io/tier: \"core\"\n name: host-scanner\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n affinity:\n tolerations:\n - effect: NoSchedule\n key: node-role.kubernetes.io/control-plane\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n imagePullSecrets:\n - name: foo\n - name: bar\n containers:\n - name: host-sensor\n image: \"quay.io/kubescape/host-scanner:v1.0.78\"\n imagePullPolicy: IfNotPresent\n securityContext:\n allowPrivilegeEscalation: true\n privileged: true\n readOnlyRootFilesystem: true\n env:\n - name: KS_LOGGER_LEVEL\n value: 
\"info\"\n - name: KS_LOGGER_NAME\n value: \"zap\"\n - name: OTEL_COLLECTOR_SVC\n value: otelCollector.svc.monitoring:4317\n ports:\n - name: scanner # Do not change port name\n containerPort: 7888\n protocol: TCP\n resources:\n limits:\n cpu: 0.4m\n memory: 400Mi\n requests:\n cpu: 0.1m\n memory: 200Mi\n volumeMounts:\n - mountPath: /host_fs\n name: host-filesystem\n startupProbe:\n httpGet:\n path: /readyz\n port: 7888\n failureThreshold: 30\n periodSeconds: 1\n livenessProbe:\n httpGet:\n path: /healthz\n port: 7888\n periodSeconds: 10\n terminationGracePeriodSeconds: 120\n dnsPolicy: ClusterFirstWithHostNet\n serviceAccountName: node-agent\n automountServiceAccountToken: false\n volumes:\n - hostPath:\n path: /\n type: Directory\n name: host-filesystem\n hostPID: true\n hostIPC: true" + host-scanner-yaml: "" kind: ConfigMap metadata: annotations: null 
@@ -51835,6 +55941,375 @@ skipPersistence enabled: name: kubevuln namespace: kubescape 45: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cloudproviderinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CloudProviderInfo + listKind: CloudProviderInfoList + plural: cloudproviderinfos + singular: cloudproviderinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 46: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: cniinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: CNIInfo + listKind: CNIInfoList + plural: cniinfos + singular: cniinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 47: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: controlplaneinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: ControlPlaneInfo + listKind: ControlPlaneInfoList + plural: controlplaneinfos + singular: controlplaneinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: 
string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 48: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kernelversions.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KernelVersion + listKind: KernelVersionList + plural: kernelversions + singular: kernelversion + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 49: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeletinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeletInfo + listKind: KubeletInfoList + plural: kubeletinfos + singular: kubeletinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 50: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: kubeproxyinfos.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: KubeProxyInfo + listKind: KubeProxyInfoList + plural: kubeproxyinfos + singular: kubeproxyinfo + scope: Cluster + 
versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 51: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxkernelvariables.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxKernelVariables + listKind: LinuxKernelVariablesList + plural: linuxkernelvariables + singular: linuxkernelvariable + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 52: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: linuxsecurityhardeningstatuses.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: LinuxSecurityHardeningStatus + listKind: LinuxSecurityHardeningStatusList + plural: linuxsecurityhardeningstatuses + singular: linuxsecurityhardeningstatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 53: | + apiVersion: 
apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + name: openportslists.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OpenPortsList + listKind: OpenPortsListList + plural: openportslists + singular: openportslist + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + 54: | + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + name: osreleasefiles.hostdata.kubescape.cloud + spec: + group: hostdata.kubescape.cloud + names: + kind: OsReleaseFile + listKind: OsReleaseFileList + plural: osreleasefiles + singular: osreleasefile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .status.lastSensed + name: Last Sensed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: OsReleaseFile contains the OS release information from a node + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation of an object. + type: string + kind: + description: Kind is a string value representing the REST resource this object represents. 
+ type: string + metadata: + type: object + spec: + description: OsReleaseFileSpec contains the actual OS release file content + properties: + content: + description: Content is the raw content of the OS release file + type: string + nodeName: + description: NodeName is the name of the node this data came from + type: string + type: object + status: + description: OsReleaseFileStatus contains status information about the sensing + properties: + error: + description: Error contains any error message from the last sensing attempt + type: string + lastSensed: + description: LastSensed is the timestamp when this data was last collected + format: date-time + type: string + type: object + type: object + served: true + storage: true + 55: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -51971,7 +56446,27 @@ skipPersistence enabled: verbs: - list - watch - 46: | + - apiGroups: + - hostdata.kubescape.cloud + resources: + - osreleasefiles + - kernelversions + - linuxsecurityhardeningstatuses + - openportslists + - linuxkernelvariables + - kubeletinfos + - kubeproxyinfos + - controlplaneinfos + - cloudproviderinfos + - cniinfos + verbs: + - create + - get + - update + - patch + - list + - watch + 56: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -51996,7 +56491,7 @@ skipPersistence enabled: - kind: ServiceAccount name: node-agent namespace: kubescape - 47: | + 57: | apiVersion: v1 data: config.json: | @@ -52010,6 +56505,8 @@ skipPersistence enabled: "malwareDetectionEnabled": true, "hostMalwareSensorEnabled": false, "hostNetworkSensorEnabled": false, + "hostSensorEnabled": true, + "hostSensorInterval": "5m", "nodeProfileServiceEnabled": true, "networkStreamingEnabled": true, "maxImageSize": 5.36870912e+09, @@ -52056,7 +56553,7 @@ skipPersistence enabled: tier: ks-control-plane name: node-agent namespace: kubescape - 48: | + 58: | apiVersion: v1 data: clamd.conf: |- 
@@ -52093,7 +56590,7 @@ skipPersistence enabled: metadata: name: clamav namespace: kubescape - 49: | + 59: | apiVersion: apps/v1 kind: DaemonSet metadata: @@ -52123,7 +56620,7 @@ skipPersistence enabled: annotations: checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 - checksum/node-agent-config: 926b706ae266d1126c65565bc4729b35c679682ea75202583f4a9786e7b5de2a + checksum/node-agent-config: 9f743d9aac5148b4e8f7ae0369f163d738b845e84581d2b06b06d02a6c6e6043 checksum/proxy-config: c03b6781aa61faaacfa84a96809236591dde0cbd43a204e05d5ba3044bb9d5d8 container.apparmor.security.beta.kubernetes.io/node-agent: unconfined labels: @@ -52380,6 +56877,10 @@ skipPersistence enabled: name: data - emptyDir: null name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem - emptyDir: {} name: clamdb - emptyDir: {} @@ -52415,7 +56916,7 @@ skipPersistence enabled: - name: custom-ca-certificates secret: secretName: custom-ca-certificates - 50: | + 60: | apiVersion: kubescape.io/v1 kind: RuntimeRuleAlertBinding metadata: @@ -52466,7 +56967,7 @@ skipPersistence enabled: - ruleName: Unexpected Egress Network Traffic - ruleName: Malicious Ptrace Usage - ruleName: Unexpected io_uring Operation Detected - 51: | + 61: | apiVersion: kubescape.io/v1 kind: Rules metadata: @@ -53148,7 +57649,7 @@ skipPersistence enabled: - syscalls - io_uring - applicationprofile - 52: | + 62: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -53213,7 +57714,7 @@ skipPersistence enabled: app.kubernetes.io/name: kubescape-operator policyTypes: - Egress - 53: | + 63: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -53239,7 +57740,7 @@ skipPersistence enabled: - kind: ServiceAccount name: node-agent namespace: kubescape - 54: | + 64: | apiVersion: v1 kind: Service metadata: 
@@ -53267,7 +57768,7 @@ skipPersistence enabled: app.kubernetes.io/component: node-agent app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 55: | + 65: | apiVersion: v1 kind: ServiceAccount metadata: @@ -53285,7 +57786,7 @@ skipPersistence enabled: tier: ks-control-plane name: node-agent namespace: kubescape - 56: | + 66: | apiVersion: v1 kind: Service metadata: @@ -53312,7 +57813,7 @@ skipPersistence enabled: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 57: | + 67: | apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: @@ -53360,7 +57861,7 @@ skipPersistence enabled: - rolebindings scope: '*' sideEffects: None - 58: | + 68: | apiVersion: v1 data: tls.crt: bW9jay1jYS1jZXJ0 @@ -53383,7 +57884,7 @@ skipPersistence enabled: name: kubescape-admission-webhook-ca namespace: kubescape type: kubernetes.io/tls - 59: | + 69: | apiVersion: v1 data: ca.crt: bW9jay1jYS1jZXJ0 @@ -53406,7 +57907,7 @@ skipPersistence enabled: name: kubescape-admission-webhook-tls namespace: kubescape type: kubernetes.io/tls - 60: | + 70: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -53540,7 +58041,7 @@ skipPersistence enabled: - get - list - watch - 61: | + 71: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -53565,7 +58066,7 @@ skipPersistence enabled: - kind: ServiceAccount name: operator namespace: kubescape - 62: | + 72: | apiVersion: v1 data: config.json: | @@ -53616,7 +58117,7 @@ skipPersistence enabled: tier: ks-control-plane name: operator namespace: kubescape - 63: | + 73: | apiVersion: apps/v1 kind: Deployment metadata: 
@@ -53651,7 +58152,7 @@ skipPersistence enabled: template: metadata: annotations: - checksum/capabilities-config: b0b4eb6ecb26f9be060912ffbe5f36704226a6c2c443b5cffb1049ab3553d740 + checksum/capabilities-config: 59a962f6d5626eef232330ebf8392ff351e1cc9edbd0858281a08a2997d805a1 checksum/cloud-config: aaeeb6b6b35a5ebbb0893822c4bf9cd860fba6d3df3bc4e77c8dbdd5841db120 checksum/cloud-secret: 435193bc039d949c849ba4b141adeb4836e4d0fdcc4bf0b9588d0e36de86c424 checksum/matching-rules-config: c81857b415602f6b161db3199a16461c5acd8ba44ec7572189441f4f294a3614 @@ -53813,7 +58314,7 @@ skipPersistence enabled: path: matchingRules.json name: cs-matching-rules name: cs-matching-rules - 64: | + 74: | apiVersion: v1 data: cronjobTemplate: |- @@ -53901,7 +58402,7 @@ skipPersistence enabled: tier: ks-control-plane name: kubescape-cronjob-template namespace: kubescape - 65: | + 75: | apiVersion: v1 data: cronjobTemplate: |- @@ -53989,7 +58490,7 @@ skipPersistence enabled: tier: ks-control-plane name: kubevuln-cronjob-template namespace: kubescape - 66: | + 76: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -54096,7 +58597,7 @@ skipPersistence enabled: policyTypes: - Ingress - Egress - 67: | + 77: | apiVersion: v1 data: cronjobTemplate: |- @@ -54184,7 +58685,7 @@ skipPersistence enabled: tier: ks-control-plane name: registry-scan-cronjob-template namespace: kubescape - 68: | + 78: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -54228,7 +58729,7 @@ skipPersistence enabled: - list - patch - delete - 69: | + 79: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -54254,7 +58755,7 @@ skipPersistence enabled: - kind: ServiceAccount name: operator namespace: kubescape - 70: | + 80: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -54280,7 +58781,7 @@ skipPersistence enabled: - kind: ServiceAccount name: operator namespace: kubescape - 71: | + 81: | apiVersion: v1 kind: Service metadata: 
@@ -54308,7 +58809,7 @@ skipPersistence enabled: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 72: | + 82: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -54327,7 +58828,7 @@ skipPersistence enabled: tier: ks-control-plane name: operator namespace: kubescape - 73: | + 83: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -54355,7 +58856,7 @@ skipPersistence enabled: - get - watch - list - 74: | + 84: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -54379,7 +58880,7 @@ skipPersistence enabled: - kind: ServiceAccount name: prometheus-exporter namespace: kubescape - 75: | + 85: | apiVersion: apps/v1 kind: Deployment metadata: @@ -54486,7 +58987,7 @@ skipPersistence enabled: path: clusterData.json name: ks-cloud-config name: ks-cloud-config - 76: | + 86: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -54556,7 +59057,7 @@ skipPersistence enabled: policyTypes: - Ingress - Egress - 77: | + 87: | apiVersion: v1 kind: Service metadata: @@ -54583,7 +59084,7 @@ skipPersistence enabled: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: null - 78: | + 88: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -54601,7 +59102,7 @@ skipPersistence enabled: tier: ks-control-plane name: prometheus-exporter namespace: kubescape - 79: | + 89: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -54632,7 +59133,7 @@ skipPersistence enabled: app.kubernetes.io/component: prometheus-exporter app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator - 80: | + 90: | apiVersion: v1 data: proxy.crt: foo @@ -54656,7 +59157,7 @@ skipPersistence enabled: name: kubescape-proxy-certificate namespace: kubescape type: Opaque - 81: | + 91: | apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: 
@@ -54682,7 +59183,7 @@ skipPersistence enabled: namespace: kubescape version: v1beta1 versionPriority: 15 - 82: | + 92: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -54748,7 +59249,7 @@ skipPersistence enabled: - get - watch - list - 83: | + 93: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -54773,7 +59274,7 @@ skipPersistence enabled: - kind: ServiceAccount name: storage namespace: kubescape - 84: | + 94: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -54798,7 +59299,7 @@ skipPersistence enabled: - kind: ServiceAccount name: storage namespace: kubescape - 85: | + 95: | apiVersion: v1 data: config.json: | @@ -54830,7 +59331,7 @@ skipPersistence enabled: tier: ks-control-plane name: storage namespace: kubescape - 86: | + 96: | apiVersion: apps/v1 kind: Deployment metadata: @@ -54950,7 +59451,7 @@ skipPersistence enabled: path: config.json name: storage name: config - 87: | + 97: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -55020,7 +59521,7 @@ skipPersistence enabled: policyTypes: - Ingress - Egress - 88: | + 98: | apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -55044,7 +59545,7 @@ skipPersistence enabled: resources: requests: storage: 5Gi - 89: | + 99: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -55070,7 +59571,7 @@ skipPersistence enabled: - kind: ServiceAccount name: storage namespace: kubescape - 90: | + 100: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -55096,7 +59597,7 @@ skipPersistence enabled: - kind: ServiceAccount name: storage namespace: kubescape - 91: | + 101: | apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -55420,7 +59921,7 @@ skipPersistence enabled: storage: true subresources: status: {} - 92: | + 102: | apiVersion: v1 kind: Service metadata: 
@@ -55449,7 +59950,7 @@ skipPersistence enabled: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 93: | + 103: | apiVersion: v1 kind: ServiceAccount metadata: @@ -55467,7 +59968,7 @@ skipPersistence enabled: tier: ks-control-plane name: storage namespace: kubescape - 94: | + 104: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -55705,7 +60206,7 @@ skipPersistence enabled: verbs: - update - patch - 95: | + 105: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -55729,7 +60230,7 @@ skipPersistence enabled: - kind: ServiceAccount name: synchronizer namespace: kubescape - 96: | + 106: | apiVersion: v1 data: config.json: | @@ -56026,7 +60527,7 @@ skipPersistence enabled: tier: ks-control-plane name: synchronizer namespace: kubescape - 97: | + 107: | apiVersion: apps/v1 kind: Deployment metadata: @@ -56209,7 +60710,7 @@ skipPersistence enabled: path: config.json name: synchronizer name: config - 98: | + 108: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -56288,7 +60789,7 @@ skipPersistence enabled: policyTypes: - Ingress - Egress - 99: | + 109: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -56331,7 +60832,7 @@ skipPersistence enabled: - list - patch - delete - 100: | + 110: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -56356,7 +60857,7 @@ skipPersistence enabled: - kind: ServiceAccount name: synchronizer namespace: kubescape - 101: | + 111: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -56381,7 +60882,7 @@ skipPersistence enabled: - kind: ServiceAccount name: synchronizer namespace: kubescape - 102: | + 112: | apiVersion: v1 kind: Service metadata: 
@@ -56408,7 +60909,7 @@ skipPersistence enabled: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/name: kubescape-operator type: ClusterIP - 103: | + 113: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount
diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
index ba83156d..b7f25fed 100644
--- a/charts/kubescape-operator/values.yaml
+++ b/charts/kubescape-operator/values.yaml
@@ -495,43 +495,6 @@ kubevuln: cpu: 1000m memory: 5Gi -# +++++++++++++++++++++++++++++++ Host-scanner ++++++++++++++++++++++++++++++++++++++++++++++++ - -hostScanner: - name: host-scanner - image: - # -- source code: https://github.com/kubescape/host-scanner (public repo) - repository: quay.io/kubescape/host-scanner - tag: v1.0.78 - pullPolicy: IfNotPresent - - nodeSelector: - kubernetes.io/os: linux - - # Additional volumes to be mounted on the Kubescape host scanner - volumes: [] - - # Additional volumeMounts to be mounted on the Kubescape host scanner - volumeMounts: [] - - tolerations: - # this toleration is to have the DaemonDet runnable on master nodes - # remove it if your masters can't run pods - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule - - resources: - limits: - cpu: 0.4m - memory: 400Mi - requests: - cpu: 0.1m - memory: 200Mi - # +++++++++++++++++++++++++++++++ Storage ++++++++++++++++++++++++++++++++++++++++++++++++ # Values for the Kubescape Storage service that Kubescape uses for its internal
@@ -661,6 +624,10 @@ nodeAgent: ruleCooldownAfterCount: 1 ruleCooldownOnProfileFailure: true ruleCooldownMaxSize: 20000 + # Host sensor configuration + hostSensor: + enabled: true + interval: 5m # duration string # GKE Autopilot allowlist gke:
@@ -735,7 +702,6 @@ nodeAgent: - mountPath: /clamav name: clamrun # readOnly: false # EmptyDir volume - volumes: - hostPath: path: / 
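Review bot: The new `hostSensor` keys in the `@@ -661,6 +624,10 @@ nodeAgent:` hunk ship with `enabled: true` and only a bare `# Host sensor configuration` comment, so an operator reading values.yaml cannot tell what the sensor collects, what node access it needs, or why they might turn it off. The `hostScanner` block removed earlier in this file at least named its image source and explained its control-plane tolerations; I would replace the bare comment with something like `# Host sensor: node-level collection run by the node-agent; enabled by default, set enabled: false to opt out.` and extend the interval line to `interval: 5m  # duration string between collections, e.g. 30s, 5m, 1h`. The `host-filesystem` hostPath volume with `path: /` added further down (the `@@ -768,6 +734,10 @@` hunk, which runs past this view) looks like the sensor's data source; if so, the comment should say that the default-on sensor depends on the node's root filesystem being mounted into the pod, since that is the privilege an operator accepts with the default. Whether that mount is read-only and whether it is rendered only when `hostSensor.enabled` is true is not visible here and is worth confirming in the template.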
@@ -768,6 +734,10 @@ nodeAgent: name: data - emptyDir: name: profiles + - hostPath: + path: / + type: Directory + name: host-filesystem affinity: nodeAffinity:
