Replace host sensor with node agent sensing

charts/kubescape-operator/.helmignore

@@ -1 +1,2 @@
 tests
+templates/node-agent-crds/README.md

charts/kubescape-operator/README.md

@@ -157,8 +157,6 @@ However, we recommend that you give Kubescape no less than 500m CPU no matter th
 | operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | operator.volumes | object | `[]` | Additional volumes for the web socket |
 | operator.volumeMounts | object | `[]` | Additional volumeMounts for the web socket |
-| hostScanner.volumes | object | `[]` | Additional volumes for the host scanner |
-| hostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner |
 | awsIamRoleArn | string | `nil` | AWS IAM arn role |
 | cloudProviderMetadata.secretRef.name | string | `nil` | secret name to define values for the provider's metadata |
 | cloudProviderMetadata.cloudRegion | string or through `cloudProviderMetadata.secretRef.cloudRegionKey` if `cloudProviderMetadata.secretRef.name` is set | `nil` | cloud region |

charts/kubescape-operator/templates/_common.tpl

@@ -7,7 +7,6 @@
 capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "components-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }}
 cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }}
 cloudSecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloud-secret.yaml" ) . | replace .Chart.AppVersion "" | sha256sum }}
-hostScannerConfig: {{ include (printf "%s/kubescape/host-scanner-definition-configmap.yaml" $.Template.BasePath ) . | replace .Chart.AppVersion "" | sha256sum }}
 matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "matchingRules-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }}
 nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | replace .Chart.AppVersion "" | sha256sum }}
 operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | replace .Chart.AppVersion "" | sha256sum }}
@@ -50,8 +49,6 @@ submit: {{ $submit }}
 {{- $nodeScanEnabled := and (eq .Values.capabilities.nodeScan "enable") (not $configurations.backendStorageEnabled) }}
 {{- $configurationScanEnabled := and (eq .Values.capabilities.configurationScan "enable") (not $configurations.backendStorageEnabled) }}
 {{- $vulnerabilityScanEnabled := and (eq .Values.capabilities.vulnerabilityScan "enable") (not $configurations.backendStorageEnabled) }}
-hostScanner:
-  enabled: {{ $nodeScanEnabled }}
 kubescape:
   enabled: {{ $configurationScanEnabled }}
 kubescapeScheduler:

charts/kubescape-operator/templates/kubescape/clusterrole.yaml

@@ -86,4 +86,20 @@ rules:
 - apiGroups: ["kubescape.io"]
   resources: ["servicesscanresults"]
   verbs: ["get", "watch", "list"]
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+- apiGroups: ["hostdata.kubescape.cloud"]
+  resources:
+    - osreleasefiles
+    - kernelversions
+    - linuxsecurityhardeningstatuses
+    - openportslists
+    - linuxkernelvariables
+    - kubeletinfos
+    - kubeproxyinfos
+    - controlplaneinfos
+    - cloudproviderinfos
+    - cniinfos
+  verbs: ["get", "list", "watch"]
+{{- end }}
+
 {{ end }}

charts/kubescape-operator/templates/kubescape/deployment.yaml

@@ -29,7 +29,6 @@ spec:
       annotations:
         {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 8 }}
         {{- with .Values.kubescape.podAnnotations }}{{- toYaml . | nindent 8 }}{{- end }}
-        checksum/host-scanner-configmap: {{ $checksums.hostScannerConfig }}
         checksum/cloud-secret: {{ $checksums.cloudSecret }}
         checksum/cloud-config: {{ $checksums.cloudConfig }}
       {{- if ne .Values.global.proxySecretFile "" }}
@@ -146,7 +145,7 @@ spec:
         - name: KS_DEFAULT_CLOUD_CONFIGMAP_NAME
           value: {{ .Values.global.cloudConfig }}
         - name: KS_ENABLE_HOST_SCANNER
-          value: "{{ $components.hostScanner.enabled }}"
+          value: "{{ .Values.nodeAgent.config.hostSensor.enabled }}"
         - name: KS_SKIP_UPDATE_CHECK
           value: "{{ .Values.kubescape.skipUpdateCheck }}"
         - name: KS_HOST_SCAN_YAML

charts/kubescape-operator/templates/node-agent-crds/README.md

@@ -0,0 +1,7 @@
+### CRDs location inside the chart tree
+These CRDs are placed in the `templates/` directory instead of the standard `crds/` directory to allow Helm to manage their full lifecycle. 
+This ensures they are updated during `helm upgrade` and removed during `helm uninstall`, supporting the evolving sensing capabilities of the node-agent.
+No need to install them before kubescape operator chart since they are about to be used only after node-agent is up and running.
+
+### tech debt
+1. move CRDs group from `kubescape.cloud` to `kubescape.io`

charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml

@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cloudproviderinfos.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: CloudProviderInfo
+    listKind: CloudProviderInfoList
+    plural: cloudproviderinfos
+    singular: cloudproviderinfo
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}

charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml

@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cniinfos.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: CNIInfo
+    listKind: CNIInfoList
+    plural: cniinfos
+    singular: cniinfo
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}

charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml

@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: controlplaneinfos.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: ControlPlaneInfo
+    listKind: ControlPlaneInfoList
+    plural: controlplaneinfos
+    singular: controlplaneinfo
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}

charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml

@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: kernelversions.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: KernelVersion
+    listKind: KernelVersionList
+    plural: kernelversions
+    singular: kernelversion
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}