forked from armosec/armo-helm
Merge pull request armosec#60 from armosec/dev
Adding many functionalities using values
Showing 19 changed files with 232 additions and 128 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,21 +1,74 @@ | ||
# ARMO cluster components | ||
ARMO Vulnerability Scanning | ||
|
||
![Version: 1.7.7](https://img.shields.io/badge/Version-1.7.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.7](https://img.shields.io/badge/AppVersion-v1.7.7-informational?style=flat-square) | ||
|
||
# Installing ARMO cluster components in a Kubernetes cluster Using Helm: | ||
============================================================= | ||
## [Docs](https://hub.armo.cloud/docs/installation-of-armo-in-cluster) | ||
|
||
## Installing ARMO cluster components in a Kubernetes cluster Using Helm: | ||
|
||
1. Add the Vulnerability Scanning Helm Repo | ||
``` | ||
helm repo add armo https://armosec.github.io/armo-helm/ | ||
``` | ||
|
||
2. Get Your Account ID from ARMO | ||
2. Update helm repo | ||
``` | ||
kubescape config local get customerGUID | ||
helm repo update | ||
``` | ||
|
||
3. Install the Helm Chart, use your account ID and give your cluster a name | ||
|
||
if you ran kubescape cli tool and submitted, you cam get your Account ID from the local cache: | ||
``` | ||
kubescape config view | grep -i accountID | ||
``` | ||
helm upgrade --install armo armo/armo-cluster-components -n armo-system --create-namespace --set accountGuid=<my_account_guid> --set clusterName=`kubectl config current-context` | ||
Otherwise, get the account ID from the [kubescape SaaS](https://hub.armo.cloud/docs/installation-of-armo-in-cluster#install-a-pre-registered-cluster) | ||
|
||
Run the install command: | ||
``` | ||
helm upgrade --install armo armo/armo-cluster-components -n armo-system --create-namespace --set accountGuid=<my_account_guid> --set clusterName=`kubectl config current-context` | ||
``` | ||
|
||
> Add `--set clientID=<generated client id> --set secretKey=<generated secret key>` if you have [generated an auth key](https://hub.armo.cloud/docs/authentication) | ||
> Add `--set armoKubescape.serviceMonitor.enabled=true` for installing the Prometheus service monitor, [read more about Prometheus integration](https://hub.armo.cloud/docs/prometheus-exporter) | ||
## Chart support | ||
|
||
### Values | ||
|
||
| Key | Type | Default | Description | | ||
|-----|------|---------|-------------| | ||
| armoCollector.enabled | bool | `true` | enable/disable the armoCollector | | ||
| armoCollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) | | ||
| armoCollector.image.repository | string | `"quay.io/armosec/cluster-collector"` | [source code](https://github.com/armosec/k8s-armo-collector) (private repo) | | ||
| armoKubescape.downloadArtifacts | bool | `true` | download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus) | | ||
| armoKubescape.enableHostScan | bool | `true` | enable [host scanner feature](https://hub.armo.cloud/docs/host-sensor) | | ||
| armoKubescape.enabled | bool | `true` | enable/disable kubescape scanning | | ||
| armoKubescape.image.repository | string | `"quay.io/armosec/kubescape"` | [source code](https://github.com/armosec/kubescape/tree/master/httphandler) (public repo) | | ||
| armoKubescape.serviceMonitor.enabled | bool | `false` | enable/disable service monitor for prometheus (operator) integration | | ||
| armoKubescape.skipUpdateCheck | bool | `false` | skip check for a newer version | | ||
| armoKubescape.submit | bool | `true` | submit results to ARMO SaaS: https://portal.armo.cloud/ | | ||
| armoKubescapeScanScheduler.enabled | bool | `true` | enable/disable a kubescape scheduled scan using a CronJob | | ||
| armoKubescapeScanScheduler.image.repository | string | `"quay.io/armosec/http_request"` | [source code](https://github.com/armosec/http-request) (public repo) | | ||
| armoKubescapeScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency | | ||
| armoNotificationService.enabled | bool | `true` | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings | | ||
| armoNotificationService.image.repository | string | `"quay.io/armosec/notification-server"` | [source code](https://github.com/armosec/capostman) (private repo) | | ||
| armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob | | ||
| armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl | | ||
| armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency | | ||
| armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning | | ||
| armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) | | ||
| armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning | | ||
| armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) | | ||
| aws_iam_role_arn | string | `nil` | AWS IAM arn role | | ||
| clientID | string | `""` | client ID, [read more](https://hub.armo.cloud/docs/authentication) | | ||
| cloudRegion | string | `nil` | cloud region | | ||
| cloud_provider_engine | string | `nil` | cloud provider engine | | ||
| gkeProject | string | `nil` | GKE project | | ||
| gke_service_account | string | `nil` | GKE service account | | ||
| secretKey | string | `""` | secret key, [read more](https://hub.armo.cloud/docs/authentication) | | ||
| triggerNewImageScan | string | `"disable"` | enable/disable trigger image scan for new images | | ||
|
||
|
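Review bot: The `> Add --set clientID=<generated client id> --set secretKey=<generated secret key>` line tells users to pass the secret key on the command line, where it ends up in shell history and the process list; document a values file passed with `-f` (and kept out of version control) as the recommended way to supply `clientID` and `secretKey`. Smaller points in the same hunk: "you cam get" should read "you can get"; the account ID is looked up with `grep -i accountID` but set as `accountGuid`, which deserves one sentence of explanation; and in the Values table the description of `armoScanScheduler.enabled` ("enable/disable image vulnerability a schedule scan using a CronJob") is garbled, while `armoWebsocket.enabled` carries a description that reads as copied from the scanning rows.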
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,44 +1,30 @@ | ||
apiVersion: v2 | ||
name: armo-cluster-components | ||
description: | ||
A Helm chart for ARMO cluster components | ||
|
||
# A chart can be either an 'application' or a 'library' chart. | ||
# | ||
# Application charts are a collection of templates that can be packaged into versioned archives | ||
# to be deployed. | ||
# | ||
# Library charts provide useful utilities or functions for the chart developer. They're included as | ||
# a dependency of application charts to inject those utilities and functions into the rendering | ||
# pipeline. Library charts do not define any templates and therefore cannot be deployed. | ||
ARMO Vulnerability Scanning | ||
|
||
type: application | ||
|
||
# This is the chart version. This version number should be incremented each time you make changes | ||
# to the chart and its templates, including the app version. | ||
# Versions are expected to follow Semantic Versioning (https://semver.org/) | ||
version: 1.7.6 | ||
version: 1.7.7 | ||
|
||
# This is the version number of the application being deployed. This version number should be | ||
# incremented each time you make changes to the application. Versions are not expected to | ||
# follow Semantic Versioning. They should reflect the version the application is using. | ||
# It is recommended to use it with quotes. | ||
appVersion: "v1.7.6" | ||
appVersion: "v1.7.7" | ||
|
||
maintainers: | ||
- name: Ben Hirschberg | ||
email: ben@armosec.io | ||
url: https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890 | ||
- name: David Wertenteil | ||
email: dw@armosec.io | ||
url: https://www.linkedin.com/in/david-wertenteil-0ba277b9 | ||
- name: Bezalel Brandwine | ||
email: bez@armosec.io | ||
url: https://www.linkedin.com/in/bezalel-brandwine | ||
|
||
home: https://www.armosec.io/ | ||
|
||
|
||
# List all charts to deploy | ||
#dependencies: | ||
# - name: armo-global | ||
# version: "1.0.0" | ||
# - name: armo-websocket | ||
# version: "1.0.0" | ||
# condition: armoWebsocket.enabled |
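Review bot: The bump to `version: 1.7.7` is a patch increment, but the comment directly above it says chart versions follow Semantic Versioning, and this commit adds a new template (armo-kubescape-servicemonitor.yaml) and new values; added backwards-compatible functionality would normally be a minor bump. If `appVersion` is meant to track the application images rather than the chart, confirm it should move in lockstep with `version` here. The commented-out `#dependencies:` block at the end is dead configuration and could be dropped or explained.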
24 changes: 24 additions & 0 deletions
charts/armo-components/templates/armo-kubescape-servicemonitor.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
{{ if and .Values.armoKubescape.serviceMonitor.enabled .Values.armoKubescape.enabled }} | ||
apiVersion: monitoring.coreos.com/v1 | ||
kind: ServiceMonitor | ||
metadata: | ||
name: {{ .Values.armoKubescape.name }}-monitor | ||
{{- if .Values.armoKubescape.serviceMonitor.namespace }} | ||
namespace: {{ .Values.armoKubescape.serviceMonitor.namespace }} | ||
{{- end }} | ||
labels: | ||
app: {{ .Values.armoKubescape.name }} | ||
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} | ||
spec: | ||
namespaceSelector: | ||
matchNames: | ||
- {{ .Values.armoNameSpace }} | ||
selector: | ||
matchLabels: | ||
app: {{ .Values.armoKubescape.name }} | ||
endpoints: | ||
- port: http | ||
path: /v1/metrics | ||
interval: 120s | ||
scrapeTimeout: 100s | ||
{{ end }} |
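Review bot: `armoKubescape.serviceMonitor.namespace` is read in the `{{- if .Values.armoKubescape.serviceMonitor.namespace }}` block, but the Values table in the README documents only `armoKubescape.serviceMonitor.enabled`; add a row for it with its default. In the same template, `interval: 120s` and `scrapeTimeout: 100s` are hard-coded, so consider exposing them as values, and the `labels:` block offers no way to add the extra labels that a Prometheus operator's `serviceMonitorSelector` may require. Since the resource is `monitoring.coreos.com/v1`, enabling it on a cluster without that CRD will fail the install; a `.Capabilities.APIVersions.Has` check alongside the existing `if and` condition would make that failure explicit.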
2 changes: 1 addition & 1 deletion
charts/armo-components/templates/armo-notification-service-deployment.yaml
2 changes: 1 addition & 1 deletion
charts/armo-components/templates/armo-notification-service-service.yaml
2 changes: 1 addition & 1 deletion
charts/armo-components/templates/armo-vuln-scanner-deployment.yaml
2 changes: 1 addition & 1 deletion
charts/armo-components/templates/armo-websocket-deployment.yaml