Expand Up @@ -15,7 +15,7 @@ scanner:
options:
# PostgreSQL Connection string
# https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
source: host={{ ._rox.scanner.name }}-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000
source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000

# Number of elements kept in the cache
# Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
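Review bot: The `sslmode` expression on the `source:` line silently drops hostname verification (`verify-ca`) whenever the release is not installed in the `stackrox` namespace, and nothing in the template says why. With `verify-full`, libpq checks the now hard-coded `scanner-db.{{ .Release.Namespace }}.svc` against the server certificate's SAN, so the scanner-db TLS certificate (generated outside this diff) must be issued for exactly that name or the connection fails closed; presumably the certificate is only minted for the default namespace, which would explain the weaker mode elsewhere, but that should be confirmed and recorded. Suggest adding above `source:`: `# verify-full requires the scanner-db cert SAN to match scanner-db.<ns>.svc; outside the stackrox namespace only the CA chain is verified (no hostname check)`. The enclosing `options:` map continues outside the hunk.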
Expand Up @@ -5,12 +5,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ ._rox.scanner.name }}
name: scanner
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "serviceaccount" ._rox.scanner.name) | nindent 4 }}
{{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "serviceaccount" ._rox.scanner.name) | nindent 4 }}
{{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }}
imagePullSecrets:
{{- range $secretName := ._rox.imagePullSecrets._names }}
- name: {{ quote $secretName }}
50 changes: 25 additions & 25 deletions image/templates/helm/shared/templates/02-scanner-01-security.yaml
Expand Up @@ -5,18 +5,18 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name "-psp")) }}
name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
labels:
{{- include "srox.labels" (list . "clusterrole" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
{{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "clusterrole" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
{{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }}
- {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
verbs:
- use

Expand All @@ -25,31 +25,31 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: stackrox-{{ ._rox.scanner.name }}-psp
name: stackrox-scanner-psp
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "rolebinding" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
{{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "rolebinding" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }}
{{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name "-psp")) }}
name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
subjects:
- kind: ServiceAccount
name: {{ ._rox.scanner.name }}
name: scanner
namespace: {{ .Release.Namespace }}

---

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }}
name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
labels:
{{- include "srox.labels" (list . "podsecuritypolicy" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
{{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "podsecuritypolicy" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
{{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
spec:
privileged: false
allowPrivilegeEscalation: false
Expand Down Expand Up @@ -78,12 +78,12 @@ spec:
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }}
name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
labels:
{{- include "srox.labels" (list . "securitycontextconstraints" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
{{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "securitycontextconstraints" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }}
kubernetes.io/description: stackrox-{{ ._rox.scanner.name }} is the security constraint for the Scanner container
{{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }}
kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container
priority: 0
runAsUser:
type: RunAsAny
Expand All @@ -92,7 +92,7 @@ seLinuxContext:
seccompProfiles:
- '*'
users:
- system:serviceaccount:{{ .Release.Namespace }}:{{ ._rox.scanner.name }}
- system:serviceaccount:{{ .Release.Namespace }}:scanner
volumes:
- '*'
allowHostDirVolumePlugin: false
Expand All @@ -114,12 +114,12 @@ requiredDropCapabilities: []
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: use-{{ ._rox.scanner.name }}-scc
name: use-scanner-scc
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "role" (print "use-" ._rox.scanner.name "-scc")) | nindent 4 }}
{{- include "srox.labels" (list . "role" "use-scanner-scc") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "role" (print "use-" ._rox.scanner.name "-scc")) | nindent 4 }}
{{- include "srox.annotations" (list . "role" "use-scanner-scc") | nindent 4 }}
rules:
- apiGroups:
- security.openshift.io
Expand All @@ -133,19 +133,19 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ ._rox.scanner.name }}-use-scc
name: scanner-use-scc
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "rolebinding" (print ._rox.scanner.name "-use-scc")) | nindent 4 }}
{{- include "srox.labels" (list . "rolebinding" "scanner-use-scc") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "rolebinding" (print ._rox.scanner.name "-use-scc")) | nindent 4 }}
{{- include "srox.annotations" (list . "rolebinding" "scanner-use-scc") | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: use-{{ ._rox.scanner.name }}-scc
name: use-scanner-scc
subjects:
- kind: ServiceAccount
name: {{ ._rox.scanner.name }}
name: scanner
namespace: {{ .Release.Namespace }}
{{ end -}}

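Review bot: The SecurityContextConstraints granted to `system:serviceaccount:{{ .Release.Namespace }}:scanner` still carries `runAsUser: RunAsAny`, `seccompProfiles: ['*']`, `volumes: ['*']` and `requiredDropCapabilities: []`, which is noticeably broader than the PodSecurityPolicy in the same file (`privileged: false`, `allowPrivilegeEscalation: false`); now that the rename pins this grant to a fixed service account name, it is worth confirming the scanner container actually needs arbitrary seccomp profiles and volume types, or narrowing `volumes` to the kinds it mounts (e.g. `configMap`, `secret`, `emptyDir`). If the wide settings are required, a one-line comment above `seccompProfiles:` stating why would spare the next reviewer the same question. Separately, the PodSecurityPolicy still targets `policy/v1beta1`, which was removed in Kubernetes 1.25; it appears to be gated by the template conditional that closes at `{{ end -}}`, but the opening condition is outside the hunk, so check that it excludes clusters without the PSP API. Parts of the PSP `spec` and the SCC `seLinuxContext` are collapsed in this view.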
Expand Up @@ -8,12 +8,12 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ ._rox.scanner.name }}-db-password
name: scanner-db-password
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-db-password")) | nindent 4 }}
{{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-db-password")) | nindent 4 }}
{{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }}
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/resource-policy": keep
type: Opaque
Expand Up @@ -7,12 +7,12 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ ._rox.scanner.name }}-tls
name: scanner-tls
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-tls")) | nindent 4 }}
{{- include "srox.labels" (list . "secret" "scanner-tls") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-tls")) | nindent 4 }}
{{- include "srox.annotations" (list . "secret" "scanner-tls") | nindent 4 }}
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/resource-policy": keep
type: Opaque
Expand All @@ -33,12 +33,12 @@ stringData:
apiVersion: v1
kind: Secret
metadata:
name: {{ ._rox.scanner.name }}-db-tls
name: scanner-db-tls
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-db-tls")) | nindent 4 }}
{{- include "srox.labels" (list . "secret" "scanner-db-tls") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-db-tls")) | nindent 4 }}
{{- include "srox.annotations" (list . "secret" "scanner-db-tls") | nindent 4 }}
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/resource-policy": "keep"
type: Opaque
Expand Up @@ -5,12 +5,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ ._rox.scanner.name }}-config
name: scanner-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "configmap" (print ._rox.scanner.name "-config")) | nindent 4 }}
{{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "configmap" (print ._rox.scanner.name "-config")) | nindent 4 }}
{{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }}
data:
config.yaml: |
{{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }}
Expand Up @@ -5,16 +5,16 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ ._rox.scanner.name }}
name: scanner
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "networkpolicy" ._rox.scanner.name) | nindent 4 }}
{{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "networkpolicy" ._rox.scanner.name) | nindent 4 }}
{{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }}
spec:
podSelector:
matchLabels:
app: {{ ._rox.scanner.name }}
app: scanner
ingress:
- from:
- podSelector:
Expand All @@ -39,21 +39,21 @@ spec:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ ._rox.scanner.name }}-db
name: scanner-db
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "networkpolicy" (print ._rox.scanner.name "-db")) | nindent 4 }}
{{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "networkpolicy" (print ._rox.scanner.name "-db")) | nindent 4 }}
{{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }}
spec:
podSelector:
matchLabels:
app: {{ ._rox.scanner.name }}-db
app: scanner-db
ingress:
- from:
- podSelector:
matchLabels:
app: {{ ._rox.scanner.name }}
app: scanner
ports:
- port: 5432
protocol: TCP
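Review bot: The NetworkPolicy `podSelector` and `ingress.from` blocks are now fixed to `app: scanner` and `app: scanner-db`, but the workloads that carry those pod labels are not part of this diff; if any template still labels the scanner or scanner-db pods with `{{ ._rox.scanner.name }}` (or anything else), a selector that matches no pods imposes no restriction at all, so the 5432 ingress rule on the database would silently protect nothing. Please check the scanner and scanner-db Deployment templates and the Service selectors in the same change, ideally by rendering the chart and confirming each policy's `podSelector` resolves to the intended pods. The first policy's `ingress.from` list continues outside the hunk.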