From b70bd9a22599e9e3bbc6483d7c885fbaad9087a9 Mon Sep 17 00:00:00 2001 From: Simon Baeumer Date: Fri, 4 Mar 2022 13:07:21 +0100 Subject: [PATCH 1/5] X-Smart-Branch-Parent: master From 30624c8a80d0dfa39320e476b1dafbbb93e5effc Mon Sep 17 00:00:00 2001 From: Simon Baeumer Date: Fri, 4 Mar 2022 13:43:08 +0100 Subject: [PATCH 2/5] remove scanner-slim resource names --- .../config-templates/scanner/config.yaml.tpl | 2 +- .../02-scanner-00-serviceaccount.yaml | 6 +- .../templates/02-scanner-01-security.yaml | 50 ++++++++--------- .../02-scanner-02-db-password-secret.yaml | 6 +- .../templates/02-scanner-03-tls-secret.yaml | 12 ++-- .../02-scanner-04-scanner-config.yaml | 6 +- .../02-scanner-05-network-policy.yaml | 18 +++--- .../02-scanner-06-deployment.yaml.htpl | 56 +++++++++---------- .../templates/02-scanner-07-service.yaml | 32 +++++------ .../shared/templates/02-scanner-08-hpa.yaml | 8 +-- .../shared/templates/_scanner_init.tpl.htpl | 4 -- pkg/env/sensor.go | 2 +- .../scanner-slim/scanner-slim.test.yaml | 40 ++++++------- .../service_certificates_repository.go | 4 +- .../localscanner/tls_issuer_test.go | 18 +++--- 15 files changed, 128 insertions(+), 136 deletions(-) diff --git a/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl b/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl index 40b24a06e17ca..6d3aa4243a0d1 100644 --- a/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl +++ b/image/templates/helm/shared/config-templates/scanner/config.yaml.tpl 
@@ -15,7 +15,7 @@ scanner: options: # PostgreSQL Connection string # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING - source: host={{ ._rox.scanner.name }}-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000 + source: host=scanner-db.{{ .Release.Namespace }}.svc port=5432 user=postgres sslmode={{- if eq .Release.Namespace "stackrox" }}verify-full{{- else }}verify-ca{{- end }} statement_timeout=60000 # Number of elements kept in the cache # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. diff --git a/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml b/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml index 73d47ba949b95..a27c602723a43 100644 --- a/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml +++ b/image/templates/helm/shared/templates/02-scanner-00-serviceaccount.yaml @@ -5,12 +5,12 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ ._rox.scanner.name }} + name: scanner namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "serviceaccount" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.labels" (list . "serviceaccount" "scanner") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "serviceaccount" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.annotations" (list . "serviceaccount" "scanner") | nindent 4 }} imagePullSecrets: {{- range $secretName := ._rox.imagePullSecrets._names }} - name: {{ quote $secretName }} diff --git a/image/templates/helm/shared/templates/02-scanner-01-security.yaml b/image/templates/helm/shared/templates/02-scanner-01-security.yaml index eaf256d89c7c6..72bd6fe15e9f2 100644 --- a/image/templates/helm/shared/templates/02-scanner-01-security.yaml 
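Review bot: The DB host on the added line is now the fixed name `scanner-db.<namespace>.svc` whatever the scanner mode, because `_scanner_init.tpl.htpl` later in this patch drops the `set $scannerCfg "name"` lines that gave slim mode its own `scanner-slim` prefix, and the serviceaccount, security, secret, network-policy, deployment, service and hpa templates in this patch all switch to the same fixed names. Nothing in the diff prevents the central-services chart (full scanner) and the secured-cluster-services chart (slim scanner) from being rendered into one namespace, and if that happens the two scanners now claim identical Deployment, Service, ServiceAccount, Secret and NetworkPolicy names, with the `keep`-annotated TLS Secrets and the `app: scanner` selectors no longer telling the two workloads apart. If co-deployment is ruled out somewhere outside this diff, that assumption deserves a comment next to the removed `name` lines in `_scanner_init.tpl.htpl`; otherwise the init template should reject slim mode in a namespace that already hosts the full scanner (Helm's `lookup` can test for the existing `scanner` Deployment) via the `srox.fail` helper it already calls a few lines below, so the collision fails at install time rather than at runtime.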
+++ b/image/templates/helm/shared/templates/02-scanner-01-security.yaml @@ -5,18 +5,18 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name "-psp")) }} + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} labels: - {{- include "srox.labels" (list . "clusterrole" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }} + {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "clusterrole" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }} + {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }} rules: - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - - {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }} + - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} verbs: - use 
@@ -25,19 +25,19 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: stackrox-{{ ._rox.scanner.name }}-psp + name: stackrox-scanner-psp namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "rolebinding" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }} + {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "rolebinding" (print "stackrox-" ._rox.scanner.name "-psp")) | nindent 4 }} + {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name "-psp")) }} + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }} subjects: - kind: ServiceAccount - name: {{ ._rox.scanner.name }} + name: scanner namespace: {{ .Release.Namespace }} --- @@ -45,11 +45,11 @@ subjects: apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }} + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} labels: - {{- include "srox.labels" (list . "podsecuritypolicy" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }} + {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "podsecuritypolicy" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }} + {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }} spec: privileged: false allowPrivilegeEscalation: false 
@@ -78,12 +78,12 @@ spec: kind: SecurityContextConstraints apiVersion: security.openshift.io/v1 metadata: - name: {{ include "srox.globalResourceName" (list . (print "stackrox-" ._rox.scanner.name)) }} + name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }} labels: - {{- include "srox.labels" (list . "securitycontextconstraints" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }} + {{- include "srox.labels" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "securitycontextconstraints" (print "stackrox-" ._rox.scanner.name)) | nindent 4 }} - kubernetes.io/description: stackrox-{{ ._rox.scanner.name }} is the security constraint for the Scanner container + {{- include "srox.annotations" (list . "securitycontextconstraints" "stackrox-scanner") | nindent 4 }} + kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container priority: 0 runAsUser: type: RunAsAny @@ -92,7 +92,7 @@ seLinuxContext: seccompProfiles: - '*' users: - - system:serviceaccount:{{ .Release.Namespace }}:{{ ._rox.scanner.name }} + - system:serviceaccount:{{ .Release.Namespace }}:scanner volumes: - '*' allowHostDirVolumePlugin: false @@ -114,12 +114,12 @@ requiredDropCapabilities: [] apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: use-{{ ._rox.scanner.name }}-scc + name: use-scanner-scc namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "role" (print "use-" ._rox.scanner.name "-scc")) | nindent 4 }} + {{- include "srox.labels" (list . "role" "use-scanner-scc") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "role" (print "use-" ._rox.scanner.name "-scc")) | nindent 4 }} + {{- include "srox.annotations" (list . "role" "use-scanner-scc") | nindent 4 }} rules: - apiGroups: - security.openshift.io 
@@ -133,19 +133,19 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ ._rox.scanner.name }}-use-scc + name: scanner-use-scc namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "rolebinding" (print ._rox.scanner.name "-use-scc")) | nindent 4 }} + {{- include "srox.labels" (list . "rolebinding" "scanner-use-scc") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "rolebinding" (print ._rox.scanner.name "-use-scc")) | nindent 4 }} + {{- include "srox.annotations" (list . "rolebinding" "scanner-use-scc") | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: use-{{ ._rox.scanner.name }}-scc + name: use-scanner-scc subjects: - kind: ServiceAccount - name: {{ ._rox.scanner.name }} + name: scanner namespace: {{ .Release.Namespace }} {{ end -}} diff --git a/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml b/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml index eb6586b4b6212..c6c0bc176c023 100644 --- a/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml +++ b/image/templates/helm/shared/templates/02-scanner-02-db-password-secret.yaml @@ -8,12 +8,12 @@ apiVersion: v1 kind: Secret metadata: - name: {{ ._rox.scanner.name }}-db-password + name: scanner-db-password namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-db-password")) | nindent 4 }} + {{- include "srox.labels" (list . "secret" "scanner-db-password") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-db-password")) | nindent 4 }} + {{- include "srox.annotations" (list . "secret" "scanner-db-password") | nindent 4 }} "helm.sh/hook": "pre-install,pre-upgrade" "helm.sh/resource-policy": keep type: Opaque 
diff --git a/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml b/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml index 983c6365bc458..7c590fffe59f9 100644 --- a/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml +++ b/image/templates/helm/shared/templates/02-scanner-03-tls-secret.yaml @@ -7,12 +7,12 @@ apiVersion: v1 kind: Secret metadata: - name: {{ ._rox.scanner.name }}-tls + name: scanner-tls namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-tls")) | nindent 4 }} + {{- include "srox.labels" (list . "secret" "scanner-tls") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-tls")) | nindent 4 }} + {{- include "srox.annotations" (list . "secret" "scanner-tls") | nindent 4 }} "helm.sh/hook": "pre-install,pre-upgrade" "helm.sh/resource-policy": keep type: Opaque @@ -33,12 +33,12 @@ stringData: apiVersion: v1 kind: Secret metadata: - name: {{ ._rox.scanner.name }}-db-tls + name: scanner-db-tls namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "secret" (print ._rox.scanner.name "-db-tls")) | nindent 4 }} + {{- include "srox.labels" (list . "secret" "scanner-db-tls") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "secret" (print ._rox.scanner.name "-db-tls")) | nindent 4 }} + {{- include "srox.annotations" (list . "secret" "scanner-db-tls") | nindent 4 }} "helm.sh/hook": "pre-install,pre-upgrade" "helm.sh/resource-policy": "keep" type: Opaque diff --git a/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml b/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml index 9b1fa7036f894..4ed16c779e60b 100644 --- a/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml +++ b/image/templates/helm/shared/templates/02-scanner-04-scanner-config.yaml 
@@ -5,12 +5,12 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ ._rox.scanner.name }}-config + name: scanner-config namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "configmap" (print ._rox.scanner.name "-config")) | nindent 4 }} + {{- include "srox.labels" (list . "configmap" "scanner-config") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "configmap" (print ._rox.scanner.name "-config")) | nindent 4 }} + {{- include "srox.annotations" (list . "configmap" "scanner-config") | nindent 4 }} data: config.yaml: | {{- tpl (.Files.Get "config-templates/scanner/config.yaml.tpl") . | nindent 4 }} diff --git a/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml b/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml index 44482d3d60ea9..ca0fb17c5cff9 100644 --- a/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml +++ b/image/templates/helm/shared/templates/02-scanner-05-network-policy.yaml @@ -5,16 +5,16 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ ._rox.scanner.name }} + name: scanner namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "networkpolicy" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.labels" (list . "networkpolicy" "scanner") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "networkpolicy" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.annotations" (list . "networkpolicy" "scanner") | nindent 4 }} spec: podSelector: matchLabels: - app: {{ ._rox.scanner.name }} + app: scanner ingress: - from: - podSelector: 
@@ -39,21 +39,21 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ ._rox.scanner.name }}-db + name: scanner-db namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "networkpolicy" (print ._rox.scanner.name "-db")) | nindent 4 }} + {{- include "srox.labels" (list . "networkpolicy" "scanner-db") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "networkpolicy" (print ._rox.scanner.name "-db")) | nindent 4 }} + {{- include "srox.annotations" (list . "networkpolicy" "scanner-db") | nindent 4 }} spec: podSelector: matchLabels: - app: {{ ._rox.scanner.name }}-db + app: scanner-db ingress: - from: - podSelector: matchLabels: - app: {{ ._rox.scanner.name }} + app: scanner ports: - port: 5432 protocol: TCP diff --git a/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl b/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl index 0fe59a1f27cfe..15979bf8310a8 100644 --- a/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl +++ b/image/templates/helm/shared/templates/02-scanner-06-deployment.yaml.htpl 
@@ -5,30 +5,30 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ ._rox.scanner.name }} + name: scanner namespace: {{ .Release.Namespace }} labels: - app: {{ ._rox.scanner.name }} - {{- include "srox.labels" (list . "deployment" ._rox.scanner.name) | nindent 4 }} + app: scanner + {{- include "srox.labels" (list . "deployment" "scanner") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "deployment" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.annotations" (list . "deployment" "scanner") | nindent 4 }} spec: replicas: {{ ._rox.scanner.replicas }} minReadySeconds: 15 selector: matchLabels: - app: {{ ._rox.scanner.name }} + app: scanner strategy: type: Recreate template: metadata: namespace: {{ .Release.Namespace }} labels: - app: {{ ._rox.scanner.name }} - {{- include "srox.podLabels" (list . "deployment" ._rox.scanner.name) | nindent 8 }} + app: scanner + {{- include "srox.podLabels" (list . "deployment" "scanner") | nindent 8 }} annotations: traffic.sidecar.istio.io/excludeInboundPorts: "8080,8443" - {{- include "srox.podAnnotations" (list . "deployment" ._rox.scanner.name) | nindent 8 }} + {{- include "srox.podAnnotations" (list . "deployment" "scanner") | nindent 8 }} spec: {{- if ._rox.scanner._nodeSelector }} nodeSelector: @@ -45,7 +45,7 @@ spec: podAffinityTerm: labelSelector: matchLabels: - app: {{ ._rox.scanner.name }} + app: scanner topologyKey: kubernetes.io/hostname {{- if ._rox.env.openshift }} nodeAffinity: @@ -96,7 +96,7 @@ spec: - name: ROX_OPENSHIFT_API value: "true" {{- end}} - {{- include "srox.envVars" (list . "deployment" ._rox.scanner.name ._rox.scanner.name) | nindent 8 }} + {{- include "srox.envVars" (list . "deployment" "scanner" "scanner") | nindent 8 }} resources: {{- ._rox.scanner._resources | nindent 10 }} command: 
@@ -141,7 +141,7 @@ spec: - name: scanner-db-password mountPath: /run/secrets/stackrox.io/secrets {{- include "srox.injectedCABundleVolumeMount" . | nindent 8 }} - serviceAccountName: {{ ._rox.scanner.name }} + serviceAccountName: scanner volumes: - name: additional-ca-volume secret: @@ -154,10 +154,10 @@ spec: name: scanner-etc-pki-volume - name: scanner-config-volume configMap: - name: {{ ._rox.scanner.name }}-config + name: scanner-config - name: scanner-tls-volume secret: - secretName: {{ ._rox.scanner.name }}-tls + secretName: scanner-tls - name: vuln-temp-db emptyDir: {} - name: proxy-config-volume 
@@ -166,37 +166,37 @@ spec: optional: true - name: scanner-db-password secret: - secretName: {{ ._rox.scanner.name }}-db-password + secretName: scanner-db-password {{- include "srox.injectedCABundleVolume" . | nindent 6 }} --- apiVersion: apps/v1 kind: Deployment metadata: - name: {{ ._rox.scanner.name }}-db + name: scanner-db namespace: {{ .Release.Namespace }} labels: - app: {{ ._rox.scanner.name }}-db - {{- include "srox.labels" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 4 }} + app: scanner-db + {{- include "srox.labels" (list . "deployment" "scanner-db") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 4 }} + {{- include "srox.annotations" (list . "deployment" "scanner-db") | nindent 4 }} spec: replicas: 1 minReadySeconds: 15 selector: matchLabels: - app: {{ ._rox.scanner.name }}-db + app: scanner-db strategy: type: Recreate template: metadata: namespace: {{ .Release.Namespace }} labels: - app: {{ ._rox.scanner.name }}-db - {{- include "srox.podLabels" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 8 }} + app: scanner-db + {{- include "srox.podLabels" (list . "deployment" "scanner-db") | nindent 8 }} annotations: traffic.sidecar.istio.io/excludeInboundPorts: "5432" - {{- include "srox.podAnnotations" (list . "deployment" (print ._rox.scanner.name "-db")) | nindent 8 }} + {{- include "srox.podAnnotations" (list . "deployment" "scanner-db") | nindent 8 }} spec: {{- if ._rox.scanner._dbNodeSelector }} nodeSelector: @@ -281,7 +281,7 @@ spec: resources: {{- ._rox.scanner._dbResources | nindent 10 }} env: - {{- include "srox.envVars" (list . "deployment" (print ._rox.scanner.name "-db") "db") | nindent 10 }} + {{- include "srox.envVars" (list . "deployment" "scanner-db" "db") | nindent 10 }} securityContext: runAsUser: 70 runAsGroup: 70 
@@ -292,19 +292,19 @@ spec: mountPath: /run/secrets/stackrox.io/certs - name: scanner-db-password mountPath: /run/secrets/stackrox.io/secrets - serviceAccountName: {{ ._rox.scanner.name }} + serviceAccountName: scanner securityContext: fsGroup: 70 volumes: - name: scanner-config-volume configMap: - name: {{ ._rox.scanner.name }}-config + name: scanner-config - name: scanner-tls-volume secret: - secretName: {{ ._rox.scanner.name }}-tls + secretName: scanner-tls - name: scanner-db-tls-volume secret: - secretName: {{ ._rox.scanner.name }}-db-tls + secretName: scanner-db-tls defaultMode: 0640 items: - key: cert.pem @@ -317,6 +317,6 @@ spec: emptyDir: {} - name: scanner-db-password secret: - secretName: {{ ._rox.scanner.name }}-db-password + secretName: scanner-db-password {{ end -}} diff --git a/image/templates/helm/shared/templates/02-scanner-07-service.yaml b/image/templates/helm/shared/templates/02-scanner-07-service.yaml index 55b5bf25250d4..6c6ad04bcdc63 100644 --- a/image/templates/helm/shared/templates/02-scanner-07-service.yaml +++ b/image/templates/helm/shared/templates/02-scanner-07-service.yaml @@ -5,12 +5,12 @@ apiVersion: v1 kind: Service metadata: - name: {{ ._rox.scanner.name }} + name: scanner namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "service" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.labels" (list . "service" "scanner") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "service" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.annotations" (list . "service" "scanner") | nindent 4 }} spec: ports: - name: https-scanner @@ -20,7 +20,7 @@ spec: port: 8443 targetPort: 8443 selector: - app: {{ ._rox.scanner.name }} + app: scanner type: ClusterIP --- 
@@ -28,19 +28,19 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ ._rox.scanner.name }}-db + name: scanner-db namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "service" (print ._rox.scanner.name "-db")) | nindent 4 }} + {{- include "srox.labels" (list . "service" "scanner-db") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "service" (print ._rox.scanner.name "-db")) | nindent 4 }} + {{- include "srox.annotations" (list . "service" "scanner-db") | nindent 4 }} spec: ports: - name: tcp-db port: 5432 targetPort: 5432 selector: - app: {{ ._rox.scanner.name }}-db + app: scanner-db type: ClusterIP {{ if ._rox.env.istio }} @@ -49,15 +49,15 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: - name: {{ ._rox.scanner.name }}-internal-no-istio-mtls + name: scanner-internal-no-istio-mtls namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "destinationrule" (print ._rox.scanner.name "-internal-no-istio-mtls")) | nindent 4 }} + {{- include "srox.labels" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} annotations: stackrox.io/description: "Disable Istio mTLS for ports 8080 and 8443, since StackRox services use built-in mTLS." - {{- include "srox.annotations" (list . "destinationrule" (print ._rox.scanner.name "-internal-no-istio-mtls")) | nindent 4 }} + {{- include "srox.annotations" (list . "destinationrule" "scanner-internal-no-istio-mtls") | nindent 4 }} spec: - host: {{ ._rox.scanner.name }}.{{ .Release.Namespace }}.svc.cluster.local + host: scanner.{{ .Release.Namespace }}.svc.cluster.local trafficPolicy: portLevelSettings: - port: 
@@ -74,15 +74,15 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: - name: {{ ._rox.scanner.name }}-db-internal-no-istio-mtls + name: scanner-db-internal-no-istio-mtls namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "destinationrule" (print ._rox.scanner.name "-db-internal-no-istio-mtls")) | nindent 4 }} + {{- include "srox.labels" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} annotations: stackrox.io/description: "Disable Istio mTLS for port 5432, since StackRox services use built-in mTLS." - {{- include "srox.annotations" (list . "destinationrule" (print ._rox.scanner.name "-db-internal-no-istio-mtls")) | nindent 4 }} + {{- include "srox.annotations" (list . "destinationrule" "scanner-db-internal-no-istio-mtls") | nindent 4 }} spec: - host: {{ ._rox.scanner.name }}-db.{{ .Release.Namespace }}.svc.cluster.local + host: scanner-db.{{ .Release.Namespace }}.svc.cluster.local trafficPolicy: portLevelSettings: - port: diff --git a/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml b/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml index 148d6ac46e061..c7af476a189f9 100644 --- a/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml +++ b/image/templates/helm/shared/templates/02-scanner-08-hpa.yaml 
@@ -6,19 +6,19 @@ apiVersion: autoscaling/v1 kind: HorizontalPodAutoscaler metadata: - name: {{ ._rox.scanner.name }} + name: scanner namespace: {{ .Release.Namespace }} labels: - {{- include "srox.labels" (list . "horizontalpodautoscaler" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.labels" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} annotations: - {{- include "srox.annotations" (list . "horizontalpodautoscaler" ._rox.scanner.name) | nindent 4 }} + {{- include "srox.annotations" (list . "horizontalpodautoscaler" "scanner") | nindent 4 }} spec: minReplicas: {{ ._rox.scanner.autoscaling.minReplicas }} maxReplicas: {{ ._rox.scanner.autoscaling.maxReplicas }} scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ ._rox.scanner.name }} + name: scanner targetCPUUtilizationPercentage: 150 {{ end -}} diff --git a/image/templates/helm/shared/templates/_scanner_init.tpl.htpl b/image/templates/helm/shared/templates/_scanner_init.tpl.htpl index 025298c2698b4..24db504268348 100644 --- a/image/templates/helm/shared/templates/_scanner_init.tpl.htpl +++ b/image/templates/helm/shared/templates/_scanner_init.tpl.htpl @@ -24,8 +24,6 @@ [< end >] {{ if or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full") }} - {{ $_ := set $scannerCfg "name" "scanner" }} - {{ include "srox.configureImage" (list $ $scannerCfg.image) }} {{ include "srox.configureImage" (list $ $scannerCfg.dbImage) }} @@ -38,8 +36,6 @@ [< if not .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING >] {{ include "srox.fail" "Scanner's slim mode currently not supported" }} [< end >] - {{ $_ := set $scannerCfg "name" "scanner-slim" }} - {{ include "srox.configureImage" (list $ $scannerCfg.slimImage) }} {{ include "srox.configureImage" (list $ $scannerCfg.slimDBImage) }} {{ else }} diff --git a/pkg/env/sensor.go b/pkg/env/sensor.go index 9fc7d56e645a5..f9e80de4dafc6 100644 --- a/pkg/env/sensor.go +++ b/pkg/env/sensor.go 
@@ -14,7 +14,7 @@ var (
 // ScannerGRPCEndpoint is used to communicate the scanner endpoint to other services in the same cluster.
 // This is typically used for Sensor to communicate with a local Scanner-slim's gRPC server. 
- ScannerGRPCEndpoint = RegisterSetting("ROX_SCANNER_GRPC_ENDPOINT", WithDefault("scanner-slim.stackrox.svc:8443")) 
+ ScannerGRPCEndpoint = RegisterSetting("ROX_SCANNER_GRPC_ENDPOINT", WithDefault("scanner.stackrox.svc:8443"))
 // UseLocalScanner is used to specify if Sensor should attempt to scan images via a local Scanner.
 UseLocalScanner = RegisterBooleanSetting("ROX_USE_LOCAL_SCANNER", false) 
diff --git a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml 
index d681db51e2905..a5ff94bdca6f0 100644 
--- a/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml 
+++ b/pkg/helm/charts/tests/securedclusterservices/testdata/scanner-slim/scanner-slim.test.yaml 
@@ -8,13 +8,9 @@ tests:
 set:
 scanner.disable: false
 expect: | 
- container(.deployments["scanner-slim"]; "scanner").image | contains("slim") 
- container(.deployments["scanner-slim-db"]; "db").image | contains("slim") 
- .deployments["scanner"] | assertThat(. == null) 
- .deployments["scanner-db"] | assertThat(. == null) 
- .secrets["scanner-slim-tls"] | assertThat(. == null) 
- .secrets["scanner-slim-db-tls"] | assertThat(. == null) 
- .securitycontextconstraints | keys | sort | assertThat(. == ["stackrox-admission-control", "stackrox-collector", "stackrox-scanner-slim", "stackrox-sensor"]) 
+ container(.deployments["scanner"]; "scanner").image | contains("slim") 
+ container(.deployments["scanner-db"]; "db").image | contains("slim") 
+ .securitycontextconstraints | keys | sort | assertThat(. == ["stackrox-admission-control", "stackrox-collector", "stackrox-scanner", "stackrox-sensor"])
 tests:
 - name: "on openshift 4"
 - name: "on openshift 3" 
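Review bot: The comment on the context line directly above the changed default still describes the endpoint as a local `Scanner-slim` gRPC server, while the new default `scanner.stackrox.svc:8443` uses the same Service name that `02-scanner-07-service.yaml` in this patch renders for the full scanner; the comment should follow the rename, e.g. `// This is typically used for Sensor to communicate with a local Scanner's gRPC server.`. The namespace `stackrox` remains hard-coded in the default, which is pre-existing, but after the rename an unset `ROX_SCANNER_GRPC_ENDPOINT` in a cluster where Central also lives in `stackrox` would presumably resolve to the full scanner rather than Sensor's local one, which is worth a sentence in the same comment. The enclosing `var (` block starts and ends outside the hunk.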
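Review bot: The removed `expect` lines asserted that slim mode renders no `scanner-slim-tls`/`scanner-slim-db-tls` Secrets, but the three added lines carry over only the image and SCC assertions, so the chart is no longer checked for accidentally rendering the TLS Secrets that, per `service_certificates_repository.go` in this patch, Sensor creates at runtime under the new names. Add `.secrets["scanner-tls"] | assertThat(. == null)` and `.secrets["scanner-db-tls"] | assertThat(. == null)` to the `expect` block; the central-services templates in this patch render exactly these names with `helm.sh/resource-policy: keep`, so a shared-template change that leaks them into the secured-cluster chart would otherwise go unnoticed. The dropped `.deployments["scanner"] | assertThat(. == null)` checks cannot be restored by name after the rename; the `contains("slim")` image assertions presumably now stand in for them.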
@@ -24,8 +20,8 @@ tests: - name: "scanner is disabled should not be installed by default" expect: | - .deployments["scanner-slim"] | assertThat(. == null) - .deployments["scanner-db-slim"] | assertThat(. == null) + .deployments["scanner"] | assertThat(. == null) + .deployments["scanner-db"] | assertThat(. == null) - name: "scanner is enabled on non-openshift cluster should fail" set: @@ -39,8 +35,8 @@ tests: set: scanner.disable: false expect: | - container(.deployments["scanner-slim"]; "scanner") | assertThat(.image == "custom.io/custom-scanner:1.2.3") - container(.deployments["scanner-slim-db"]; "db") | assertThat(.image == "custom.io/custom-scanner-db:1.2.3") + container(.deployments["scanner"]; "scanner") | assertThat(.image == "custom.io/custom-scanner:1.2.3") + container(.deployments["scanner-db"]; "db") | assertThat(.image == "custom.io/custom-scanner-db:1.2.3") tests: - name: "with fullref" values: 
@@ -66,25 +62,25 @@ tests: scanner.disable: false scanner.mode: "slim" expect: | - .networkpolicys["scanner-slim"].spec.ingress | assertThat(length == 2) - .networkpolicys["scanner-slim"].spec.ingress[1] | .from[0].podSelector.matchLabels.app | assertThat(. == "sensor") + .networkpolicys["scanner"].spec.ingress | assertThat(length == 2) + .networkpolicys["scanner"].spec.ingress[1] | .from[0].podSelector.matchLabels.app | assertThat(. == "sensor") - name: "scanner slim service account can access image pull secrets" set: scanner.disable: false scanner.mode: "slim" expect: | - .serviceaccounts["scanner-slim"] | assertThat(. != null) - .serviceaccounts["scanner-slim"] | .imagePullSecrets[] | select(.name == "secured-cluster-services-main") - .serviceaccounts["scanner-slim"] | .imagePullSecrets[] | select(.name == "stackrox") - .serviceaccounts["scanner-slim"] | .imagePullSecrets[] | select(.name == "stackrox-scanner") + .serviceaccounts["scanner"] | assertThat(. != null) + .serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "secured-cluster-services-main") + .serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "stackrox") + .serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "stackrox-scanner") tests: - name: "when authenticating in image registry with user and password" set: imagePullSecrets.username: "imagePullUser" imagePullSecrets.password: "imagePullPassword" expect: | - .serviceaccounts["scanner-slim"] | .imagePullSecrets | assertThat(length == 3) + .serviceaccounts["scanner"] | .imagePullSecrets | assertThat(length == 3) .secrets["secured-cluster-services-main"] | assertThat(. != null) - name: "no secret is created" expect: .secrets["secured-cluster-services-main"] | assertThat(. == null) 
@@ -92,11 +88,11 @@ tests:
 - name: "when allowNone is true"
 set:
 imagePullSecrets.allowNone: true
- expect: .serviceaccounts["scanner-slim"] | .imagePullSecrets | assertThat(length == 3)
+ expect: .serviceaccounts["scanner"] | .imagePullSecrets | assertThat(length == 3)
 - name: "when using existing secrets"
 set:
 imagePullSecrets.useExisting: "existing-secret1; existing-secret2"
 expect: |
- .serviceaccounts["scanner-slim"] | .imagePullSecrets | assertThat(length == 5)
- .serviceaccounts["scanner-slim"] | .imagePullSecrets[] | select(.name == "existing-secret1")
- .serviceaccounts["scanner-slim"] | .imagePullSecrets[] | select(.name == "existing-secret2")
+ .serviceaccounts["scanner"] | .imagePullSecrets | assertThat(length == 5)
+ .serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "existing-secret1")
+ .serviceaccounts["scanner"] | .imagePullSecrets[] | select(.name == "existing-secret2")
diff --git a/sensor/kubernetes/localscanner/service_certificates_repository.go b/sensor/kubernetes/localscanner/service_certificates_repository.go
index b369236ba532d..d56bfe465d18d 100644
--- a/sensor/kubernetes/localscanner/service_certificates_repository.go
+++ b/sensor/kubernetes/localscanner/service_certificates_repository.go
@@ -58,13 +58,13 @@ func newServiceCertificatesRepo(ownerReference metav1.OwnerReference, namespace
 return &serviceCertificatesRepoSecretsImpl{
 secrets: map[storage.ServiceType]serviceCertSecretSpec{
 storage.ServiceType_SCANNER_SERVICE: {
- secretName: "scanner-slim-tls",
+ secretName: "scanner-tls",
 caCertFileName: mtls.CACertFileName,
 serviceCertFileName: mtls.ServiceCertFileName,
 serviceKeyFileName: mtls.ServiceKeyFileName,
 },
 storage.ServiceType_SCANNER_DB_SERVICE: {
- secretName: "scanner-db-slim-tls",
+ secretName: "scanner-db-tls",
 caCertFileName: mtls.CACertFileName,
 serviceCertFileName: mtls.ServiceCertFileName,
 serviceKeyFileName: mtls.ServiceKeyFileName,
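Review bot: `scanner-tls` and `scanner-db-tls` are bare string literals in `newServiceCertificatesRepo`, and the same literals are repeated in `tls_issuer_test.go` and, judging by the Helm test file in this series, in the chart templates; a rename that has to be made by hand in several places is exactly how the stray `scanner-db-slim-tls` that a later patch in this series cleans up slipped in. Hoist them into package-level constants, `const scannerTLSSecretName = "scanner-tls"` and `const scannerDBTLSSecretName = "scanner-db-tls"`, and reference those from the repo and its tests so the Go side can only diverge from the templates in one place. `newServiceCertificatesRepo` starts before the hunk and its body continues past it.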
diff --git a/sensor/kubernetes/localscanner/tls_issuer_test.go b/sensor/kubernetes/localscanner/tls_issuer_test.go
index 7dd018af8f236..2c7c1eec74427 100644
--- a/sensor/kubernetes/localscanner/tls_issuer_test.go
+++ b/sensor/kubernetes/localscanner/tls_issuer_test.go
@@ -253,17 +253,17 @@ func (s *localScannerTLSIssueIntegrationTests) TestSuccessfulRefresh() {
 "no secrets": {k8sClientConfig: fakeK8sClientConfig{}},
 "corrupted data in scanner secret": {
 k8sClientConfig: fakeK8sClientConfig{
- secretsData: map[string]map[string][]byte{"scanner-slim-tls": nil},
+ secretsData: map[string]map[string][]byte{"scanner-tls": nil},
 },
 },
 "corrupted data in scanner DB secret": {
 k8sClientConfig: fakeK8sClientConfig{
- secretsData: map[string]map[string][]byte{"scanner-db-slim-tls": nil},
+ secretsData: map[string]map[string][]byte{"scanner-db-tls": nil},
 },
 },
 "corrupted data in all local scanner secrets": {
 k8sClientConfig: fakeK8sClientConfig{
- secretsData: map[string]map[string][]byte{"scanner-slim-tls": nil, "scanner-db-slim-tls": nil},
+ secretsData: map[string]map[string][]byte{"scanner-tls": nil, "scanner-db-tls": nil},
 },
 },
 "refresh failure and retries": {k8sClientConfig: fakeK8sClientConfig{}, numFailedResponses: 2},
@@ -310,13 +310,13 @@ func (s *localScannerTLSIssueIntegrationTests) TestSuccessfulRefresh() {
 for _, secret := range secrets.Items {
 var expectedCert *mtls.IssuedCert
 switch secretName := secret.GetName(); secretName {
- case "scanner-slim-tls":
+ case "scanner-tls":
 expectedCert = scannerCert
- case "scanner-db-slim-tls":
+ case "scanner-db-tls":
 expectedCert = scannerDBCert
 default:
 s.Require().Failf("expected secret name should be either %q or %q, found %q instead",
- "scanner-slim-tls", "scanner-db-slim-tls", secretName)
+ "scanner-tls", "scanner-db-tls", secretName)
 }
 s.Equal(ca.CertPEM(), secret.Data[mtls.CACertFileName])
 s.Equal(expectedCert.CertPEM, secret.Data[mtls.ServiceCertFileName])
@@ -330,9 +330,9 @@ func (s *localScannerTLSIssueIntegrationTests) TestUnexpectedOwnerStop() {
 testCases := map[string]struct {
 secretNames []string
 }{
- "wrong owner for scanner secret": {secretNames: []string{"scanner-slim-tls"}},
- "wrong owner for scanner db secret": {secretNames: []string{"scanner-db-slim-tls"}},
- "wrong owner for scanner and scanner db secrets": {secretNames: []string{"scanner-slim-tls", "scanner-db-slim-tls"}},
+ "wrong owner for scanner secret": {secretNames: []string{"scanner-tls"}},
+ "wrong owner for scanner db secret": {secretNames: []string{"scanner-db-tls"}},
+ "wrong owner for scanner and scanner db secrets": {secretNames: []string{"scanner-tls", "scanner-db-slim-tls"}},
 }
 for tcName, tc := range testCases {
 s.Run(tcName, func() {
From 5110fc63d6375a29a0a459b1cb2e4bf1211b110f Mon Sep 17 00:00:00 2001
From: Simon Baeumer
Date: Fri, 4 Mar 2022 14:02:21 +0100
Subject: [PATCH 3/5] Disable support to deploy scanner within the same ns as central
---
.../stackrox-secured-cluster/templates/_init.tpl.htpl | 8 ++++++++
.../stackrox-secured-cluster/values-scanner.yaml.example | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl b/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
index add54043dad21..781d658761a18 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
@@ -278,6 +278,14 @@
 {{ $_ := set $._rox.scanner "disable" true }}
 {{ end }}
+{{ if eq ._rox.scanner.disable false}}
+ {{ $centralDeployment := dict }}
+ {{ include "srox.safeLookup" (list $ $centralDeployment "apps/v1" "Deployment" $._rox.namespace "central") }}
+ {{ if $centralDeployment.result }}
+ {{ include "srox.fail" "Local scanner is not supported to be deployed within a namespace running Central, Scanner must be deployed with the Central chart. To fix this error set scanner.disable=true and re-deploy." }}
+ {{ end }}
+{{ end }}
+
 {{ if and ._rox.env.openshift (eq ._rox.scanner.disable false) }}
 {{ $_ = set $._rox.scanner "slimImage" ._rox.image.scanner }}
 {{ $_ = set $._rox.scanner "slimDBImage" ._rox.image.scannerDb }}
diff --git a/image/templates/helm/stackrox-secured-cluster/values-scanner.yaml.example b/image/templates/helm/stackrox-secured-cluster/values-scanner.yaml.example
index 47acdee965905..c422153e7d83d 100644
--- a/image/templates/helm/stackrox-secured-cluster/values-scanner.yaml.example
+++ b/image/templates/helm/stackrox-secured-cluster/values-scanner.yaml.example
@@ -5,6 +5,10 @@
 # # When installing the Secured Cluster chart, a slim scanner mode is deployed with reduced image caching.
 # # To run the scanner in the secured cluster, you must connect the Scanner to Sensor.
 #
+# # WARNING:
+# # If deployed in the same namespace with Central it is only supported to install Scanner as part of Central's installation.
+# # Sensor will use the existing Scanner to scan for local images.
+#
 # # Image configuration for scanner:
 # # For a complete example, see the `values-public.yaml.example` file.
 # image:
From 07646583c44335ec91e91172514f3901bee16da5 Mon Sep 17 00:00:00 2001
From: Simon Baeumer
Date: Fri, 4 Mar 2022 14:06:27 +0100
Subject: [PATCH 4/5] fix it
---
.../helm/stackrox-secured-cluster/templates/_init.tpl.htpl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
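Review bot: The WARNING added to `values-scanner.yaml.example` reads as a support statement, while the companion change to `_init.tpl.htpl` in the same patch turns it into a hard install failure through `srox.fail`; the example should tell users what will happen and which value to set, since this file is where they look when the install aborts. Suggested wording: `# # WARNING: installing this chart with scanner.disable=false into a namespace that already runs Central fails,` `# # because Central's chart ships its own Scanner under the same resource names; keep scanner.disable=true there` `# # and Sensor will use that Scanner for local image scans.`. It is also worth saying in the example that the check is made against the live cluster at install time, so a rendered-offline manifest is not protected by it.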
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl b/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
index 781d658761a18..858fa782ad64d 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
@@ -278,9 +278,9 @@
 {{ $_ := set $._rox.scanner "disable" true }}
 {{ end }}
-{{ if eq ._rox.scanner.disable false}}
+{{ if eq ._rox.scanner.disable false }}
 {{ $centralDeployment := dict }}
- {{ include "srox.safeLookup" (list $ $centralDeployment "apps/v1" "Deployment" $._rox.namespace "central") }}
+ {{ include "srox.safeLookup" (list $ $centralDeployment "apps/v1" "Deployment" $.Release.Namespace "central") }}
 {{ if $centralDeployment.result }}
 {{ include "srox.fail" "Local scanner is not supported to be deployed within a namespace running Central, Scanner must be deployed with the Central chart. To fix this error set scanner.disable=true and re-deploy." }}
 {{ end }}
From c3f5e3a64eee3caaef0cb1653651c1613d2a6ea3 Mon Sep 17 00:00:00 2001
From: Simon Baeumer
Date: Mon, 7 Mar 2022 09:30:03 +0100
Subject: [PATCH 5/5] fix cr
---
sensor/kubernetes/localscanner/tls_issuer_test.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sensor/kubernetes/localscanner/tls_issuer_test.go b/sensor/kubernetes/localscanner/tls_issuer_test.go
index 2c7c1eec74427..2254ca45f5001 100644
--- a/sensor/kubernetes/localscanner/tls_issuer_test.go
+++ b/sensor/kubernetes/localscanner/tls_issuer_test.go
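Review bot: The guard in `_init.tpl.htpl` that fails the install when a `central` Deployment exists in `$.Release.Namespace` depends on a cluster lookup, and if `srox.safeLookup` wraps Helm's `lookup` (as its name suggests) that lookup yields nothing under `helm template` and `--dry-run`, so manifests rendered offline and applied into Central's namespace pass this check and the local scanner then overwrites Central's `scanner`, `scanner-db` and `scanner-tls` resources, which share names once this series drops the `-slim` suffix. The check also keys on a Deployment literally named `central`, so a Central running under any other workload name or kind would not be detected. Both limits belong in a template comment next to the `if` so the next maintainer does not take the guard for a complete safety net: `{{/* Refuse to co-locate the local scanner with Central, whose chart ships a scanner using the same resource names. Relies on a live-cluster lookup and is skipped under helm template / --dry-run. */}}`. The enclosing named template starts and ends outside the hunk.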
@@ -332,7 +332,7 @@ func (s *localScannerTLSIssueIntegrationTests) TestUnexpectedOwnerStop() {
 }{
 "wrong owner for scanner secret": {secretNames: []string{"scanner-tls"}},
 "wrong owner for scanner db secret": {secretNames: []string{"scanner-db-tls"}},
- "wrong owner for scanner and scanner db secrets": {secretNames: []string{"scanner-tls", "scanner-db-slim-tls"}},
+ "wrong owner for scanner and scanner db secrets": {secretNames: []string{"scanner-tls", "scanner-db-tls"}},
 }
 for tcName, tc := range testCases {
 s.Run(tcName, func() {