From 5ac46323cd2359fbbb2a8d6f9cf28e3964a93f93 Mon Sep 17 00:00:00 2001 From: Marat Salakhutdinov Date: Thu, 11 Jan 2024 16:04:37 -0500 Subject: [PATCH] enable falcobaseline for agent version 12.9.x and above --- charts/agent/Chart.yaml | 2 +- charts/agent/templates/_helpers.tpl | 6 ++ charts/agent/tests/drift_prevention_test.yaml | 28 ------- charts/agent/tests/secure_enable_test.yaml | 30 ------- .../agent/tests/secure_light_config_test.yaml | 81 +++++++++++++++++++ 5 files changed, 88 insertions(+), 59 deletions(-) create mode 100644 charts/agent/tests/secure_light_config_test.yaml diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml index bc780ff6a..971a2a6cf 100644 --- a/charts/agent/Chart.yaml +++ b/charts/agent/Chart.yaml @@ -30,4 +30,4 @@ sources: - https://app.sysdigcloud.com/#/settings/user - https://github.com/draios/sysdig type: application -version: 1.19.0 +version: 1.19.1 diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl index 25afc5a77..fc299efdb 100644 --- a/charts/agent/templates/_helpers.tpl +++ b/charts/agent/templates/_helpers.tpl @@ -411,6 +411,12 @@ agent config to prevent a backend push from enabling them after installation. "secure_audit_streams") }} {{- $_ := set $secureConfig $secureFeature (dict "enabled" false) }} {{- end }} + {{ else if and $secureLightMode (semverCompare ">= 12.19.x" .Values.image.tag) }} + {{- range $secureFeature := (list + "memdump" + "network_topology") }} + {{- $_ := set $secureConfig $secureFeature (dict "enabled" false) }} + {{- end }} {{ else if $secureLightMode }} {{- range $secureFeature := (list "drift_control" diff --git a/charts/agent/tests/drift_prevention_test.yaml b/charts/agent/tests/drift_prevention_test.yaml index 059a10a65..1ab412f92 100644 --- a/charts/agent/tests/drift_prevention_test.yaml +++ b/charts/agent/tests/drift_prevention_test.yaml 
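Review bot: The new `else if` branch in `_helpers.tpl` passes `.Values.image.tag` straight to `semverCompare`, and nothing in the hunk guards against a tag that is not a semantic version (a custom or mirrored tag, for instance). `semverCompare` errors on input it cannot parse, so rendering would presumably fail for such installs unless the tag is validated elsewhere in the chart. A constraint of `>= 12.19.x` also does not match pre-release tags by default, so a 12.19 pre-release build would fall through to the older `else if $secureLightMode` branch; the subject line says 12.9.x while the constraint is 12.19.x. Because this branch no longer pins `drift_control`, `drift_killer` and `falcobaseline` to `enabled: false`, a backend push can turn them on for these agents, and a comment above the branch should record that this is intended, e.g. `{{- /* agent >= 12.19 in secure_light: only memdump and network_topology stay pinned off */}}`. The enclosing template definition starts and ends outside the hunk.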
@@ -25,20 +25,6 @@ tests: enabled: false template: templates/configmap.yaml - - it: Drift prevention must be false when is secure_light - set: - sysdig: - settings: - feature: - mode: secure_light - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - drift_killer: - enabled: false - template: templates/configmap.yaml - - it: Drift prevention must be false when is running on GKE Autopilot set: gke: @@ -115,20 +101,6 @@ tests: enabled: false template: templates/configmap.yaml - - it: Drift control must be false when is secure_light - set: - sysdig: - settings: - feature: - mode: secure_light - asserts: - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - drift_control: - enabled: false - template: templates/configmap.yaml - - it: Drift control must be false when is running on GKE Autopilot set: gke: diff --git a/charts/agent/tests/secure_enable_test.yaml b/charts/agent/tests/secure_enable_test.yaml index 22de52726..ff646ada9 100644 --- a/charts/agent/tests/secure_enable_test.yaml +++ b/charts/agent/tests/secure_enable_test.yaml @@ -42,21 +42,6 @@ tests: pattern: |- commandlines_capture: enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - drift_control: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - drift_killer: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - falcobaseline: - enabled: false - matchRegex: path: data['dragent.yaml'] pattern: |- @@ -141,21 +126,6 @@ tests: pattern: |- statsd: enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - drift_control: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - drift_killer: - enabled: false - - matchRegex: - path: data['dragent.yaml'] - pattern: |- - falcobaseline: - enabled: false - matchRegex: path: data['dragent.yaml'] pattern: |- 
diff --git a/charts/agent/tests/secure_light_config_test.yaml b/charts/agent/tests/secure_light_config_test.yaml
new file mode 100644
index 000000000..1d5e52814
--- /dev/null
+++ b/charts/agent/tests/secure_light_config_test.yaml
@@ -0,0 +1,81 @@
+suite: Testing seetings for secure light mode
+templates:
+ - configmap.yaml
+tests:
+ - it: Testing if certain settings set to false for agent version =< 12.18.x
+ set:
+ image:
+ tag: 12.18.1
+ sysdig:
+ accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ settings:
+ feature:
+ mode: secure_light
+ secure:
+ enabled: true
+ asserts:
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ drift_control:
+ enabled: false
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ drift_killer:
+ enabled: false
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ falcobaseline:
+ enabled: false
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ memdump:
+ enabled: false
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ network_topology:
+ enabled: false
+ template: configmap.yaml
+
+ - it: Testing if certain settings set to false for agent version > 12.18.x
+ set:
+ image:
+ tag: 12.19.0
+ sysdig:
+ accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ settings:
+ feature:
+ mode: secure_light
+ secure:
+ enabled: true
+ asserts:
+ - notMatchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ drift_control:
+ enabled: false
+ - notMatchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ drift_killer:
+ enabled: false
+ - notMatchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ falcobaseline:
+ enabled: false
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ memdump:
+ enabled: false
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |-
+ network_topology:
+ enabled: false
+ template: configmap.yaml
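Review bot: The second case relies on `notMatchRegex` for `drift_control`, `drift_killer` and `falcobaseline`, which passes whenever that exact two-line text is absent, including when the key is rendered with different spacing or the block is missing for an unrelated reason. It therefore does not show what the 12.19.0 config actually contains for those keys. Both cases use plain release tags on either side of the boundary, so a pre-release tag or a tag that is not a semantic version is not exercised. The suite name has a typo: `suite: Testing seetings for secure light mode` should read `settings`, and the first case title's `=<` would read better as `<=`.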