feat(cluster-scanner): removed support for multi-cluster (#1700)
michele-mangili authored Apr 17, 2024
1 parent 7d47426 commit ae11676
Showing 11 changed files with 14 additions and 158 deletions.
2 changes: 1 addition & 1 deletion charts/cluster-scanner/Chart.yaml
@@ -3,7 +3,7 @@ name: cluster-scanner
description: Sysdig Cluster Scanner

type: application
version: 0.12.4
version: 0.13.0
appVersion: "0.1.0"
home: https://www.sysdig.com/

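Review bot: the bump from 0.12.4 to 0.13.0 is the only signal in this hunk that a documented configuration (`scannerMode: "multi"` together with `runtimeStatusIntegrator.multiCluster.kubeconfigSecretName`) has been removed, and nothing in the chart metadata or the README changes in this commit tells an operator what to do with an existing values file. Since the behaviour of an upgraded `multi` installation changes (it is rendered as a local-mode scanner with the broader ClusterRole from clusterrole.yaml), add an upgrade note alongside the version bump stating that `scannerMode` and `runtimeStatusIntegrator.multiCluster` must be dropped from values and that the previously referenced kubeconfig secret should be deleted.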
12 changes: 5 additions & 7 deletions charts/cluster-scanner/README.md
@@ -25,7 +25,7 @@ $ pre-commit run -a
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.12.4 \
--create-namespace -n sysdig --version=0.13.0 \
--set global.clusterConfig.name=CLUSTER_NAME \
--set global.sysdig.region=SYSDIG_REGION \
--set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run:

```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.12.4 \
--create-namespace -n sysdig --version=0.13.0 \
--set global.clusterConfig.name=CLUSTER_NAME \
--set global.sysdig.region=SYSDIG_REGION \
--set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -105,14 +105,12 @@ The following table lists the configurable parameters of the `cluster-scanner` c
| eveIntegrationEnabled | Enables the integration with Sysdig Eve. Stores the list of running packages to Sysdig backend. It implies `eveEnabled: true`. | <code>true</code> |
| rootNamespace | The namespace to use to retrieve the cluster UID | <code>"kube-system"</code> |
| replicaCount | | <code>2</code> |
| scannerMode | The scannerMode of the Cluster Scanner. Supported values are `local` or `multi`. Please refer to docs.sysdig.com for further documentation. | <code>"local"</code> |
| sslVerifyCertificate | Optional parameter used to check the compatibility of cluster-scanner component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image tag is < 0.5.0 for both the Runtime Status Integrator and the Image SBOM Extractor. onPremCompatibilityVersion: "6.2" Can be set to false to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. | <code>true</code> |
| sslVerifyRegistryCertificate | Can be set to false to allow insecure connections registries, Such as for registries with self-signed or private certificates. By default, certificates are always verified. | <code>true</code> |
| runtimeStatusIntegrator.image.registry | The image registry to use for the Runtime Status Integrator component of Cluster Scanner | <code>quay.io</code> |
| runtimeStatusIntegrator.image.repository | The image repository to use for pulling the Runtime Status Integrator image | <code>sysdig/runtime-status-integrator</code> |
| runtimeStatusIntegrator.image.tag | | <code>"0.7.2"</code> |
| runtimeStatusIntegrator.multiCluster | When the Cluster Scanner is running in `multi` mode, set the secret name to be used to retrieve the kubeconfig configuration to connect to the clusters to inspect. | <code></code> |
| runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running in `local` mode. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. | <code></code> |
| runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. | <code></code> |
| runtimeStatusIntegrator.ports.metrics | The port to be used to expose prometheus metrics for the Runtime Status Integrator | <code>25000</code> |
| runtimeStatusIntegrator.ports.probes | The port to be used for healthcheck probes for the Runtime Status Integrator | <code>7000</code> |
| runtimeStatusIntegrator.resources.limits.cpu | Runtime Status Integrator CPU limit per replica | <code>"1"</code> |
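Review bot: two documentation problems in this table are worth fixing while it is being edited. The `sslVerifyCertificate` row kept as context has the description of a different parameter pasted in front of its own: everything from "Optional parameter used to check the compatibility ..." through `onPremCompatibilityVersion: "6.2"` belongs to `onPremCompatibilityVersion`, which has no row of its own, and only "Can be set to false to allow insecure connections to the Sysdig backend ..." describes `sslVerifyCertificate`; split it back into two rows. The rewritten `runtimeStatusIntegrator.localCluster` row still reads like the old mode-conditional sentence ("when Cluster Scanner is running"); suggest "Restrict the Docker registry pull secrets the Runtime Status Integrator may read. By default all secrets are listed. See `values.yaml` for an example." Dropping the `scannerMode` and `multiCluster` rows without a note also leaves a reader upgrading from `multi` with no hint that those values are now unsupported.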
@@ -167,7 +165,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `

```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.12.4 \
--create-namespace -n sysdig --version=0.13.0 \
--set global.sysdig.region="us1"
```

@@ -176,7 +174,7 @@ installing the chart. For example:

```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.12.4 \
--create-namespace -n sysdig --version=0.13.0 \
--values values.yaml
```

5 changes: 1 addition & 4 deletions charts/cluster-scanner/templates/_helpers.tpl
@@ -72,11 +72,9 @@ Create the name of the service account to use
Generates configmap data for mode-specific values
*/}}
{{- define "cluster-scanner.modeConfig" -}}
rsi_mode: {{ .Values.scannerMode }}
{{- if eq .Values.scannerMode "local" }}
rsi_mode: "local"
local_registry_secrets: {{ include "cluster-scanner.runtimeStatusIntegrator.localCluster.localSecrets" . }}
{{- end }}
{{- end }}

{{/*
Generates RSI configmap data for JS values.
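Review bot: with the `if eq .Values.scannerMode "local"` guard gone and `rsi_mode` hard-coded to `"local"`, a stale `scannerMode: "multi"` in a user's values file no longer influences rendering at all, so unless values.schema.json now rejects the key the chart silently deploys a local-mode scanner where the user configured a multi-cluster one. Make the removal loud: either reject the key in the schema (`additionalProperties: false`, or an explicit `not`/`required`-style rule for `scannerMode`) or fail in this helper, e.g. `{{- if hasKey .Values "scannerMode" }}{{ fail "scannerMode was removed in 0.13.0" }}{{- end }}`, and cover it with a unit test.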
@@ -180,7 +178,6 @@ ise_cache_local_ttl: {{ .ttl }}

{{- define "cluster-scanner.configContent" }}
{{ .Values.global }}
{{ .Values.runtimeStatusIntegrator.multiCluster }}
{{ .Values.runtimeStatusIntegrator.localCluster }}
{{ .Values.runtimeStatusIntegrator.natsJS }}
{{ .Values.imageSbomExtractor.cache }}
2 changes: 0 additions & 2 deletions charts/cluster-scanner/templates/clusterrole.yaml
@@ -5,7 +5,6 @@ metadata:
rules:
- apiGroups: ["", "apps", "batch", "extensions"]
resources:
{{- if ne .Values.scannerMode "multi" }}
- "deployments"
- "replicasets"
- "daemonsets"
@@ -14,7 +13,6 @@ rules:
- "cronjobs"
- "jobs"
- "nodes"
{{- end }}
- "namespaces"
- "secrets"
verbs: ["get", "list", "watch"]
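Review bot: removing the `multi` branch makes the workload read grants unconditional, but the security-relevant line of this rule is unchanged: `- "secrets"` with `verbs: ["get", "list", "watch"]` in a ClusterRole is read access to every Secret in every namespace. `runtimeStatusIntegrator.localCluster.rbac.allowedPullSecrets` sits under an `rbac` key and the README says it restricts access to specific Docker secrets, yet nothing in this diff turns it into RBAC; it is emitted as `local_registry_secrets` in the config map and read by the pod as `LOCAL_REGISTRY_SECRETS`. If it is meant as an RBAC restriction, this is where it should materialise (namespaced Roles/RoleBindings for the listed namespaces and secret names, with `secrets` dropped from the ClusterRole); if it is only an application-side filter, the README row should say so. Minor: `secrets`, `namespaces` and `nodes` exist only in the core API group, so listing them under `apps`/`batch`/`extensions` is harmless noise that could be split into a separate rule.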
9 changes: 0 additions & 9 deletions charts/cluster-scanner/templates/deployment.yaml
@@ -169,13 +169,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if eq .Values.scannerMode "multi" }}
- name: SYSDIG_KUBECONFIG_CONTENT
valueFrom:
secretKeyRef:
name: {{ .Values.runtimeStatusIntegrator.multiCluster.kubeconfigSecretName }}
key: .kubeconfig
{{- end }}
- name: SYSDIG_API_URL
valueFrom:
configMapKeyRef:
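Review bot: dropping `SYSDIG_KUBECONFIG_CONTENT` stops the pod from consuming the kubeconfig secret, but the Secret that `runtimeStatusIntegrator.multiCluster.kubeconfigSecretName` pointed at was provided by the operator, not rendered by the chart, so `helm upgrade` leaves it in the namespace holding credentials for the other clusters. The upgrade note for 0.13.0 should tell operators to delete that Secret (and rotate the credentials in it if the clusters it reached are still sensitive) once the new pod is running, and a `fail` when `.Values.runtimeStatusIntegrator.multiCluster` is still set would make the leftover reference visible at upgrade time instead of being ignored.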
@@ -211,14 +204,12 @@ spec:
name: {{ include "cluster-scanner.fullname" . }}
key: rsi_pprof_enabled
optional: true
{{- if eq .Values.scannerMode "local" }}
- name: LOCAL_REGISTRY_SECRETS
valueFrom:
configMapKeyRef:
name: {{ include "cluster-scanner.fullname" . }}
key: local_registry_secrets
optional: true
{{- end }}
- name: EVE_ENABLED
valueFrom:
configMapKeyRef:
17 changes: 1 addition & 16 deletions charts/cluster-scanner/tests/clusterrole_test.yaml
@@ -8,7 +8,7 @@ release:
namespace: test-ns

tests:
- it: "generates correct ClusterRole in local mode"
- it: "generates correct ClusterRole"
asserts:
- equal:
path: metadata.name
@@ -29,18 +29,3 @@ tests:
- "namespaces"
- "secrets"
verbs: ["get", "list", "watch"]
- it: "generates correct ClusterRole in multi mode"
set:
scannerMode: "multi"
asserts:
- equal:
path: metadata.name
value: test-release-cluster-scanner
- isSubset:
path: rules[0]
content:
apiGroups: ["", "apps", "batch", "extensions"]
resources:
- "namespaces"
- "secrets"
verbs: ["get", "list", "watch"]
48 changes: 0 additions & 48 deletions charts/cluster-scanner/tests/configmap_test.yaml
@@ -85,39 +85,9 @@ tests:
path: data.rsi_mode
value: "local"

- it: "can set multi mod"
set:
global.sysdig.apiHost: "http://test.com"
scannerMode: "multi"
asserts:
- equal:
path: data.rsi_mode
value: "multi"

- it: "can set local mod"
set:
global.sysdig.apiHost: "http://test.com"
scannerMode: "local"
asserts:
- equal:
path: data.rsi_mode
value: "local"

- it: "raise error on unknown mod"
set:
global.sysdig.apiHost: "http://test.com"
scannerMode: "foobar"
asserts:
- failedTemplate:
errorMessage: |
values don't meet the specifications of the schema(s) in the following chart(s):
cluster-scanner:
- scannerMode: scannerMode must be one of the following: "local", "multi"
- it: "has correct format for local_registry_secrets when they are provided"
set:
global.sysdig.apiHost: "http://test.com"
scannerMode: "local"
runtimeStatusIntegrator.localCluster:
rbac:
allowedPullSecrets:
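Review bot: the deleted "raise error on unknown mod" case was the only test pinning how the schema handles `scannerMode`; replace it rather than drop it. A case that sets `scannerMode: "multi"` and asserts `failedTemplate` (with whatever message the schema now produces) guarantees that a values file from a 0.12.x multi-cluster install is rejected at `helm upgrade` instead of rendering a local-mode scanner with the broader ClusterRole from clusterrole.yaml; a matching case for `scannerMode: "local"` keeps the removal symmetric. The first test kept in this file still asserts `data.rsi_mode` is `"local"`, which is correct now that the helper hard-codes it.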
@@ -135,29 +105,11 @@
- it: "has correct format for local_registry_secrets when they are not provided"
set:
global.sysdig.apiHost: "http://test.com"
scannerMode: "local"
asserts:
- equal:
path: data.local_registry_secrets
value: ""

- it: "does not evaluate local_registry_secrets when in multi mode"
set:
global.sysdig.apiHost: "http://test.com"
scannerMode: "multi"
runtimeStatusIntegrator.localCluster:
rbac:
allowedPullSecrets:
namespaceOneName:
- myDockerSecretOne
- myDockerSecretTwo
anotherNamespace:
- myOtherDockerSecretOne
- myOtherDockerSecretTwo
asserts:
- isNull:
path: data.local_registry_secrets

- it: "has correct content with redis caching"
set:
global.sysdig.apiHost: "http://test.com"