releases dev helm chart with cron-job policy vioation fixes (#12)

- releases dev helm chart with cron-job policy vioation fixes
- makes security context also a template

Signed-off-by: Mritunjay Sharma <[email protected]>

aws/templates/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       {{- end }}
     spec:
       {{- if .Values.image.pullSecrets.create }}
-      imagePullSecrets: 
+      imagePullSecrets:
       - name: {{ .Values.image.pullSecrets.name }}
       {{- end }}
       {{- with .Values.podSecurityContext }}

charts/kube-bench-adapter/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kube-bench-adapter
 description: The kube-bench adapter periodically runs a CIS benchmark check using cron-job with a tool called kube-bench and produces a cluster-wide policy report based on the Policy Report Custom Resource Definition
 type: application
-version: v1.1.2
+version: v1.1.3-dev
 appVersion: "1.0.0"
 maintainers:
   - name: Nirmata

charts/kube-bench-adapter/templates/_helpers.tpl

@@ -34,6 +34,8 @@ Create chart name and version as used by the chart label.
 Common labels
 */}}
 {{- define "kube-bench.labels" -}}
+app.kubernetes.io/instance: nirmata
+app.kubernetes.io/name: nirmata
 helm.sh/chart: {{ include "kube-bench.chart" . }}
 {{ include "kube-bench.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
@@ -42,6 +44,12 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{/* matchLabels */}}
+{{- define "kube-bench.matchLabels" -}}
+app.kubernetes.io/name: nirmata
+app.kubernetes.io/instance: nirmata
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@@ -60,3 +68,10 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create secret to access docker registry
+*/}}
+{{- define "imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.image.pullSecrets.registry (printf "%s:%s" .Values.image.pullSecrets.username .Values.image.pullSecrets.password | b64enc) | b64enc }}
+{{- end }}

charts/kube-bench-adapter/templates/cronjob.yaml

@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  namespace: {{ .Values.kubeBench.namespace}}
+  namespace: {{ .Values.kubeBench.namespace }}
   name: {{ include "kube-bench.fullname" . }}
   labels:
     {{- include "kube-bench.labels" . | nindent 4 }}
@@ -10,6 +10,9 @@ spec:
   jobTemplate:
     spec:
       template:
+        metadata:
+          labels:
+                {{- include "kube-bench.labels" . | nindent 12 }}
         spec:
           containers:
           - name: {{ include "kube-bench.fullname" . }}
@@ -23,5 +26,21 @@ spec:
             "-kubebenchImg", "{{ .Values.kubeBench.kubebenchImg }}",
             "-kubeconfig", "{{ .Values.kubeBench.kubeconfig }}",
             ]
+            {{- with .Values.resources }}
+            resources: {{ tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+            {{- with .Values.livenessProbe }}
+            livenessProbe: {{ tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+            {{- with .Values.readinessProbe }}
+            readinessProbe: {{ tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+            {{- with .Values.securityContext }}
+            securityContext: {{ tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+          {{- if .Values.image.pullSecrets.create }}
+          imagePullSecrets:
+          - name: {{ .Values.image.pullSecrets.name }}
+          {{- end }}
           restartPolicy: Never
           serviceAccountName:   {{ include "kube-bench.fullname" . }}

charts/kube-bench-adapter/templates/secrets.yaml

@@ -0,0 +1,10 @@
+{{ if and .Values.image.pullSecrets.name .Values.image.pullSecrets.create -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.image.pullSecrets.name }}
+  namespace: {{.Values.kubeBench.namespace}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}

charts/kube-bench-adapter/values.yaml

@@ -10,7 +10,17 @@ image:
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
    # --tag of image repository of kube-bench-adapter
-  tag: "v0.1.2"
+  tag: "v0.1.3-dev"
+  pullSecrets:
+    registry:
+    # Leave blank, if no ImagePullSecret is needed.
+    name:
+    # If set to false, the gerrit-master chart expects either a ImagePullSecret
+    # with the name configured above to be present on the cluster or that no
+    # credentials are needed.
+    create: false
+    username:
+    password:
 
 imagePullSecrets: []
 nameOverride: ""
@@ -64,3 +74,37 @@ ingress:
           serviceName: chart-example.local
           servicePort: 80
   tls: []
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 200Mi
+  requests:
+    cpu: 100m
+    memory: 200Mi
+
+## Liveness Probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+##
+livenessProbe:
+  exec:
+    command:
+    - ./policyreport
+
+## Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+##
+readinessProbe:
+  exec:
+    command:
+    - ./policyreport
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsGroup: 1000
+  runAsNonRoot: true
+  runAsUser: 1000