Generated changes

2020-10-13 02:35:33 +00:00 · 2020-10-13 02:35:33 +00:00 · cd1edf4097
parent 5c4f18e1ed
commit cd1edf4097
12 changed files with 121 additions and 22 deletions
--- a/assets/index.yaml
+++ b/assets/index.yaml
@ -812,7 +812,7 @@ entries:
      catalog.cattle.io/ui-component: monitoring
    apiVersion: v1
    appVersion: 0.38.1
-    created: "2020-10-12T22:25:01.32011898Z"
+    created: "2020-10-13T02:35:33.467832582Z"
    dependencies:
    - condition: kubeStateMetrics.enabled
      name: kube-state-metrics
@ -908,7 +908,7 @@ entries:
    description: Collects several related Helm charts, Grafana dashboards, and Prometheus
      rules combined with documentation and scripts to provide easy to operate end-to-end
      Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
-    digest: b10f0c697c62187084882f2fb3842ba4db66cf52a89f284ce8698ced0d129a72
+    digest: 8899b5ec82b4155a3ac33ccccce425baf72dfcea841f0af3f453878345f82e73
    home: https://github.com/prometheus-operator/kube-prometheus
    icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
    keywords:
@ -1078,9 +1078,9 @@ entries:
      catalog.cattle.io/namespace: cattle-monitoring-system
      catalog.cattle.io/release-name: rancher-monitoring-crd
    apiVersion: v1
-    created: "2020-10-12T22:25:01.326842648Z"
+    created: "2020-10-13T02:35:33.474117471Z"
    description: Installs the CRDs for rancher-monitoring.
-    digest: 60ac396d93049e577906ea3dca75fee5eeec556c45915da8d04edc5d2129cdca
+    digest: d33479a7f57f59db8bbf808bdc99d70318bb82900a186a95e3018a55f46b1a8b
    name: rancher-monitoring-crd
    type: application
    urls:
@ -1228,4 +1228,4 @@ entries:
    urls:
    - assets/rio/rio-0.8.000.tgz
    version: 0.8.000
-generated: "2020-10-12T22:53:17.316876871Z"
+generated: "2020-10-13T02:35:33.438687468Z"
--- a/assets/rancher-monitoring/rancher-monitoring-9.4.201.tgz
+++ b/assets/rancher-monitoring/rancher-monitoring-9.4.201.tgz
--- a/assets/rancher-monitoring/rancher-monitoring-crd-9.4.201.tgz
+++ b/assets/rancher-monitoring/rancher-monitoring-crd-9.4.201.tgz
--- a/charts/rancher-monitoring/CHANGELOG.md
+++ b/charts/rancher-monitoring/CHANGELOG.md
@ -19,6 +19,7 @@ All notable changes from the upstream Prometheus Operator chart will be added to
 - Added support for private registries via introducing a new field for `global.cattle.systemDefaultRegistry` that, if supplied, will automatically be prepended onto every image used by the chart.
 - Added a default `nginx` proxy container deployed with Grafana whose config is set in the `ConfigMap` located in `charts/grafana/templates/nginx-config.yaml`. The purpose of this container is to make it possible to view Grafana's UI through a proxy that has a subpath (e.g. Rancher's proxy). This proxy container is set to listen on port `8080` (with a `portName` of `nginx-http` instead of the default `service`), which is also where the Grafana service will now point to, and will forward all requests to the Grafana container listening on the default port `3000`.
 - Added a default `nginx` proxy container deployed with Prometheus whose config is set in the `ConfigMap` located in `templates/prometheus/nginx-config.yaml`. The purpose of this container is to make it possible to view Prometheus's UI through a proxy that has a subpath (e.g. Rancher's proxy). This proxy container is set to listen on port `8080` (with a `portName` of `nginx-http` instead of the default `web`), which is also where the Prometheus service will now point to, and will forward all requests to the Prometheus container listening on the default port `9090`.
+- Added support for passing CIS Scans in a hardened cluster by introducing a Job that patches the default service account within the `cattle-monitoring-system` and `cattle-dashboards` namespaces on install or upgrade and adding a default allow all `NetworkPolicy` to the `cattle-monitoring-system` and `cattle-dashboards` namespaces.
 ### Modified
 - Updated the chart name from `prometheus-operator` to `rancher-monitoring` and added the `io.rancher.certified: rancher` annotation to `Chart.yaml`
 - Modified the default `node-exporter` port from `9100` to `9796`
@ -40,7 +41,7 @@ All notable changes from the upstream Prometheus Operator chart will be added to
 - Modified the default `<serviceMonitor|podMonitor|rule>SelectorNilUsesHelmValues` to default to `false`. As a result, we look for all CRs with any labels in all namespaces by default rather than just the ones tagged with the label `release: rancher-monitoring`.
 - Modified the default images used by the `rancher-monitoring` chart to point to Rancher mirrors of the original images from upstream.
 - Modified the behavior of the chart to create the Alertmanager Config Secret via a pre-install hook instead of using the normal Helm lifecycle to manage the secret. The benefit of this approach is that all changes to the Config Secret done on a live cluster will never get overridden on a `helm upgrade` since the secret only gets created on a `helm install`. If you would like the secret to be cleaned up on an `helm uninstall`, enable `alertmanager.cleanupOnUninstall`; however, this is disabled by default to prevent the loss of alerting configuration on an uninstall. This secret will never be modified on a `helm upgrade`.
- Modified the default `securityContext` for `Pod` templates across the chart to `{"runAsNonRoot": "true", "runAsUser": "1000"}` and set `grafana.rbac.pspUseAppArmor=false` in order to make it possible to deploy this chart on a hardened cluster without AppArmor installed.
+- Modified the default `securityContext` for `Pod` templates across the chart to `{"runAsNonRoot": "true", "runAsUser": "1000"}` and replaced `grafana.rbac.pspUseAppArmor` in favor of `grafana.rbac.pspAnnotations={}` in order to make it possible to deploy this chart on a hardened cluster which does not support Seccomp or AppArmor annotations in PSPs. Users can always choose to specify the annotations they want to use for the PSP directly as part of the values provided.
 - Modified `.Values.prometheus.prometheusSpec.containers` to take in a string representing a template that should be rendered by Helm (via `tpl`) instead of allowing a user to provide YAML directly.
 - Modified the default Grafana configuration to auto assign users who access Grafana to the Viewer role and enable anonymous access to Grafana dashboards by default. This default works well for a Rancher user who is accessing Grafana via the `kubectl proxy` on the Rancher Dashboard UI since anonymous users who enter via the proxy are authenticated by the k8s API Server, but you can / should modify this behavior if you plan on exposing Grafana in a way that does not require authentication (e.g. as a `NodePort` service).
 - Modified the default Grafana configuration to add a default dashboard for Rancher on the Grafana home page.
--- a/charts/rancher-monitoring/charts/grafana/templates/podsecuritypolicy.yaml
+++ b/charts/rancher-monitoring/charts/grafana/templates/podsecuritypolicy.yaml
@ -6,13 +6,9 @@ metadata:
  namespace: {{ template "grafana.namespace" . }}
  labels:
    {{- include "grafana.labels" . | nindent 4 }}
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    {{- if .Values.rbac.pspUseAppArmor }}
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    {{- end }}
+{{- if .Values.rbac.pspAnnotations }}
+    annotations: {{ toYaml .Values.rbac.pspAnnotations | nindent 4 }}
+{{- end }}
 spec:
  privileged: false
  allowPrivilegeEscalation: false
--- a/charts/rancher-monitoring/charts/grafana/values.yaml
+++ b/charts/rancher-monitoring/charts/grafana/values.yaml
@ -1,7 +1,17 @@
 rbac:
  create: true
  pspEnabled: true
-  pspUseAppArmor: false
+  pspAnnotations: {}
+  ## Specify pod annotations
+  ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+  ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+  ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+  ##
+  # seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+  # seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+  # apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+  # apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+
  namespaced: false
  extraRoleRules: []
  # - apiGroups: []
--- a/charts/rancher-monitoring/charts/rancher-pushprox-0.1.0.tgz
+++ b/charts/rancher-monitoring/charts/rancher-pushprox-0.1.0.tgz
--- a/charts/rancher-monitoring/requirements.lock
+++ b/charts/rancher-monitoring/requirements.lock
@ -57,4 +57,4 @@ dependencies:
  repository: file://../../rancher-pushprox/charts
  version: 0.1.0
 digest: sha256:816a7b6760971acf88b62b4178a5d8919cb97b6576cdca22021137929b1ed031
-generated: "2020-10-12T22:24:52.859070811Z"
+generated: "2020-10-13T02:35:25.604939063Z"
--- a/charts/rancher-monitoring/templates/rancher-monitoring/hardened.yaml
+++ b/charts/rancher-monitoring/templates/rancher-monitoring/hardened.yaml
@ -0,0 +1,87 @@
+{{- $namespaces := dict "_0" .Release.Namespace -}}
+{{- if and .Values.grafana.enabled (or .Values.grafana.sidecar.dashboards.enabled .Values.grafana.defaultDashboardsEnabled) -}}
+{{- $_ := set $namespaces "_1" .Values.grafana.sidecar.dashboards.searchNamespace -}}
+{{- end -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Chart.Name }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Chart.Name }}-patch-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    metadata:
+      name: {{ .Chart.Name }}-patch-sa
+      labels:
+        app: {{ .Chart.Name }}-patch-sa
+    spec:
+      serviceAccountName: {{ .Chart.Name }}-patch-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      restartPolicy: Never
+      containers:
+      {{- range $_, $ns := $namespaces }}
+      - name: patch-sa-{{ $ns }}
+        image: {{ template "system_default_registry" $ }}{{ $.Values.global.kubectl.repository }}:{{ $.Values.global.kubectl.tag }}
+        imagePullPolicy: {{ $.Values.global.kubectl.pullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", "{{ $ns }}"]
+      {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}-patch-sa
+  labels:
+    app: {{ .Chart.Name }}-patch-sa
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs: ['get', 'patch']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Chart.Name }}-patch-sa
+  labels:
+    app: {{ .Chart.Name }}-patch-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Chart.Name }}-patch-sa
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Chart.Name }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Chart.Name }}-patch-sa
+{{- range $_, $ns := $namespaces }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ $ns }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress
+{{- end }}
--- a/charts/rancher-monitoring/values.yaml
+++ b/charts/rancher-monitoring/values.yaml
@ -338,6 +338,10 @@ additionalPrometheusRules: []
 global:
  cattle:
    systemDefaultRegistry: ""
+  kubectl:
+     repository: rancher/kubectl
+     tag: v1.18.6
+     pullPolicy: IfNotPresent
  rbac:
    ## Create RBAC resources for ServiceAccounts and users 
    ##
--- a/index.yaml
+++ b/index.yaml
@ -812,7 +812,7 @@ entries:
      catalog.cattle.io/ui-component: monitoring
    apiVersion: v1
    appVersion: 0.38.1
-    created: "2020-10-12T22:25:01.32011898Z"
+    created: "2020-10-13T02:35:33.467832582Z"
    dependencies:
    - condition: kubeStateMetrics.enabled
      name: kube-state-metrics
@ -908,7 +908,7 @@ entries:
    description: Collects several related Helm charts, Grafana dashboards, and Prometheus
      rules combined with documentation and scripts to provide easy to operate end-to-end
      Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
-    digest: b10f0c697c62187084882f2fb3842ba4db66cf52a89f284ce8698ced0d129a72
+    digest: 8899b5ec82b4155a3ac33ccccce425baf72dfcea841f0af3f453878345f82e73
    home: https://github.com/prometheus-operator/kube-prometheus
    icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
    keywords:
@ -1078,9 +1078,9 @@ entries:
      catalog.cattle.io/namespace: cattle-monitoring-system
      catalog.cattle.io/release-name: rancher-monitoring-crd
    apiVersion: v1
-    created: "2020-10-12T22:25:01.326842648Z"
+    created: "2020-10-13T02:35:33.474117471Z"
    description: Installs the CRDs for rancher-monitoring.
-    digest: 60ac396d93049e577906ea3dca75fee5eeec556c45915da8d04edc5d2129cdca
+    digest: d33479a7f57f59db8bbf808bdc99d70318bb82900a186a95e3018a55f46b1a8b
    name: rancher-monitoring-crd
    type: application
    urls:
@ -1228,4 +1228,4 @@ entries:
    urls:
    - assets/rio/rio-0.8.000.tgz
    version: 0.8.000
-generated: "2020-10-12T22:53:17.316876871Z"
+generated: "2020-10-13T02:35:33.438687468Z"
--- a/sha256sum/rancher-monitoring/rancher-monitoring.sum
+++ b/sha256sum/rancher-monitoring/rancher-monitoring.sum
@ -1,4 +1,4 @@
-e0eddabe716afe6e14b6e82adc0275e4b1406b8347dbd37852ce5295965ded9a  packages/rancher-monitoring/overlay/CHANGELOG.md
+9553024443b0a1f67b6a5f5426713144d38674d7c457f64512e8ca48ae249d2c  packages/rancher-monitoring/overlay/CHANGELOG.md
 909d2625c716cebb846218604f54369de9436729133004d041b65ec7345d618f  packages/rancher-monitoring/overlay/app-README.md
 ef03cc1278c0b75fb92012a5136500f5c2bdce9129d2c66c9c9ceec45021cc45  packages/rancher-monitoring/overlay/charts/grafana/templates/nginx-config.yaml
 af335d5859f759a451fb6590d1865b3fb49459c50ba002b6791fb3ddb5a36865  packages/rancher-monitoring/overlay/templates/prometheus/nginx-config.yaml
@ -6,5 +6,6 @@ af335d5859f759a451fb6590d1865b3fb49459c50ba002b6791fb3ddb5a36865  packages/ranch
 bb4f6fc55612f35e086c1b5657fc1ca356f8c3add72145a39e1d6202a4d40ebe  packages/rancher-monitoring/overlay/templates/rancher-monitoring/config-role.yaml
 5ad9876026208a86d66a2ae78ed5d0789ac5aa490cf126b47f73a9919bd37b47  packages/rancher-monitoring/overlay/templates/rancher-monitoring/dashboard-role.yaml
 33fee4fdab967c396d8dd12f058136c3414357cb65bd162c1e26dae561d5ac1d  packages/rancher-monitoring/overlay/templates/rancher-monitoring/default-dashboard.yaml
+9ab6bb402a9c1d5ad652cbd01a14c9fede7d14f9131a3e375ba2933adf1ae98d  packages/rancher-monitoring/overlay/templates/rancher-monitoring/hardened.yaml
 e99f1420d98f0e27f6ed5deba21b3000c7e1085de55de2610b971938eedd5c52  packages/rancher-monitoring/package.yaml
-648db85abcb871c047b5e3bacd8a0ff1b79fd40a192149b73403fcbd58098278  packages/rancher-monitoring/rancher-monitoring.patch
+ba5acbe90e85d05e7e405e5258780980bb2b7c79dc55547293017ba9d6ba1ed9  packages/rancher-monitoring/rancher-monitoring.patch