42Crunch / scand-manager

Kubernetes Wrapper for 42Crunch Scan
GNU Affero General Public License v3.0

Add Helm Charts and describe required K8S roles #1

Closed isamauny closed 1 year ago

isamauny commented 1 year ago

This pod requires specific roles to be able to create and manipulate jobs. We need to share a sample setup.

florentvaldelievre commented 1 year ago

Hello @isamauny

Any update on this? On our side, we've created our own helm chart for this, but it would have been good to have an official 42crunch scand-manager helm chart

isamauny commented 1 year ago

Hello @florentvaldelievre - Yes, we do have an internal version - Will push here in the next few days.

florentvaldelievre commented 1 year ago

Thanks Isabelle. Is it possible to have the chart available on a public helm repository?

rainchei commented 1 year ago

Hi @florentvaldelievre Could you please help to check if this looks good to you? (https://github.com/42Crunch/scand-manager/tree/helm-charts/charts/scand-manager) I will push it to our public repo if all good to you, and update to you again.

Thanks :)

florentvaldelievre commented 1 year ago

Perfect @rainchei, working as expected. Let me know when you have pushed it to a public helm repository. Thank you

florentvaldelievre commented 1 year ago

Hello @rainchei Could you please advise when the helm chart will be available on a public repository?

rainchei commented 1 year ago

Hi @florentvaldelievre We have published the chart to the repo. Could you please try the following?

# add the 42crunch repo
helm repo add 42crunch https://repo.42crunch.com/charts

# (optional) search for available charts
helm search repo 42crunch

# (optional) look for the values
helm show values 42crunch/scand-manager

# install the scand-manager
helm upgrade --install scand-manager 42crunch/scand-manager

Thanks

florentvaldelievre commented 1 year ago

Thanks, it works on most of our kubernetes clusters. However, on some of them, we don't allow Privilege Escalation:

Warning FailedCreate 4s (x12 over 15s) replicaset-controller Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3noprivilegeescalatio-3c903034ba1f3787336c] Privilege escalation container is not allowed: scand-manager

The Azure Policy preventing this is the following: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json

It is working by adding the following:

securityContext:
  allowPrivilegeEscalation: false

Would you consider adding this on the public repository?
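As an added illustration of the rejection reported above (this is example code, not part of the scand-manager project or its chart), the following mirrors the rule behind the linked Azure built-in policy as I understand it: every container and initContainer in the pod spec must set `securityContext.allowPrivilegeEscalation` to `false` explicitly, and an unset field counts as a violation, which is why the rendered Deployment was denied until the chart values gained that setting. The Deployment dict, image name and function names are constructed for the example; manifests are kept as plain dicts (what a rendered chart deserializes to) so it runs offline without PyYAML.

```python
"""Added example: an admission-style check that reproduces the
`ContainerNoPrivilegeEscalation` rule described in the thread (assumed
semantics: allowPrivilegeEscalation must be explicitly false on every
container and initContainer), plus the hardening step that satisfies it."""

from copy import deepcopy

# Constructed sample: the Deployment as a chart might render it before the
# fix, with no securityContext on the container. Image is a placeholder.
DEPLOYMENT_BEFORE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "scand-manager"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {"name": "scand-manager", "image": "PLACEHOLDER/scand-manager:tag"}
                ]
            }
        }
    },
}


def pod_spec_of(manifest: dict) -> dict:
    """Return the PodSpec of a bare Pod or of a workload that embeds a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def privilege_escalation_violations(manifest: dict) -> list:
    """Names ("field/name") of containers the policy would reject.

    Both an unset field (None) and an explicit True are violations; only an
    explicit False passes, matching the policy behaviour seen in the thread.
    """
    spec = pod_spec_of(manifest)
    violations = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            allow = (container.get("securityContext") or {}).get("allowPrivilegeEscalation")
            if allow is not False:
                violations.append(f"{field}/{container['name']}")
    return violations


def harden(manifest: dict) -> dict:
    """Return a copy with allowPrivilegeEscalation: false on every container,
    the same setting the thread added to the chart's default values.
    The input manifest is left untouched."""
    fixed = deepcopy(manifest)
    spec = pod_spec_of(fixed)
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            security_context = container.get("securityContext") or {}
            security_context["allowPrivilegeEscalation"] = False
            container["securityContext"] = security_context
    return fixed


if __name__ == "__main__":
    print("before:", privilege_escalation_violations(DEPLOYMENT_BEFORE))
    print("after: ", privilege_escalation_violations(harden(DEPLOYMENT_BEFORE)))
```

Running the check against `helm template` output before applying a release is a cheap way to catch this class of admission failure outside clusters that enforce the policy, since a chart that only passes where Gatekeeper is absent will still break the stricter clusters described in the thread.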

rainchei commented 1 year ago

Hi @florentvaldelievre I have included this into the default values, thanks for reporting this :)

isamauny commented 1 year ago

Will close now as resolved.