trendmicro / cloudone-container-security-helm

Helm chart for Trend Micro Cloud One Container Security

Resolve naming issue in scan-manager-rolebinding ClusterRoleBinding #4

Closed vladimir-babichev closed 1 year ago

vladimir-babichev commented 1 year ago

Trend Micro Case

06489140

Description

The following PR resolves an error with the subject name in the scan-manager-role.yaml template file.

Issue

When installing the Helm chart, the following error is returned by the k8s API:

ClusterRoleBinding.rbac.authorization.k8s.io "scan-manager-rolebinding" is invalid: subjects[0].name: Invalid value: "scanManager-trendmicro-container-security": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

The error is caused by the use of camel case in the subject resource name in the ClusterRoleBinding produced by templating scan-manager-role.yaml.

Steps to reproduce

  1. Create value-overrides.yaml

    cloudOne:
      endpoint: https://container.us-1.cloudone.trendmicro.com/
      runtimeSecurity:
        enabled: false
      vulnerabilityScanning:
        enabled: true
      exclusion:
        namespaces:
          - kube-system
    useExistingSecrets: true

  2. Run helm template or helm install commands:

    helm template trendmicro-container-security -n trendmicro-system https://github.com/trendmicro/cloudone-container-security-helm/archive/2.3.9.tar.gz -f value-overrides.yaml

holyspectral commented 1 year ago

Hi @vladimir-babichev, thanks for contributing! I did a few tests and it works well on my GKE cluster.

The only thing is that I tried helm template and helm install --dry-run on my end. Only the former will generate the camel case name. The helm install never fails on my end.

According to the Helm docs, in helm install the API server will render the template and return the resulting manifests, so that's probably why. But since you mentioned you also see issues on helm install, I wonder if the step would fail in some Kubernetes versions or setups. Do you mind sharing a little bit about your Kubernetes cluster?

Your PR looks good. Just want to make sure everything is well taken care of on our side. Thanks.

vladimir-babichev commented 1 year ago

Hi @holyspectral, helm install fails on a fresh cluster running v1.24.8:

    $ kubectl version -o yaml | yq '.serverVersion.gitVersion'
    v1.24.8

    $ helm install  trendmicro-container-security https://github.com/trendmicro/cloudone-container-security-helm/archive/2.3.9.tar.gz -f value-overrides.yaml
    Error: INSTALLATION FAILED: ServiceAccount "scanManager-trendmicro-container-security" is invalid: metadata.name: Invalid value: "scanManager-trendmicro-container-security": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

holyspectral commented 1 year ago

@vladimir-babichev thanks! I can reproduce the issue and confirm your fix is good!
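
An added example, not part of the PR or the chart: the thread notes that helm template renders the camel-case name without complaint, so this check applies the regex quoted in the API server errors to rendered output before it reaches a cluster. Only ServiceAccount names are checked (the two fields the errors name); the line-based parsing assumes block-style YAML as Helm emits it, and the sample manifests are constructed and trimmed to the fields the check reads.

```python
import re

# Regex quoted in the API server errors above (lowercase RFC 1123 subdomain).
RFC1123 = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")

def is_valid_name(name):  # subdomain names are also capped at 253 characters
    return len(name) <= 253 and RFC1123.fullmatch(name) is not None

def _block(doc, key):
    """Text nested under a top-level key; list items may sit at column 0."""
    m = re.search(rf"(?m)^{key}:[ \t]*\n((?:[ \t-].*\n?|[ \t]*\n)*)", doc)
    return m.group(1) if m else ""

def _fields(text):
    """Flat key/value pairs of one mapping, surrounding quotes stripped."""
    return {k: v.strip("\"'") for k, v in re.findall(r"(?m)^[ \t-]*(\w+):[ \t]*(\S+)", text)}

def find_invalid_names(rendered):
    """Return (kind, field, name) for ServiceAccount names the API would reject."""
    findings = []
    for doc in re.split(r"(?m)^---.*$", rendered):
        m = re.search(r"(?m)^kind:[ \t]*(\S+)", doc)
        kind = m.group(1) if m else "?"
        if kind == "ServiceAccount":
            meta = _block(doc, "metadata")
            pad = re.match(r"[ \t]*", meta).group()  # indent of direct children
            m = re.search(rf"(?m)^{pad}name:[ \t]*(\S+)", meta)
            if m and not is_valid_name(m.group(1).strip("\"'")):
                findings.append((kind, "metadata.name", m.group(1).strip("\"'")))
        if kind in ("RoleBinding", "ClusterRoleBinding"):
            for item in re.split(r"(?m)^[ \t]*-", _block(doc, "subjects")):
                s = _fields(item)
                if s.get("kind") == "ServiceAccount" and not is_valid_name(s.get("name", "")):
                    findings.append((kind, "subjects[].name", s.get("name", "")))
    return findings

# Constructed sample of rendered manifests; the name is taken from the errors above.
SAMPLE = """\
kind: ServiceAccount
metadata:
  name: scanManager-trendmicro-container-security
---
kind: ClusterRoleBinding
subjects:
- kind: ServiceAccount
  name: scanManager-trendmicro-container-security
- kind: Group
  name: system:authenticated
"""
print(find_invalid_names(SAMPLE))
```

In a pipeline, the output of helm template would be passed in place of SAMPLE, and a non-empty result would fail the build.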