
Commit 7ef7653

2.30.0: GKE Image Streaming, enhancements, RKE2 and K3s support (#150)
Image Assurance 2.30.0
- Added GKE Image Streaming support for GKE 1.28.9 and higher
- Enhancement in the handling of a containerd service restart

Runtime Protection 1.16.2
- Added Rancher RKE2 and K3s support

Admission Control Enforcer 2.12.0
- Enhancement

All
- Added some standard K8s and Helm labels
1 parent 57a5740 commit 7ef7653


8 files changed

+196
-95
lines changed


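--- a/checkpoint/cloudguard/Chart.yaml
+++ b/checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.29.0
+appVersion: 2.30.0
 description: A Helm chart for Check Point CloudGuard Workload Security
 home: https://portal.checkpoint.com
 icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -28,10 +28,11 @@ keywords:
 - ecs
 - tanzu
 - k3s
+- rke2
 - openshift
 - eks
 - aks
 - gke
 - autopilot
 name: cloudguard
-version: 2.29.0
+version: 2.30.0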

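--- a/checkpoint/cloudguard/README.md
+++ b/checkpoint/cloudguard/README.md
@@ -136,7 +136,7 @@ The following table list the configurable parameters of this chart and their def
 | `proxy` | Proxy settings (e.g. http://my-proxy.com:8080) | `{}` |
 | `containerRuntime` | Container runtime (docker/containerd/cri-o) overriding auto-detection | `` |
 | `containerRuntimeSocket` | Container runtime socket path overriding auto-detection | `` |
-| `platform` | Kubernetes platform (kubernetes/ tanzu/ openshift/ openshift.v3/ eks/ eks.bottlerocket/ gke.cos/ gke.autopilot/ k3s/ kubernetes.coreos) overriding auto-detection | `kubernetes` |
+| `platform` | Kubernetes platform (kubernetes/ tanzu/ openshift/ openshift.v3/ eks/ eks.bottlerocket/ gke.cos/ gke.autopilot/ k3s/ rke2/ kubernetes.coreos) overriding auto-detection | `kubernetes` |
 | `seccompProfile` | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault` |
 | `podAnnotations.seccomp` | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default` |
 | `podAnnotations.apparmor` | Apparmor Linux kernel security module profile. | `{}` |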

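--- a/checkpoint/cloudguard/defaults.yaml
+++ b/checkpoint/cloudguard/defaults.yaml
@@ -51,7 +51,7 @@ podAnnotations:
 proxy: {}
 
 containerRuntime:
-platform: kubernetes # kubernetes, openshift, openshift.v3, tanzu, eks, eks.bottlerocket, gke.cos, gke.autopilot or k3s
+platform: kubernetes # kubernetes, openshift, openshift.v3, tanzu, eks, eks.bottlerocket, gke.cos, gke.autopilot, k3s or rke2
 
 seccompProfile:
 type: RuntimeDefault
@@ -112,7 +112,7 @@ addons:
 priorityClassName: "system-node-critical"
 ## Specify image and tag
 image: checkpoint/consec-imagescan-daemon
-tag: 2.29.0
+tag: 2.30.0
 
 ## Specify existing service account name ("" to create)
 serviceAccountName: ""
@@ -134,7 +134,7 @@ addons:
 shim:
 ## Specify image and tag
 image: checkpoint/consec-imagescan-shim
-tag: 2.29.0
+tag: 2.30.0
 
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -170,7 +170,7 @@ addons:
 engine:
 ## Specify image and tag
 image: checkpoint/consec-imagescan-engine
-tag: 2.29.0
+tag: 2.30.0
 
 ## Specify existing service account name ("" to create)
 serviceAccountName: ""
@@ -203,7 +203,7 @@ addons:
 list:
 ## Specify image and tag
 image: checkpoint/consec-imagescan-engine
-tag: 2.29.0
+tag: 2.30.0
 
 ## Specify existing service account name ("" to create)
 serviceAccountName: ""
@@ -346,7 +346,7 @@ addons:
 enforcer:
 ## Specify image and tag
 image: checkpoint/consec-admission-enforcer
-tag: 2.11.0
+tag: 2.12.0
 
 ## Specify existing service account name ("" to create)
 serviceAccountName: ""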

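--- a/checkpoint/cloudguard/templates/_helpers.tpl
+++ b/checkpoint/cloudguard/templates/_helpers.tpl
@@ -76,13 +76,16 @@
 
 {{- /* Labels commonly used in our k8s resources */ -}}
 {{- define "common.labels" -}}
-app.kubernetes.io/name: {{ template "agent.resource.name" . }}
+app.kubernetes.io/name: {{ include "agent.resource.name" . }}
 app.kubernetes.io/instance: {{ include "name.prefix" . }}
 {{- end -}}
 
 {{- /* Labels commonly used in our "pod group" resources */ -}}
 {{- define "common.labels.with.chart" -}}
 helm.sh/chart: {{ printf "%s-%s" .Chart.name .Chart.version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+app.kubernetes.io/managed-by: {{ $.Release.Service }}
+app.kubernetes.io/version: {{ $.Chart.appVersion }}
+app.created.by.template: {{ (include "is.helm.template.command" .) | quote }}
 {{ template "common.labels" . }}
 {{- end -}}
 
@@ -258,13 +261,13 @@ key: {{ $cert.Key | b64enc }}
 {{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .Values.imageRegistry.url (printf "%s:%s" $user $pass | b64enc) | b64enc -}}
 {{- end -}}
 
-{{- /* validate containerRuntime is one of the allowed values.
+{{- /* validate containerRuntime is one of the supported values.
 takes a context (such as $config, .Values or (dict "containerRuntime" $containerRuntime)) that has a .containerRuntime field */ -}}
 {{- define "validate.container.runtime" -}}
-{{- $allowedRuntimes := list "docker" "containerd" "cri-o" -}}
-{{- if has (.containerRuntime | lower) $allowedRuntimes -}}
+{{- $supportedRuntimes := (include "supported.containerRuntimes" .) | splitList " " -}}
+{{- if has (.containerRuntime | lower) $supportedRuntimes -}}
 {{- else -}}
-{{- $err := printf "\n\nERROR: Invalid containerRuntime: %s (should be one of: %s)" .containerRuntime $allowedRuntimes -}}
+{{- $err := printf "\n\nERROR: Invalid containerRuntime: %s (should be one of: %s)" .containerRuntime $supportedRuntimes -}}
 {{- fail $err -}}
 {{- end -}}
 {{- end -}}
@@ -286,27 +289,40 @@ takes a context (such as $config, .Values or (dict "containerRuntime" $container
 {{- end -}}
 
 
+{{- /* get the first node from the cluster */ -}}
+{{- define "get.first.node" -}}
+{{- $nodes := lookup "v1" "Node" "" "" -}}
+{{- if empty $nodes -}}
+{{- else if eq (len $nodes.items) 0 -}}
+{{- else -}}
+{{- first $nodes.items | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+
 {{- define "get.container.runtime" -}}
-{{- if .Values.containerRuntime -}}
-{{- include "validate.container.runtime" .Values -}}
-{{ .Values.containerRuntime | lower }}
-{{- else -}}
-{{- $nodes := lookup "v1" "Node" "" "" -}}
-{{- if ne (len $nodes) 0 -}}
-{{/* examples for runtime version: docker://19.3.3, containerd://1.3.3, cri-o://1.20.3 */}}
-{{- $containerRuntimeVersion := (first $nodes.items).status.nodeInfo.containerRuntimeVersion -}}
-{{- $containerRuntime := first (regexSplit ":" $containerRuntimeVersion -1) -}}
-{{- include "validate.container.runtime" (dict "containerRuntime" $containerRuntime) -}}
+{{- if .Values.containerRuntime -}}
+{{- include "validate.container.runtime" .Values -}}
+{{ .Values.containerRuntime | lower }}
+{{- else -}}
+{{- $noRuntimeErr := "\n\nERROR: No nodes found, cannot identify container runtime. Use '--set containerRuntime=docker' or '--set containerRuntime=containerd' or '--set containerRuntime=cri-o'" -}}
+{{- $firstNode := include "get.first.node" . | fromYaml -}}
+{{- if empty $firstNode -}}
+{{- fail $noRuntimeErr -}}
+{{- end -}}
+{{/* examples for runtime version: docker://19.3.3, containerd://1.3.3, cri-o://1.20.3 */}}
+{{- $containerRuntimeVersion := $firstNode.status.nodeInfo.containerRuntimeVersion -}}
+{{- $containerRuntime := first (regexSplit ":" $containerRuntimeVersion -1) -}}
+{{- include "validate.container.runtime" (dict "containerRuntime" $containerRuntime) -}}
 {{ $containerRuntime | lower }}
-{{- else -}}
-{{- fail "\n\nERROR: No nodes found, cannot identify container runtime. Use '--set containerRuntime=docker' or '--set containerRuntime=containerd' or '--set containerRuntime=cri-o'" -}}
-{{- end -}}
-{{- end -}}
+{{- end -}}
 {{- end -}}
 
+
+{{- /* get platform value, if not provided, try to infer it from the first node */ -}}
 {{- define "get.platform" -}}
 {{- /* use platform value if it's a helm template command or when the provided value is not the default kubernetes */ -}}
-{{- if or (include "is.helm.template.command" .) (and .Values.platform (ne .Values.platform "kubernetes")) -}}
+{{- if or (eq (include "is.helm.template.command" .) "true") (and .Values.platform (ne .Values.platform "kubernetes")) -}}
 {{- include "validate.platform" .Values -}}
 {{- lower .Values.platform -}}
 {{- else if has "config.openshift.io/v1" .Capabilities.APIVersions -}}
@@ -318,14 +334,18 @@ takes a context (such as $config, .Values or (dict "containerRuntime" $container
 {{/* else if has "auto.gke.io/v1" .Capabilities.APIVersions */}}
 {{/* printf "gke.autopilot" */}}
 {{- else -}}
-{{- $nodes := lookup "v1" "Node" "" "" -}}
+{{- $supportedPlatforms := (include "supported.platforms" .) | splitList " " -}}
+{{- $noPlatformErr := printf "\n\nERROR: No nodes found, cannot identify platform. Append '--set platform=<platform>', platform should be one of %s" $supportedPlatforms -}}
+{{- $firstNode := include "get.first.node" . | fromYaml -}}
+{{- if empty $firstNode -}}
+{{- fail $noPlatformErr -}}
+{{- end -}}
+{{- $osImage := $firstNode.status.nodeInfo.osImage -}}
 {{/*
 nodeInfo.osImage example values:
 - "Bottlerocket OS 1.7.2 (aws-k8s-1.21)"
 - "Container-Optimized OS from Google"
 */}}
-{{- $firstNode := (first $nodes.items) -}}
-{{- $osImage := $firstNode.status.nodeInfo.osImage -}}
 {{- if contains "Bottlerocket" $osImage -}}
 {{- printf "eks.bottlerocket" -}}
 {{- else if contains "Container-Optimized" $osImage -}}
@@ -334,6 +354,8 @@ takes a context (such as $config, .Values or (dict "containerRuntime" $container
 {{- printf "kubernetes.coreos" -}}
 {{- else if hasKey $firstNode.metadata.annotations "k3s.io/hostname" -}}
 {{- printf "k3s" -}}
+{{- else if hasKey $firstNode.metadata.annotations "rke2.io/hostname" -}}
+{{- printf "rke2" -}}
 {{- else if or (hasKey $firstNode.metadata.labels "eks.amazonaws.com/nodegroup") (hasKey $firstNode.metadata.labels "alpha.eksctl.io/nodegroup-name") (hasKey $firstNode.metadata.labels "eks.amazonaws.com/compute-type") -}}
 {{- printf "eks" -}}
 {{- else -}}
@@ -390,16 +412,19 @@ If a user opts for the default "preserve" option:
 {{- end -}}
 {{- end -}}
 
-
 {{- /*
 use to know if we run from template (which mean wo have no connection to the cluster and cannot check Capabilities/nodes etc.)
 if there is no namespace probably we are running template
+returns string value "true" or "false"
+usage:
+`{{- if eq (include "is.helm.template.command") "true" -}}`
 */ -}}
 {{- define "is.helm.template.command" -}}
+{{- if not (hasKey .Values "isHelmTemplateCache") -}}
 {{- $namespace := lookup "v1" "Namespace" "" "" -}}
-{{- if eq (len $namespace) 0 -}}
-true
+{{- $_ := set .Values "isHelmTemplateCache" (eq (len $namespace) 0) -}}
 {{- end -}}
+{{- .Values.isHelmTemplateCache | toYaml -}}
 {{- end -}}
 
 {{- define "containerd.sock.path" -}}
@@ -412,20 +437,28 @@ true
 {{ printf (.Values.containerRuntimeSocket | toString) }}
 {{- else if eq .platform "eks.bottlerocket" -}}
 {{- printf "/run/dockershim.sock" -}}
-{{- else if eq .platform "k3s" -}}
+{{- else if has .platform (list "k3s" "rke2") -}}
 {{- printf "/run/k3s/containerd/containerd.sock" -}}
 {{- else -}}
 {{- printf "/run/containerd/containerd.sock" -}}
 {{- end -}}
 {{- end -}}
 
-{{- /* validate platform is one of the allowed values.
+{{- define "containerd.runtime.v2.task" -}}
+{{- if has .platform (list "k3s" "rke2") -}}
+{{- printf "/run/k3s/containerd/io.containerd.runtime.v2.task" -}}
+{{- else -}}
+{{- printf "/run/containerd/io.containerd.runtime.v2.task" -}}
+{{- end -}}
+{{- end -}}
+
+{{- /* validate platform is one of the supported values.
 takes a context (such as $config or .Values) that has a .platform field */ -}}
 {{- define "validate.platform" -}}
-{{- $allowedPlatforms := list "kubernetes" "tanzu" "openshift" "openshift.v3" "eks" "eks.bottlerocket" "gke.cos" "gke.autopilot" "k3s" "kubernetes.coreos" -}}
-{{- if has (.platform | lower) $allowedPlatforms -}}
+{{- $supportedPlatforms := (include "supported.platforms" .) | splitList " " -}}
+{{- if has (.platform | lower) $supportedPlatforms -}}
 {{- else -}}
-{{- $err := printf "\n\nERROR: Invalid platform: %s (should be one of: %s)" .platform $allowedPlatforms -}}
+{{- $err := printf "\n\nERROR: Invalid platform: %s, should be one of: %s" .platform $supportedPlatforms -}}
 {{- fail $err -}}
 {{- end -}}
 {{- end -}}
@@ -517,3 +550,20 @@ nodeAffinity:
 - {{$labelValue}}
 {{- end -}}
 {{- end -}}
+
+
+{{- /* list of supported platforms
+usage:
+`{{- $supportedPlatforms := (include "supported.platforms" .) | splitList " " -}}`
+*/ -}}
+{{- define "supported.platforms" -}}
+kubernetes kubernetes.coreos tanzu openshift openshift.v3 eks eks.bottlerocket gke.cos gke.autopilot k3s rke2
+{{- end -}}
+
+{{- /* list of supported containter runtimes
+usage:
+`{{- $supportedRuntimes := (include "supported.containerRuntimes" .) | splitList " " -}}`
+*/ -}}
+{{- define "supported.containerRuntimes" -}}
+docker containerd cri-o
+{{- end -}}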
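Review bot: `get.first.node` returns only `first $nodes.items`, and `get.container.runtime` and `get.platform` now derive the container runtime and the platform from that single node — and, through `containerd.runtime.v2.task`, the host paths that every daemon pod mounts — so a cluster with mixed runtimes or OS images is configured by whichever node the API happens to list first; the new helper's comment should say so, e.g. `{{- /* get the first node from the cluster as YAML; callers infer platform and containerRuntime from it, so mixed clusters should set those values explicitly */ -}}`. Helm's `fromYaml` reports a parse failure as a map holding an `Error` key rather than an empty map, so the two `{{- if empty $firstNode -}}` guards would let such a result through to `$firstNode.status.nodeInfo` and the render would die with a field-lookup error instead of the intended message; checking `or (empty $firstNode) (hasKey $firstNode "Error")` keeps the `fail` path. The `isHelmTemplateCache` key written into `.Values` is indistinguishable from a user-supplied value, so a value file or `--set` carrying that key silently replaces the namespace lookup; this is worth a comment on the `hasKey` line. The usage line in the `is.helm.template.command` comment omits the context argument `include` requires (`include "is.helm.template.command" .`), and the comment in the last hunk misspells `containter`.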

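--- a/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml
+++ b/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml
@@ -31,21 +31,29 @@ spec:
 {{- end }}
 initContainers:
 {{- if and $config.featureConfig.enableFileReputation (eq $config.containerRuntime "cri-o") }}
-# cri-o folder which contains containers root fs is 'private' mount.
+# cri-o folder which contains containers root fs can be mounted privately.
+# it depends on variable skip_mount_home in /etc/containers/storage.conf [storage.options.overlay]
+# if skip_mount_home==false, private mount will be created.
 # So nested/sub mounts will not be propagated to WorkloadSecurity container.
 # The following container changes mount type to 'shared' on host in a hacky way:
 # Literally container escapes its mount's isolation by changing mount namespace
 # to 'init' process namespace, then changes the type of the required mount to 'shared'
 - name: criofsfix
-image: docker.io/library/alpine:3.16
+image: docker.io/library/busybox:1
 imagePullPolicy: IfNotPresent
 command: [ "/bin/sh", "-c", "--" ]
 securityContext:
 privileged: true
 {{- if (eq $config.platform "kubernetes.coreos") }}
 runAsUser: 0
 {{- end }}
-args: [ "nsenter --mount=/proc/1/ns/mnt -- mount --make-shared /var/lib/containers/storage/overlay" ]
+args:
+- |
+# check that /var/lib/containers/storage/overlay is a mount point
+if [ $(nsenter --mount=/proc/1/ns/mnt -- grep -Fc ' /var/lib/containers/storage/overlay ' /proc/self/mountinfo) -gt 0 ];
+then
+nsenter --mount=/proc/1/ns/mnt -- mount --make-shared /var/lib/containers/storage/overlay;
+fi
 {{- end }}
 # probe (sysdig)
 - {{ $containerConfig := merge $config (dict "containerName" "probe") -}}
@@ -323,7 +331,7 @@ spec:
 type: Socket
 - name: runcontainerdfs-vol
 hostPath:
-path: /run/containerd/io.containerd.runtime.v2.task # TODO deal with other flavors like bottlerocket
+path: {{ include "containerd.runtime.v2.task" $config }}
 {{- end }}
 {{- if eq $config.containerRuntime "cri-o" }}
 - name: crio-sock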
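Review bot: The `criofsfix` init container is privileged and enters the host mount namespace, yet the new `image: docker.io/library/busybox:1` pins it only to a floating major tag, which is looser than the `alpine:3.16` it replaces; an image with that much reach on every node should be pinned by digest, e.g. `image: docker.io/library/busybox:<version>@sha256:<digest>` (placeholder values). In the new script the unquoted `$(nsenter … grep -Fc …)` expands to an empty word if nsenter itself fails, so `[ -gt 0 ]` becomes a shell syntax error, the `if` takes the false branch and the container still exits 0, silently skipping the `mount --make-shared`. Letting grep decide removes both the substitution and the comparison: `if nsenter --mount=/proc/1/ns/mnt -- grep -qF ' /var/lib/containers/storage/overlay ' /proc/self/mountinfo; then`. Because the script runs under `/bin/sh -c` without `set -e`, a failing nsenter is only visible in the container log; add `set -e` as the first line of the block scalar if the pod should not start in that case. The enclosing `initContainers` list continues outside the hunk.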

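--- a/checkpoint/cloudguard/templates/runtime/daemon/podsecuritypolicy.yaml
+++ b/checkpoint/cloudguard/templates/runtime/daemon/podsecuritypolicy.yaml
@@ -62,7 +62,7 @@ spec:
 {{- else if eq $config.containerRuntime "containerd" }}
 - pathPrefix: {{ include "containerd.sock.path" $config }}
 readOnly: true
-- pathPrefix: /run/containerd/io.containerd.runtime.v2.task
+- pathPrefix: {{ include "containerd.runtime.v2.task" $config }}
 readOnly: true
 {{- else if eq $config.containerRuntime "cri-o" }}
 - pathPrefix: /var/run/crio/crio.sock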

repository/cloudguard-2.30.0.tgz

