Merge pull request #119 from yossig-aquasec/master_adding_starboard

adding starboard

deploy/crds/aquasecurity.github.io_aquastarboards_crd.yaml

@@ -0,0 +1,39 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: aquastarboards.aquasecurity.github.io
+spec:
+ group: aquasecurity.github.io
+ names:
+ kind: AquaStarboard
+ listKind: AquaStarboardList
+ plural: aquastarboards
+ singular: aquastarboard
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ additionalPrinterColumns:
+ - name: Replicas
+ type: integer
+ description: Replicas Number
+ JSONPath: .spec.deploy.replicas
+ - name: Age
+ type: date
+ description: Aqua Starboard Age
+ JSONPath: .metadata.creationTimestamp
+ - name: Status
+ type: string
+ description: Aqua Starboard status
+ JSONPath: .status.state
+ - name: Nodes
+ type: string
+ description: List Of Nodes (Pods)
+ JSONPath: .status.nodes
+ served: true
+ storage: true
+ subresources:
+ status: {}

deploy/crds/aquasecurity.github.io_clusterconfigauditreports_crd.yaml

@@ -0,0 +1,51 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterconfigauditreports.aquasecurity.github.io
+ labels:
+ app.kubernetes.io/managed-by: starboard
+spec:
+ group: aquasecurity.github.io
+ names:
+ kind: ClusterConfigAuditReport
+ listKind: ClusterConfigAuditReportList
+ plural: clusterconfigauditreports
+ singular: clusterconfigauditreport
+ categories: [ ]
+ shortNames:
+ - clusterconfigaudit
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ additionalPrinterColumns:
+ - name: Scanner
+ type: string
+ description: The name of the config audit scanner
+ jsonPath: .report.scanner.name
+ - name: Age
+ type: date
+ description: The age of the report
+ jsonPath: .metadata.creationTimestamp
+ - name: Danger
+ type: integer
+ priority: 1
+ description: The number of checks that failed with Danger status
+ jsonPath: .report.summary.dangerCount
+ - name: Warning
+ type: integer
+ priority: 1
+ description: The number of checks that failed with Warning status
+ jsonPath: .report.summary.warningCount
+ - name: Pass
+ type: integer
+ priority: 1
+ description: The number of checks that passed
+ jsonPath: .report.summary.passCount
+ served: true
+ storage: true
+ subresources:
+ status: {}

deploy/crds/aquasecurity.github.io_configauditreports_crd.yaml

@@ -0,0 +1,52 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: configauditreports.aquasecurity.github.io
+ labels:
+ app.kubernetes.io/managed-by: starboard
+spec:
+ group: aquasecurity.github.io
+ names:
+ kind: ConfigAuditReport
+ listKind: ConfigAuditReportList
+ plural: configauditreports
+ singular: configauditreport
+ categories:
+ - all
+ shortNames:
+ - configaudit
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ additionalPrinterColumns:
+ - name: Scanner
+ type: string
+ description: The name of the config audit scanner
+ jsonPath: .report.scanner.name
+ - name: Age
+ type: date
+ description: The age of the report
+ jsonPath: .metadata.creationTimestamp
+ - name: Danger
+ type: integer
+ priority: 1
+ description: The number of checks that failed with Danger status
+ jsonPath: .report.summary.dangerCount
+ - name: Warning
+ type: integer
+ priority: 1
+ description: The number of checks that failed with Warning status
+ jsonPath: .report.summary.warningCount
+ - name: Pass
+ type: integer
+ priority: 1
+ description: The number of checks that passed
+ jsonPath: .report.summary.passCount
+ served: true
+ storage: true
+ subresources:
+ status: {}

deploy/crds/operator.aquasec.com_aquacsps_crd.yaml

@@ -28,4 +28,4 @@ spec:
  served: true
  storage: true
  subresources:
- status: {}
+ status: {}

deploy/crds/operator_v1alpha1_aquakubeenforcer_cr.yaml

@@ -5,27 +5,50 @@ metadata:
 spec:
  infra:
  version: '6.5'
- serviceAccount: "aqua-kube-enforcer-sa"
+ serviceAccount: aqua-kube-enforcer
  config:
- gateway_address: "aqua-gateway.aqua:8443"
- cluster_name: "aqua-secure"
- imagePullSecret: "aqua-registry"
- token: "<<KubeEnforcer Group Token>>"
+ gateway_address: aqua-gateway:8443
+ cluster_name: aqua-secure
+ imagePullSecret: aqua-registry
+ token: "<<KUBE_ENFORCER_GROUP_TOKEN>>"
  allowAnyVersion: # Optional: running all types of images
  deploy:
  service: ClusterIP
  image:
- registry: "registry.aquasec.com"
+ registry: registry.aquasec.com
  tag: "6.5"
- repository: "kube-enforcer"
- pullPolicy: "Always"
+ repository: kube-enforcer
+ pullPolicy: Always
  resources: # Optional: Set resources requests/limits for kube-enforcer
  limits:
  cpu: "SOME VALUE"
  memory: "SOME VALUE"
  requests:
  cpu: "SOME VALUE"
  memory: "SOME VALUE"
+ starboard:
+ allowAnyVersion: true
+ infra:
+ version: 0.13.0
+ serviceAccount: starboard-operator
+ config:
+ imagePullSecret: starboard-registry
+ deploy:
+ replicas: 1
+ image:
+ registry: docker.io/aquasec
+ tag: ''
+ repository: starboard-operator
+ pullPolicy: IfNotPresent
+ logDevMode: false
+ concurrentScanJobsLimit: ''
+ scanJobRetryAfter: ''
+ metricsBindAddress: ''
+ healthProbeBindAddress: ''
+ cisKubernetesBenchmarkEnable: ''
+ vulnerabilityScannerEnabled: ''
+ batchDeleteLimit: ''
+ batchDeleteDelay: ''
  env: # Optional: environment variables to add to the kube-enforcer
  - name: "SOME ENV"
  value: "SOME ENV VALUE"

docs/DeployOpenShiftOperator.md

@@ -77,6 +77,12 @@ The **[AquaServer CRD](../deploy/crds/operator_v1alpha1_aquaserver_cr.yaml)**, *
 * You can add environment variables using ```.spec.env```.
 * You can define the kube-enforcer resources requests/limits using ```.spec.deploy.resources```.
 
+**[AquaStarboard CRD](../deploy/crds/aquasecurity.github.io_aquastarboards_crd.yaml)** is used to deploy the AquaStarboard in your target cluster by kube-enforcer.
+
+**[ClusterConfigAuditReports CRD](../deploy/crds/aquasecurity.github.io_clusterconfigauditreports_crd.yaml)** is used to deploy the ClusterConfigAuditReports in your target cluster by starboard.
+
+**[ConfigAuditReports CRD](../deploy/crds/aquasecurity.github.io_configauditreports_crd.yaml)** is used to deploy the ConfigAuditReports in your target cluster by starboard.
+
 **[AquaScanner CRD](../deploy/crds/operator_v1alpha1_aquascanner_cr.yaml)** is used to deploy the Aqua Scanner in any cluster. Please see the [example CR](../deploy/crds/operator_v1alpha1_aquascanner_cr.yaml) for the listing of all fields and configurations.
 * You need to set the target Aqua Server using the ```.spec.login.host``` property.
 * You need to provide the ```.spec.login.username``` and ```.spec.login.password``` to authenticate with the Aqua Server.
@@ -548,10 +554,10 @@ metadata:
 spec:
  infra:
  version: '6.5'
- serviceAccount: aqua-kube-enforcer-sa
+ serviceAccount: aqua-kube-enforcer
  config:
  gateway_address: 'aqua-gateway.aqua:8443' # Required: provide <<AQUA GW IP OR DNS: AQUA GW PORT>>
- cluster_name: aqua-secure # Required: provide your cluster name
+ cluster_name: aqua-secure # Required: provide your cluster namea1q 1
  imagePullSecret: aqua-registry # Required: provide the imagePullSecret name
  deploy:
  service: ClusterIP
@@ -560,6 +566,20 @@ spec:
  tag: "<<KUBE_ENFORCER_TAG>>"
  repository: kube-enforcer
  pullPolicy: Always
+ starboard:
+ allowAnyVersion: true
+ infra:
+ version: 0.13.0
+ serviceAccount: starboard-operator
+ config:
+ imagePullSecret: starboard-registry
+ deploy:
+ replicas: 1
+ image:
+ registry: docker.io/aquasec
+ tag: ''
+ repository: starboard-operator
+ pullPolicy: IfNotPresent
  token: <<KUBE_ENFORCER_GROUP_TOKEN>> # Optional: The KubeEnforcer group token (if not provided manual approval will be required) 
 ```
 

pkg/apis/addtoscheme_aquasecurity_v1alpha1.go

@@ -0,0 +1,26 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http:https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apis
+
+import (
+ "github.com/aquasecurity/aqua-operator/pkg/apis/aquasecurity/v1alpha1"
+)
+
+func init() {
+ // Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+ AddToSchemes = append(AddToSchemes, v1alpha1.SchemeBuilder.AddToScheme)
+}

pkg/apis/aquasecurity/group.go

@@ -0,0 +1,22 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http:https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package aquasecurity contains aquasecurity API versions.
+//
+// This file ensures Go source parsers acknowledge the aquasecurity package
+// and any child packages. It can be removed if any other Go source files are
+// added to this package.
+package aquasecurity

pkg/apis/aquasecurity/v1alpha1/aquastarboard_types.go

@@ -0,0 +1,68 @@
+package v1alpha1
+
+import (
+ "github.com/aquasecurity/aqua-operator/pkg/apis/operator/v1alpha1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+
+// AquaStarboardSpec defines the desired state of AquaStarboard
+type AquaStarboardSpec struct {
+ // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ // Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
+ // Add custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html
+ Infrastructure *v1alpha1.AquaInfrastructure `json:"infra,omitempty"`
+ AllowAnyVersion bool `json:"allowAnyVersion,omitempty"`
+ StarboardService *v1alpha1.AquaService `json:"deploy,required"`
+ Config v1alpha1.AquaStarboardConfig `json:"config"`
+ RegistryData *v1alpha1.AquaDockerRegistry `json:"registry,omitempty"`
+ ImageData *v1alpha1.AquaImage `json:"image,omitempty"`
+ Envs []corev1.EnvVar `json:"env,omitempty"`
+ LogDevMode bool `json:"logDevMode,omitempty"`
+ ConcurrentScanJobsLimit string `json:"concurrentScanJobsLimit,omitempty"`
+ ScanJobRetryAfter string `json:"scanJobRetryAfter,omitempty"`
+ MetricsBindAddress string `json:"metricsBindAddress,omitempty"`
+ HealthProbeBindAddress string `json:"healthProbeBindAddress,omitempty"`
+ CisKubernetesBenchmarkEnabled string `json:"cisKubernetesBenchmarkEnabled,omitempty"`
+ VulnerabilityScannerEnabled string `json:"vulnerabilityScannerEnabled,omitempty"`
+ BatchDeleteLimit string `json:"batchDeleteLimit,omitempty"`
+ BatchDeleteDelay string `json:"batchDeleteDelay,omitempty"`
+}
+
+// AquaStarboardStatus defines the observed state of AquaStarboard
+type AquaStarboardStatus struct {
+ // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+ // Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
+ // Add custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html
+ Nodes []string `json:"nodes"`
+ State v1alpha1.AquaDeploymentState `json:"state"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// AquaStarboard is the Schema for the aquastarboards API
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=aquastarboards,scope=Namespaced
+type AquaStarboard struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec AquaStarboardSpec `json:"spec,omitempty"`
+ Status AquaStarboardStatus `json:"status,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// AquaStarboardList contains a list of AquaStarboard
+type AquaStarboardList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []AquaStarboard `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&AquaStarboard{}, &AquaStarboardList{})
+}

pkg/apis/aquasecurity/v1alpha1/doc.go

@@ -0,0 +1,20 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http:https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the aquasecurity v1alpha1 API group
+// +k8s:deepcopy-gen=package,register
+// +groupName=aquasecurity.github.io
+package v1alpha1