diff --git a/CHANGELOG.md b/CHANGELOG.md index 16ebc9042bc2a0727a516e81f7c9019d8eb0dfff..7780113d111257d6ff4f2e8e63dc24cecf69fc3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [2.8.5-bb.0] (2025-03-25) +### Changed +- registry1.dso.mil/ironbank/neuvector/neuvector/controller 5.4.1 -> 5.4.3 +- registry1.dso.mil/ironbank/neuvector/neuvector/enforcer 5.4.1 -> 5.4.3 +- registry1.dso.mil/ironbank/neuvector/neuvector/manager 5.4.1 -> 5.4.3 +- registry1.dso.mil/ironbank/neuvector/neuvector/scanner 5 -> 6 +- Updated gluon from 0.5.12 to 0.5.14 + ## [2.8.3-bb.1] - 2025-02-12 ### Changed diff --git a/README.md b/README.md index b3ed1e8534608e2690e83168c4e6f27f659ba333..fa1746c8c903295369e5d4756c81d4bd51ee6af5 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # neuvector -   +   Helm chart for NeuVector's core services @@ -44,7 +44,7 @@ helm install neuvector chart/ |-----|------|---------|-------------| | openshift | bool | `false` | | | registry | string | `"registry1.dso.mil"` | | -| tag | string | `"5.4.1"` | | +| tag | string | `"5.4.3"` | | | oem | string | `nil` | | | imagePullSecrets | string | `"private-registry"` | | | psp | bool | `false` | | @@ -87,7 +87,7 @@ helm install neuvector chart/ | internal.certmanager.enabled | bool | `false` | | | internal.certmanager.secretname | string | `"neuvector-internal"` | | | internal.autoGenerateCert | bool | `true` | | -| internal.autoRotateCert | bool | `false` | | +| internal.autoRotateCert | bool | `true` | | | controller.enabled | bool | `true` | | | controller.annotations | object | `{}` | | | controller.strategy.type | string | `"RollingUpdate"` | | 
@@ -117,6 +117,7 @@ helm install neuvector chart/ | controller.nodeSelector | object | `{}` | | | controller.apisvc.type | string | `nil` | | | controller.apisvc.annotations | object | `{}` | | +| controller.apisvc.nodePort | string | `nil` | | | controller.apisvc.route.enabled | bool | `false` | | | controller.apisvc.route.termination | string | `"passthrough"` | | | controller.apisvc.route.host | string | `nil` | | @@ -206,7 +207,7 @@ helm install neuvector chart/ | controller.certupgrader.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | | controller.prime.enabled | bool | `false` | | | controller.prime.image.repository | string | `"neuvector/compliance-config"` | | -| controller.prime.image.tag | string | `"1.0.1"` | | +| controller.prime.image.tag | string | `"1.0.4"` | | | controller.prime.image.hash | string | `nil` | | | enforcer.enabled | bool | `true` | | | enforcer.image.repository | string | `"ironbank/neuvector/neuvector/enforcer"` | | @@ -236,6 +237,7 @@ helm install neuvector chart/ | manager.env.envs[0].name | string | `"JDK_JAVA_OPTIONS"` | | | manager.env.envs[0].value | string | `"-Dcom.redhat.fips=false"` | | | manager.svc.type | string | `"ClusterIP"` | | +| manager.svc.nodePort | string | `nil` | | | manager.svc.loadBalancerIP | string | `nil` | | | manager.svc.annotations | object | `{}` | | | manager.route.enabled | bool | `true` | | @@ -273,7 +275,7 @@ helm install neuvector chart/ | manager.probes.startupFailureThreshold | int | `30` | | | cve.adapter.enabled | bool | `false` | | | cve.adapter.image.repository | string | `"neuvector/registry-adapter"` | | -| cve.adapter.image.tag | string | `"0.1.3"` | | +| cve.adapter.image.tag | string | `"0.1.6"` | | | cve.adapter.image.hash | string | `nil` | | | cve.adapter.priorityClassName | string | `nil` | | | cve.adapter.resources | object | `{}` | | 
@@ -292,7 +294,7 @@ helm install neuvector chart/ | cve.adapter.certificate.pemFile | string | `"tls.crt"` | | | cve.adapter.harbor.protocol | string | `"https"` | | | cve.adapter.harbor.secretName | string | `nil` | | -| cve.adapter.svc.type | string | `"NodePort"` | | +| cve.adapter.svc.type | string | `"ClusterIP"` | | | cve.adapter.svc.loadBalancerIP | string | `nil` | | | cve.adapter.svc.annotations | object | `{}` | | | cve.adapter.route.enabled | bool | `true` | | @@ -338,7 +340,7 @@ helm install neuvector chart/ | cve.scanner.strategy.rollingUpdate.maxSurge | int | `1` | | | cve.scanner.strategy.rollingUpdate.maxUnavailable | int | `0` | | | cve.scanner.image.repository | string | `"ironbank/neuvector/neuvector/scanner"` | | -| cve.scanner.image.tag | string | `"5"` | | +| cve.scanner.image.tag | string | `"6"` | | | cve.scanner.image.hash | string | `nil` | | | cve.scanner.priorityClassName | string | `nil` | | | cve.scanner.resources | object | `{}` | | @@ -361,6 +363,8 @@ helm install neuvector chart/ | cve.scanner.containerSecurityContext.runAsGroup | int | `1000` | | | cve.scanner.containerSecurityContext.runAsNonRoot | bool | `true` | | | cve.scanner.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| cve.scanner.volumes | string | `nil` | | +| cve.scanner.volumeMounts | string | `nil` | | | resources | object | `{}` | | | runtimePath | string | `nil` | | | docker.path | string | `"/var/run/docker.sock"` | | @@ -410,6 +414,7 @@ helm install neuvector chart/ | monitor.exporter.enabled | bool | `false` | | | monitor.exporter.serviceMonitor.enabled | bool | `false` | | | monitor.exporter.svc.enabled | bool | `false` | | +| lease.enabled | bool | `true` | | | bbtests.enabled | bool | `false` | | | bbtests.cypress.artifacts | bool | `true` | | | bbtests.cypress.envs.cypress_url | string | `"http://neuvector-service-webui.{{ .Release.Namespace }}.svc.cluster.local:8443"` | | 
diff --git a/chart/Chart.lock b/chart/Chart.lock index b05ec4377ba76e6152b5a77afb7ac6d33666c987..ed3863687d80af9dd776469f229a2303dd99be50 100644 --- a/chart/Chart.lock +++ b/chart/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: monitor repository: file://./deps/monitor - version: 2.6.3 + version: 2.8.5 - name: gluon repository: oci://registry1.dso.mil/bigbang - version: 0.5.12 -digest: sha256:86278d93fc2e07fd36143f17d4569f74b86f3f0a943888e0adfb8d9c3160e999 -generated: "2024-12-03T10:12:38.721016-05:00" + version: 0.5.14 +digest: sha256:199b7082c9f4d660326567ed73f7fcd3d764cc205d31533689ee8f489e1a963a +generated: "2025-03-25T16:33:24.520229-04:00" diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 8eeb44f56d1d259587b5e74b697520cb2f5ed194..509d293a78778b28154cabc032eca3ef7be7dc8d 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ name: neuvector apiVersion: v2 -version: 2.8.3-bb.1 -appVersion: 5.4.1 +version: 2.8.5-bb.0 +appVersion: 5.4.3 description: Helm chart for NeuVector's core services home: https://neuvector.com icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 @@ -11,12 +11,12 @@ maintainers: engine: gotpl dependencies: - name: monitor - version: 2.6.3 + version: 2.8.5 alias: monitor condition: monitor.install repository: file://./deps/monitor - name: gluon - version: "0.5.12" + version: "0.5.14" repository: "oci://registry1.dso.mil/bigbang" annotations: bigbang.dev/maintenanceTrack: bb_integrated 
@@ -24,23 +24,23 @@ annotations: - [Find our upstream chart's CHANGELOG here](https://repo1.dso.mil/big-bang/product/packages/neuvector/-/blob/main/CHANGELOG.md?ref_type=heads) - [and our upstream application release notes here](https://github.com/neuvector/neuvector/releases) bigbang.dev/applicationVersions: | - - NeuVector: 5.4.1 + - NeuVector: 5.4.3 helm.sh/images: | - name: controller condition: controller.enabled - image: registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.4.1 + image: registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.4.3 - name: enforcer condition: enforcer.enabled - image: registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.4.1 + image: registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.4.3 - name: manager condition: manager.enabled - image: registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.4.1 + image: registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.4.3 - name: scanner condition: cve.scanner.enabled - image: registry1.dso.mil/ironbank/neuvector/neuvector/scanner:5 + image: registry1.dso.mil/ironbank/neuvector/neuvector/scanner:6 - name: updater condition: cve.updater.enabled image: registry1.dso.mil/ironbank/big-bang/base:2.1.0 - name: exporter condition: monitor.exporter.enabled - image: registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:5.3.2 + image: registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:1.0.0 diff --git a/chart/Kptfile b/chart/Kptfile index ca6fa57a77b82f2d9d2d9891fbd1e1b610450b18..2686ab0247881e69e185bc5ff23739c29d092c43 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 94c474eb7dc7b917acdd8c21c1193bdd2d2722f2 + commit: fee6327bffc6eeba782ef18d502f0d9e6a70033f repo: https://github.com/neuvector/neuvector-helm directory: charts/core - ref: v2.8.3 + ref: v2.8.5 
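Review bot: The exporter entry in the `helm.sh/images` annotation now pins `registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:1.0.0`, while `chart/deps/monitor/Chart.yaml` in this same commit moves the monitor subchart's `appVersion` to `1.0.2`; the two tags should agree, because this annotation is (presumably) what Big Bang's image inventory and pre-pull tooling read, so a mismatch means either an image is pulled that the chart never deploys or the deployed one is missed. Confirm the tag against the exporter image tag set in the monitor subchart's values (not in this diff) and align whichever side is wrong, e.g. `image: registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:1.0.2` if the values carry 1.0.2. The other entries in this hunk (controller/enforcer/manager `5.4.3`, scanner `6`) are consistent with the `appVersion` and README changes elsewhere in the commit. The exporter retag from `5.3.2` to a `1.0.x` line and the monitor bump from 2.6.3 to 2.8.5 are not recorded in the CHANGELOG entry added in this commit; a line for each would help anyone reviewing the upgrade, since a lower-looking tag on a security monitoring component is easy to misread as a downgrade.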
diff --git a/chart/README.md b/chart/README.md index 4524ca8ba7f46d9fbcd8c14621951d0cd8fab3b4..1346000ca57a2083fa2826d8fc9c41643795b967 100644 --- a/chart/README.md +++ b/chart/README.md @@ -10,6 +10,22 @@ Because the CRD (Custom Resource Definition) policies can be deployed before Neu Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more. + +## Scan caching +Scan caching can be enabled by editing values.yaml or creating below override file and pass them with "-f" option on HELM commands. +```console +cve: + scanner: + volumes: + - name: scan-cache + hostPath: + path: /tmp/ + type: "" + volumeMounts: + - mountPath: /tmp/images/caches + name: scan-cache +``` + ## Configuration The following table lists the configurable parameters of the NeuVector chart and their default values. 
@@ -76,6 +92,7 @@ Parameter | Description | Default | Notes `controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | `controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | `controller.apisvc.type` | Controller REST API service type | `nil` | +`controller.apisvc.nodePort` | Controller REST API service NodePort number | `nil` | `controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` | `controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` | `controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` | @@ -180,6 +197,7 @@ Parameter | Description | Default | Notes `CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. | `CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) | `manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`manager.svc.nodePort` | set manager service NodePort number | `nil` | `manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | `manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml) `manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | 
@@ -297,6 +315,7 @@ Parameter | Description | Default | Notes `crdwebhooksvc.enabled` | Enable crd service | `true` | `crdwebhook.enabled` | Create crd resources | `true` | `crdwebhook.type` | crd webhook type | `ClusterIP` | +`lease.enabled` | Create lease object or not | `true` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/chart/charts/gluon-0.5.12.tgz b/chart/charts/gluon-0.5.12.tgz deleted file mode 100644 index 002bdc40c2d4eb3144041bde2fab7d61a60c84d4..0000000000000000000000000000000000000000 Binary files a/chart/charts/gluon-0.5.12.tgz and /dev/null differ diff --git a/chart/charts/gluon-0.5.14.tgz b/chart/charts/gluon-0.5.14.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c99d9e0f44b4d35311fda2b49ee005cbbea4fb67 Binary files /dev/null and b/chart/charts/gluon-0.5.14.tgz differ diff --git a/chart/charts/monitor-2.6.3.tgz b/chart/charts/monitor-2.6.3.tgz deleted file mode 100644 index bdb8289fd2f7b00a7332aa0fd64a542410c02cc6..0000000000000000000000000000000000000000 Binary files a/chart/charts/monitor-2.6.3.tgz and /dev/null differ diff --git a/chart/charts/monitor-2.8.5.tgz b/chart/charts/monitor-2.8.5.tgz new file mode 100644 index 0000000000000000000000000000000000000000..605ecb1547850e4bdcb927fc959171850bb6a20c Binary files /dev/null and b/chart/charts/monitor-2.8.5.tgz differ diff --git a/chart/deps/monitor/Chart.yaml b/chart/deps/monitor/Chart.yaml index 849920bf2f74ae4f64de07c9d08372b28aa3e38a..a3635cba339cc35cad7fa5f427fc6d2165ef18ea 100644 --- a/chart/deps/monitor/Chart.yaml +++ b/chart/deps/monitor/Chart.yaml @@ -1,7 +1,7 @@ name: monitor apiVersion: v1 -version: 2.6.3 -appVersion: 5.3.0 +version: 2.8.5 +appVersion: 1.0.2 description: Helm chart for NeuVector monitor services home: https://neuvector.com icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 
diff --git a/chart/deps/monitor/Kptfile b/chart/deps/monitor/Kptfile index ce59fe36e8cfae64657ff5373b7f2e9badb5971d..4c6c97062bbb0fbc16c474d576e0497af9f61ede 100644 --- a/chart/deps/monitor/Kptfile +++ b/chart/deps/monitor/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 0f686c8f614b895904a6e94c7d9935d8b6202dd9 + commit: fee6327bffc6eeba782ef18d502f0d9e6a70033f repo: https://github.com/neuvector/neuvector-helm directory: /charts/monitor - ref: 2.6.3 + ref: v2.8.5 diff --git a/chart/deps/monitor/README.md b/chart/deps/monitor/README.md index b1bd3f81710727091e81e78875843c878f2d05c0..3566c0d32fbe891d850d21cf774d63037025c914 100644 --- a/chart/deps/monitor/README.md +++ b/chart/deps/monitor/README.md @@ -15,8 +15,9 @@ Parameter | Description | Default | Notes `exporter.enabled` | If true, create Prometheus exporter | `false` | `exporter.image.repository` | exporter image name | `neuvector/prometheus-exporter` | `exporter.image.tag` | exporter image tag | `latest` | +`exporter.ctrlSecretName` | existing secret that have CTRL_USERNAME and CTRL_PASSWORD fields to login to the controller. | `nil` | if parameter exists then `exporter.CTRL_USERNAME` & `exporter.CTRL_PASSWORD` will be skipped `exporter.CTRL_USERNAME` | Username to login to the controller. Suggest to replace the default admin user to a read-only user | `admin` | `exporter.CTRL_PASSWORD` | Password to login to the controller. | `admin` | - +`exporter.enforcerStats.enabled` | If true, enable the Enforcers stats | `false` | For the performance reason, by default the exporter does NOT pull CPU/memory usage from enforcers. --- Contact <support@neuvector.com> for access to Docker Hub and docs. diff --git a/chart/deps/monitor/dashboards/nv_dashboard.json b/chart/deps/monitor/dashboards/nv_dashboard.json index ad7ce631be41a465c3a2be21217bfd7c4258b829..1da8b12e94b1664f39c89048f4c0598c8696d62a 100644 --- a/chart/deps/monitor/dashboards/nv_dashboard.json 
+++ b/chart/deps/monitor/dashboards/nv_dashboard.json @@ -1,4 +1,59 @@ { + "__inputs": [ + { + "name": "datasource", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "10.2.3" + }, + { + "type": "panel", + "id": "piechart", + "name": "Pie chart", + "version": "" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], "annotations": { "list": [ { @@ -24,6 +79,7 @@ "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, + "id": null, "links": [], "liveNow": false, "panels": [ @@ -40,17 +96,22 @@ }, "id": 38, "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, "content": "<div style=\"text-align:center\">\n \n <br>\n <br>\n [Documentation](https://open-docs.neuvector.com)<br>\n </br>\n [Users Slack Channel](https://rancher-users.slack.com/archives/C036F6JDZ8C)<br>\n </br>\n [GitHub](https://github.com/neuvector)\n\n</div>", "mode": "markdown" }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "title": "NeuVector Product Links", "type": "text" }, { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { 
@@ -103,14 +164,15 @@ "values": false }, "text": {}, - "textMode": "auto" + "textMode": "auto", + "wideLayout": true }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "exemplar": true, "expr": "nv_summary_enforcers", @@ -128,7 +190,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -182,14 +244,15 @@ "values": false }, "text": {}, - "textMode": "auto" + "textMode": "auto", + "wideLayout": true }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "exemplar": true, "expr": "nv_summary_cvedbVersion", @@ -207,7 +270,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -261,14 +324,15 @@ "values": false }, "text": {}, - "textMode": "auto" + "textMode": "auto", + "wideLayout": true }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "exemplar": true, "expr": "nv_summary_pods", @@ -286,7 +350,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -294,6 +358,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -307,6 +372,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -366,7 +432,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "editorMode": "code", "exemplar": true, @@ -385,7 +451,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { 
@@ -442,14 +508,15 @@ "values": false }, "text": {}, - "textMode": "auto" + "textMode": "auto", + "wideLayout": true }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "exemplar": true, "expr": "nv_admission_denied", @@ -467,7 +534,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -538,14 +605,15 @@ "values": false }, "text": {}, - "textMode": "auto" + "textMode": "auto", + "wideLayout": true }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "exemplar": true, "expr": "nv_summary_controllers", @@ -563,7 +631,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -621,14 +689,15 @@ "values": false }, "text": {}, - "textMode": "value" + "textMode": "value", + "wideLayout": true }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "exemplar": true, "expr": "nv_summary_disconnectedEnforcers", @@ -652,7 +721,7 @@ ], "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -661,7 +730,9 @@ }, "custom": { "align": "center", - "displayMode": "auto", + "cellOptions": { + "type": "auto" + }, "filterable": false, "inspect": false, "width": 300 @@ -690,8 +761,10 @@ "value": 101 }, { - "id": "custom.displayMode", - "value": "color-text" + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } }, { "id": "color", @@ -778,7 +851,9 @@ "id": 29, "links": [], "options": { + "cellHeight": "sm", "footer": { + "countRows": false, "enablePagination": true, "fields": "", "reducer": [ 
@@ -794,7 +869,7 @@ } ] }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "scroll": true, "showHeader": true, "sort": { @@ -839,7 +914,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "editorMode": "code", "exemplar": false, @@ -947,7 +1022,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -955,6 +1030,7 @@ "mode": "palette-classic" }, "custom": { + "axisBorderShow": false, "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", @@ -968,6 +1044,7 @@ "tooltip": false, "viz": false }, + "insertNulls": false, "lineInterpolation": "linear", "lineWidth": 1, "pointSize": 5, @@ -1027,7 +1104,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "editorMode": "code", "exemplar": true, @@ -1046,7 +1123,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -1140,7 +1217,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "expr": "sum(nv_container_vulnerabilityHigh) by (service)", "format": "table", @@ -1153,7 +1230,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "expr": "sum(nv_container_vulnerabilityMedium) by (service)", "format": "table", 
@@ -1186,102 +1263,151 @@ "type": "piechart" }, { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [ + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsZero", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + }, + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsNull", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + } + ] }, - "fill": 0, - "fillGradient": 0, "gridPos": { "h": 6, "w": 12, "x": 12, "y": 12 }, - "hiddenSeries": false, "id": 10, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, "links": [], - "nullPointMode": "null", "options": { - 
"alertThreshold": true + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } }, - "percentage": false, - "pluginVersion": "9.1.5", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, + "editorMode": "code", "exemplar": true, "expr": "max(nv_enforcer_cpu) by (display)\n", "format": "time_series", "interval": "", "intervalFactor": 1, "legendFormat": "{{display}}", + "range": true, "refId": "A" } ], - "thresholds": [], - "timeRegions": [], "title": "Enforcer CPU Usage", - "tooltip": { - "shared": true, - "sort": 2, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "mode": "time", - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:865", - "format": "percentunit", - "logBase": 1, - "show": true - }, - { - "$$hashKey": "object:866", - "format": "short", - "logBase": 1, - "show": true - } - ], - "yaxis": { - "align": false - } + "type": "timeseries" }, { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -1290,7 +1416,9 @@ }, "custom": { "align": "center", - "displayMode": "auto", + "cellOptions": { + "type": "auto" + }, "inspect": false, "width": 101 }, @@ -1353,8 +1481,10 @@ } }, { - "id": "custom.displayMode", - "value": "color-text" + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } } ] }, @@ -1365,8 +1495,10 @@ }, "properties": [ { - "id": "custom.displayMode", - "value": "color-text" + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } }, { "id": "displayName", 
@@ -1421,7 +1553,9 @@ "id": 36, "links": [], "options": { + "cellHeight": "sm", "footer": { + "countRows": false, "enablePagination": true, "fields": "", "reducer": [ @@ -1432,12 +1566,12 @@ "showHeader": true, "sortBy": [] }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "editorMode": "code", "expr": "sum(nv_container_vulnerabilityHigh) by (exported_service)", @@ -1451,7 +1585,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "editorMode": "code", "expr": "sum(nv_container_vulnerabilityMedium) by (exported_service)", @@ -1487,7 +1621,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "fieldConfig": { "defaults": { @@ -1496,7 +1630,9 @@ }, "custom": { "align": "center", - "displayMode": "auto", + "cellOptions": { + "type": "auto" + }, "filterable": false, "inspect": false, "minWidth": 50 @@ -1556,8 +1692,10 @@ "value": "none" }, { - "id": "custom.displayMode", - "value": "color-text" + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } }, { "id": "color" @@ -1595,8 +1733,10 @@ "value": "none" }, { - "id": "custom.displayMode", - "value": "color-text" + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } }, { "id": "thresholds", @@ -1630,7 +1770,9 @@ "id": 33, "links": [], "options": { + "cellHeight": "sm", "footer": { + "countRows": false, "enablePagination": true, "fields": "", "reducer": [ @@ -1640,12 +1782,12 @@ }, "showHeader": true }, - "pluginVersion": "9.1.5", + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "expr": "sum(nv_image_vulnerabilityHigh) by (name)", "format": "table", 
@@ -1658,7 +1800,7 @@ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "expr": "sum(nv_image_vulnerabilityMedium) by (name)", "format": "table", 
@@ -1691,56 +1833,132 @@ "type": "table" }, { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [ + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsZero", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + }, + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsNull", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + } + ] }, - "fill": 0, - "fillGradient": 0, "gridPos": { "h": 6, "w": 12, "x": 12, "y": 18 }, - "hiddenSeries": false, "id": 35, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, "links": [], - "nullPointMode": "null", "options": { - 
"alertThreshold": true + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } }, - "percentage": false, - "pluginVersion": "9.1.5", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, + "pluginVersion": "10.2.3", "targets": [ { "datasource": { "type": "prometheus", - "uid": "prometheus" + "uid": "${datasource}" }, "exemplar": true, "expr": "max(nv_enforcer_memory) by (display)", @@ -1751,45 +1969,35 @@ "refId": "A" } ], - "thresholds": [], - "timeRegions": [], "title": "Enforcer Memory Usage", - "tooltip": { - "shared": true, - "sort": 2, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "mode": "time", - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:940", - "format": "bytes", - "logBase": 1, - "show": true - }, - { - "$$hashKey": "object:941", - "format": "short", - "logBase": 1, - "show": true - } - ], - "yaxis": { - "align": false - } + "type": "timeseries" } ], "refresh": "15s", - "schemaVersion": 37, - "style": "dark", + "schemaVersion": 39, "tags": [], "templating": { - "list": [] + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "prometheus" + }, + "hide": 0, + "includeAll": false, + "label": "Data Source", + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] }, "time": { "from": "now-5m", @@ -1823,6 +2031,6 @@ "timezone": "UTC", "title": "NeuVector", "uid": "nv_dashboard0001", - "version": 2, + "version": 1, "weekStart": "" -} +} \ No newline at end of file 
diff --git a/chart/deps/monitor/templates/dashboard.yaml b/chart/deps/monitor/templates/dashboard.yaml index 72c5d9f7094bb138802a235e6d8329780faf2d73..9a6840a4d8cbacfdcbb3b48568926cdeada9a1db 100644 --- a/chart/deps/monitor/templates/dashboard.yaml +++ b/chart/deps/monitor/templates/dashboard.yaml @@ -9,6 +9,10 @@ metadata: {{- if .Values.exporter.grafanaDashboard.labels }} {{- toYaml .Values.exporter.grafanaDashboard.labels | nindent 4}} {{- end }} +{{- if .Values.exporter.grafanaDashboard.annotations }} + annotations: + {{- toYaml .Values.exporter.grafanaDashboard.annotations | nindent 4}} +{{- end }} data: nv_dashboard.json: | {{ .Files.Get "dashboards/nv_dashboard.json" | indent 4 }} diff --git a/chart/deps/monitor/templates/exporter-deployment.yaml b/chart/deps/monitor/templates/exporter-deployment.yaml index c4365969a8c97d260001b72274f9d26048a773aa..d9ab4da5066ce1689cdb65ca7fca51ec46ae4552 100644 --- a/chart/deps/monitor/templates/exporter-deployment.yaml +++ b/chart/deps/monitor/templates/exporter-deployment.yaml @@ -39,6 +39,10 @@ spec: serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} {{- end }} + {{- with .Values.exporter.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: neuvector-prometheus-exporter-pod {{ if eq .Values.registry "docker.io/neuvector" }} @@ -59,8 +63,16 @@ spec: value: neuvector-svc-controller:10443 - name: EXPORTER_PORT value: "8068" + {{- if .Values.exporter.enforcerStats.enabled }} + - name: ENFORCER_STATS + value: "{{ .Values.exporter.enforcerStats.enabled | default 'false' }}" + {{- end }} envFrom: - secretRef: + {{- if .Values.exporter.ctrlSecretName }} + name: {{ .Values.exporter.ctrlSecretName }} + {{ else }} name: neuvector-prometheus-exporter-pod-secret + {{- end }} restartPolicy: Always {{- end }} 
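Review bot: The pod-level `securityContext` is emitted only when `exporter.securityContext` is set, and none of the monitor values.yaml hunks in this diff add a default for it, so the exporter pod still runs without `runAsNonRoot` or a `seccompProfile` out of the box. Shipping a default in values.yaml (for example `securityContext: {runAsNonRoot: true, seccompProfile: {type: RuntimeDefault}}`) keeps the hardening on by default instead of opt-in. The enclosing pod spec starts and ends outside the hunk.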
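Review bot: The `| default 'false'` on the ENFORCER_STATS value line can never take effect, because the whole block is inside `{{- if .Values.exporter.enforcerStats.enabled }}`, where the value is by definition truthy. More importantly, if `exporter.enforcerStats` is not declared in values.yaml (the values.yaml hunks in this diff do not add it), Helm aborts rendering with a nil-pointer error on `.enabled`, breaking every install rather than just omitting the variable; guard it with `{{- if and .Values.exporter.enforcerStats .Values.exporter.enforcerStats.enabled }}` or add `enforcerStats: {enabled: false}` to values.yaml. The `{{ else }}` in the secretRef block lacks the `-` trim used by the surrounding tags and leaves a whitespace-only line in the rendered manifest; `{{- else }}` keeps it consistent. The enclosing container spec starts and ends outside the hunk.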
diff --git a/chart/deps/monitor/templates/exporter-service.yaml b/chart/deps/monitor/templates/exporter-service.yaml index e67e168625aebd59692bf81e44a687eb449c2e7e..9d15b115e12a38a5a8e11a5f5e3c7e4dcd37bf2f 100644 --- a/chart/deps/monitor/templates/exporter-service.yaml +++ b/chart/deps/monitor/templates/exporter-service.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled -}} +{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled }} apiVersion: v1 kind: Service metadata: diff --git a/chart/deps/monitor/templates/secret.yaml b/chart/deps/monitor/templates/secret.yaml index 9a04ac476de70d006a118c12f721d40a3edeb53a..a7517959954f739da004c201e6245afa3da941fa 100644 --- a/chart/deps/monitor/templates/secret.yaml +++ b/chart/deps/monitor/templates/secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.exporter.enabled -}} +{{- if and (.Values.exporter.enabled) (not .Values.exporter.ctrlSecretName) -}} apiVersion: v1 kind: Secret metadata: diff --git a/chart/deps/monitor/values.yaml b/chart/deps/monitor/values.yaml index 544df5427d2a29cf21276de5419e0821981e60c5..d2f1e4812191356528c7fece33d6899dbccce7e4 100644 --- a/chart/deps/monitor/values.yaml +++ b/chart/deps/monitor/values.yaml @@ -2,17 +2,16 @@ # This is a YAML-formatted file. # Declare variables to be passed into the templates. -serviceAccount: default - registry: registry1.dso.mil -oem: +oem: '' +leastPrivilege: false exporter: # If false, exporter will not be installed enabled: false image: repository: ironbank/neuvector/neuvector/prometheus-exporter - tag: 5.3.2 + tag: 1.0.0 # changes this to a readonly user ! CTRL_USERNAME: admin CTRL_PASSWORD: admin 
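Review bot: `serviceAccount: default` is dropped from the monitor values while exporter-deployment.yaml still renders `serviceAccountName: {{ .Values.serviceAccount }}` and `serviceAccount: {{ .Values.serviceAccount }}`; unless the parent chart now supplies that value, both fields render as null, which Kubernetes resolves to the `default` service account — the same outcome as before, but implicit. If that is the intent, those two template lines can go as well; otherwise restore the default so the rendered manifest stays explicit. The guard around those template lines is outside the hunks shown, so whether it already short-circuits on an empty value cannot be confirmed here.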
@@ -27,13 +26,20 @@ exporter: podAnnotations: {} svc: - enabled: false - type: NodePort - loadBalancerIP: + enabled: true + type: ClusterIP + loadBalancerIP: '' annotations: {} # service.beta.kubernetes.io/azure-load-balancer-internal: "true" # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + grafanaDashboard: + enabled: false + namespace: "" # Release namespace, if empty + labels: {} + # annotations: {} + # k8s-sidecar-target-directory: /tmp/dashboards/neuvector + serviceMonitor: enabled: false scheme: "" @@ -50,7 +56,3 @@ exporter: # RelabelConfigs to apply to samples before scraping # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig relabelings: [] - - grafanaDashboard: - enabled: false - labels: {} diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml index 49228b70c35e11c53f0d0abd72d966f0122ee0b6..e4612bd6c1598afed8b6da819bde0fc513c0455d 100644 --- a/chart/templates/clusterrole.yaml +++ b/chart/templates/clusterrole.yaml @@ -97,6 +97,31 @@ rules: --- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvgroupdefinitions + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvgroupdefinitions + verbs: + - get + - list + - delete + +--- + {{- if $oc4 }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/chart/templates/controller-lease.yaml b/chart/templates/controller-lease.yaml index cccde54795fc7f5b6679a1a7a8a8c1df073877bf..0c8fdb7154818a542b3b36343e4a444ebc217d12 100644 --- a/chart/templates/controller-lease.yaml +++ b/chart/templates/controller-lease.yaml 
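Review bot: The new `neuvector-binding-nvgroupdefinitions` ClusterRole grants `get`, `list` and `delete` on `nvgroupdefinitions` cluster-wide, and the ClusterRoleBindings added in crd-role-least.yaml and crd-role.yaml bind it to the controller service account, although crd.yaml in this same diff declares the CRD as `scope: Namespaced`. If the controller only needs to read and clean up definitions in its own namespace, a namespaced Role plus RoleBinding is the narrower grant; confirm against the controller's actual access pattern before widening. If the controller watches these objects rather than polling, `watch` is missing from the verb list and will show up as RBAC denials at runtime.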
@@ -1,3 +1,4 @@ +{{- if .Values.lease.enabled }} {{- if .Values.internal.autoGenerateCert }} apiVersion: coordination.k8s.io/v1 kind: Lease @@ -6,3 +7,4 @@ metadata: spec: leaseTransitions: 0 {{- end }} +{{- end }} diff --git a/chart/templates/controller-service.yaml b/chart/templates/controller-service.yaml index 4705d491b949f2ff925445d00af619679d0da26d..0dc6ab91ae307ddd75f16a7175887421dcb22b41 100644 --- a/chart/templates/controller-service.yaml +++ b/chart/templates/controller-service.yaml @@ -40,6 +40,9 @@ spec: ports: - port: 10443 protocol: "TCP" +{{- if .Values.controller.apisvc.nodePort }} + nodePort: {{ .Values.controller.apisvc.nodePort }} +{{- end }} name: "controller-api" appProtocol: HTTPS selector: diff --git a/chart/templates/crd-role-least.yaml b/chart/templates/crd-role-least.yaml index 45222a48ea128e87a10cd5d686d2661804bcfb20..81bb87a4b149e263b07fdf7cfc80761b9f742a05 100644 --- a/chart/templates/crd-role-least.yaml +++ b/chart/templates/crd-role-least.yaml @@ -400,4 +400,35 @@ userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller {{- end }} +--- + +# ClusterRoleBinding for NeuVector to manage name referral for common groups +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvgroupdefinitions + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvgroupdefinitions +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + {{- end }} 
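Review bot: `nodePort` is emitted whenever `controller.apisvc.nodePort` is set, regardless of `controller.apisvc.type`; the API server rejects a ClusterIP Service that carries a nodePort, so a user who sets the port but leaves the type at its empty default gets an opaque install failure. Gate on the type as well, e.g. `{{- if and .Values.controller.apisvc.nodePort (has .Values.controller.apisvc.type (list "NodePort" "LoadBalancer")) }}`, or `fail` with a message explaining the dependency. The same pattern appears in manager-service.yaml. Because a NodePort exposes the controller API on every node's interfaces, the values.yaml comment for the new key should say so; the enclosing Service spec starts and ends outside the hunk.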
diff --git a/chart/templates/crd-role.yaml b/chart/templates/crd-role.yaml index ffa029c46907260feeff2d2f59fbf6be4000d557..63feece20f59c6b647f47e817561c83aeaec4a2f 100644 --- a/chart/templates/crd-role.yaml +++ b/chart/templates/crd-role.yaml @@ -400,4 +400,35 @@ userNames: - system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} {{- end }} +--- + +# Clusterrolebinding for Neuvector to manage name referral for common groups +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvgroupdefinitions + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvgroupdefinitions +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + {{- end }} diff --git a/chart/templates/crd.yaml b/chart/templates/crd.yaml index 15834c9dfe85bf211bb42b781f9bd5fbc930abf9..c97bbdfaa93cce7a92be9799ece9e4e6fa4957ba 100644 --- a/chart/templates/crd.yaml +++ b/chart/templates/crd.yaml @@ -72,6 +72,8 @@ spec: type: array name: type: string + name_referral: + type: boolean original_name: type: string required: @@ -143,6 +145,8 @@ spec: type: array name: type: string + name_referral: + type: boolean original_name: type: string required: @@ -218,6 +222,8 @@ spec: type: array name: type: string + name_referral: + type: boolean original_name: type: string mon_metric: @@ -351,6 +357,8 @@ spec: type: array name: type: string + name_referral: + type: boolean original_name: type: string required: 
@@ -422,6 +430,8 @@ spec: type: array name: type: string + name_referral: + type: boolean original_name: type: string required: @@ -497,6 +507,8 @@ spec: type: array name: type: string + name_referral: + type: boolean original_name: type: string mon_metric: @@ -974,4 +986,63 @@ spec: type: object type: object {{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvgroupdefinitions.neuvector.com +spec: + group: neuvector.com + names: + kind: NvGroupDefinition + listKind: NvGroupDefinitionList + plural: nvgroupdefinitions + singular: nvgroupdefinition + scope: Namespaced +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + required: + - name + type: object + required: + - selector + type: object + type: object +{{- end }} {{- end }} diff --git a/chart/templates/manager-service.yaml b/chart/templates/manager-service.yaml index b310f63d7abc20ba13cd409f01663f6578fd6d85..b9476748a8b6b56ae0659c3b9307f5edad8e1e52 100644 --- a/chart/templates/manager-service.yaml +++ b/chart/templates/manager-service.yaml 
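Review bot: The NvGroupDefinition CRD carries an `openAPIV3Schema` only on the `>=1.19` branch; on the v1beta1 path it is created with no schema at all, so those clusters accept arbitrary objects unvalidated. Either put the same schema under the v1beta1 `validation:` field or drop that branch if clusters below 1.19 are no longer supported (the support floor is not visible in this diff). Within the schema, `criteria` items require `key`, `op` and `value` but `op` has no `enum`, so a malformed operator passes admission and is only caught by the controller — worth tightening if the operator set is fixed.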
@@ -20,6 +20,9 @@ spec: - port: 8443 name: manager protocol: TCP +{{- if .Values.manager.svc.nodePort }} + nodePort: {{ .Values.manager.svc.nodePort }} +{{- end }} {{- if or (.Capabilities.KubeVersion.GitVersion | contains "-eks") (.Capabilities.KubeVersion.GitVersion | contains "-gke") }} {{- if .Values.manager.env.ssl }} appProtocol: HTTPS diff --git a/chart/templates/registry-adapter-secret.yaml b/chart/templates/registry-adapter-secret.yaml index 66f0d80e23c1894c366aa401d4fa2fc90a4ceabe..3317e93415d7cf1db3815fad3ce9f02846d6205d 100644 --- a/chart/templates/registry-adapter-secret.yaml +++ b/chart/templates/registry-adapter-secret.yaml @@ -5,7 +5,7 @@ {{- $cert = (dict "Key" .Values.cve.adapter.certificate.key "Cert" .Values.cve.adapter.certificate.certificate ) }} {{- else }} {{- $cn := "neuvector" }} -{{- $cert = genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +{{- $cert = genSelfSignedCert $cn nil (list $cn (print "neuvector-service-registry-adapter." (default "neuvector" .Release.Namespace) ".svc.cluster.local") "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} {{- end }} apiVersion: v1 diff --git a/chart/templates/rolebinding-least.yaml b/chart/templates/rolebinding-least.yaml index a3effd3f8895944455471fa0b425c475eed36f87..d40085351973bab278455cbfe18e694e592e6649 100644 --- a/chart/templates/rolebinding-least.yaml +++ b/chart/templates/rolebinding-least.yaml @@ -98,7 +98,6 @@ subjects: userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller {{- end }} -{{- end }} --- {{- if $oc3 }} apiVersion: authorization.openshift.io/v1 @@ -128,6 +127,7 @@ subjects: userNames: - system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader {{- end }} +{{- end }} --- {{- if $oc3 }} apiVersion: authorization.openshift.io/v1 
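Review bot: Moving the closing `{{- end }}` past the cert-upgrader RoleBinding changes which resources are governed by the conditional it closes, and that conditional's opening is outside both hunks, so the intent cannot be verified from the diff. A Go-template comment on the moved line, e.g. `{{- end }}{{/* end: if <CONDITION-PLACEHOLDER> */}}`, would make the nesting reviewable. rolebinding.yaml receives the same move. If the condition is the one that also gates the cert-upgrader workload, binding and workload now appear and disappear together, which is the safer direction; if not, cert-upgrader could be deployed without its RoleBinding.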
diff --git a/chart/templates/rolebinding.yaml b/chart/templates/rolebinding.yaml index 8a721dc74c16df916f407adb7f8724fbc2cd4179..ee2e9f6c39fefe6f7b21f01c6e23624c999bd90a 100644 --- a/chart/templates/rolebinding.yaml +++ b/chart/templates/rolebinding.yaml @@ -110,7 +110,6 @@ subjects: - kind: ServiceAccount name: {{ .Values.serviceAccount }} namespace: {{ .Release.Namespace }} -{{- end }} --- {{- if $oc3 }} apiVersion: authorization.openshift.io/v1 @@ -170,4 +169,5 @@ userNames: - system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader {{- end }} {{- end }} +{{- end }} diff --git a/chart/templates/scanner-deployment.yaml b/chart/templates/scanner-deployment.yaml index 117f7afd9133601a1f95b449c0a02e70c9c15811..257de0149e4c7449f3fab0da8f0b80af19c4f7cb 100644 --- a/chart/templates/scanner-deployment.yaml +++ b/chart/templates/scanner-deployment.yaml 
@@ -67,42 +67,7 @@ spec: {{- if .Values.cve.scanner.securityContext.runAsUser }} securityContext: {{- toYaml $.Values.cve.scanner.securityContext | nindent 8 }} - {{- end }} - initContainers: - - name: init-cert-permissions - {{- if .Values.global.azure.enabled }} - image: "{{ .Values.global.azure.images.scanner.registry }}/{{ .Values.global.azure.images.scanner.image }}:{{ .Values.global.azure.images.scanner.tag }}" - {{- else }} - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/scanner:{{ .Values.cve.scanner.image.tag }}" - {{- else }} - image: "{{ .Values.registry }}/scanner:{{ .Values.cve.scanner.image.tag }}" - {{- end }} - {{- else }} - {{- if .Values.cve.scanner.image.hash }} - image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}@{{ .Values.cve.scanner.image.hash }}" - {{- else if .Values.cve.scanner.image.registry }} - image: "{{ .Values.cve.scanner.image.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}" - {{- else }} - image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}" - {{- end }} - {{- end }} - {{- end }} - imagePullPolicy: Always - securityContext: - runAsUser: 0 - runAsNonRoot: false - command: - - /bin/sh - - -cx - - | - cp -a /etc/neuvector/certs/internal/* /newcerts - chmod 660 /newcerts/* - chown scanner:scanner /newcerts/* - volumeMounts: - - mountPath: /newcerts - name: bigbang-readable-certs + {{- end }} containers: - name: neuvector-scanner-pod {{- if .Values.global.azure.enabled }} @@ -165,6 +130,9 @@ spec: - mountPath: /etc/neuvector/certs/internal/ name: bigbang-readable-certs {{- end }} + {{- with .Values.cve.scanner.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} restartPolicy: Always volumes: {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} 
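Review bot: Dropping the `init-cert-permissions` init container removes a `runAsUser: 0` container, which is welcome, but the `bigbang-readable-certs` emptyDir it populated is still declared in the volumes stanza (next hunk) and still mounted at `/etc/neuvector/certs/internal/`, so on the cert-manager/secret path the scanner presumably starts with an empty certificate directory unless something else now writes into it. Either mount the certificate secret directly at that path with a `defaultMode` the scanner user can read and drop the emptyDir, or keep a non-root copy step. The condition that gates the mount and the volume is outside the hunk, so which installs are affected cannot be confirmed here; the enclosing pod spec also starts and ends outside the hunk.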
@@ -179,4 +147,7 @@ spec: - name: bigbang-readable-certs emptyDir: sizeLimit: 50Mi + {{- with .Values.cve.scanner.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/chart/templates/upgrader-lease.yaml b/chart/templates/upgrader-lease.yaml index 2afa935de3c71f6d370b368f4cb49dc6b7a85d09..724ed79287c43e2fbde4795cd0220d41ce664255 100644 --- a/chart/templates/upgrader-lease.yaml +++ b/chart/templates/upgrader-lease.yaml @@ -1,3 +1,4 @@ +{{- if .Values.lease.enabled }} {{- if .Values.internal.autoGenerateCert }} apiVersion: coordination.k8s.io/v1 kind: Lease @@ -6,3 +7,5 @@ metadata: spec: leaseTransitions: 0 {{- end }} +{{- end }} + diff --git a/chart/values.yaml b/chart/values.yaml index f7c21f5f189a55a99516639a0f1f88fb0e3713b9..0639c7003fc8a06da4098f9753fd0d1f4882379a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -4,7 +4,7 @@ openshift: false registry: registry1.dso.mil -tag: 5.4.1 +tag: 5.4.3 oem: imagePullSecrets: private-registry psp: false @@ -63,7 +63,8 @@ internal: enabled: false secretname: neuvector-internal autoGenerateCert: true - autoRotateCert: false + autoRotateCert: true + controller: # If false, controller will not be installed enabled: true @@ -111,6 +112,7 @@ controller: apisvc: type: annotations: {} + nodePort: # OpenShift Route configuration # Controller supports HTTPS only, so edge termination not supported route: @@ -327,7 +329,7 @@ controller: enabled: false image: repository: neuvector/compliance-config - tag: 1.0.1 + tag: 1.0.4 hash: enforcer: # If false, enforcer will not be installed @@ -380,6 +382,7 @@ manager: value: "-Dcom.redhat.fips=false" svc: type: ClusterIP + nodePort: loadBalancerIP: annotations: {} # azure @@ -465,7 +468,7 @@ cve: enabled: false image: repository: neuvector/registry-adapter - tag: 0.1.3 + tag: 0.1.6 hash: priorityClassName: resources: {} 
@@ -505,7 +508,7 @@ cve: protocol: https secretName: svc: - type: NodePort # should be set to - ClusterIP + type: ClusterIP loadBalancerIP: annotations: {} # azure @@ -596,7 +599,7 @@ cve: maxUnavailable: 0 image: repository: ironbank/neuvector/neuvector/scanner - tag: "5" + tag: "6" hash: priorityClassName: resources: {} @@ -633,27 +636,31 @@ cve: capabilities: drop: - ALL -resources: {} -# limits: -# cpu: 400m -# memory: 2792Mi -# requests: -# cpu: 100m -# memory: 2280Mi + volumes: + volumeMounts: +resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + +runtimePath: /var/run/containerd/containerd.sock -runtimePath: # The following runtime type and socket location are deprecated after 5.3.0. # If the socket path is not at the default location, use above 'runtimePath' to specify the location. docker: path: /var/run/docker.sock k3s: - enabled: false - runtimePath: /run/k3s/containerd/containerd.sock + enabled: true + runtimePath: /var/run/containerd/containerd.sock bottlerocket: enabled: false runtimePath: /run/dockershim.sock containerd: - enabled: false + enabled: true path: /var/run/containerd/containerd.sock crio: enabled: false @@ -733,6 +740,9 @@ monitor: enabled: false svc: enabled: false +lease: + enabled: true + # Bigbang helm test values default disabled bbtests: enabled: false @@ -752,3 +762,5 @@ bbtests: URL: "http://neuvector-service-webui.{{ .Release.Namespace }}.svc.cluster.local:8443" exporter: enabled: false + + diff --git a/tests/images.txt b/tests/images.txt index 6333b26101260c9145c267bbb9baf3c197e0a34f..4c9cba99f68b75320251065904d010f8fce7b7e6 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1 +1 @@ -registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:5.3.2 +registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:1.0.0
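Review bot: `k3s.enabled` and `containerd.enabled` are both switched to `true` inside the block the comment directly above marks as deprecated after 5.3.0, while the new top-level `runtimePath` already points at the containerd socket; if the templates still honour those flags, two runtime-socket mounts for the same path are likely rendered. Since `runtimePath` now carries the setting, the deprecated flags should stay `false`. `k3s.runtimePath` is also changed from `/run/k3s/containerd/containerd.sock` to the generic containerd socket, which no longer matches a stock k3s node, so if k3s is still a supported target that regression needs a changelog entry. The lines appended at end of file are blank and can be dropped.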