From b5a422814879ed3af5036f080d4988a9d85fcb34 Mon Sep 17 00:00:00 2001
From: Christian Kotzbauer
Date: Wed, 9 Mar 2022 16:55:52 +0100
Subject: [PATCH] update chart to 0.3.0

Signed-off-by: Christian Kotzbauer
---
 charts/vulnerability-operator/Chart.yaml | 4 ++--
 charts/vulnerability-operator/README.md | 3 ++-
 .../templates/clusterrole.yaml | 15 +++++++++++++
 .../templates/configmap.yaml | 11 ++++++++++
 .../templates/deployment.yaml | 10 +++++++++
 charts/vulnerability-operator/values.yaml | 22 +++++++++++++++++++
 6 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 charts/vulnerability-operator/templates/configmap.yaml

diff --git a/charts/vulnerability-operator/Chart.yaml b/charts/vulnerability-operator/Chart.yaml
index 3807680..95440c4 100644
--- a/charts/vulnerability-operator/Chart.yaml
+++ b/charts/vulnerability-operator/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 description: Scans SBOMs for vulnerabilities
 name: vulnerability-operator
-version: 0.2.0
-appVersion: 0.2.0
+version: 0.3.0
+appVersion: 0.3.0
 home: https://github.com/ckotzbauer/vulnerability-operator
 sources:
 - https://github.com/ckotzbauer/vulnerability-operator
diff --git a/charts/vulnerability-operator/README.md b/charts/vulnerability-operator/README.md
index d9eb3e5..983667a 100644
--- a/charts/vulnerability-operator/README.md
+++ b/charts/vulnerability-operator/README.md
@@ -31,10 +31,11 @@ The following table lists the configurable parameters of the vulnerability-opera
 | Parameter | Description | Default |
 | -------------------------------------- | ------------------------------------------------- | --------------------------------------------- |
 | `image.repository` | container image repository | `ghcr.io/ckotzbauer/vulnerability-operator` |
-| `image.tag` | container image tag | `0.2.0` |
+| `image.tag` | container image tag | `0.3.0` |
 | `image.pullPolicy` | container image pull policy | `IfNotPresent` |
 | `args` | argument object for cli-args | `{}` |
 | `envVars` | environment variables | `{}` |
+| `ignoreRules` | Grype ignore-rules | `""` |
 | `nodeSelector` | node labels for pod assignment | `{}` |
 | `tolerations` | node tolerations for pod assignment | `[]` |
 | `affinity` | node affinity for pod assignment | `{}` |
diff --git a/charts/vulnerability-operator/templates/clusterrole.yaml b/charts/vulnerability-operator/templates/clusterrole.yaml
index 31f67a3..8acb3ad 100644
--- a/charts/vulnerability-operator/templates/clusterrole.yaml
+++ b/charts/vulnerability-operator/templates/clusterrole.yaml
@@ -11,3 +11,18 @@ rules:
   - pods
   verbs:
   - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - replicasets
+  - statefulsets
+  - daemonsets
+  verbs:
+  - get
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
diff --git a/charts/vulnerability-operator/templates/configmap.yaml b/charts/vulnerability-operator/templates/configmap.yaml
new file mode 100644
index 0000000..b87d0e3
--- /dev/null
+++ b/charts/vulnerability-operator/templates/configmap.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.ignoreRules }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "app.name" . }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+data:
+  grype.yaml: |
+{{ .Values.ignoreRules | indent 4 }}
+{{- end }}
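Review bot: The new `batch` rule grants `get` on `jobs` only, while the `apps` rule covers both ReplicaSets and the Deployments that own them; if the operator attributes a pod to its workload by walking `ownerReferences`, the parallel Job → CronJob step will be denied by RBAC and pods created from CronJobs will be attributed one level short. If jobs-only is intentional, a one-line comment above the rule saying so would save the next reader the question; otherwise add `- cronjobs` under the `batch` resources. Keeping the verb at `get` (no `list`/`watch`) is the right least-privilege choice for resolving a known owner, and it should stay that way unless the controller actually enumerates these kinds.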
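Review bot: Nothing in this template ties the rendered ConfigMap to the pod that consumes it, so changing `ignoreRules` on `helm upgrade` updates the ConfigMap but does not roll the Deployment; unless the operator re-reads `/vuln/grype.yaml` on every scan (not visible here), stale ignore rules stay in effect until the pod happens to restart. The usual remedy is a `checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}` annotation on the pod template in deployment.yaml. It is also worth a comment on `grype.yaml: |` that the value is written verbatim as the full Grype config file, so any top-level Grype option — not just `ignore:` — can be set through this key, which the name `ignoreRules` does not suggest.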
diff --git a/charts/vulnerability-operator/templates/deployment.yaml b/charts/vulnerability-operator/templates/deployment.yaml
index ddf37fa..66c2c5c 100644
--- a/charts/vulnerability-operator/templates/deployment.yaml
+++ b/charts/vulnerability-operator/templates/deployment.yaml
@@ -30,6 +30,9 @@ spec:
             - --{{ $key }}
           {{- end }}
           {{- end }}
+          {{- if .Values.ignoreRules }}
+          - --grype-config-file=/vuln/grype.yaml
+          {{- end }}
           env:
           {{- if .Values.envVars }}
 {{ toYaml .Values.envVars | nindent 12 }}
@@ -57,11 +60,18 @@ spec:
           name: work
         - mountPath: /tmp
           name: tmp
+        - mountPath: /vuln
+          name: grype
       volumes:
       - name: work
         emptyDir: {}
       - name: tmp
         emptyDir: {}
+      {{- if .Values.ignoreRules }}
+      - name: grype
+        configMap:
+          name: {{ template "app.name" . }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
diff --git a/charts/vulnerability-operator/values.yaml b/charts/vulnerability-operator/values.yaml
index 41da339..a0c9f41 100644
--- a/charts/vulnerability-operator/values.yaml
+++ b/charts/vulnerability-operator/values.yaml
@@ -11,6 +11,28 @@ args: {}
 envVars: {}
+#ignoreRules: ""
+ignoreRules: |
+  ignore:
+    - vulnerabilities: CVE-XXXXXX
+    - vulnerabilities: CVE-YYYYYY
+# ignore:
+#   # This is the full set of supported rule fields:
+#   - vulnerability: CVE-2008-4318
+#     fix-state: unknown
+#     package:
+#       name: libcurl
+#       version: 1.5.1
+#       type: npm
+#       location: "/usr/local/lib/node_modules/**"
+#
+#   # We can make rules to match just by vulnerability ID:
+#   - vulnerability: CVE-2017-41432
+#
+#   # ...or just by a single package field:
+#   - package:
+#       type: gem
+
 podAnnotations: {}
 resources: {}
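Review bot: The `- mountPath: /vuln` / `name: grype` volumeMount is added unconditionally, but the `grype` volume it refers to is only rendered inside `{{- if .Values.ignoreRules }}`; with `ignoreRules: ""` — the default the README documents — the pod spec names a volume that does not exist and the API server rejects the Deployment, so the chart only installs because values.yaml currently ships a non-empty placeholder. Wrap the mount in the same guard: `{{- if .Values.ignoreRules }}` before `- mountPath: /vuln` and `{{- end }}` after `name: grype`. The `volumeMounts:` stanza this mount belongs to starts outside the hunk, so check that the guard's whitespace trimming keeps the list well-formed when it is the last entry.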
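Review bot: The two shipped default rules use the key `vulnerabilities:`, but the Grype ignore schema — as the commented example directly below shows — uses the singular `vulnerability:`, so `CVE-XXXXXX`/`CVE-YYYYYY` are rules with no recognised criteria; depending on how Grype treats such a rule this is either a silent no-op or suppresses far more than intended, and either way it ships a malformed config into every install's ConfigMap. The README documents the default as `""`, so make values.yaml agree: `ignoreRules: ""`, and move the placeholder block into the commented example (with `vulnerability:`) so users opt in explicitly. A short comment above the key noting that the value becomes the entire `grype.yaml` (not only the `ignore:` section) would also help, since the template writes it verbatim.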