Merge branch 'main' into UD-1378-vulnreport-v1alpha2

undistro · May 8, 2024 · 95cc408 · 95cc408
2 parents 5ad148c + 4b07723
commit 95cc408
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 10 deletions.
diff --git a/charts/zora/README.md b/charts/zora/README.md
@@ -109,14 +109,16 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
 | scan.plugins.marvin.image.tag | string | `"v0.2.3"` | marvin plugin image tag |
+| scan.plugins.marvin.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. |
 | scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
-| scan.plugins.trivy.image.tag | string | `"0.50.1-1"` | trivy plugin image tag |
+| scan.plugins.trivy.image.tag | float | `0.51` | trivy plugin image tag |
+| scan.plugins.trivy.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
 | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
@@ -130,11 +132,12 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
-| scan.plugins.popeye.image.tag | string | `"0.21.3-6"` | popeye plugin image tag |
+| scan.plugins.popeye.image.tag | float | `0.21` | popeye plugin image tag |
+| scan.plugins.popeye.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
-| kubexnsImage.tag | string | `"v0.1.3"` | kubexns image tag |
+| kubexnsImage.tag | string | `"v0.1.4"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
 | httpsProxy | string | `""` | HTTPS proxy URL |
 | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |

diff --git a/charts/zora/templates/plugins/marvin.yaml b/charts/zora/templates/plugins/marvin.yaml
@@ -21,6 +21,9 @@ metadata:
 spec:
   type: misconfiguration
   image: "{{ .Values.scan.plugins.marvin.image.repository }}:{{ .Values.scan.plugins.marvin.image.tag }}"
+  {{- if .Values.scan.plugins.marvin.image.pullPolicy }}
+  imagePullPolicy: "{{ .Values.scan.plugins.marvin.image.pullPolicy }}"
+  {{- end }}
   {{- if .Values.scan.plugins.marvin.resources }}
   resources:
     {{- toYaml .Values.scan.plugins.marvin.resources | nindent 4 }}

diff --git a/charts/zora/templates/plugins/popeye.yaml b/charts/zora/templates/plugins/popeye.yaml
@@ -21,6 +21,9 @@ metadata:
 spec:
   type: misconfiguration
   image: "{{ .Values.scan.plugins.popeye.image.repository }}:{{ .Values.scan.plugins.popeye.image.tag }}"
+  {{- if .Values.scan.plugins.popeye.image.pullPolicy }}
+  imagePullPolicy: "{{ .Values.scan.plugins.popeye.image.pullPolicy }}"
+  {{- end }}
   {{- if .Values.scan.plugins.popeye.resources }}
   resources:
     {{- toYaml .Values.scan.plugins.popeye.resources | nindent 4 }}
@@ -51,6 +54,7 @@ spec:
     - /bin/sh
     - -c
     - |
+      sleep 30
       start=$(date +%s)
       echo Scanning...
       {{- if .Values.scan.plugins.popeye.skipInternalResources }}

diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml
@@ -21,12 +21,16 @@ metadata:
 spec:
   type: vulnerability
   image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}"
+  {{- if .Values.scan.plugins.trivy.image.pullPolicy }}
+  imagePullPolicy: "{{ .Values.scan.plugins.trivy.image.pullPolicy }}"
+  {{- end }}
   {{- if .Values.scan.plugins.trivy.resources }}
   resources:
     {{- toYaml .Values.scan.plugins.trivy.resources | nindent 4 }}
   {{- end }}
   mountCustomChecksVolume: false
   securityContext:
+    runAsNonRoot: true
     allowPrivilegeEscalation: false
     privileged: false
   {{- with .Values.scan.plugins.trivy.envFrom }}
@@ -58,7 +62,6 @@ spec:
       time trivy k8s \
         --debug \
         --no-progress \
-        --all-namespaces \
         --scanners=vuln \
         -f=json \
         --cache-dir=/tmp/trivy-cache \
@@ -69,8 +72,7 @@ spec:
         --ignore-unfixed \
         {{- end }}
         --timeout={{ .Values.scan.plugins.trivy.timeout | quote }} \
-        -o $(DONE_DIR)/results.json \
-        cluster
+        -o $(DONE_DIR)/results.json
 
       exitcode=$(echo $?)
       if [ $exitcode -ne 0 ]; then

diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
@@ -193,6 +193,8 @@ scan:
         repository: ghcr.io/undistro/marvin
         # -- marvin plugin image tag
         tag: v0.2.3
+        # -- Image pull policy
+        pullPolicy: IfNotPresent
       # -- List of environment variables to set in marvin container.
       env: []
       # -- List of sources to populate environment variables in marvin container.
@@ -211,7 +213,9 @@ scan:
         # -- trivy plugin image repository
         repository: ghcr.io/undistro/trivy
         # -- trivy plugin image tag
-        tag: 0.50.1-1
+        tag: 0.51
+        # -- Image pull policy
+        pullPolicy: Always
       # -- List of environment variables to set in trivy container.
       env: []
       #  - name: AWS_REGION
@@ -268,7 +272,9 @@ scan:
         # -- popeye plugin image repository
         repository: ghcr.io/undistro/popeye
         # -- popeye plugin image tag
-        tag: 0.21.3-6
+        tag: 0.21
+        # -- Image pull policy
+        pullPolicy: Always
       # -- List of environment variables to set in popeye container.
       env: []
       # -- List of sources to populate environment variables in popeye container.
@@ -278,7 +284,7 @@ kubexnsImage:
   # -- kubexns image repository
   repository: ghcr.io/undistro/kubexns
   # -- kubexns image tag
-  tag: v0.1.3
+  tag: v0.1.4
 
 # -- Custom checks ConfigMap name
 customChecksConfigMap: zora-custom-checks
@@ -290,4 +296,4 @@ noProxy: kubernetes.default.svc.*,127.0.0.1,localhost
 
 # -- (bool) Specifies whether CRDs should be updated by operator at startup
 # @default -- `true` for upgrades
-updateCRDs:
+updateCRDs: