diff --git a/.helmignore b/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/Chart.yaml b/Chart.yaml new file mode 100644 index 0000000..124a61c --- /dev/null +++ b/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +name: threatstack-agent +version: 1.0.0 +appVersion: 2.1.3 +description: A Helm chart for the Threat Stack Cloud Security Agent +keywords: +- security +- compliance +- monitoring +icon: http://www.threatstack.com/images/icons/threat-stack-logo.svg +sources: + - https://app.threatstack.com/ +maintainers: +- name: Threat Stack Inc. + email: support@threatstack.com \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..26c9100 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2020 Threat Stack, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..7c58cf5 --- /dev/null +++ b/README.md 
@@ -0,0 +1,118 @@ +Threat Stack Agent Helm Chart +============================= + +### Overview + +This project defines the helm chart to deploy the Threat Stack container agent in the recommended configuration for kubernetes. + +>>> +**Note:** The chart `version` is independent of the version of the agent packaged/installed by the chart. The version of the application to be installed by the helm chart is defined by helm's `appVersion` field. + +Because agent updates and improvements from version to version can require backwards-incompatible chart changes, we do not provide a way for the agent version to be overridden by a customer `values.yaml` file override. +>>> + +This chart installs the agent in the recommended configuration for kubernetes clusters. Configuration values should be overridden by passing helm one or more yaml files of overrides. See [Additional Installation Notes](#additional-installation-notes) section for specific recommendations. + +The following kubernetes objects are created: + +* A service account named `threatstack-agent` (unless overridden in a `values.yaml`), created in the namespace specifed (the default is `default`) +* A clusterrole/clusterrolebinding that allows the service account to get/list/watch the following objects: + * events + * namespaces + * pods + * clusterroles + * clusterrolebindings + * roles + * rolebindings +* A daemonset that installs the threatstack agent container on each node (1 container per node). It defaults to only deploying on nodes where a label `threatstack-agent` is set to `true` (this can be overridden via a `values.yaml`). +* A replicaset to deploy a specially configured threatstack-agent container that communicates with the kubernetes control plane. +* A Secret to store [sensitive agent configuration](#additional-installation-notes) +* A ConfigMap will be created to store the Threat Stack agent's setup and runtime configuration options. 
+ +### Installation + +>>> +These instructions assume that you already have helm (and the server-side component tiller, if using helm 2) installed in your environment, and that any RBAC configuration for proper operation of helm has been completed. +>>> + +#### Local Installation +The instructions below assume the helm chart has been released to a repository. Alternatively, you can clone this git repository and run `helm package .` in the repository's root to get a `.tgz` file built locally. + +In this, one should not add the helm repository as directed below (step 1), and omit the `--repo https://pkg.threatstack.com/helm` from any command. Also, instead of the chart name being `threatstack-agent`, you should use `/threatstack-agent-.tgz` in helm commands. + +>>> +**WARNING:** Creating a local helm chart does not sign it. Any verfication of the provenance of the chart will fail. +>>> + +#### Installing publicly released chart + +The threatstack agent helm chart follows the standard installation process for charts: + +1. Add the threatstack agent helm repository (URL: https://pkg.threatstack.com/helm) to your local helm configuration + ```shell + > helm repo add https://pkg.threatstack.com/helm + ``` +1. Using the default `values.yaml`, create a local yaml that overrides the configuration as desired or needed for the target cluster (See [Additional Installation Notes][#additional-installation-notes] below) +1. 
Install the threatstack agent with helm + * `Helm 2:` + ```shell + > helm install --name --repo https://pkg.threatstack.com/helm --values ./.yaml threatstack-agent + ``` + * `Helm 3:` + ```shell + > helm install --repo https://pkg.threatstack.com/helm --values ./.yaml threatstack-agent + ``` + +#### Updating the chart + +After making changes, run: + +helm upgrade threatstack-agent + +#### Uninstalling the chart + +helm delete + +#### Additional Installation Notes + +There is one chart values setting, `agentDeployKey`, that is not defined in the default chart `values.yaml`. The reason is two-fold: + +* This value is different for every Threat Stack customer. +* This value is sensitive information. + +Specifically because of the second reason, it is recommended that this value is **not stored in any source-controlled file**. This value should not be shared, and committing the value to source control can increase the risk of an unauthorized user discovering it. + +Additionally, the helm chart stores this variable in a kubernetes secret when the chart is installed, to avoid the value from being discoverable after installation. Any change of the value should cause a redeployment of the agent with the new value. + +Since helm allows for multiple override files to be supplied to a single `helm install` command, the `agentDeployKey` setting should be overridden in a _separate values file_. This should be done for initial installation and any time the Threat Stack deploy key needs to change. + +> Most of the overridable values for the threatstack agent helm chart are **not** sensitive, and therefore can (and should) be checked into a source control system. 
+ +Assuming you override the default values to match our environment in a `values.yaml` file, and separately override the deploy key setting in a file named `deploykey-override.yaml`, an example `helm install` command would look like: + +> helm install --name my-threatstack-agents --repo https://pkg.threatstack.com/helm --values values.yaml --values deploykey-override.yaml threatstack-agent + +#### Important Configuration Settings + +The following values settings for the helm chart are important to note, or expected to be modified for each target environment: + +* `image.repository` :: The docker repository for the container image to install. It defaults to Threat Stack's offical docker hub repository for the agent. **NOTE:** Changing this could lead to pulling an unofficial or incorrect image, and is strongly discouraged. +* `image.version` :: The docker tag for the container image to install. It defaults to Threat Stack's latest offical docker image version for the agent at the time the chart was released. **NOTE:** Changing this could lead to pulling an unofficial or incorrect image, and is strongly discouraged. +* `gke` :: If `true`, the Daemonset definition will be modified to execute GKE-specific commands for the agent to work correctly there. Defaults to `false` +* `rbac.create` :: If `true`, will create the needed service account to run. If false, the chart will leverage the service account defined in `rbac.serviceAccountName` +* `imagePullSecrets` :: If pulling the agent from a private/internal docker registry that requires credentials, you will need to add the name of your docker credentials secret to this array. *This secret needs to be defined outside of installing this helm chart.* Defaults to an empty array which will only work with public registries. 
+ * For more guidance with using private container registries, please review the following kubernetes documentation for details around how to set this upcorrectly with your registry service: + * https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + * https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line + * https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry +* `rulesets` :: The list of Threat Stack rulesets that the againt container should run with. The single-quotes in the double-quotes are intentional and not optional. +* `additionalSetupConfig` :: A list of command line arguments used when the agent container registers itself with the Threat Stack platform. See official documentation for details. +* `additionalConfig` :: A list of command line arguments used when the agent container starts running. See official documentation for details. + +### Contributing enhancements/fixes + +Please fork this repository and submit any changes with a pull request. + +### Licensing + +See the [LICENSE](LICENSE) diff --git a/charts/.gitkeep b/charts/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/templates/NOTES.txt b/templates/NOTES.txt new file mode 100644 index 0000000..5b7a13b --- /dev/null +++ b/templates/NOTES.txt 
@@ -0,0 +1,23 @@ +{{- if .Values.agentDeployKey }} +Threat Stack agents are being deployed. After a few minutes, you should see +agents showing up on your server tab. + + https://app.threatstack.com/ + +{{- if eq (len .Values.daemonset.nodeSelector) 0 }} +{{- else }} + +The Threat Stack agent is being scheduled to nodes with the appropriate label. Make sure you have added the label to your node definitions. + +By default, this chart will only schedule the Threat Stack agent to nodes with a label `threatstack-agent: "true"`. +{{- end }} +{{- else }} +############################################################################## +#### ERROR: You did not set an agentDeployKey #### +############################################################################## + +This deployment will be incomplete until you get your deploy key from Threat Stack. + +Once registered you can get your deploy key from within the Threat Stack Platform (https://threatstack.zendesk.com/hc/en-us/articles/207322890-View-or-Reset-Your-Organization-s-Deployment-Key). + +{{- end }} diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl new file mode 100644 index 0000000..d8f3818 --- /dev/null +++ b/templates/_helpers.tpl 
@@ -0,0 +1,56 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "threatstack-agent.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "threatstack-agent.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "threatstack-agent.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the configuration arguments for the Threat Stack Agent container +*/}} +{{- define "threatstack-agent.configArgs" -}} +{{- $defaultConfigArgs := "enable_kubes 1 enable_containers 1" -}} +{{- if .Values.additionalConfig -}} +{{- printf "%s %s" $defaultConfigArgs .Values.additionalConfig -}} +{{- else -}} +{{- printf "%s" $defaultConfigArgs -}} +{{- end -}} +{{- end -}} + +{{/* +Construct the configuration arguments for the Threat Stack Agent api reader container +*/}} +{{- define "threatstack-agent-kubernetes-api.configArgs" -}} +{{- $defaultConfigArgs := "enable_kubes 1 enable_kubes_master 1 enable_containers 1" -}} +{{- if .Values.additionalConfig -}} +{{- printf "%s %s" $defaultConfigArgs .Values.additionalConfig -}} +{{- else -}} +{{- printf "%s" $defaultConfigArgs -}} +{{- end -}} +{{- end -}} 
diff --git a/templates/cluster-role.yaml b/templates/cluster-role.yaml new file mode 100644 index 0000000..1944f5e --- /dev/null +++ b/templates/cluster-role.yaml @@ -0,0 +1,31 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "threatstack-agent.name" .}} + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" . }} + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - events + - namespaces + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/templates/cluster-rolebinding.yaml b/templates/cluster-rolebinding.yaml new file mode 100644 index 0000000..d98c696 --- /dev/null +++ b/templates/cluster-rolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "threatstack-agent.name" .}} + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" .}} + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "threatstack-agent.name" .}} +subjects: +- kind: ServiceAccount + name: {{ include "threatstack-agent.name" .}} + namespace: {{ .Values.rbac.namespace }} \ No newline at end of file diff --git a/templates/configmap.yaml b/templates/configmap.yaml new file mode 100644 index 0000000..3f6ac02 --- /dev/null +++ b/templates/configmap.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-args + namespace: default + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" . }} + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config-args: "{{ include "threatstack-agent.configArgs" . }}" + kubernetes-api-config-args: "{{ include "threatstack-agent-kubernetes-api.configArgs" . }}" diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml new file mode 100644 index 0000000..110fe6d --- /dev/null +++ b/templates/daemonset.yaml 
@@ -0,0 +1,121 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "threatstack-agent.name" .}} + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" .}} + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" .}} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" . }} + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + name: {{ include "threatstack-agent.name" . }} + annotations: + # If configmap or secret files change, this will change the checksum annotations in the daemonset, forcing a redeploy. + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + spec: +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} +{{- else }} +{{- end }} +{{- if .Values.daemonset.nodeSelector }} + nodeSelector: +{{ toYaml .Values.daemonset.nodeSelector | indent 8 }} +{{- else }} +{{- end }} +{{- if .Values.daemonset.affinity }} + affinity: +{{ toYaml .Values.daemonset.affinity | indent 8 }} +{{- else }} +{{- end }} +{{- if .Values.daemonset.tolerations }} + tolerations: +{{ toYaml .Values.daemonset.tolerations | indent 8 }} +{{- else }} +{{- end }} + hostNetwork: true + hostPID: true + serviceAccountName: {{ if .Values.rbac.create }}{{ include "threatstack-agent.name" . 
}}{{ else }}{{ .Values.rbac.serviceAccountName }}{{ end }} + containers: + - image: {{ .Values.image.repository }}:{{ if not .Values.image.version }}{{ .Chart.AppVersion }}{{ else }}{{ .Values.image.version }}{{ end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ include "threatstack-agent.name" . }} +{{- if eq .Values.gke true }} + command: ["bash"] + args: ["-c", "chroot /threatstackfs /bin/bash -c 'systemctl stop systemd-journald-audit.socket; systemctl mask systemd-journald-audit.socket; systemctl restart systemd-journald; auditctl --backlog_wait_time 0'; eval tsagent setup $THREATSTACK_SETUP_ARGS; eval tsagent config --set $THREATSTACK_CONFIG_ARGS; sleep 5; /opt/threatstack/sbin/tsagentd"] +{{- else }} +{{- end }} +{{- if .Values.daemonset.livenessProbe }} + livenessProbe: +{{ toYaml .Values.daemonset.livenessProbe | indent 10 }} +{{- else }} + livenessProbe: + exec: + command: [ "sh", "-c", "tsagent status" ] + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 +{{- end }} + env: + - name: THREATSTACK_SETUP_ARGS + valueFrom: + secretKeyRef: + name: {{ include "threatstack-agent.fullname" . 
}} + key: ts-setup-args + - name: THREATSTACK_CONFIG_ARGS + valueFrom: + configMapKeyRef: + name: config-args + key: config-args + securityContext: + privileged: false + capabilities: + add: {{ .Values.capabilities | trim }} +{{- if .Values.daemonset.resources }} + resources: +{{ toYaml .Values.daemonset.resources | trim | indent 10 }} +{{- else }} + resources: + requests: + memory: "256Mi" + cpu: "200m" + limits: + memory: "256Mi" + cpu: "200m" +{{- end }} + volumeMounts: + - name: dockersocket + mountPath: /var/run/docker.sock + - name: hostfs + mountPath: /threatstackfs + - name: containerdsocket + mountPath: /run/containerd/containerd.sock + - name: oldcontainerdsocket + mountPath: /var/run/docker/containerd/docker-containerd.sock + volumes: + - hostPath: + path: /var/run/docker.sock + name: dockersocket + - hostPath: + path: /run/containerd/containerd.sock + name: containerdsocket + - hostPath: + path: /var/run/docker/containerd/docker-containerd.sock + name: oldcontainerdsocket + - hostPath: + path: / + name: hostfs diff --git a/templates/deployment-api-reader.yaml b/templates/deployment-api-reader.yaml new file mode 100644 index 0000000..9f825eb --- /dev/null +++ b/templates/deployment-api-reader.yaml 
@@ -0,0 +1,107 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "threatstack-agent.name" .}}-kubernetes-api + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" .}}-kubernetes-api + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" .}}-kubernetes-api + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" . }}-kubernetes-api + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + name: {{ include "threatstack-agent.name" .}}-kubernetes-api + annotations: + # If configmap or secret files change, this will change the checksum annotations in the deployment, forcing a redeploy. + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + spec: +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} +{{- else }} +{{- end }} +{{- if .Values.apiReader.nodeSelector }} + nodeSelector: +{{ toYaml .Values.apiReader.nodeSelector | trim | indent 8 }} +{{- else }} +{{- end }} +{{- if .Values.apiReader.affinity }} + affinity: +{{ toYaml .Values.apiReader.affinity | indent 8 }} +{{- else }} +{{- end }} +{{- if .Values.apiReader.tolerations }} + tolerations: +{{ toYaml .Values.apiReader.tolerations | indent 8 }} +{{- else }} +{{- end }} + hostNetwork: true + hostPID: true + serviceAccountName: {{ if .Values.rbac.create }}{{ include "threatstack-agent.name" . 
}}{{ else }}{{ .Values.rbac.serviceAccountName }}{{ end }} + containers: + - image: {{ .Values.image.repository }}:{{ if not .Values.image.version }}{{ .Chart.AppVersion }}{{ else }}{{ .Values.image.version }}{{ end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ include "threatstack-agent.name" . }} +{{- if .Values.apiReader.livenessProbe }} + livenessProbe: +{{ toYaml .Values.apiReader.livenessProbe | indent 10 }} +{{- else }} + livenessProbe: + exec: + command: [ "sh", "-c", "tsagent status" ] + initialDelaySeconds: 15 + periodSeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 +{{- end }} + env: + - name: THREATSTACK_SETUP_ARGS + valueFrom: + secretKeyRef: + name: {{ include "threatstack-agent.fullname" . }} + key: ts-setup-args + - name: THREATSTACK_CONFIG_ARGS + valueFrom: + configMapKeyRef: + name: config-args + key: kubernetes-api-config-args + securityContext: + privileged: false + capabilities: + add: {{ .Values.capabilities | trim }} +{{- if .Values.apiReader.resources }} + resources: +{{ toYaml .Values.apiReader.resources | trim | indent 10 }} +{{- else }} + resources: + requests: + memory: "256Mi" + cpu: "200m" + limits: + memory: "256Mi" + cpu: "200m" +{{- end }} + volumeMounts: + - name: dockersocket + mountPath: /var/run/docker.sock + - name: hostfs + mountPath: /threatstackfs + volumes: + - hostPath: + path: /var/run/docker.sock + name: dockersocket + - hostPath: + path: / + name: hostfs \ No newline at end of file diff --git a/templates/secrets.yaml b/templates/secrets.yaml new file mode 100644 index 0000000..83a4c84 --- /dev/null +++ b/templates/secrets.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "threatstack-agent.fullname" . }} + namespace: {{ .Values.rbac.namespace }} + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" . }} + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: Opaque +stringData: + ts-setup-args: "--deploy-key {{ .Values.agentDeployKey }} --ruleset '{{ .Values.rulesets }}' {{ .Values.additionalSetupConfig }}" diff --git a/templates/service-account.yaml b/templates/service-account.yaml new file mode 100644 index 0000000..19dd0cc --- /dev/null +++ b/templates/service-account.yaml @@ -0,0 +1,12 @@ +{{- if .Values.rbac.create -}} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ include "threatstack-agent.name" .}} + namespace: {{ .Values.rbac.namespace }} + labels: + app.kubernetes.io/name: {{ include "threatstack-agent.name" . }} + helm.sh/chart: {{ include "threatstack-agent.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} diff --git a/values.yaml b/values.yaml new file mode 100644 index 0000000..ba0e5f4 --- /dev/null +++ b/values.yaml 
@@ -0,0 +1,140 @@ +### Overriding default helm chart/kubernetes object names +nameOverride: "" +fullnameOverride: "" +imagePullSecrets: [] + +# Set this to true if running on GKE +gke: false + +### Default values for threatstack-agent chart +image: + repository: threatstack/ts-docker2 + version: "" + pullPolicy: Always + +### RBAC and namespacing settings for release +# create :: If `true`, the chart will generate a service account +# namespace :: Override namespace to deploy this chart, as desired +# serviceAccountName :: If `rbac.create` is set to `false`, use this as the service account name +rbac: + create: true + namespace: "default" + serviceAccountName: "threatstack-agent" + +### Threat Stack Agent settings +# +# rulesets :: Define what rules will be applied to the agent by default +# additionalSetupConfig :: Additional parameters passed to the backend during initial agent registration +# additionalConfig :: Additional parameters to configure the running agent +# capabilities :: Docker capabilites required for the proper operation of the agent +rulesets: "Base Rule Set, Docker Rule Set, Kubernetes Rule Set" +additionalSetupConfig: "" + +additionalConfig: "log.level info" + +capabilities: | + ["AUDIT_CONTROL", "AUDIT_READ", "SYS_CHROOT", "CHOWN","DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "SETGID", "SETUID", "SYS_ADMIN", "SYS_PTRACE"] + +##### +# WARNING! +# +# Do not store the deploy key in a source control system! +# Pass this in via an addditional values yaml file when installing this helm chart +# Example: `helm install --name threatstack-agent -f values.yaml -f overriding-deploy-key.yaml threatstack-agent` +##### +agentDeployKey: "" + +######## +# +# API Server reader Deployment settings +# +# This section configures a single-instance ReplicaSet threatstack-agent pod +# +# The pod makes requests to kubernetes api-server to retrieve information +# on the state of the cluster. +# +# NOTE: This pod DOES NOT monitor its node activity. 
+# +######## +apiReader: + # Override the agent's liveness probe logic from the default: + # In case of issues with the probe, you can disable it with the + # following values, to allow easier investigating: + # + # livenessProbe: + # exec: + # command: ["/bin/true"] + + # The below values are suggestions. Individual workloads may vary + # and require higher or lower resource requirements. It is + # highly recommended to validate these settings in the target + # environment, and adjust to achieve desired performance. + # + # Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # + # resources: + # requests: + # memory: "256Mi" + # cpu: "200m" + # limits: + # memory: "256Mi" + # cpu: "200m" + + # Override kubernetes api reader agent's default target nodes + # Default is any node within the target namespace + # + # Set these as desired to only install the kubernetes api reader agent on + # one of a subset of your kubernetes nodes + nodeSelector: {} + # foo: bar + # Optional + affinity: {} + # Optional + tolerations: [] + +######## +# +# Threat Stack Agent Daemonset settings +# +# This section configures a daemonset of threatstack-agent pods +# +# The pods monitor the activity of other pods/deployments on +# the node. +# +######## +daemonset: + # Override the agent's liveness probe logic from the default: + # In case of issues with the probe, you can disable it with the + # following values, to allow easier investigating: + # + # livenessProbe: + # exec: + # command: ["/bin/true"] + + # The below values are suggestions. Individual workloads may vary + # and require higher or lower resource requirements. It is + # highly recommended to validate these settings in the target + # environment, and adjust to achieve desired performance. 
+ # + # Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # + # + # resources: + # requests: + # memory: "256Mi" + # cpu: "200m" + # limits: + # memory: "256Mi" + # cpu: "200m" + + # Override agent's default target nodes + # Default is to only deploy on nodes that have the label `threatstack-agent=true` + # + # Set these as desired to only install agent on a subset of your kubernetes nodes, + # or to {} to deploy to all nodes in the target namespace + nodeSelector: + threatstack-agent: "true" + # Optional + affinity: {} + # Optional + tolerations: []
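Review bot: the `.helmignore` patterns do not cover the local deploy-key override file the README tells users to keep next to the chart (`deploykey-override.yaml`), so running `helm package .` from a working copy that contains it bundles the Threat Stack deploy key into the `.tgz`. Add a pattern such as `deploykey-override.yaml` (or `*override*.yaml`) here; the local-install flow in the README is exactly the case where this bites.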
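Review bot: in `Chart.yaml`, `sources` points at the hosted application (https://app.threatstack.com/) rather than the chart's source repository, and `icon` is served over plain http. Use the git repository URL under `sources` and an https icon URL so `helm lint`/provenance consumers get a meaningful origin.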
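Review bot: the README has several doc defects that will send users down the wrong path. `helm repo add https://pkg.threatstack.com/helm` is missing the repository name argument (`helm repo add <name> <url>`); the link `[Additional Installation Notes][#additional-installation-notes]` uses square brackets for the target and will not render; the object list says a "replicaset" is created while `templates/deployment-api-reader.yaml` creates a Deployment; and it says the ConfigMap stores "setup and runtime configuration" while the setup arguments (which embed the deploy key) actually live in the Secret. It also never mentions that both workloads run with `hostNetwork: true`, `hostPID: true`, the host root filesystem bind-mounted at `/threatstackfs`, and a capability set including `SYS_ADMIN` and `SYS_PTRACE`; cluster operators running PodSecurityPolicies or admission controls need that stated up front. Typos: "specifed", "verfication", "offical", "againt", "upcorrectly".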
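Review bot: in `templates/NOTES.txt` the `{{- if eq (len .Values.daemonset.nodeSelector) 0 }}` branch is empty and all the work happens in the `else`; invert it to `{{- if .Values.daemonset.nodeSelector }}` (an empty map is falsy in Go templates) and drop the empty branch. The missing-deploy-key banner is useful, but note it only appears after every object has already been created, so the cluster ends up with agents that cannot register; failing the render in `secrets.yaml` would be the stronger guard.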
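Review bot: in `templates/_helpers.tpl`, `.Values.additionalConfig` is spliced verbatim into the argument string and, on the GKE path of the DaemonSet, passed through `eval tsagent config --set $THREATSTACK_CONFIG_ARGS`, so any shell metacharacters in that value are interpreted by the shell inside the agent container. Document that the value is shell-evaluated (or build the args as a list and avoid `eval`). Also, `threatstack-agent.configArgs` and `threatstack-agent-kubernetes-api.configArgs` differ only in the default string; one helper that takes the defaults as a parameter would keep the two from drifting.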
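Review bot: `templates/cluster-role.yaml` names the cluster-scoped ClusterRole with `threatstack-agent.name` (effectively the chart name) instead of `threatstack-agent.fullname`, so a second release of this chart anywhere in the cluster collides on the name and the later install fails or silently takes over the earlier one's role. Use `{{ include "threatstack-agent.fullname" . }}` for the ClusterRole and the matching ClusterRoleBinding. The verb set (get/list/watch on events, namespaces, pods and the RBAC objects) matches what the README advertises, which is good.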
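Review bot: in `templates/cluster-rolebinding.yaml` the subject namespace is `.Values.rbac.namespace` (default `"default"`), while the DaemonSet and Deployment set no namespace and are created wherever `helm install -n` puts the release. If the two differ, the pods' `serviceAccountName` does not resolve in their own namespace and the binding points at a ServiceAccount nobody uses. `{{ .Release.Namespace }}` is the safer default here.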
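Review bot: `templates/configmap.yaml` hard-codes `namespace: default` and the fixed name `config-args`, while the pods that reference it via `configMapKeyRef: name: config-args` carry no namespace and land in the release namespace; with `helm install -n <anything-else>` the pods fail to start because the ConfigMap is not found, and two releases in `default` overwrite each other's `config-args`. Drop the hard-coded namespace (or use `{{ .Release.Namespace }}`) and name it with `threatstack-agent.fullname`. Also render the data values with `| quote` rather than wrapping the `include` in literal double quotes, so a value containing `"` cannot break the YAML.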
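Review bot: in `templates/daemonset.yaml` the annotation comment says "If configmap or secret files change" but only `secrets.yaml` is hashed, so changing `additionalConfig` (which only affects the ConfigMap) will not roll the pods; add `checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}` next to `checksum/secrets`. Separately, `privileged: false` is nominal here: `hostPID: true`, `hostNetwork: true`, the host root bind-mounted read-write at `/threatstackfs`, and `SYS_ADMIN`/`SYS_PTRACE`/`DAC_READ_SEARCH` from `values.yaml` amount to host-equivalent access, so the README and values comments should say so plainly. Unless the agent writes to the host filesystem outside the GKE branch (whose `systemctl mask` does need a writable `/etc`), mount `hostfs` with `readOnly: true` when `gke` is false. The empty `{{- else }}{{- end }}` pairs can be removed.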
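Review bot: `templates/deployment-api-reader.yaml` is documented in `values.yaml` as a pod that only talks to the API server and "DOES NOT monitor its node activity", yet it still runs with `hostNetwork: true`, `hostPID: true`, the docker socket and the host root mounted, and the full capability list. If that description is accurate, drop those from this Deployment so the API reader runs with nothing beyond its ServiceAccount token; if the agent needs them even in API-reader mode, say so in the values comment. The same two issues as the DaemonSet apply: only `secrets.yaml` is in the checksum annotation despite the comment naming the ConfigMap, and the `secretKeyRef`/`configMapKeyRef` lookups assume the Secret and ConfigMap share the pod's namespace, which the templates do not guarantee.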
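Review bot: in `templates/secrets.yaml`, an empty `agentDeployKey` renders `--deploy-key  --ruleset '...'`, so the agents deploy with an unusable registration command and the NOTES.txt banner is the only signal. Wrap it as `{{ required "agentDeployKey must be set (pass it via a separate values file)" .Values.agentDeployKey }}` so `helm install` fails before any pod starts, unless installing without a key is an intended workflow. Render the whole `ts-setup-args` value with `| quote` instead of literal quotes: a ruleset name or `additionalSetupConfig` containing `"` or `'` currently breaks both the YAML and the shell quoting in the container. Keeping the key in a Secret rather than the ConfigMap is the right call; the `namespace: {{ .Values.rbac.namespace }}` should match the namespace the pods actually run in.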
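Review bot: `templates/service-account.yaml` places the ServiceAccount in `.Values.rbac.namespace`, while the workloads that set `serviceAccountName` to it have no explicit namespace; prefer `{{ .Release.Namespace }}` so the ServiceAccount, Secret, ConfigMap and the pods that reference them always share one namespace, and either remove the `rbac.namespace` value or document it as affecting only these RBAC objects.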
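Review bot: in `values.yaml` the comment `namespace :: Override namespace to deploy this chart` overstates what the value does: only the ServiceAccount, Secret and ClusterRoleBinding subject use it, the DaemonSet and Deployment go to the release namespace. Either wire it into every template or document it narrowly. The `capabilities` list is the most security-relevant knob in the chart and deserves a per-capability comment (what stops working without `SYS_ADMIN`, `SYS_PTRACE`, `DAC_READ_SEARCH`, and so on) so operators can trim it to what their environment needs. With `image.version: ""` the tag falls back to `appVersion`, which is a mutable tag; pinning a digest is the only way to guarantee the image that was reviewed is the one pulled. Wording: "ReplicaSet" should be "Deployment" to match the template, and "any node within the target namespace" should drop the namespace qualifier since nodes are not namespaced. Typos: "addditional", "capabilites".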