diff --git a/charts/zora/README.md b/charts/zora/README.md
index b87a529e..a9d833ca 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -109,6 +109,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
 | scan.plugins.marvin.image.tag | string | `"v0.2.3"` | marvin plugin image tag |
+| scan.plugins.marvin.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. |
 | scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
@@ -116,7 +117,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
-| scan.plugins.trivy.image.tag | string | `"0.50.1-1"` | trivy plugin image tag |
+| scan.plugins.trivy.image.tag | float | `0.51` | trivy plugin image tag |
+| scan.plugins.trivy.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
 | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
@@ -130,11 +132,12 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
-| scan.plugins.popeye.image.tag | string | `"0.21.3-6"` | popeye plugin image tag |
+| scan.plugins.popeye.image.tag | float | `0.21` | popeye plugin image tag |
+| scan.plugins.popeye.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
-| kubexnsImage.tag | string | `"v0.1.3"` | kubexns image tag |
+| kubexnsImage.tag | string | `"v0.1.4"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
 | httpsProxy | string | `""` | HTTPS proxy URL |
 | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
diff --git a/charts/zora/templates/plugins/marvin.yaml b/charts/zora/templates/plugins/marvin.yaml
index 0394b139..cca0c28a 100644
--- a/charts/zora/templates/plugins/marvin.yaml
+++ b/charts/zora/templates/plugins/marvin.yaml
@@ -21,6 +21,9 @@ metadata:
 spec:
 type: misconfiguration
 image: "{{ .Values.scan.plugins.marvin.image.repository }}:{{ .Values.scan.plugins.marvin.image.tag }}"
+ {{- if .Values.scan.plugins.marvin.image.pullPolicy }}
+ imagePullPolicy: "{{ .Values.scan.plugins.marvin.image.pullPolicy }}"
+ {{- end }}
 {{- if .Values.scan.plugins.marvin.resources }}
 resources:
 {{- toYaml .Values.scan.plugins.marvin.resources | nindent 4 }}
diff --git a/charts/zora/templates/plugins/popeye.yaml b/charts/zora/templates/plugins/popeye.yaml
index 4d9e35b9..e059fcd5 100644
--- a/charts/zora/templates/plugins/popeye.yaml
+++ b/charts/zora/templates/plugins/popeye.yaml
@@ -21,6 +21,9 @@ metadata:
 spec:
 type: misconfiguration
 image: "{{ .Values.scan.plugins.popeye.image.repository }}:{{ .Values.scan.plugins.popeye.image.tag }}"
+ {{- if .Values.scan.plugins.popeye.image.pullPolicy }}
+ imagePullPolicy: "{{ .Values.scan.plugins.popeye.image.pullPolicy }}"
+ {{- end }}
 {{- if .Values.scan.plugins.popeye.resources }}
 resources:
 {{- toYaml .Values.scan.plugins.popeye.resources | nindent 4 }}
@@ -51,6 +54,7 @@ spec:
 - /bin/sh
 - -c
 - |
+ sleep 30
 start=$(date +%s)
 echo Scanning...
 {{- if .Values.scan.plugins.popeye.skipInternalResources }}
diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml
index 22a2d497..f25c1c5a 100644
--- a/charts/zora/templates/plugins/trivy.yaml
+++ b/charts/zora/templates/plugins/trivy.yaml
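Review bot: The `sleep 30` added at the top of the popeye scan script (hunk `@@ -51,6 +54,7 @@`) says nothing about what it is waiting for, and a fixed delay is normally a stand-in for a readiness condition that will be either too short under load or a flat 30 s cost on every scan. At minimum record the reason on the line, e.g. `sleep 30  # TODO(review): document what this delay waits for`, so the next maintainer can judge whether it is still needed. If the condition is observable (a service answering, a file appearing), polling for it with a bounded retry would be more robust than a constant. The script body continues past the end of the hunk.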
@@ -21,12 +21,16 @@ metadata: spec: type: vulnerability image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}" + {{- if .Values.scan.plugins.trivy.image.pullPolicy }} + imagePullPolicy: "{{ .Values.scan.plugins.trivy.image.pullPolicy }}" + {{- end }} {{- if .Values.scan.plugins.trivy.resources }} resources: {{- toYaml .Values.scan.plugins.trivy.resources | nindent 4 }} {{- end }} mountCustomChecksVolume: false securityContext: + runAsNonRoot: true allowPrivilegeEscalation: false privileged: false {{- with .Values.scan.plugins.trivy.envFrom }} @@ -58,7 +62,6 @@ spec: time trivy k8s \ --debug \ --no-progress \ - --all-namespaces \ --scanners=vuln \ -f=json \ --cache-dir=/tmp/trivy-cache \ @@ -69,8 +72,7 @@ spec: --ignore-unfixed \ {{- end }} --timeout={{ .Values.scan.plugins.trivy.timeout | quote }} \ - -o $(DONE_DIR)/results.json \ - cluster + -o $(DONE_DIR)/results.json exitcode=$(echo $?) if [ $exitcode -ne 0 ]; then diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index 8ec974d7..28d997c2 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -193,6 +193,8 @@ scan: repository: ghcr.io/undistro/marvin # -- marvin plugin image tag tag: v0.2.3 + # -- Image pull policy + pullPolicy: IfNotPresent # -- List of environment variables to set in marvin container. env: [] # -- List of sources to populate environment variables in marvin container. @@ -211,7 +213,9 @@ scan: # -- trivy plugin image repository repository: ghcr.io/undistro/trivy # -- trivy plugin image tag - tag: 0.50.1-1 + tag: 0.51 + # -- Image pull policy + pullPolicy: Always # -- List of environment variables to set in trivy container. env: [] # - name: AWS_REGION 
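Review bot: `runAsNonRoot: true` is added to the trivy plugin's securityContext without a `runAsUser`, so — assuming this block is propagated to the scan container's securityContext — the kubelet will refuse to start the container if the image runs as UID 0 or declares its USER by name rather than numeric UID, and the failure surfaces at pod creation rather than at chart render time. If the trivy image's USER is not known to be a numeric non-root UID, pair it with `runAsUser: <NON_ROOT_UID placeholder>` or add a comment stating that the image guarantees it. The marvin and popeye templates touched in this same commit do not receive the same hardening; their securityContext blocks are outside the visible hunks, so I cannot tell whether they already carry it.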
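Review bot: Dropping `--all-namespaces` (hunk `@@ -58,7 +62,6 @@`) and the `cluster` positional target (hunk `@@ -69,8 +72,7 @@`) couples the script to the `trivy k8s` CLI of whichever image tag values.yaml selects, but nothing in the template records that coupling, so an operator pinning an older tag would get a command-line error at scan time instead of a hint. I infer the reason is the tag bump in this same commit; a one-line comment above `time trivy k8s \`, e.g. `# flags match the trivy k8s CLI of the image tag in values.yaml; re-check when bumping the tag`, would make it visible. The script continues outside both hunks.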
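Review bot: `tag: 0.51` in hunk `@@ -211,7 +213,9 @@` is an unquoted plain scalar, so YAML parses it as a float — the regenerated README in this same commit already documents the key as `float | 0.51` instead of string. It happens to render as `0.51` today, but a tag such as `0.50` or `0.10` would render as `0.5`/`0.1` and produce a non-existent image reference, and `tag: 0.21` for popeye in the following hunk has the same problem. Quote both, `tag: "0.51"` and `tag: "0.21"`, so the type column returns to string. Separately, these two plugins now default to `pullPolicy: Always` on a mutable tag, meaning the scanner image can change underneath a deployment without a chart change; pinning by digest is the usual mitigation if that matters to consumers.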
@@ -268,7 +272,9 @@ scan: # -- popeye plugin image repository repository: ghcr.io/undistro/popeye # -- popeye plugin image tag - tag: 0.21.3-6 + tag: 0.21 + # -- Image pull policy + pullPolicy: Always # -- List of environment variables to set in popeye container. env: [] # -- List of sources to populate environment variables in popeye container. @@ -278,7 +284,7 @@ kubexnsImage: # -- kubexns image repository repository: ghcr.io/undistro/kubexns # -- kubexns image tag - tag: v0.1.3 + tag: v0.1.4 # -- Custom checks ConfigMap name customChecksConfigMap: zora-custom-checks @@ -290,4 +296,4 @@ noProxy: kubernetes.default.svc.*,127.0.0.1,localhost # -- (bool) Specifies whether CRDs should be updated by operator at startup # @default -- `true` for upgrades -updateCRDs: \ No newline at end of file +updateCRDs: