Added KubeArmor 1.4.6

packs/kubearmor-1.4.6/README.md

@@ -0,0 +1,23 @@
+# KubeArmor
+
+KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior \(such as process execution, file access, and networking operations\) of pods, containers, and nodes (VMs) at the system level.
+
+KubeArmor leverages [Linux security modules \(LSMs\)](https://en.wikipedia.org/wiki/Linux_Security_Modules) such as [AppArmor](https://en.wikipedia.org/wiki/AppArmor), [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), or [BPF-LSM](https://docs.kernel.org/bpf/prog_lsm.html) to enforce the user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.
+
+## Usage
+
+To use the KubeArmor pack, first create a new add-on cluster profile, and search for the kubearmor pack
+
+A KubeArmor policy is written in yaml and specifies the file, process, network, capabilities and syscalls that need to be monitored or blocked. Policies can be applied on the host and on containers with cluster-wide policy support.
+
+A community-owned library of Kubernetes System and Network policies can be found in this [github repo](https://github.com/kubearmor/policy-templates)
+
+## Least Permissive Access
+
+KubeArmor helps organizations enforce a zero trust posture within their Kubernetes clusters. It allows users to define an allow-based policy that allows specific operations, and denies or audits all other operations. This helps to ensure that only authorized activities are allowed within the cluster, and that any deviations from the expected behavior are denied and flagged for further investigation.
+
+## Harden Infrastructure
+
+One of the key features of KubeArmor is that it provides hardening policies out-of-the-box, meaning that you don't have to spend time researching and configuring them yourself. Instead, you can simply apply the policies to your workloads and immediately start benefiting from the added security that they provide.
+
+For more information refer to the [detailed documentation](https://docs.kubearmor.io/kubearmor).

packs/kubearmor-1.4.6/charts/KubeArmorOperator/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: kubearmor-operator
+description: A Helm chart for kubearmor operator
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: v1.4.6
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: v1.4.6

packs/kubearmor-1.4.6/charts/KubeArmorOperator/templates/clusterrole-binding-rbac.yaml

@@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-clusterrole-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.kubearmorOperator.name }}-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.kubearmorOperator.name }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-manage-kubearmor-clusterrole-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.kubearmorOperator.name }}-manage-kubearmor-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.kubearmorOperator.name }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.kubearmorOperator.name }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-manage-relay-clusterrole-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.kubearmorOperator.name }}-manage-relay-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.kubearmorOperator.name }}
+  namespace: {{ .Release.Namespace }}   

packs/kubearmor-1.4.6/charts/KubeArmorOperator/templates/clusterrole-rbac.yaml

@@ -0,0 +1,189 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - watch
+  - list
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - create
+  - delete
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - create
+  - get
+- apiGroups:
+  - operator.kubearmor.com
+  resources:
+  - kubearmorconfigs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - operator.kubearmor.com
+  resources:
+  - kubearmorconfigs/status
+  verbs:
+  - get
+  - patch
+  - update  
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-manage-kubearmor-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - replicasets
+  - daemonsets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+  {{- if .Values.kubearmorOperator.annotateResource }}
+  - patch
+  - update
+  {{- end }}
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+  {{- if .Values.kubearmorOperator.annotateResource }}
+  - patch
+  - update
+  {{- end }}
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorpolicies
+  - kubearmorclusterpolicies
+  - kubearmorhostpolicies
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - delete
+- nonResourceURLs:
+  - /apis
+  - /apis/*
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-manage-relay-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch   
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorpolicies
+  - kubearmorclusterpolicies
+  - kubearmorhostpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - security.kubearmor.com
+  resources:
+  - kubearmorpolicies/status
+  - kubearmorclusterpolicies/status
+  - kubearmorhostpolicies/status
+  verbs:
+  - get
+  - patch
+  - update

packs/kubearmor-1.4.6/charts/KubeArmorOperator/templates/deployment.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    kubearmor-app: {{ .Values.kubearmorOperator.name }}
+spec:
+  selector:
+    matchLabels:
+      kubearmor-app: {{ .Values.kubearmorOperator.name }}
+  template:
+    metadata:
+      labels:
+        kubearmor-app: {{ .Values.kubearmorOperator.name }}
+      {{- with .Values.kubearmorOperator.podLabels }}
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .Values.kubearmorOperator.podAnnotations }}
+      annotations:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.kubearmorOperator.podSecurityContext }}
+      securityContext:
+            {{- toYaml . | nindent 8 }}
+      {{- end }}      
+      {{- if .Values.kubearmorOperator.image.imagePullSecrets }}
+      imagePullSecrets:
+      {{ toYaml .Values.kubearmorOperator.image.imagePullSecrets | indent 6 }}
+      {{- end }}
+      {{- if .Values.kubearmorOperator.image.tolerations }}
+      tolerations:
+      {{ toYaml .Values.kubearmorOperator.tolerations | indent 6 }}
+      {{- end }}
+      containers:
+      - name: {{ .Values.kubearmorOperator.name }}
+        env:
+        - name: KUBEARMOR_OPERATOR_NS
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- if .Values.imagePinning -}}
+          {{ include "pinnedImages" .Values.oci_meta | trim | nindent 8 }}
+        {{- end }}
+        image: {{ include "operatorImage" . }}
+        imagePullPolicy: {{ .Values.kubearmorOperator.imagePullPolicy }}
+        args:
+        {{- if .Values.kubearmorOperator.args -}}
+          {{- toYaml .Values.kubearmorOperator.args | trim | nindent 8 }}
+        {{- end }}
+        {{- with .Values.kubearmorOperator.securityContext }}
+        securityContext:
+              {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.kubearmorOperator.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      serviceAccountName: {{ .Values.kubearmorOperator.name }}
+

packs/kubearmor-1.4.6/charts/KubeArmorOperator/templates/helpers.tpl

@@ -0,0 +1,22 @@
+{{- define "pinnedImages" }}
+- name: RELATED_IMAGE_KUBEARMOR_SNITCH
+  value: "{{ .repo }}/{{.images.kubearmorSnitch.image}}:{{.images.kubearmorSnitch.tag}}"
+- name: RELATED_IMAGE_KUBEARMOR
+  value: "{{ .repo }}/{{.images.kubearmor.image}}:{{.images.kubearmor.tag}}"
+- name: RELATED_IMAGE_KUBEARMOR_INIT
+  value: "{{ .repo }}/{{.images.kubearmorInit.image}}:{{.images.kubearmorInit.tag}}"
+- name: RELATED_IMAGE_KUBEARMOR_RELAY_SERVER
+  value: "{{ .repo }}/{{.images.kubearmorRelay.image}}:{{.images.kubearmorRelay.tag}}"
+- name: RELATED_IMAGE_KUBEARMOR_CONTROLLER
+  value: "{{ .repo }}/{{.images.kubearmorController.image}}:{{.images.kubearmorController.tag}}"
+{{- end }}
+
+{{- define "operatorImage" }}
+{{- if .Values.imagePinning }}
+{{- printf "%s/%s:%s" .Values.oci_meta.repo .Values.oci_meta.images.kubearmorOperator.image .Values.oci_meta.images.kubearmorOperator.tag }}
+{{- else if eq .Values.kubearmorOperator.image.tag "" }}
+{{- printf "%s:%s" .Values.kubearmorOperator.image.repository .Chart.Version }}
+{{- else }}
+{{- printf "%s:%s" .Values.kubearmorOperator.image.repository .Values.kubearmorOperator.image.tag }}
+{{- end }}
+{{- end }}

packs/kubearmor-1.4.6/charts/KubeArmorOperator/templates/ka-config.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.autoDeploy }}
+apiVersion: operator.kubearmor.com/v1
+kind: KubeArmorConfig
+metadata:
+    annotations:
+        "helm.sh/hook": post-install,post-upgrade
+    labels:
+        app.kubernetes.io/name: kubearmorconfig
+        app.kubernetes.io/instance: kubearmorconfig-sample
+        app.kubernetes.io/part-of: kubearmoroperator
+        app.kubernetes.io/managed-by: kustomize
+        app.kubernetes.io/created-by: kubearmoroperator
+    name: kubearmor-default
+    namespace: {{ .Release.Namespace }}
+spec:
+    {{- toYaml .Values.kubearmorConfig | nindent 4}}
+{{- end}}