Merge branch 'other-approach-test' into outpostlite-remediation-security-changes

# Conflicts:
#	wiz-outpost-lite/templates/_helpers.tpl
#	wiz-outpost-lite/templates/deployment.yaml

Author: yairsappir

.DS_Store

@@ -0,0 +1,28 @@
+global:
+  wizApiToken:
+    wizApiTokensVolumeMount: /path/to/global
+
+wiz-kubernetes-connector:
+  enabled: true
+  autoCreateConnector:
+    enabled: true
+    autoDeleteConnectorEnabled: true
+  broker:
+    enabled: true
+
+wiz-sensor:
+  enabled: true
+  imagePullSecret:
+    create: true
+    name: sensor-image-pull
+    username: pulluser
+    password: pullpassword
+  image:
+    registry: wizio.azurecr.io
+
+wiz-admission-controller:
+  enabled: true
+  opaWebhook:
+    enabled: true
+  kubernetesAuditLogsWebhook:
+    enabled: true

.circleci/tests/testfiles/wiz-kubernetes-integration/api-tokens-volume-mount.yaml

@@ -9,4 +9,5 @@
 /.github/ @wiz-sec/wiz-devops
 /.circleci/ @wiz-sec/wiz-devops
 /.circleci/tests/ @wiz-sec/Wiz-Charts-Approvers
-/wiz-outpost-lite/**/* @yarinm
+/wiz-outpost-lite/**/* @yarinm
+/wiz-sensor/**/* @ariknem

.github/CODEOWNERS

@@ -1,3 +1,4 @@
 .idea/*
 !/.idea/runConfigurations
 
+.DS_Store

.gitignore

@@ -1,22 +1,18 @@
 apiVersion: v2
 name: wiz-admission-controller
 description: Wiz admission controller
-
 type: application
-
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.9.1
-
+version: 3.10.0-preview.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.8"
-
+appVersion: "2.9"
 dependencies:
   - name: wiz-common
-    version: "0.1.6"
+    version: "0.1.8"
     repository: https://wiz-sec.github.io/charts
 #    repository: "file://../wiz-common" # Use this line to test the chart locally

wiz-admission-controller/Chart.yaml

@@ -50,6 +50,16 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "wiz-admission-controller-uninstall.name" -}}
+{{- if .Values.wizUninstallJob.nameOverride }}
+{{- .Values.wizUninstallJob.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $suffix := "-uninstall" -}}
+{{- $maxLength := int (sub 63 (len $suffix)) -}}
+{{- printf "%s%s" (include "wiz-admission-controller.fullname" . | trunc $maxLength | trimSuffix "-") $suffix -}}
+{{- end }}
+{{- end }}
+
 {{- define "wiz-admission-controller.wiz-hpa-enforcer.name" -}}
 {{- $suffix := "-hpa" -}}
 {{- $maxLength := int (sub 63 (len $suffix)) -}}
@@ -120,6 +130,14 @@ Wiz manager selector labels
 app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{- end }}
 
+{{/*
+Wiz uninstall selector labels
+*/}}
+{{- define "wiz-admission-controller-uninstall.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "wiz-admission-controller-uninstall.name" . }}
+{{- end }}
+
+
 {{- define "wiz-admission-controller-enforcement.labels" -}}
 {{ include "wiz-admission-controller.labels" . }}
 {{ include "wiz-admission-controller-enforcement.selectorLabels" . }}
@@ -135,6 +153,11 @@ app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{ include "wiz-admission-controller-manager.selectorLabels" . }}
 {{- end }}
 
+{{- define "wiz-admission-controller-uninstall.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+{{ include "wiz-admission-controller-uninstall.selectorLabels" . }}
+{{- end }}
+
 {{/*
 Wiz Horizontal Pod Autoscaler labels
 */}}
@@ -319,15 +342,24 @@ Clean the list of deployments for the auto-update flag, removing quotes and brac
 {{- end -}}
 
 {{- define "wiz-admission-controller.isWizApiTokenSecretEnabled" -}}
-  {{- if and (.Values.wizApiToken.secret.create) (eq (include "wiz-common.isWizApiClientVolumeMountEnabled" (list .Values.wizApiToken.usePodCustomEnvironmentVariablesFile .Values.wizApiToken.wizApiTokensVolumeMount) | trim | lower) "true") }}
+  {{- if and (.Values.wizApiToken.secret.create) (eq (include "wiz-common.isWizApiClientVolumeMountEnabled" (list .Values.wizApiToken.usePodCustomEnvironmentVariablesFile .Values.wizApiToken.wizApiTokensVolumeMount .Values.global.wizApiToken.wizApiTokensVolumeMount) | trim | lower) "true") }}
     true
   {{- else }}
     false
   {{- end }}
 {{- end }}
 
+{{- define "wiz-admission-controller.isWizApiClientVolumeMountEnabled" -}}
+{{- if eq (include "wiz-common.isWizApiClientVolumeMountEnabled" (list .Values.wizApiToken.usePodCustomEnvironmentVariablesFile .Values.wizApiToken.wizApiTokensVolumeMount .Values.global.wizApiToken.wizApiTokensVolumeMount) | trim | lower) "true" -}}
+true
+{{- else -}}
+false
+{{- end }}
+{{- end }}
+
+
 {{- define "wiz-admission-controller.spec.common.volumeMounts" -}}
-{{- if eq (include "wiz-common.isWizApiClientVolumeMountEnabled" (list .Values.wizApiToken.usePodCustomEnvironmentVariablesFile .Values.wizApiToken.wizApiTokensVolumeMount) | trim | lower) "true" -}}
+{{- if eq (include "wiz-admission-controller.isWizApiClientVolumeMountEnabled" . | trim | lower) "true" }}
 - name: {{ include "wiz-common.volumes.apiClientName" . }}
   mountPath: /var/{{ include "wiz-common.volumes.apiClientName" . }}
   readOnly: true
@@ -338,7 +370,7 @@ Clean the list of deployments for the auto-update flag, removing quotes and brac
 {{- end -}}
 
 {{- define "wiz-admission-controller.spec.common.volumes" -}}
-{{- if eq (include "wiz-common.isWizApiClientVolumeMountEnabled" (list .Values.wizApiToken.usePodCustomEnvironmentVariablesFile .Values.wizApiToken.wizApiTokensVolumeMount) | trim | lower) "true" -}}
+{{- if eq (include "wiz-admission-controller.isWizApiClientVolumeMountEnabled" . | trim | lower) "true" }}
 - name: {{ include "wiz-common.volumes.apiClientName" . | trim }}
   secret:
     secretName: {{ include "wiz-admission-controller.secretApiTokenName" . | trim }}
@@ -353,15 +385,19 @@ Clean the list of deployments for the auto-update flag, removing quotes and brac
 {{- if not .Values.wizApiToken.usePodCustomEnvironmentVariablesFile }}
 - name: CLI_FILES_AS_ARGS
 {{- $wizApiTokensPath := "" -}}
-{{- if .Values.wizApiToken.wizApiTokensVolumeMount }}
-  {{- $wizApiTokensPath = .Values.wizApiToken.wizApiTokensVolumeMount -}}
+{{- if coalesce .Values.wizApiToken.wizApiTokensVolumeMount .Values.global.wizApiToken.wizApiTokensVolumeMount }}
+  {{- $wizApiTokensPath = coalesce .Values.wizApiToken.wizApiTokensVolumeMount .Values.global.wizApiToken.wizApiTokensVolumeMount -}}
 {{- else }}
   {{- $wizApiTokensPath = printf "/var/%s" (include "wiz-common.volumes.apiClientName" .) -}}
 {{- end }}
   value: "{{ $wizApiTokensPath }}/clientToken,{{ $wizApiTokensPath }}/clientId"
 {{- end }}
 {{- if or .Values.global.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.enabled }}
 {{ include "wiz-common.proxy.env" . | trim }}
+{{- if or .Values.global.httpProxyConfiguration.clientCertificate .Values.httpProxyConfiguration.clientCertificate }}
+- name: WIZ_HTTP_PROXY_CLIENT_CERT_PATH
+  value: "{{ include "wiz-common.proxy.dir" . }}/clientCertificate"
+{{- end }}
 {{- end }}
 - name: WIZ_ENV
   value: {{ coalesce .Values.global.wizApiToken.clientEndpoint .Values.wizApiToken.clientEndpoint | quote }}
@@ -411,21 +447,6 @@ Clean the list of deployments for the auto-update flag, removing quotes and brac
 - name: WIZ_MISCONFIGURATION_CUSTOM_ERROR_MESSAGE
   value:  "{{ coalesce .Values.opaWebhook.customErrorMessage .Values.customErrorMessage }}"
 {{- end -}}
-{{- if  .Values.opaWebhook.enabled }}
-- name: WIZ_MISCONFIGURATION_WEBHOOK_CONFIG
-  value: |
-  {{ .Values.opaWebhook | toJson | nindent 4 }}
-{{- end -}}
-{{- if .Values.imageIntegrityWebhook.enabled }}
-- name: WIZ_IMAGE_INTEGRITY_WEBHOOK_CONFIG
-  value: |
-  {{ .Values.imageIntegrityWebhook | toJson | nindent 4 }}
-{{- end -}}
-{{- if .Values.kubernetesAuditLogsWebhook.enabled }}
-- name: WIZ_KUBERNETES_AUDIT_LOG_WEBHOOK_CONFIG
-  value: |
-  {{ .Values.kubernetesAuditLogsWebhook | toJson | nindent 4 }}
-{{- end -}}
 {{- if coalesce .Values.global.clusterDisplayName .Values.clusterDisplayName }}
 - name: WIZ_CLUSTER_NAME
   value: {{ coalesce .Values.global.clusterDisplayName .Values.clusterDisplayName | quote }}

wiz-admission-controller/templates/_helpers.tpl

@@ -61,7 +61,7 @@ spec:
                 {{- else }}
                 {{- toYaml .Values.securityContext | nindent 16 }}
                 {{- end }}
-              image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+              image: {{ include "wiz-admission-controller.image" . }}
               imagePullPolicy: {{ .Values.image.pullPolicy }}
               command:
               - "/usr/bin/wiz-admission-controller"

wiz-admission-controller/templates/cronjobmanager.yaml

@@ -101,6 +101,9 @@ spec:
           - "--image-integrity-enabled=false"
           env:
           {{- include "wiz-admission-controller.spec.common.envVars" . | trim | nindent 10 }}
+          - name: WIZ_KUBERNETES_AUDIT_LOG_WEBHOOK_CONFIG
+            value: |
+          {{- .Values.kubernetesAuditLogsWebhook | toJson | nindent 14 }}
           ## Enable debug webhook that only logs the request
           {{- if .Values.debugWebhook.enabled }}
           - name: WIZ_DEBUG_WEBHOOK_ENABLED

wiz-admission-controller/templates/deploymentauditlogs.yaml

@@ -117,6 +117,16 @@ spec:
           - "--kubernetes-audit-logs-enabled=false"
           env:
           {{- include "wiz-admission-controller.spec.common.envVars" . | trim | nindent 10 }}
+          {{- if  .Values.opaWebhook.enabled }}
+          - name: WIZ_MISCONFIGURATION_WEBHOOK_CONFIG
+            value: |
+          {{- .Values.opaWebhook | toJson | nindent 14 }}
+          {{- end -}}
+          {{- if .Values.imageIntegrityWebhook.enabled }}
+          - name: WIZ_IMAGE_INTEGRITY_WEBHOOK_CONFIG
+            value: |
+          {{- .Values.imageIntegrityWebhook | toJson | nindent 14 }}
+          {{- end }}
           - name: WIZ_IMAGE_INTEGRITY_PATCH_IMAGE_DIGEST_ANNOTATION
             value: {{ .Values.imageIntegrityWebhook.patchImageDigestAnnotation | quote }}
            # For running pod with read only file system we write all the cache files to /var/cache volume mount, used by image integrity hook

wiz-admission-controller/templates/deploymentenforcement.yaml

@@ -0,0 +1,123 @@
+{{ if .Values.wizUninstallJob.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "wiz-admission-controller-uninstall.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    wiz.io/component: "admission-controller-uninstall"
+    {{- include "wiz-admission-controller-uninstall.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    rollme.proxyHash: {{ include "wiz-admission-controller.proxyHash" . }}
+    rollme.wizApiTokenHash: {{ include "wiz-admission-controller.wizApiTokenHash" . }}
+    {{- with (.Values.wizUninstallJob.jobAnnotations) }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.wizUninstallJob.useJobTTL }}
+  ttlSecondsAfterFinished: 60
+  {{- end }}
+  manualSelector: true
+  selector:
+    matchLabels:
+      {{- include "wiz-admission-controller-uninstall.selectorLabels" . | nindent 6 }}
+  activeDeadlineSeconds: {{ .Values.wizUninstallJob.timeoutSeconds }}
+  backoffLimit: 1
+  template:
+    metadata:
+      {{- if (or .Values.global.podAnnotations .Values.podAnnotations .Values.wizUninstallJob.podAnnotations)}}
+      annotations:
+        {{- with .Values.global.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.wizUninstallJob.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      labels:
+        wiz.io/component: "admission-controller-uninstall"
+      {{- include "wiz-admission-controller-uninstall.labels" . | nindent 8 }}
+      {{- with .Values.global.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.wizUninstallJob.podAdditionalSpec }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: "Never"
+      securityContext:
+        {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
+          {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 8 }}
+        {{- else }}
+          {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      volumes:
+        {{- include "wiz-admission-controller.spec.common.volumes" . | trim | nindent 8 }}
+        {{- with .Values.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.global.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-uninstall
+          securityContext:
+             {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }}
+             {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 14 }}
+             {{- else }}
+             {{- toYaml .Values.securityContext | nindent 14 }}
+             {{- end }}
+          image: {{ include "wiz-admission-controller.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+          - "/usr/bin/wiz-admission-controller"
+          - "uninstall"
+          {{- include "wiz-admission-controller.spec.common.commandArgs" . | trim | nindent 10 }}
+          env:
+          {{- include "wiz-admission-controller.spec.common.envVars" . | trim | nindent 10 }}
+          resources:
+            {{- include "wiz-admission-controller.resources" . | trim | nindent 12 }}
+          volumeMounts:
+            {{- include "wiz-admission-controller.spec.common.volumeMounts" . | trim | nindent 14 }}
+            {{- if or .Values.customVolumeMounts .Values.global.customVolumeMounts }}
+            {{- with .Values.customVolumeMounts }}
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- with .Values.global.customVolumeMounts }}
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- end }}
+      {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with (coalesce .Values.global.affinity .Values.affinity) }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if (or .Values.global.tolerations .Values.tolerations) }}
+      tolerations:
+        {{- with .Values.global.tolerations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.tolerations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+{{- end }}
+