Merge remote-tracking branch 'origin/master' into outpostlite-remediation-security-changes

yairsappir · yairsappir · commit 43fdfb1331c6 · 2025-04-10T13:08:28.000+03:00
diff --git a/wiz-admission-controller/Chart.yaml b/wiz-admission-controller/Chart.yaml
@@ -5,12 +5,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.9.5
+version: 3.10.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.8"
+appVersion: "2.9"
 dependencies:
   - name: wiz-common
     version: "0.1.8"
diff --git a/wiz-admission-controller/templates/_helpers.tpl b/wiz-admission-controller/templates/_helpers.tpl
@@ -50,6 +50,16 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "wiz-admission-controller-uninstall.name" -}}
+{{- if .Values.wizUninstallJob.nameOverride }}
+{{- .Values.wizUninstallJob.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $suffix := "-uninstall" -}}
+{{- $maxLength := int (sub 63 (len $suffix)) -}}
+{{- printf "%s%s" (include "wiz-admission-controller.fullname" . | trunc $maxLength | trimSuffix "-") $suffix -}}
+{{- end }}
+{{- end }}
+
 {{- define "wiz-admission-controller.wiz-hpa-enforcer.name" -}}
 {{- $suffix := "-hpa" -}}
 {{- $maxLength := int (sub 63 (len $suffix)) -}}
@@ -120,6 +130,14 @@ Wiz manager selector labels
 app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{- end }}
 
+{{/*
+Wiz uninstall selector labels
+*/}}
+{{- define "wiz-admission-controller-uninstall.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "wiz-admission-controller-uninstall.name" . }}
+{{- end }}
+
+
 {{- define "wiz-admission-controller-enforcement.labels" -}}
 {{ include "wiz-admission-controller.labels" . }}
 {{ include "wiz-admission-controller-enforcement.selectorLabels" . }}
@@ -135,6 +153,11 @@ app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{ include "wiz-admission-controller-manager.selectorLabels" . }}
 {{- end }}
 
+{{- define "wiz-admission-controller-uninstall.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+{{ include "wiz-admission-controller-uninstall.selectorLabels" . }}
+{{- end }}
+
 {{/*
 Wiz Horizontal Pod Autoscaler labels
 */}}
diff --git a/wiz-admission-controller/templates/jobuninstall.yaml b/wiz-admission-controller/templates/jobuninstall.yaml
@@ -0,0 +1,123 @@
+{{ if .Values.wizUninstallJob.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "wiz-admission-controller-uninstall.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    wiz.io/component: "admission-controller-uninstall"
+    {{- include "wiz-admission-controller-uninstall.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    rollme.proxyHash: {{ include "wiz-admission-controller.proxyHash" . }}
+    rollme.wizApiTokenHash: {{ include "wiz-admission-controller.wizApiTokenHash" . }}
+    {{- with (.Values.wizUninstallJob.jobAnnotations) }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.wizUninstallJob.useJobTTL }}
+  ttlSecondsAfterFinished: 60
+  {{- end }}
+  manualSelector: true
+  selector:
+    matchLabels:
+      {{- include "wiz-admission-controller-uninstall.selectorLabels" . | nindent 6 }}
+  activeDeadlineSeconds: {{ .Values.wizUninstallJob.timeoutSeconds }}
+  backoffLimit: 1
+  template:
+    metadata:
+      {{- if (or .Values.global.podAnnotations .Values.podAnnotations .Values.wizUninstallJob.podAnnotations)}}
+      annotations:
+        {{- with .Values.global.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.wizUninstallJob.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      labels:
+        wiz.io/component: "admission-controller-uninstall"
+      {{- include "wiz-admission-controller-uninstall.labels" . | nindent 8 }}
+      {{- with .Values.global.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.wizUninstallJob.podAdditionalSpec }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: "Never"
+      securityContext:
+        {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
+          {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 8 }}
+        {{- else }}
+          {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      volumes:
+        {{- include "wiz-admission-controller.spec.common.volumes" . | trim | nindent 8 }}
+        {{- with .Values.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.global.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-uninstall
+          securityContext:
+             {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }}
+             {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 14 }}
+             {{- else }}
+             {{- toYaml .Values.securityContext | nindent 14 }}
+             {{- end }}
+          image: {{ include "wiz-admission-controller.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+          - "/usr/bin/wiz-admission-controller"
+          - "uninstall"
+          {{- include "wiz-admission-controller.spec.common.commandArgs" . | trim | nindent 10 }}
+          env:
+          {{- include "wiz-admission-controller.spec.common.envVars" . | trim | nindent 10 }}
+          resources:
+            {{- include "wiz-admission-controller.resources" . | trim | nindent 12 }}
+          volumeMounts:
+            {{- include "wiz-admission-controller.spec.common.volumeMounts" . | trim | nindent 14 }}
+            {{- if or .Values.customVolumeMounts .Values.global.customVolumeMounts }}
+            {{- with .Values.customVolumeMounts }}
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- with .Values.global.customVolumeMounts }}
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- end }}
+      {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with (coalesce .Values.global.affinity .Values.affinity) }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if (or .Values.global.tolerations .Values.tolerations) }}
+      tolerations:
+        {{- with .Values.global.tolerations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.tolerations }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+{{- end }}
+
diff --git a/wiz-admission-controller/values.yaml b/wiz-admission-controller/values.yaml
@@ -498,6 +498,21 @@ wizManager:
     # If empty, a name is generated using the nameOverride
     name: ""
 
+wizUninstallJob:
+  enabled: true # Should the uninstall job be deployed.
+  nameOverride: "" # Override the uninstall job name.
+  timeoutSeconds: 300 # The timeout for the uninstall job in seconds.
+  # Toggle the TTL (Time to Live) mechanism for automatic cleanup of finished Jobs.
+  # Set to `true` to enable Kubernetes to automatically delete Jobs after they complete or fail, based on the `ttlSecondsAfterFinished` field.
+  # Set to `false` if using Argo CD to manage Job lifecycle with deletion hooks, as TTL-based cleanup can cause Application to appear OutOfSync.
+  # See: https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/#sync-status-with-jobsworkflows-with-time-to-live-ttl
+  useJobTTL: true
+  jobAnnotations: {}
+  podAnnotations: {}
+  podAdditionalSpec: {}
+
+
+
 # Global values to override chart values.
 global:
   nameOverride: "" # Override the release’s name.
diff --git a/wiz-kubernetes-integration/Chart.yaml b/wiz-kubernetes-integration/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: wiz-kubernetes-integration
 description: A Helm chart for Kubernetes
 type: application
-version: 0.2.88
+version: 0.2.92
 appVersion: ""
 
 # Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor
@@ -17,5 +17,5 @@ dependencies:
   condition: wiz-admission-controller.enabled
 - name: wiz-sensor
   repository: https://wiz-sec.github.io/charts
-  version: ">=1.0.6187"
+  version: ">=1.0.6440"
   condition: wiz-sensor.enabled
diff --git a/wiz-sensor/Chart.yaml b/wiz-sensor/Chart.yaml
@@ -3,5 +3,5 @@ description: Wiz Sensor helm chart
 home: https://www.wiz.io/
 name: wiz-sensor
 type: application
-version: 1.0.6187
-appVersion: 1.0.6187
+version: 1.0.6440
+appVersion: 1.0.6349
diff --git a/wiz-sensor/templates/daemonset.yaml b/wiz-sensor/templates/daemonset.yaml
@@ -37,6 +37,11 @@ spec:
         {{- end }}
 
     spec:
+      {{- if .Values.setFsGroup }}
+      securityContext:
+        fsGroup: {{- if .Values.privileged }} 0 {{- else }} 2202 {{- end }}
+      {{- end }}
+
       {{- if .Values.serviceAccount.create }}
       serviceAccountName: {{ include "wiz-sensor.serviceAccountName" . }}
       {{- end }}
@@ -378,6 +383,31 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
 
+        {{- if and (not .Values.gkeAutopilot) .Values.livenessProbe.enabled }}
+        livenessProbe:
+          exec:
+            command:
+            - "/bin/onprem-agent"
+            - "version"
+{{ toYaml .Values.livenessProbe.config | indent 10 }}
+        {{- end }}
+        {{- if and (not .Values.gkeAutopilot) .Values.startupProbe.enabled }}
+        startupProbe:
+          exec:
+            command:
+            - "/bin/onprem-agent"
+            - "version"
+{{ toYaml .Values.startupProbe.config | indent 10 }}
+        {{- end }}
+        {{- if and (not .Values.gkeAutopilot) .Values.readinessProbe.enabled }}
+        readinessProbe:
+          exec:
+            command:
+            - "/bin/onprem-agent"
+            - "version"
+{{ toYaml .Values.readinessProbe.config | indent 10 }}
+        {{- end }}
+
         securityContext:
         {{- if .Values.privileged }}
           privileged: true
diff --git a/wiz-sensor/values.yaml b/wiz-sensor/values.yaml
@@ -83,6 +83,9 @@ oldAppArmorAnnotation: false
 # check by enabling this option.
 disableImageVersionCheck: false
 
+# add appropriate fsGroup/supplementalGroups to the pod's securityContext
+useFsGroup: false
+
 clusterExternalId: "" # Required for OKE clusters - specify the cluster's OCID
 subscriptionExternalId: "" # Optional. Used to associate the installation with a Subscription if none can be obtained from IMDS (e.g. on-prem)
 clusterTags: {} # Optional. List of key: value tags to be added to KubernetesCluster object associated with this installation
@@ -295,6 +298,8 @@ daemonset:
   #- key: node.ocs.openshift.io/storage
   #  value: "true"
   #  effect: NoSchedule
+  #- key: CriticalAddonsOnly # allow running on EKS auto-mode system nodes
+  #  operator: Exists
 
   # Default strategy to update the daemonset
   updateStrategy:
