Merge remote-tracking branch 'origin/master' into outpostlite-remediation-security-changes

yairsappir · yairsappir · commit 7923d7115661 · 2025-03-24T10:49:46.000+02:00
# Conflicts:
#	wiz-outpost-lite/templates/deployment.yaml
diff --git a/.circleci/tests/golden/wiz-outpost-lite/remediation.golden.yaml b/.circleci/tests/golden/wiz-outpost-lite/remediation.golden.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: sa-remediation-aws-rds-003
+  namespace: release-helm-namespace
   labels:
     helm.sh/chart: "GOLDEN_STATIC_VALUE"
     app.kubernetes.io/name: wiz-outpost-lite
diff --git a/wiz-admission-controller/Chart.yaml b/wiz-admission-controller/Chart.yaml
@@ -5,12 +5,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.10.0-preview.3
+version: 3.9.5
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.9"
+appVersion: "2.8"
 dependencies:
   - name: wiz-common
     version: "0.1.8"
diff --git a/wiz-admission-controller/templates/_helpers.tpl b/wiz-admission-controller/templates/_helpers.tpl
@@ -50,16 +50,6 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
-{{- define "wiz-admission-controller-uninstall.name" -}}
-{{- if .Values.wizUninstallJob.nameOverride }}
-{{- .Values.wizUninstallJob.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $suffix := "-uninstall" -}}
-{{- $maxLength := int (sub 63 (len $suffix)) -}}
-{{- printf "%s%s" (include "wiz-admission-controller.fullname" . | trunc $maxLength | trimSuffix "-") $suffix -}}
-{{- end }}
-{{- end }}
-
 {{- define "wiz-admission-controller.wiz-hpa-enforcer.name" -}}
 {{- $suffix := "-hpa" -}}
 {{- $maxLength := int (sub 63 (len $suffix)) -}}
@@ -130,14 +120,6 @@ Wiz manager selector labels
 app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{- end }}
 
-{{/*
-Wiz uninstall selector labels
-*/}}
-{{- define "wiz-admission-controller-uninstall.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "wiz-admission-controller-uninstall.name" . }}
-{{- end }}
-
-
 {{- define "wiz-admission-controller-enforcement.labels" -}}
 {{ include "wiz-admission-controller.labels" . }}
 {{ include "wiz-admission-controller-enforcement.selectorLabels" . }}
@@ -153,11 +135,6 @@ app.kubernetes.io/name: {{ include "wiz-admission-controller-uninstall.name" . }
 {{ include "wiz-admission-controller-manager.selectorLabels" . }}
 {{- end }}
 
-{{- define "wiz-admission-controller-uninstall.labels" -}}
-{{ include "wiz-admission-controller.labels" . }}
-{{ include "wiz-admission-controller-uninstall.selectorLabels" . }}
-{{- end }}
-
 {{/*
 Wiz Horizontal Pod Autoscaler labels
 */}}
diff --git a/wiz-admission-controller/templates/jobuninstall.yaml b/wiz-admission-controller/templates/jobuninstall.yaml
diff --git a/wiz-admission-controller/values.yaml b/wiz-admission-controller/values.yaml
@@ -498,21 +498,6 @@ wizManager:
     # If empty, a name is generated using the nameOverride
     name: ""
 
-wizUninstallJob:
-  enabled: true # Should the uninstall job be deployed.
-  nameOverride: "" # Override the uninstall job name.
-  timeoutSeconds: 300 # The timeout for the uninstall job in seconds.
-  # Toggle the TTL (Time to Live) mechanism for automatic cleanup of finished Jobs.
-  # Set to `true` to enable Kubernetes to automatically delete Jobs after they complete or fail, based on the `ttlSecondsAfterFinished` field.
-  # Set to `false` if using Argo CD to manage Job lifecycle with deletion hooks, as TTL-based cleanup can cause Application to appear OutOfSync.
-  # See: https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/#sync-status-with-jobsworkflows-with-time-to-live-ttl
-  useJobTTL: true
-  jobAnnotations: {}
-  podAnnotations: {}
-  podAdditionalSpec: {}
-
-
-
 # Global values to override chart values.
 global:
   nameOverride: "" # Override the release’s name.
diff --git a/wiz-kubernetes-integration/Chart.yaml b/wiz-kubernetes-integration/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: wiz-kubernetes-integration
 description: A Helm chart for Kubernetes
 type: application
-version: 0.2.84
+version: 0.2.87
 appVersion: ""
 
 # Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor
diff --git a/wiz-outpost-lite/templates/deployment.yaml b/wiz-outpost-lite/templates/deployment.yaml
@@ -28,14 +28,6 @@ spec:
       {{- if .Values.serviceAccount.create }}
       serviceAccountName: sa-{{ .runner }}
       {{- end }}
-      {{- if or (hasKey .Values "podSecurityContext") (hasKey .Values "podSecurityContextOverride") }}
-      securityContext:
-        {{- if hasKey .Values "podSecurityContextOverride"}}
-        {{- toYaml .Values.podSecurityContextOverride | nindent 8 }}
-        {{- else }}
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-        {{- end }}
-      {{- end }}
       restartPolicy: Always
       {{- if .Values.affinity }}
       affinity:
@@ -150,14 +142,15 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- if or (hasKey .Values "containerSecurityContext") (hasKey .Values "containerSecurityContextOverride") }}
           securityContext:
-            {{- if hasKey .Values "containerSecurityContextOverride"}}
-            {{- toYaml .Values.containerSecurityContextOverride | nindent 12 }}
-            {{- else }}
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- if .Values.openshift }}
+            privileged: true
             {{- end }}
-          {{- end}}
+            capabilities:
+              add:
+              - SYS_ADMIN
+            seLinuxOptions:
+              type: spc_t
           volumeMounts:
             - mountPath: /var/wiz
               name: working-dir
diff --git a/wiz-outpost-lite/templates/openshift.yaml b/wiz-outpost-lite/templates/openshift.yaml
@@ -0,0 +1,41 @@
+{{- range $values := (include "wiz-outpost-lite.runners" . | fromJson) }}
+{{- with merge $values (omit $ "Values") }}
+{{- if and .Values.openshift (eq .runner "container-registry") -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "wiz-outpost-lite.fullname" . }}-scc
+  labels: {{- include "wiz-outpost-lite.labels" . | nindent 4 }}
+allowHostDirVolumePlugin: true
+allowPrivilegedContainer: true
+readOnlyRootFilesystem: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+requiredDropCapabilities: null
+groups: []
+priority: 0
+allowedCapabilities:
+  - SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+seccompProfiles:
+  - '*'
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:sa-{{ .runner }}
+volumes:
+  - downwardAPI
+  - emptyDir
+  - hostPath
+  - secret
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/wiz-outpost-lite/templates/serviceaccount.yaml b/wiz-outpost-lite/templates/serviceaccount.yaml
@@ -5,6 +5,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: sa-{{ .runner }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "wiz-outpost-lite.labels" . | nindent 4 }}
 ---
diff --git a/wiz-outpost-lite/values.yaml b/wiz-outpost-lite/values.yaml
@@ -71,6 +71,10 @@ httpProxyConfiguration:
 
 terminationGracePeriodSeconds: 30
 
+# Use when installing on OpenShift clusters to create a SecurityContextConstraint for our service-account
+openshift: false
+
+# Use when installing on OpenShift clusters to create a Service Account for the SecurityContextConstraint
 serviceAccount:
   create: false
 
