diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml index 771dcbb758..a530fd1703 100644 --- a/cluster/config-defaults.yaml +++ b/cluster/config-defaults.yaml @@ -1194,3 +1194,8 @@ role_sync_controller_enabled: "true" {{ else }} role_sync_controller_enabled: "false" {{ end }} + +#Wiz Configs +wiz_enable_runtime_monitoring_daemonset: "false" +wiz_adapter_cpu: "300m" +wiz_adapter_memory: "300Mi" diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml index ed5f25cdc6..86f51d11b5 100644 --- a/cluster/manifests/deletions.yaml +++ b/cluster/manifests/deletions.yaml @@ -339,3 +339,59 @@ post_apply: - name: kube-janitor kind: ClusterRoleBinding {{- end }} +{{- if ne .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true" }} +- name: wiz-sensor + kind: ServiceAccount + namespace: wiz +- name: wiz-sensor-apikey + kind: Secret + namespace: wiz +# - name: wiz-sensor-imagepullkey +# kind : Secret +# namespace: wiz +- name: wiz-sensor + kind : DaemonSet + namespace: wiz +- name: wiz-sensor + kind : ClusterRole + namespace: wiz +- name: wiz-sensor + kind : ClusterRoleBinding + namespace: wiz +- name: wiz-broker + kind : ServiceAccount + namespace: wiz +- name: wiz-cluster-reader + kind : ServiceAccount + namespace: wiz +- name: wiz-auto-modify-connector + kind : ServiceAccount + namespace: wiz +- name: wiz-connector-connector + kind : Secret + namespace: wiz +- name: wiz-cluster-reader-token + kind : Secret + namespace: wiz +- name: wiz-api-token + kind : Secret + namespace: wiz +- name: wiz-auto-modify-connector + kind : Role + namespace: wiz +- name: wiz-auto-modify-connector + kind : RoleBinding + namespace: wiz +- name: wiz-kubernetes-connector-create-connector + kind : Job + namespace: wiz +- name: wiz-kubernetes-connector-delete-connector + kind : Job + namespace: wiz +- name: wiz-connector-agent + kind : Deployment + namespace: wiz +- name: wiz-cluster-reader + kind : ClusterRoleBinding + namespace: wiz +{{- end }} 
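Review bot: The new `wiz-sensor` ClusterRole / ClusterRoleBinding entries and the `wiz-cluster-reader` ClusterRoleBinding entry carry `namespace: wiz` although those kinds are cluster-scoped, while the existing `kube-janitor` ClusterRoleBinding entry directly above them has no namespace; unless the deletion tooling ignores the field for cluster-scoped kinds, these entries will not match and the bindings survive a flag flip. The `kind : DaemonSet` spelling (space before the colon) is valid YAML but differs from every other entry in the file; use `kind: DaemonSet`. Note also that turning the flag off only removes in-cluster objects: the `wiz` Namespace stays, and the connector registered on the Wiz side by the create Job is never torn down because the delete Job is listed for deletion rather than run — deleting `wiz-cluster-reader-token` should invalidate the exported token server-side, but the stale connector needs a documented manual cleanup in Wiz.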
diff --git a/cluster/manifests/wiz/001-namespace.yaml b/cluster/manifests/wiz/001-namespace.yaml new file mode 100644 index 0000000000..d95bff0e17 --- /dev/null +++ b/cluster/manifests/wiz/001-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: wiz diff --git a/cluster/manifests/wiz/002-connector-serviceaccount.yaml b/cluster/manifests/wiz/002-connector-serviceaccount.yaml new file mode 100644 index 0000000000..7fdf58a3f9 --- /dev/null +++ b/cluster/manifests/wiz/002-connector-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: wiz-broker + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: wiz-cluster-reader + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: wiz-auto-modify-connector + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +{{end}} diff --git a/cluster/manifests/wiz/002-sensor-serviceaccount.yaml b/cluster/manifests/wiz/002-sensor-serviceaccount.yaml new file mode 100644 index 0000000000..7d506c0250 --- /dev/null +++ b/cluster/manifests/wiz/002-sensor-serviceaccount.yaml 
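Review bot: The `wiz` Namespace is created bare, yet the sensor DaemonSet that lands in it later in this change needs `hostPID`, `hostIPC`, unconfined seccomp/AppArmor and added capabilities such as `SYS_ADMIN`, none of which pass the Pod Security `baseline` level. If Pod Security Admission is enforced cluster-wide (not visible here) the DaemonSet will be rejected without a namespace label; either way an explicit label documents and scopes the exception, so add `pod-security.kubernetes.io/enforce: privileged` under `metadata.labels` with a one-line comment naming the sensor as the reason, and keep RBAC for creating pods in this namespace tight since anything scheduled here inherits that exemption.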
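Review bot: None of the three ServiceAccounts set `automountServiceAccountToken`, so every pod using them gets a projected API token by default. Nothing in this change binds a Role or ClusterRole to `wiz-broker`, and `wiz-cluster-reader` is only consumed through the explicitly created token Secret, so `automountServiceAccountToken: false` on both is a free least-privilege win; only `wiz-auto-modify-connector` needs its token for the Role granted later in the change. If the broker image turns out to call the API with its own identity (not visible here), give it an explicit binding rather than relying on the default mount.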
@@ -0,0 +1,13 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-sensor/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: wiz-sensor + namespace: wiz + labels: + helm.sh/chart: wiz-sensor-1.0.4760 + application: "wiz" + component: "connector" +{{end}} diff --git a/cluster/manifests/wiz/003-connector-clusterrole.yaml b/cluster/manifests/wiz/003-connector-clusterrole.yaml new file mode 100644 index 0000000000..e5caac1015 --- /dev/null +++ b/cluster/manifests/wiz/003-connector-clusterrole.yaml @@ -0,0 +1,20 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: wiz-cluster-reader + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: readonly # readonly role created by default in out kubernetes environment +subjects: +- kind: ServiceAccount + name: wiz-cluster-reader + namespace: "wiz" +{{end}} diff --git a/cluster/manifests/wiz/003-connector-role.yaml b/cluster/manifests/wiz/003-connector-role.yaml new file mode 100644 index 0000000000..54f71ea13e --- /dev/null +++ b/cluster/manifests/wiz/003-connector-role.yaml 
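Review bot: The `wiz-sensor` ServiceAccount is labelled `component: "connector"`, while the sensor ClusterRole, ClusterRoleBinding, Secret and DaemonSet elsewhere in this change all use `component: "sensor"`. Anything keyed on that label (selectors, the deletion list, dashboards) will treat this account as part of the connector; change it to `component: "sensor"`.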
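Review bot: `wiz-cluster-reader` is bound cluster-wide to the pre-existing `readonly` ClusterRole whose rules are not in this diff, and its non-expiring token is the credential the connector Job hands to Wiz. Please confirm that `readonly` grants no `get`/`list` on `secrets` (nor `pods/exec` or `serviceaccounts/token`); many so-called read-only roles do, and that would turn the exported token into cluster-wide secret read for a third party. The sensor ClusterRole in this same change is an explicit allow-list and is the better pattern — consider a dedicated `wiz-cluster-reader` ClusterRole listing only the resources the Wiz connector needs. Also fix the comment typo: `# readonly role created by default in our kubernetes environment`.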
@@ -0,0 +1,43 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: wiz-auto-modify-connector + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["wiz-connector-connector"] + verbs: ["update", "get"] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: + - "wiz-api-token" + - "wiz-cluster-reader-token" + verbs: ["get"] +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: wiz-auto-modify-connector + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: wiz-auto-modify-connector +subjects: +- kind: ServiceAccount + name: wiz-auto-modify-connector + namespace: "wiz" +{{end}} diff --git a/cluster/manifests/wiz/003-sensor-clusterrole.yaml b/cluster/manifests/wiz/003-sensor-clusterrole.yaml new file mode 100644 index 0000000000..a98cda829e --- /dev/null +++ b/cluster/manifests/wiz/003-sensor-clusterrole.yaml 
@@ -0,0 +1,42 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-sensor/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: wiz-sensor + labels: + helm.sh/chart: wiz-sensor-1.0.4760 + application: "wiz" + component: "sensor" +rules: + - apiGroups: [""] + resources: ["pods", "namespaces", "nodes", "replicationcontrollers", "serviceaccounts"] + verbs: ["get", "list", "watch"] + + - apiGroups: ["apps"] + resources: ["daemonsets", "replicasets", "deployments", "statefulsets"] + verbs: ["get", "list", "watch"] + + - apiGroups: ["batch"] + resources: ["cronjobs"] + verbs: ["get", "list", "watch"] +--- +# Source: wiz-sensor/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: wiz-sensor + labels: + helm.sh/chart: wiz-sensor-1.0.4760 + application: "wiz" + component: "sensor" +subjects: +- kind: ServiceAccount + name: wiz-sensor + namespace: wiz +roleRef: + kind: ClusterRole + name: wiz-sensor + apiGroup: rbac.authorization.k8s.io +{{end}} diff --git a/cluster/manifests/wiz/004-connector-secrets.yaml b/cluster/manifests/wiz/004-connector-secrets.yaml new file mode 100644 index 0000000000..cc2012c729 --- /dev/null +++ b/cluster/manifests/wiz/004-connector-secrets.yaml 
@@ -0,0 +1,45 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/secret-connector.yaml +apiVersion: v1 +kind: Secret +metadata: + name: wiz-connector-connector + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +type: Opaque +data: + connectorData: "e30=" +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml +apiVersion: v1 +kind: Secret +metadata: + name: wiz-cluster-reader-token + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" + annotations: + kubernetes.io/service-account.name: wiz-cluster-reader +type: kubernetes.io/service-account-token +--- +# Source: wiz-sensor/templates/apikeysecret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: wiz-api-token + namespace: wiz + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +type: Opaque +stringData: + clientId: "{{ .Cluster.ConfigItems.wiz_api_client_id }}" + clientToken: "{{ .Cluster.ConfigItems.wiz_api_client_token }}" +{{end}} diff --git a/cluster/manifests/wiz/004-sensor-secrets.yaml b/cluster/manifests/wiz/004-sensor-secrets.yaml new file mode 100644 index 0000000000..c6b29365a4 --- /dev/null +++ b/cluster/manifests/wiz/004-sensor-secrets.yaml 
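Review bot: `wiz-cluster-reader-token` is a legacy `kubernetes.io/service-account-token` Secret, i.e. a token that never expires, and the connector Job later in this change reads it via `--service-account-token-secret-name` and writes the result into `wiz-connector-connector`, so it apparently leaves the cluster. That is a defensible trade-off for a SaaS integration only with a stated rotation procedure; add a comment such as `# long-lived token exported to Wiz; rotate by deleting this Secret and re-running the create-connector Job` and consider scheduling that rotation. `wiz_api_client_id` and `wiz_api_client_token` are not declared in `config-defaults.yaml` in this change, so a cluster that flips the enable flag without setting them renders a Secret with empty `clientId`/`clientToken` and fails only at runtime; if the templating supports it, fail at render time instead. The `helm.sh/chart: wiz-broker-2.1.0` label on `wiz-api-token` contradicts its `# Source: wiz-sensor/...` comment — one of the two is stale.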
@@ -0,0 +1,31 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-sensor/templates/apikeysecret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: wiz-sensor-apikey + namespace: wiz + labels: + helm.sh/chart: wiz-sensor-1.0.4760 + application: "wiz" + component: "sensor" +type: Opaque +stringData: + clientId: "{{ .Cluster.ConfigItems.wiz_api_client_id }}" + clientToken: "{{ .Cluster.ConfigItems.wiz_api_client_token }}" +# --- +# # Source: wiz-sensor/templates/imagepullsecret.yaml +# apiVersion: v1 +# kind: Secret +# type: kubernetes.io/dockerconfigjson +# metadata: +# name: wiz-sensor-imagepullkey +# labels: +# helm.sh/chart: wiz-sensor-1.0.4760 +# application: "wiz" +# component: "sensor" +# namespace: wiz +# data: +# .dockerconfigjson: "{{ .Cluster.ConfigItems.wiz_sensor_dockerconfigjson }}" +{{end}} diff --git a/cluster/manifests/wiz/005-connector-job.yaml b/cluster/manifests/wiz/005-connector-job.yaml new file mode 100644 index 0000000000..cad0071d8b --- /dev/null +++ b/cluster/manifests/wiz/005-connector-job.yaml 
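Review bot: `wiz-sensor-apikey` is filled from the same `wiz_api_client_id`/`wiz_api_client_token` items as `wiz-api-token` in the connector secrets, so one Wiz credential lives in two Secrets: a compromise of the hostPID sensor pod also yields the connector's key, and rotation has to touch both. If the Wiz tenant can issue separate, scoped service-account keys for the sensor and the connector (check the tenant settings), use distinct config items; otherwise have both workloads reference a single Secret. The commented-out `wiz-sensor-imagepullkey` block references an undeclared `wiz_sensor_dockerconfigjson` item; delete it or gate it on a config item rather than shipping dead template text that will be copy-pasted later.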
@@ -0,0 +1,155 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-create-connector.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: wiz-kubernetes-connector-create-connector + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +spec: + ttlSecondsAfterFinished: 60 + manualSelector: true + selector: + matchLabels: + application: "wiz" + component: "connector" + backoffLimit: 1 + template: + metadata: + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" + spec: + serviceAccountName: wiz-auto-modify-connector + restartPolicy: "Never" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: wiz-connector-creator + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + image: "container-registry-test.zalando.net/secops-systems/wiz-broker:2.5-pr-1-4" + imagePullPolicy: IfNotPresent + command: + - "wiz-broker" + args: + - create-kubernetes-connector + - --api-server-endpoint + - "https://kubernetes.default.svc.cluster.local" + - --secrets-namespace + - "wiz" + - --service-account-token-secret-name + - "wiz-cluster-reader-token" + - --output-secret-name + - "wiz-connector-connector" + - --is-on-prem=true + - --service-type + - "Kubernetes" + - --wait=true + - --connector-name + - {{.Cluster.Alias}} + env: + - name: LOG_LEVEL + value: info + - name: WIZ_CLIENT_ID + valueFrom: + secretKeyRef: + name: wiz-api-token + key: clientId + optional: false + - name: WIZ_CLIENT_TOKEN + valueFrom: + secretKeyRef: + name: wiz-api-token + key: clientToken + optional: false + - name: WIZ_ENV + value: + resources: + limits: + cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} + requests: + cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ 
.Cluster.ConfigItems.wiz_adapter_memory }} +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-delete-connector.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: wiz-kubernetes-connector-delete-connector + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +spec: + ttlSecondsAfterFinished: 60 + manualSelector: true + selector: + matchLabels: + application: "wiz" + component: "connector" + backoffLimit: 1 + template: + metadata: + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" + spec: + serviceAccountName: wiz-auto-modify-connector + restartPolicy: "Never" + securityContext: + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: wiz-connector-delete + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + image: "container-registry-test.zalando.net/secops-systems/wiz-broker:2.5-pr-1-4" + imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-c"] + args: + - > + wiz-broker delete-kubernetes-connector + --input-secrets-namespace + "wiz" + --input-secret-name + "wiz-connector-connector" + || true + env: + - name: LOG_LEVEL + value: info + - name: WIZ_CLIENT_ID + valueFrom: + secretKeyRef: + name: wiz-api-token + key: clientId + optional: false + - name: WIZ_CLIENT_TOKEN + valueFrom: + secretKeyRef: + name: wiz-api-token + key: clientToken + optional: false + - name: WIZ_ENV + value: "" + resources: + limits: + cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} + requests: + cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} +{{end}} diff --git a/cluster/manifests/wiz/connector-deployment.yaml b/cluster/manifests/wiz/connector-deployment.yaml new file mode 100644 index 0000000000..e2c0e15177 --- /dev/null +++ b/cluster/manifests/wiz/connector-deployment.yaml 
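Review bot: Both Jobs set `manualSelector: true` with `matchLabels: {application: wiz, component: connector}`, which is also the pod-template label set of the other Job and of the `wiz-connector-agent` Deployment in this change; the Job controller will then count and adopt pods it did not create, exactly the situation the Kubernetes docs warn about for manual selectors. Drop `manualSelector: true` and the `selector:` block so the controller generates its unique `controller-uid` selector. The delete-connector Job ships in the same file as the create Job with no ordering or hook annotation, so on apply it runs concurrently and, judging from the upstream path `job-delete-connector.yaml` (normally a pre-delete hook), may tear down the connector the create Job just registered — with `|| true` masking the outcome; gate it to a disable/cleanup path. Also quote the templated argument, `- "{{ .Cluster.Alias }}"`, so an alias that looks like a number or starts with a YAML indicator cannot break the rendered list.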
@@ -0,0 +1,77 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/wiz-broker-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: wiz-connector-agent + namespace: "wiz" + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" +spec: + replicas: 1 + selector: + matchLabels: + application: "wiz" + component: "connector" + template: + metadata: + labels: + helm.sh/chart: wiz-broker-2.1.0 + application: "wiz" + component: "connector" + spec: + serviceAccountName: wiz-broker + securityContext: + runAsNonRoot: true + runAsUser: 1000 + volumes: + - name: connector-data + secret: + secretName: wiz-connector-connector + items: + - key: connectorData + path: data + containers: + - name: wiz-broker + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + image: "container-registry-test.zalando.net/secops-systems/wiz-broker:2.5-pr-1-4" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: connector-data + mountPath: /etc/connectorData + readOnly: true + args: + - /etc/connectorData/data + env: + - name: LOG_LEVEL + value: info + - name: WIZ_ENV + value: + - name: WIZ_CLIENT_ID + valueFrom: + secretKeyRef: + name: wiz-api-token + key: clientId + - name: WIZ_CLIENT_TOKEN + valueFrom: + secretKeyRef: + name: wiz-api-token + key: clientToken + - name: TARGET_IP + value: kubernetes.default.svc.cluster.local + - name: TARGET_PORT + value: "443" + resources: + limits: + cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} + requests: + cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} +{{end}} diff --git a/cluster/manifests/wiz/sensor-daemonset.yaml b/cluster/manifests/wiz/sensor-daemonset.yaml new file mode 100644 index 0000000000..ac37d6ad36 
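Review bot: The `wiz-broker` container is far less hardened than the sensor container in this same change — no `readOnlyRootFilesystem`, no `capabilities.drop`, no `seccompProfile` — even though it holds the Wiz client credentials in its environment and the exported cluster token under `/etc/connectorData`. Since `TARGET_IP`/`TARGET_PORT` point at the API server, this pod is presumably the relay through which Wiz reaches the cluster, so a NetworkPolicy restricting its egress to the API server and the Wiz endpoint would bound what a compromised broker can reach. Pin the image by digest instead of the mutable `2.5-pr-1-4` tag with `IfNotPresent`; the `-test` registry name also suggests this is not the production image source.
```yaml
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: volumes …
      containers:
      - name: wiz-broker
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
          runAsNonRoot: true
          runAsUser: 1000
        # … unchanged: image, volumeMounts, args, env, resources …
```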
--- /dev/null +++ b/cluster/manifests/wiz/sensor-daemonset.yaml 
@@ -0,0 +1,196 @@ +{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}} +--- +# Source: wiz-sensor/templates/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: wiz-sensor + labels: + helm.sh/chart: wiz-sensor-1.0.4760 + application: "wiz" + component: "sensor" + namespace: wiz +spec: + selector: + matchLabels: + application: "wiz" + component: "sensor" + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + helm.sh/chart: wiz-sensor-1.0.4760 + application: "wiz" + component: "sensor" + annotations: + container.apparmor.security.beta.kubernetes.io/wiz-sensor: unconfined + cluster-autoscaler.kubernetes.io/enable-ds-eviction: "true" + node-ready.cluster.zalando.org/exclude: "true" + spec: + serviceAccountName: wiz-sensor + nodeSelector: + node.kubernetes.io/role: worker + hostPID: true + hostIPC: true + tolerations: + - key: karpenter.sh/disruption + operator: Exists + - key: node.kubernetes.io/not-ready + operator: Exists + - key: aws.amazon.com/spot + operator: Exists + - key: zalando.org/node-not-ready + operator: Exists + effect: NoSchedule + - key: nvidia.com/gpu + value: present + effect: NoSchedule + - key: dedicated + value: skipper-ingress + effect: NoSchedule + restartPolicy: Always + containers: + - name: wiz-sensor + image: container-registry-test.zalando.net/secops-systems/wiz-sensor:v1-pr-1-4 + imagePullPolicy: IfNotPresent + securityContext: + capabilities: + add: + - SYS_ADMIN # moving between namespaces + - SYS_CHROOT # moving between namespaces + - SYS_RESOURCE # eBPF + - SYS_RAWIO # file hashing + - DAC_OVERRIDE # file hashing + - DAC_READ_SEARCH # file hashing + - NET_ADMIN # network events + - NET_RAW # network events + - IPC_LOCK # eBPF + - FOWNER # file hashing + - SYS_PTRACE # eBPF + - SYSLOG # kernel symbol resolve + - KILL # response + privileged: false + runAsNonRoot: true + runAsUser: 2202 + runAsGroup: 2202 + readOnlyRootFilesystem: true + seccompProfile: + type: Unconfined 
+ seLinuxOptions: + user: "system_u" + role: "system_r" + level: "s0" + type: "spc_t" + env: + - name: MIN_SENSOR_COMPAT_BUILD_VER + value: "4142" + - name: HELM_CHART_COMPAT_VER + value: "1" + - name: WIZ_TMP_STORE + value: "/wiz-sensor-store/" + - name: WIZ_HOST_STORE + value: "/wiz-host-cache/" + - name: WIZ_RAMFS_STORE + value: "/tmp/" + - name: LOG_FILE + value: "/wiz-sensor-store/sensor.log" # ToDo: after discussing with WIZ we can add annotation logging/destination: "{{.Cluster.ConfigItems.log_destination_infra}}" to push logs diretcly scalyr + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_APIKEY_SECRET_NAME + value: wiz-sensor-apikey + - name: AWS_EC2_METADATA_DISABLED + value: "true" + - name: CRI_SOCKET_CUSTOM_PATH + value: + - name: HTTP_PROXY_URL + value: + - name: HTTP_PROXY_USERNAME + value: + - name: HTTP_PROXY_PASSWORD + value: + - name: HTTP_PROXY_CERT + value: + - name: BACKEND_ENV + value: prod + - name: SENSOR_CLUSTER_NAME + value: + - name: RUST_LOG + value: info + - name: STDOUT_LOG + value: error + - name: POD_MEM_LIMITS + valueFrom: + resourceFieldRef: + containerName: wiz-sensor + resource: limits.memory + divisor: "1Mi" + - name: POD_CPU_LIMITS + valueFrom: + resourceFieldRef: + containerName: wiz-sensor + resource: limits.cpu + divisor: "1m" + volumeMounts: + - name: sensor-host-cache + mountPath: /wiz-host-cache/ + - name: sensor-store + mountPath: /wiz-sensor-store/ + - name: tmp-store + mountPath: /tmp/ + - name: api-client-secret + mountPath: /api-client/ + - name: api-endpoint-name-secret + mountPath: /api-endpoint-name/ + resources: + limits: + cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} + requests: + cpu: {{ 
.Cluster.ConfigItems.wiz_adapter_cpu }} + memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} + terminationGracePeriodSeconds: 90 + # imagePullSecrets: + # - name: wiz-sensor-imagepullkey + volumes: + - name: sensor-host-cache + hostPath: + path: /var/lib/wiz/ + type: DirectoryOrCreate + - name: api-client-secret + secret: + secretName: wiz-sensor-apikey + items: + - key: clientId + path: clientId + - key: clientToken + path: clientToken + - name: api-endpoint-name-secret + secret: + secretName: wiz-sensor-apikey + optional: true + items: + - key: clientEndpoint + path: clientEndpoint + - name: sensor-store + emptyDir: + sizeLimit: "1Gi" + - name: tmp-store + emptyDir: + sizeLimit: "100Mi" + medium: "Memory" +{{end}}
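Review bot: `privileged: false` here is largely cosmetic: with `hostPID: true`, `hostIPC: true`, `SYS_ADMIN`/`SYS_PTRACE`, `seccompProfile: Unconfined`, AppArmor `unconfined` and SELinux `spc_t`, the sensor is effectively root-equivalent on every worker node, so the controls that matter are image provenance and change control on this DaemonSet. Pin the image by digest rather than the mutable `wiz-sensor:v1-pr-1-4` tag pulled with `IfNotPresent` from a `-test` registry, and record the privilege set as an accepted exception — the per-capability comments are a good start; add a line above `hostPID` stating why host namespaces are required. `SENSOR_CLUSTER_NAME` is left empty while the connector name uses `.Cluster.Alias`; set it to `"{{ .Cluster.Alias }}"` so sensor and connector data correlate in Wiz. `nodeSelector: node.kubernetes.io/role: worker` leaves control-plane nodes without a sensor, which is fine if intentional but deserves a comment.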