feat: add wiz manifests #8679

Open. Wants to merge 25 commits into base: dev. Changes from 4 commits.

3 changes: 3 additions & 0 deletions cluster/config-defaults.yaml
@@ -1194,3 +1194,6 @@ role_sync_controller_enabled: "true"
{{ else }}
role_sync_controller_enabled: "false"
{{ end }}

#Wiz Configs
wiz_enable_runtime_monitoring_daemonset: "false"
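Review bot: the new key `wiz_enable_runtime_monitoring_daemonset` gates the connector ClusterRoleBinding, Deployment, Jobs and Role added in this PR, none of which is a DaemonSet, so the name misdescribes what it switches on; either rename it to something like `wiz_connector_enabled` (a suggested name, not one from the chart) or state in the PR description that the same flag will later gate the runtime sensor DaemonSet as well. Defaulting it to `"false"` is the right choice. Minor: the comment `#Wiz Configs` is missing the space after `#`.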
39 changes: 39 additions & 0 deletions cluster/manifests/wiz/connector/clusterrole.yaml
@@ -0,0 +1,39 @@
{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
# ---
# # We are using ClusterRole readonly created by default in the cluster instead of creating new one provided by wiz
# # Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRole
# metadata:
# name: wiz-cluster-reader
# labels:
# helm.sh/chart: wiz-kubernetes-connector-3.1.1
# app.kubernetes.io/name: wiz-kubernetes-connector
# app.kubernetes.io/instance: wiz-connector
# app.kubernetes.io/version: "2.5"
# app.kubernetes.io/managed-by: Helm
# rules:
# - apiGroups: ["*"]
# resources: ["*"]
# verbs: ["get", "list", "watch"]
---
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: wiz-cluster-reader
labels:
helm.sh/chart: wiz-kubernetes-connector-3.1.1
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: readonly # readonly role created by default in out kubernetes environment
subjects:
- kind: ServiceAccount
name: wiz-cluster-reader
namespace: "wiz"
{{end}}
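Review bot: the commented-out ClusterRole (the `# ---` through `# verbs:` block) is dead text in a rendered manifest; keep the one-line explanation that the cluster's existing `readonly` ClusterRole is bound instead and drop the rest. On substance, binding to `readonly` rather than the vendor role is the better choice, since the vendor rule grants get/list/watch on every resource in every API group, which includes Secrets; please confirm in the PR description that `readonly` does not grant read access to `secrets` either, because that is exactly the capability a cluster-wide reader should not have. Typo in the inline comment on the `roleRef`: `out kubernetes environment` should be `our kubernetes environment`. The binding's subject is ServiceAccount `wiz-cluster-reader` in namespace `wiz`, and job.yaml expects a token Secret named `wiz-cluster-reader-token`, but neither the ServiceAccount nor that Secret appears in the four commits shown; if they are created elsewhere, link it, otherwise the binding is dangling. Style: config-defaults.yaml uses `{{ end }}` while these manifests use `{{end}}`.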
79 changes: 79 additions & 0 deletions cluster/manifests/wiz/connector/deployment.yaml
@@ -0,0 +1,79 @@
{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
---
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/wiz-broker-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: wiz-connector-agent
namespace: "wiz"
labels:
helm.sh/chart: wiz-broker-2.1.0
app.kubernetes.io/name: wiz-broker
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: wiz-broker
app.kubernetes.io/instance: wiz-connector
template:
metadata:
annotations:
rollme: "Cd4Gg"
labels:
helm.sh/chart: wiz-broker-2.1.0
app.kubernetes.io/name: wiz-broker
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
spec:
serviceAccountName: wiz-broker
securityContext:
runAsNonRoot: true
runAsUser: 1000
volumes:
- name: connector-data
secret:
secretName: wiz-connector-connector
items:
- key: connectorData
path: data
containers:
- name: wiz-broker
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5"
imagePullPolicy: Always
volumeMounts:
- name: connector-data
mountPath: /etc/connectorData
readOnly: true
args: [
/etc/connectorData/data
]
env:
- name: LOG_LEVEL
value: info
- name: WIZ_ENV
value:
- name: WIZ_CLIENT_ID
valueFrom:
secretKeyRef:
name: wiz-api-token
key: clientId
- name: WIZ_CLIENT_TOKEN
valueFrom:
secretKeyRef:
name: wiz-api-token
key: clientToken
- name: TARGET_IP
value: kubernetes.default.svc.cluster.local
- name: TARGET_PORT
value: "443"
resources:
null
{{end}}}
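Review bot: `{{end}}}` on the last line has one closing brace too many; the template action is `{{end}}`, and the stray `}` will either break rendering or leak a literal `}` into the YAML stream (the same typo is in job.yaml and role.yaml). Second, `WIZ_ENV` is written as `value:` with nothing after it, which YAML parses as null; the delete Job in job.yaml uses `value: ""` for the same variable, so pick one form (an explicit `""`) and use it everywhere. Third, `resources: null` leaves the broker with no requests or limits, and `imagePullPolicy: Always` together with the mutable tag `wiz-broker:2.5` means a restart may pull a different image than the one reviewed; pinning by digest would make the deployed binary reproducible. The `rollme: "Cd4Gg"` annotation is a value Helm randomises on each render; hardcoded here it is inert and can be dropped. The pod and container security contexts (non-root, UID 1000, `allowPrivilegeEscalation: false`, the connector Secret mounted `readOnly: true`) are a good baseline; `readOnlyRootFilesystem: true` and dropping all capabilities would complete it if the broker tolerates them. Finally, `serviceAccountName: wiz-broker` references a ServiceAccount that is not created in this diff.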
167 changes: 167 additions & 0 deletions cluster/manifests/wiz/connector/job.yaml
@@ -0,0 +1,167 @@
{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
---
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-create-connector.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: wiz-kubernetes-connector-create-connector
namespace: "wiz"
labels:
helm.sh/chart: wiz-kubernetes-connector-3.1.1
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rollme.wizApiTokenHash: ce8124bc1b0fbc0cb5cd47338ca0c7d5f5446d79936e443a201d96b192a7bd65
rollme.proxyHash: 9aa53d69075371b3fa23ebeea2fd2416ea81fb533499d071ca2d576f17c7c886
rollme.brokerHash: 115ba85431eeaf8db3ff2173aee02d16e67df1555d5e1ef74cfa7ac0d812cab2

spec:
ttlSecondsAfterFinished: 60
manualSelector: true
selector:
matchLabels:
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
backoffLimit: 1
template:
metadata:
labels:

helm.sh/chart: wiz-kubernetes-connector-3.1.1
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
spec:
serviceAccountName: wiz-auto-modify-connector
restartPolicy: "Never"
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: wiz-connector-creator
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5"
imagePullPolicy: Always
command:
- "wiz-broker"
args:

- create-kubernetes-connector
- --api-server-endpoint
- "https://kubernetes.default.svc.cluster.local"
- --secrets-namespace
- "default"
- --service-account-token-secret-name
- "wiz-cluster-reader-token"
- --output-secret-name
- "wiz-connector-connector"
- --is-on-prem=true
- --service-type
- "Kubernetes"
- --wait=true
env:
- name: LOG_LEVEL
value: info
- name: WIZ_CLIENT_ID
valueFrom:
secretKeyRef:
name: wiz-api-token
key: clientId
optional: false
- name: WIZ_CLIENT_TOKEN
valueFrom:
secretKeyRef:
name: wiz-api-token
key: clientToken
optional: false
- name: WIZ_ENV
value:
resources:
null
---
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-delete-connector.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: wiz-kubernetes-connector-delete-connector
namespace: "wiz"
labels:
helm.sh/chart: wiz-kubernetes-connector-3.1.1
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rollme.proxyHash: 9aa53d69075371b3fa23ebeea2fd2416ea81fb533499d071ca2d576f17c7c886
rollme.brokerHash: 115ba85431eeaf8db3ff2173aee02d16e67df1555d5e1ef74cfa7ac0d812cab2

spec:
ttlSecondsAfterFinished: 60
manualSelector: true
selector:
matchLabels:
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
backoffLimit: 1
template:
metadata:
labels:

helm.sh/chart: wiz-kubernetes-connector-3.1.1
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
spec:
serviceAccountName: wiz-auto-modify-connector
restartPolicy: "Never"
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: wiz-connector-delete
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5"
imagePullPolicy: Always
command: ["/bin/sh", "-c"]
args:
- >
wiz-broker delete-kubernetes-connector
--input-secrets-namespace
"default"
--input-secret-name
"wiz-connector-connector"
|| true
env:
- name: LOG_LEVEL
value: info
- name: WIZ_CLIENT_ID
valueFrom:
secretKeyRef:
name: wiz-api-token
key: clientId
optional: false
- name: WIZ_CLIENT_TOKEN
valueFrom:
secretKeyRef:
name: wiz-api-token
key: clientToken
optional: false
- name: WIZ_ENV
value: ""
resources:
null
{{end}}}
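Review bot: both Jobs point the broker at namespace `default` for its Secrets (`--secrets-namespace "default"` in the create Job, `--input-secrets-namespace "default"` in the delete Job), while the Jobs themselves, the `wiz-auto-modify-connector` Role and the `wiz-api-token`, `wiz-cluster-reader-token` and `wiz-connector-connector` Secrets all live in namespace `wiz`, and that Role is namespaced; as written the broker will be forbidden from reading or writing those Secrets in `default`, so both flags should be `"wiz"`. Same `{{end}}}` extra brace as in deployment.yaml. The `helm.sh/hook`, `helm.sh/hook-delete-policy` and `rollme.*Hash` annotations are only interpreted by Helm; this repository renders through `.Cluster.ConfigItems`, so nothing will run these Jobs as pre-install/pre-upgrade/pre-delete hooks or recreate them when the hashes change, and the delete Job in particular will never fire on removal; drop the annotations and handle ordering in whatever applies these manifests. `WIZ_ENV` is `value:` (null) in the create Job and `value: ""` in the delete Job; make them consistent. The delete Job wraps the broker call in `/bin/sh -c ... || true`, which hides failures from the Job status; if failure is acceptable there, say why in a comment, otherwise remove the `|| true`. `resources: null` on both containers, as in the Deployment.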
56 changes: 56 additions & 0 deletions cluster/manifests/wiz/connector/role.yaml
@@ -0,0 +1,56 @@
{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
---
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: wiz-auto-modify-connector
namespace: "wiz"
labels:
helm.sh/chart: wiz-kubernetes-connector-3.1.1
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["wiz-connector-connector"]
verbs: ["update", "get"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: [
"wiz-api-token",
"wiz-cluster-reader-token",
]
verbs: ["get"]
---
# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: wiz-auto-modify-connector
namespace: "wiz"
labels:
helm.sh/chart: wiz-kubernetes-connector-3.1.1
app.kubernetes.io/name: wiz-kubernetes-connector
app.kubernetes.io/instance: wiz-connector
app.kubernetes.io/version: "2.5"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: wiz-auto-modify-connector
subjects:
- kind: ServiceAccount
name: wiz-auto-modify-connector
namespace: "wiz"
{{end}}}
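Review bot: `{{end}}}` again carries a stray third brace. The Role itself is tight and correctly scoped (`get`/`update` on the single `wiz-connector-connector` Secret, `get` only on the two input Secrets, no `list`/`watch`, so `resourceNames` genuinely limits what can be read), but it is namespaced to `wiz` while job.yaml sends the broker to namespace `default` for those Secrets; either the Jobs' namespace flags or this Role's namespace must change for the binding to take effect. The `helm.sh/hook*` annotations have no effect outside Helm and should be removed, and the RoleBinding's subject, ServiceAccount `wiz-auto-modify-connector`, is not created anywhere in this diff.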