Feat/portscan exporter (#4)

* Add portscan-exporter chart * Minor bugfixes * minor bugfixes * update image tag * version bump * add psp * update version * add * fix
nce · Sep 29, 2022 · 4c80d9d · 4c80d9d
1 parent 467022e
commit 4c80d9d
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 23 deletions.
diff --git a/charts/portscan-exporter/Chart.yaml b/charts/portscan-exporter/Chart.yaml
@@ -17,4 +17,4 @@ maintainers:
 name: portscan-exporter
 sources:
   - https://github.con/nce/xxx
-version: 0.1.2
+version: 0.2.0
diff --git a/charts/portscan-exporter/README.md b/charts/portscan-exporter/README.md
@@ -1,6 +1,6 @@
 # portscan-exporter
 
-![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
 
 Port-Scanner is prometheus exporter and portscannig solution
 
@@ -25,7 +25,7 @@ Port-Scanner is prometheus exporter and portscannig solution
 | metrics.serviceMonitor | object | `{"annotations":{},"enabled":false,"honorLabels":false,"interval":"","jobLabel":"","labels":{},"metricRelabelings":[],"namespace":"","relabelings":[],"scrapeTimeout":"","selector":{}}` | If the kube-prometheus stack is used, configure the `serviceMonitor` |
 | portscan.containerPorts | object | `{"health":12000,"metrics":10000}` | Ports the container exposes |
 | portscan.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"enabled":true}` | SecurityContext enforced on the container |
-| portscan.extraEnvVars | list | `[{"name":"RATELIMIT","value":"35"},{"name":"LOGLEVEL","value":"DEBUG"}]` | Refer to xxx for ENV options (`./portscan-exporter -h`) |
+| portscan.extraEnvVars | list | `[{"name":"RATELIMIT","value":"70"},{"name":"LOGLEVEL","value":"DEBUG"}]` | Refer to xxx for ENV options (`./portscan-exporter -h`) |
 | portscan.image.pullPolicy | string | `"IfNotPresent"` | As we set the `tag` to git commits, `IfNotPresent` should be okay |
 | portscan.image.pullSecrets | list | `[]` | https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
 | portscan.image.registry | string | `"ghcr.io"` |  |
@@ -40,7 +40,8 @@ Port-Scanner is prometheus exporter and portscannig solution
 | portscan.resources.limits.memory | string | `"3Gi"` | memory limit of the scanner |
 | portscan.resources.requests.cpu | int | `2` | cpu requests of the scanner |
 | portscan.resources.requests.memory | string | `"2Gi"` | memory requests of the scanner |
-| rbac | object | `{"create":true}` | Along the `serviceAccount` we need special ClusterRoles |
+| rbac.create | bool | `true` | Along the `serviceAccount` we need special ClusterRoles |
+| rbac.pspEnabled | bool | `true` | Using PSPs creates Role/Rolebindings |
 | service | object | `{"ports":{"metrics":10000},"type":"ClusterIP"}` | Service Configuration for the endpoints |
 | service.ports | object | `{"metrics":10000}` | Portname to portnumber configuration |
 | serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":"portscanner"}` | A dedicated serviceAccount is best practice for the application |

diff --git a/charts/portscan-exporter/templates/clusterrole.yaml b/charts/portscan-exporter/templates/clusterrole.yaml
@@ -0,0 +1,22 @@
+{{ if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "portscan.fullname" . }}
+  namespace: {{ include "portscan.namespace" . | quote }}
+  labels: {{- include "portscan.labels" . | nindent 4 }}
+    app.kubernetes.io/component: portscan
+    {{- if .Values.commonLabels }}
+    {{- include "portscan.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "portscan.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+  {{- if .Values.rbac.rules }}
+  {{- include "portscan.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/portscan-exporter/templates/podsecuritypolicy.yaml b/charts/portscan-exporter/templates/podsecuritypolicy.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "portscan.fullname" . }}
+  labels:
+    {{- include "portscan.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes: []
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 65534
+        max: 65534
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 65534
+        max: 65534
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+    - ALL
+{{- end }}
diff --git a/charts/portscan-exporter/templates/role.yaml b/charts/portscan-exporter/templates/role.yaml
@@ -1,22 +1,18 @@
-{{ if .Values.rbac.create }}
-kind: ClusterRole
+{{- if .Values.rbac.pspEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
-  name: {{ include "portscan.fullname" . }}
+  name: {{ template "portscan.fullname" . }}
   namespace: {{ include "portscan.namespace" . | quote }}
-  labels: {{- include "portscan.labels" . | nindent 4 }}
-    app.kubernetes.io/component: portscan
-    {{- if .Values.commonLabels }}
-    {{- include "portscan.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
-    {{- end }}
-  {{- if .Values.commonAnnotations }}
-  annotations: {{- include "portscan.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
-  {{- end }}
+  labels:
+    {{- include "portscan.labels" . | nindent 4 }}
 rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list"]
-  {{- if .Values.rbac.rules }}
-  {{- include "portscan.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
-  {{- end }}
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+    resourceNames:
+      - {{ template "portscan.fullname" . }}
 {{- end }}
diff --git a/charts/portscan-exporter/templates/rolebinding.yaml b/charts/portscan-exporter/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "portscan.fullname" . }}
+  labels:
+    {{- include "portscan.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "portscan.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "portscan.serviceAccountName" . }}
+    namespace: {{ include "portscan.namespace" . | quote }}
+{{- end }}
diff --git a/charts/portscan-exporter/values.yaml b/charts/portscan-exporter/values.yaml
@@ -46,7 +46,7 @@ portscan:
   # -- Refer to xxx for ENV options (`./portscan-exporter -h`)
   extraEnvVars:
     - name: RATELIMIT
-      value: "35"
+      value: "70"
     - name: LOGLEVEL
       value: "DEBUG"
 
@@ -134,9 +134,11 @@ metrics:
     ##
     selector: {}
 
-# -- Along the `serviceAccount` we need special ClusterRoles
 rbac:
+  # -- Along the `serviceAccount` we need special ClusterRoles
   create: true
+  # -- Using PSPs creates Role/Rolebindings
+  pspEnabled: true
 
 # -- Service Configuration for the endpoints
 service: