feat: add wiz manifests #8679
feat: add wiz manifests #8679
Conversation
|
👍 |
zaklawrencea
added
major
|
We should also populate the deletions.yaml. Otherwise, the ConfigItem cannot be used to turn it off again. |
updated 👍 |
Signed-off-by: Katyanna Moura <[email protected]>
Trigger deletions when daemonset is disabled. Co-authored-by: Zak Lawrence A <[email protected]>
| @@ -1202,3 +1202,12 @@ role_sync_controller_enabled: "true" | |||
| {{ else }} | |||
| role_sync_controller_enabled: "false" | |||
| {{ end }} | |||
|
|
|||
| #Wiz Configs | |||
| wiz_enable_runtime_sensor: "false" | |||
There was a problem hiding this comment.
please describe with 1-2 lines in a comment what these configs do. See how we do it in the rest of this file.
memory/cpu config-items don't need much description, those are obvious, but the others e.g. like wiz_node_feature_rollout does need a bit of description how to use it.
| - name: wiz-sensor | ||
| kind : ClusterRoleBinding | ||
| namespace: wiz | ||
| {{- end }} |
There was a problem hiding this comment.
If both runtime_sensor and runtime_connector are false, then it should also delete the wiz namespace as a last step.
| selector: | ||
| matchLabels: | ||
| application: "wiz" | ||
| component: "sensor" |
There was a problem hiding this comment.
please use daemonset: wiz-sensor as the only label selector here. This is how we do it for all other daemonsets/deployments in this repo and it allows easier change of application/component labels if ever needed in the future.
| selector: | ||
| matchLabels: | ||
| application: "wiz" | ||
| component: "connector" |
There was a problem hiding this comment.
please use deployment: wiz-connector-agent as the only label selector here. This is how we do it for all other daemonsets/deployments in this repo and it allows easier change of application/component labels if ever needed in the future.
| node-feature.zalando.org/wiz: enabled | ||
| {{ else }} | ||
| node.kubernetes.io/role: worker | ||
| {{ end }} |
There was a problem hiding this comment.
This should not be node-feature.zalando.org/wiz: enabled or node.kubernetes.io/role: worker. It should always select nodes with node.kubernetes.io/role: worker and optionally it should limit this futher to nodes with: node-feature.zalando.org/wiz: enabled
E.g. you want this:
nodeSelector:
{{ if eq .Cluster.ConfigItems.wiz_node_feature_rollout "true" }}
node-feature.zalando.org/wiz: enabled
{{ end }}
node.kubernetes.io/role: worker
| cluster-autoscaler.kubernetes.io/enable-ds-eviction: "true" | ||
| node-ready.cluster.zalando.org/exclude: "true" | ||
| spec: | ||
| serviceAccountName: wiz-sensor |
There was a problem hiding this comment.
This service account should be added to the privileged list here:
kubernetes-on-aws/cluster/manifests/01-admission-control/config.yaml
Lines 95 to 113 in 5f4fdd5
it should ofc. only be added if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true"
This was currently set per cluster via: teapot_admission_controller_pod_security_policy_privileged_service_accounts but it makes more sense to make it a condition of the wiz_enable_runtime_sensor: true|false config-item.
| - IPC_LOCK # eBPF | ||
| - FOWNER # file hashing | ||
| - SYS_PTRACE # eBPF | ||
| - SYSLOG # kernel symbol resolve |
There was a problem hiding this comment.
These capabilities should be enabled conditionally here:
kubernetes-on-aws/cluster/manifests/01-admission-control/config.yaml
Lines 119 to 136 in 5f4fdd5
(Those that are not already mentioned in the list)
| - name: tmp-store | ||
| emptyDir: | ||
| sizeLimit: "100Mi" | ||
| medium: "Memory" |
There was a problem hiding this comment.
Note that this memory volume will contribute to the memory limit of the pod. Would be good to understand with wiz if this must be memory backed or could be backed by disk and thereby allow to potentially lower the memory request/limit of daemonset pod.
-- add wiz manifests