Merge pull request #44 from octarinesec/runtime-crd

Runtime crd
octarinesec · Jun 17, 2021 · b71babf · b71babf
2 parents c73e307 + 5818d31
commit b71babf
Show file tree

Hide file tree

Showing 54 changed files with 2,962 additions and 471 deletions.
diff --git a/PROJECT b/PROJECT
@@ -1,25 +1,30 @@
 domain: operator.containers.carbonblack.io
 layout: go.kubebuilder.io/v3
+plugins:
+  manifests.sdk.operatorframework.io/v2: {}
+  scorecard.sdk.operatorframework.io/v2: {}
 projectName: cbcontainers
 repo: github.com/vmware/cbcontainers-operator
 resources:
 - api:
     crdVersion: v1beta1
   controller: true
   domain: operator.containers.carbonblack.io
-  group: 
   kind: CBContainersCluster
   path: github.com/vmware/cbcontainers-operator/api/v1
   version: v1
 - api:
     crdVersion: v1beta1
   controller: true
   domain: operator.containers.carbonblack.io
-  group: 
   kind: CBContainersHardening
   path: github.com/vmware/cbcontainers-operator/api/v1
   version: v1
+- api:
+    crdVersion: v1beta1
+  controller: true
+  domain: operator.containers.carbonblack.io
+  kind: CBContainersRuntime
+  path: github.com/vmware/cbcontainers-operator/api/v1
+  version: v1
 version: "3"
-plugins:
-  manifests.sdk.operatorframework.io/v2: {}
-  scorecard.sdk.operatorframework.io/v2: {}
diff --git a/README.md b/README.md
@@ -78,7 +78,7 @@ the State Reporter components that are responsible for reporting the cluster sta
 
 * Notice that without the first CR, the Hardening components won't be able to work. 
 
-```sh
+```yaml
 apiVersion: operator.containers.carbonblack.io/v1
 kind: CBContainersHardening
 metadata:
@@ -89,6 +89,11 @@ spec:
     host: {EVENTS_HOST}
 ```
 
+#### 2.3 Apply the Carbon Black Container Runtime CR
+<u>cbcontainersruntimes.operator.containers.carbonblack.io</u>
+
+TODO
+
 ### Uninstalling the Carbon Black Cloud Container Operator
 ```sh
 make undeploy
@@ -106,7 +111,7 @@ You can create a ClusterRole and bind it with ClusterRoleBinding to the service
 If you don't have such cluster role & cluster role binding configured, you can use the following:
 
 Cluster Role:
-```sh
+```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -115,7 +120,7 @@ rules:
 - nonResourceURLs:
     - /metrics
       verbs:
-    - get
+      - get
 ```
 
 Cluster Role binding creation:
@@ -127,7 +132,7 @@ kubectl create clusterrolebinding metrics --clusterrole=cbcontainers-metrics-rea
 
 Use the following ServiceMonitor to start scraping metrics from the CBContainers operator:
 * Make sure that your Prometheus custom resource service monitor selectors match it. 
-```
+```yaml
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -160,7 +165,7 @@ kubectl set env -n cbcontainers-dataplane deployment cbcontainers-operator HTTP_
 In order to configure those environment variables for the Hardening Enforcer and the Hardening State Reporter components,
 update the Hardening CR using the proxy environment variables:
 
-```sh
+```yaml
 spec:
   enforcerSpec:
     env:

diff --git a/api/v1/cbcontainerscluster_types.go b/api/v1/cbcontainerscluster_types.go
@@ -25,28 +25,10 @@ import (
 
 // CBContainersClusterSpec defines the desired state of CBContainersCluster
 type CBContainersClusterSpec struct {
-	Account           string                               `json:"account,required"`
-	ClusterName       string                               `json:"clusterName,required"`
-	ApiGatewaySpec    CBContainersClusterApiGatewaySpec    `json:"apiGatewaySpec,required"`
-	EventsGatewaySpec CBContainersClusterEventsGatewaySpec `json:"eventsGatewaySpec,required"`
-}
-
-type CBContainersClusterEventsGatewaySpec struct {
-	Host string `json:"host,required"`
-	// +kubebuilder:default:=443
-	Port int `json:"port,omitempty"`
-}
-
-type CBContainersClusterApiGatewaySpec struct {
-	// +kubebuilder:default:="https"
-	Scheme string `json:"scheme,omitempty"`
-	Host   string `json:"host,required"`
-	// +kubebuilder:default:=443
-	Port int `json:"port,omitempty"`
-	// +kubebuilder:default:="containers"
-	Adapter string `json:"adapter,omitempty"`
-	// +kubebuilder:default:="cbcontainers-access-token"
-	AccessTokenSecretName string `json:"accessTokenSecretName,omitempty"`
+	Account           string                        `json:"account,required"`
+	ClusterName       string                        `json:"clusterName,required"`
+	ApiGatewaySpec    CBContainersApiGatewaySpec    `json:"apiGatewaySpec,required"`
+	EventsGatewaySpec CBContainersEventsGatewaySpec `json:"eventsGatewaySpec,required"`
 }
 
 // CBContainersClusterStatus defines the observed state of CBContainersCluster

diff --git a/api/v1/cbcontainershardening_types.go b/api/v1/cbcontainershardening_types.go
@@ -24,50 +24,15 @@ import (
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
-type CBContainersHardeningProbesSpec struct {
-	// +kubebuilder:default:="/ready"
-	ReadinessPath string `json:"readinessPath,omitempty"`
-	// +kubebuilder:default:="/alive"
-	LivenessPath string `json:"livenessPath,omitempty"`
-	// +kubebuilder:default:=8181
-	Port int `json:"port,omitempty"`
-	// +kubebuilder:default:="HTTP"
-	Scheme coreV1.URIScheme `json:"scheme,omitempty"`
-	// +kubebuilder:default:=3
-	InitialDelaySeconds int32 `json:"initialDelaySeconds,omitempty"`
-	// +kubebuilder:default:=1
-	TimeoutSeconds int32 `json:"timeoutSeconds,omitempty"`
-	// +kubebuilder:default:=30
-	PeriodSeconds int32 `json:"periodSeconds,omitempty"`
-	// +kubebuilder:default:=1
-	SuccessThreshold int32 `json:"successThreshold,omitempty"`
-	// +kubebuilder:default:=3
-	FailureThreshold int32 `json:"failureThreshold,omitempty"`
-}
-
-type CBContainersHardeningPrometheusSpec struct {
-	// +kubebuilder:default:=false
-	Enabled *bool `json:"enabled,omitempty"`
-	// +kubebuilder:default:=7071
-	Port int `json:"port,omitempty"`
-}
-
-type CBContainersHardeningImageSpec struct {
-	Repository string `json:"repository,omitempty"`
-	Tag        string `json:"tag,omitempty"`
-	// +kubebuilder:default:="Always"
-	PullPolicy coreV1.PullPolicy `json:"pullPolicy,omitempty"`
-}
-
 type CBContainersHardeningSpec struct {
-	Version string `json:"version,required"`
+	Version           string                        `json:"version,required"`
+	EventsGatewaySpec CBContainersEventsGatewaySpec `json:"eventsGatewaySpec,required"`
 	// +kubebuilder:default:="cbcontainers-access-token"
 	AccessTokenSecretName string `json:"accessTokenSecretName,omitempty"`
 	// +kubebuilder:default:=<>
 	EnforcerSpec CBContainersHardeningEnforcerSpec `json:"enforcerSpec,omitempty"`
 	// +kubebuilder:default:=<>
 	StateReporterSpec CBContainersHardeningStateReporterSpec `json:"stateReporterSpec,omitempty"`
-	EventsGatewaySpec CBContainersHardeningEventsGatewaySpec `json:"eventsGatewaySpec,required"`
 }
 
 type CBContainersHardeningStateReporterSpec struct {
@@ -78,19 +43,13 @@ type CBContainersHardeningStateReporterSpec struct {
 	// +kubebuilder:default:=<>
 	PodTemplateAnnotations map[string]string `json:"podTemplateAnnotations,omitempty"`
 	// +kubebuilder:default:={repository:"cbartifactory/guardrails-state-reporter"}
-	Image CBContainersHardeningImageSpec `json:"image,omitempty"`
+	Image CBContainersImageSpec `json:"image,omitempty"`
 	// +kubebuilder:default:=<>
 	Env map[string]string `json:"env,omitempty"`
 	// +kubebuilder:default:={requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
 	Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
 	// +kubebuilder:default:=<>
-	Probes CBContainersHardeningProbesSpec `json:"probes,omitempty"`
-}
-
-type CBContainersHardeningEventsGatewaySpec struct {
-	Host string `json:"host,required"`
-	// +kubebuilder:default:=443
-	Port int `json:"port,omitempty"`
+	Probes CBContainersHTTPProbesSpec `json:"probes,omitempty"`
 }
 
 type CBContainersHardeningEnforcerSpec struct {
@@ -105,13 +64,13 @@ type CBContainersHardeningEnforcerSpec struct {
 	// +kubebuilder:default:=<>
 	Env map[string]string `json:"env,omitempty"`
 	// +kubebuilder:default:=<>
-	Prometheus CBContainersHardeningPrometheusSpec `json:"prometheus,omitempty"`
+	Prometheus CBContainersPrometheusSpec `json:"prometheus,omitempty"`
 	// +kubebuilder:default:={repository:"cbartifactory/guardrails-enforcer"}
-	Image CBContainersHardeningImageSpec `json:"image,omitempty"`
+	Image CBContainersImageSpec `json:"image,omitempty"`
 	// +kubebuilder:default:={requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
 	Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
 	// +kubebuilder:default:=<>
-	Probes CBContainersHardeningProbesSpec `json:"probes,omitempty"`
+	Probes CBContainersHTTPProbesSpec `json:"probes,omitempty"`
 	// +kubebuilder:default:=5
 	WebhookTimeoutSeconds int32 `json:"webhookTimeoutSeconds,omitempty"`
 }

diff --git a/api/v1/cbcontainersruntime_types.go b/api/v1/cbcontainersruntime_types.go
@@ -0,0 +1,110 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	coreV1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type CBContainersRuntimeResolverSpec struct {
+	EventsGatewaySpec CBContainersEventsGatewaySpec `json:"eventsGatewaySpec,required"`
+	// +kubebuilder:default:=<>
+	Labels map[string]string `json:"labels,omitempty"`
+	// +kubebuilder:default:=<>
+	DeploymentAnnotations map[string]string `json:"deploymentAnnotations,omitempty"`
+	// +kubebuilder:default:={prometheus.io/scrape: "false", prometheus.io/port: "7071"}
+	PodTemplateAnnotations map[string]string `json:"podTemplateAnnotations,omitempty"`
+	// +kubebuilder:default:=1
+	ReplicasCount *int32 `json:"replicasCount,omitempty"`
+	// +kubebuilder:default:=<>
+	Env map[string]string `json:"env,omitempty"`
+	// +kubebuilder:default:={repository:"cbartifactory/runtime-kubernetes-resolver"}
+	Image CBContainersImageSpec `json:"image,omitempty"`
+	// +kubebuilder:default:={requests: {memory: "64Mi", cpu: "200m"}, limits: {memory: "128Mi", cpu: "600m"}}
+	Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
+	// +kubebuilder:default:=<>
+	Probes CBContainersHTTPProbesSpec `json:"probes,omitempty"`
+	// +kubebuilder:default:=<>
+	Prometheus CBContainersPrometheusSpec `json:"prometheus,omitempty"`
+}
+
+type CBContainersRuntimeSensorSpec struct {
+	// +kubebuilder:default:=<>
+	Labels map[string]string `json:"labels,omitempty"`
+	// +kubebuilder:default:=<>
+	DaemonSetAnnotations map[string]string `json:"daemonSetAnnotations,omitempty"`
+	// +kubebuilder:default:={prometheus.io/scrape: "false", prometheus.io/port: "7071"}
+	PodTemplateAnnotations map[string]string `json:"podTemplateAnnotations,omitempty"`
+	// +kubebuilder:default:=<>
+	Env map[string]string `json:"env,omitempty"`
+	// +kubebuilder:default:={repository:"cbartifactory/runtime-kubernetes-sensor"}
+	Image CBContainersImageSpec `json:"image,omitempty"`
+	// +kubebuilder:default:={requests: {memory: "1Gi", cpu: "400m"}, limits: {memory: "2Gi", cpu: "1"}}
+	Resources coreV1.ResourceRequirements `json:"resources,omitempty"`
+	// +kubebuilder:default:=<>
+	Probes CBContainersFileProbesSpec `json:"probes,omitempty"`
+	// +kubebuilder:default:=<>
+	Prometheus CBContainersPrometheusSpec `json:"prometheus,omitempty"`
+	// +kubebuilder:default:=2
+	VerbosityLevel *int `json:"verbosity_level,omitempty"`
+}
+
+// CBContainersRuntimeSpec defines the desired state of CBContainersRuntime
+type CBContainersRuntimeSpec struct {
+	Version string `json:"version,required"`
+	// +kubebuilder:default:="cbcontainers-access-token"
+	AccessTokenSecretName string `json:"accessTokenSecretName,omitempty"`
+	// +kubebuilder:default:=<>
+	ResolverSpec CBContainersRuntimeResolverSpec `json:"resolverSpec,omitempty"`
+	// +kubebuilder:default:=<>
+	SensorSpec CBContainersRuntimeSensorSpec `json:"sensorSpec,omitempty"`
+	// +kubebuilder:default:=443
+	InternalGrpcPort int32 `json:"internalGrpcPort,omitempty"`
+}
+
+// CBContainersRuntimeStatus defines the observed state of CBContainersRuntime
+type CBContainersRuntimeStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster
+
+// CBContainersRuntime is the Schema for the cbcontainersruntimes API
+type CBContainersRuntime struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   CBContainersRuntimeSpec   `json:"spec,omitempty"`
+	Status CBContainersRuntimeStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// CBContainersRuntimeList contains a list of CBContainersRuntime
+type CBContainersRuntimeList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CBContainersRuntime `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&CBContainersRuntime{}, &CBContainersRuntimeList{})
+}
diff --git a/api/v1/gateway_types.go b/api/v1/gateway_types.go
@@ -0,0 +1,19 @@
+package v1
+
+type CBContainersEventsGatewaySpec struct {
+	Host string `json:"host,required"`
+	// +kubebuilder:default:=443
+	Port int `json:"port,omitempty"`
+}
+
+type CBContainersApiGatewaySpec struct {
+	Host string `json:"host,required"`
+	// +kubebuilder:default:="https"
+	Scheme string `json:"scheme,omitempty"`
+	// +kubebuilder:default:=443
+	Port int `json:"port,omitempty"`
+	// +kubebuilder:default:="containers"
+	Adapter string `json:"adapter,omitempty"`
+	// +kubebuilder:default:="cbcontainers-access-token"
+	AccessTokenSecretName string `json:"accessTokenSecretName,omitempty"`
+}
diff --git a/api/v1/image_types.go b/api/v1/image_types.go
@@ -0,0 +1,12 @@
+package v1
+
+import (
+	coreV1 "k8s.io/api/core/v1"
+)
+
+type CBContainersImageSpec struct {
+	Repository string `json:"repository,omitempty"`
+	Tag        string `json:"tag,omitempty"`
+	// +kubebuilder:default:="Always"
+	PullPolicy coreV1.PullPolicy `json:"pullPolicy,omitempty"`
+}
diff --git a/api/v1/metrics_types.go b/api/v1/metrics_types.go
@@ -0,0 +1,8 @@
+package v1
+
+type CBContainersPrometheusSpec struct {
+	// +kubebuilder:default:=false
+	Enabled *bool `json:"enabled,omitempty"`
+	// +kubebuilder:default:=7071
+	Port int `json:"port,omitempty"`
+}