From e34f0ccbccffda0008c1bffc2c219a86f71afa2f Mon Sep 17 00:00:00 2001
From: Eric Bailey
Date: Wed, 20 Apr 2022 12:33:57 -0500
Subject: [PATCH 1/2] feat(helm): support custom policies with built-in scanner
---
 deploy/helm/Chart.yaml | 2 +-
 deploy/helm/templates/policies.yaml | 9 +++++++++
 deploy/helm/values.yaml | 16 ++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml
index ea3eac276..e132e0500 100644
--- a/deploy/helm/Chart.yaml
+++ b/deploy/helm/Chart.yaml
@@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.4
+version: 0.11.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/deploy/helm/templates/policies.yaml b/deploy/helm/templates/policies.yaml
index ebbb3e8f1..5e1ad038a 100644
--- a/deploy/helm/templates/policies.yaml
+++ b/deploy/helm/templates/policies.yaml
@@ -863,3 +863,12 @@ data: kubernetes.namespace]))\n\n\tres := {\n\t\t\"msg\": msg,\n\t\t\"id\": __rego_metadata__.id,\n\t\t\"title\": __rego_metadata__.title,\n\t\t\"severity\": __rego_metadata__.severity,\n\t\t\"type\": __rego_metadata__.type,\n\t}\n}\n"
+ {{- with .Values.additionalPolicies }}
+ {{- range $key, $val := .library }}
+ library.{{ $key }}: {{ $val | quote }}
+ {{- end }}
+ {{- range $key, $val := .policy }}
+ policy.{{ $key }}.rego: {{ $val.rego | quote }}
+ policy.{{ $key }}.kinds: {{ $val.kinds | quote }}
+ {{- end }}
+ {{- end }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index 41d539b04..f63850f84 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
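Review bot: `policy.{{ $key }}.kinds: {{ $val.kinds | quote }}` renders `""` when a `policy` entry omits `kinds`, so a half-specified policy is written into the ConfigMap instead of the chart failing to render; `required` turns that into a clear install-time error, e.g. `policy.{{ $key }}.kinds: {{ required (printf "additionalPolicies.policy.%s.kinds must be set" $key) $val.kinds | quote }}`, and the `rego` line deserves the same treatment. The `library.{{ $key }}` line also copies the user's key verbatim into the same `data:` map that already holds the chart's built-in libraries, so a key equal to a built-in name — the values.yaml example suggests `kubernetes.rego` and `utils.rego` — would yield a duplicate ConfigMap key, which depending on the YAML parser is either rejected or silently resolved in favour of the user's copy, replacing a library the built-in policies presumably import. That collision case should at least be documented in values.yaml, or the range guarded with a `fail` for reserved names. The enclosing `data:` map starts outside the hunk.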
@@ -476,3 +476,19 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
+
+additionalPolicies:
+ library: {}
+ # kubernetes.rego: |
+ # << REGO >>
+ # utils.rego: |
+ # << REGO >>
+ policy: {}
+ # access_to_host_pid:
+ # rego: |
+ # << REGO >>
+ # kinds: Workload
+ # configmap_with_sensitive_data:
+ # rego: |
+ # << REGO >>
+ # kinds: ConfigMap
From ca46f4cbc7b6b73a701b1a760a73328e53b02380 Mon Sep 17 00:00:00 2001
From: Eric Bailey
Date: Wed, 20 Apr 2022 12:57:01 -0500
Subject: [PATCH 2/2] docs(tutorial): add note about custom policies with Helm chart
---
 .../writing-custom-configuration-audit-policies.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/docs/tutorials/writing-custom-configuration-audit-policies.md b/docs/tutorials/writing-custom-configuration-audit-policies.md
index 0a8ea1311..52ead5ca4 100644
--- a/docs/tutorials/writing-custom-configuration-audit-policies.md
+++ b/docs/tutorials/writing-custom-configuration-audit-policies.md
@@ -134,6 +134,17 @@ data:
 }
 ```
+When using the Helm chart, this can be accomplished as follows:
+
+```yaml
+additionalPolicies:
+ policy:
+ recommended_labels:
+ kinds: "*"
+ rego: |-
+ ...
+```
+
 In this example, to add a new policy, you must define two data entries in the `starboard-policies-config` ConfigMap:
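Review bot: The commented example under `additionalPolicies` never says that each `policy` entry needs both `rego` and `kinds`, although templates/policies.yaml renders a `policy.<name>.kinds` key for every entry, so an entry missing `kinds` ends up in the ConfigMap with an empty value. A comment above `policy: {}` such as `# every entry needs both 'rego' (policy source) and 'kinds' (resource kinds it applies to)` would make that explicit. The example also silently encodes an asymmetry worth spelling out: `library` keys carry their `.rego` suffix themselves (`kubernetes.rego`), whereas `policy` keys must not, because the template appends `.rego` and `.kinds` only for policies.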