feat: add wiz manifests

cluster/config-defaults.yaml

@@ -1194,3 +1194,8 @@ role_sync_controller_enabled: "true"
 {{ else }}
 role_sync_controller_enabled: "false"
 {{ end }}
+
+#Wiz Configs
+wiz_enable_runtime_monitoring_daemonset: "false"
+wiz_adapter_cpu: "300m"
+wiz_adapter_memory: "300Mi"

cluster/manifests/deletions.yaml

@@ -339,3 +339,59 @@ post_apply:
 - name: kube-janitor
   kind: ClusterRoleBinding
 {{- end }}
+{{- if ne .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true" }}
+- name: wiz-sensor
+  kind: ServiceAccount
+  namespace: wiz
+- name: wiz-sensor-apikey
+  kind: Secret
+  namespace: wiz
+# - name: wiz-sensor-imagepullkey
+#   kind : Secret
+#   namespace: wiz
+- name: wiz-sensor
+  kind : DaemonSet
+  namespace: wiz
+- name: wiz-sensor
+  kind : ClusterRole
+  namespace: wiz
+- name: wiz-sensor
+  kind : ClusterRoleBinding
+  namespace: wiz
+- name: wiz-broker
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-cluster-reader
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-connector-connector
+  kind : Secret
+  namespace: wiz
+- name: wiz-cluster-reader-token
+  kind : Secret
+  namespace: wiz
+- name: wiz-api-token
+  kind : Secret
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : Role
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : RoleBinding
+  namespace: wiz
+- name: wiz-kubernetes-connector-create-connector
+  kind : Job
+  namespace: wiz
+- name: wiz-kubernetes-connector-delete-connector
+  kind : Job
+  namespace: wiz
+- name: wiz-connector-agent
+  kind : Deployment
+  namespace: wiz
+- name: wiz-cluster-reader
+  kind : ClusterRoleBinding
+  namespace: wiz
+{{- end }}

cluster/manifests/wiz/001-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wiz

cluster/manifests/wiz/002-connector-serviceaccount.yaml

@@ -0,0 +1,35 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-broker
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-cluster-reader
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+{{end}}

cluster/manifests/wiz/002-sensor-serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-sensor/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wiz-sensor
+  namespace: wiz
+  labels:
+    helm.sh/chart: wiz-sensor-1.0.4760
+    application: "wiz"
+    component: "connector"
+{{end}}

cluster/manifests/wiz/003-connector-clusterrole.yaml

@@ -0,0 +1,20 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wiz-cluster-reader
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name:  readonly # readonly role created by default in out kubernetes environment
+subjects:
+- kind: ServiceAccount
+  name: wiz-cluster-reader
+  namespace: "wiz"
+{{end}}

cluster/manifests/wiz/003-connector-role.yaml

@@ -0,0 +1,43 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["wiz-connector-connector"]
+    verbs: ["update", "get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: 
+      - "wiz-api-token"
+      - "wiz-cluster-reader-token"
+    verbs: ["get"]
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-modify-connector.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name:  wiz-auto-modify-connector
+subjects:
+- kind: ServiceAccount
+  name: wiz-auto-modify-connector
+  namespace: "wiz"
+{{end}}

cluster/manifests/wiz/003-sensor-clusterrole.yaml

@@ -0,0 +1,42 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-sensor/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: wiz-sensor
+  labels:
+    helm.sh/chart: wiz-sensor-1.0.4760
+    application: "wiz"
+    component: "sensor"
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "namespaces", "nodes", "replicationcontrollers", "serviceaccounts"]
+    verbs: ["get", "list", "watch"]
+
+  - apiGroups: ["apps"]
+    resources: ["daemonsets", "replicasets", "deployments", "statefulsets"]
+    verbs: ["get", "list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources: ["cronjobs"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: wiz-sensor/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wiz-sensor
+  labels:
+    helm.sh/chart: wiz-sensor-1.0.4760
+    application: "wiz"
+    component: "sensor"
+subjects:
+- kind: ServiceAccount
+  name: wiz-sensor
+  namespace: wiz
+roleRef:
+  kind: ClusterRole
+  name: wiz-sensor
+  apiGroup: rbac.authorization.k8s.io
+{{end}}

cluster/manifests/wiz/004-connector-secrets.yaml

@@ -0,0 +1,45 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/secret-connector.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wiz-connector-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+type: Opaque
+data:
+  connectorData: "e30="
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wiz-cluster-reader-token
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+  annotations:
+    kubernetes.io/service-account.name: wiz-cluster-reader
+type: kubernetes.io/service-account-token
+---
+# Source: wiz-sensor/templates/apikeysecret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wiz-api-token
+  namespace: wiz
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+type: Opaque
+data:
+  clientId: "{{ .Cluster.ConfigItems.wiz_api_client_id | base64 }}"
+  clientToken: "{{ .Cluster.ConfigItems.wiz_api_client_token | base64 }}"
+{{end}}

cluster/manifests/wiz/004-sensor-secrets.yaml

@@ -0,0 +1,31 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-sensor/templates/apikeysecret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wiz-sensor-apikey
+  namespace: wiz
+  labels:
+    helm.sh/chart: wiz-sensor-1.0.4760
+    application: "wiz"
+    component: "connector"
+type: Opaque
+data:
+  clientId: "{{ .Cluster.ConfigItems.wiz_api_client_id | base64 }}"
+  clientToken: "{{ .Cluster.ConfigItems.wiz_api_client_token | base64 }}"
+# ---
+# # Source: wiz-sensor/templates/imagepullsecret.yaml
+# apiVersion: v1
+# kind: Secret
+# type: kubernetes.io/dockerconfigjson
+# metadata:
+#   name: wiz-sensor-imagepullkey
+#   labels:
+#     helm.sh/chart: wiz-sensor-1.0.4760
+#     application: "wiz"
+#     component: "sensor"
+#   namespace: wiz
+# data:
+#   .dockerconfigjson: "{{ .Cluster.ConfigItems.wiz_sensor_dockerconfigjson }}"
+{{end}}

cluster/manifests/wiz/connector-deployment.yaml

@@ -0,0 +1,77 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/wiz-broker-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wiz-connector-agent
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    application: "wiz"
+    component: "connector"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      application: "wiz"
+      component: "connector"
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: wiz-broker-2.1.0
+        application: "wiz"
+        component: "connector"
+    spec:
+      serviceAccountName: wiz-broker
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      volumes:
+        - name: connector-data
+          secret:
+            secretName: wiz-connector-connector
+            items:
+              - key: connectorData
+                path: data
+      containers:
+        - name: wiz-broker
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+          image: "container-registry-test.zalando.net/secops-systems/wiz-broker:2.5-pr-1-4"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+          - name: connector-data
+            mountPath: /etc/connectorData
+            readOnly: true
+          args:
+            - /etc/connectorData/data
+          env:
+          - name: LOG_LEVEL
+            value: info
+          - name: WIZ_ENV
+            value: 
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientId
+          - name: WIZ_CLIENT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientToken
+          - name: TARGET_IP
+            value: kubernetes.default.svc.cluster.local
+          - name: TARGET_PORT
+            value: "443"
+          resources:
+            limits:
+              cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }} 
+              memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} 
+            requests:
+              cpu: {{ .Cluster.ConfigItems.wiz_adapter_cpu }}
+              memory: {{ .Cluster.ConfigItems.wiz_adapter_memory }} 
+{{end}}