zalando-incubator · vinaythupili · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -1194,3 +1194,8 @@ role_sync_controller_enabled: "true"
 {{ else }}
 role_sync_controller_enabled: "false"
 {{ end }}
+
+#Wiz Configs
+wiz_enable_runtime_monitoring_daemonset: "false"
+wiz_adapter_cpu: "300m"
+wiz_adapter_memory: "300Mi"
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -339,3 +339,59 @@ post_apply:
 - name: kube-janitor
   kind: ClusterRoleBinding
 {{- end }}
+{{- if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+- name: wiz-sensor
+  kind: ServiceAccount
+  namespace: wiz
+- name: wiz-sensor-apikey
+  kind: Secret
+  namespace: wiz
+- name: wiz-sensor-imagepullkey
+  kind : Secret
+  namespace: wiz
+- name: wiz-sensor
+  kind : DaemonSet
+  namespace: wiz
+- name: wiz-sensor
+  kind : ClusterRole
+  namespace: wiz
+- name: wiz-sensor
+  kind : ClusterRoleBinding
+  namespace: wiz
+- name: wiz-broker
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-cluster-reader
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : ServiceAccount
+  namespace: wiz
+- name: wiz-connector-connector
+  kind : Secret
+  namespace: wiz
+- name: wiz-cluster-reader-token
+  kind : Secret
+  namespace: wiz
+- name: wiz-api-token
+  kind : Secret
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : Role
+  namespace: wiz
+- name: wiz-auto-modify-connector
+  kind : RoleBinding
+  namespace: wiz
+- name: wiz-kubernetes-connector-create-connector
+  kind : Job
+  namespace: wiz
+- name: wiz-kubernetes-connector-delete-connector
+  kind : Job
+  namespace: wiz
+- name: wiz-connector-agent
+  kind : Deployment
+  namespace: wiz
+- name: wiz-cluster-reader
+  kind : ClusterRoleBinding
+  namespace: wiz
+{{- end }}
diff --git a/cluster/manifests/wiz/connector/clusterrole.yaml b/cluster/manifests/wiz/connector/clusterrole.yaml
@@ -0,0 +1,39 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+# ---
+# # We are using ClusterRole readonly created by default in the cluster instead of creating new one provided by wiz
+# # Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRole
+# metadata:
+#   name: wiz-cluster-reader
+#   labels:
+#     helm.sh/chart: wiz-kubernetes-connector-3.1.1
+#     app.kubernetes.io/name: wiz-kubernetes-connector
+#     app.kubernetes.io/instance: wiz-connector
+#     app.kubernetes.io/version: "2.5"
+#     app.kubernetes.io/managed-by: Helm
+# rules:
+#   - apiGroups: ["*"]
+#     resources: ["*"]
+#     verbs: ["get", "list", "watch"]
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wiz-cluster-reader
+  labels:
+    helm.sh/chart: wiz-kubernetes-connector-3.1.1
+    app.kubernetes.io/name: wiz-kubernetes-connector
+    app.kubernetes.io/instance: wiz-connector
+    app.kubernetes.io/version: "2.5"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name:  readonly # readonly role created by default in out kubernetes environment
+subjects:
+- kind: ServiceAccount
+  name: wiz-cluster-reader
+  namespace: "wiz"
+{{end}}
diff --git a/cluster/manifests/wiz/connector/deployment.yaml b/cluster/manifests/wiz/connector/deployment.yaml
@@ -0,0 +1,81 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/charts/wiz-broker/templates/wiz-broker-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wiz-connector-agent
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-broker-2.1.0
+    app.kubernetes.io/name: wiz-broker
+    app.kubernetes.io/instance: wiz-connector
+    app.kubernetes.io/version: "2.5"
+    app.kubernetes.io/managed-by: Helm
+    application: "wiz"
+    component: "connector"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wiz-broker
+      app.kubernetes.io/instance: wiz-connector
+  template:
+    metadata:
+      annotations:
+        rollme: "Cd4Gg"
+      labels:
+        helm.sh/chart: wiz-broker-2.1.0
+        app.kubernetes.io/name: wiz-broker
+        app.kubernetes.io/instance: wiz-connector
+        app.kubernetes.io/version: "2.5"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      serviceAccountName: wiz-broker
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      volumes:
+        - name: connector-data
+          secret:
+            secretName: wiz-connector-connector
+            items:
+              - key: connectorData
+                path: data
+      containers:
+        - name: wiz-broker
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+          image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5"
+          imagePullPolicy: Always
+          volumeMounts:
+          - name: connector-data
+            mountPath: /etc/connectorData
+            readOnly: true
+          args: [
+            /etc/connectorData/data
+          ]
+          env:
+          - name: LOG_LEVEL
+            value: info
+          - name: WIZ_ENV
+            value: 
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientId
+          - name: WIZ_CLIENT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientToken
+          - name: TARGET_IP
+            value: kubernetes.default.svc.cluster.local
+          - name: TARGET_PORT
+            value: "443"
+          resources:
+            null
+{{end}}
diff --git a/cluster/manifests/wiz/connector/job.yaml b/cluster/manifests/wiz/connector/job.yaml
@@ -0,0 +1,171 @@
+{{ if eq .Cluster.ConfigItems.wiz_enable_runtime_monitoring_daemonset "true"}}
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-create-connector.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: wiz-kubernetes-connector-create-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-kubernetes-connector-3.1.1
+    app.kubernetes.io/name: wiz-kubernetes-connector
+    app.kubernetes.io/instance: wiz-connector
+    app.kubernetes.io/version: "2.5"
+    app.kubernetes.io/managed-by: Helm
+    application: "wiz"
+    component: "connector"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 
+    rollme.wizApiTokenHash: ce8124bc1b0fbc0cb5cd47338ca0c7d5f5446d79936e443a201d96b192a7bd65
+    rollme.proxyHash: 9aa53d69075371b3fa23ebeea2fd2416ea81fb533499d071ca2d576f17c7c886
+    rollme.brokerHash: 115ba85431eeaf8db3ff2173aee02d16e67df1555d5e1ef74cfa7ac0d812cab2   
+
+spec:
+  ttlSecondsAfterFinished: 60
+  manualSelector: true
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wiz-kubernetes-connector
+      app.kubernetes.io/instance: wiz-connector
+  backoffLimit: 1
+  template:
+    metadata:
+      labels:
+
+        helm.sh/chart: wiz-kubernetes-connector-3.1.1
+        app.kubernetes.io/name: wiz-kubernetes-connector
+        app.kubernetes.io/instance: wiz-connector
+        app.kubernetes.io/version: "2.5"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      serviceAccountName: wiz-auto-modify-connector
+      restartPolicy: "Never"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+        - name: wiz-connector-creator
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+          image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5"
+          imagePullPolicy: Always
+          command:
+            - "wiz-broker"
+          args:
+
+            - create-kubernetes-connector
+            - --api-server-endpoint
+            - "https://kubernetes.default.svc.cluster.local"
+            - --secrets-namespace
+            - "wiz"
+            - --service-account-token-secret-name
+            - "wiz-cluster-reader-token"
+            - --output-secret-name
+            - "wiz-connector-connector"
+            - --is-on-prem=true
+            - --service-type
+            - "Kubernetes"
+            - --wait=true
+          env:
+          - name: LOG_LEVEL
+            value: info
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientId
+                optional: false
+          - name: WIZ_CLIENT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientToken
+                optional: false
+          - name: WIZ_ENV
+            value: 
+          resources:
+            null
+---
+# Source: wiz-kubernetes-integration/charts/wiz-kubernetes-connector/templates/job-delete-connector.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: wiz-kubernetes-connector-delete-connector
+  namespace: "wiz"
+  labels:
+    helm.sh/chart: wiz-kubernetes-connector-3.1.1
+    app.kubernetes.io/name: wiz-kubernetes-connector
+    app.kubernetes.io/instance: wiz-connector
+    app.kubernetes.io/version: "2.5"
+    app.kubernetes.io/managed-by: Helm
+    application: "wiz"
+    component: "connector"
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    rollme.proxyHash: 9aa53d69075371b3fa23ebeea2fd2416ea81fb533499d071ca2d576f17c7c886
+    rollme.brokerHash: 115ba85431eeaf8db3ff2173aee02d16e67df1555d5e1ef74cfa7ac0d812cab2 
+
+spec:
+  ttlSecondsAfterFinished: 60
+  manualSelector: true
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wiz-kubernetes-connector
+      app.kubernetes.io/instance: wiz-connector
+  backoffLimit: 1
+  template:
+    metadata:
+      labels:
+
+        helm.sh/chart: wiz-kubernetes-connector-3.1.1
+        app.kubernetes.io/name: wiz-kubernetes-connector
+        app.kubernetes.io/instance: wiz-connector
+        app.kubernetes.io/version: "2.5"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      serviceAccountName: wiz-auto-modify-connector
+      restartPolicy: "Never"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+        - name: wiz-connector-delete
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+          image: "wiziopublic.azurecr.io/wiz-app/wiz-broker:2.5"
+          imagePullPolicy: Always
+          command: ["/bin/sh", "-c"]
+          args:
+            - >
+              wiz-broker delete-kubernetes-connector 
+              --input-secrets-namespace 
+              "default" 
+              --input-secret-name 
+              "wiz-connector-connector" 
+              || true
+          env:
+          - name: LOG_LEVEL
+            value: info
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientId
+                optional: false
+          - name: WIZ_CLIENT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: wiz-api-token
+                key: clientToken
+                optional: false
+          - name: WIZ_ENV
+            value: ""
+          resources:
+            null
+{{end}}