diff --git a/.templates/new-scanner/README.md b/.templates/new-scanner/README.md index 1cd1f8a0b9..1cad837946 100644 --- a/.templates/new-scanner/README.md +++ b/.templates/new-scanner/README.md @@ -60,13 +60,16 @@ Please include any extra Helm chart configurations that can be useful. | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/scanner-new-scanner"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -83,6 +86,7 @@ Please include any extra Helm chart configurations that can be useful. | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/.templates/new-scanner/templates/new-scanner-parse-definition.yaml b/.templates/new-scanner/templates/new-scanner-parse-definition.yaml index 2e9a3dc630..ea583b3c71 100644 --- a/.templates/new-scanner/templates/new-scanner-parse-definition.yaml +++ b/.templates/new-scanner/templates/new-scanner-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/.templates/new-scanner/templates/new-scanner-scan-type.yaml b/.templates/new-scanner/templates/new-scanner-scan-type.yaml index bcc15a1c2c..c11a1ca4eb 100644 --- a/.templates/new-scanner/templates/new-scanner-scan-type.yaml +++ b/.templates/new-scanner/templates/new-scanner-scan-type.yaml @@ -19,9 +19,14 @@ spec: {{- if .Values.scanner.activeDeadlineSeconds }} activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }} {{- end }} + template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: new-scanner image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/.templates/new-scanner/values.yaml b/.templates/new-scanner/values.yaml index ef7e16fd64..f8f9a88ef1 100644 --- a/.templates/new-scanner/values.yaml +++ b/.templates/new-scanner/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/hooks/cascading-scans/README.md b/hooks/cascading-scans/README.md index b6f23872af..c600cd549e 100644 --- a/hooks/cascading-scans/README.md +++ b/hooks/cascading-scans/README.md @@ -160,10 +160,12 @@ zap-http zap-baseline-scan non-invasive medium | Key | Type | Default | Description | |-----|------|---------|-------------| +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-cascading-scans"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/hooks/cascading-scans/docs/README.ArtifactHub.md b/hooks/cascading-scans/docs/README.ArtifactHub.md index 554277257c..cdf96d3ccf 100644 --- a/hooks/cascading-scans/docs/README.ArtifactHub.md +++ b/hooks/cascading-scans/docs/README.ArtifactHub.md @@ -168,10 +168,12 @@ zap-http zap-baseline-scan non-invasive medium | Key | Type | Default | Description | |-----|------|---------|-------------| +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-cascading-scans"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/hooks/cascading-scans/templates/cascading-scans-hook.yaml b/hooks/cascading-scans/templates/cascading-scans-hook.yaml index 36f98a826c..4b19ab50d1 100644 --- a/hooks/cascading-scans/templates/cascading-scans-hook.yaml +++ b/hooks/cascading-scans/templates/cascading-scans-hook.yaml @@ -20,3 +20,7 @@ spec: - name: "securecodebox" ttlSecondsAfterFinished: {{ .Values.hook.ttlSecondsAfterFinished }} serviceAccountName: cascading-scans + affinity: + {{- toYaml .Values.hook.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.hook.tolerations | nindent 4 }} diff --git a/hooks/cascading-scans/values.yaml b/hooks/cascading-scans/values.yaml index 63e7370d54..f0d9a62ef6 100644 --- a/hooks/cascading-scans/values.yaml +++ b/hooks/cascading-scans/values.yaml @@ -22,3 +22,9 @@ hook: # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null + + # hook.affinity -- Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # hook.tolerations -- Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] diff --git a/hooks/finding-post-processing/README.md b/hooks/finding-post-processing/README.md index b76148a523..d1857839fc 100644 --- a/hooks/finding-post-processing/README.md +++ b/hooks/finding-post-processing/README.md @@ -87,10 +87,12 @@ The `override` field specifies the desired fields and values that need to be upd | Key | Type | Default | Description | |-----|------|---------|-------------| +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-finding-post-processing"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | rules | list | `[]` | | diff --git a/hooks/finding-post-processing/docs/README.ArtifactHub.md b/hooks/finding-post-processing/docs/README.ArtifactHub.md index 94f0941fcf..ff8de82054 100644 --- a/hooks/finding-post-processing/docs/README.ArtifactHub.md +++ b/hooks/finding-post-processing/docs/README.ArtifactHub.md @@ -95,10 +95,12 @@ The `override` field specifies the desired fields and values that need to be upd | Key | Type | Default | Description | |-----|------|---------|-------------| +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-finding-post-processing"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | rules | list | `[]` | | diff --git a/hooks/finding-post-processing/templates/finding-post-processing-hook.yaml b/hooks/finding-post-processing/templates/finding-post-processing-hook.yaml index ece9da3c77..801909a179 100644 --- a/hooks/finding-post-processing/templates/finding-post-processing-hook.yaml +++ b/hooks/finding-post-processing/templates/finding-post-processing-hook.yaml @@ -19,3 +19,7 @@ spec: env: - name: RULES value: {{ .Values.rules | toJson | quote }} + affinity: + {{- toYaml .Values.hook.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.hook.tolerations | nindent 4 }} diff --git a/hooks/finding-post-processing/values.yaml b/hooks/finding-post-processing/values.yaml index ba87d2544d..6568150391 100644 --- a/hooks/finding-post-processing/values.yaml +++ b/hooks/finding-post-processing/values.yaml @@ -38,3 +38,9 @@ hook: # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null + + # hook.affinity -- Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # hook.tolerations -- Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] diff --git a/hooks/generic-webhook/README.md b/hooks/generic-webhook/README.md index c4f9c0ea50..0b7a34a18c 100644 --- a/hooks/generic-webhook/README.md +++ b/hooks/generic-webhook/README.md @@ -55,10 +55,12 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-generic-webhook"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | webhookUrl | string | `"http://example.com"` | The URL of your WebHook endpoint | diff --git a/hooks/generic-webhook/docs/README.ArtifactHub.md b/hooks/generic-webhook/docs/README.ArtifactHub.md index 46b8f9fe85..0767eaa4e3 100644 --- a/hooks/generic-webhook/docs/README.ArtifactHub.md +++ b/hooks/generic-webhook/docs/README.ArtifactHub.md @@ -63,10 +63,12 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-generic-webhook"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | webhookUrl | string | `"http://example.com"` | The URL of your WebHook endpoint | diff --git a/hooks/generic-webhook/templates/webhook-hook.yaml b/hooks/generic-webhook/templates/webhook-hook.yaml index 2c30a3da84..da6afff112 100644 --- a/hooks/generic-webhook/templates/webhook-hook.yaml +++ b/hooks/generic-webhook/templates/webhook-hook.yaml @@ -19,3 +19,7 @@ spec: env: - name: WEBHOOK_URL value: {{ .Values.webhookUrl | quote }} + affinity: + {{- toYaml .Values.hook.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.hook.tolerations | nindent 4 }} diff --git a/hooks/generic-webhook/values.yaml b/hooks/generic-webhook/values.yaml index cf4794e3a8..464225aab6 100644 --- a/hooks/generic-webhook/values.yaml +++ b/hooks/generic-webhook/values.yaml @@ -25,3 +25,9 @@ hook: # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null + + # hook.affinity -- Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # hook.tolerations -- Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] diff --git a/hooks/notification/README.md b/hooks/notification/README.md index d7cc1cf714..012484d807 100644 --- a/hooks/notification/README.md +++ b/hooks/notification/README.md @@ -343,11 +343,13 @@ To fill your template with data we provide the following objects. | env[1].name | string | `"SMTP_CONFIG"` | | | env[1].valueFrom.secretKeyRef.key | string | `"smtp-config-key"` | | | env[1].valueFrom.secretKeyRef.name | string | `"some-secret"` | | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | hook.image.repository | string | `"docker.io/securecodebox/hook-notification"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | Image tag | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | notificationChannels[0].endPoint | string | `"SOME_ENV_KEY"` | | | notificationChannels[0].name | string | `"slack"` | | diff --git a/hooks/notification/docs/README.ArtifactHub.md b/hooks/notification/docs/README.ArtifactHub.md index 4890bc7ad0..d2554ccbad 100644 --- a/hooks/notification/docs/README.ArtifactHub.md +++ b/hooks/notification/docs/README.ArtifactHub.md @@ -351,11 +351,13 @@ To fill your template with data we provide the following objects. | env[1].name | string | `"SMTP_CONFIG"` | | | env[1].valueFrom.secretKeyRef.key | string | `"smtp-config-key"` | | | env[1].valueFrom.secretKeyRef.name | string | `"some-secret"` | | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | hook.image.repository | string | `"docker.io/securecodebox/hook-notification"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | Image tag | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | notificationChannels[0].endPoint | string | `"SOME_ENV_KEY"` | | | notificationChannels[0].name | string | `"slack"` | | diff --git a/hooks/notification/templates/notification-hook.yaml b/hooks/notification/templates/notification-hook.yaml index 5525628b60..99e6234699 100644 --- a/hooks/notification/templates/notification-hook.yaml +++ b/hooks/notification/templates/notification-hook.yaml @@ -36,3 +36,7 @@ spec: {{ end }} env: {{- toYaml .Values.env | nindent 4}} + affinity: + {{- toYaml .Values.hook.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.hook.tolerations | nindent 4 }} diff --git a/hooks/notification/values.yaml b/hooks/notification/values.yaml index 87d2d86bb3..36f9d0eb7c 100644 --- a/hooks/notification/values.yaml +++ b/hooks/notification/values.yaml @@ -25,6 +25,13 @@ hook: # hook.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null + # hook.affinity -- Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # hook.tolerations -- Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + + notificationChannels: - name: slack type: slack diff --git a/hooks/persistence-defectdojo/README.md b/hooks/persistence-defectdojo/README.md index f883c669d9..b01fddcaae 100644 --- a/hooks/persistence-defectdojo/README.md +++ b/hooks/persistence-defectdojo/README.md @@ -242,11 +242,13 @@ spec: | defectdojo.lowPrivilegedMode | bool | `false` | Allows the hook to run with a users token whose access rights are restricted to one / multiple product types but doesn't have global platform rights. If set to true, the DefectDojo User ID has to be configured instead of the username (`defectdojo.authentication.userId`). User needs to have at least the `Maintainer` role in the used Product Type. | | defectdojo.syncFindingsBack | bool | `true` | Syncs back (two way sync) all imported findings from DefectDojo to SCB Findings Store. When set to false the hook will only import the findings to DefectDojo (one way sync). | | defectdojo.url | string | `"http://defectdojo-django.default.svc"` | Url to the DefectDojo Instance | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-defectdojo"` | Hook image repository | | hook.image.tag | string | `nil` | Container image tag | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/hooks/persistence-defectdojo/docs/README.ArtifactHub.md b/hooks/persistence-defectdojo/docs/README.ArtifactHub.md index a14f59e0b9..88a46ea1cf 100644 --- a/hooks/persistence-defectdojo/docs/README.ArtifactHub.md +++ b/hooks/persistence-defectdojo/docs/README.ArtifactHub.md @@ -250,11 +250,13 @@ spec: | defectdojo.lowPrivilegedMode | bool | `false` | Allows the hook to run with a users token whose access rights are restricted to one / multiple product types but doesn't have global platform rights. If set to true, the DefectDojo User ID has to be configured instead of the username (`defectdojo.authentication.userId`). User needs to have at least the `Maintainer` role in the used Product Type. | | defectdojo.syncFindingsBack | bool | `true` | Syncs back (two way sync) all imported findings from DefectDojo to SCB Findings Store. When set to false the hook will only import the findings to DefectDojo (one way sync). | | defectdojo.url | string | `"http://defectdojo-django.default.svc"` | Url to the DefectDojo Instance | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-defectdojo"` | Hook image repository | | hook.image.tag | string | `nil` | Container image tag | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/hooks/persistence-defectdojo/values.yaml b/hooks/persistence-defectdojo/values.yaml index cba8b82891..3ad2f4e0eb 100644 --- a/hooks/persistence-defectdojo/values.yaml +++ b/hooks/persistence-defectdojo/values.yaml @@ -25,6 +25,12 @@ hook: # -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null + # hook.affinity -- Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # hook.tolerations -- Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + defectdojo: # -- Syncs back (two way sync) all imported findings from DefectDojo to SCB Findings Store. When set to false the hook will only import the findings to DefectDojo (one way sync). syncFindingsBack: true diff --git a/hooks/persistence-elastic/README.md b/hooks/persistence-elastic/README.md index 0521d429fd..49af404456 100644 --- a/hooks/persistence-elastic/README.md +++ b/hooks/persistence-elastic/README.md @@ -80,10 +80,12 @@ the [Luxon documentation](https://moment.github.io/luxon/docs/manual/formatting. | externalElasticStack.enabled | bool | `false` | Enable this when you already have an Elastic Stack running to which you want to send your results | | externalElasticStack.kibanaAddress | string | `"https://kibana.example.com"` | The URL of the kibana service used to visualize all findings. | | fullnameOverride | string | `""` | | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-elastic"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | imagePullSecrets | list | `[]` | | | indexAppendNamespace | bool | `true` | Define if the name of the namespace where this hook is deployed to must be added to the index name. The namespace can be used to separate index by tenants (namespaces). | diff --git a/hooks/persistence-elastic/docs/README.ArtifactHub.md b/hooks/persistence-elastic/docs/README.ArtifactHub.md index 227e92a077..62b86dd634 100644 --- a/hooks/persistence-elastic/docs/README.ArtifactHub.md +++ b/hooks/persistence-elastic/docs/README.ArtifactHub.md @@ -88,10 +88,12 @@ the [Luxon documentation](https://moment.github.io/luxon/docs/manual/formatting. | externalElasticStack.enabled | bool | `false` | Enable this when you already have an Elastic Stack running to which you want to send your results | | externalElasticStack.kibanaAddress | string | `"https://kibana.example.com"` | The URL of the kibana service used to visualize all findings. | | fullnameOverride | string | `""` | | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-elastic"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | imagePullSecrets | list | `[]` | | | indexAppendNamespace | bool | `true` | Define if the name of the namespace where this hook is deployed to must be added to the index name. The namespace can be used to separate index by tenants (namespaces). | diff --git a/hooks/persistence-elastic/values.yaml b/hooks/persistence-elastic/values.yaml index 038852f5d5..72b7116bba 100644 --- a/hooks/persistence-elastic/values.yaml +++ b/hooks/persistence-elastic/values.yaml @@ -94,3 +94,9 @@ hook: # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null + + # hook.affinity -- Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # hook.tolerations -- Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] diff --git a/hooks/update-field/README.md b/hooks/update-field/README.md index f8bf3ba2d9..2c3294d537 100644 --- a/hooks/update-field/README.md +++ b/hooks/update-field/README.md @@ -62,10 +62,12 @@ helm upgrade --install ufh secureCodeBox/update-field-hook --set attribute.name= |-----|------|---------|-------------| | attribute.name | string | `"category"` | The name of the attribute you want to add to each finding result | | attribute.value | string | `"my-own-category"` | The value of the attribute you want to add to each finding result | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-update-field"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/hooks/update-field/docs/README.ArtifactHub.md b/hooks/update-field/docs/README.ArtifactHub.md index 04185161ab..79dbd9acc7 100644 --- a/hooks/update-field/docs/README.ArtifactHub.md +++ b/hooks/update-field/docs/README.ArtifactHub.md @@ -70,10 +70,12 @@ helm upgrade --install ufh secureCodeBox/update-field-hook --set attribute.name= |-----|------|---------|-------------| | attribute.name | string | `"category"` | The name of the attribute you want to add to each finding result | | attribute.value | string | `"my-own-category"` | The value of the attribute you want to add to each finding result | +| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | hook.image.repository | string | `"docker.io/securecodebox/hook-update-field"` | Hook image repository | | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition | | hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. | +| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/hooks/update-field/templates/update-field-hook.yaml b/hooks/update-field/templates/update-field-hook.yaml index fc234cca0f..a555cb9c1a 100644 --- a/hooks/update-field/templates/update-field-hook.yaml +++ b/hooks/update-field/templates/update-field-hook.yaml @@ -21,3 +21,7 @@ spec: value: {{ .Values.attribute.name | quote }} - name: ATTRIBUTE_VALUE value: {{ .Values.attribute.value | quote }} + affinity: + {{- toYaml .Values.hook.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.hook.tolerations | nindent 4 }} diff --git a/hooks/update-field/values.yaml b/hooks/update-field/values.yaml index 9235e35c5a..cf8e5ae9cb 100644 --- a/hooks/update-field/values.yaml +++ b/hooks/update-field/values.yaml @@ -28,3 +28,9 @@ hook: # hook.ttlSecondsAfterFinished -- Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null + + # hook.affinity -- Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # hook.tolerations -- Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] diff --git a/scanners/amass/README.md b/scanners/amass/README.md index 46b0705251..8697211369 100644 --- a/scanners/amass/README.md +++ b/scanners/amass/README.md @@ -70,13 +70,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -93,6 +96,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/amass/docs/README.ArtifactHub.md b/scanners/amass/docs/README.ArtifactHub.md index 1d91092e22..de5cc70d89 100644 --- a/scanners/amass/docs/README.ArtifactHub.md +++ b/scanners/amass/docs/README.ArtifactHub.md @@ -75,13 +75,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -98,6 +101,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/amass/templates/amass-parse-definition.yaml b/scanners/amass/templates/amass-parse-definition.yaml index 73d8d9e7cb..a38df92869 100644 --- a/scanners/amass/templates/amass-parse-definition.yaml +++ b/scanners/amass/templates/amass-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/amass/templates/amass-scan-type.yaml b/scanners/amass/templates/amass-scan-type.yaml index 149578fb1a..c5d1dc9360 100644 --- a/scanners/amass/templates/amass-scan-type.yaml +++ b/scanners/amass/templates/amass-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: amass image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/amass/values.yaml b/scanners/amass/values.yaml index 69bb54a012..4a891d998b 100644 --- a/scanners/amass/values.yaml +++ b/scanners/amass/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -83,6 +89,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: false diff --git a/scanners/angularjs-csti-scanner/README.md b/scanners/angularjs-csti-scanner/README.md index 0b69684590..e70e703b48 100644 --- a/scanners/angularjs-csti-scanner/README.md +++ b/scanners/angularjs-csti-scanner/README.md @@ -169,13 +169,16 @@ options.scope.request_methods = [ | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-angularjs-csti-scanner"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -192,6 +195,7 @@ options.scope.request_methods = [ | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/angularjs-csti-scanner/docs/README.ArtifactHub.md b/scanners/angularjs-csti-scanner/docs/README.ArtifactHub.md index 74a7d273eb..00ac5fc92d 100644 --- a/scanners/angularjs-csti-scanner/docs/README.ArtifactHub.md +++ b/scanners/angularjs-csti-scanner/docs/README.ArtifactHub.md @@ -174,13 +174,16 @@ options.scope.request_methods = [ | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-angularjs-csti-scanner"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -197,6 +200,7 @@ options.scope.request_methods = [ | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml index f616decb4c..ef01bd8a75 100644 --- a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml +++ b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml index abd46bd9ca..164ebc1117 100644 --- a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml +++ b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: acstis-scanner image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/angularjs-csti-scanner/values.yaml b/scanners/angularjs-csti-scanner/values.yaml index fb43a38a54..0fc3c8ac29 100644 --- a/scanners/angularjs-csti-scanner/values.yaml +++ b/scanners/angularjs-csti-scanner/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: false diff --git a/scanners/cmseek/README.md b/scanners/cmseek/README.md index 9be4b4b587..65ec7f5835 100644 --- a/scanners/cmseek/README.md +++ b/scanners/cmseek/README.md @@ -71,13 +71,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-cmseek"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -94,6 +97,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/cmseek/docs/README.ArtifactHub.md b/scanners/cmseek/docs/README.ArtifactHub.md index b087892300..984c81c7fc 100644 --- a/scanners/cmseek/docs/README.ArtifactHub.md +++ b/scanners/cmseek/docs/README.ArtifactHub.md @@ -78,13 +78,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-cmseek"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -101,6 +104,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/cmseek/templates/cmseek-parse-definition.yaml b/scanners/cmseek/templates/cmseek-parse-definition.yaml index 85635deed6..01cd770f70 100644 --- a/scanners/cmseek/templates/cmseek-parse-definition.yaml +++ b/scanners/cmseek/templates/cmseek-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/cmseek/templates/cmseek-scan-type.yaml b/scanners/cmseek/templates/cmseek-scan-type.yaml index 3ff244a42f..06942d3a3d 100644 --- a/scanners/cmseek/templates/cmseek-scan-type.yaml +++ b/scanners/cmseek/templates/cmseek-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: cmseek image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/cmseek/values.yaml b/scanners/cmseek/values.yaml index 2b12898b51..ea1b8fbc86 100644 --- a/scanners/cmseek/values.yaml +++ b/scanners/cmseek/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/git-repo-scanner/README.md b/scanners/git-repo-scanner/README.md index cc87dbc23c..3a225b1114 100644 --- a/scanners/git-repo-scanner/README.md +++ b/scanners/git-repo-scanner/README.md @@ -99,13 +99,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-git-repo-scanner"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -122,6 +125,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/git-repo-scanner/docs/README.ArtifactHub.md b/scanners/git-repo-scanner/docs/README.ArtifactHub.md index cbc8f3bf38..b3a586accc 100644 --- a/scanners/git-repo-scanner/docs/README.ArtifactHub.md +++ b/scanners/git-repo-scanner/docs/README.ArtifactHub.md @@ -106,13 +106,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-git-repo-scanner"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -129,6 +132,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml b/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml index 5555a4cc58..761ac18dfc 100644 --- a/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml +++ b/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml b/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml index f587c4d6ba..b2551f7259 100644 --- a/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml +++ b/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: git-repo-scanner image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}" diff --git a/scanners/git-repo-scanner/values.yaml b/scanners/git-repo-scanner/values.yaml index 50cb204759..bf6195f925 100644 --- a/scanners/git-repo-scanner/values.yaml +++ b/scanners/git-repo-scanner/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: false diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md index 3b6221a60a..89fcca6a03 100644 --- a/scanners/gitleaks/README.md +++ b/scanners/gitleaks/README.md @@ -162,13 +162,16 @@ For more information on how to use cascades take a look at | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-gitleaks"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -185,6 +188,7 @@ For more information on how to use cascades take a look at | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/gitleaks/docs/README.ArtifactHub.md b/scanners/gitleaks/docs/README.ArtifactHub.md index 6ea7157499..6f7fea6fc8 100644 --- a/scanners/gitleaks/docs/README.ArtifactHub.md +++ b/scanners/gitleaks/docs/README.ArtifactHub.md @@ -167,13 +167,16 @@ For more information on how to use cascades take a look at | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-gitleaks"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -190,6 +193,7 @@ For more information on how to use cascades take a look at | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/gitleaks/templates/gitleaks-parse-definition.yaml b/scanners/gitleaks/templates/gitleaks-parse-definition.yaml index b4029108a4..a07c2045ee 100644 --- a/scanners/gitleaks/templates/gitleaks-parse-definition.yaml +++ b/scanners/gitleaks/templates/gitleaks-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/gitleaks/templates/gitleaks-scan-type.yaml b/scanners/gitleaks/templates/gitleaks-scan-type.yaml index d388efac01..bcbc465a0d 100644 --- a/scanners/gitleaks/templates/gitleaks-scan-type.yaml +++ b/scanners/gitleaks/templates/gitleaks-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: gitleaks image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/gitleaks/values.yaml b/scanners/gitleaks/values.yaml index 00e5be0a21..d2c7f198f2 100644 --- a/scanners/gitleaks/values.yaml +++ b/scanners/gitleaks/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -82,6 +88,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/kube-hunter/README.md b/scanners/kube-hunter/README.md index 9bbf43bbe1..3536f97391 100644 --- a/scanners/kube-hunter/README.md +++ b/scanners/kube-hunter/README.md @@ -63,13 +63,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-kube-hunter"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -86,6 +89,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/kube-hunter/docs/README.ArtifactHub.md b/scanners/kube-hunter/docs/README.ArtifactHub.md index 0085648f73..2fdbc08d7f 100644 --- a/scanners/kube-hunter/docs/README.ArtifactHub.md +++ b/scanners/kube-hunter/docs/README.ArtifactHub.md @@ -70,13 +70,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-kube-hunter"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -93,6 +96,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml b/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml index c78c1a3268..18d7c5f0d4 100644 --- a/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml +++ b/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml index 431ed28126..d70f0b75be 100644 --- a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml +++ b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: kube-hunter image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/kube-hunter/values.yaml b/scanners/kube-hunter/values.yaml index ce377170a7..df410c4879 100644 --- a/scanners/kube-hunter/values.yaml +++ b/scanners/kube-hunter/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/kubeaudit/README.md b/scanners/kubeaudit/README.md index 2db3600250..5030900090 100644 --- a/scanners/kubeaudit/README.md +++ b/scanners/kubeaudit/README.md @@ -67,13 +67,16 @@ Kubernetes: `>=v1.11.0-0` |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | | kubeauditScope | string | `"namespace"` | Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-kubeaudit"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -90,6 +93,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/kubeaudit/docs/README.ArtifactHub.md b/scanners/kubeaudit/docs/README.ArtifactHub.md index a0bb4721c5..73e402acc1 100644 --- a/scanners/kubeaudit/docs/README.ArtifactHub.md +++ b/scanners/kubeaudit/docs/README.ArtifactHub.md @@ -74,13 +74,16 @@ Kubernetes: `>=v1.11.0-0` |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | | kubeauditScope | string | `"namespace"` | Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-kubeaudit"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -97,6 +100,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml b/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml index 6fd7aa76a9..1378435a57 100644 --- a/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml +++ b/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml b/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml index 233d7fd98c..5dcfcfdb2f 100644 --- a/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml +++ b/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: kubeaudit image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/kubeaudit/values.yaml b/scanners/kubeaudit/values.yaml index 8f3b619a2b..6f0063ae8e 100644 --- a/scanners/kubeaudit/values.yaml +++ b/scanners/kubeaudit/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + # kubeauditScope -- Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) kubeauditScope: "namespace" diff --git a/scanners/ncrack/README.md b/scanners/ncrack/README.md index 56508890ab..888434319b 100644 --- a/scanners/ncrack/README.md +++ b/scanners/ncrack/README.md @@ -211,13 +211,16 @@ helm delete ncrack | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | | encryptPasswords.existingSecret | string | `nil` | secret name with a pem encoded rsa public key to encrypt identified passwords | | encryptPasswords.key | string | `"public.key"` | name of the property in the secret with the pem encoded rsa public key | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-ncrack"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -234,6 +237,7 @@ helm delete ncrack | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/ncrack/docs/README.ArtifactHub.md b/scanners/ncrack/docs/README.ArtifactHub.md index df9bfd3a59..780cd37bfb 100644 --- a/scanners/ncrack/docs/README.ArtifactHub.md +++ b/scanners/ncrack/docs/README.ArtifactHub.md @@ -218,13 +218,16 @@ helm delete ncrack | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | | encryptPasswords.existingSecret | string | `nil` | secret name with a pem encoded rsa public key to encrypt identified passwords | | encryptPasswords.key | string | `"public.key"` | name of the property in the secret with the pem encoded rsa public key | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-ncrack"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -241,6 +244,7 @@ helm delete ncrack | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/ncrack/templates/ncrack-parse-definition.yaml b/scanners/ncrack/templates/ncrack-parse-definition.yaml index 150e9f5185..92d1c9f046 100644 --- a/scanners/ncrack/templates/ncrack-parse-definition.yaml +++ b/scanners/ncrack/templates/ncrack-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/ncrack/templates/ncrack-scan-type.yaml b/scanners/ncrack/templates/ncrack-scan-type.yaml index 8f389cc8ed..b460003137 100644 --- a/scanners/ncrack/templates/ncrack-scan-type.yaml +++ b/scanners/ncrack/templates/ncrack-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: ncrack image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/ncrack/values.yaml b/scanners/ncrack/values.yaml index d83485592c..20fdfb3e36 100644 --- a/scanners/ncrack/values.yaml +++ b/scanners/ncrack/values.yaml @@ -26,6 +26,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -83,6 +89,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/nikto/README.md b/scanners/nikto/README.md index daec720c08..a53822fa19 100644 --- a/scanners/nikto/README.md +++ b/scanners/nikto/README.md @@ -82,13 +82,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-nikto"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -105,6 +108,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/nikto/docs/README.ArtifactHub.md b/scanners/nikto/docs/README.ArtifactHub.md index 37f71c588e..0bfe2b7953 100644 --- a/scanners/nikto/docs/README.ArtifactHub.md +++ b/scanners/nikto/docs/README.ArtifactHub.md @@ -87,13 +87,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-nikto"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -110,6 +113,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/nikto/templates/nikto-parse-definition.yaml b/scanners/nikto/templates/nikto-parse-definition.yaml index 9cbf15a066..2fce4b244d 100644 --- a/scanners/nikto/templates/nikto-parse-definition.yaml +++ b/scanners/nikto/templates/nikto-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/nikto/templates/nikto-scan-type.yaml b/scanners/nikto/templates/nikto-scan-type.yaml index e63ba0e16f..6bb5ed8fe5 100644 --- a/scanners/nikto/templates/nikto-scan-type.yaml +++ b/scanners/nikto/templates/nikto-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: nikto image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/nikto/values.yaml b/scanners/nikto/values.yaml index 602e2f6af9..ea13435839 100644 --- a/scanners/nikto/values.yaml +++ b/scanners/nikto/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md index ec432da143..f839c9ae2b 100644 --- a/scanners/nmap/README.md +++ b/scanners/nmap/README.md @@ -133,13 +133,16 @@ spec: | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-nmap"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -156,6 +159,7 @@ spec: | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/nmap/docs/README.ArtifactHub.md b/scanners/nmap/docs/README.ArtifactHub.md index 8ed68f5dec..7c7432f112 100644 --- a/scanners/nmap/docs/README.ArtifactHub.md +++ b/scanners/nmap/docs/README.ArtifactHub.md @@ -138,13 +138,16 @@ spec: | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-nmap"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -161,6 +164,7 @@ spec: | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/nmap/templates/nmap-parse-definition.yaml b/scanners/nmap/templates/nmap-parse-definition.yaml index 9e5bc83e52..8c9b3cc6dc 100644 --- a/scanners/nmap/templates/nmap-parse-definition.yaml +++ b/scanners/nmap/templates/nmap-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/nmap/templates/nmap-scan-type.yaml b/scanners/nmap/templates/nmap-scan-type.yaml index a033042075..a118fbaf26 100644 --- a/scanners/nmap/templates/nmap-scan-type.yaml +++ b/scanners/nmap/templates/nmap-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: nmap image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/nmap/values.yaml b/scanners/nmap/values.yaml index 597b882e73..c391f301fd 100644 --- a/scanners/nmap/values.yaml +++ b/scanners/nmap/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/nuclei/README.md b/scanners/nuclei/README.md index 4abab7a89c..4e889edde9 100644 --- a/scanners/nuclei/README.md +++ b/scanners/nuclei/README.md @@ -180,13 +180,16 @@ helm install nuclei secureCodeBox/nuclei --set="nucleiTemplateCache.enabled=fals | nucleiTemplateCache.failedJobsHistoryLimit | int | `10` | Determines how many failed jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits | | nucleiTemplateCache.schedule | string | `"0 */1 * * *"` | | | nucleiTemplateCache.successfulJobsHistoryLimit | int | `3` | Determines how many successful jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-nuclei"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -203,6 +206,7 @@ helm install nuclei secureCodeBox/nuclei --set="nucleiTemplateCache.enabled=fals | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/nuclei/docs/README.ArtifactHub.md b/scanners/nuclei/docs/README.ArtifactHub.md index e193da0fa9..57940cd7c5 100644 --- a/scanners/nuclei/docs/README.ArtifactHub.md +++ b/scanners/nuclei/docs/README.ArtifactHub.md @@ -187,13 +187,16 @@ helm install nuclei secureCodeBox/nuclei --set="nucleiTemplateCache.enabled=fals | nucleiTemplateCache.failedJobsHistoryLimit | int | `10` | Determines how many failed jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits | | nucleiTemplateCache.schedule | string | `"0 */1 * * *"` | | | nucleiTemplateCache.successfulJobsHistoryLimit | int | `3` | Determines how many successful jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-nuclei"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -210,6 +213,7 @@ helm install nuclei secureCodeBox/nuclei --set="nucleiTemplateCache.enabled=fals | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/nuclei/templates/nuclei-parse-definition.yaml b/scanners/nuclei/templates/nuclei-parse-definition.yaml index b0a1f19fbb..4baf603760 100644 --- a/scanners/nuclei/templates/nuclei-parse-definition.yaml +++ b/scanners/nuclei/templates/nuclei-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/nuclei/templates/nuclei-scan-type.yaml b/scanners/nuclei/templates/nuclei-scan-type.yaml index 461366a8d6..ac79a450be 100644 --- a/scanners/nuclei/templates/nuclei-scan-type.yaml +++ b/scanners/nuclei/templates/nuclei-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: nuclei image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/nuclei/values.yaml b/scanners/nuclei/values.yaml index 16ca0973f5..5755b2308f 100644 --- a/scanners/nuclei/values.yaml +++ b/scanners/nuclei/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + nucleiTemplateCache: # -- Enables or disables the use of an persistent volume to cache the always downloaded nuclei-templates for all scans. enabled: true diff --git a/scanners/screenshooter/README.md b/scanners/screenshooter/README.md index 5479278c0b..64acb3316e 100644 --- a/scanners/screenshooter/README.md +++ b/scanners/screenshooter/README.md @@ -62,13 +62,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-screenshooter"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -85,6 +88,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/screenshooter/docs/README.ArtifactHub.md b/scanners/screenshooter/docs/README.ArtifactHub.md index 9666454b63..d47747a66a 100644 --- a/scanners/screenshooter/docs/README.ArtifactHub.md +++ b/scanners/screenshooter/docs/README.ArtifactHub.md @@ -67,13 +67,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-screenshooter"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -90,6 +93,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/screenshooter/templates/screenshooter-parse-definition.yaml b/scanners/screenshooter/templates/screenshooter-parse-definition.yaml index 0d83f29343..bf310b3d60 100644 --- a/scanners/screenshooter/templates/screenshooter-parse-definition.yaml +++ b/scanners/screenshooter/templates/screenshooter-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/screenshooter/templates/screenshooter-scan-type.yaml b/scanners/screenshooter/templates/screenshooter-scan-type.yaml index d014873d06..352eb6a0ba 100644 --- a/scanners/screenshooter/templates/screenshooter-scan-type.yaml +++ b/scanners/screenshooter/templates/screenshooter-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: screenshooter image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}" diff --git a/scanners/screenshooter/values.yaml b/scanners/screenshooter/values.yaml index 229bb8ae9e..f24ccfa464 100644 --- a/scanners/screenshooter/values.yaml +++ b/scanners/screenshooter/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/semgrep/README.md b/scanners/semgrep/README.md index 54e9956fbe..a889b5d0eb 100644 --- a/scanners/semgrep/README.md +++ b/scanners/semgrep/README.md @@ -173,12 +173,15 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.backoffLimit | int | `3` | | | parser.env | list | `[]` | | | parser.image.pullPolicy | string | `"IfNotPresent"` | | | parser.image.repository | string | `"securecodebox/parser-semgrep"` | | | parser.image.tag | string | `nil` | | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | `3` | | | scanner.env | list | `[]` | | | scanner.extraContainers | list | `[]` | | @@ -193,6 +196,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | | | scanner.securityContext.runAsNonRoot | bool | `true` | | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | | ## License diff --git a/scanners/semgrep/docs/README.ArtifactHub.md b/scanners/semgrep/docs/README.ArtifactHub.md index 6330ff3985..6ed4f59a0a 100644 --- a/scanners/semgrep/docs/README.ArtifactHub.md +++ b/scanners/semgrep/docs/README.ArtifactHub.md @@ -178,12 +178,15 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.backoffLimit | int | `3` | | | parser.env | list | `[]` | | | parser.image.pullPolicy | string | `"IfNotPresent"` | | | parser.image.repository | string | `"securecodebox/parser-semgrep"` | | | parser.image.tag | string | `nil` | | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | `3` | | | scanner.env | list | `[]` | | | scanner.extraContainers | list | `[]` | | @@ -198,6 +201,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | | | scanner.securityContext.runAsNonRoot | bool | `true` | | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | | ## Contributing diff --git a/scanners/semgrep/templates/semgrep-parse-definition.yaml b/scanners/semgrep/templates/semgrep-parse-definition.yaml index c565e9861f..cd8b7e6390 100644 --- a/scanners/semgrep/templates/semgrep-parse-definition.yaml +++ b/scanners/semgrep/templates/semgrep-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/semgrep/templates/semgrep-scan-type.yaml b/scanners/semgrep/templates/semgrep-scan-type.yaml index a91379cc7b..73db77caaf 100644 --- a/scanners/semgrep/templates/semgrep-scan-type.yaml +++ b/scanners/semgrep/templates/semgrep-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: semgrep image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/semgrep/values.yaml b/scanners/semgrep/values.yaml index 02bb74e731..16d4b8d4fe 100644 --- a/scanners/semgrep/values.yaml +++ b/scanners/semgrep/values.yaml @@ -10,6 +10,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: repository: docker.io/returntocorp/semgrep @@ -46,6 +52,12 @@ scanner: drop: - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true \ No newline at end of file diff --git a/scanners/ssh-scan/README.md b/scanners/ssh-scan/README.md index 2503fcfa18..67a8c13de7 100644 --- a/scanners/ssh-scan/README.md +++ b/scanners/ssh-scan/README.md @@ -96,13 +96,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-ssh-scan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -119,6 +122,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/ssh-scan/docs/README.ArtifactHub.md b/scanners/ssh-scan/docs/README.ArtifactHub.md index ec98cf9dbc..817ae03934 100644 --- a/scanners/ssh-scan/docs/README.ArtifactHub.md +++ b/scanners/ssh-scan/docs/README.ArtifactHub.md @@ -103,13 +103,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-ssh-scan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -126,6 +129,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml b/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml index 3c43579b05..f178392b48 100644 --- a/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml +++ b/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml b/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml index c3e1e1427f..63f253b012 100644 --- a/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml +++ b/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: ssh-scan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/ssh-scan/values.yaml b/scanners/ssh-scan/values.yaml index 88568984ea..116dcb7adc 100644 --- a/scanners/ssh-scan/values.yaml +++ b/scanners/ssh-scan/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/sslyze/README.md b/scanners/sslyze/README.md index 99cc3a960a..2494317c28 100644 --- a/scanners/sslyze/README.md +++ b/scanners/sslyze/README.md @@ -163,13 +163,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-sslyze"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -186,6 +189,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/sslyze/docs/README.ArtifactHub.md b/scanners/sslyze/docs/README.ArtifactHub.md index 398531bf06..31e2cdf604 100644 --- a/scanners/sslyze/docs/README.ArtifactHub.md +++ b/scanners/sslyze/docs/README.ArtifactHub.md @@ -170,13 +170,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-sslyze"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -193,6 +196,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/sslyze/templates/sslyze-parse-definition.yaml b/scanners/sslyze/templates/sslyze-parse-definition.yaml index 4151d995ae..96da850576 100644 --- a/scanners/sslyze/templates/sslyze-parse-definition.yaml +++ b/scanners/sslyze/templates/sslyze-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/sslyze/templates/sslyze-scan-type.yaml b/scanners/sslyze/templates/sslyze-scan-type.yaml index 65880dcd76..4ff6228e6a 100644 --- a/scanners/sslyze/templates/sslyze-scan-type.yaml +++ b/scanners/sslyze/templates/sslyze-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: sslyze image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/sslyze/values.yaml b/scanners/sslyze/values.yaml index df51d4c6e7..5fab38f567 100644 --- a/scanners/sslyze/values.yaml +++ b/scanners/sslyze/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/test-scan/README.md b/scanners/test-scan/README.md index 77117741a9..4e3536f02e 100644 --- a/scanners/test-scan/README.md +++ b/scanners/test-scan/README.md @@ -56,13 +56,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-test-scan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -79,6 +82,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/test-scan/docs/README.ArtifactHub.md b/scanners/test-scan/docs/README.ArtifactHub.md index aa96efab2b..7c29fe76a3 100644 --- a/scanners/test-scan/docs/README.ArtifactHub.md +++ b/scanners/test-scan/docs/README.ArtifactHub.md @@ -62,13 +62,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-test-scan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -85,6 +88,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/test-scan/templates/test-scan-parse-definition.yaml b/scanners/test-scan/templates/test-scan-parse-definition.yaml index 4a802ea5d6..d6662cbf05 100644 --- a/scanners/test-scan/templates/test-scan-parse-definition.yaml +++ b/scanners/test-scan/templates/test-scan-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/test-scan/templates/test-scan-scan-type.yaml b/scanners/test-scan/templates/test-scan-scan-type.yaml index 3a4dcd16b5..2654c07abb 100644 --- a/scanners/test-scan/templates/test-scan-scan-type.yaml +++ b/scanners/test-scan/templates/test-scan-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: test-scan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}" diff --git a/scanners/test-scan/values.yaml b/scanners/test-scan/values.yaml index a2840bc4bb..29a8e701ea 100644 --- a/scanners/test-scan/values.yaml +++ b/scanners/test-scan/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: false diff --git a/scanners/trivy/README.md b/scanners/trivy/README.md index 573ef4b1f3..8b435b0260 100644 --- a/scanners/trivy/README.md +++ b/scanners/trivy/README.md @@ -189,13 +189,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-trivy"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -212,6 +215,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/trivy/docs/README.ArtifactHub.md b/scanners/trivy/docs/README.ArtifactHub.md index 30ba5e8dae..6f7fb18f94 100644 --- a/scanners/trivy/docs/README.ArtifactHub.md +++ b/scanners/trivy/docs/README.ArtifactHub.md @@ -196,13 +196,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-trivy"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -219,6 +222,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/trivy/templates/trivy-parse-definition.yaml b/scanners/trivy/templates/trivy-parse-definition.yaml index 5c5a8fccaf..a7f3935f85 100644 --- a/scanners/trivy/templates/trivy-parse-definition.yaml +++ b/scanners/trivy/templates/trivy-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/trivy/templates/trivy-scan-type.yaml b/scanners/trivy/templates/trivy-scan-type.yaml index 3f899e990e..66bb941247 100644 --- a/scanners/trivy/templates/trivy-scan-type.yaml +++ b/scanners/trivy/templates/trivy-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: trivy image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/trivy/values.yaml b/scanners/trivy/values.yaml index d46493794e..fbb3ae603e 100644 --- a/scanners/trivy/values.yaml +++ b/scanners/trivy/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: false diff --git a/scanners/typo3scan/README.md b/scanners/typo3scan/README.md index 0898bc3d6d..9b5e634b31 100644 --- a/scanners/typo3scan/README.md +++ b/scanners/typo3scan/README.md @@ -77,13 +77,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-typo3scan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -100,6 +103,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/typo3scan/docs/README.ArtifactHub.md b/scanners/typo3scan/docs/README.ArtifactHub.md index 3bb8d83ea7..c9f7891ac8 100644 --- a/scanners/typo3scan/docs/README.ArtifactHub.md +++ b/scanners/typo3scan/docs/README.ArtifactHub.md @@ -84,13 +84,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-typo3scan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -107,6 +110,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/typo3scan/templates/typo3scan-parse-definition.yaml b/scanners/typo3scan/templates/typo3scan-parse-definition.yaml index 576814b774..9722ea51e6 100644 --- a/scanners/typo3scan/templates/typo3scan-parse-definition.yaml +++ b/scanners/typo3scan/templates/typo3scan-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/typo3scan/templates/typo3scan-scan-type.yaml b/scanners/typo3scan/templates/typo3scan-scan-type.yaml index 66e97f6164..0f1f3f0459 100644 --- a/scanners/typo3scan/templates/typo3scan-scan-type.yaml +++ b/scanners/typo3scan/templates/typo3scan-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: typo3scan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/typo3scan/values.yaml b/scanners/typo3scan/values.yaml index f826a2c27d..34756c1085 100644 --- a/scanners/typo3scan/values.yaml +++ b/scanners/typo3scan/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/whatweb/README.md b/scanners/whatweb/README.md index 27766ef317..c2fc64b478 100644 --- a/scanners/whatweb/README.md +++ b/scanners/whatweb/README.md @@ -194,13 +194,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-whatweb"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -217,6 +220,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/whatweb/docs/README.ArtifactHub.md b/scanners/whatweb/docs/README.ArtifactHub.md index dbc883cea8..63612d9205 100644 --- a/scanners/whatweb/docs/README.ArtifactHub.md +++ b/scanners/whatweb/docs/README.ArtifactHub.md @@ -199,13 +199,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-whatweb"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -222,6 +225,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/whatweb/templates/whatweb-parse-definition.yaml b/scanners/whatweb/templates/whatweb-parse-definition.yaml index 84bbd21792..8858e16536 100644 --- a/scanners/whatweb/templates/whatweb-parse-definition.yaml +++ b/scanners/whatweb/templates/whatweb-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/whatweb/templates/whatweb-scan-type.yaml b/scanners/whatweb/templates/whatweb-scan-type.yaml index a575bf3f09..f0f87f0761 100644 --- a/scanners/whatweb/templates/whatweb-scan-type.yaml +++ b/scanners/whatweb/templates/whatweb-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: whatweb image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/whatweb/values.yaml b/scanners/whatweb/values.yaml index 078ff0da95..ae7791e376 100644 --- a/scanners/whatweb/values.yaml +++ b/scanners/whatweb/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: true diff --git a/scanners/wpscan/README.md b/scanners/wpscan/README.md index 2acba70480..d451fc7df5 100644 --- a/scanners/wpscan/README.md +++ b/scanners/wpscan/README.md @@ -102,13 +102,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-wpscan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -125,6 +128,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/wpscan/docs/README.ArtifactHub.md b/scanners/wpscan/docs/README.ArtifactHub.md index 603bdf4884..92a3d4389b 100644 --- a/scanners/wpscan/docs/README.ArtifactHub.md +++ b/scanners/wpscan/docs/README.ArtifactHub.md @@ -107,13 +107,16 @@ Kubernetes: `>=v1.11.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-wpscan"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | @@ -130,6 +133,7 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/wpscan/templates/wpscan-parse-definition.yaml b/scanners/wpscan/templates/wpscan-parse-definition.yaml index 763fb786db..6195742ec7 100644 --- a/scanners/wpscan/templates/wpscan-parse-definition.yaml +++ b/scanners/wpscan/templates/wpscan-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/wpscan/templates/wpscan-scan-type.yaml b/scanners/wpscan/templates/wpscan-scan-type.yaml index c8b346cfd0..f054627803 100644 --- a/scanners/wpscan/templates/wpscan-scan-type.yaml +++ b/scanners/wpscan/templates/wpscan-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: OnFailure + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: wpscan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/wpscan/values.yaml b/scanners/wpscan/values.yaml index 1ea5f3e475..98432bce05 100644 --- a/scanners/wpscan/values.yaml +++ b/scanners/wpscan/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -77,6 +83,12 @@ scanner: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner enabled: false diff --git a/scanners/zap-advanced/README.md b/scanners/zap-advanced/README.md index 19ce99dcdf..c3ec22d632 100644 --- a/scanners/zap-advanced/README.md +++ b/scanners/zap-advanced/README.md @@ -480,13 +480,16 @@ zapConfiguration: | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | @@ -504,6 +507,7 @@ zapConfiguration: | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | zapConfiguration | object | `{"global":{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. | | zapConfiguration.global | object | `{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}` | Optional general ZAP Configurations settings. | diff --git a/scanners/zap-advanced/docs/README.ArtifactHub.md b/scanners/zap-advanced/docs/README.ArtifactHub.md index 11f337b235..7468550dd3 100644 --- a/scanners/zap-advanced/docs/README.ArtifactHub.md +++ b/scanners/zap-advanced/docs/README.ArtifactHub.md @@ -485,13 +485,16 @@ zapConfiguration: | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | @@ -509,6 +512,7 @@ zapConfiguration: | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | zapConfiguration | object | `{"global":{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. | | zapConfiguration.global | object | `{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}` | Optional general ZAP Configurations settings. | diff --git a/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml b/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml index 0e5aba5295..39d447e5e4 100644 --- a/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml +++ b/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml @@ -16,3 +16,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml b/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml index 2799d2a496..5d1f27e2e0 100644 --- a/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml +++ b/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml @@ -44,6 +44,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: zap-advanced-scan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}" diff --git a/scanners/zap-advanced/values.yaml b/scanners/zap-advanced/values.yaml index b33cdef5ca..aff43b670d 100644 --- a/scanners/zap-advanced/values.yaml +++ b/scanners/zap-advanced/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -92,6 +98,12 @@ scanner: drop: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] zapContainer: image: diff --git a/scanners/zap/README.md b/scanners/zap/README.md index b21d08a850..571ab48718 100644 --- a/scanners/zap/README.md +++ b/scanners/zap/README.md @@ -102,13 +102,16 @@ That's why we introduced this `zap-advanced` scanner chart, which introduces ext | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | @@ -126,6 +129,7 @@ That's why we introduced this `zap-advanced` scanner chart, which introduces ext | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License diff --git a/scanners/zap/docs/README.ArtifactHub.md b/scanners/zap/docs/README.ArtifactHub.md index 01ed8141cb..e2f2a8d0b9 100644 --- a/scanners/zap/docs/README.ArtifactHub.md +++ b/scanners/zap/docs/README.ArtifactHub.md @@ -107,13 +107,16 @@ That's why we introduced this `zap-advanced` scanner chart, which introduces ext | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | | parser.image.tag | string | defaults to the charts version | Parser image tag | | parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | | scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | | scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | | scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | @@ -131,6 +134,7 @@ That's why we introduced this `zap-advanced` scanner chart, which introduces ext | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | | scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | | scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## Contributing diff --git a/scanners/zap/templates/zap-parse-definition.yaml b/scanners/zap/templates/zap-parse-definition.yaml index 3d3d961d2a..97a47ae36f 100644 --- a/scanners/zap/templates/zap-parse-definition.yaml +++ b/scanners/zap/templates/zap-parse-definition.yaml @@ -14,3 +14,7 @@ spec: {{- toYaml .Values.parser.env | nindent 4 }} scopeLimiterAliases: {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }} + affinity: + {{- toYaml .Values.parser.affinity | nindent 4 }} + tolerations: + {{- toYaml .Values.parser.tolerations | nindent 4 }} diff --git a/scanners/zap/templates/zap-scan-type.yaml b/scanners/zap/templates/zap-scan-type.yaml index 535821eb16..d9def62d88 100644 --- a/scanners/zap/templates/zap-scan-type.yaml +++ b/scanners/zap/templates/zap-scan-type.yaml @@ -22,6 +22,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: zap-baseline-scan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" @@ -66,6 +70,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: zap-api-scan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" @@ -109,6 +117,10 @@ spec: template: spec: restartPolicy: Never + affinity: + {{- toYaml .Values.scanner.affinity | nindent 12 }} + tolerations: + {{- toYaml .Values.scanner.tolerations | nindent 12 }} containers: - name: zap-full-scan image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" diff --git a/scanners/zap/values.yaml b/scanners/zap/values.yaml index b1aee17a7e..931760d606 100644 --- a/scanners/zap/values.yaml +++ b/scanners/zap/values.yaml @@ -20,6 +20,12 @@ parser: # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. scopeLimiterAliases: {} + # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] + scanner: image: # scanner.image.repository -- Container Image to run the scan @@ -83,6 +89,11 @@ scanner: drop: # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all + # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) + affinity: {} + + # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + tolerations: [] cascadingRules: # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner