diff --git a/README.md b/README.md
index cbacd36..aa027c9 100644
--- a/README.md
+++ b/README.md
@@ -69,7 +69,7 @@ domain you own. Cloud Identity offers a
 Download the binary for your platform:
 
 ```sh
-VERSION=v0.4.1
+VERSION=v0.4.2
 curl -Lo gatekeeper-securitycenter "https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter/releases/download/${VERSION}/gatekeeper-securitycenter_$(uname -s)_$(uname -m)"
 chmod +x gatekeeper-securitycenter
 ```
diff --git a/manifests/README.md b/manifests/README.md
index f608508..7e2210c 100644
--- a/manifests/README.md
+++ b/manifests/README.md
@@ -14,7 +14,7 @@ These instructions assume that you have already created the
 ### Fetch the manifests
 
 ```sh
-VERSION=v0.4.1
+VERSION=v0.4.2
 kpt pkg get https://github.com/GoogleCloudPlatform/gatekeeper-securitycenter.git/manifests@$VERSION manifests
 ```
 
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
index d82136a..926634f 100644
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -1,70 +1,55 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: apps/v1 kind: Deployment metadata: - name: gatekeeper-securitycenter-controller-manager - namespace: gatekeeper-securitycenter # kpt-set: ${namespace} labels: control-plane: controller-manager gatekeeper-securitycenter/operation: manager - gatekeeper-securitycenter/system: 'yes' + gatekeeper-securitycenter/system: "yes" + name: gatekeeper-securitycenter-controller-manager + namespace: gatekeeper-securitycenter spec: replicas: 1 selector: matchLabels: control-plane: controller-manager gatekeeper-securitycenter/operation: controller - gatekeeper-securitycenter/system: 'yes' + gatekeeper-securitycenter/system: "yes" template: metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/manager: runtime/default labels: control-plane: controller-manager gatekeeper-securitycenter/operation: controller - gatekeeper-securitycenter/system: 'yes' - annotations: - container.seccomp.security.alpha.kubernetes.io/manager: runtime/default + gatekeeper-securitycenter/system: "yes" spec: - serviceAccountName: gatekeeper-securitycenter-controller containers: - - name: manager - image: gatekeeper-securitycenter # kpt-set: ${image} - args: + - args: - findings - manager - --source=$(SOURCE) - --cluster=$(CLUSTER) - - --interval=120 # kpt-set: --interval=${interval} - - --dry-run=false # kpt-set: --dry-run=${dry-run} + - --interval=120 + - --dry-run=false env: - name: 
SOURCE valueFrom: configMapKeyRef: - name: gatekeeper-securitycenter-config key: SOURCE_NAME + name: gatekeeper-securitycenter-config - name: CLUSTER valueFrom: configMapKeyRef: - name: gatekeeper-securitycenter-config key: CLUSTER_NAME + name: gatekeeper-securitycenter-config - name: DEBUG - value: "false" # kpt-set: ${debug-env} + value: "false" + image: ghcr.io/googlecloudplatform/gatekeeper-securitycenter:v0.4.2@sha256:28883f0507487771513971512dcf3abddcc3aba705b9a0702e2e847abdd8f268 + name: manager resources: requests: - cpu: 250m # kpt-set: ${request-cpu} - memory: 512Mi # kpt-set: ${request-memory} + cpu: 250m + memory: 512Mi securityContext: allowPrivilegeEscalation: false capabilities: @@ -74,3 +59,4 @@ spec: runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 + serviceAccountName: gatekeeper-securitycenter-controller
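Review bot: The seccomp profile is still requested only through the alpha annotation `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` that this hunk re-adds under template.metadata.annotations; that annotation was deprecated in Kubernetes 1.19 and no longer honoured from 1.25, so on current clusters the manager container runs with no seccomp profile at all. Nothing visible sets the field form — the container securityContext shows allowPrivilegeEscalation, capabilities and, in the trailing hunk, the runAs* keys but no `seccompProfile` — so I would add `seccompProfile:` / `  type: RuntimeDefault` under that securityContext and keep the annotation only for older clusters. Separately, every `# kpt-set:` marker (namespace, image, --interval, --dry-run, DEBUG, resource requests) is dropped together with the license header, which looks like the file was replaced by rendered output; if that is intended, the `kpt pkg get` step in manifests/README.md should no longer imply setter-based customisation, and the namespace is now fixed to gatekeeper-securitycenter. The container's capabilities block continues past the end of the first hunk.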