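{{- $name := include "base.name" . -}}
# Threat Stack host-monitoring agent, one pod per node.
#
# SECURITY: this workload is deliberately node-privileged. hostPID, hostNetwork,
# CAP_SYS_ADMIN, the Docker daemon socket and the host root filesystem are all
# exposed to the container; together they are root-equivalent on every node.
# Keep the image pinned and verified, keep the PodSecurityPolicy that permits
# this bound to this ServiceAccount only, and restrict `pods/exec` on these
# pods as tightly as the cluster's RBAC allows.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ $name }}
  labels: {{ include "base.labels.mulesoft" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      app: {{ $name }}
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # One node at a time, so monitoring coverage drops by at most one node
      # while the agent is upgraded.
      maxUnavailable: 1
  minReadySeconds: 3
  template:
    metadata:
      # template.metadata.name is intentionally not set: the controller
      # ignores it and generates pod names from the DaemonSet name.
      labels: {{ include "base.labels.mulesoft" . | nindent 8 }}
    spec:
      serviceAccountName: {{ $name }}
      # Host namespaces give the agent node-wide process and network
      # visibility; they also let it see and signal every process on the node.
      hostNetwork: true
      hostPID: true
      {{ include "base.image.pull-secret-name" . | indent 6 | trim }}
      # apps/v1 DaemonSets require Kubernetes 1.9+, where tolerations are GA,
      # so no version gate is needed. The previous gate compared
      # .Capabilities.KubeVersion.Minor against "6" with `ge`, which is a
      # *string* comparison in Go templates: "10" ge "6" is false, so on 1.10+
      # clusters any configured tolerations were silently dropped. `with` also
      # omits the key entirely when the value is unset instead of emitting
      # `tolerations: null`.
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ $name }}-agent
          image: {{ template "base.image.name" . }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{ include "base.resources.limits" . | indent 10 | trim }}
          env:
            # NOTE(review): the config Secret is mounted at
            # /threatstackfs/tmp/ts-config (inside the host-root mount) but this
            # path is /tmp/ts-config. That only lines up if the agent resolves
            # paths relative to /threatstackfs (e.g. chroots into it); confirm
            # against the agent's documentation before relying on it.
            - name: THREATSTACK_CONFIG_PATH
              value: /tmp/ts-config/ts-config.json
          securityContext:
            capabilities:
              # AUDIT_CONTROL / AUDIT_READ: kernel audit subsystem access.
              # NET_ADMIN: host network monitoring.
              # SYS_ADMIN: effectively root on the node.
              add:
                - AUDIT_CONTROL
                - AUDIT_READ
                - NET_ADMIN
                - SYS_ADMIN
          volumeMounts:
            # Agent config from the Secret of the same name, placed under the
            # host-root mount.
            - name: {{ $name }}
              mountPath: /threatstackfs/tmp/ts-config
            # Docker API socket: full control of the daemon, i.e. root on the
            # node. A readOnly mount would not reduce this - it restricts
            # filesystem operations, not connecting to and writing on the socket.
            - name: dockersocket
              mountPath: /var/run/docker.sock
            # The entire host filesystem, mounted read-write.
            # NOTE(review): if the agent only reads from the host, add
            # `readOnly: true` here; confirm with the agent docs before changing.
            - name: hostfs
              mountPath: /threatstackfs
      volumes:
        - name: {{ $name }}
          secret:
            secretName: {{ $name }}
            items:
              - key: ts-config.json
                path: ts-config.json
        - name: dockersocket
          hostPath:
            path: /var/run/docker.sock
        - name: hostfs
          hostPath:
            path: /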
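# PodSecurityPolicy permitting exactly what the monitoring-agent DaemonSet asks
# for: host PID/network namespaces, the AUDIT_*/NET_ADMIN/SYS_ADMIN capabilities
# and hostPath volumes. That combination is node-root, so this must stay the
# policy of last resort: its only consumer should be the agent ServiceAccount,
# via the `use` ClusterRole and ClusterRoleBinding shipped with it.
#
# extensions/v1beta1 is kept for 1.9 compatibility (apps/v1 DaemonSets need
# 1.9+); policy/v1beta1 exists from 1.10 and extensions/v1beta1 is removed in
# 1.16. PodSecurityPolicy itself is removed in 1.25 in favour of Pod Security
# Admission.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: infosec-monitoring
spec:
  # privileged and hostIPC are omitted and therefore false.
  hostNetwork: true
  hostPID: true
  # No hostPorts range. With hostNetwork: true the API server defaults every
  # declared containerPort to the same hostPort, which admission then checks
  # against this list; the DaemonSet declares no ports, so there is nothing to
  # allow. Re-add a range only if a containerPort is added to the agent.
  allowedCapabilities:
    - AUDIT_CONTROL
    - AUDIT_READ
    - NET_ADMIN
    - SYS_ADMIN  # root-equivalent; requested by the agent DaemonSet
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Only the volume types the DaemonSet actually uses, plus what the kubelet
  # injects for the ServiceAccount token (secret; projected on clusters that
  # use bound service-account tokens). The original allowed '*'.
  # allowedHostPaths is not useful here: the agent mounts / itself.
  volumes:
    - hostPath
    - secret
    - projected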
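---
# Grants the `use` verb on the infosec-monitoring PodSecurityPolicy and nothing
# else. It is bound to the agent ServiceAccount alone by the ClusterRoleBinding
# in this chart.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: infosec-monitoring
rules:
  - apiGroups:
      # PSP admission authorizes `use` against the policy group (the group the
      # PSP API moved to in 1.10) and still honours extensions; listing both
      # keeps this grant valid whichever apiVersion the PSP object is created
      # with.
      - extensions
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - infosec-monitoring
    verbs:
      - use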
{{- $name := include "base.name" . -}}
# Identity the agent pods run as. The only grant this chart attaches to it is
# `use` of the infosec-monitoring PodSecurityPolicy (ClusterRoleBinding below).
# NOTE(review): if the agent does not need the Kubernetes API, add
# `automountServiceAccountToken: false`; the values enable enable_kubes, so it
# probably does - confirm first.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
---
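# Binds the PSP `use` ClusterRole to the agent ServiceAccount only. Anything
# else that needs this PSP must be granted explicitly - never widen the
# subjects to a group such as system:serviceaccounts.
kind: ClusterRoleBinding
{{/* rbac.authorization.k8s.io/v1 is GA from 1.8; fall back for older clusters. */}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
metadata:
  # ClusterRoleBindings are cluster-scoped, so no metadata.namespace (the
  # original set one, which is meaningless on this kind). The name is
  # cluster-wide: two releases of this chart with the same base.name would
  # collide on it.
  name: {{ $name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: infosec-monitoring
subjects:
  - kind: ServiceAccount
    name: {{ $name }}
    namespace: {{ .Release.Namespace }}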
{{- $name := include "base.name" . -}}
# The agent's configuration file, rendered from .Values.threatstack. It carries
# the Threat Stack deploy key, so treat it as a credential: limit who can `get`
# or `list` Secrets in this namespace and make sure etcd encryption at rest is
# enabled. base64 is encoding, not protection.
# NOTE(review): this uses base.labels.standard while the DaemonSet uses
# base.labels.mulesoft - confirm the difference is intended.
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  labels: {{ include "base.labels.standard" . | nindent 4 }}
type: Opaque
data:
  # Whole values map serialised to JSON, then base64 as the Secret API requires.
  ts-config.json: {{ .Values.threatstack | toJson | b64enc }}
threatstack:
  # Threat Stack deploy key. Left empty in committed values and injected at the
  # deploy phase of the pipeline. Never commit a real key here: this whole map
  # is serialised into the ts-config Secret.
  deploy-key: ''
  agent_type: 'i'
  # Kept as one comma-separated string, the shape the chart already uses,
  # rather than a YAML list.
  ruleset: 'Base Rule Set, Docker Rule Set, Kubernetes Rule Set, CIS Docker Rule Set'
  configuration:
    enable_containers: 1
    enable_kubes: 1
    log_level: 'info'