stackrox · gavin-stackrox · Feb 14, 2023 · Oct 4, 2022 · Jan 25, 2023 · Feb 2, 2023
diff --git a/central/detection/service/service_impl_test.go b/central/detection/service/service_impl_test.go
@@ -530,19 +530,44 @@ spec:
   adminPortalCredentialsRef:
     name: asecretname
 `
+const cronYaml = `
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: example
+  namespace: sst-etcd-backup
+spec:
+  schedule: '@daily'
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: hello
+              image: busybox
+              args:
+                - /bin/sh
+                - '-c'
+                - date; echo Hello from the Kubernetes cluster
+          restartPolicy: OnFailure
+`
 
 func TestParseList_Success(t *testing.T) {
-	_, _, err := getObjectsFromYAML(listYAML)
-	require.NoError(t, err)
-
-	_, _, err = getObjectsFromYAML(openshiftDeploymentConfigYaml)
-	require.NoError(t, err)
-
-	_, _, err = getObjectsFromYAML(multiYaml)
-	require.NoError(t, err)
-
-	_, _, err = getObjectsFromYAML(openshiftDeploymentConfigYaml)
-	require.NoError(t, err)
+	for name, yaml := range map[string]string{
+		"listYaml":                          listYAML,
+		"openshiftDeploymentConfigYaml":     openshiftDeploymentConfigYaml,
+		"multiYaml":                         multiYaml,
+		"openshiftDeployConfMultiYaml":      openshiftDeploymentConfigYaml,
+		"operatorCRDMultiYaml":              operatorCRDMultiYaml,
+		"operatorCRDYaml":                   operatorCRDYaml,
+		"openshiftRouteWithOperatorCRDYaml": openshiftRouteWithOperatorCRDYaml,
+		"cronYaml":                          cronYaml,
+	} {
+		t.Run(name, func(t *testing.T) {
+			_, _, err := getObjectsFromYAML(yaml)
+			require.NoError(t, err)
+		})
+	}
 }
 
 func TestParseList_ConversionToOpenshiftObjects(t *testing.T) {

diff --git a/central/tlsconfig/tlsconfig.go b/central/tlsconfig/tlsconfig.go
@@ -38,6 +38,7 @@ func GetAdditionalCAs() ([][]byte, error) {
 	var certDERs [][]byte
 	for _, certFile := range certFileInfos {
 		if filepath.Ext(certFile.Name()) != ".crt" {
+			log.Infof("Skipping additional-ca file %q, must end with '*.crt'.", certFile.Name())
 			continue
 		}
 		content, err := os.ReadFile(path.Join(additionalCADir, certFile.Name()))

diff --git a/deploy/README.md b/deploy/README.md
@@ -18,13 +18,14 @@ $ LOAD_BALANCER=route ./deploy/openshift/deploy.sh
 
 Most environment variables can be found in [common/env.sh](common/env.sh).
 
-| **Name**           | **Values**            | **Description**                                                                                                                                                            |
-|--------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `COLLECTION_METHOD`  | `ebpf`  \| `kernel-module` | Set the collection method for collector.                                                                                                                                   |
-| `HOTRELOAD`          | `true`  \| `false`         | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop.  Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
-| `LOAD_BALANCER`      | `route` \| `lb`            | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes.                                                 |
-| `MAIN_IMAGE_TAG`     | `string`                   | Configure the image tag of the `stackrox/main` image to be deployed.                                                                                                       |
-| `MONITORING_SUPPORT` | `true`  \| `false`         | Enable StackRox monitoring.                                                                                                                                                |
-| `REGISTRY_USERNAME`  | `string`                   | Set docker registry username to pull the docker.io/stackrox/main image. |
-| `REGISTRY_PASSWORD`  | `string`                   | Set docker registry password to pull the docker.io/stackrox/main image.  |
-| `STORAGE`            | `none`  \| `pvc`           | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`.                                                |
+| **Name**                | **Values**            | **Description**                                                                                                                                                            |
+|-------------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `COLLECTION_METHOD`     | `ebpf`  \| `kernel-module` | Set the collection method for collector.                                                                                                                                   |
+| `HOTRELOAD`             | `true`  \| `false`         | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop.  Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
+| `LOAD_BALANCER`         | `route` \| `lb`            | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes.                                                 |
+| `MAIN_IMAGE_TAG`        | `string`                   | Configure the image tag of the `stackrox/main` image to be deployed.                                                                                                       |
+| `MONITORING_SUPPORT`    | `true`  \| `false`         | Enable StackRox monitoring.                                                                                                                                                |
+| `MONITORING_ENABLE_PSP` | `true` \| `false`          | Generate PodSecurityPolicies for monitoring. Defaults to `false`, as PSPs were deprecated in k8s 1.25. |
+| `REGISTRY_USERNAME`     | `string`                   | Set docker registry username to pull the docker.io/stackrox/main image. |
+| `REGISTRY_PASSWORD`     | `string`                   | Set docker registry password to pull the docker.io/stackrox/main image.  |
+| `STORAGE`               | `none`  \| `pvc`           | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`.                                                |
diff --git a/...toring/templates/pod-security-policy.yaml → ...toring/templates/pod-security-config.yaml b/...toring/templates/pod-security-policy.yaml → ...toring/templates/pod-security-config.yaml
@@ -1,11 +1,12 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
   labels:
     app.kubernetes.io/name: stackrox
     app: monitoring
 rules:
+{{- if .Values.enableMonitoringPSPs }}
   - apiGroups:
       - policy
     resources:
@@ -14,6 +15,7 @@ rules:
       - stackrox-monitoring
     verbs:
       - use
+{{- end }}
   - apiGroups: [""]
     resources:
       - endpoints
@@ -25,20 +27,21 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: stackrox
     app: monitoring
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
 subjects:
   - kind: ServiceAccount
     name: monitoring
     namespace: {{ .Release.Namespace }}
 ---
+{{- if .Values.enableMonitoringPSPs }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -75,3 +78,4 @@ spec:
     ranges:
       - min: 4000
         max: 4000
+{{- end }}
diff --git a/deploy/charts/monitoring/values.yaml b/deploy/charts/monitoring/values.yaml
@@ -21,3 +21,5 @@ persistence:
   storageClass: null
 
 nodeSelector: {}
+
+enableMonitoringPSPs: ${MONITORING_ENABLE_PSP}
diff --git a/deploy/common/env.sh b/deploy/common/env.sh
@@ -21,6 +21,9 @@ echo "ROX_HTPASSWD_AUTH set to $ROX_HTPASSWD_AUTH"
 
 echo "MONITORING_SUPPORT set to ${MONITORING_SUPPORT}"
 
+export MONITORING_ENABLE_PSP=${MONITORING_ENABLE_PSP:-false}
+echo "MONITORING_ENABLE_PSP set to ${MONITORING_ENABLE_PSP}"
+
 export CLUSTER=${CLUSTER:-remote}
 echo "CLUSTER set to $CLUSTER"
 

diff --git a/operator/tests/common/delete-central-errors-cluster.envsubst.yaml b/operator/tests/common/delete-central-errors-cluster.envsubst.yaml
@@ -17,16 +17,6 @@ kind: ClusterRole
 metadata:
   name: stackrox-${NAMESPACE}-scanner-psp
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-${NAMESPACE}-central
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-${NAMESPACE}-scanner
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

diff --git a/operator/tests/common/delete-securedcluster-errors.yaml b/operator/tests/common/delete-securedcluster-errors.yaml
@@ -93,21 +93,6 @@ kind: ClusterRole
 metadata:
   name: stackrox:view-cluster
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-admission-control
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-collector
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-sensor
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

@@ -1342,9 +1342,9 @@ func TestDifferentBaseTypes(t *testing.T) {
 			},
 			q: &query.Query{
 				FieldQueries: []*query.FieldQuery{
-					// This test will fail in three years, but if this test still matters then,
+					// This test will fail in 1000 years, but if this test still matters then,
 					// we have other problems...
-					{Field: "BaseTS", Values: []string{">1000d"}},
+					{Field: "BaseTS", Values: []string{">01/01/3023"}},
 				},
 			},
 		},

diff --git a/pkg/protoconv/resources/resources.go b/pkg/protoconv/resources/resources.go
@@ -17,6 +17,7 @@ import (
 	"github.com/stackrox/rox/pkg/stringutils"
 	"github.com/stackrox/rox/pkg/timestamp"
 	"github.com/stackrox/rox/pkg/utils"
+	batchV1 "k8s.io/api/batch/v1"
 	batchV1beta1 "k8s.io/api/batch/v1beta1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -122,6 +123,9 @@ func newWrap(meta metav1.Object, kind, clusterID, registryOverride string) *Depl
 // SpecToPodTemplateSpec turns a top level spec into a podTemplateSpec
 func SpecToPodTemplateSpec(spec reflect.Value) (v1.PodTemplateSpec, error) {
 	templateInterface := spec.FieldByName("Template")
+	if !doesFieldExist(templateInterface) {
+		return v1.PodTemplateSpec{}, errors.Errorf("obj %+v does not have a Template field", spec)
+	}
 	if templateInterface.Type().Kind() == reflect.Ptr && !templateInterface.IsNil() {
 		templateInterface = templateInterface.Elem()
 	}
@@ -237,8 +241,11 @@ func (w *DeploymentWrap) populateFields(obj interface{}) {
 		// types do. So, we need to directly access the Pod's Spec field,
 		// instead of looking for it inside a PodTemplate.
 		podSpec = o.Spec
+	// batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+.
 	case *batchV1beta1.CronJob:
 		podSpec = o.Spec.JobTemplate.Spec.Template.Spec
+	case *batchV1.CronJob:
+		podSpec = o.Spec.JobTemplate.Spec.Template.Spec
 	default:
 		podTemplate, err := SpecToPodTemplateSpec(spec)
 		if err != nil {

diff --git a/pkg/protoconv/resources/resources_test.go b/pkg/protoconv/resources/resources_test.go
@@ -12,6 +12,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	appsV1 "k8s.io/api/apps/v1"
 	appsV1beta2 "k8s.io/api/apps/v1beta2"
+	batchV1 "k8s.io/api/batch/v1"
+	batchV1beta1 "k8s.io/api/batch/v1beta1"
 	v1 "k8s.io/api/core/v1"
 	extV1beta1 "k8s.io/api/extensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -103,6 +105,42 @@ func TestDaemonSetReplicas(t *testing.T) {
 	assert.Equal(t, int(deploymentWrap.Replicas), 0)
 }
 
+func TestCronJobPopulateSpec(t *testing.T) {
+	deploymentWrap := &DeploymentWrap{
+		Deployment: &storage.Deployment{
+			Type: kubernetes.CronJob,
+		},
+	}
+
+	cronJob1 := &batchV1.CronJob{
+		Spec: batchV1.CronJobSpec{
+			JobTemplate: batchV1.JobTemplateSpec{
+				Spec: batchV1.JobSpec{
+					Template: v1.PodTemplateSpec{
+						Spec: v1.PodSpec{Containers: []v1.Container{{Name: "container1"}}},
+					},
+				},
+			},
+		},
+	}
+	deploymentWrap.populateFields(cronJob1)
+	assert.Equal(t, deploymentWrap.Containers[0].Name, "container1")
+
+	cronJob2 := &batchV1beta1.CronJob{
+		Spec: batchV1beta1.CronJobSpec{
+			JobTemplate: batchV1beta1.JobTemplateSpec{
+				Spec: batchV1.JobSpec{
+					Template: v1.PodTemplateSpec{
+						Spec: v1.PodSpec{Containers: []v1.Container{{Name: "container2"}}},
+					},
+				},
+			},
+		},
+	}
+	deploymentWrap.populateFields(cronJob2)
+	assert.Equal(t, deploymentWrap.Containers[0].Name, "container2")
+}
+
 func TestIsTrackedReference(t *testing.T) {
 	cases := []struct {
 		ref       metav1.OwnerReference

diff --git a/qa-tests-backend/scripts/lib.sh b/qa-tests-backend/scripts/lib.sh
@@ -6,7 +6,11 @@ set -euo pipefail
 
 deploy_default_psp() {
     info "Deploy Default PSP for stackrox namespace"
-    "${ROOT}/scripts/ci/create-default-psp.sh"
+    if [[ "$POD_SECURITY_POLICIES" != "false" ]]; then
+        "${ROOT}/scripts/ci/create-default-psp.sh"
+    else
+        info "POD_SECURITY_POLICIES is false, skip Deploy Default PSP for stackrox namespace"
+    fi
 }
 
 deploy_webhook_server() {

diff --git a/qa-tests-backend/scripts/run-compatibility.sh b/qa-tests-backend/scripts/run-compatibility.sh
@@ -28,6 +28,7 @@ compatibility_test() {
         fi
 
         setup_deployment_env false false
+        setup_podsecuritypolicies_config
         remove_existing_stackrox_resources
         setup_default_TLS_certs
 

diff --git a/qa-tests-backend/scripts/run-part-1.sh b/qa-tests-backend/scripts/run-part-1.sh
@@ -22,6 +22,7 @@ test_part_1() {
 
     setup_gcp
     setup_deployment_env false false
+    setup_podsecuritypolicies_config
     remove_existing_stackrox_resources
     setup_default_TLS_certs
 

diff --git a/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy b/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy
@@ -107,8 +107,9 @@ import objects.NetworkPolicyTypes
 import objects.Node
 import objects.Secret
 import objects.SecretKeyRef
-import util.Timer
+import util.Env
 import util.Helpers
+import util.Timer
 
 @Slf4j
 class Kubernetes implements OrchestratorMain {
@@ -1631,7 +1632,8 @@ class Kubernetes implements OrchestratorMain {
     }
 
     protected defaultPspForNamespace(String namespace) {
-        PodSecurityPolicy psp = new PodSecurityPolicyBuilder().withNewMetadata()
+        if (Env.get("POD_SECURITY_POLICIES") != "false") {
+            PodSecurityPolicy psp = new PodSecurityPolicyBuilder().withNewMetadata()
                 .withName("allow-all-for-test")
                 .endMetadata()
                 .withNewSpec()
@@ -1649,9 +1651,10 @@ class Kubernetes implements OrchestratorMain {
                 .withNewFsGroup().withRule("RunAsAny").endFsGroup()
                 .endSpec()
                 .build()
-        client.policy().v1beta1().podSecurityPolicies().createOrReplace(psp)
-        createClusterRole(generatePspRole())
-        createClusterRoleBinding(generatePspRoleBinding(namespace))
+            client.policy().v1beta1().podSecurityPolicies().createOrReplace(psp)
+            createClusterRole(generatePspRole())
+            createClusterRoleBinding(generatePspRoleBinding(namespace))
+        }
     }
 
     /*

diff --git a/qa-tests-backend/src/test/groovy/CSVTest.groovy b/qa-tests-backend/src/test/groovy/CSVTest.groovy
@@ -2,6 +2,8 @@ import static com.jayway.restassured.RestAssured.given
 import com.jayway.restassured.response.Response
 import com.opencsv.CSVReader
 import groovy.transform.EqualsAndHashCode
+import groovy.transform.ToString
+
 import groups.BAT
 import objects.Deployment
 import objects.Pagination
@@ -83,6 +85,8 @@ class CSVTest extends BaseSpecification {
         ImageService.scanImage("quay.io/rhacs-eng/qa:nginx-1-9")
         orchestrator.createDeployment(CVE_DEPLOYMENT)
         assert Services.waitForDeployment(CVE_DEPLOYMENT)
+        // wait for all image CVEs to be discovered and added to db
+        sleep(5000)
     }
 
     def cleanupSpec() {
@@ -199,6 +203,7 @@ class CSVTest extends BaseSpecification {
     }
 
     @EqualsAndHashCode(includeFields = true)
+    @ToString(includes="id,cvss")
     class CVE {
         String id
         float cvss
Original file line number	Diff line number	Diff line change
Expand Up		@@ -21,3 +21,5 @@ persistence:
		storageClass: null

		nodeSelector: {}

		enableMonitoringPSPs: ${MONITORING_ENABLE_PSP}