Giant Swarm offers a managed security bundle which provides an unintrusive baseline for security observability and enforcement in Kubernetes clusters. This App is a convenient wrapper containing multiple other Apps which make up the security bundle. See our full App Bundle reference to learn more.
By default, installing the security bundle in a cluster includes:
- Falco, from our
falco-app
- Kyverno, from our
kyverno-app
- our
kyverno-policies
app for Kubernetes Pod Security Standards (PSS)
- our
- Trivy, from our
trivy-app
- Trivy Operator, from our
trivy-operator
app- our
starboard-exporter
for exposing metrics
- our
Some optional components are also installable from this bundle, including:
- Jiralert, from our
jiralert-app
, for automatically creating Jira issues from security findings
Previous versions of the pack included Starboard, from our starboard-app
. Starboard has been deprecated in favor of Trivy Operator, and we have removed the Starboard app from this app bundle as of v0.13.0.
Apps can be selectively enabled or disabled using the enabled
setting for that app in the security-bundle
Helm values.
More information and configuration options can be found in each app repository.
Note: There is a known issue when uninstalling Kyverno where some resources may not be removed properly. The cause is still under investigation, but a recent update has improved the situation so that Kyverno's webhooks are properly removed, meaning the remnants are unnecessary but should otherwise have no negative effect on the cluster. If installing Kyverno through this App, you may need to manually remove some lingering Kyverno resources if you subsequently choose to remove Kyverno.
security-pack
users must delete the old security-pack
CR first before installing the bundle. It is not possible to update directly from a security-pack
to a security-bundle
App CR by renaming it.
To change an existing security-pack
install to a security-bundle
, the following changes must be made:
- any overrides to the
kyverno-policies
App in thesecurity-bundle
App values configuration must be replaced with equivalent overrides under thekyvernoPolicies
key. The keykyverno-policies
has been renamed tokyvernoPolicies
only to simplify its usage in Helm. The name of thekyverno-policies
App itself is unchanged. - if using the default installation namespace (
security-pack
), any logic which depends on that namespace must be updated to reference the new default namespaces (security-bundle
). If setting a custom installation namespace, no change is required. - if the existing
security-pack
App CR is installing from theplayground
catalog, the catalog must be changed togiantswarm
. Thesecurity-bundle
will not be pushed to theplayground
catalog. - after the above changes have been made, the old
security-pack
CR must be deleted before the newsecurity-bundle
CR can then be created.
This "App of Apps" method is rather new and our UX tooling is still catching up, so our normal App installation methods may or may not work for you depending on your management cluster and component versions.
The currently recommended way to install the security bundle is:
-
Create
user-values.yaml
containing the name of the cluster where the Apps should be installed, and the organization where that cluster is running:clusterName: demo1 organization: demo-team
-
Use
kubectl gs
to template the "outer" App CR:$ kubectl gs template app \ --catalog giantswarm \ --name security-bundle \ --app-name demo01-security-bundle \ --in-cluster \ --cluster-name demo01 \ --target-namespace demo01 \ --version 0.0.1 \ --user-configmap user-values.yaml > outerApp.yaml
-
Apply the generated App CR and ConfigMap to the management cluster:
$ kubectl --context=<your-mc> apply -f outerApp.yaml configmap/security-bundle-userconfig created app.application.giantswarm.io/security-bundle created
Support for these methods are not yet officially supported, but may still work:
If you are not using kubectl gs
plugin, plese remember to ensure the correct label: app-operator.giantswarm.io/version: 0.0.0
is set on the App CR. Missing this configuration will result with stuck deployment of an app.
When naming the App CR, please make sure the name is unique within the Management Cluster, using just security-bundle
name for two or more App CRs may lead to unexpected behavior. It is recommended to use cluster name as a prefix or suffix,
for example demo01-security-bundle
or security-bundle-demo1
.
This is an example of a values file you could upload using our web interface.
# values.yaml
clusterName: demo1
organization: demo-team
If you have access to the Kubernetes API on the management cluster, you could create the App CR and ConfigMap directly.
Here is an example that would install the app to
workload cluster abc12
:
# appCR.yaml
apiVersion: application.giantswarm.io/v1alpha1
kind: App
metadata:
labels:
app-operator.giantswarm.io/version: 0.0.0
giantswarm.io/cluster: demo1
name: security-bundle
namespace: demo1
spec:
catalog: giantswarm
kubeConfig:
inCluster: true
name: security-bundle
namespace: demo1
userConfig:
configMap:
name: security-bundle-userconfig
namespace: demo1
version: 0.0.1
# user-values-configmap.yaml
apiVersion: v1
data:
values: |
clusterName: demo1
organization: giantswarm
kind: ConfigMap
metadata:
creationTimestamp: null
name: security-bundle-userconfig
namespace: demo1
See our full reference page on how to configure applications for more details.