fix(charts): Changed to Deployment from DaemonSet for adapters

deployments/nimbus-k8tls/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: nimbus-k8tls
-version: 0.1.0
-appVersion: "0.1.0"
+version: 0.1.1
+appVersion: "0.1.1"
 description: Nimbus adapter for k8tls
 sources:
   - https://github.com/5GSEC/nimbus

deployments/nimbus-k8tls/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Thank you for installing nimbus-k8tls.
+
+Your release is named '{{ include "nimbus-k8tls.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.

deployments/nimbus-k8tls/templates/daemonset.yaml → deployments/nimbus-k8tls/templates/deployment.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: DaemonSet
+kind: Deployment
 metadata:
   name: {{ include "nimbus-k8tls.fullname" . }}
   labels:
@@ -26,4 +26,5 @@ spec:
           - name: TTLSECONDSAFTERFINISHED
             value: "{{ .Values.output.elasticsearch.ttlsecondsafterfinished }}"
           {{- end }}
-      terminationGracePeriodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

deployments/nimbus-k8tls/values.yaml

@@ -1,5 +1,3 @@
-# Default values for nimbus-k8tls.
-
 image:
   repository: 5gsec/nimbus-k8tls
   pullPolicy: Always
@@ -13,9 +11,24 @@ serviceAccount:
   automount: true
   name: "nimbus-k8tls"
 
+podSecurityContext:
+  fsGroup: 2000
+
 securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 65533
+  runAsUser: 1000
+
+resources:
+  limits:
+    cpu: 50m
+    memory: 64Mi
+  requests:
+    cpu: 50m
+    memory: 64Mi
 
 output:
   elasticsearch:
@@ -26,4 +39,3 @@ output:
     index: "findings"
     password: "" # Password in base64 encoded format
     ttlsecondsafterfinished: "10" # Amount of time to keep the pod around after job has been completed
-

deployments/nimbus-kubearmor/Chart.yaml

@@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.1.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

deployments/nimbus-kubearmor/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Thank you for installing nimbus-kubearmor.
+
+Your release is named '{{ include "nimbus-kubearmor.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.

deployments/nimbus-kubearmor/templates/daemonset.yaml → deployments/nimbus-kubearmor/templates/deployment.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: DaemonSet
+kind: Deployment
 metadata:
   name: {{ include "nimbus-kubearmor.fullname" . }}
   labels:
@@ -21,4 +21,5 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-      terminationGracePeriodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

deployments/nimbus-kubearmor/values.yaml

@@ -1,7 +1,3 @@
-# Default values for nimbus-kubearmor.
-
-autoDeploy: true
-
 image:
   repository: 5gsec/nimbus-kubearmor
   pullPolicy: Always
@@ -20,9 +16,27 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: "nimbus-kubearmor"
 
+podSecurityContext:
+  fsGroup: 2000
+
 securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 65533
+  runAsUser: 1000
+
+resources:
+  limits:
+    cpu: 50m
+    memory: 64Mi
+  requests:
+    cpu: 50m
+    memory: 64Mi
+
+# Deploy engine
+autoDeploy: true
 
 kubearmor-operator:
   autoDeploy: true

deployments/nimbus-kyverno/Chart.yaml

@@ -7,7 +7,7 @@ kubeVersion: ">= 1.25"
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

deployments/nimbus-kyverno/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Thank you for installing nimbus-kyverno.
+
+Your release is named '{{ include "nimbus-kyverno.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.

deployments/nimbus-kyverno/templates/daemonset.yaml → deployments/nimbus-kyverno/templates/deployment.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: DaemonSet
+kind: Deployment
 metadata:
   name: {{ include "nimbus-kyverno.fullname" . }}
   labels:
@@ -21,4 +21,5 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-      terminationGracePeriodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

deployments/nimbus-kyverno/values.yaml

@@ -1,7 +1,3 @@
-# Default values for nimbus-kyverno.
-
-autoDeploy: true
-
 image:
   repository: 5gsec/nimbus-kyverno
   pullPolicy: Always
@@ -20,6 +16,24 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: "nimbus-kyverno"
 
+podSecurityContext:
+  fsGroup: 2000
+
 securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 65535
+  runAsUser: 1000
+
+resources:
+  limits:
+    cpu: 50m
+    memory: 64Mi
+  requests:
+    cpu: 50m
+    memory: 64Mi
+
+# Deploy engine
+autoDeploy: true

deployments/nimbus-netpol/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

deployments/nimbus-netpol/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Thank you for installing nimbus-netpol.
+
+Your release is named '{{ include "nimbus-netpol.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.

deployments/nimbus-netpol/templates/daemonset.yaml → deployments/nimbus-netpol/templates/deployment.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-kind: DaemonSet
+kind: Deployment
 metadata:
   name: {{ include "nimbus-netpol.fullname" . }}
   labels:
@@ -21,4 +21,5 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-      terminationGracePeriodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

deployments/nimbus-netpol/values.yaml

@@ -18,6 +18,21 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: "nimbus-netpol"
 
+podSecurityContext:
+  fsGroup: 2000
+
 securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 65532
+  runAsUser: 1000
+
+resources:
+  limits:
+    cpu: 50m
+    memory: 64Mi
+  requests:
+    cpu: 50m
+    memory: 64Mi

deployments/nimbus/templates/NOTES.txt

@@ -0,0 +1,23 @@
+Thank you for installing Nimbus suite.
+
+Your release is named '{{ include "nimbus.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
+{{printf "" }}
+
+{{- if .Values.autoDeploy.kubearmor }}
+Deployed nimbus-kubearmor adapter along with KubeArmor security engine in '{{ .Release.Namespace }}' namespace.
+{{ printf "" }}
+{{- end}}
+
+{{- if .Values.autoDeploy.kyverno }}
+Deployed nimbus-kyverno adapter along with Kyverno security engine in '{{ .Release.Namespace }}' namespace.
+{{ printf "" }}
+{{- end}}
+
+{{- if .Values.autoDeploy.k8tls }}
+Deployed nimbus-k8tls adapter in '{{ .Release.Namespace }}' namespace.
+{{ printf "" }}
+{{- end}}
+
+{{- if .Values.autoDeploy.netpol }}
+Deployed nimbus-netpol adapter in '{{ .Release.Namespace }}' namespace.
+{{- end}}

deployments/nimbus/templates/deployment.yaml

@@ -26,4 +26,5 @@ spec:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
-      terminationGracePeriodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

deployments/nimbus/values.yaml

@@ -1,5 +1,4 @@
-# Default values for nimbus.
-
+# Deploy adapters
 autoDeploy:
   kubearmor: true
   netpol: true
@@ -26,9 +25,24 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: "nimbus-operator"
 
+podSecurityContext:
+  fsGroup: 2000
+
 securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 65534
+  runAsUser: 1000
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
 
 livenessProbe:
   httpGet: