Add cluster name and description to CyberArk Discovery and Context snapshot

The purpose of the change is to give Discovery and Context service operators a clear way to communicate uploaded secret findings and remediations with a team or contact for the origin cluster, by allowing the platform-team to supply these new configuration values when they deploy the agent: - `config.clusterName` — a human‑readable cluster name, and - `config.clusterDescription` — a short description (contact info, purpose). These new fields are optional. If the clusterName is empty, the `ARK_USERNAME` is used as the cluster-name. The rationale is that each agent deployment will be assigned a unique "service account" which should be given a username derived from the name of the target cluster. Therefore the service account username will be sufficient information for the security team to communicate risks and remediations to the platform team responsible for the cluster. This provides an imperfect, but expedient improvement for Web UI users and support for on‑prem / non‑cloud deployments which can be improved in future if with more backend/ cloud discovery work. It wasn't strictly necessary, but I also tried to sort out the confusion around the `cluster_id` and the `cluster_name`. I've added a new `cluster_name` field to the config file and updated the `venafi-kubernetes-agent` chart to set that config field instead of the overloading the `cluster_id` field which is used for other purposes by the much older Jetstack Secure agent. Summary of changes: - Add ClusterName and ClusterDescription fields to Snapshot struct - Populate these fields from Options in PostDataReadingsWithOptions - Add clusterName and clusterDescription Helm values and docs - Populate cluster_id and cluster_description in the rendered configmap - Update values.schema.json to include descriptions for the new values - Add ClusterDescription field to pkg/agent Config and CombinedConfig - Default MachineHub cluster name from ARK_USERNAME env when not set Signed-off-by: Richard Wall <richard.wall@cyberark.com>

Author: wallrj-cyberark

deploy/charts/disco-agent/README.md

@@ -277,6 +277,24 @@ Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
 > ```yaml
 > []
 > ```
+#### **config.clusterName** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+A human readable name for the cluster where the agent is deployed (optional). 
+ 
+This cluster name will be associated with the data that the agent uploads to the Discovery and Context service. If empty (the default), the service account name will be used instead.
+#### **config.clusterDescription** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+A short description of the cluster where the agent is deployed (optional). 
+ 
+This description will be associated with the data that the agent uploads to the Discovery and Context service. The description may include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml

deploy/charts/disco-agent/templates/configmap.yaml

@@ -7,6 +7,8 @@ metadata:
  {{- include "disco-agent.labels" . | nindent 4 }}
 data:
  config.yaml: |-
+ cluster_name: {{ .Values.config.clusterName | quote }}
+ cluster_description: {{ .Values.config.clusterDescription | quote }}
  period: {{ .Values.config.period | quote }}
  {{- with .Values.config.excludeAnnotationKeysRegex }}
  exclude-annotation-keys-regex:

deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap

@@ -1,8 +1,224 @@
+custom-cluster-description:
+ 1: |
+ apiVersion: v1
+ data:
+ config.yaml: |-
+ cluster_name: ""
+ cluster_description: "A cloud hosted Kubernetes cluster hosting production workloads.\n\nteam: team-1\nemail: team-1@example.com\npurpose: Production workloads\n"
+ period: "12h0m0s"
+ data-gatherers:
+ - kind: k8s-discovery
+ name: ark/discovery
+ - kind: k8s-dynamic
+ name: ark/secrets
+ config:
+ resource-type:
+ version: v1
+ resource: secrets
+ field-selectors:
+ - type!=kubernetes.io/dockercfg
+ - type!=kubernetes.io/dockerconfigjson
+ - type!=bootstrap.kubernetes.io/token
+ - type!=helm.sh/release.v1
+ - kind: k8s-dynamic
+ name: ark/serviceaccounts
+ config:
+ resource-type:
+ resource: serviceaccounts
+ version: v1
+ - kind: k8s-dynamic
+ name: ark/roles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: roles
+ - kind: k8s-dynamic
+ name: ark/clusterroles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterroles
+ - kind: k8s-dynamic
+ name: ark/rolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: rolebindings
+ - kind: k8s-dynamic
+ name: ark/clusterrolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterrolebindings
+ - kind: k8s-dynamic
+ name: ark/jobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: jobs
+ - kind: k8s-dynamic
+ name: ark/cronjobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: cronjobs
+ - kind: k8s-dynamic
+ name: ark/deployments
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: deployments
+ - kind: k8s-dynamic
+ name: ark/statefulsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: statefulsets
+ - kind: k8s-dynamic
+ name: ark/daemonsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: daemonsets
+ - kind: k8s-dynamic
+ name: ark/pods
+ config:
+ resource-type:
+ version: v1
+ resource: pods
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: disco-agent
+ app.kubernetes.io/version: v0.0.0
+ helm.sh/chart: disco-agent-0.0.0
+ name: test-disco-agent-config
+ namespace: test-ns
+custom-cluster-name:
+ 1: |
+ apiVersion: v1
+ data:
+ config.yaml: |-
+ cluster_name: "cluster-1 region-1 cloud-1 "
+ cluster_description: ""
+ period: "12h0m0s"
+ data-gatherers:
+ - kind: k8s-discovery
+ name: ark/discovery
+ - kind: k8s-dynamic
+ name: ark/secrets
+ config:
+ resource-type:
+ version: v1
+ resource: secrets
+ field-selectors:
+ - type!=kubernetes.io/dockercfg
+ - type!=kubernetes.io/dockerconfigjson
+ - type!=bootstrap.kubernetes.io/token
+ - type!=helm.sh/release.v1
+ - kind: k8s-dynamic
+ name: ark/serviceaccounts
+ config:
+ resource-type:
+ resource: serviceaccounts
+ version: v1
+ - kind: k8s-dynamic
+ name: ark/roles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: roles
+ - kind: k8s-dynamic
+ name: ark/clusterroles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterroles
+ - kind: k8s-dynamic
+ name: ark/rolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: rolebindings
+ - kind: k8s-dynamic
+ name: ark/clusterrolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterrolebindings
+ - kind: k8s-dynamic
+ name: ark/jobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: jobs
+ - kind: k8s-dynamic
+ name: ark/cronjobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: cronjobs
+ - kind: k8s-dynamic
+ name: ark/deployments
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: deployments
+ - kind: k8s-dynamic
+ name: ark/statefulsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: statefulsets
+ - kind: k8s-dynamic
+ name: ark/daemonsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: daemonsets
+ - kind: k8s-dynamic
+ name: ark/pods
+ config:
+ resource-type:
+ version: v1
+ resource: pods
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: disco-agent
+ app.kubernetes.io/version: v0.0.0
+ helm.sh/chart: disco-agent-0.0.0
+ name: test-disco-agent-config
+ namespace: test-ns
 custom-period:
  1: |
  apiVersion: v1
  data:
  config.yaml: |-
+ cluster_name: ""
+ cluster_description: ""
  period: "1m"
  data-gatherers:
  - kind: k8s-discovery
@@ -108,6 +324,8 @@ defaults:
  apiVersion: v1
  data:
  config.yaml: |-
+ cluster_name: ""
+ cluster_description: ""
  period: "12h0m0s"
  data-gatherers:
  - kind: k8s-discovery

deploy/charts/disco-agent/tests/configmap_test.yaml

@@ -14,3 +14,20 @@ tests:
  config.period: 1m
  asserts:
  - matchSnapshot: {}
+
+ - it: custom-cluster-name
+ set:
+ config.clusterName: "cluster-1 region-1 cloud-1 "
+ asserts:
+ - matchSnapshot: {}
+
+ - it: custom-cluster-description
+ set:
+ config.clusterDescription: |
+ A cloud hosted Kubernetes cluster hosting production workloads.
+
+ team: team-1
+ email: team-1@example.com
+ purpose: Production workloads
+ asserts:
+ - matchSnapshot: {}

deploy/charts/disco-agent/values.schema.json

@@ -104,6 +104,12 @@
  "helm-values.config": {
  "additionalProperties": false,
  "properties": {
+ "clusterDescription": {
+ "$ref": "#/$defs/helm-values.config.clusterDescription"
+ },
+ "clusterName": {
+ "$ref": "#/$defs/helm-values.config.clusterName"
+ },
  "excludeAnnotationKeysRegex": {
  "$ref": "#/$defs/helm-values.config.excludeAnnotationKeysRegex"
  },
@@ -116,6 +122,16 @@
  },
  "type": "object"
  },
+ "helm-values.config.clusterDescription": {
+ "default": "",
+ "description": "A short description of the cluster where the agent is deployed (optional).\n\nThis description will be associated with the data that the agent uploads to the Discovery and Context service. The description may include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.",
+ "type": "string"
+ },
+ "helm-values.config.clusterName": {
+ "default": "",
+ "description": "A human readable name for the cluster where the agent is deployed (optional).\n\nThis cluster name will be associated with the data that the agent uploads to the Discovery and Context service. If empty (the default), the service account name will be used instead.",
+ "type": "string"
+ },
  "helm-values.config.excludeAnnotationKeysRegex": {
  "default": [],
  "description": "You can configure the agent to exclude some annotations or labels from being pushed . All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being pushed.\n\nDots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\\.`.\n\nExample: excludeAnnotationKeysRegex: ['^kapp\\.k14s\\.io/original.*']",

deploy/charts/disco-agent/values.yaml

@@ -138,6 +138,22 @@ config:
  excludeAnnotationKeysRegex: []
  excludeLabelKeysRegex: []
 
+ # A human readable name for the cluster where the agent is deployed (optional).
+ #
+ # This cluster name will be associated with the data that the agent uploads to
+ # the Discovery and Context service. If empty (the default), the service
+ # account name will be used instead.
+ clusterName: ""
+
+ # A short description of the cluster where the agent is deployed (optional).
+ #
+ # This description will be associated with the data that the agent uploads to
+ # the Discovery and Context service. The description may include contact
+ # information such as the email address of the cluster administrator, so that
+ # any problems and risks identified by the Discovery and Context service can
+ # be communicated to the people responsible for the affected secrets.
+ clusterDescription: ""
+
 authentication:
  secretName: agent-credentials
 

deploy/charts/venafi-kubernetes-agent/templates/NOTES.txt

@@ -1,3 +1,11 @@
+{{- if .Values.config.configmap.name }}
+You are using a custom configuration in the following ConfigMap: {{ .Values.config.configmap.name | quote }}.
+
+DEPRECATION: The `cluster_id` configuration field is deprecated.
+If your configuration contains `cluster_id`, it will continue to work as a
+fallback, but please migrate to `cluster_name` to avoid ambiguity.
+{{- end }}
+
 {{- if .Values.authentication.venafiConnection.enabled }}
 - Check the VenafiConnection exists: "{{ .Values.authentication.venafiConnection.namespace }}/{{ .Values.authentication.venafiConnection.name }}"
 > kubectl get VenafiConnection -n {{ .Values.authentication.venafiConnection.namespace }} {{ .Values.authentication.venafiConnection.name }}

deploy/charts/venafi-kubernetes-agent/templates/configmap.yaml

@@ -9,7 +9,7 @@ metadata:
  {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 data:
  config.yaml: |-
- cluster_id: {{ .Values.config.clusterName | quote }}
+ cluster_name: {{ .Values.config.clusterName | quote }}
  cluster_description: {{ .Values.config.clusterDescription | quote }}
  server: {{ .Values.config.server | quote }}
  period: {{ .Values.config.period | quote }}