neuvector · Jan 22, 2025 · Feb 4, 2025 · Mar 7, 2025 · Mar 19, 2025 · Mar 19, 2025
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,2 +1,2 @@
-* @neuvector/helm @yasker 
-.github/ @neuvector/build @yasker 
+* @neuvector/helm
+.github/ @neuvector/build
diff --git a/charts/core/Chart.yaml b/charts/core/Chart.yaml
@@ -1,7 +1,7 @@
 name: core
 apiVersion: v1
-version: 2.8.4
-appVersion: 5.4.2
+version: 2.8.5
+appVersion: 5.4.3
 description: Helm chart for NeuVector's core services
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4

diff --git a/charts/core/README.md b/charts/core/README.md
@@ -8,6 +8,22 @@ Because the CRD (Custom Resource Definition) policies can be deployed before Neu
 ## Choosing container runtime
 Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more.
 
+
+## Scan caching
+Scan caching can be enabled by editing values.yaml or creating below override file and pass them with "-f" option on HELM commands.
+```console
+cve:
+  scanner:
+    volumes:
+      - name: scan-cache
+        hostPath:
+          path: /tmp/
+          type: ""
+    volumeMounts:
+      - mountPath: /tmp/images/caches
+        name: scan-cache
+```
+
 ## Configuration
 
 The following table lists the configurable parameters of the NeuVector chart and their default values.

diff --git a/charts/core/templates/clusterrole.yaml b/charts/core/templates/clusterrole.yaml
@@ -97,6 +97,31 @@ rules:
 
 ---
 
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+  name: neuvector-binding-nvgroupdefinitions
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+rules:
+- apiGroups:
+  - neuvector.com
+  resources:
+  - nvgroupdefinitions
+  verbs:
+  - get
+  - list
+  - delete
+
+---
+
 {{- if $oc4 }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/charts/core/templates/crd-role-least.yaml b/charts/core/templates/crd-role-least.yaml
@@ -400,4 +400,35 @@ userNames:
 - system:serviceaccount:{{ .Release.Namespace }}:controller
 {{- end }}
 
+---
+
+# ClusterRoleBinding for NeuVector to manage name referral for common groups
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: neuvector-binding-nvgroupdefinitions
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+{{- end }}
+  name: neuvector-binding-nvgroupdefinitions
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
 {{- end }}
diff --git a/charts/core/templates/crd-role.yaml b/charts/core/templates/crd-role.yaml
@@ -400,4 +400,35 @@ userNames:
 - system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 
+---
+
+# Clusterrolebinding for Neuvector to manage name referral for common groups
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: neuvector-binding-nvgroupdefinitions
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+{{- end }}
+  name: neuvector-binding-nvgroupdefinitions
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+
 {{- end }}
diff --git a/charts/core/templates/crd.yaml b/charts/core/templates/crd.yaml
@@ -72,6 +72,8 @@ spec:
                           type: array
                         name:
                           type: string
+                        name_referral:
+                          type: boolean
                         original_name:
                           type: string
                       required:
@@ -143,6 +145,8 @@ spec:
                           type: array
                         name:
                           type: string
+                        name_referral:
+                          type: boolean
                         original_name:
                           type: string
                       required:
@@ -218,6 +222,8 @@ spec:
                         type: array
                       name:
                         type: string
+                      name_referral:
+                        type: boolean
                       original_name:
                         type: string
                       mon_metric:
@@ -351,6 +357,8 @@ spec:
                           type: array
                         name:
                           type: string
+                        name_referral:
+                          type: boolean
                         original_name:
                           type: string
                       required:
@@ -422,6 +430,8 @@ spec:
                           type: array
                         name:
                           type: string
+                        name_referral:
+                          type: boolean
                         original_name:
                           type: string
                       required:
@@ -497,6 +507,8 @@ spec:
                         type: array
                       name:
                         type: string
+                      name_referral:
+                        type: boolean
                       original_name:
                         type: string
                       mon_metric:
@@ -974,4 +986,63 @@ spec:
             type: object
         type: object
 {{- end }}
+---
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: apiextensions.k8s.io/v1
+{{- else }}
+apiVersion: apiextensions.k8s.io/v1beta1
+{{- end }}
+kind: CustomResourceDefinition
+metadata:
+  name: nvgroupdefinitions.neuvector.com
+spec:
+  group: neuvector.com
+  names:
+    kind: NvGroupDefinition
+    listKind: NvGroupDefinitionList
+    plural: nvgroupdefinitions
+    singular: nvgroupdefinition
+  scope: Namespaced
+{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+  version: v1
+{{- end }}
+  versions:
+  - name: v1
+    served: true
+    storage: true
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              selector:
+                properties:
+                  comment:
+                    type: string
+                  criteria:
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        op:
+                          type: string
+                        value:
+                          type: string
+                      required:
+                      - key
+                      - op
+                      - value
+                      type: object
+                    type: array
+                  name:
+                    type: string
+                required:
+                - name
+                type: object
+            required:
+            - selector
+            type: object
+        type: object
+{{- end }}
 {{- end }}
diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml
@@ -125,6 +125,9 @@ spec:
             - mountPath: /etc/neuvector/certs/internal/
               name: internal-cert-dir
           {{- end }}
+          {{- with .Values.cve.scanner.volumeMounts }}
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
       restartPolicy: Always
       volumes:
       {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }}
@@ -136,4 +139,7 @@ spec:
           emptyDir:
             sizeLimit: 50Mi
       {{- end }}
+      {{- with .Values.cve.scanner.volumes }}
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
@@ -5,7 +5,7 @@
 openshift: false
 
 registry: docker.io
-tag: 5.4.2
+tag: 5.4.3
 oem:
 imagePullSecrets:
 psp: false
@@ -317,7 +317,7 @@ controller:
     enabled: false
     image:
       repository: neuvector/compliance-config
-      tag: 1.0.2
+      tag: 1.0.4
       hash:
 enforcer:
   # If false, enforcer will not be installed
@@ -446,7 +446,7 @@ cve:
     enabled: false
     image:
       repository: neuvector/registry-adapter
-      tag: 0.1.5
+      tag: 0.1.6
       hash:
     priorityClassName:
     resources:
@@ -537,7 +537,7 @@ cve:
     image:
       registry: ""
       repository: neuvector/updater
-      tag: 0.0.1
+      tag: 0.0.2
       hash:
     schedule: "0 0 * * *"
     priorityClassName:
@@ -596,7 +596,8 @@ cve:
         keyFile: tls.key
         pemFile: tls.crt
         caFile: ca.crt # must be the same CA for all internal.
-
+    volumes: 
+    volumeMounts:
 resources:
   {}
   # limits:

diff --git a/charts/crd/Chart.yaml b/charts/crd/Chart.yaml
@@ -1,7 +1,7 @@
 name: crd
 apiVersion: v1
-version: 2.8.4
-appVersion: 5.4.2
+version: 2.8.5
+appVersion: 5.4.3
 description: Helm chart for NeuVector's CRD services
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4

diff --git a/charts/crd/templates/crd.yaml b/charts/crd/templates/crd.yaml
@@ -74,6 +74,8 @@ spec:
                           type: string
                         original_name:
                           type: string
+                        name_referral:
+                          type: boolean
                       required:
                       - name
                       type: object
@@ -143,6 +145,8 @@ spec:
                           type: array
                         name:
                           type: string
+                        name_referral:
+                          type: boolean
                         original_name:
                           type: string
                       required:
@@ -218,6 +222,8 @@ spec:
                         type: array
                       name:
                         type: string
+                      name_referral:
+                        type: boolean
                       original_name:
                         type: string
                       mon_metric:
@@ -352,6 +358,8 @@ spec:
                           type: array
                         name:
                           type: string
+                        name_referral:
+                          type: boolean
                         original_name:
                           type: string
                       required:
@@ -423,6 +431,8 @@ spec:
                           type: array
                         name:
                           type: string
+                        name_referral:
+                          type: boolean
                         original_name:
                           type: string
                       required:
@@ -498,6 +508,8 @@ spec:
                         type: array
                       name:
                         type: string
+                      name_referral:
+                        type: boolean
                       original_name:
                         type: string
                       mon_metric:
@@ -980,3 +992,62 @@ spec:
             type: object
         type: object
 {{- end }}
+---
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: apiextensions.k8s.io/v1
+{{- else }}
+apiVersion: apiextensions.k8s.io/v1beta1
+{{- end }}
+kind: CustomResourceDefinition
+metadata:
+  name: nvgroupdefinitions.neuvector.com
+spec:
+  group: neuvector.com
+  names:
+    kind: NvGroupDefinition
+    listKind: NvGroupDefinitionList
+    plural: nvgroupdefinitions
+    singular: nvgroupdefinition
+  scope: Namespaced
+{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+  version: v1
+{{- end }}
+  versions:
+  - name: v1
+    served: true
+    storage: true
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              selector:
+                properties:
+                  comment:
+                    type: string
+                  criteria:
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        op:
+                          type: string
+                        value:
+                          type: string
+                      required:
+                      - key
+                      - op
+                      - value
+                      type: object
+                    type: array
+                  name:
+                    type: string
+                required:
+                - name
+                type: object
+            required:
+            - selector
+            type: object
+        type: object
+{{- end }}
diff --git a/charts/monitor/Chart.yaml b/charts/monitor/Chart.yaml
@@ -1,7 +1,7 @@
 name: monitor
 apiVersion: v1
-version: 2.8.4
-appVersion: 1.0.1
+version: 2.8.5
+appVersion: 1.0.2
 description: Helm chart for NeuVector monitor services
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4

diff --git a/charts/monitor/values.yaml b/charts/monitor/values.yaml
@@ -11,7 +11,7 @@ exporter:
   enabled: true
   image:
     repository: neuvector/prometheus-exporter
-    tag: 1.0.2
+    tag: 1.0.3
   # changes this to a readonly user !
   CTRL_USERNAME: admin
   CTRL_PASSWORD: admin

diff --git a/test/crd_test.go b/test/crd_test.go
@@ -17,7 +17,7 @@ func TestCRD(t *testing.T) {
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/crd.yaml"})
 	outs := splitYaml(out)
 
-	if len(outs) != 7 {
+	if len(outs) != 8 {
 		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
 	}
 }
@@ -33,7 +33,7 @@ func TestCoreCRD(t *testing.T) {
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/crd.yaml"})
 	outs := splitYaml(out)
 
-	if len(outs) != 7 {
+	if len(outs) != 8 {
 		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
 	}
 }

diff --git a/test/role_test.go b/test/role_test.go
@@ -34,7 +34,7 @@ func TestClusterRole(t *testing.T) {
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/clusterrole.yaml"})
 	outs := splitYaml(out)
 
-	if len(outs) != 3 {
+	if len(outs) != 4 {
 		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
 	}
 }