diff --git a/cis-k8s-job/templates/cis-cron-job.yaml b/cis-k8s-job/templates/cis-cron-job.yaml
index 559ed67..bd3842b 100644
--- a/cis-k8s-job/templates/cis-cron-job.yaml
+++ b/cis-k8s-job/templates/cis-cron-job.yaml
@@ -10,8 +10,12 @@ spec:
 spec:
 template:
 spec:
+ {{- if .Values.imagePullSecrets.name }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets.name }}
+ {{- end }}
 containers:
- - image: accuknox/accuknox-job:latest
+ - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
 command: ["/bin/sh", "-c"]
 args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
 name: cis-k8s-cronjob
@@ -40,7 +44,7 @@ spec:
 - mountPath: /data
 name: datapath
 initContainers:
- - image: docker.io/aquasec/kube-bench:v0.6.19
+ - image: "{{ .Values.kubeBench.image.repository }}:{{ .Values.kubeBench.image.tag }}"
 command: ["/bin/sh", "-c"]
 args: ["kube-bench run --json > /data/report.json"]
 name: kube-bench
diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml
index e2a4a27..e4dd4a6 100644
--- a/cis-k8s-job/templates/cis-job.yaml
+++ b/cis-k8s-job/templates/cis-job.yaml
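Review bot: The pull-secret name is emitted unquoted in the added `- name: {{ .Values.imagePullSecrets.name }}` line of cis-cron-job.yaml, so a value that YAML reads as a number, boolean or null renders a manifest the API server rejects. Write `- name: {{ .Values.imagePullSecrets.name | quote }}` instead. The same four-line block is repeated in cis-job.yaml, both k8s-risk-assessment-job templates, both k8tls-job templates and both kiem-job templates, and the same change applies there. The enclosing pod spec starts and ends outside the hunk.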
@@ -10,8 +10,12 @@ spec:
 labels:
 app: cis-k8s-job
 spec:
+ {{- if .Values.imagePullSecrets.name }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets.name }}
+ {{- end }}
 containers:
- - image: accuknox/accuknox-job:latest
+ - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
 command: ["/bin/sh", "-c"]
 args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
 name: cis-k8s-cronjob
@@ -40,7 +44,7 @@ spec:
 - mountPath: /data
 name: datapath
 initContainers:
- - image: docker.io/aquasec/kube-bench:v0.6.19
+ - image: "{{ .Values.kubeBench.image.repository }}:{{ .Values.kubeBench.image.tag }}"
 command: ["/bin/sh", "-c"]
 args: ["kube-bench run --json > /data/report.json"]
 name: kube-bench
diff --git a/cis-k8s-job/templates/imagepullsecret.yaml b/cis-k8s-job/templates/imagepullsecret.yaml
new file mode 100644
index 0000000..c335f89
--- /dev/null
+++ b/cis-k8s-job/templates/imagepullsecret.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.imagePullSecrets.registry }}
+# if user didn't specify a secretName, use the default
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.imagePullSecrets.name }}
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.imagePullSecrets.registry .Values.imagePullSecrets.username .Values.imagePullSecrets.password (printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc) | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/cis-k8s-job/values.yaml b/cis-k8s-job/values.yaml
index b23112d..24e863a 100644
--- a/cis-k8s-job/values.yaml
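Review bot: In cis-k8s-job/templates/imagepullsecret.yaml the Secret is rendered whenever `imagePullSecrets.registry` is set but takes its name from `imagePullSecrets.name`, which defaults to an empty string, and the job templates only reference the secret when `name` is set. The default promised by the file's comment is not implemented, so registry-only values render a Secret with an empty name; fail early with `name: {{ required "imagePullSecrets.name is required when registry is set" .Values.imagePullSecrets.name | quote }}`. The `.dockerconfigjson` payload is assembled with `printf`, so a username or password containing `"` or `\` yields invalid JSON; building the structure with `dict` and piping it through `toJson | b64enc` escapes it correctly. A password passed through values is also kept in the stored Helm release, so the values comment should recommend a pre-created secret referenced by `name`. The identical file is added under k8s-risk-assessment-job, k8tls-job and kiem-job.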
+++ b/cis-k8s-job/values.yaml @@ -2,6 +2,25 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. + +accuknoxJob: + image: + repository: accuknox/accuknox-job + tag: "latest" + +kubeBench: + image: + repository: docker.io/aquasec/kube-bench + tag: "v0.6.19" + +# To use existing secret updated {imagePullSecrets.name} with your secret name. +imagePullSecrets: + name: "" + registry: "" + username: "" + password: "" + + accuknox: authToken: "NO-TOKEN-SET" cronTab: "30 9 * * *" diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml index b603dc2..cc074d9 100644 --- a/k8s-risk-assessment-job/templates/cronjob.yaml +++ b/k8s-risk-assessment-job/templates/cronjob.yaml @@ -15,6 +15,10 @@ spec: spec: template: spec: + {{- if .Values.imagePullSecrets.name }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets.name }} + {{- end }} initContainers: - name: job-init-container image: "{{ .Values.kubescape.image.repository }}:{{ .Values.kubescape.image.tag }}" @@ -26,7 +30,7 @@ spec: - name: datapath mountPath: /data containers: - - image: accuknox/accuknox-job:latest + - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" name: artifact-api-container command: - '/bin/sh' diff --git a/k8s-risk-assessment-job/templates/imagepullsecret.yaml b/k8s-risk-assessment-job/templates/imagepullsecret.yaml new file mode 100644 index 0000000..c335f89 --- /dev/null +++ b/k8s-risk-assessment-job/templates/imagepullsecret.yaml 
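Review bot: In cis-k8s-job/values.yaml the new `accuknoxJob.image.tag` defaults to `"latest"`, so the container whose command sends `${AUTH_TOKEN}` and uploads the report runs whatever image that tag points to at pull time. Default to a released version, for example `tag: "<RELEASE_VERSION>"` (placeholder), the way `kubeBench.image.tag` is pinned to `"v0.6.19"` in the same hunk. The same `latest` default is added for `accuknoxJob` in the k8s-risk-assessment-job, k8tls-job and kiem-job values files, and for `k8tls` and `kiem`. Because the templates render `repository:tag`, an optional `digest` value would be needed to pin an image by digest explicitly.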
@@ -0,0 +1,11 @@ +{{- if .Values.imagePullSecrets.registry }} +# if user didn't specify a secretName, use the default +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.imagePullSecrets.name }} + namespace: {{ .Release.Namespace }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.imagePullSecrets.registry .Values.imagePullSecrets.username .Values.imagePullSecrets.password (printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc) | b64enc }} +{{- end }} \ No newline at end of file diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml index aaacd12..f78bf66 100644 --- a/k8s-risk-assessment-job/templates/job.yaml +++ b/k8s-risk-assessment-job/templates/job.yaml @@ -9,6 +9,10 @@ spec: labels: app: k8s-risk-assessment-job spec: + {{- if .Values.imagePullSecrets.name }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets.name }} + {{- end }} initContainers: - name: job-init-container image: "{{ .Values.kubescape.image.repository }}:{{ .Values.kubescape.image.tag }}" @@ -20,7 +24,7 @@ spec: - name: datapath mountPath: /data containers: - - image: accuknox/accuknox-job:latest + - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" name: artifact-api-container command: - '/bin/sh' diff --git a/k8s-risk-assessment-job/values.yaml b/k8s-risk-assessment-job/values.yaml index 9b669bf..0c087ab 100644 --- a/k8s-risk-assessment-job/values.yaml +++ b/k8s-risk-assessment-job/values.yaml @@ -7,6 +7,19 @@ kubescape: repository: quay.io/kubescape/kubescape-cli tag: "v3.0.8" +accuknoxJob: + image: + repository: accuknox/accuknox-job + tag: "latest" + + +# To use existing secret updated {imagePullSecrets.name} with your secret name. +imagePullSecrets: + name: "" + registry: "" + username: "" + password: "" + replicaCount: 1 accuknox: 
diff --git a/k8tls-job/templates/imagepullsecret.yaml b/k8tls-job/templates/imagepullsecret.yaml
new file mode 100644
index 0000000..c335f89
--- /dev/null
+++ b/k8tls-job/templates/imagepullsecret.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.imagePullSecrets.registry }}
+# if user didn't specify a secretName, use the default
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.imagePullSecrets.name }}
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.imagePullSecrets.registry .Values.imagePullSecrets.username .Values.imagePullSecrets.password (printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc) | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml
index 4c7feb1..91a5e15 100644
--- a/k8tls-job/templates/k8tls-cronjob.yaml
+++ b/k8tls-job/templates/k8tls-cronjob.yaml
@@ -38,9 +38,13 @@ spec:
 spec:
 template:
 spec:
+ {{- if .Values.imagePullSecrets.name }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets.name }}
+ {{- end }}
 serviceAccountName: k8tls-serviceact
 containers:
- - image: accuknox/accuknox-job:latest
+ - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
 command: ["/bin/sh", "-c"]
 args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
 name: k8tls-job
@@ -69,7 +73,7 @@ spec:
 initContainers:
 - command: ["/bin/sh", "-c"]
 args: ["./k8s_tlsscan"]
- image: kubearmor/k8tls:latest
+ image: "{{ .Values.k8tls.image.repository }}:{{ .Values.k8tls.image.tag }}"
 name: k8tls
 env:
 - name: JSON
diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml index 250e8d0..7aef681 100644 --- a/k8tls-job/templates/k8tls-job.yaml +++ b/k8tls-job/templates/k8tls-job.yaml @@ -8,9 +8,13 @@ spec: metadata: name: k8tls-job spec: + {{- if .Values.imagePullSecrets.name }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets.name }} + {{- end }} serviceAccountName: k8tls-serviceact containers: - - image: accuknox/accuknox-job:latest + - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" command: ["/bin/sh", "-c"] args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json'] name: k8tls-job @@ -39,7 +43,7 @@ spec: initContainers: - command: ["/bin/sh", "-c"] args: ["./k8s_tlsscan"] - image: kubearmor/k8tls:latest + image: "{{ .Values.k8tls.image.repository }}:{{ .Values.k8tls.image.tag }}" name: k8tls env: - name: JSON diff --git a/k8tls-job/values.yaml b/k8tls-job/values.yaml index 508e9d5..d39b6ae 100644 --- a/k8tls-job/values.yaml +++ b/k8tls-job/values.yaml @@ -2,6 +2,23 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +k8tls: + image: + repository: kubearmor/k8tls + tag: "latest" + +accuknoxJob: + image: + repository: accuknox/accuknox-job + tag: "latest" + +# To use existing secret updated {imagePullSecrets.name} with your secret name. +imagePullSecrets: + name: "" + registry: "" + username: "" + password: "" + accuknox: authToken: "NO-TOKEN-SET" cronTab: "30 9 * * *" diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml index b982671..9262af0 100644 --- a/kiem-job/templates/deployment.yaml +++ b/kiem-job/templates/deployment.yaml 
@@ -14,9 +14,13 @@ spec:
 spec:
 template:
 spec:
+ {{- if .Values.imagePullSecrets.name }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets.name }}
+ {{- end }}
 initContainers:
 - name: kiem-init
- image: accuknox/kiem:latest
+ image: "{{ .Values.kiem.image.repository }}:{{ .Values.kiem.image.tag }}"
 args: ["./kiem", "run", "--mode", "k8s", "--output", "/data/report.json"]
 env:
 - name: CLUSTER_NAME
@@ -25,7 +29,7 @@ spec:
 - name: datapath
 mountPath: /data
 containers:
- - image: accuknox/accuknox-job:latest
+ - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
 command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=true&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']
 name: accuknox-kiem-cronjob
 resources: {}
diff --git a/kiem-job/templates/imagepullsecret.yaml b/kiem-job/templates/imagepullsecret.yaml
new file mode 100644
index 0000000..c335f89
--- /dev/null
+++ b/kiem-job/templates/imagepullsecret.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.imagePullSecrets.registry }}
+# if user didn't specify a secretName, use the default
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.imagePullSecrets.name }}
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.imagePullSecrets.registry .Values.imagePullSecrets.username .Values.imagePullSecrets.password (printf "%s:%s" .Values.imagePullSecrets.username .Values.imagePullSecrets.password | b64enc) | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml
index 55b8d36..a612d73 100644
--- a/kiem-job/templates/job.yaml
+++ b/kiem-job/templates/job.yaml
@@ -9,6 +9,10 @@ spec: labels: app: kiem-job spec: + {{- if .Values.imagePullSecrets.name }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets.name }} + {{- end }} initContainers: - name: kiem-init image: accuknox/kiem:latest diff --git a/kiem-job/values.yaml b/kiem-job/values.yaml index 72bf6d1..4e7a48f 100644 --- a/kiem-job/values.yaml +++ b/kiem-job/values.yaml @@ -2,6 +2,25 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. + +kiem: + image: + repository: accuknox/kiem + tag: "latest" + +accuknoxJob: + image: + repository: accuknox/accuknox-job + tag: "latest" + +# To use existing secret, updated {imagePullSecrets.name} with your secret name. +imagePullSecrets: + name: "" + registry: "" + username: "" + password: "" + + replicaCount: 1 accuknox:
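Review bot: kiem-job/templates/job.yaml gains the `imagePullSecrets` block, but its init container still reads `image: accuknox/kiem:latest` on the hunk's last context line, while deployment.yaml in the same chart now takes the image from the `kiem.image` values. A user who sets `kiem.image.repository` or `kiem.image.tag` will still have the Job pull the hard-coded reference, so the configured registry and version are ignored there. Change the line to `image: "{{ .Values.kiem.image.repository }}:{{ .Values.kiem.image.tag }}"`. The `containers` section lies outside the hunk and presumably needs the matching `accuknoxJob.image` change.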