feat: add accuknox job for running kubescape

Signed-off-by: Rudraksh Pareek <[email protected]>

accuknox-kubescape-job/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

accuknox-kubescape-job/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: accuknox-kubescape-job
+description: A Helm chart for creating AccuKnox kubescape job
+type: application
+version: 0.1.0
+
+# version of kubescape that is referred in the CronJob
+appVersion: 3.0.8

accuknox-kubescape-job/templates/clusterrole.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubescape-clusterrole
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    - apps
+    - batch
+    - rbac.authorization.k8s.io
+    - roles.rbac.authorization.k8s.io
+    - authorization.k8s.io
+    - certificates.k8s.io
+    - apiextensions.k8s.io
+    - admissionregistration.k8s.io
+    - networking.k8s.io
+    resources: ["*"]
+    verbs:  ["*"]

accuknox-kubescape-job/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubescape-clusterrole-binding
+subjects:
+- namespace: {{ .Release.Namespace }}
+  kind: ServiceAccount
+  name: kubescape-service-account
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubescape-clusterrole

accuknox-kubescape-job/templates/configmap.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: accuknox-kubescape-cronjob-script-configmap
+  namespace: {{ .Release.Namespace }}
+data:
+  augment-and-push-results.sh: |
+    #! /bin/env bash
+
+    cat <<< $(jq ". +=
+      {
+        "accuknox_metadata": {
+          "cluster_name":"'$ENV.CLUSTER_NAME'",
+          "label_name":"'$ENV.LABEL_NAME'"
+        }
+      }" /data/report.json) > /data/report.json
+
+    curl --location --request POST \
+    --header "Authorization: Bearer ${AUTH_TOKEN}" \
+    --header "Tenant-Id: ${TENANT_ID}" \
+    --form "file=@\"/data/report.json\"" \
+    "https://cspm.${URL}.accuknox.com/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=kubescape&save_to_s3=false"

accuknox-kubescape-job/templates/cronjob.yaml

@@ -0,0 +1,57 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: accuknox-kubescape-job
+  namespace: {{ .Release.Namespace }}
+spec:
+  schedule: "{{ .Values.accuknox.cronTab }}"
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+
+  jobTemplate:
+    metadata:
+      labels:
+        app: accuknox-kubescape-job
+    spec:
+      template:
+        spec:
+          initContainers:
+            - name: kubescape-init
+              image: "{{ .Values.kubescape.image.repository }}:{{ if ne .Values.kubescape.image.tag "" }}{{ .Values.kubescape.image.tag }}{{ else }}v{{ .Chart.AppVersion }}{{ end }}"
+              args: ["scan", "--format", "json", "--output", "/data/report.json", "--cluster-name=$(CLUSTER_NAME)"]
+              env:
+                - name: CLUSTER_NAME
+                  value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
+              volumeMounts:
+                - name: datapath
+                  mountPath: /data
+          containers:
+            - image: accuknox/accuknox-job:latest
+              name: accuknox-kubescape-cronjob
+              command:
+                - '/bin/bash'
+                - '/script/augment-and-push-results.sh'
+              env:
+                - name: URL
+                  value: {{ .Values.accuknox.URL }}
+                - name: TENANT_ID
+                  value: {{ .Values.accuknox.tenantID | quote }}
+                - name: AUTH_TOKEN
+                  value: {{ .Values.accuknox.authToken }}
+                - name: CLUSTER_NAME
+                  value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
+                - name: LABEL_NAME
+                  value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+              volumeMounts:
+                - mountPath: /data
+                  name: datapath
+                - mountPath: /script
+                  name: scriptpath
+          volumes:
+            - name: datapath
+              emptyDir: {}
+            - name: scriptpath
+              configMap:
+                name: accuknox-kubescape-cronjob-script-configmap
+          restartPolicy: OnFailure
+          serviceAccount: kubescape-service-account

accuknox-kubescape-job/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubescape-service-account
+  namespace: {{ .Release.Namespace }}

accuknox-kubescape-job/values.yaml

@@ -0,0 +1,19 @@
+# Default values for accuknox-kubescape-job.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+kubescape:
+  image:
+    repository: quay.io/kubescape/kubescape-cli
+    # if empty, take from appVersion
+    tag: ""
+
+replicaCount: 1
+
+accuknox:
+  authToken: "NO-TOKEN-SET"
+  URL: "dev"
+  tenantID: ""
+  cronTab: "0 */6 * * *"
+  clusterName: ""
+  label: ""