From c84814c27302ffd788bc841c0fa444871f6a448a Mon Sep 17 00:00:00 2001
From: Rudraksh Pareek
Date: Mon, 22 Apr 2024 15:42:31 +0530
Subject: [PATCH] feat: add accuknox job for running kubescape
Signed-off-by: Rudraksh Pareek
---
 accuknox-kubescape-job/.helmignore | 23 ++++++++
 accuknox-kubescape-job/Chart.yaml | 8 +++
 .../templates/clusterrole.yaml | 19 +++++++
 .../templates/clusterrolebinding.yaml | 12 ++++
 .../templates/configmap.yaml | 22 +++++++
 accuknox-kubescape-job/templates/cronjob.yaml | 57 +++++++++++++++++++
 .../templates/serviceaccount.yaml | 5 ++
 accuknox-kubescape-job/values.yaml | 19 +++++++
 8 files changed, 165 insertions(+)
 create mode 100644 accuknox-kubescape-job/.helmignore
 create mode 100644 accuknox-kubescape-job/Chart.yaml
 create mode 100644 accuknox-kubescape-job/templates/clusterrole.yaml
 create mode 100644 accuknox-kubescape-job/templates/clusterrolebinding.yaml
 create mode 100644 accuknox-kubescape-job/templates/configmap.yaml
 create mode 100644 accuknox-kubescape-job/templates/cronjob.yaml
 create mode 100644 accuknox-kubescape-job/templates/serviceaccount.yaml
 create mode 100644 accuknox-kubescape-job/values.yaml
diff --git a/accuknox-kubescape-job/.helmignore b/accuknox-kubescape-job/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/accuknox-kubescape-job/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/accuknox-kubescape-job/Chart.yaml b/accuknox-kubescape-job/Chart.yaml
new file mode 100644
index 0000000..6963b6f
--- /dev/null
+++ b/accuknox-kubescape-job/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: accuknox-kubescape-job
+description: A Helm chart for creating AccuKnox kubescape job
+type: application
+version: 0.1.0
+
+# version of kubescape that is referred in the CronJob
+appVersion: 3.0.8
diff --git a/accuknox-kubescape-job/templates/clusterrole.yaml b/accuknox-kubescape-job/templates/clusterrole.yaml
new file mode 100644
index 0000000..a6847b3
--- /dev/null
+++ b/accuknox-kubescape-job/templates/clusterrole.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubescape-clusterrole
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - apps
+ - batch
+ - rbac.authorization.k8s.io
+ - roles.rbac.authorization.k8s.io
+ - authorization.k8s.io
+ - certificates.k8s.io
+ - apiextensions.k8s.io
+ - admissionregistration.k8s.io
+ - networking.k8s.io
+ resources: ["*"]
+ verbs: ["*"]
diff --git a/accuknox-kubescape-job/templates/clusterrolebinding.yaml b/accuknox-kubescape-job/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..7ee64ad
--- /dev/null
+++ b/accuknox-kubescape-job/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubescape-clusterrole-binding
+subjects:
+- namespace: {{ .Release.Namespace }}
+ kind: ServiceAccount
+ name: kubescape-service-account
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubescape-clusterrole
diff --git a/accuknox-kubescape-job/templates/configmap.yaml b/accuknox-kubescape-job/templates/configmap.yaml
new file mode 100644
index 0000000..aaa71a8
--- /dev/null
+++ b/accuknox-kubescape-job/templates/configmap.yaml
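Review bot: The ClusterRole's single rule grants `resources: ["*"]` with `verbs: ["*"]` over the core, apps, batch, rbac.authorization.k8s.io, certificates.k8s.io and admissionregistration.k8s.io groups, which is cluster-admin in all but name: whoever obtains this service account's token can create a ClusterRoleBinding to cluster-admin, approve CSRs, or register a mutating webhook. As far as the visible args show, the init container only runs `kubescape scan`, which reads objects, so the rule should be `verbs: ["get", "list", "watch"]`, with any write verb a specific kubescape control turns out to need added explicitly and commented with the control name. `roles.rbac.authorization.k8s.io` does not look like a real API group and is probably a leftover that can be dropped.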
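Review bot: Both `kubescape-clusterrole-binding` and the `roleRef.name` it points at are hard-coded cluster-scoped names while `subjects[0].namespace` is templated from `.Release.Namespace`, so a second install of this chart in another namespace cannot coexist with the first: Helm typically refuses because the ClusterRoleBinding already exists, and a plain `kubectl apply` of the rendered output would instead silently re-point the one binding at the newer namespace's service account. Derive the names from the release, e.g. `name: {{ .Release.Name }}-kubescape-clusterrole-binding` and `name: {{ .Release.Name }}-kubescape-clusterrole` in `roleRef`, and do the same in clusterrole.yaml.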
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: accuknox-kubescape-cronjob-script-configmap
+ namespace: {{ .Release.Namespace }}
+data:
+ augment-and-push-results.sh: |
+ #! /bin/env bash
+
+ cat <<< $(jq ". +=
+ {
+ "accuknox_metadata": {
+ "cluster_name":"'$ENV.CLUSTER_NAME'",
+ "label_name":"'$ENV.LABEL_NAME'"
+ }
+ }" /data/report.json) > /data/report.json
+
+ curl --location --request POST \
+ --header "Authorization: Bearer ${AUTH_TOKEN}" \
+ --header "Tenant-Id: ${TENANT_ID}" \
+ --form "file=@\"/data/report.json\"" \
+ "https://cspm.${URL}.accuknox.com/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=kubescape&save_to_s3=false"
diff --git a/accuknox-kubescape-job/templates/cronjob.yaml b/accuknox-kubescape-job/templates/cronjob.yaml
new file mode 100644
index 0000000..64fa32a
--- /dev/null
+++ b/accuknox-kubescape-job/templates/cronjob.yaml
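Review bot: The script never fails on error: there is no `set -euo pipefail`, `cat <<< $(jq …) > /data/report.json` truncates the report before jq's exit status is known, and `curl` without `--fail` exits 0 on a 4xx/5xx, so a missing report or a rejected token yields a Job that uploads an empty file and still counts as successful. Add `set -euo pipefail`, write jq's output to a temporary file and move it into place only on success (assuming `mv` exists in the `accuknox/accuknox-job` image), and use `curl --fail --silent --show-error` so failures land in `failedJobsHistoryLimit` instead of being hidden. The bare `$(...)` also exposes the JSON to word splitting and glob expansion. The quoting on the jq line works only by accident of bash concatenation — the `"…"` pieces merge into one word so jq sees bare keys, and `'$ENV.CLUSTER_NAME'` is jq's own environment lookup, not a shell expansion — so passing the values with `--arg` as below is both clearer and safer. The `#! /bin/env bash` shebang is never honoured because cronjob.yaml runs `/bin/bash /script/…`, but it should still be the conventional `#!/usr/bin/env bash`.

```yaml
  augment-and-push-results.sh: |
    #!/usr/bin/env bash
    set -euo pipefail

    # Attach AccuKnox metadata; CLUSTER_NAME and LABEL_NAME come from the CronJob env.
    jq --arg cluster "$CLUSTER_NAME" --arg label "$LABEL_NAME" \
      '. += {accuknox_metadata: {cluster_name: $cluster, label_name: $label}}' \
      /data/report.json > /data/report.json.tmp
    mv /data/report.json.tmp /data/report.json

    # --fail turns an HTTP error into a non-zero exit so the Job is marked failed.
    # … unchanged: Authorization/Tenant-Id headers, --form file and URL follow as before …
    curl --fail --silent --show-error --location --request POST \
```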
@@ -0,0 +1,57 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: accuknox-kubescape-job
+ namespace: {{ .Release.Namespace }}
+spec:
+ schedule: "{{ .Values.accuknox.cronTab }}"
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+
+ jobTemplate:
+ metadata:
+ labels:
+ app: accuknox-kubescape-job
+ spec:
+ template:
+ spec:
+ initContainers:
+ - name: kubescape-init
+ image: "{{ .Values.kubescape.image.repository }}:{{ if ne .Values.kubescape.image.tag "" }}{{ .Values.kubescape.image.tag }}{{ else }}v{{ .Chart.AppVersion }}{{ end }}"
+ args: ["scan", "--format", "json", "--output", "/data/report.json", "--cluster-name=$(CLUSTER_NAME)"]
+ env:
+ - name: CLUSTER_NAME
+ value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
+ volumeMounts:
+ - name: datapath
+ mountPath: /data
+ containers:
+ - image: accuknox/accuknox-job:latest
+ name: accuknox-kubescape-cronjob
+ command:
+ - '/bin/bash'
+ - '/script/augment-and-push-results.sh'
+ env:
+ - name: URL
+ value: {{ .Values.accuknox.URL }}
+ - name: TENANT_ID
+ value: {{ .Values.accuknox.tenantID | quote }}
+ - name: AUTH_TOKEN
+ value: {{ .Values.accuknox.authToken }}
+ - name: CLUSTER_NAME
+ value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
+ - name: LABEL_NAME
+ value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
+ volumeMounts:
+ - mountPath: /data
+ name: datapath
+ - mountPath: /script
+ name: scriptpath
+ volumes:
+ - name: datapath
+ emptyDir: {}
+ - name: scriptpath
+ configMap:
+ name: accuknox-kubescape-cronjob-script-configmap
+ restartPolicy: OnFailure
+ serviceAccount: kubescape-service-account
diff --git a/accuknox-kubescape-job/templates/serviceaccount.yaml b/accuknox-kubescape-job/templates/serviceaccount.yaml
new file mode 100644
index 0000000..a64c4e1
--- /dev/null
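Review bot: `AUTH_TOKEN`, the AccuKnox API bearer token, is rendered as a plain `value:` from `.Values.accuknox.authToken`, so it sits in clear text in the CronJob object, in every Job and Pod spec derived from it, in `kubectl describe` output and in the Helm release record; anyone with read access to workloads in the namespace can take it. Ship the token through a Secret (a `templates/secret.yaml` filled from the value, or an `existingSecret` name the user supplies) and reference it with `valueFrom.secretKeyRef` as below; `URL` and `AUTH_TOKEN` are also the only env values not passed through `| quote`, so a numeric- or boolean-looking value would change type on render. The main container image `accuknox/accuknox-job:latest` is an unpinned mutable tag with no digest while the init image is pinned to `.Chart.AppVersion`; pin it the same way (a tag or `@sha256:` digest taken from values) so an upstream tag overwrite cannot change what runs with this pod's credentials. `serviceAccount:` is the deprecated PodSpec field; use `serviceAccountName: kubescape-service-account`. The pod also sets no `securityContext` or `resources`, which a cluster-wide privileged workload should have at least in the form of `runAsNonRoot: true` and `allowPrivilegeEscalation: false`.

```yaml
      # … unchanged: initContainers, container image/command, URL and TENANT_ID env …
        - name: AUTH_TOKEN
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-accuknox-auth   # created by templates/secret.yaml
              key: authToken
      # … unchanged: CLUSTER_NAME/LABEL_NAME env, volumeMounts, volumes …
      restartPolicy: OnFailure
      serviceAccountName: kubescape-service-account
```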
+++ b/accuknox-kubescape-job/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubescape-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/accuknox-kubescape-job/values.yaml b/accuknox-kubescape-job/values.yaml
new file mode 100644
index 0000000..ad47cc5
--- /dev/null
+++ b/accuknox-kubescape-job/values.yaml
@@ -0,0 +1,19 @@
+# Default values for accuknox-kubescape-job.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+kubescape:
+ image:
+ repository: quay.io/kubescape/kubescape-cli
+ # if empty, take from appVersion
+ tag: ""
+
+replicaCount: 1
+
+accuknox:
+ authToken: "NO-TOKEN-SET"
+ URL: "dev"
+ tenantID: ""
+ cronTab: "0 */6 * * *"
+ clusterName: ""
+ label: ""
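Review bot: The ServiceAccount leaves `automountServiceAccountToken` at its default, so the token bound to the wildcard ClusterRole is mounted into every container of the pod, including the upload container that only needs the tenant token and never talks to the API server. Set `automountServiceAccountToken: false` on this ServiceAccount and mount a projected service-account token volume into the `kubescape-init` container only, so a compromise of the curl/jq container does not also hand over cluster-wide API access. The name is hard-coded like the cluster-scoped objects; it is namespaced so it only collides within a namespace, but deriving it from `.Release.Name` would keep the three RBAC objects consistent.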
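Review bot: `authToken: "NO-TOKEN-SET"` is a placeholder that lets the chart install and then run a job every six hours with a bogus bearer token, and nothing in the script notices the presumably rejected uploads; default it to `""` and fail the render instead with `{{ required "accuknox.authToken (or an existing secret) is required" .Values.accuknox.authToken }}` in the template, so the misconfiguration surfaces at `helm install` rather than in a silently failing Job, and `tenantID: ""` deserves the same treatment since it becomes an empty `Tenant-Id` header. `replicaCount: 1` is not referenced by any template in this chart and should be removed so it does not advertise a knob that does nothing. `URL: "dev"` is only the environment segment of `https://cspm.<URL>.accuknox.com`, which the key name hides; a comment such as `# environment subdomain; expands to https://cspm.<URL>.accuknox.com` (or renaming the key) would stop users from pasting a full URL there.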