deepfence / ThreatMapper

Open Source Cloud Native Application Protection Platform (CNAPP)
https://deepfence.io
Apache License 2.0

Add Helm support for AWS Account posture scanner #2024

Closed lumattr closed 2 days ago

lumattr commented 5 months ago

Additional context It would be great if the AWS account scanner could be deployed with Helm. I appreciate that it takes additional effort due to the need to have a service account and an IAM role attached, but as I have the console and agents already in K8s it's awkward to have a separate ECS cluster for the account scanner.


Describe the solution you'd like Ideally it would be a Helm chart that would run the cloud-scanner image and would require me, as the end user, to create a role with the needed policy, attach that to a service account and pass that to the Helm chart.

Describe alternatives you've considered This could be a Terraform module, but that wouldn't work for me specifically as we use CDK in house.


Additional context This is how I am deploying it at the moment:

cloudscanner.ts

```ts
import { Stack } from "aws-cdk-lib";
import { ICluster, KubernetesManifest } from "aws-cdk-lib/aws-eks";
import { ManagedPolicy } from "aws-cdk-lib/aws-iam";

const serviceName = "deepfence-cloud-scanner";

// Deploys the cloud-scanner image as a plain Deployment on an existing EKS
// cluster; AWS access comes from an IRSA service account with SecurityAudit.
export function addCloudScanner(
  stack: Stack,
  cluster: ICluster,
  namespace: string,
  consoleUrl: string,
): KubernetesManifest {
  // IRSA: the service account is bound to an IAM role that the pod assumes
  // through its projected web identity token.
  const serviceAccount = cluster.addServiceAccount("cloudScannerSA", {
    name: serviceName,
    namespace,
  });
  const policy = ManagedPolicy.fromManagedPolicyArn(
    stack,
    "auditPolicy",
    "arn:aws:iam::aws:policy/SecurityAudit",
  );
  serviceAccount.role.addManagedPolicy(policy);

  return cluster.addManifest("console", {
    apiVersion: "apps/v1",
    kind: "Deployment",
    metadata: { name: serviceName, namespace },
    spec: {
      selector: { matchLabels: { app: serviceName } },
      replicas: 1,
      template: {
        metadata: { labels: { app: serviceName } },
        spec: {
          serviceAccountName: serviceAccount.serviceAccountName,
          nodeSelector: { "kubernetes.io/arch": "amd64" },
          containers: [
            {
              name: "cloud-scanner",
              image: "deepfenceio/cloud-scanner:2.1.0",
              imagePullPolicy: "Always",
              args: [
                "-mode", "service",
                "-mgmt-console-url", consoleUrl,
                "-debug", "true",
                "-cloud-audit-log-ids",
                `arn:aws:cloudtrail:${stack.region}:${stack.account}:trail/trail`,
              ],
              env: [
                {
                  // Agent key used to register with the console, read from a
                  // pre-created Secret rather than embedded in the manifest.
                  name: "DEEPFENCE_KEY",
                  valueFrom: {
                    secretKeyRef: { name: "deepfence-agent-key", key: "deepfence-key" },
                  },
                },
              ],
              resources: {
                requests: { cpu: "2048m", memory: "4096Mi" },
                limits: { cpu: "4096m", memory: "8192Mi" },
              },
            },
          ],
        },
      },
    },
  });
}
```

ibreakthecloud commented 5 months ago

I understand the need for having cloud-scanner as a part of the console/agent deployment. Currently we don't have it, but we can look into it. cc: @gnmahanth

lumattr commented 5 months ago

@ibreakthecloud @gnmahanth I appreciate you looking into this.

As far as I can see, the way I have it running at the moment is working successfully. The only niggle with it is that the Account ID it's showing in the console is the Instance ID of the node the pod is running on.

Is there a way that can be overridden via an environment variable or a command arg or something?

gnmahanth commented 5 months ago

@lumattr thanks for reporting the issue. There is no support for running cloud scanner on Kubernetes; we are looking into it.

cc: @ibreakthecloud @jatin-baweja

Steps to reproduce the issue

logs:

$ kubectl logs cloud-scanner-5747d74c4b-jsz8b -n cloud-scanner
Starting periodic command scheduler: cron.
time="2024-03-21 05:45:20" level=debug msg=NewComplianceScanService file="service.go:62"
{590323219893 x86_64 us-east-1f <nil> <nil> <nil> ami-0c67d4deba6eb4fba **<aws instance id>** t3.xlarge <nil> 2024-02-19 09:42:10 +0000 UTC 10.10.107.149 <nil> us-east-1 2017-09-30}
time="2024-03-21 05:45:20" level=debug msg="Building http client" file="client.go:56"
2024/03/21 05:45:20 [DEBUG] POST https://<console>:443/deepfence/auth/token
time="2024-03-21 05:45:20" level=warning msg="Task role is not set to arn:aws:iam::aws:policy/ReadOnlyAccess. Disabling CloudTrail based updates of cloud resources." file="cloudtrail.go:45"
time="2024-03-21 05:45:20" level=info msg="Registering with Deepfence management console" file="main.go:67"
time="2024-03-21 05:45:20" level=info msg="Restarting steampipe service" file="util.go:96"
time="2024-03-21 05:45:32" level=info msg="Steampipe service restarted" file="util.go:116"
2024/03/21 05:46:08 [DEBUG] POST https://<console>:443/deepfence/cloud-node/account
time="2024-03-21 05:46:08" level=warning msg="no cloudtrails found with management events and write or read-write mode" file="service.go:115"
time="2024-03-21 05:46:08" level=debug msg="Adding scans data to pending scans: map[]" file="client.go:194"
time="2024-03-21 05:46:08" level=info msg="Querying Resources" file="service.go:272"
time="2024-03-21 05:46:08" level=info msg="Started querying resources for aws: [**<aws instance id>**]" file="query.go:86"
time="2024-03-21 05:46:08" level=debug msg="Querying resources for aws_iam_account_summary" file="query.go:155"
2024/03/21 05:46:38 [DEBUG] POST https://<console>:443/deepfence/ingest/cloud-resources
time="2024-03-21 05:46:38" level=debug msg="Got length of 1 for aws_iam_account_summary" file="query.go:191"
time="2024-03-21 05:46:38" level=debug msg="Resources ingested: 1" file="client.go:243"
time="2024-03-21 05:46:38" level=debug msg="Querying resources for aws_account" file="query.go:155"

screen shot: image
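The two warnings in the log above (`Task role is not set to arn:aws:iam::aws:policy/ReadOnlyAccess` and `no cloudtrails found with management events and write or read-write mode`) are both prerequisites you can verify before deploying. The following is an added pre-flight check written for this thread; it is not ThreatMapper code and does not reproduce the scanner's own logic. It assumes record shapes that mirror the AWS SDK responses for `iam:ListAttachedRolePolicies` and `cloudtrail:GetEventSelectors`, maps "write or read-write mode" to the CloudTrail `ReadWriteType` values `WriteOnly` and `All`, and uses constructed sample data (placeholder account `111122223333`) so it runs offline.

```typescript
// Added example, not part of ThreatMapper: pre-flight check for the IAM policy
// and CloudTrail conditions that the cloud-scanner log warnings describe.
// Record shapes mimic the AWS SDK responses (assumption); all data is constructed.

interface AttachedPolicy {
  PolicyName: string;
  PolicyArn: string;
}

interface EventSelector {
  ReadWriteType: "ReadOnly" | "WriteOnly" | "All";
  IncludeManagementEvents: boolean;
}

interface Trail {
  TrailARN: string;
  EventSelectors: EventSelector[];
}

const READ_ONLY_ACCESS = "arn:aws:iam::aws:policy/ReadOnlyAccess";
const SECURITY_AUDIT = "arn:aws:iam::aws:policy/SecurityAudit";

// SecurityAudit is what the CDK snippet attaches; ReadOnlyAccess is the policy
// the cloudtrail.go warning names before it enables CloudTrail-driven updates.
function missingPolicies(attached: AttachedPolicy[]): string[] {
  const arns = new Set(attached.map((p) => p.PolicyArn));
  return [SECURITY_AUDIT, READ_ONLY_ACCESS].filter((arn) => !arns.has(arn));
}

// Keep only trails with an event selector that records management events in
// WriteOnly or All mode (assumed mapping of "write or read-write mode").
function usableTrails(trails: Trail[]): string[] {
  return trails
    .filter((t) =>
      t.EventSelectors.some(
        (s) =>
          s.IncludeManagementEvents &&
          (s.ReadWriteType === "WriteOnly" || s.ReadWriteType === "All"),
      ),
    )
    .map((t) => t.TrailARN);
}

// Returns the trail ARNs safe to pass as -cloud-audit-log-ids, the managed
// policies still missing from the IRSA role, and an overall verdict.
function preflight(
  attached: AttachedPolicy[],
  trails: Trail[],
): { missing: string[]; trailIds: string[]; ok: boolean } {
  const missing = missingPolicies(attached);
  const trailIds = usableTrails(trails);
  return { missing, trailIds, ok: missing.length === 0 && trailIds.length > 0 };
}

// Constructed sample: the role as built by the CDK snippet (SecurityAudit only)
// plus two trails, one read-only and one recording all management events.
const sampleAttached: AttachedPolicy[] = [
  { PolicyName: "SecurityAudit", PolicyArn: SECURITY_AUDIT },
];
const sampleTrails: Trail[] = [
  {
    TrailARN: "arn:aws:cloudtrail:us-east-1:111122223333:trail/readonly-trail",
    EventSelectors: [{ ReadWriteType: "ReadOnly", IncludeManagementEvents: true }],
  },
  {
    TrailARN: "arn:aws:cloudtrail:us-east-1:111122223333:trail/trail",
    EventSelectors: [{ ReadWriteType: "All", IncludeManagementEvents: true }],
  },
];

const result = preflight(sampleAttached, sampleTrails);
console.log(JSON.stringify(result, null, 2));
```

With the sample data the verdict is not ok: `ReadOnlyAccess` is reported missing and only the `trail/trail` ARN passes the event-selector filter, which matches the two warnings in the log. In practice you would feed it the output of `aws iam list-attached-role-policies --role-name <irsa-role>` and `aws cloudtrail get-event-selectors --trail-name <trail>` for the role and trails you intend to use.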

gnmahanth commented 2 days ago

related https://github.com/deepfence/ThreatMapper/pull/2301

https://docs.deepfence.io/threatmapper/docs/cloudscanner/aws#cloud-scanner-on-eks-cluster-using-irsa