search

kubescape / operator

Operator is an in-cluster component of the Kubescape security platform. It allows clients to connect to itself, listens for commands from the connected clients and controls other in-cluster components according to received commands.
Apache License 2.0
13 stars 20 forks source link

readme

Operator

OpenSSF Scorecard

The Operator component is at the heart of Kubescape as it is the triggering engine for the different actions in the cluster; It responds to REST API requests and messages received over websocket connections, and triggers the relevant action in the cluster. Such actions could be triggering a configuration scan, an image vulnerability scan, defining a recurring scan (by creating CronJobs), etc.

Running Operator

Build Operator go build .
Run the executable. You can run the executable as a stand-alone and as part of the Kubescape cluster components.

Prerequisites

  1. Add configuration files.
/etc/config/capabilities.json ```json5 { "capabilities": { "configurationScan": "enable", "continuousScan": "disable", "networkGenerator": "disable", "nodeScan": "enable", "otel": "enable", "relevancy": "enable", "runtimeObservability": "disable", "seccomp": "disable", "vulnerabilityScan": "enable" }, "components": { "gateway": { "enabled": true }, "hostScanner": { "enabled": true }, "kollector": { "enabled": true }, "kubescape": { "enabled": true }, "kubescapeScheduler": { "enabled": true }, "kubevuln": { "enabled": true }, "kubevulnScheduler": { "enabled": true }, "nodeAgent": { "enabled": true }, "operator": { "enabled": true }, "otelCollector": { "enabled": true }, "storage": { "enabled": true } }, "configurations": { "persistence": "enable", "server": { "account": null, "url": "foo.com" } } } ```
/etc/config/clusterData.json ```json5 { "gatewayWebsocketURL": "127.0.0.1:8001", "gatewayRestURL": "127.0.0.1:8002", "kubevulnURL": "127.0.0.1:8081", "kubescapeURL": "127.0.0.1:8080", "accountID": "*********************", "clusterName": "******" } ```
/etc/config/config.json ```json5 { "cleanupdelay": 600000000000, "matchingrulesfilename": "/etc/config/matchingRules.json", "namespace": "kubescape", "port": "4002", "triggersecurityframework": false, "workerconcurrency": 3 } ```
/etc/config/services.json ```json5 { "version": "v1", "response": { "event-receiver-http": "https://report.armo.cloud", "event-receiver-ws": "wss://report.armo.cloud", "gateway": "wss://ens.euprod1.cyberarmorsoft.com", "api-server": "https://api.armosec.io", "metrics": "otelcol.armosec.io:443" } } ```

If continuous scanning is enabled, add the following configuration file (change to the relevant values):

/etc/config/matchingRules.json ```json5 { "match": [ { "apiGroups": [ "apps" ], "apiVersions": [ "v1" ], "resources": [ "deployments" ] } ], "namespaces": [ "default" ] } ```

API Documentation

The Operator provides an HTTP API.

You can learn more about the API using one of the provided interactive OpenAPI UIs:

Environment Variables

Check out utils/environmentvariables.go

Example Requests

Trigger an Action

Example ``` curl -X POST http:///v1/triggerAction -H 'Content-Type: application/json' -d '{ "commands": [ { "CommandName": "scan", "WildWlid": "wlid://cluster-minikube-v1" } ] }' ```

Trigger Kubescape scanning

Example ``` curl -X POST \ -H 'Content-Type: application/json' \ -d '{ "commands": [ { "CommandName": "kubescapeScan", "args": { "scanV1": { "submit": true } } } ] }' \ http://127.0.0.1:4002/v1/triggerAction ```

Create a CronJob that will repeatedly trigger a Kubescape scanning all frameworks

Example ``` curl -X POST \ -H 'Content-Type: application/json' \ -d '{ "commands": [ { "CommandName": "setKubescapeCronJob", "args": { "kubescapeJobParams": { "cronTabSchedule": "* * * * *" }, "scanV1": { "submit": true } } } ] }' \ http://127.0.0.1:4002/v1/triggerAction ```

Create a CronJob that will repeatedly trigger a Kubescape scann according to a specific framework

Example ``` curl -X POST \ -H 'Content-Type: application/json' \ -d '{ "commands": [ { "CommandName": "setKubescapeCronJob", "args": { "kubescapeJobParams": { "cronTabSchedule": "* * * * *" }, "scanV1": { "submit": true, "targetType": "framework", "targetNames": [ "nsa" ] } } } ] }' \ http://127.0.0.1:4002/v1/triggerAction ```

Trigger Kubevuln scanning

Example ``` curl -X POST \ -H 'Content-Type: application/json' \ -d '{ "commands": [ { "CommandName": "scan", "WildWlid": "wlid://cluster-minikube-v1" } ] }' \ http://127.0.0.1:4002/v1/triggerAction ```

Create a CronJob that will repeatedly trigger a Kubevuln scan

Example ``` curl -X POST \ -H 'Content-Type: application/json' \ -d '{ "commands": [ { "CommandName": "setVulnScanCronJob", "WildWlid": "wlid://cluster-minikube/namespace-systest-ns-chj8", "args": { "jobParams": { "cronTabSchedule": "* * * * *" } } } ] }' \ http://127.0.0.1:4002/v1/triggerAction ```

Update a CronJob that repeatedly triggers a Kubevuln scan

Example ``` curl -X POST \ -H 'Content-Type: application/json' \ -d '{ "commands": [ { "CommandName": "updateVulnScanCronJob", "args": { "jobParams": { "cronTabSchedule": "* * * * *", "name": "vuln-scan-scheduled-2393196145723502557" } } } ] }' \ http://127.0.0.1:4002/v1/triggerAction ```

Delete a CronJob that repeatedly triggers a Kubevuln scan

Example ``` curl -X POST \ -H 'Content-Type: application/json' \ -d '{ "commands": [ { "CommandName": "deleteVulnScanCronJob", "args": { "jobParams": { "cronTabSchedule": "2 0 * * *", "name": "vuln-scan-scheduled-605400646375517620" } } } ] }' \ http://127.0.0.1:4002/v1/triggerAction ```

VS code configuration samples

You can use the sample files below to setup your VS code environment for building and debugging purposes.

.vscode/launch.json ```json5 { "version": "0.2.0", "configurations": [ { "name": "Launch Package", "type": "go", "request": "launch", "mode": "auto", "program": "${workspaceRoot}", "env": { "PORT": "4002", "NAMESPACE": "kubescape", "CONFIG": "${workspaceRoot}/.vscode/clusterData.json", }, "args": [ "-alsologtostderr", "-v=4", "2>&1" ] } ] } ``` We configured the Operator to listen to port 4002, and define the configuration in the clusterData.json file [as mentioned above](https://github.com/kubescape/operator#preparations).

and also need to open the ports of the other in-cluster components, as mentioned above.

Running Operator as stand-alone

The Operator also supports running as a stand-alone. For this you need to define in the config file, for the relevant values that will be empty. For example:

.vscode/clusterData.json ```json5 { "gatewayWebsocketURL": "", "gatewayRestURL": "", "kubevulnURL": "", "kubescapeURL": "", "accountID": "*********************", "clusterName": "******" } ```

Also do not specify a service config file for the backend addresses.