Revert "Insecure connection handling (#38)"
This reverts commit fa61f4c.

Signed-off-by: Rudraksh Pareek <[email protected]>
DelusionalOptimist committed Nov 15, 2024
1 parent ae82fc8 commit 03230a9
Showing 16 changed files with 41 additions and 211 deletions.
Binary file removed .DS_Store
4 changes: 0 additions & 4 deletions Dockerfile
Expand Up @@ -2,9 +2,5 @@ FROM alpine:latest

RUN apk --update add jq curl
COPY entrypoint.sh .
COPY curl_command.sh .

# Grant execute permissions to the scripts
RUN chmod +x entrypoint.sh curl_command.sh

ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
Binary file removed cis-k8s-job/.DS_Store
112 changes: 25 additions & 87 deletions cis-k8s-job/templates/cis-cron-job.yaml
Expand Up @@ -10,115 +10,53 @@ spec:
spec:
template:
spec:
{{- if or (or (contains "master" .Values.toolConfig.nodeType) (contains "controlplane" .Values.toolConfig.nodeType)) (or (contains "master" .Values.toolConfig.targets) (contains "controlplane" .Values.toolConfig.targets)) }}
{{- include "masterConfig" .Values.toolConfig | trim | nindent 10 }}
{{- end }}
{{- if .Values.imagePullSecrets.name }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets.name }}
{{- end }}
containers:
- image: accuknox/accuknox-job:latest
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ["/bin/sh", "-c"]
args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
name: cis-k8s-cronjob
resources: {}
env:
- name: AUTH_TOKEN
value: {{ .Values.accuknox.authToken }}
valueFrom:
secretKeyRef:
key: AUTH_TOKEN
{{- if (.Values.accuknox.secretName | empty) }}
name: cis-k8s-job-auth-token
{{- else }}
name: {{ .Values.accuknox.secretName }}
{{- end }}
- name: CLUSTER_NAME
value: {{ .Values.accuknox.clusterName }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CLUSTER_ID
value: {{ .Values.accuknox.clusterID }}
value: {{ .Values.accuknox.clusterId }}
- name: TENANT_ID
value: {{ .Values.accuknox.tenantID | quote}}
value: {{ .Values.accuknox.tenantId | quote}}
- name: URL
value: {{ .Values.accuknox.URL }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KB"
value: {{ .Values.accuknox.url }}
volumeMounts:
- mountPath: /data
name: datapath
initContainers:
- image: docker.io/aquasec/kube-bench:v0.6.19
command: ["/bin/sh", "-c"]
args: ["kube-bench run --json > /data/report.json"]
- image: "{{ .Values.kubeBench.image.repository }}:{{ .Values.kubeBench.image.tag }}"
command:
{{- include "cmd" .Values.toolConfig | trim | nindent 13 }}
name: kube-bench
volumeMounts:
- mountPath: /data
name: datapath
- mountPath: /var/lib/etcd
name: var-lib-etcd
readOnly: true
- mountPath: /var/lib/kubelet
name: var-lib-kubelet
readOnly: true
- mountPath: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
readOnly: true
- mountPath: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
readOnly: true
- mountPath: /etc/systemd
name: etc-systemd
readOnly: true
- mountPath: /lib/systemd/
name: lib-systemd
readOnly: true
- mountPath: /srv/kubernetes/
name: srv-kubernetes
readOnly: true
- mountPath: /etc/kubernetes
name: etc-kubernetes
readOnly: true
- mountPath: /usr/local/mount-from-host/bin
name: usr-bin
readOnly: true
- mountPath: /etc/cni/net.d/
name: etc-cni-netd
readOnly: true
- mountPath: /opt/cni/bin/
name: opt-cni-bin
readOnly: true
{{- include "volumeMounts" .Values.toolConfig | trim | nindent 13 }}
hostPID: true
restartPolicy: Never
volumes:
- name: datapath
emptyDir: {}
- hostPath:
path: /var/lib/etcd
name: var-lib-etcd
- hostPath:
path: /var/lib/kubelet
name: var-lib-kubelet
- hostPath:
path: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
- hostPath:
path: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
- hostPath:
path: /etc/systemd
name: etc-systemd
- hostPath:
path: /lib/systemd
name: lib-systemd
- hostPath:
path: /srv/kubernetes
name: srv-kubernetes
- hostPath:
path: /etc/kubernetes
name: etc-kubernetes
- hostPath:
path: /usr/bin
name: usr-bin
- hostPath:
path: /etc/cni/net.d/
name: etc-cni-netd
- hostPath:
path: /opt/cni/bin/
name: opt-cni-bin
{{- include "volumes" .Values.toolConfig | trim | nindent 11 }}

schedule: "{{ .Values.accuknox.cronTab }}"
successfulJobsHistoryLimit: 1
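Review bot: The restored inline upload in the new `args:` line runs curl without `--fail`, so an HTTP 401/403/5xx from the artifact endpoint still exits 0, the trailing `&& cat /data/report.json` runs, and the CronJob records a successful run with no report delivered; add `--fail-with-body --silent --show-error` (or `--fail` on curl older than 7.76) so a rejected token or a server error fails the Job. The form path is written as `./data/report.json` while the `cat` uses `/data/report.json`; both hit the `/data` emptyDir only because the image sets no WORKDIR, so use the absolute path in both places. `--location` is not needed for a fixed API URL and, on a same-host redirect, re-sends the `Authorization: Bearer` header; dropping it is the conservative choice.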
16 changes: 4 additions & 12 deletions cis-k8s-job/templates/cis-job.yaml
Expand Up @@ -23,7 +23,7 @@ spec:
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ["/bin/sh", "-c"]
args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
name: cis-k8s-cronjob
resources: {}
env:
Expand All @@ -41,19 +41,11 @@ spec:
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CLUSTER_ID
value: {{ .Values.accuknox.clusterID }}
value: {{ .Values.accuknox.clusterId }}
- name: TENANT_ID
value: {{ .Values.accuknox.tenantID | quote}}
value: {{ .Values.accuknox.tenantId | quote}}
- name: URL
value: {{ .Values.accuknox.URL }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KB"
value: {{ .Values.accuknox.url }}
volumeMounts:
- mountPath: /data
name: datapath
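Review bot: The new `args:` line packs the entrypoint call and a roughly 300-character curl invocation into one single-quoted YAML scalar that is duplicated byte-for-byte in `cis-cron-job.yaml`, which is exactly the drift-prone shape the reverted `curl_command.sh` existed to remove. A `|` block scalar with one curl option per line, or a named template in `_helpers.tpl` included by both the Job and the CronJob, keeps the two uploads in sync and makes individual options (such as the missing `--fail`) reviewable in a diff. The container's env list continues between and below the two hunks, so how `AUTH_TOKEN` is injected is not visible here.
```yaml
          command: ["/bin/sh", "-c"]
          args:
            - |
              /bin/sh entrypoint.sh && curl --location --request POST \
                "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" \
                --header "Tenant-Id: ${TENANT_ID}" \
                --header "Authorization: Bearer ${AUTH_TOKEN}" \
                --form "file=@./data/report.json" \
              && cat /data/report.json
```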
34 changes: 0 additions & 34 deletions curl_command.sh


8 changes: 5 additions & 3 deletions k8s-risk-assessment-job/templates/configmap.yaml
Expand Up @@ -33,6 +33,8 @@ data:
cat /data/report.json
# push
/curl_command.sh
curl --location --request POST \
--header "Authorization: Bearer ${AUTH_TOKEN}" \
--header "Tenant-Id: ${TENANT_ID}" \
--form "file=@\"/data/report.json\"" \
"https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KS&save_to_s3=true&label_id=${LABEL_NAME}"
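Review bot: The restored `curl` in the ConfigMap script has no `--fail`, so an HTTP error from the artifact endpoint exits 0 and the push step passes even if the script head, which is outside this hunk, uses `set -e`; add `--fail-with-body --silent --show-error` so a rejected token or a server error fails the job. `${LABEL_NAME}` is interpolated raw into the query string, so a label containing `&`, `#` or a space silently changes the request; either constrain the value where it is set in `values.yaml` or pass it URL-encoded with `--url-query "label_id=${LABEL_NAME}"` on curl 7.87 or newer.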
8 changes: 0 additions & 8 deletions k8s-risk-assessment-job/templates/cronjob.yaml
Expand Up @@ -55,14 +55,6 @@ spec:
value: {{ .Values.accuknox.clusterID | quote }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KS"
volumeMounts:
- mountPath: /data
name: datapath
8 changes: 0 additions & 8 deletions k8s-risk-assessment-job/templates/job.yaml
Expand Up @@ -51,14 +51,6 @@ spec:
value: {{ .Values.accuknox.clusterID | quote }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KS"
volumeMounts:
- mountPath: /data
name: datapath
4 changes: 0 additions & 4 deletions k8s-risk-assessment-job/values.yaml
Expand Up @@ -31,7 +31,3 @@ accuknox:
clusterID: 0
label: ""
secretName: ""
certBundlePath: "" # Set this for cert local path if needed .
certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
useInsecureConnection: false # Set to true if insecure connection is needed

11 changes: 1 addition & 10 deletions k8tls-job/templates/k8tls-cronjob.yaml
Expand Up @@ -46,8 +46,7 @@ spec:
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ["/bin/sh", "-c"]
args: ['./curl_command.sh']

args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
name: k8tls-job
resources: {}
env:
Expand All @@ -68,14 +67,6 @@ spec:
value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
- name: LABEL_NAME
value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "K8TLS"
volumeMounts:
- mountPath: /data
name: datapath
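Review bot: In the new `args:` line the report is printed only after curl returns 0 (`&& cat /data/report.json`), and without `--fail` curl also returns 0 on HTTP 4xx/5xx, so the pod log shows the full report as if it had been accepted while the upload was actually rejected. Add `--fail-with-body --silent --show-error`, and if the dump exists for debugging, print it before the upload so a failed push still leaves evidence in the log. The rest of the pod spec below `volumeMounts` is outside the hunk.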
10 changes: 1 addition & 9 deletions k8tls-job/templates/k8tls-job.yaml
Expand Up @@ -18,7 +18,7 @@ spec:
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ["/bin/sh", "-c"]
args: ['./curl_command.sh']
args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
name: k8tls-job
resources: {}
env:
Expand All @@ -39,14 +39,6 @@ spec:
value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
- name: LABEL_NAME
value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "K8TLS"
volumeMounts:
- mountPath: /data
name: datapath
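Review bot: `LABEL_NAME` is set in the env list with a `"default"` fallback, but the restored upload URL on the new `args:` line sends no `label_id`, unlike the KB, KS and KIEM uploads elsewhere in this commit. If the backend labels K8TLS artifacts as well, append `&label_id=${LABEL_NAME}` to the query string; if it does not, the unused env var should go so the two jobs stop disagreeing about what the report is tagged with. Whether the backend expects the parameter cannot be confirmed from this page.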
4 changes: 1 addition & 3 deletions k8tls-job/values.yaml
Expand Up @@ -26,6 +26,4 @@ accuknox:
clusterName: ""
label: ""
URL: "cspm.demo.accuknox.com"
certBundlePath: "" # Set this for cert local path if needed .
certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
useInsecureConnection: false # Set to true if insecure connection is needed
secretName: ""
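Review bot: `URL: "cspm.demo.accuknox.com"` remains the shipped default, so an install that sets only the token uploads the cluster's TLS findings, together with that bearer token, to a demo host instead of failing fast. Prefer `URL: ""` here and `{{ required "accuknox.URL must be set" .Values.accuknox.URL }}` where the templates read it. The values files of the sibling charts on this page are shown only partially, so the same default is worth checking there as well.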
15 changes: 2 additions & 13 deletions kiem-job/templates/deployment.yaml
Expand Up @@ -29,11 +29,8 @@ spec:
- name: datapath
mountPath: /data
containers:

- image: accuknox/accuknox-job:latest
command: ["/bin/sh", "-c"]
args: ['./curl_command.sh']

- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=true&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']
name: accuknox-kiem-cronjob
resources: {}
env:
Expand All @@ -54,14 +51,6 @@ spec:
value: {{ .Values.accuknox.clusterName }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label | quote}}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KIEM"
volumeMounts:
- mountPath: /data
name: datapath
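Review bot: The restored `command:` on the new side passes `--location`, so curl follows redirects while carrying `Authorization: Bearer ${AUTH_TOKEN}`; curl 7.58 and later drops a custom Authorization header on cross-host redirects but still re-sends it on same-host ones, and a fixed `/api/v1/artifact/` endpoint has no need to follow redirects, so the flag should go. Without `--fail` the command also exits 0 on an HTTP error, so add `--fail-with-body --silent --show-error` as well. The surrounding pod spec, including which controller kind runs this one-shot command, is outside the hunk.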
13 changes: 1 addition & 12 deletions kiem-job/templates/job.yaml
Expand Up @@ -27,10 +27,7 @@ spec:
mountPath: /data
containers:
- image: accuknox/accuknox-job:latest

command: ["/bin/sh", "-c"]
args: ['./curl_command.sh']

command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=true&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']
name: accuknox-kiem-job
resources: {}
env:
Expand All @@ -51,14 +48,6 @@ spec:
value: {{ .Values.accuknox.clusterName }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label | quote}}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KIEM"
volumeMounts:
- mountPath: /data
name: datapath
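Review bot: The upload container on the new side still uses `image: accuknox/accuknox-job:latest`, while `kiem-job/templates/deployment.yaml` in this same commit templates it from `.Values.accuknoxJob.image.repository` and `.tag`; a mutable tag means the container that receives `AUTH_TOKEN` and the cluster report can change underneath each run and cannot be pinned or audited. Use `image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"` here too and pin a tag or digest in `values.yaml`. The env list continues between and below the two hunks.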
5 changes: 1 addition & 4 deletions kiem-job/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,4 @@ accuknox:
cronTab: "30 9 * * *"
clusterName: ""
label: ""
certBundlePath: "" # Set this for cert local path if needed .
certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
useInsecureConnection: false # Set to true if insecure connection is needed

secretName: ""
