diff --git a/.DS_Store b/.DS_Store
deleted file mode 100644
index a460048..0000000
Binary files a/.DS_Store and /dev/null differ
diff --git a/Dockerfile b/Dockerfile
index 02c8a21..a1c7b50 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,9 +2,5 @@ FROM alpine:latest
 RUN apk --update add jq curl
 COPY entrypoint.sh . 
-COPY curl_command.sh . 
- 
-# Grant execute permissions to the scripts 
-RUN chmod +x entrypoint.sh curl_command.sh
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
diff --git a/cis-k8s-job/.DS_Store b/cis-k8s-job/.DS_Store
deleted file mode 100644
index f702656..0000000
Binary files a/cis-k8s-job/.DS_Store and /dev/null differ
diff --git a/cis-k8s-job/templates/cis-cron-job.yaml b/cis-k8s-job/templates/cis-cron-job.yaml
index 7609ec6..cd7a81f 100644
--- a/cis-k8s-job/templates/cis-cron-job.yaml
+++ b/cis-k8s-job/templates/cis-cron-job.yaml 
@@ -10,115 +10,53 @@ spec: spec: template: spec: + {{- if or (or (contains "master" .Values.toolConfig.nodeType) (contains "controlplane" .Values.toolConfig.nodeType)) (or (contains "master" .Values.toolConfig.targets) (contains "controlplane" .Values.toolConfig.targets)) }} + {{- include "masterConfig" .Values.toolConfig | trim | nindent 10 }} + {{- end }} + {{- if .Values.imagePullSecrets.name }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets.name }} + {{- end }} containers: - - image: accuknox/accuknox-job:latest + - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" command: ["/bin/sh", "-c"] - args: ['/bin/sh entrypoint.sh && ./curl_command.sh'] + args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json'] name: cis-k8s-cronjob resources: {} env: - name: AUTH_TOKEN - value: {{ .Values.accuknox.authToken }} + valueFrom: + secretKeyRef: + key: AUTH_TOKEN + {{- if (.Values.accuknox.secretName | empty) }} + name: cis-k8s-job-auth-token + {{- else }} + name: {{ .Values.accuknox.secretName }} + {{- end }} - name: CLUSTER_NAME value: {{ .Values.accuknox.clusterName }} - name: LABEL_NAME value: {{ .Values.accuknox.label }} - name: CLUSTER_ID - value: {{ .Values.accuknox.clusterID }} + value: {{ .Values.accuknox.clusterId }} - name: TENANT_ID - value: {{ .Values.accuknox.tenantID | quote}} + value: {{ .Values.accuknox.tenantId | quote}} - name: URL - value: {{ .Values.accuknox.URL }} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "KB" + 
value: {{ .Values.accuknox.url }} volumeMounts: - mountPath: /data name: datapath initContainers: - - image: docker.io/aquasec/kube-bench:v0.6.19 - command: ["/bin/sh", "-c"] - args: ["kube-bench run --json > /data/report.json"] + - image: "{{ .Values.kubeBench.image.repository }}:{{ .Values.kubeBench.image.tag }}" + command: + {{- include "cmd" .Values.toolConfig | trim | nindent 13 }} name: kube-bench volumeMounts: - - mountPath: /data - name: datapath - - mountPath: /var/lib/etcd - name: var-lib-etcd - readOnly: true - - mountPath: /var/lib/kubelet - name: var-lib-kubelet - readOnly: true - - mountPath: /var/lib/kube-scheduler - name: var-lib-kube-scheduler - readOnly: true - - mountPath: /var/lib/kube-controller-manager - name: var-lib-kube-controller-manager - readOnly: true - - mountPath: /etc/systemd - name: etc-systemd - readOnly: true - - mountPath: /lib/systemd/ - name: lib-systemd - readOnly: true - - mountPath: /srv/kubernetes/ - name: srv-kubernetes - readOnly: true - - mountPath: /etc/kubernetes - name: etc-kubernetes - readOnly: true - - mountPath: /usr/local/mount-from-host/bin - name: usr-bin - readOnly: true - - mountPath: /etc/cni/net.d/ - name: etc-cni-netd - readOnly: true - - mountPath: /opt/cni/bin/ - name: opt-cni-bin - readOnly: true + {{- include "volumeMounts" .Values.toolConfig | trim | nindent 13 }} hostPID: true restartPolicy: Never volumes: - - name: datapath - emptyDir: {} - - hostPath: - path: /var/lib/etcd - name: var-lib-etcd - - hostPath: - path: /var/lib/kubelet - name: var-lib-kubelet - - hostPath: - path: /var/lib/kube-scheduler - name: var-lib-kube-scheduler - - hostPath: - path: /var/lib/kube-controller-manager - name: var-lib-kube-controller-manager - - hostPath: - path: /etc/systemd - name: etc-systemd - - hostPath: - path: /lib/systemd - name: lib-systemd - - hostPath: - path: /srv/kubernetes - name: srv-kubernetes - - hostPath: - path: /etc/kubernetes - name: etc-kubernetes - - hostPath: - path: /usr/bin - name: usr-bin 
- - hostPath: - path: /etc/cni/net.d/ - name: etc-cni-netd - - hostPath: - path: /opt/cni/bin/ - name: opt-cni-bin + {{- include "volumes" .Values.toolConfig | trim | nindent 11 }} schedule: "{{ .Values.accuknox.cronTab }}" successfulJobsHistoryLimit: 1 diff --git a/cis-k8s-job/templates/cis-job.yaml b/cis-k8s-job/templates/cis-job.yaml index bd6ac14..bef5c29 100644 --- a/cis-k8s-job/templates/cis-job.yaml +++ b/cis-k8s-job/templates/cis-job.yaml @@ -23,7 +23,7 @@ spec: containers: - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" command: ["/bin/sh", "-c"] - args: ['/bin/sh entrypoint.sh && ./curl_command.sh'] + args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json'] name: cis-k8s-cronjob resources: {} env: @@ -41,19 +41,11 @@ spec: - name: LABEL_NAME value: {{ .Values.accuknox.label }} - name: CLUSTER_ID - value: {{ .Values.accuknox.clusterID }} + value: {{ .Values.accuknox.clusterId }} - name: TENANT_ID - value: {{ .Values.accuknox.tenantID | quote}} + value: {{ .Values.accuknox.tenantId | quote}} - name: URL - value: {{ .Values.accuknox.URL }} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "KB" + value: {{ .Values.accuknox.url }} volumeMounts: - mountPath: /data name: datapath diff --git a/curl_command.sh b/curl_command.sh deleted file mode 100644 index 678ba29..0000000 --- a/curl_command.sh +++ /dev/null 
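Review bot: The new env lines `value: {{ .Values.accuknox.url }}` and `value: {{ .Values.accuknox.clusterId }}` render as an empty/null value when the key is unset and as a bare number when clusterId is numeric, and the API rejects a number for the string field `env[].value`; the sibling k8s-risk-assessment-job templates quote `clusterID`, so use `value: {{ .Values.accuknox.url | quote }}` and `value: {{ .Values.accuknox.clusterId | quote }}` here and on the same lines of the cis-job.yaml hunk. The inlined upload in `args` has no `--fail`, so a 4xx/5xx from the artifact API still exits 0 and the `&& cat` runs, reporting a rejected upload as a successful job (the deleted curl_command.sh had the same gap); add `--fail` (or `--fail-with-body`) to this curl and to the equivalent ones in cis-job.yaml, configmap.yaml, k8tls-cronjob.yaml, k8tls-job.yaml and the two kiem-job templates. The form path `./data/report.json` is relative while the mount and the `cat` use `/data/report.json`; it only works if the image's working directory is `/` (the Dockerfile hunk shows no WORKDIR), so write `--form "file=@/data/report.json"` as the other charts do. Moving AUTH_TOKEN to a secretKeyRef is the right direction, but the token is then interpolated into curl's argv, and with `hostPID: true` on this pod spec that argv is readable from the node's PID namespace; passing the header via `--config -` on stdin or `-H @file` keeps the token out of the command line.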
@@ -1,34 +0,0 @@ -#!/bin/sh - -# Initialize CURL_FLAGS to handle both insecure and certificate usage -CURL_FLAGS="" - -# Always add --insecure if USE_INSECURE_CONNECTION is true -if [ "$USE_INSECURE_CONNECTION" = "true" ]; then - CURL_FLAGS="$CURL_FLAGS --insecure" -fi - -# Add certificate flags if CERT_BUNDLE_PATH is provided -if [ -n "$CERT_BUNDLE_PATH" ]; then - echo "Using in-line certificate content from CERT_BUNDLE_PATH..." - printf "%b" "$CERT_BUNDLE_PATH" > /tmp/cert.pem - CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem" -elif [ -n "$CERT_BUNDLE_URL" ]; then - echo "Attempting to download certificate from $CERT_BUNDLE_URL..." - if curl -o /tmp/cert.pem "$CERT_BUNDLE_URL"; then - CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem" - else - echo "Certificate not available or failed to download." - fi -fi - -# main curl command -curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=${DATA_TYPE}&label_id=${LABEL_NAME}&save_to_s3=true" \ - --header "Tenant-Id: ${TENANT_ID}" \ - --header "Authorization: Bearer ${AUTH_TOKEN}" \ - $CURL_FLAGS \ - --form "file=@/data/report.json" || exit 1 - -# Print the report -cat /data/report.json - diff --git a/k8s-risk-assessment-job/templates/configmap.yaml b/k8s-risk-assessment-job/templates/configmap.yaml index 0915929..d5c5b04 100644 --- a/k8s-risk-assessment-job/templates/configmap.yaml +++ b/k8s-risk-assessment-job/templates/configmap.yaml @@ -33,6 +33,8 @@ data: cat /data/report.json # push - - /curl_command.sh - + curl --location --request POST \ + --header "Authorization: Bearer ${AUTH_TOKEN}" \ + --header "Tenant-Id: ${TENANT_ID}" \ + --form "file=@\"/data/report.json\"" \ + "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KS&save_to_s3=true&label_id=${LABEL_NAME}" diff --git a/k8s-risk-assessment-job/templates/cronjob.yaml b/k8s-risk-assessment-job/templates/cronjob.yaml index 08aa81c..cc074d9 100644 --- a/k8s-risk-assessment-job/templates/cronjob.yaml 
+++ b/k8s-risk-assessment-job/templates/cronjob.yaml @@ -55,14 +55,6 @@ spec: value: {{ .Values.accuknox.clusterID | quote }} - name: LABEL_NAME value: {{ .Values.accuknox.label }} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "KS" volumeMounts: - mountPath: /data name: datapath diff --git a/k8s-risk-assessment-job/templates/job.yaml b/k8s-risk-assessment-job/templates/job.yaml index a5759fe..f5d43a7 100644 --- a/k8s-risk-assessment-job/templates/job.yaml +++ b/k8s-risk-assessment-job/templates/job.yaml @@ -51,14 +51,6 @@ spec: value: {{ .Values.accuknox.clusterID | quote }} - name: LABEL_NAME value: {{ .Values.accuknox.label }} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "KS" volumeMounts: - mountPath: /data name: datapath diff --git a/k8s-risk-assessment-job/values.yaml b/k8s-risk-assessment-job/values.yaml index bd26d80..0c087ab 100644 --- a/k8s-risk-assessment-job/values.yaml +++ b/k8s-risk-assessment-job/values.yaml @@ -31,7 +31,3 @@ accuknox: clusterID: 0 label: "" secretName: "" - certBundlePath: "" # Set this for cert local path if needed . - certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent) - useInsecureConnection: false # Set to true if insecure connection is needed - diff --git a/k8tls-job/templates/k8tls-cronjob.yaml b/k8tls-job/templates/k8tls-cronjob.yaml index 57d1a3a..91a5e15 100644 --- a/k8tls-job/templates/k8tls-cronjob.yaml +++ b/k8tls-job/templates/k8tls-cronjob.yaml 
@@ -46,8 +46,7 @@ spec: containers: - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" command: ["/bin/sh", "-c"] - args: ['./curl_command.sh'] - + args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json'] name: k8tls-job resources: {} env: @@ -68,14 +67,6 @@ spec: value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }} - name: LABEL_NAME value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "K8TLS" volumeMounts: - mountPath: /data name: datapath diff --git a/k8tls-job/templates/k8tls-job.yaml b/k8tls-job/templates/k8tls-job.yaml index d1ad70b..9c49240 100644 --- a/k8tls-job/templates/k8tls-job.yaml +++ b/k8tls-job/templates/k8tls-job.yaml @@ -18,7 +18,7 @@ spec: containers: - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" command: ["/bin/sh", "-c"] - args: ['./curl_command.sh'] + args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json'] name: k8tls-job resources: {} env: 
@@ -39,14 +39,6 @@ spec: value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }} - name: LABEL_NAME value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "K8TLS" volumeMounts: - mountPath: /data name: datapath diff --git a/k8tls-job/values.yaml b/k8tls-job/values.yaml index 5899eaa..d39b6ae 100644 --- a/k8tls-job/values.yaml +++ b/k8tls-job/values.yaml @@ -26,6 +26,4 @@ accuknox: clusterName: "" label: "" URL: "cspm.demo.accuknox.com" - certBundlePath: "" # Set this for cert local path if needed . - certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent) - useInsecureConnection: false # Set to true if insecure connection is needed + secretName: "" diff --git a/kiem-job/templates/deployment.yaml b/kiem-job/templates/deployment.yaml index 940e778..9262af0 100644 --- a/kiem-job/templates/deployment.yaml +++ b/kiem-job/templates/deployment.yaml @@ -29,11 +29,8 @@ spec: - name: datapath mountPath: /data containers: - - - image: accuknox/accuknox-job:latest - command: ["/bin/sh", "-c"] - args: ['./curl_command.sh'] - + - image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}" + command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=true&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""'] name: accuknox-kiem-cronjob resources: {} env: 
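Review bot: The added `secretName: ""` carries no comment, while the three keys this hunk removes each explained their purpose, so a reader of values.yaml cannot tell which Secret (and which key in it) this should name or what an empty value does. Suggest `secretName: ""  # existing Secret providing AUTH_TOKEN; leave empty to use the chart default` if that matches the template, which is outside this diff; the kiem-job/values.yaml hunk adds the same key and needs the same comment. Neither k8tls template hunk in this commit shows a `secretKeyRef` reading it, so confirm the key is actually consumed before it ships.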
@@ -54,14 +51,6 @@ spec: value: {{ .Values.accuknox.clusterName }} - name: LABEL_NAME value: {{ .Values.accuknox.label | quote}} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "KIEM" volumeMounts: - mountPath: /data name: datapath diff --git a/kiem-job/templates/job.yaml b/kiem-job/templates/job.yaml index 672d14b..0ad2eec 100644 --- a/kiem-job/templates/job.yaml +++ b/kiem-job/templates/job.yaml @@ -27,10 +27,7 @@ spec: mountPath: /data containers: - image: accuknox/accuknox-job:latest - - command: ["/bin/sh", "-c"] - args: ['./curl_command.sh'] - + command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=true&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""'] name: accuknox-kiem-job resources: {} env: @@ -51,14 +48,6 @@ spec: value: {{ .Values.accuknox.clusterName }} - name: LABEL_NAME value: {{ .Values.accuknox.label | quote}} - - name: CERT_BUNDLE_PATH - value: {{ .Values.accuknox.certBundlePath | quote }} - - name: CERT_BUNDLE_URL - value: {{ .Values.accuknox.certBundleURL }} - - name: USE_INSECURE_CONNECTION - value: {{ .Values.accuknox.useInsecureConnection | quote }} - - name: DATA_TYPE - value: "KIEM" volumeMounts: - mountPath: /data name: datapath diff --git a/kiem-job/values.yaml b/kiem-job/values.yaml index 7e429dd..4e7a48f 100644 --- a/kiem-job/values.yaml +++ b/kiem-job/values.yaml 
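Review bot: `- image: accuknox/accuknox-job:latest` is left as context here while the deployment.yaml hunk in this same commit switches the kiem container to `"{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"`, so the one-shot Job and the Deployment can now run different images. An unpinned `latest` tag also means the image behind the Job can change with no chart change, which defeats the reproducibility the templated tag gives the sibling resource. Change this line to `- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"`, assuming kiem-job/values.yaml defines `accuknoxJob.image` (its hunk shows only the `accuknox:` section).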
@@ -30,7 +30,4 @@ accuknox: cronTab: "30 9 * * *" clusterName: "" label: "" - certBundlePath: "" # Set this for cert local path if needed . - certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent) - useInsecureConnection: false # Set to true if insecure connection is needed - + secretName: ""