Deprecated host-scanner

Signed-off-by: David Wertenteil <dwertent@armosec.io>
This commit is contained in:
David Wertenteil
2023-07-04 09:43:10 +03:00
parent aa0fe21a2e
commit 8989cc1679
12 changed files with 189 additions and 28 deletions


@@ -16,7 +16,7 @@ var scanCmdExamples = fmt.Sprintf(`
Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks
# Scan current cluster with all frameworks
%[1]s scan --enable-host-scan --verbose
%[1]s scan
# Scan kubernetes YAML manifest files
%[1]s scan .
@@ -107,6 +107,8 @@ func GetScanCommand(ks meta.IKubescape) *cobra.Command {
hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensorEnabled, "enable-host-scan", "", "Deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls. Yaml file: https://github.com/kubescape/kubescape/blob/master/core/pkg/hostsensorutils/hostsensor.yaml")
hostF.NoOptDefVal = "true"
hostF.DefValue = "false, for no TTY in stdin"
scanCmd.PersistentFlags().MarkHidden("enable-host-scan")
scanCmd.PersistentFlags().MarkDeprecated("enable-host-scan", "To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator. The flag will be removed at 1.Dec.2023")
scanCmd.AddCommand(getControlCmd(ks, &scanInfo))
scanCmd.AddCommand(getFrameworkCmd(ks, &scanInfo))
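Review bot: The errors returned by `MarkHidden` and `MarkDeprecated` in the two lines after `hostF.DefValue` are discarded; both return a non-nil error when the named flag is not registered, so a later rename of `enable-host-scan` would leave the flag visible and undeprecated without any signal. Since this runs at command construction, treat it as an invariant: `if err := scanCmd.PersistentFlags().MarkDeprecated("enable-host-scan", hostScanDeprecationMsg); err != nil { panic(err) }`, with the long message hoisted into a named constant. `MarkDeprecated` in pflag also marks the flag hidden, so the preceding `MarkHidden` call looks redundant — confirm against the pflag version in go.mod before dropping it. The flag help text still says the command deploys a host-sensor DaemonSet, so a one-line comment should record that the deprecated flag remains functional until the removal date named in the message. GetScanCommand's body starts and ends outside the hunk.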


@@ -83,7 +83,6 @@ func (hsh *HostSensorHandler) Init(ctx context.Context) error {
// store pod names
// make sure all pods are running, after X seconds treat has running anyway, and log an error on the pods not running yet
logger.L().Info("Installing host scanner")
logger.L().Debug("The host scanner is a DaemonSet that runs on each node in the cluster. The DaemonSet will be running in it's own Namespace and will be deleted once the scan is completed. If you do not wish to install the host scanner, please run the scan without the --enable-host-scan flag.")
// log is used to avoid log duplication
// coming from the different host-scanner instances



@@ -131,7 +131,7 @@ func (k8sHandler *K8sResourceHandler) GetResources(ctx context.Context, sessionO
cautils.StopSpinner()
logger.L().Success("Requested Host scanner data")
} else {
cautils.SetInfoMapForResources("enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor", hostResources, sessionObj.InfoMap)
cautils.SetInfoMapForResources("This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator", hostResources, sessionObj.InfoMap)
}
}
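Review bot: The new info string passed to `SetInfoMapForResources` in the `else` branch repeats, word for word, the deprecation message attached to the `enable-host-scan` flag in scan.go, so the two will drift the next time the chart URL or wording changes. Hoist the sentence into one package-level constant (cautils, which already owns `SetInfoMapForResources`, is a natural home) and reference it from both call sites. The same string is also baked into the JSON fixtures touched by this commit, so a single constant is what keeps those fixtures cheap to regenerate. GetResources starts and ends outside the hunk.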


@@ -449,7 +449,7 @@
"C-0069": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0069",
"name": "Disable anonymous access to Kubelet service",
@@ -470,7 +470,7 @@
"C-0070": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0070",
"name": "Enforce Kubelet client TLS authentication",
@@ -942,7 +942,7 @@
"C-0069": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0069",
"name": "Disable anonymous access to Kubelet service",
@@ -963,7 +963,7 @@
"C-0070": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0070",
"name": "Enforce Kubelet client TLS authentication",


@@ -49241,7 +49241,7 @@
"C-0069": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0069",
"name": "Disable anonymous access to Kubelet service",
@@ -49262,7 +49262,7 @@
"C-0070": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0070",
"name": "Enforce Kubelet client TLS authentication",
@@ -49734,7 +49734,7 @@
"C-0069": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0069",
"name": "Disable anonymous access to Kubelet service",
@@ -49755,7 +49755,7 @@
"C-0070": {
"statusInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"controlID": "C-0070",
"name": "Enforce Kubelet client TLS authentication",
@@ -50001,15 +50001,15 @@
"InfoMap": {
"hostdata.kubescape.cloud/v1beta0/KubeletCommandLine": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"hostdata.kubescape.cloud/v1beta0/KubeletConfiguration": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
},
"hostdata.kubescape.cloud/v1beta0/KubeletInfo": {
"status": "skipped",
"info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor"
"info": "This control requires the host-scanner capability. To activate the host scanner capability, proceed with the installation of the kubescape operator chart found here: https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-cloud-operator"
}
},
"ResourceToControlsMap": {


@@ -17,7 +17,7 @@ You can also check [other installation methods](installation.md)
## Run your first scan
```sh
kubescape scan --enable-host-scan --verbose
kubescape scan --verbose
```
You will see output like this:
@@ -33,7 +33,7 @@ _Some documentation on using Kubescape is yet to move here from the [ARMO Platfo
* Scan a running Kubernetes cluster:
```sh
kubescape scan --enable-host-scan --verbose
kubescape scan --verbose
```
> **Note**


@@ -101,7 +101,7 @@ When scanning is not in progress
"excludedNamespaces": [<str>], // list of namespaces to exclude (same as 'kubescape scan --excluded-namespaces')
"includeNamespaces": [<str>], // list of namespaces to include (same as 'kubescape scan --include-namespaces')
"useCachedArtifacts"`: <bool>, // use the cached artifacts instead of downloading (offline support)
"hostScanner": <bool>, // deploy Kubescape K8s host-scanner DaemonSet in the scanned cluster (same as 'kubescape scan --enable-host-scan')
"hostScanner": <bool>, // deploy Kubescape host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valuable data from cluster nodes for certain controls
"keepLocal": <bool>, // do not submit results to Kubescape cloud (same as 'kubescape scan --keep-local')
"account": <str>, // account ID (same as 'kubescape scan --account')
"targetType": <str>, // framework/control

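--- /dev/null
+++ b/httphandler/node-agent.yaml
@@ -0,0 +1,160 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: node-agent
+namespace: kubescape
+uid: 7d7340d8-0f58-473d-8bba-b07d602bc60e
+spec:
+revisionHistoryLimit: 10
+selector:
+matchLabels:
+app.kubernetes.io/instance: kubescape
+app.kubernetes.io/name: node-agent
+tier: ks-control-plane
+template:
+metadata:
+creationTimestamp: null
+labels:
+alt-name: node-agent
+app: node-agent
+app.kubernetes.io/instance: kubescape
+app.kubernetes.io/name: node-agent
+helm.sh/chart: kubescape-relevancy-2.0.10
+otel: enabled
+tier: ks-control-plane
+spec:
+automountServiceAccountToken: true
+containers:
+- env:
+- name: KS_LOGGER_LEVEL
+value: debug
+- name: KS_LOGGER_NAME
+value: zap
+- name: OTEL_COLLECTOR_SVC
+value: otel-collector:4317
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: spec.nodeName
+- name: CONFIG_ENV_VAR
+value: /etc/node-agent/configuration/ConfigurationFile.json
+- name: NodeName
+image: quay.io/kubescape/sniffer:v0.1.58-relevancy
+imagePullPolicy: IfNotPresent
+name: node-agent
+resources: {}
+securityContext:
+capabilities:
+add:
+- SYS_RESOURCE
+- SYS_ADMIN
+runAsUser: 0
+terminationMessagePath: /dev/termination-log
+terminationMessagePolicy: File
+volumeMounts:
+- mountPath: /etc/node-agent/configuration
+name: configmap-volume
+- mountPath: /root/.falco
+name: root-falco-fs
+- mountPath: /host/proc
+name: proc-fs
+- mountPath: /sys/kernel/debug
+name: debugfs
+- mountPath: /host/var/run/docker.sock
+name: docker-socket
+- mountPath: /host/run/containerd/containerd.sock
+name: containerd-socket
+- mountPath: /host/run/crio/crio.sock
+name: crio-socket
+dnsPolicy: ClusterFirst
+initContainers:
+- env:
+- name: FALCO_BPF_PROBE
+image: docker.io/falcosecurity/falco-driver-loader:0.32.2
+imagePullPolicy: IfNotPresent
+name: falco-driver-loader
+resources: {}
+terminationMessagePath: /dev/termination-log
+terminationMessagePolicy: File
+volumeMounts:
+- mountPath: /root/.falco
+name: root-falco-fs
+- mountPath: /host/proc
+name: proc-fs
+readOnly: true
+- mountPath: /host/boot
+name: boot-fs
+readOnly: true
+- mountPath: /host/lib/modules
+name: lib-modules
+- mountPath: /host/usr
+name: usr-fs
+readOnly: true
+- mountPath: /host/etc
+name: etc-fs
+readOnly: true
+restartPolicy: Always
+schedulerName: default-scheduler
+securityContext: {}
+serviceAccount: node-agent-service-account
+serviceAccountName: node-agent-service-account
+terminationGracePeriodSeconds: 30
+volumes:
+- configMap:
+defaultMode: 420
+name: node-agent-config-map
+name: configmap-volume
+- emptyDir: {}
+name: root-falco-fs
+- hostPath:
+path: /boot
+type: ""
+name: boot-fs
+- hostPath:
+path: /lib/modules
+type: ""
+name: lib-modules
+- hostPath:
+path: /usr
+type: ""
+name: usr-fs
+- hostPath:
+path: /etc
+type: ""
+name: etc-fs
+- hostPath:
+path: /dev
+type: ""
+name: dev-fs
+- hostPath:
+path: /var/run/docker.sock
+type: ""
+name: docker-socket
+- hostPath:
+path: /run/containerd/containerd.sock
+type: ""
+name: containerd-socket
+- hostPath:
+path: /run/crio/crio.sock
+type: ""
+name: crio-socket
+- hostPath:
+path: /proc
+type: ""
+name: proc-fs
+- hostPath:
+path: /sys/kernel/debug
+type: ""
+name: debugfs
+updateStrategy:
+rollingUpdate:
+maxSurge: 0
+maxUnavailable: 1
+type: RollingUpdate
+status:
+currentNumberScheduled: 0
+desiredNumberScheduled: 0
+numberMisscheduled: 0
+numberReady: 0
+observedGeneration: 2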
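Review bot: The DaemonSet added here is a live-cluster dump rather than a deployable manifest: it carries `metadata.uid`, `creationTimestamp: null`, a `helm.sh/chart` label and a full `status` block, all of which should be stripped before anything applies it (a client-supplied `uid` on create is at best ignored and may be rejected — confirm against the client that consumes this file). The pod it describes is effectively node root — `runAsUser: 0` with `SYS_ADMIN`/`SYS_RESOURCE`, read-write hostPath mounts of `/sys/kernel/debug` and the docker, containerd and cri-o runtime sockets, `automountServiceAccountToken: true`, `resources: {}` and an image pinned by tag rather than digest — so a header comment should state why each mount and capability is required, the three socket mounts should carry `readOnly: true` the way the init container's `/host/proc`, `/host/boot`, `/host/usr` and `/host/etc` mounts already do, and limits belong under `resources`. Two smaller leftovers: the env entry `- name: NodeName` has neither `value` nor `valueFrom` (it looks like a stray duplicate of `NODE_NAME`), and the `dev-fs` volume is declared but mounted by no container. It is not visible from this diff what reads `httphandler/node-agent.yaml`; given that the commit deprecates the host-scanner, a comment naming the consumer (or dropping the file if there is none) would help the next reader.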


@@ -36,4 +36,4 @@ if (-not $currentPath.Contains($BASE_DIR)) {
Write-Host "Finished Installation.`n" -ForegroundColor Green
kubescape version
Write-Host "`nUsage: $ kubescape scan --enable-host-scan" -ForegroundColor Magenta
Write-Host "`nUsage: $ kubescape scan" -ForegroundColor Magenta


@@ -113,7 +113,7 @@ echo -e "\033[0m"
$KUBESCAPE_EXEC version
echo
echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan --enable-host-scan"
echo -e "\033[35mUsage: $ $KUBESCAPE_EXEC scan"
if [ "$(id -u)" -ne 0 ]; then
echo -e "\nRemember to add the Kubescape CLI to your path with:"


@@ -9,35 +9,35 @@ single_file = os.path.join("..", "examples", "online-boutique", "frontend.yaml")
def scan_all(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files, "--enable-host-scan=false"])
return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files])
def scan_control_name(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'HostPath mount', all_files, "--enable-host-scan=false"])
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'HostPath mount', all_files])
def scan_control_id(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0048', all_files, "--enable-host-scan=false"])
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0048', all_files])
def scan_controls(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0048,C-0016', all_files, "--enable-host-scan=false"])
return smoke_utils.run_command(command=[kubescape_exec, "scan", "control", 'C-0048,C-0016', all_files])
def scan_framework(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa", all_files, "--enable-host-scan=false"])
return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa", all_files])
def scan_frameworks(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa,mitre", all_files, "--enable-host-scan=false"])
return smoke_utils.run_command(command=[kubescape_exec, "scan", "framework", "nsa,mitre", all_files])
def scan_all(kubescape_exec: str):
return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files, "--enable-host-scan=false"])
return smoke_utils.run_command(command=[kubescape_exec, "scan", all_files])
def scan_from_stdin(kubescape_exec: str):
return smoke_utils.run_command(command=["cat", single_file, "|", kubescape_exec, "scan", "framework", "nsa", "-", "--enable-host-scan=false"])
return smoke_utils.run_command(command=["cat", single_file, "|", kubescape_exec, "scan", "framework", "nsa", "-"])
def run(kubescape_exec: str):