Adding readme and yaml

httphandler/README.md

@@ -0,0 +1,17 @@
+# Using kubescape with prometheus
+
+> This is a beta version, we might make some changes before publishing the official Prometheus support
+
+**Set environment `KS_RUN_PROMETHEUS_SERVER=true`**
+
+Running `kubescape` will start up a webserver on port `8080` which will serve the following paths: 
+
+* `/metrics` - will trigger cluster scan (equivalent to `kubescape scan --format prometheus`) and will respond with prometheus metrics once they have been scanned. This will respond 503 if the scan failed.
+* `/livez` - will respond 204 OK every time
+* `/readyz` - will respond 204 once metrics are available, will respond 503 if no metrics are available
+
+## Installation into kubernetes
+
+The files in [kubescape.yaml](kubescape.yaml) will deploy one instance of kubescape to run on your cluster. 
+
+**NOTE** Make sure the configurations suit your cluster (e.g. `serviceType`)

httphandler/ks-prometheus-support.yaml

@@ -0,0 +1,107 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: kubescape
+  name: ks-scanner
+---
+# ------------------- Kubescape Service Account ------------------- #
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: kubescape
+  name: kubescape-discovery
+  namespace: ks-scanner
+---
+# ------------------- Kubescape Cluster Role & Cluster Role Binding ------------------- #
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubescape-discovery-clusterroles
+  # "namespace" omitted since ClusterRoles are not namespaced
+rules:
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["get", "list", "describe"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubescape-discovery-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubescape-discovery-clusterroles
+subjects:
+- kind: ServiceAccount
+  name: kubescape-discovery
+  namespace: ks-scanner
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubescape-service
+  namespace: ks-scanner
+  labels:
+    app: kubescape-service
+spec:
+  type: NodePort
+  ports:
+    - port: 8080
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: kubescape
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubescape
+  namespace: ks-scanner
+  labels:
+    app: kubescape
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kubescape
+  template:
+    metadata:
+      labels:
+        app: kubescape
+    spec:
+      serviceAccountName: kubescape-discovery
+      containers:
+      - name: kubescape
+        # livenessProbe:
+        #   httpGet:
+        #     path: /livez
+        #     port: 8080
+        #   initialDelaySeconds: 3
+        #   periodSeconds: 3
+        # readinessProbe:
+        #   httpGet:
+        #     path: /readyz
+        #     port: 8080
+        #   initialDelaySeconds: 3
+        #   periodSeconds: 3
+        image: quay.io/armosec/kubescape:prometheus.v1
+        env:
+        - name: KS_RUN_PROMETHEUS_SERVER
+          value: "true"
+        - name: KS_DEFAULT_CONFIGMAP_NAMESPACE
+          value: "ks-scanner"
+        ports:
+        - containerPort: 8080
+        command:
+        - kubescape
+        resources:
+          requests:
+            cpu: 10m
+            memory: 100Mi
+          limits:
+            cpu: 500m
+            memory: 500Mi