From 8a04934fbd47de1765661656e4cff30141a402b7 Mon Sep 17 00:00:00 2001 From: dwertent Date: Thu, 10 Feb 2022 20:41:28 +0200 Subject: [PATCH] Adding readme and yaml --- httphandler/README.md | 17 ++++ httphandler/ks-prometheus-support.yaml | 107 +++++++++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 httphandler/README.md create mode 100644 httphandler/ks-prometheus-support.yaml diff --git a/httphandler/README.md b/httphandler/README.md new file mode 100644 index 00000000..84bcd011 --- /dev/null +++ b/httphandler/README.md @@ -0,0 +1,17 @@ +# Using kubescape with prometheus + +> This is a beta version, we might make some changes before publishing the official Prometheus support + +**Set environment `KS_RUN_PROMETHEUS_SERVER=true`** + +Running `kubescape` will start up a webserver on port `8080` which will serve the following paths: + +* `/metrics` - will trigger cluster scan (equivalent to `kubescape scan --format prometheus`) and will respond with prometheus metrics once they have been scanned. This will respond 503 if the scan failed. +* `/livez` - will respond 204 OK every time +* `/readyz` - will respond 204 once metrics are available, will respond 503 if no metrics are available + +## Installation into kubernetes + +The files in [kubescape.yaml](kubescape.yaml) will deploy one instance of kubescape to run on your cluster. + +**NOTE** Make sure the configurations suit your cluster (e.g. `serviceType`) \ No newline at end of file diff --git a/httphandler/ks-prometheus-support.yaml b/httphandler/ks-prometheus-support.yaml new file mode 100644 index 00000000..4f0488d9 --- /dev/null +++ b/httphandler/ks-prometheus-support.yaml 
@@ -0,0 +1,107 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app: kubescape
+ name: ks-scanner
+---
+# ------------------- Kubescape Service Account ------------------- #
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: kubescape
+ name: kubescape-discovery
+ namespace: ks-scanner
+---
+# ------------------- Kubescape Cluster Role & Cluster Role Binding ------------------- #
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubescape-discovery-clusterroles
+ # "namespace" omitted since ClusterRoles are not namespaced
+rules:
+- apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["get", "list", "describe"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubescape-discovery-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubescape-discovery-clusterroles
+subjects:
+- kind: ServiceAccount
+ name: kubescape-discovery
+ namespace: ks-scanner
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kubescape-service
+ namespace: ks-scanner
+ labels:
+ app: kubescape-service
+spec:
+ type: NodePort
+ ports:
+ - port: 8080
+ targetPort: 8080
+ protocol: TCP
+ selector:
+ app: kubescape
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubescape
+ namespace: ks-scanner
+ labels:
+ app: kubescape
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kubescape
+ template:
+ metadata:
+ labels:
+ app: kubescape
+ spec:
+ serviceAccountName: kubescape-discovery
+ containers:
+ - name: kubescape
+ # livenessProbe:
+ # httpGet:
+ # path: /livez
+ # port: 8080
+ # initialDelaySeconds: 3
+ # periodSeconds: 3
+ # readinessProbe:
+ # httpGet:
+ # path: /readyz
+ # port: 8080
+ # initialDelaySeconds: 3
+ # periodSeconds: 3
+ image: quay.io/armosec/kubescape:prometheus.v1
+ env:
+ - name: KS_RUN_PROMETHEUS_SERVER
+ value: "true"
+ - name: KS_DEFAULT_CONFIGMAP_NAMESPACE
+ value: "ks-scanner"
+ ports:
+ - containerPort: 8080
+
command:
+ - kubescape
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ cpu: 500m
+ memory: 500Mi
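Review bot: The ClusterRole rule `apiGroups: ["*"] / resources: ["*"] / verbs: ["get", "list", "describe"]` lets the `kubescape-discovery` service account read every object in the cluster, including every Secret, and `describe` is not a Kubernetes API verb (kubectl implements it with get/list), so it should be dropped to `verbs: ["get", "list"]`. RBAC has no deny rules, so the only way to keep Secrets out of scope is to enumerate the groups and resources kubescape actually evaluates instead of `*`; if a wildcard is genuinely required, say so in a comment above the rule so operators know this token is cluster-wide secret read access. The Service is `type: NodePort` while the README in the same patch says `/metrics` runs a full cluster scan on every request and shows no authentication, so anyone who can reach the node port can both read the cluster's misconfiguration findings and force repeated scans — `type: ClusterIP` with in-cluster Prometheus scraping is the safer default. The container has no `securityContext`; for a pod holding a cluster-wide read token I would add the block below (confirm the image runs as non-root and tolerates a read-only root filesystem before enabling those two). Separately, the README links to `kubescape.yaml`, but the manifest added here is `ks-prometheus-support.yaml`.
```yaml
# … unchanged: Namespace, ServiceAccount …
rules:
- apiGroups: ["*"]        # TODO(review): narrow — this grants read on Secrets cluster-wide
  resources: ["*"]
  verbs: ["get", "list"]
# … unchanged: ClusterRoleBinding, Service metadata …
spec:
  type: ClusterIP
# … unchanged: ports, selector, Deployment metadata, pod template …
      containers:
      - name: kubescape
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
# … unchanged: image, env, ports, command, resources …
```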