From ce8175be6117460118f93cd245f5e581ec91c50a Mon Sep 17 00:00:00 2001 From: itsCheithanya <85927700+itsCheithanya@users.noreply.github.com> Date: Tue, 6 Sep 2022 12:09:25 +0530 Subject: [PATCH 1/4] Update README.md (#782) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 79d3aeeb..00399a52 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ :sunglasses: [Want to contribute?](#being-a-part-of-the-team) :innocent: -Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning. +Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CKĀ®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time. It has become one of the fastest-growing Kubernetes tools among developers due to its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins precious time, effort, and resources. From 52aa5f02e2f7314b4d988faa510ec5aa06ef2ba4 Mon Sep 17 00:00:00 2001 
From: TarangVerma <90996971+TarangVerma@users.noreply.github.com> Date: Tue, 6 Sep 2022 12:10:47 +0530 Subject: [PATCH 2/4] Fixed typos in contribute.md (#779) Fixed some spellings as well as grammar so that reader gets clear and concise view of the text. --- core/pkg/registryadaptors/contribute.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/core/pkg/registryadaptors/contribute.md b/core/pkg/registryadaptors/contribute.md index a9a6e648..fbef3c8f 100644 --- a/core/pkg/registryadaptors/contribute.md +++ b/core/pkg/registryadaptors/contribute.md 
@@ -4,12 +4,12 @@ ### Layers -* Controls and Rules: that actual control logic implementation, the "tests" themselves. Implemented in rego -* OPA engine: the [OPA](https://github.com/open-policy-agent/opa) rego interpreter -* Rules processor: Kubescape component, it enumerates and runs the controls while also preparing the all the input data that the controls need for running -* Data sources: set of different modules providing data to the Rules processor so it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding in this proposal the vulnerability infomration +* Controls and Rules: that actual control logic implementation, the "tests" themselves. Implemented in rego. +* OPA engine: the [OPA](https://github.com/open-policy-agent/opa) rego interpreter. +* Rules processor: Kubescape component, it enumerates and runs the controls while preparing all of the input data that the controls need for running. +* Data sources: set of different modules providing data to the Rules processor so it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding in this proposal the vulnerability information. * Cloud Image Vulnerability adaption interface: the subject of this proposal, it gives a common interface for different registry/vulnerability vendors to adapt to. -* CIV adaptors: specific implementation of the CIV interface, example Harbor adaption +* CIV adaptors: specific implementation of the CIV interface, example Harbor adaption. ``` ----------------------- | Controls/Rules (rego) | 
@@ -88,7 +88,7 @@ type ContainerImageInformation struct { type IContainerImageVulnerabilityAdaptor interface { // Credentials are coming from user input (CLI or configuration file) and they are abstracted at string to string map level - // so and example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"} + // so an example use would be like registry: "simpledockerregistry:80" and credentials like {"username":"joedoe","password":"abcd1234"} Login(registry string, credentials map[string]string) error // For "help" purposes @@ -161,4 +161,4 @@ The rego results will be a combination of the k8s artifact and the list of relev } ] } -``` \ No newline at end of file +``` From f7f11abfc2efd795ca160448526d8baa632ed953 Mon Sep 17 00:00:00 2001 From: Krishna Agarwal Date: Tue, 6 Sep 2022 12:11:18 +0530 Subject: [PATCH 3/4] fixed typos (#777) * fixed typos * Update container-image-vulnerability-adaptor.md --- docs/proposals/container-image-vulnerability-adaptor.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/proposals/container-image-vulnerability-adaptor.md b/docs/proposals/container-image-vulnerability-adaptor.md index 72baad40..6a6def97 100644 --- a/docs/proposals/container-image-vulnerability-adaptor.md +++ b/docs/proposals/container-image-vulnerability-adaptor.md 
@@ -6,12 +6,12 @@ source #287 ### Big picture -* Kubescape team is planning to create controls which take into account image vulnerabilities, example: looking for public internet facing workloads with critical vulnerabilities. These are seriously affecting the security health of a cluster and therefore we think it is important to cover it. We think that most container registries are/will support image scanning like Harbor and therefore, the ability to get information from them is important. -* There is information in the image repository which is important for the existing controls as well. They are incomplete without it, example see this issue: Non-root containers check is broken #19 . These are not necessarily image vulnerability related. Can be information in the image manifest (like the issue before), but it can be the image BOM related. +* Kubescape team is planning to create controls which take into account image vulnerabilities, for example: looking for public internet facing workloads with critical vulnerabilities. These are seriously affecting the security health of a cluster and therefore we think it is important to cover it. We think that most container registries are/will support image scanning like Harbor and therefore, the ability to get information from them is important. +* There is information in the image repository which is important for the existing controls as well. They are incomplete without it, this example sees this issue: Non-root containers check is broken #19. These are not necessarily image vulnerability related. These can be information in the image manifest (like the issue before), but it can also be the image BOM related. ### Relation to this proposal -Multiple changes and design decisions need to be made before Kubescape will support the above outlined controls. However, a focal point in the whole picture is the ability to access vulnerability of databases of container images. 
We anticipate that most container image repositories will support image vulnerability scanning, like some major players already do. Since there is no single API available which all of these data sources support, it is important to create an adaption layer within Kubescape so that different datasources can serve Kubescape's goals. +Multiple changes and design decisions need to be made before Kubescape will support the above outlined controls. However, a focal point in the whole picture is the ability to access vulnerability of databases of container images. We anticipate that most container image repositories will support image vulnerability scanning, like some major players already do. Since there is no single API available which all of these data sources support, it is important to create an adaption layer within Kubescape so that different data sources can serve Kubescape's goals. ## High level design of Kubescape @@ -22,7 +22,7 @@ Multiple changes and design decisions need to be made before Kubescape will supp * Rules processor: Kubescape component, it enumerates and runs the controls while also preparing all the input data that the controls need for running * Data sources: Set of different modules providing data to the Rules processor so that it can run the controls with them. Examples: Kubernetes objects, cloud vendor API objects and adding the vulnerability information in this proposal * Cloud Image Vulnerability adaption interface: The subject of this proposal, it gives a common interface for different registry/vulnerability vendors to adapt to. -* CIV adaptors: Specific implementation of the CIV interface, example Harbor adaption +* CIV adaptors: Specific implementation of the CIV interface, for example Harbor adaption ``` ----------------------- | Controls/Rules (rego) | From 43dbb55d50c7cae87fa9672c466a501181bb1d1e Mon Sep 17 00:00:00 2001 
From: Vicky Aryan <96813659+pwnb0y@users.noreply.github.com> Date: Wed, 7 Sep 2022 13:31:21 +0530 Subject: [PATCH 4/4] fixed some typo mistakes (#786) --- httphandler/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/httphandler/README.md b/httphandler/README.md index b80e9887..04b34b1f 100644 --- a/httphandler/README.md +++ b/httphandler/README.md @@ -23,7 +23,7 @@ Running `kubescape` will start up a web-server on port `8080` which will serve t ### Get results * GET `/v1/results` - request kubescape scan results -* * query `id=` -> request results of a specific scan ID. If empty will return latest results +* * query `id=` -> request results of a specific scan ID. If empty will return the latest results * * query `keep=true` -> keep the results in the local storage after returning. default is `keep=false` - the results will be deleted from local storage after they are returned [Response](#response-object): @@ -55,7 +55,7 @@ When scanning is in progress } ``` ### Check scanning progress status -Check the scanning status - is the scanning in progress or done. This is meant for a waiting mechanize since the API does not return the entire results object when the scanning is done +Check the scanning status - is the scanning in progress or done? This is meant for a waiting mechanize since the API does not return the entire results object when the scanning is done * GET `/v1/status` - Request kubescape scan status * * query `id=` -> Check status of a specific scan. If empty will check if any scan is in progress 
@@ -81,15 +81,15 @@ When scanning is not in progress ``` ### Delete cached results -* DELETE `/v1/results` - Delete kubescape scan results from storage. If empty will delete latest results +* DELETE `/v1/results` - Delete kubescape scan results from storage. If empty will delete the latest results * * query `id=`: Delete ID of specific results * * query `all`: Delete all cached results ### Prometheus support API * GET/POST `/v1/metrics` - will trigger cluster scan. will respond with prometheus metrics once they have been scanned. This will respond 503 if the scan failed. -* `/livez` - will respond 200 is server is alive -* `/readyz` - will respond 200 if server can receive requests +* `/livez` - will respond 200 if the server is alive +* `/readyz` - will respond 200 if the server can receive requests ## Objects @@ -140,7 +140,7 @@ When scanning is not in progress curl --request GET http://127.0.0.1:8080/v1/results -o response.json ``` -#### Trigger scan and wait for scan to end +#### Trigger scan and wait for the scan to end ```bash curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true, "submit": true}' http://127.0.0.1:8080/v1/scan?wait -o scan_results.json @@ -171,7 +171,7 @@ go tool pprof http://localhost:6060/debug/pprof/heap ## Supported environment variables * `KS_ACCOUNT`: Account ID -* `KS_SUBMIT`: Submit the results to Kubescape SaaS version +* `KS_SUBMIT`: Submit the results to the Kubescape SaaS version * `KS_EXCLUDE_NAMESPACES`: List of namespaces to exclude, e.g. `KS_EXCLUDE_NAMESPACES=kube-system,kube-public` * `KS_INCLUDE_NAMESPACES`: List of namespaces to include, rest of the namespaces will be ignored. e.g. `KS_INCLUDE_NAMESPACES=dev,prod` * `KS_HOST_SCAN_YAML`: Full path to the host scanner YAML
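Review bot: the first bullet of the Layers hunk in `core/pkg/registryadaptors/contribute.md` (PATCH 2/4) still reads "that actual control logic implementation" after the edit; since this patch is a typo pass over exactly these lines, change "that" to "the" here as well so the list does not need a second pass. The trailing periods are now consistent across all six bullets, which is fine.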
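Review bot: in the `IContainerImageVulnerabilityAdaptor` comment hunk of PATCH 2/4 (`@@ -88,7 +88,7 @@`), the sentence still says "they are abstracted at string to string map level"; while fixing "and example" to "an example", also rewrite this to "they are abstracted as a string-to-string map" so the comment reads as the Go doc comment it is. The sample credentials `{"username":"joedoe","password":"abcd1234"}` are obviously placeholders, but a short "example values only" qualifier in the comment would keep them from being copied into a real configuration.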
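Review bot: the second bullet of the Big picture hunk in `docs/proposals/container-image-vulnerability-adaptor.md` (PATCH 3/4, `@@ -6,12 +6,12 @@`) changes meaning rather than fixing a typo: "example see this issue: Non-root containers check is broken #19" was an instruction to look at the issue, but "this example sees this issue" no longer parses. Suggest "for example, see this issue: Non-root containers check is broken #19." In the same bullet, "These can be information in the image manifest ..., but it can also be the image BOM related" mixes number; "This can be information in the image manifest (like the issue above) or data from the image BOM" reads cleaner. The unchanged phrase "access vulnerability of databases of container images" in the Relation paragraph looks like a word-order slip for "access vulnerability databases of container images" and could be fixed while that paragraph is being reflowed.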
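Review bot: the CIV adaptors bullet in the `@@ -22,7 +22,7 @@` hunk of PATCH 3/4 is changed to "for example Harbor adaption", but the same bullet in `core/pkg/registryadaptors/contribute.md` (PATCH 2/4) is changed to "example Harbor adaption." instead; the two files carry the same Layers list, so the two patches should apply the same wording (and the same trailing-period convention) to both copies, or better, one copy should be replaced by a link to the other so the documents stop drifting.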
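Review bot: the status section of the `httphandler/README.md` hunk in PATCH 4/4 (`@@ -55,7 +55,7 @@`) turns the sentence into a question but leaves "a waiting mechanize", which is the actual typo on that line; it should read "a waiting mechanism". Suggest "Check whether the scanning is in progress or done. This is meant as a waiting mechanism, since the API does not return the full results object once scanning is done."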
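Review bot: the `/livez` and `/readyz` lines in the `@@ -81,15 +81,15 @@` hunk are fixed, but the `/v1/metrics` bullet just above them in the same hunk still starts a sentence in lowercase ("will trigger cluster scan. will respond with prometheus metrics") and could be tidied in the same pass: "GET/POST `/v1/metrics` - triggers a cluster scan and responds with Prometheus metrics once the scan has finished; responds 503 if the scan failed." Since the bullet documents that a plain GET starts a scan, it is worth saying so explicitly in the README so operators know the metrics endpoint is not read-only.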