github/kubescape
1
0
Fork 0
mirror of https://github.com/kubescape/kubescape.git synced 2026-02-14 09:59:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial documentation update upon joining the CNCF (#1020)

Browse Source 
* Initial refactor

Signed-off-by: Craig Box <craigb@armosec.io>

* Initial refactor.

Signed-off-by: Craig Box <craigb@armosec.io>

* Now how did that get in there?

Signed-off-by: Craig Box <craigb@armosec.io>

* small fixes

Signed-off-by: Craig Box <craigb@armosec.io>

* Use GitHub note and warning syntax

Signed-off-by: Craig Box <craigb@armosec.io>

* second guessing thing with no docs

Signed-off-by: Craig Box <craigb@armosec.io>

* Final changes

Signed-off-by: Craig Box <craigb@armosec.io>

Signed-off-by: Craig Box <craigb@armosec.io>
This commit is contained in:
Craig Box
2023-01-11 19:53:55 +13:00
committed by GitHub
parent f1514d6e76
commit c39683872e
30 changed files with 532 additions and 556 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
.DS_Store vendored Normal file
View File

Binary file not shown.

94
CONTRIBUTING.md
View File

@@ -4,14 +4,16 @@ First, it is awesome that you are considering contributing to Kubescape! Contrib
When contributing, we categorize contributions into two:
* Small code changes or fixes, whose scope is limited to a single or two files
* Complex features and improvements, that are not limited
* Complex features and improvements, with potentially unlimited scope
If you have a small change, feel free to fire up a Pull Request.
When planning a bigger change, please first discuss the change you wish to make via issue,
email, or any other method with the owners of this repository before making a change. Most likely your changes or features are great, but sometimes we might be already going in this direction (or the exact opposite ;-) ) and we don't want to waste your time.
When planning a bigger change, please first discuss the change you wish to make via an issue,
so the maintainers are able to help guide you and let you know if you are going in the right direction.
Please note we have a code of conduct, please follow it in all your interactions with the project.
## Code of Conduct
Please follow our [code of conduct](CODE_OF_CONDUCT.md) in all of your interactions within the project.
## Pull Request Process
@@ -22,79 +24,41 @@ Please note we have a code of conduct, please follow it in all your interactions
3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch
4. We will merge the Pull Request once you have the sign-off.
## Code of Conduct
## Developer Certificate of Origin
### Our Pledge
All commits to the project must be "signed off", which states that you agree to the terms of the [Developer Certificate of Origin](https://developercertificate.org/). This is done by adding a "Signed-off-by:" line in the commit message, with your name and email address.
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to make participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, gender identity and expression, level of experience,
nationality, personal appearance, race, religion, or sexual identity and
orientation.
Commits made through the GitHub web application are automatically signed off.
### Our Standards
### Configuring Git to sign off commits
Examples of behavior that contributes to creating a positive environment
include:
First, configure your name and email address in Git global settings:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
```
$ git config --global user.name "John Doe"
$ git config --global user.email johndoe@example.com
```
Examples of unacceptable behavior by participants include:
You can now sign off per-commit, or configure Git to always sign off commits per repository.
* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
### Sign off per-commit
We will distance those who constantly adhere to unacceptable behavior.
Add [`-s`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to your Git command line. For example:
### Our Responsibilities
```git commit -s -m "Fix issue 64738"```
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective actions in
response to any instances of unacceptable behavior.
This is tedious, and if you forget, you'll have to [amend your commit](#f)
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
### Configure a repository to always include sign off
### Scope
There are many ways to achieve this with Git hooks, but the simplest is to do the following:
This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.
```
cd your-repo
curl -Ls https://gist.githubusercontent.com/dixudx/7d7edea35b4d91e1a2a8fbf41d0954fa/raw/prepare-commit-msg -o .git/hooks/prepare-commit-msg
chmod +x .git/hooks/prepare-commit-msg
```
### Enforcement
## Fixing a commit where the DCO failed
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
### Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at [http://contributor-covenant.org/version/1/4][version]
[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/
Check out [this guide](https://github.com/src-d/guide/blob/master/developer-community/fix-DCO.md).

496
README.md
View File

@@ -1,478 +1,94 @@
<div align="center">
<img src="docs/kubescape.png" width="300" alt="logo">
</div>
---
[![Version](https://img.shields.io/github/v/release/kubescape/kubescape)](releases)
[![build](https://github.com/kubescape/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/kubescape/kubescape/actions/workflows/build.yaml)
[![Go Report Card](https://goreportcard.com/badge/github.com/kubescape/kubescape)](https://goreportcard.com/report/github.com/kubescape/kubescape)
[![Gitpod Ready-to-Code](https://img.shields.io/badge/Gitpod-Ready--to--Code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/kubescape/kubescape)
[![GitHub](https://img.shields.io/github/license/kubescape/kubescape)](https://github.com/kubescape/kubescape/blob/master/LICENSE)
[![CNCF](https://shields.io/badge/CNCF-Sandbox%20project-blue?logo=linux-foundation&style=flat)](https://landscape.cncf.io/card-mode?project=sandbox&selected=kubescape)
[![Twitter Follow](https://img.shields.io/twitter/follow/kubescape?style=social)](https://twitter.com/kubescape)
:sunglasses: [Want to contribute?](#being-a-part-of-the-team) :innocent:
# Kubescape
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/white/kubescape-stacked-white.svg" width="150">
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
<img alt="Kubescape logo" align="right" src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubescape/stacked/color/kubescape-stacked-color.svg" width="150">
</picture>
Kubescape is an open-source Kubernetes security platform. A single pane of glass access to view risk analysis, security compliance, RBAC visualization, and image vulnerability scanning.
Kubescape scans Kubernetes clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (such as [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)). Kubescape also helps you find software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline. It calculates your risk score instantly and shows risk trends over time.
_An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters_
Kubescape is one of the fastest-growing Kubernetes security tools among developers. It saves Kubernetes users and admins precious time, effort, and resources with its easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, Github workflows, Prometheus, and Slack. It supports multi-cloud Kubernetes deployments like EKS, GKE, and AKS.
Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
</br>
Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/cis-kubernetes-benchmark-framework-scanning-tools-comparison/?utm_source=github&utm_medium=repository)).
# Kubescape CLI:
<img src="docs/demo.gif">
Kubescape was created by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository) and is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/).
</br>
## Demo
<img src="docs/img/demo.gif">
_Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape! 😀_
## Getting started
Experimenting with Kubescape is as easy as:
# TL;DR
## Install:
```sh
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
```
*OR:*
Learn more about:
[Install on windows](#install-on-windows)
* [Installing Kubescape](docs/getting-started.md#install-kubescape)
* [Running your first scan](docs/getting-started.md#run-your-first-scan)
* [Usage](docs/getting-started.md#examples)
* [Architecture](docs/architecture.md)
* [Building Kubescape from source](docs/building.md)
[Install on macOS](#install-on-macos)
_Did you know you can use Kubescape in all these places?_
[Install on NixOS or Linux/macOS via nix](#install-on-nixos-or-with-nix-community)
## Run:
```sh
kubescape scan --enable-host-scan --verbose
```
<img src="docs/summary.png">
</br>
> Kubescape is an open source project. We welcome your feedback and ideas for improvement. Were also aiming to collaborate with the Kubernetes community to help make the tests more robust and complete as Kubernetes develops.
</br>
## Architecture in short
[Component architecture](docs/architecture.drawio.svg)
### [CLI](#kubescape-cli)
<div align="center">
<img src="docs/ks-cli-arch.png" width="300" alt="cli-diagram">
<img src="docs/img/ksfromcodetodeploy.png" alt="Places you can use Kubescape: in your IDE, CI, CD, or against a running cluster.">
</div>
### [Operator](https://github.com/kubescape/helm-charts#readme)
<div align="center">
<img src="docs/ks-operator-arch.png" width="300" alt="operator-diagram">
</div>
## Under the hood
### Please [star ⭐](https://github.com/kubescape/kubescape/stargazers) the repo if you want us to continue developing and improving Kubescape 😀
Kubescape uses [Open Policy Agent](https://github.com/open-policy-agent/opa) to verify Kubernetes objects against [a library of posture controls](https://github.com/kubescape/regolibrary).
</br>
By default, the results are printed in a console-friendly manner, but they can be:
# Being a part of the team
* exported to JSON or junit XML
* rendered to HTML or PDF
* submitted to a [cloud service](docs/providers.md)
It retrieves Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
## Community
You are in vited to our community! We are excited about this project and want to return the love we get.
We hold community meetings on [Zoom](https://us02web.zoom.us/j/84020231442) on the first Tuesday of every month at 14:00 GMT! :sunglasses:
Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and are building more tests and controls as the ecosystem develops.
Please make sure that you follow our [Code Of Conduct](https://github.com/kubescape/kubescape/blob/master/CODE_OF_CONDUCT.md).
We hold [community meetings](https://us02web.zoom.us/j/84020231442) on Zoom, on the first Tuesday of every month, at 14:00 GMT.
The Kubescape project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
## Contributions
Want to discuss something? Have an issue? [Want to contribute?](https://github.com/kubescape/kubescape/blob/master/CONTRIBUTING.md)
* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own. [Contact us](MAINTAINERS.md) directly for more information :)
* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose) , we are trying to respond within 48 hours
* [Join us](https://discord.com/invite/WKZRaCtBxN) in the discussion on our discord server!
Thanks to all our contributors! Check out our [CONTRIBUTING](CONTRIBUTING.md) file to learn how to join them.
[<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://discord.com/invite/WKZRaCtBxN)
![discord](https://img.shields.io/discord/893048809884643379)
* Feel free to pick a task from the [issues](https://github.com/kubescape/kubescape/issues?q=is%3Aissue+is%3Aopen+label%3A%22open+for+contribution%22), [roadmap](docs/roadmap.md) or suggest a feature of your own.
* [Open an issue](https://github.com/kubescape/kubescape/issues/new/choose): we aim to respond to all issues within 48 hours.
* [Join the CNCF Slack](https://slack.cncf.io/) and then our [users](https://cloud-native.slack.com/archives/C04EY3ZF9GE) or [developers](https://cloud-native.slack.com/archives/C04GY6H082K) channel.
<br>
# Options and examples
[Kubescape docs](https://hub.armosec.io/docs?utm_source=github&utm_medium=repository)
## Playground
* [Kubescape playground](https://killercoda.com/saiyampathak/scenario/kubescape)
## Tutorials
* [Overview](https://youtu.be/wdBkt_0Qhbg)
* [How To Secure Kubernetes Clusters With Kubescape And Armo](https://youtu.be/ZATGiDIDBQk)
* [Scan Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
* [Scan container image registry](https://youtu.be/iQ_k8EnK-3s)
* [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
* [Managing exceptions in the Kubescape SaaS version](https://youtu.be/OzpvxGmCR80)
* [Configure and run customized frameworks](https://youtu.be/12Sanq_rEhs)
* Customize control configurations:
- [Kubescape CLI](https://youtu.be/955psg6TVu4)
- [Kubescape SaaS](https://youtu.be/lIMVSVhH33o)
## Install on Windows
<details><summary>Windows</summary>
**Requires powershell v5.0+**
``` powershell
iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex
```
Note: if you get an error you might need to change the execution policy (i.e. enable Powershell) with
``` powershell
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
```
</details>
## Install on macOS
<details><summary>MacOS</summary>
1. ```sh
brew tap kubescape/tap
```
2. ```sh
brew install kubescape-cli
```
</details>
## Install on NixOS or with nix (Community)
<details><summary>Nix/NixOS</summary>
Direct issues installing `kubescape` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)
You can use `nix` on Linux or macOS and on other platforms unofficially.
Try it out in an ephemeral shell: `nix-shell -p kubescape`
Install declarative as usual
NixOS:
```nix
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
kubescape
];
```
home-manager:
```nix
# your other config ...
home.packages = with pkgs; [
# your other packages ...
kubescape
];
```
Or to your profile (not preferred): `nix-env --install -A nixpkgs.kubescape`
</details>
## Usage & Examples
### Examples
#### Scan a running Kubernetes cluster
```
kubescape scan --enable-host-scan --verbose
```
> Read [here](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository) more about the `enable-host-scan` flag
#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
```
kubescape scan framework nsa
```
#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework
```
kubescape scan framework mitre
```
#### Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository)
```
kubescape scan control "Privileged container"
```
#### Scan using an alternative kubeconfig file
```
kubescape scan --kubeconfig cluster.conf
```
#### Scan specific namespaces
```
kubescape scan --include-namespaces development,staging,production
```
#### Scan cluster and exclude some namespaces
```
kubescape scan --exclude-namespaces kube-system,kube-public
```
#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
```
kubescape scan *.yaml
```
#### Scan Kubernetes manifest files from a git repository
```
kubescape scan https://github.com/kubescape/kubescape
```
#### Display all scanned resources (including the resources which passed)
```
kubescape scan --verbose
```
#### Output in `json` format
> Add the `--format-version v2` flag
```
kubescape scan --format json --format-version v2 --output results.json
```
#### Output in `junit xml` format
```
kubescape scan --format junit --output results.xml
```
#### Output in `pdf` format - Contributed by [@alegrey91](https://github.com/alegrey91)
```
kubescape scan --format pdf --output results.pdf
```
#### Output in `prometheus` metrics format - Contributed by [@Joibel](https://github.com/Joibel)
```
kubescape scan --format prometheus
```
#### Output in `html` format
```
kubescape scan --format html --output results.html
```
#### Scan with exceptions. Objects with exceptions will be presented as `exclude` and not `fail`
[Full documentation](examples/exceptions/README.md)
```
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
```
#### Scan Helm charts
```
kubescape scan </path/to/directory>
```
> Kubescape will load the default value file
#### Scan a Kustomize Directory
```
kubescape scan </path/to/directory>
```
> Kubescape will generate Kubernetes YAML objects using a 'Kustomize' file and scan them for security.
### Offline/Air-gapped Environment Support
[Video tutorial](https://youtu.be/IGXL9s37smM)
It is possible to run Kubescape offline!
#### Download all artifacts
1. Download and save in local directory, if path not specified, will save all in `~/.kubescape`
```
kubescape download artifacts --output path/to/local/dir
```
2. Copy the downloaded artifacts to the air-gaped/offline environment
3. Scan using the downloaded artifacts
```
kubescape scan --use-artifacts-from path/to/local/dir
```
#### Download a single artifact
You can also download a single artifact and scan with the `--use-from` flag
1. Download and save in a file, if the file name is not specified, will save in `~/.kubescape/<framework name>.json`
```
kubescape download framework nsa --output /path/nsa.json
```
2. Copy the downloaded artifacts to the air-gaped/offline environment
3. Scan using the downloaded framework
```
kubescape scan framework nsa --use-from /path/nsa.json
```
## Scan Periodically using Helm
[Please follow the instructions here](https://hub.armosec.io/docs/installation-of-armo-in-cluster?utm_source=github&utm_medium=repository)
[helm chart repo](https://github.com/armosec/armo-helm)
# Integrations
## VS Code Extension
![Visual Studio Marketplace Downloads](https://img.shields.io/visual-studio-marketplace/d/kubescape.kubescape?label=VScode) ![Open VSX](https://img.shields.io/open-vsx/dt/kubescape/kubescape?label=openVSX&color=yellowgreen)
Scan the YAML files while writing them using the [VS Code extension](https://github.com/armosec/vscode-kubescape/blob/master/README.md)
## Lens Extension
View Kubescape scan results directly in [Lens IDE](https://k8slens.dev/) using kubescape [Lens extension](https://github.com/armosec/lens-kubescape/blob/master/README.md)
# Building Kubescape
## Build on Windows
<details><summary>Windows</summary>
1. Install MSYS2 & build libgit _(needed only for the first time)_
```
build.bat all
```
> You can install MSYS2 separately by running `build.bat install` and build libgit2 separately by running `build.bat build`
2. Build kubescape
```
make build
```
OR
```
go build -tags=static .
```
</details>
## Build on Linux/MacOS
<details><summary>Linux / MacOS</summary>
1. Install libgit2 dependency _(needed only for the first time)_
```
make libgit2
```
> `cmake` is required to build libgit2. You can install it by running `sudo apt-get install cmake` (Linux) or `brew install cmake` (macOS)
2. Build kubescape
```
make build
```
OR
```
go build -tags=static .
```
3. Test
```
make test
```
</details>
## Build on pre-configured killercoda's ubuntu playground
* [Pre-configured Killercoda's Ubuntu Playground](https://killercoda.com/suhas-gumma/scenario/kubescape-build-for-development)
<details><summary> Pre-programmed actions executed by the playground </summary>
* Clone the official GitHub repository of `Kubescape`.
* [Automate the build process on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
* The entire process involves executing multiple commands in order and it takes around 5-6 minutes to execute them all.
</details>
<details>
<summary>Instructions to use the playground</summary>
* Apply changes you wish to make to the Kubescape directory using text editors like `Vim`.
* [Build on Linux](https://github.com/kubescape/kubescape#build-on-linuxmacos)
* Now, you can use Kubescape like a regular user. Instead of using `kubescape`, use `./kubescape`. Make sure you are in the Kubescape directory because the command will execute the binary named `kubescape` in `kubescape directory`)
</details>
## VS Code configuration samples
You can use the sample files below to setup your VS Code environment for building and debugging purposes.
<details><summary>.vscode/settings.json</summary>
```json5
// .vscode/settings.json
{
"go.testTags": "static",
"go.buildTags": "static",
"go.toolsEnvVars": {
"CGO_ENABLED": "1"
}
}
```
</details>
<details><summary>.vscode/launch.json</summary>
```json5
// .vscode/launch.json
{
"version": "0.2.0",
"configurations": [
{
"name": "Launch Package",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceFolder}/main.go",
"args": [
"scan",
"--logger",
"debug"
],
"buildFlags": "-tags=static"
}
]
}
```
</details>
# Under the hood
## Technology
Kubescape is based on the [OPA engine](https://github.com/open-policy-agent/opa) and ARMO's posture controls.
The tools retrieve Kubernetes objects from the API server and runs a set of [Rego snippets](https://www.openpolicyagent.org/docs/latest/policy-language/) developed by [ARMO](https://www.armosec.io?utm_source=github&utm_medium=repository).
The results by default are printed in a "console friendly" manner, but they can be retrieved in JSON format for further processing.
Kubescape is an open source project, we welcome your feedback and ideas for improvement. We are part of the Kubernetes community and aim to make the tests more robust and complete as Kubernetes develops.
## Thanks to all the contributors ❤️
<a href = "https://github.com/kubescape/kubescape/graphs/contributors">
<img src = "https://contrib.rocks/image?repo=kubescape/kubescape"/>
</a>
## License
Copyright 2021-2023, the Kubescape Authors. All rights reserved. Kubescape is released under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
Kubescape is a [Cloud Native Computing Foundation (CNCF) sandbox project](https://www.cncf.io/sandbox-projects/) and was contributed by [ARMO](https://www.armosec.io/?utm_source=github&utm_medium=repository).
<div align="center">
<img src="https://raw.githubusercontent.com/cncf/artwork/master/other/cncf-sandbox/horizontal/color/cncf-sandbox-horizontal-color.svg" width="300" alt="CNCF Sandbox Project">
</div>

1
core/pkg/registryadaptors/README.md
View File

@@ -28,6 +28,7 @@ Expecting:
"secretKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
```
> **Note**
> If you are missing the `accountID` field, set it by running `kubescape config set accountID <>`
For CICD, set environments variables as following:

BIN
docs/ARMO-header-2022.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 14 MiB

1
docs/Kubescape flow.drawio
View File

@@ -1 +0,0 @@
<mxfile host="app.diagrams.net" modified="2022-12-06T13:44:27.567Z" agent="5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" etag="82Ze98LIXdxZb4qKuLJX" version="20.6.0" type="github"><diagram id="-fs2xgBgB6aFH82wrd4-" name="Page-1">5Vpdc5s4FP01fkzGIAT2o2OndabpxLNuZ9tHGRRQC4gRIrbz61cyAgOisXdqDG0ekkgXIUvnnvvpjMA82n1kKAk+Uw+HI3Ps7UZgMTJNAwJD/JGSfS4BxjQX+Ix4atFRsCavWAnHSpoRD6e1hZzSkJOkLnRpHGOX12SIMbqtL3umYf1TE+RjTbB2UahL/yUeD3LpBI6P8iUmflB8sjFWTyJULFaCNEAe3VZE4H4E5oxSno+i3RyHErwCl/y9D794Wh6M4Zif88Jk+fDt6y57/Ofl5uud/4pm2XR5Y4B8mxcUZurG6rR8X0CwDQjH6wS5cr4Vah6Bu4BHoZgZYqg2wIzj3S+PZpQXFkzBNMKc7cWS4gWgMFIkMaZqvj1CbheMCKpwFy8ipWa/3PuIhBgoMP4HMMXGFRywJ5ihppTxgPo0RuH9UXrHaBZ7WG47FrPjmkdKE4XWD8z5XtEcZZzWsRR4sf039f5h8l1ObmExXeyqDxd7NcvPKg/4tgbEfWjGXPwWIyxlZYj5mJ+kjq5ThkPEyUv9JBfXT3HMCnHnnxeazuoa6Z7JN1aDybbO5EkLkZ2ueGxO3yuP4Z/BY6jxePnly2pwRC5Z2xeRDVsD6lO2wamLEjwybRRJDOJNmpT3r6AncOB1iFBI/FiMXYEHZkIg0SIi7s/Ug4h4Xm4MOCWvaHPYSmKfUBLzw+3g3Qgu5F6C/2luCnLrlDP6E89pSMW+i5jGcpdnEoYN0QW0ZFqw7m4g1LQ0bdFSZ2GzSHbeyieuTWWjSeWxTuVSFtSTua7I7GgwiQT2mfgZEz6HxqkG2gmYUJrk2e8z2UlodX5fAki7AaQ50YB0ruoTJhqMT5sfAoj0UCbIXzjlv43lJQwVwmFBV1xhSIYKmiC1GKrhwGsaaoFKBaaHOMl0Tv21EcY47TzhVSOMXrGuGHVxqvvMv1UnYOrcnraUNnfSnVb0cqx3dwIt57Q7acuOOnQnerb/lPH35E/g1DqDu/ZVuatXFnnaML4RP0+r2RASCOA0/DA4z+K7SyD0FHadbSIyiHQLwobpF6etomW2oGV2hZaeqa6YsEqx2QcigBoAZjbULLOwjL5QK6rbvppXx37V9+qz7ptX4OzmldOu0+s0r4AezjSFpYFs0IiwtQ+J0AsDp2P/Jtfg46YUIPenf9CriJZimzJuqRAGL2MBDRcLWlpeRpuPLRsMlzcAvUqbU0E6GurZ7tXbKo1ugOWcF5G6A0uv1fDOxUl7Q+XqcDWKW8vUW3VtDdXO0h5LL6TyHtRt71hNhsYsvbpBnAunNDikzJ6RKloB7y5iW/a5EXvSZ8S29FrnT47Ypj28kK3XRZ8mayGYrR56dxfNFKd3f2HpddGSytq7+YWeHcp2yIaJkS9HqYviGLPeEQVwaIhONUQfIuRj+ZXISxbG/SNmDCy6Qz3Jnvk+wz7igyjMrQbFOmz9iOnxH9IOzyr/1gfu/wM=</diagram></mxfile>

19
docs/architecture.md Normal file
View File

@@ -0,0 +1,19 @@
# Kubescape architecture
_Please check back soon for more: until then, enjoy these fine diagrams._
### [Component architecture](img/architecture.drawio.svg)
<div align="center">
<img src="img/architecture.drawio.svg" width="600" alt="Component architecture">
</div>
### [CLI](#kubescape-cli)
<div align="center">
<img src="img/ks-cli-arch.png" width="600" alt="cli-diagram">
</div>
### [Operator](https://github.com/kubescape/helm-charts#readme)
<div align="center">
<img src="img/ks-operator-arch.png" width="600" alt="operator-diagram">
</div>

107
docs/building.md Normal file
View File

@@ -0,0 +1,107 @@
# Building Kubescape
## Build on Windows
1. Install MSYS2 & build libgit _(needed only for the first time)_
```
build.bat all
```
> **Note**
> You can install MSYS2 separately by running `build.bat install` and build libgit2 separately by running `build.bat build`
2. Build kubescape
```
make build
```
OR
```
go build -tags=static .
```
## Build on Linux/MacOS
1. Install libgit2 dependency _(needed only for the first time)_
```
make libgit2
```
> **Note**
> `cmake` is required to build libgit2. You can install it by running `sudo apt-get install cmake` (Linux) or `brew install cmake` (macOS).
2. Build kubescape
```
make build
```
OR
```
go build -tags=static .
```
3. Test
```
make test
```
## Build Kubescape in a pre-configured playground
We have created a [Killercoda scenario](https://killercoda.com/suhas-gumma/scenario/kubescape-build-for-development) that you can use to experiment building Kubescape from source.
When you start the scenario, a script will clone the Kubescape repository and [execute a Linux build steps](https://github.com/kubescape/kubescape#build-on-linuxmacos). The entire process executes multiple commands in order: it takes around 5-6 minutes to complete.
How to use the build playground:
* Apply changes you wish to make to the Kubescape source code.
* [Perform a Linux build](#build-on-linuxmacos)
* Now, you can use Kubescape like normal, but instead of using `kubescape`, use `./kubescape`.
## VS Code configuration samples
You can use the sample files below to setup your VS Code environment for building and debugging purposes.
`.vscode/settings.json`:
```json5
// .vscode/settings.json
{
"go.testTags": "static",
"go.buildTags": "static",
"go.toolsEnvVars": {
"CGO_ENABLED": "1"
}
}
```
`.vscode/launch.json`:
```json5
// .vscode/launch.json
{
"version": "0.2.0",
"configurations": [
{
"name": "Launch Package",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceFolder}/main.go",
"args": [
"scan",
"--logger",
"debug"
],
"buildFlags": "-tags=static"
}
]
}
```

BIN
docs/demo.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 897 KiB

BIN
docs/discord-banner.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 16 KiB

295
docs/getting-started.md Normal file
View File

@@ -0,0 +1,295 @@
# Getting started with Kubescape
Kubescape can run as a command line tool on a client, as an operator inside a cluster, as part of your CI/CD process, or more.
The best way to get started with Kubescape is to download it to the machine you use to manage your Kubernetes cluster.
## Install Kubescape
```sh
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
```
(We're a security product; please read the file before you run it!)
You can also
* [Install on windows](#install-on-windows)
* [Install on macOS](#install-on-macos)
* [Install on NixOS or Linux/macOS via nix](#install-on-nixos-or-with-nix-community)
## Run your first scan
```sh
kubescape scan --enable-host-scan --verbose
```
You will see output like this:
<img src="img/summary.png">
## Usage
_Some documentation on using Kubescape is yet to move here from the [ARMO Platform docs](https://hub.armosec.io/docs?utm_source=github&utm_medium=repository)_.
### Examples
* Scan a running Kubernetes cluster:
```sh
kubescape scan --enable-host-scan --verbose
```
> **Note**
> [Read more about host scanning](https://hub.armosec.io/docs/host-sensor?utm_source=github&utm_medium=repository).
* Scan a running Kubernetes cluster with the [NSA framework](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/):
```sh
kubescape scan framework nsa
```
* Scan a running Kubernetes cluster with the [MITRE ATT&CK® framework](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/):
```sh
kubescape scan framework mitre
```
* Scan for a specific control, using the control name or control ID. [See the list of controls](https://hub.armosec.io/docs/controls?utm_source=github&utm_medium=repository).
```sh
kubescape scan control "Privileged container"
```
* Use an alternative kubeconfig file:
```sh
kubescape scan --kubeconfig cluster.conf
```
* Scan specific namespaces:
```sh
kubescape scan --include-namespaces development,staging,production
```
* Exclude certain namespaces:
```sh
kubescape scan --exclude-namespaces kube-system,kube-public
```
* Scan local YAML/JSON files before deploying:
```sh
kubescape scan *.yaml
```
Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI).
* Scan Kubernetes manifest files from a Git repository:
```sh
kubescape scan https://github.com/kubescape/kubescape
```
* Scan with exceptions
```sh
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
```
Objects with exceptions will be presented as `exclude` and not `fail`.
[See more examples about exceptions.](/examples/exceptions/README.md)
* Scan Helm charts
```sh
kubescape scan </path/to/directory>
```
> **Note**
> Kubescape will load the default VALUES file.
* Scan a Kustomize directory
```sh
kubescape scan </path/to/directory>
```
> **Note**
> Kubescape will generate Kubernetes YAML objects using a `kustomize` file and scan them for security.
### Output formats
* JSON:
```sh
kubescape scan --format json --format-version v2 --output results.json
```
> **Note**
> Add the `--format-version v2` flag for maximum compatibility.
* junit XML:
```sh
kubescape scan --format junit --output results.xml
```
* PDF:
```sh
kubescape scan --format pdf --output results.pdf
```
_Contributed by [@alegrey91](https://github.com/alegrey91)_
* Prometheus metrics:
```
kubescape scan --format prometheus
```
_Contributed by [@Joibel](https://github.com/Joibel)_
* HTML
```
kubescape scan --format html --output results.html
```
* Display all scanned resources (including the resources which passed):
```sh
kubescape scan --verbose
```
## Offline/air-gapped environment support
It is possible to run Kubescape offline! Check out our [video tutorial](https://youtu.be/IGXL9s37smM).
### Download all artifacts
1. Download the controls and save them in the local directory. If no path is specified, they will be saved in `~/.kubescape`.
```sh
kubescape download artifacts --output path/to/local/dir
```
2. Copy the downloaded artifacts to the offline system.
3. Scan using the downloaded artifacts:
```sh
kubescape scan --use-artifacts-from path/to/local/dir
```
### Download a single artifact
You can also download a single artifact, and scan with the `--use-from` flag:
1. Download and save in a file. If no file name is specified, the artifact will be saved as `~/.kubescape/<framework name>.json`.
```sh
kubescape download framework nsa --output /path/nsa.json
```
2. Copy the downloaded artifacts to the offline system.
3. Scan using the downloaded framework:
```sh
kubescape scan framework nsa --use-from /path/nsa.json
```
## Other ways to use Kubescape
### Scan periodically using Helm
We publish [a Helm chart](https://github.com/kubescape/helm-charts) for our in-cluster components. [Please follow the instructions here](https://hub.armosec.io/docs/installation-of-armo-in-cluster?utm_source=github&utm_medium=repository)
### VS Code Extension
![Visual Studio Marketplace Downloads](https://img.shields.io/visual-studio-marketplace/d/kubescape.kubescape?label=VScode) ![Open VSX](https://img.shields.io/open-vsx/dt/kubescape/kubescape?label=openVSX&color=yellowgreen)
Scan your YAML files while writing them using our [VS Code extension](https://github.com/armosec/vscode-kubescape/blob/master/README.md).
### Lens Extension
View Kubescape scan results directly in the [Lens IDE](https://k8slens.dev/) using the [Kubescape Lens extension](https://github.com/armosec/lens-kubescape/blob/master/README.md).
## Playground
Experiment with Kubescape in the [Kubescape playground](https://killercoda.com/saiyampathak/scenario/kubescape): this scenario will install a K3s cluster and Kubescape. You can start with any of the `kubescape scan` commands in the [examples](#examples).
## Tutorial videos
* [Kubescape overview](https://youtu.be/wdBkt_0Qhbg)
* [How to secure Kubernetes clusters with Kubescape](https://youtu.be/ZATGiDIDBQk)
* [Scan Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
* [Scan container image registry](https://youtu.be/iQ_k8EnK-3s)
* [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
* [Managing exceptions in ARMO Platform](https://youtu.be/OzpvxGmCR80)
* [Configure and run customized frameworks](https://youtu.be/12Sanq_rEhs)
* Customize control configurations:
- [Kubescape CLI](https://youtu.be/955psg6TVu4)
- [ARMO Platform](https://youtu.be/lIMVSVhH33o)
## Other installation methods
The `curl` install method will work on all platforms, but you may wish to use a native method to install Kubescape.
### Install on Windows
You must have PowerShell v5.0 or higher installed.
``` powershell
iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex
```
If you get an error, you may need to change the execution policy:
``` powershell
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
```
### Install on macOS
You can install Kubescape via [Homebrew](https://brew.sh/):
```sh
brew tap kubescape/tap
brew install kubescape-cli
```
</details>
### Install on NixOS or with nix
_This method is community-supported. If you are having trouble, please reach out to [NixOS support](https://nixos.wiki/wiki/Support)_
You can use `nix` on Linux or macOS.
Try it out in an ephemeral shell: `nix-shell -p kubescape`
NixOS:
```
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
kubescape
];
```
home-manager:
```
# your other config ...
home.packages = with pkgs; [
# your other packages ...
kubescape
];
```
Or, to your profile (not preferred): `nix-env --install -A nixpkgs.kubescape`

0
docs/architecture.drawio.svg → docs/img/architecture.drawio
View File

4
docs/img/architecture.drawio.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
docs/img/demo.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 678 KiB

0
docs/favicon.ico → docs/img/favicon.ico
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

0
docs/ks-cli-arch.png → docs/img/ks-cli-arch.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

0
docs/ks-operator-arch.png → docs/img/ks-operator-arch.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

0
docs/ksfromcodetodeploy.png → docs/img/ksfromcodetodeploy.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 967 KiB

After

Width:  |  Height:  |  Size: 967 KiB

0
docs/summary.png → docs/img/summary.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 163 KiB

After

Width:  |  Height:  |  Size: 163 KiB

9
docs/index.html
View File

@@ -2,9 +2,9 @@
<head>
<title>
Kubscape Website
Kubescape
</title>
<link rel="icon" type="image/x-icon" href="favicon.ico">
<link rel="icon" type="image/x-icon" href="img/favicon.ico">
</head>
<style>
img {
@@ -15,10 +15,7 @@
</style>
<body style="text-align: center;">
<img src="kubescape.png" alt="Kubescape logo" style="width:20%">
<iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500"
allowtransparency="true" frameborder="0"
sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
<img src="img/kubescape.png" alt="Kubescape logo" style="width:20%">
</body>
</html>

BIN
docs/install.jpeg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 40 KiB

BIN
docs/kubescape.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 59 KiB

35
docs/new-feature.svg
View File

@@ -1,35 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" width="104" height="20">
<defs>
<linearGradient id="workflow-fill" x1="50%" y1="0%" x2="50%" y2="100%">
<stop stop-color="#444D56" offset="0%"></stop>
<stop stop-color="#24292E" offset="100%"></stop>
</linearGradient>
<linearGradient id="state-fill" x1="50%" y1="0%" x2="50%" y2="100%">
<stop stop-color="#34D058" offset="0%"></stop>
<stop stop-color="#28A745" offset="100%"></stop>
</linearGradient>
</defs>
<g fill="none" fill-rule="evenodd">
<g font-family="&#39;DejaVu Sans&#39;,Verdana,Geneva,sans-serif" font-size="11">
<path id="workflow-bg" d="M0,3 C0,1.3431 1.3552,0 3.02702703,0 L54,0 L54,20 L3.02702703,20 C1.3552,20 0,18.6569 0,17 L0,3 Z" fill="url(#workflow-fill)" fill-rule="nonzero"></path>
<text fill="#010101" fill-opacity=".3">
<tspan x="22.1981982" y="15">new</tspan>
</text>
<text fill="#FFFFFF">
<tspan x="22.1981982" y="14">new</tspan>
</text>
</g>
<g transform="translate(54)" font-family="&#39;DejaVu Sans&#39;,Verdana,Geneva,sans-serif" font-size="11">
<path d="M0 0h46.939C48.629 0 50 1.343 50 3v14c0 1.657-1.37 3-3.061 3H0V0z" id="state-bg" fill="url(#state-fill)" fill-rule="nonzero"></path>
<text fill="#010101" fill-opacity=".3">
<tspan x="4" y="15">feature</tspan>
</text>
<text fill="#FFFFFF">
<tspan x="4" y="14">feature</tspan>
</text>
</g>
<path fill="#959DA5" d="M11 3c-3.868 0-7 3.132-7 7a6.996 6.996 0 0 0 4.786 6.641c.35.062.482-.148.482-.332 0-.166-.01-.718-.01-1.304-1.758.324-2.213-.429-2.353-.822-.079-.202-.42-.823-.717-.99-.245-.13-.595-.454-.01-.463.552-.009.946.508 1.077.718.63 1.058 1.636.76 2.039.577.061-.455.245-.761.446-.936-1.557-.175-3.185-.779-3.185-3.456 0-.762.271-1.392.718-1.882-.07-.175-.315-.892.07-1.855 0 0 .586-.183 1.925.718a6.5 6.5 0 0 1 1.75-.236 6.5 6.5 0 0 1 1.75.236c1.338-.91 1.925-.718 1.925-.718.385.963.14 1.68.07 1.855.446.49.717 1.112.717 1.882 0 2.686-1.636 3.28-3.194 3.456.254.219.473.639.473 1.295 0 .936-.009 1.689-.009 1.925 0 .184.131.402.481.332A7.011 7.011 0 0 0 18 10c0-3.867-3.133-7-7-7z"></path>
</g>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 2.1 KiB

7
docs/providers.md Normal file
View File

@@ -0,0 +1,7 @@
# Providers
Kubescape results are a very useful input to security services. Here are a list of commercial services that are compatible with Kubescape. If you develop one, please send a PR to add it to this list!
### ARMO Platform
ARMO Platform is the enterprise solution based on, and powered by Kubescape. Its a multi-cloud Kubernetes and CI/CD security platform with a single pane of glass. Features include risk analysis, security compliance, misconfiguration, image vulnerability, repository and registry scanning, RBAC visualization, and more. The Community Edition is free forever! [Get started today](https://cloud.armosec.io/account/sign-up?utm_source=github&utm_medium=repository).

BIN
docs/run.jpeg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 76 KiB

BIN
docs/using-mov.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 161 KiB

6
examples/exceptions/README.md
View File

@@ -28,8 +28,10 @@ You can find [here](https://github.com/kubescape/kubescape/tree/master/examples/
## Usage
The `resources` list and `posturePolicies` list are designed to be a combination of the resources and policies to exclude
> You must declare at least one resource and one policy
The `resources` list and `posturePolicies` list are designed to be a combination of the resources and policies to exclude.
> **Warning**
> You must declare at least one resource and one policy.
e.g. If you wish to exclude all namespaces with the label `"environment": "dev"`, the resource list should look as follows:
```

3
httphandler/examples/microservice/README.md
View File

@@ -4,7 +4,8 @@
```bash
kubectl apply -f ks-deployment.yaml
```
> **NOTE** Make sure the configurations suit your cluster (e.g. `serviceType`, namespace, etc.)
> **Note**
> Make sure the configurations suit your cluster (e.g. `serviceType`, namespace, etc.)
2. Trigger scan
```bash

3
httphandler/examples/prometheus/README.md
View File

@@ -4,7 +4,8 @@
```bash
kubectl apply -f ks-deployment.yaml
```
> **NOTE** Make sure the configurations suit your cluster (e.g. `serviceType`, etc.)
> **Note**
> Make sure the configurations suit your cluster (e.g. `serviceType`, etc.)
2. Deploy kube-prometheus-stack
```bash

8
website/index.html
View File

@@ -3,12 +3,10 @@
<title>
Kubescape Website
</title>
<h1>Kubescape Website</h1>
</head>
<body>
<h2>
Join us!!!
<iframe src="https://discordapp.com/widget?id=893048809884643379&theme=dark" width="350" height="500" allowtransparency="true" frameborder="0" sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>
</h2>
<h1>
Coming soon!
</h1>
</body>
</html>