Merge bb88272251 into e561f78ada

2026-03-21 02:48:19 +00:00 · 2021-10-12 00:20:05 +03:00
215 changed files with 13496 additions and 12766 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -2,7 +2,10 @@ name: build

 on:
  push:
-    branches: [ master ] 
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+    types: [ closed ]
 jobs:
  once:
    name: Create release
@@ -29,6 +32,7 @@ jobs:
        os: [ubuntu-latest, macos-latest, windows-latest]
    steps:
      - uses: actions/checkout@v1
+
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
@@ -44,14 +48,8 @@ jobs:
          ArmoERServer: report.armo.cloud
          ArmoWebsite: portal.armo.cloud
          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
+        run: python build.py
      
-      - name: Smoke Testing
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
-
      - name: Upload Release binaries
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
@@ -62,33 +60,3 @@ jobs:
          asset_path: build/${{ matrix.os }}/kubescape
          asset_name: kubescape-${{ matrix.os }}
          asset_content_type: application/octet-stream
-
-
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:v1.0.${{ github.run_number }} > build_tag.txt
-
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}
-
-      - name: Re-Tag Image to latest
-        run: docker tag $(cat build_tag.txt) quay.io/armosec/kubescape:latest
-
-      - name: Login to Quay.io
-        env: # Or as an environment variable
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-          docker push quay.io/armosec/kubescape:latest
-        
--- a/.github/workflows/build_dev.yaml
+++ b/.github/workflows/build_dev.yaml
@@ -3,6 +3,9 @@ name: build-dev
 on:
  push:
    branches: [ dev ]
+  pull_request:
+    branches: [ dev ]
+    types: [ closed ]
 jobs:
  build:
    name: Create cross-platform dev build
@@ -28,44 +31,10 @@ jobs:
          ArmoERServer: report.euprod1.cyberarmorsoft.com
          ArmoWebsite: portal.armo.cloud
          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
+        run: mkdir -p build/${{ matrix.os }}  && go mod tidy && go build -ldflags "-w -s -X github.com/armosec/kubescape/cmd.BuildNumber=$RELEASE -X github.com/armosec/kubescape/cautils/getter.ArmoBEURL=$ArmoBEServer -X github.com/armosec/kubescape/cautils/getter.ArmoERURL=$ArmoERServer -X github.com/armosec/kubescape/cautils/getter.ArmoFEURL=$ArmoWebsite" -o build/${{ matrix.os }}/kubescape # && md5sum build/${{ matrix.os }}/kubescape > build/${{ matrix.os }}/kubescape.md5
      
-      - name: Smoke Testing
-        env:
-          RELEASE: v1.0.${{ github.run_number }}
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
-
      - name: Upload build artifacts 
        uses: actions/upload-artifact@v2
        with:
          name: kubescape-${{ matrix.os }}
          path: build/${{ matrix.os }}/kubescape 
-
-
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    if: ${{ github.repository == 'armosec/kubescape' }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set name
-        run: echo quay.io/armosec/kubescape:dev-v1.0.${{ github.run_number }} > build_tag.txt
-
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag $(cat build_tag.txt) --build-arg run_number=${{ github.run_number }}
-      
-      - name: Login to Quay.io
-        env: # Or as an environment variable
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-        
-      - name: Push Docker image
-        run: |
-          docker push $(cat build_tag.txt)
-    
-        
--- a/.github/workflows/master_pr_checks.yaml
+++ b/.github/workflows/master_pr_checks.yaml
@@ -1,39 +0,0 @@
-name: master-pr
-
-on:
-  pull_request:
-    branches: [ master ]
-    types: [ edited, opened, synchronize, reopened ]
-jobs:
-  build:
-    name: Create cross-platform build
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
-
-      - name: Test
-        run: go test -v ./...
-
-      - name: Build
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          ArmoBEServer: api.armo.cloud
-          ArmoERServer: report.armo.cloud
-          ArmoWebsite: portal.armo.cloud
-          CGO_ENABLED: 0
-        run: python3 --version && python3 build.py
-
-      - name: Smoke Testing
-        env:
-          RELEASE: v1.0.${{ github.run_number }} 
-          KUBESCAPE_SKIP_UPDATE_CHECK: "true"
-        run: python3 smoke_testing/init.py ${PWD}/build/${{ matrix.os }}/kubescape
-        
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,4 @@
 *.vs*
 *kubescape*
 *debug*
-*vender*
-*.pyc*
 .idea
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -19,8 +19,7 @@ Please note we have a code of conduct, please follow it in all your interactions
   build.
 2. Update the README.md with details of changes to the interface, this includes new environment 
   variables, exposed ports, useful file locations and container parameters.
-3. Open Pull Request to `dev` branch - we test the component before merging into the `master` branch
-4. We will merge the Pull Request in once you have the sign-off.
+3. We will merge the Pull Request in once you have the sign-off.

 ## Code of Conduct

--- a/README.md
+++ b/README.md
@@ -3,12 +3,9 @@
 [![build](https://github.com/armosec/kubescape/actions/workflows/build.yaml/badge.svg)](https://github.com/armosec/kubescape/actions/workflows/build.yaml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/armosec/kubescape)](https://goreportcard.com/report/github.com/armosec/kubescape)

-Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks:
-regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) .  
-Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time.
-Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
+Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)

-</br>
+Use Kubescape to test clusters or scan single YAML files and integrate it to your processes.

 <img src="docs/demo.gif">

@@ -24,22 +21,15 @@ curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh |

 ## Run:
 ```
-kubescape scan --submit
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 ```

+If you wish to scan all namespaces in your cluster, remove the `--exclude-namespaces` flag.
+
 <img src="docs/summary.png">

-</br>
-
-> Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
-
-</br>
-
 ### Click [👍](https://github.com/armosec/kubescape/stargazers) if you want us to continue to develop and improve Kubescape 😀

-</br>
-
-
 # Being part of the team

 We invite you to our team! We are excited about this project and want to return the love we get.
@@ -51,16 +41,8 @@ Want to contribute? Want to discuss something? Have an issue?

 [<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)

-
 # Options and examples

-## Tutorials
-
-* [Overview](https://youtu.be/wdBkt_0Qhbg)
-* [Scanning Kubernetes YAML files](https://youtu.be/Ox6DaR7_4ZI)
-* [Scan Kubescape on an air-gapped environment (offline support)](https://youtu.be/IGXL9s37smM)
-* [Managing exceptions in the Kubescape SaaS version](https://youtu.be/OzpvxGmCR80)
-
 ## Install on Windows

 **Requires powershell v5.0+**
@@ -86,105 +68,74 @@ Set-ExecutionPolicy RemoteSigned -scope CurrentUser

 ## Flags

-| flag                        | default                   | description                                                                                                                                                                                                                                                                                                          | options                          |
-|-----------------------------|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
-| `-e`/`--exclude-namespaces` | Scan all namespaces       | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces                                                                                                                                                                                                               |                                              |
-| `--include-namespaces`      | Scan all namespaces       | Scan specific namespaces                                                                                                                            |                                              |
-| `-s`/`--silent`             | Display progress messages | Silent progress messages                                                                                                                                                                                                                                                                                             |                                              |
-| `-t`/`--fail-threshold`     | `100` (do not fail)         | fail command (return exit code 1) if result is above threshold                                                                                                                                                                                                                                                       | `0` -> `100`                                 |
-| `-f`/`--format`             | `pretty-printer`          | Output format                                                                                                                                                                                                                                                                                                        | `pretty-printer`/`json`/`junit`/`prometheus` |
-| `-o`/`--output`             | print to stdout           | Save scan result in file                                                                                                                                                                                                                                                                                             |                                              |
-| `--use-from`                |                           | Load local framework object from specified path. If not used will download latest                                                                                                                                                                                                                                    |                                              |
-| `--use-default`             | `false`                   | Load local framework object from default path. If not used will download latest                                                                                                                                                                                                                                      | `true`/`false`                               |
-| `--exceptions`              |                           | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal                                                                                                                                                                                               |                                              |
-| `--submit`                  | `false`                   | If set, Kubescape will send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not sent | `true`/`false`                               |
-| `--keep-local`              | `false`                   | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results                                                                                                                                | `true`/`false`                               |
-| `--account`                 |                           | Armo portal account ID. Default will load account ID from configMap or config file                                                                                                                                                                                                                                   |                                              |
-| `--verbose`                 | `false`                   | Display all of the input resources and not only failed resources                                                                                                                                                                                                                                                     | `true`/`false`                               |
-
+| flag |  default | description | options |
+| --- | --- | --- | --- |
+| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
+| `-s`/`--silent` | Display progress messages | Silent progress messages |
+| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result bellow threshold| `0` -> `100` |
+| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` |
+| `-o`/`--output` | print to stdout | Save scan result in file |
+| `--use-from` | | Load local framework object from specified path. If not used will download latest |
+| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
+| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
+| `--submit` | `false` | If set, Kubescape will send scan results to Armo management portal to allow users to control exceptions and maintain chronological scan results. By default the results are not sent | `true`/`false`|
+| `--local` | `false` | Kubescape will not send scan results to Armo management portal. Use this flag if you ran with the `--submit` flag in the past and you do not want to submit your current scan results | `true`/`false`|
+| `--account` | | Armo portal account ID. Default will load account ID from configMap or config file | |

 ## Usage & Examples

 ### Examples

-#### Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
+* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework and submit results to [Armo portal](https://portal.armo.cloud/)
 ```
-kubescape scan framework nsa --submit
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --submit
 ```


-#### Scan a running Kubernetes cluster with [`MITRE ATT&CK®`](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) framework and submit results to the [Kubescape SaaS version](https://portal.armo.cloud/)
+* Scan a running Kubernetes cluster with [`mitre`](https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/) framework and submit results to [Armo portal](https://portal.armo.cloud/)
 ```
-kubescape scan framework mitre --submit
+kubescape scan framework mitre --exclude-namespaces kube-system,kube-public --submit
 ```

-
-#### Scan a running Kubernetes cluster with a specific control using the control name or control ID. [List of controls](https://hub.armo.cloud/docs/controls) 
-```
-kubescape scan control "Privileged container"
-```
-
-#### Scan specific namespaces
-```
-kubescape scan framework nsa --include-namespaces development,staging,production
-```
-
-#### Scan cluster and exclude some namespaces
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
-```
-
-#### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
+* Scan local `yaml`/`json` files before deploying
 ```
 kubescape scan framework nsa *.yaml
 ```

-#### Scan kubernetes manifest files from a public github repository 
+
+* Scan `yaml`/`json` files from url
 ```
-kubescape scan framework nsa https://github.com/armosec/kubescape
+kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
 ```

-#### Display all scanned resources (including the resources who passed) 
+* Output in `json` format
 ```
-kubescape scan framework nsa --verbose
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
 ```

-#### Output in `json` format
+* Output in `junit xml` format
 ```
-kubescape scan framework nsa --format json --output results.json
+kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
 ```

-#### Output in `junit xml` format
+* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`  <img src="docs/new-feature.svg">
 ```
-kubescape scan framework nsa --format junit --output results.xml
+kubescape scan framework nsa --exceptions examples/exceptions.json
 ```

-#### Output in `prometheus` metrics format - Contributed by [@Joibel](https://github.com/Joibel)
-```
-kubescape scan framework nsa --format prometheus
-```
+### Helm Support

-#### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
-[Full documentation](examples/exceptions/README.md)
-```
-kubescape scan framework nsa --exceptions examples/exceptions/exclude-kube-namespaces.json
-```
-
-#### Scan Helm charts - Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
+* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
 ```
 helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
 ```

-e.g.
+for example:
 ```
 helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
 ```
-
-
 ### Offline Support

-[Video tutorial](https://youtu.be/IGXL9s37smM)
-
 It is possible to run Kubescape offline!

 First download the framework and then scan with `--use-from` flag
@@ -199,40 +150,13 @@ kubescape download framework nsa --output nsa.json
 kubescape scan framework nsa --use-from nsa.json
 ```

+Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.

-## Scan Periodically using Helm - Contributed by [@yonahd](https://github.com/yonahd)  
- 
-You can scan your cluster periodically by adding a `CronJob` that will repeatedly trigger kubescape
-
-```
-helm install kubescape examples/helm_chart/
-```
-
-## Scan using docker image
-
-Official Docker image `quay.io/armosec/kubescape`
-
-```
-docker run -v "$(pwd)/example.yaml:/app/example.yaml  quay.io/armosec/kubescape scan framework nsa /app/example.yaml
-```
-
-# Submit data manually
-
-Use the `submit` command if you wish to submit data manually
-
-## Submit scan results manually
-
-First, scan your cluster using the `json` format flag: `kubescape scan framework <name> --format json --output path/to/results.json`.
-
-Now you can submit the results to the Kubaescape SaaS version -
-```
-kubescape submit results path/to/results.json
-```
 # How to build

-## Build using python (3.7^) script
+## Build using python script

-Kubescape can be built using:
+Kubescpae can be built using:

 ``` sh
 python build.py
@@ -263,14 +187,12 @@ go build -o kubescape .

 3. Run
 ```
-./kubescape scan framework nsa
+./kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
 ```

 4. Enjoy :zany_face:

-## Docker Build
-
-### Build your own Docker image
+## How to build in Docker

 1. Clone Project
 ```
@@ -282,11 +204,10 @@ git clone https://github.com/armosec/kubescape.git kubescape && cd "$_"
 docker build -t kubescape -f build/Dockerfile .
 ```

-
 # Under the hood

 ## Tests
-Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
+Kubescape is running the following tests according to what is defined by [Kubernetes Hardening Guidance by NSA and CISA](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
 * Non-root containers
 * Immutable container filesystem
 * Privileged containers
--- a/build.py
+++ b/build.py
@@ -41,7 +41,7 @@ def main():

    # Set some variables
    packageName = getPackageName()
-    buildUrl = "github.com/armosec/kubescape/cautils.BuildNumber"
+    buildUrl = "github.com/armosec/kubescape/cmd.BuildNumber"
    releaseVersion = os.getenv("RELEASE")
    ArmoBEServer = os.getenv("ArmoBEServer")
    ArmoERServer = os.getenv("ArmoERServer")
@@ -59,7 +59,8 @@ def main():
           ER_SERVER_CONST, ArmoERServer, WEBSITE_CONST, ArmoWebsite)
    status = subprocess.call(["go", "build", "-o", "%s/%s" % (buildDir, packageName), "-ldflags" ,ldflags])
    checkStatus(status, "Failed to build kubescape")
-    
+
+
    sha1 = hashlib.sha1()
    with open(buildDir + "/" + packageName, "rb") as kube:
        sha1.update(kube.read())
@@ -67,7 +68,6 @@ def main():
            kube_sha.write(sha1.hexdigest())

    print("Build Done")
- 
- 
+
 if __name__ == "__main__":
    main()
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,32 +1,15 @@
 FROM golang:1.17-alpine as builder
-#ENV GOPROXY=https://goproxy.io,direct
-
-ARG run_number
-
-ENV RELEASE=v1.0.${run_number}
-
-ENV GO111MODULE=
-
-ENV CGO_ENABLED=0
-
-# Install required python/pip
-ENV PYTHONUNBUFFERED=1
-RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
-RUN python3 -m ensurepip
-RUN pip3 install --no-cache --upgrade pip setuptools
+ENV GOPROXY=https://goproxy.io,direct
+ENV GO111MODULE=on

 WORKDIR /work
 ADD . .
-
-RUN python build.py
-
-RUN ls -ltr build/ubuntu-latest
-RUN cat /work/build/ubuntu-latest/kubescape.sha1
+RUN GOOS=linux CGO_ENABLED=0 go build -ldflags="-s -w " -installsuffix cgo  -o kubescape .

 FROM alpine
-COPY --from=builder /work/build/ubuntu-latest/kubescape /usr/bin/kubescape
+COPY --from=builder /work/kubescape /usr/bin/kubescape

 # # Download the frameworks. Use the "--use-default" flag when running kubescape
 # RUN kubescape download framework nsa && kubescape download framework mitre

-ENTRYPOINT ["kubescape"]
+CMD ["kubescape"]
--- a/cautils/apis/backendconnector.go
+++ b/cautils/apis/backendconnector.go
@@ -0,0 +1,101 @@
+package apis
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+// HTTPReqFunc allows you to insert query params and more to aggregation message while using update aggregator
+type HTTPReqFunc func(req *http.Request, qryData interface{})
+
+func BasicBEQuery(req *http.Request, qryData interface{}) {
+
+	q := req.URL.Query()
+
+	if notificationData, isok := qryData.(*LoginObject); isok {
+		q.Add("customerGUID", notificationData.GUID)
+	}
+
+	req.URL.RawQuery = q.Encode()
+}
+
+func EmptyQuery(req *http.Request, qryData interface{}) {
+	q := req.URL.Query()
+	req.URL.RawQuery = q.Encode()
+}
+
+func MapQuery(req *http.Request, qryData interface{}) {
+	q := req.URL.Query()
+	if qryMap, isok := qryData.(map[string]string); isok {
+		for k, v := range qryMap {
+			q.Add(k, v)
+		}
+
+	}
+	req.URL.RawQuery = q.Encode()
+}
+
+func BEHttpRequest(loginobj *LoginObject, beURL,
+	httpverb string,
+	endpoint string,
+	payload []byte,
+	f HTTPReqFunc,
+	qryData interface{}) ([]byte, error) {
+	client := &http.Client{}
+
+	beURL = fmt.Sprintf("%v/%v", beURL, endpoint)
+	req, err := http.NewRequest(httpverb, beURL, bytes.NewReader(payload))
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Authorization", loginobj.Authorization)
+	f(req, qryData)
+
+	for _, cookie := range loginobj.Cookies {
+		req.AddCookie(cookie)
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		fmt.Printf("req:\n%v\nresp:%v\n", req, resp)
+		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return body, nil
+}
+
+type BELoginResponse struct {
+	Name              string `json:"name"`
+	PreferredUsername string `json:"preferred_username"`
+	Email             string `json:"email"`
+	CustomerGuid      string `json:"customerGuid"`
+	Expires           string `json:"expires"`
+	Authorization     string `json:"authorization"`
+	Cookies           []*http.Cookie
+}
+
+func (r *BELoginResponse) ToLoginObject() *LoginObject {
+	l := &LoginObject{}
+	l.Authorization = r.Authorization
+	l.Cookies = r.Cookies
+	l.Expires = r.Expires
+	l.GUID = r.CustomerGuid
+
+	return l
+}
+
+type BackendConnector struct {
+	BaseURL         string
+	BELoginResponse *BELoginResponse
+	Credentials     *CustomerLoginDetails
+	HTTPClient      *http.Client
+}
--- a/cautils/apis/backendconnectormethods.go
+++ b/cautils/apis/backendconnectormethods.go
@@ -0,0 +1,128 @@
+package apis
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+)
+
+func MakeBackendConnector(client *http.Client, baseURL string, loginDetails *CustomerLoginDetails) (*BackendConnector, error) {
+	if err := ValidateBEConnectorMakerInput(client, baseURL, loginDetails); err != nil {
+		return nil, err
+	}
+	conn := &BackendConnector{BaseURL: baseURL, Credentials: loginDetails, HTTPClient: client}
+	err := conn.Login()
+
+	return conn, err
+}
+
+func ValidateBEConnectorMakerInput(client *http.Client, baseURL string, loginDetails *CustomerLoginDetails) error {
+	if client == nil {
+		return fmt.Errorf("You must provide an initialized httpclient")
+	}
+	if len(baseURL) == 0 {
+		return fmt.Errorf("you must provide a valid backend url")
+	}
+
+	if loginDetails == nil || (len(loginDetails.Email) == 0 && len(loginDetails.Password) == 0) {
+		return fmt.Errorf("you must provide valid login details")
+	}
+	return nil
+
+}
+
+func (r *BackendConnector) Login() error {
+	if !r.IsExpired() {
+		return nil
+	}
+
+	loginInfoBytes, err := json.Marshal(r.Credentials)
+	if err != nil {
+		return fmt.Errorf("unable to marshal credentials properly")
+	}
+
+	beURL := fmt.Sprintf("%v/%v", r.BaseURL, "login")
+
+	req, err := http.NewRequest("POST", beURL, bytes.NewReader(loginInfoBytes))
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Referer", strings.Replace(beURL, "dashbe", "cpanel", 1))
+	resp, err := r.HTTPClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("unable to read login response")
+	}
+
+	loginS := &BELoginResponse{}
+	json.Unmarshal(body, &loginS)
+
+	loginS.Cookies = resp.Cookies()
+	r.BELoginResponse = loginS
+
+	return nil
+}
+
+func (r *BackendConnector) IsExpired() bool {
+	return r.BELoginResponse == nil || r.BELoginResponse.ToLoginObject().IsExpired()
+}
+
+func (r *BackendConnector) GetBaseURL() string {
+	return r.BaseURL
+}
+func (r *BackendConnector) GetLoginObj() *LoginObject {
+	return r.BELoginResponse.ToLoginObject()
+}
+func (r *BackendConnector) GetClient() *http.Client {
+	return r.HTTPClient
+}
+
+func (r *BackendConnector) HTTPSend(httpverb string,
+	endpoint string,
+	payload []byte,
+	f HTTPReqFunc,
+	qryData interface{}) ([]byte, error) {
+
+	beURL := fmt.Sprintf("%v/%v", r.GetBaseURL(), endpoint)
+	req, err := http.NewRequest(httpverb, beURL, bytes.NewReader(payload))
+	if err != nil {
+		return nil, err
+	}
+
+	if r.IsExpired() {
+		r.Login()
+	}
+
+	loginobj := r.GetLoginObj()
+	req.Header.Set("Authorization", loginobj.Authorization)
+	f(req, qryData)
+	q := req.URL.Query()
+	q.Set("customerGUID", loginobj.GUID)
+	req.URL.RawQuery = q.Encode()
+
+	for _, cookie := range loginobj.Cookies {
+		req.AddCookie(cookie)
+	}
+	resp, err := r.GetClient().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		fmt.Printf("req:\n%v\nresp:%v\n", req, resp)
+		return nil, fmt.Errorf("Error #%v Due to: %v", resp.StatusCode, resp.Status)
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return body, nil
+}
--- a/cautils/apis/clusterapis.go
+++ b/cautils/apis/clusterapis.go
@@ -0,0 +1,25 @@
+package apis
+
+// WebsocketScanCommand api
+const (
+	WebsocketScanCommandVersion string = "v1"
+	WebsocketScanCommandPath    string = "scanImage"
+)
+
+// commands send via websocket
+const (
+	UPDATE            string = "update"
+	ATTACH            string = "Attach"
+	REMOVE            string = "remove"
+	DETACH            string = "Detach"
+	INCOMPATIBLE      string = "Incompatible"
+	REPLACE_HEADERS   string = "ReplaceHeaders"
+	IMAGE_UNREACHABLE string = "ImageUnreachable"
+	SIGN              string = "sign"
+	UNREGISTERED      string = "unregistered"
+	INJECT            string = "inject"
+	RESTART           string = "restart"
+	ENCRYPT           string = "encryptSecret"
+	DECRYPT           string = "decryptSecret"
+	SCAN              string = "scan"
+)
--- a/cautils/apis/datastructures.go
+++ b/cautils/apis/datastructures.go
@@ -0,0 +1,78 @@
+package apis
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/docker/docker/api/types"
+)
+
+// WebsocketScanCommand trigger scan thru the websocket
+type WebsocketScanCommand struct {
+	// CustomerGUID string `json:"customerGUID"`
+	ImageTag      string `json:"imageTag"`
+	Wlid          string `json:"wlid"`
+	IsScanned     bool   `json:"isScanned"`
+	ContainerName string `json:"containerName"`
+	JobID         string `json:"jobID,omitempty"`
+	LastAction    int    `json:"actionIDN"`
+	// ImageHash     string `json:"imageHash"`
+	Credentials *types.AuthConfig `json:"credentials,omitempty"`
+}
+
+//taken from BE
+// ElasticRespTotal holds the total struct in Elastic array response
+type ElasticRespTotal struct {
+	Value    int    `json:"value"`
+	Relation string `json:"relation"`
+}
+
+// V2ListResponse holds the response of some list request with some metadata
+type V2ListResponse struct {
+	Total    ElasticRespTotal `json:"total"`
+	Response interface{}      `json:"response"`
+	// Cursor for quick access to the next page. Not supported yet
+	Cursor string `json:"cursor"`
+}
+
+// Oauth2Customer returns inside the "ca_groups" field in claims section of
+// Oauth2 verification process
+type Oauth2Customer struct {
+	CustomerName string `json:"customerName"`
+	CustomerGUID string `json:"customerGUID"`
+}
+
+type LoginObject struct {
+	Authorization string `json:"authorization"`
+	GUID          string
+	Cookies       []*http.Cookie
+	Expires       string
+}
+
+type SafeMode struct {
+	Reporter        string `json:"reporter"`                // "Agent"
+	Action          string `json:"action,omitempty"`        // "action"
+	Wlid            string `json:"wlid"`                    // CAA_WLID
+	PodName         string `json:"podName"`                 // CAA_POD_NAME
+	InstanceID      string `json:"instanceID"`              // CAA_POD_NAME
+	ContainerName   string `json:"containerName,omitempty"` // CAA_CONTAINER_NAME
+	ProcessName     string `json:"processName,omitempty"`
+	ProcessID       int    `json:"processID,omitempty"`
+	ProcessCMD      string `json:"processCMD,omitempty"`
+	ComponentGUID   string `json:"componentGUID,omitempty"` // CAA_GUID
+	StatusCode      int    `json:"statusCode"`              // 0/1/2
+	ProcessExitCode int    `json:"processExitCode"`         // 0 +
+	Timestamp       int64  `json:"timestamp"`
+	Message         string `json:"message,omitempty"` // any string
+	JobID           string `json:"jobID,omitempty"`   // any string
+	Compatible      *bool  `json:"compatible,omitempty"`
+}
+
+func (safeMode *SafeMode) Json() string {
+	b, err := json.Marshal(*safeMode)
+	if err != nil {
+		return ""
+	}
+	return fmt.Sprintf("%s", b)
+}
--- a/cautils/apis/datastructures_test.go
+++ b/cautils/apis/datastructures_test.go
@@ -0,0 +1,26 @@
+package apis
+
+// import (
+// 	"fmt"
+// 	"net/http"
+// 	"testing"
+// )
+
+// func TestAuditStructure(t *testing.T) {
+// 	c := http.Client{}
+// 	be, err := MakeBackendConnector(&c, "https://dashbe.eudev3.cyberarmorsoft.com", &CustomerLoginDetails{Email: "lalafi@cyberarmor.io", Password: "*", CustomerName: "CyberArmorTests"})
+// 	if err != nil {
+// 		t.Errorf("sad1")
+
+// 	}
+
+// 	b, err := be.HTTPSend("GET", "v1/microservicesOverview", nil, MapQuery, map[string]string{"wlid": "wlid://cluster-childrenofbodom/namespace-default/deployment-pos"})
+// 	if err != nil {
+// 		t.Errorf("sad2")
+
+// 	}
+// 	fmt.Printf("%v", string(b))
+
+// 	t.Errorf("sad")
+
+// }
--- a/cautils/apis/interfaces.go
+++ b/cautils/apis/interfaces.go
@@ -0,0 +1,27 @@
+package apis
+
+import (
+	"net/http"
+)
+
+// type Dashboard interface {
+// 	OPAFRAMEWORKGet(string, bool) ([]opapolicy.Framework, error)
+// }
+
+// Connector - interface for any connector (BE/Portal and so on)
+type Connector interface {
+
+	//may used for a more generic httpsend interface based method
+	GetBaseURL() string
+	GetLoginObj() *LoginObject
+	GetClient() *http.Client
+
+	Login() error
+	IsExpired() bool
+
+	HTTPSend(httpverb string,
+		endpoint string,
+		payload []byte,
+		f HTTPReqFunc,
+		qryData interface{}) ([]byte, error)
+}
--- a/cautils/apis/login.go
+++ b/cautils/apis/login.go
@@ -0,0 +1,255 @@
+package apis
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"time"
+
+	oidc "github.com/coreos/go-oidc"
+	uuid "github.com/satori/go.uuid"
+
+	// "go.uber.org/zap"
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"golang.org/x/oauth2"
+)
+
+func GetOauth2TokenURL() string {
+	return "https://idens.eudev3.cyberarmorsoft.com/auth/realms/CyberArmorSites"
+}
+
+func GetLoginStruct() (LoginAux, error) {
+
+	return LoginAux{Referer: "https://cpanel.eudev3.cyberarmorsoft.com/login", Url: "https://cpanel.eudev3.cyberarmorsoft.com/login"}, nil
+}
+
+func LoginWithKeycloak(loginDetails CustomerLoginDetails) ([]uuid.UUID, *oidc.IDToken, error) {
+	// var custGUID uuid.UUID
+	// config.Oauth2TokenURL
+	if GetOauth2TokenURL() == "" {
+		return nil, nil, fmt.Errorf("missing oauth2 token URL")
+	}
+	urlaux, _ := GetLoginStruct()
+	conf, err := getOauth2Config(urlaux)
+	if err != nil {
+		return nil, nil, err
+	}
+	ctx := context.Background()
+	provider, err := oidc.NewProvider(ctx, GetOauth2TokenURL())
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// "Oauth2ClientID": "golang-client"
+	oidcConfig := &oidc.Config{
+		ClientID:          "golang-client",
+		SkipClientIDCheck: true,
+	}
+
+	verifier := provider.Verifier(oidcConfig)
+	ouToken, err := conf.PasswordCredentialsToken(ctx, loginDetails.Email, loginDetails.Password)
+	if err != nil {
+		return nil, nil, err
+	}
+	// "Authorization",
+	authorization := fmt.Sprintf("%s %s", ouToken.Type(), ouToken.AccessToken)
+	// oidc.IDTokenVerifier
+	tkn, err := verifier.Verify(ctx, ouToken.AccessToken)
+	if err != nil {
+		return nil, tkn, err
+	}
+	tkn.Nonce = authorization
+	if loginDetails.CustomerName == "" {
+		customers, err := getCustomersNames(tkn)
+		if err != nil {
+			return nil, tkn, err
+		}
+		if len(customers) == 1 {
+			loginDetails.CustomerName = customers[0]
+		} else {
+			return nil, tkn, fmt.Errorf("login with one of the following customers: %v", customers)
+		}
+	}
+	custGUID, err := getCustomerGUID(tkn, &loginDetails)
+	if err != nil {
+		return nil, tkn, err
+	}
+	return []uuid.UUID{custGUID}, tkn, nil
+}
+
+func getOauth2Config(urlaux LoginAux) (*oauth2.Config, error) {
+	reURLSlices := strings.Split(urlaux.Referer, "/")
+	if len(reURLSlices) == 0 {
+		reURLSlices = strings.Split(urlaux.Url, "/")
+	}
+	// zapLogger.With(zap.Strings("referer", reURLSlices)).Info("Searching oauth2Config for")
+	if len(reURLSlices) < 3 {
+		reURLSlices = []string{reURLSlices[0], reURLSlices[0], reURLSlices[0]}
+	}
+	lg, _ := GetLoginStruct()
+	provider, _ := oidc.NewProvider(context.Background(), GetOauth2TokenURL())
+	//provider.Endpoint {"AuthURL":"https://idens.eudev3.cyberarmorsoft.com/auth/realms/CyberArmorSites/protocol/openid-connect/auth","TokenURL":"https://idens.eudev3.cyberarmorsoft.com/auth/realms/CyberArmorSites/protocol/openid-connect/token","AuthStyle":0}
+	conf := oauth2.Config{
+		ClientID:     "golang-client",
+		ClientSecret: "4e33bad2-3491-41a6-b486-93c492cfb4a2",
+		RedirectURL:  lg.Referer,
+		// Discovery returns the OAuth2 endpoints.
+		Endpoint: provider.Endpoint(),
+		// "openid" is a required scope for OpenID Connect flows.
+		Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+	}
+	return &conf, nil
+	// return nil, fmt.Errorf("canno't find oauth2Config for referer '%+v'.\nPlease set referer or origin headers", reURLSlices)
+}
+
+func getCustomersNames(oauth2Details *oidc.IDToken) ([]string, error) {
+	var claimsJSON Oauth2Claims
+	if err := oauth2Details.Claims(&claimsJSON); err != nil {
+		return nil, err
+	}
+
+	customersList := make([]string, 0, len(claimsJSON.CAGroups))
+	for _, v := range claimsJSON.CAGroups {
+		var caCustomer Oauth2Customer
+		if err := json.Unmarshal([]byte(v), &caCustomer); err == nil {
+			customersList = append(customersList, caCustomer.CustomerName)
+		}
+	}
+	return customersList, nil
+}
+
+func getCustomerGUID(tkn *oidc.IDToken, loginDetails *CustomerLoginDetails) (uuid.UUID, error) {
+
+	customers, err := getCustomersList(tkn)
+	if err != nil {
+		return uuid.UUID{}, err
+	}
+
+	// if customer name not provided - use default customer
+	if loginDetails.CustomerName == "" && len(customers) > 0 {
+		return uuid.FromString(customers[0].CustomerGUID)
+	}
+
+	for _, i := range customers {
+		if i.CustomerName == loginDetails.CustomerName {
+			return uuid.FromString(i.CustomerGUID)
+		}
+	}
+	return uuid.UUID{}, fmt.Errorf("customer name not found in customer list")
+}
+
+func getCustomersList(oauth2Details *oidc.IDToken) ([]Oauth2Customer, error) {
+	var claimsJSON Oauth2Claims
+	if err := oauth2Details.Claims(&claimsJSON); err != nil {
+		return nil, err
+	}
+
+	customersList := make([]Oauth2Customer, 0, len(claimsJSON.CAGroups))
+	for _, v := range claimsJSON.CAGroups {
+		var caCustomer Oauth2Customer
+		if err := json.Unmarshal([]byte(v), &caCustomer); err == nil {
+			customersList = append(customersList, caCustomer)
+		}
+	}
+	return customersList, nil
+}
+
+// func MakeAuthCookies(custGUID uuid.UUID, ouToken *oidc.IDToken) (*http.Cookie, error) {
+// 	var ccc http.Cookie
+// 	var responseData AuthenticationCookie
+// 	expireDate := time.Now().UTC().Add(time.Duration(config.CookieExpirationHours) * time.Hour)
+// 	if ouToken != nil {
+// 		expireDate = ouToken.Expiry
+// 	}
+// 	ccc.Expires = expireDate
+// 	responseData.CustomerGUID = custGUID
+// 	responseData.Expires = ccc.Expires
+// 	responseData.Version = 0
+// 	authorizationStr := ""
+// 	if ouToken != nil {
+// 		authorizationStr = ouToken.Nonce
+// 		if err := ouToken.Claims(&responseData.Oauth2Claims); err != nil {
+// 			errStr := fmt.Sprintf("failed to get claims from JWT")
+// 			return nil, fmt.Errorf("%v", errStr)
+// 		}
+// 	}
+// 	jsonBytes, err := json.Marshal(responseData)
+// 	if err != nil {
+// 		errStr := fmt.Sprintf("failed to get claims from JWT")
+// 		return nil, fmt.Errorf("%v", errStr)
+// 	}
+// 	ccc.Name = "auth"
+// 	ccc.Value = hex.EncodeToString(jsonBytes) + "." + cacheaccess.CalcHmac256(jsonBytes)
+// 	// TODO: HttpOnly for security...
+// 	ccc.HttpOnly = false
+// 	ccc.Path = "/"
+// 	ccc.Secure = true
+// 	ccc.SameSite = http.SameSiteNoneMode
+// 	http.SetCookie(w, &ccc)
+// 	responseData.Authorization = authorizationStr
+// 	jsonBytes, err = json.Marshal(responseData)
+// 	if err != nil {
+// 		w.WriteHeader(http.StatusInternalServerError)
+// 		fmt.Fprintf(w, "error while marshaling response(2) %s", err)
+// 		return
+// 	}
+// 	w.Write(jsonBytes)
+// }
+
+func Login(loginDetails CustomerLoginDetails) (*LoginObject, error) {
+
+	return nil, nil
+}
+
+func GetBEInfo(cfgFile string) string {
+	return "https://dashbe.eudev3.cyberarmorsoft.com"
+}
+
+func BELogin(loginDetails *CustomerLoginDetails, login string, cfg string) (*BELoginResponse, error) {
+	client := &http.Client{}
+
+	basebeURL := GetBEInfo(cfg)
+	beURL := fmt.Sprintf("%v/%v", basebeURL, login)
+
+	loginInfoBytes, err := json.Marshal(loginDetails)
+	if err != nil {
+		return nil, err
+	}
+	req, err := http.NewRequest("POST", beURL, bytes.NewReader(loginInfoBytes))
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Referer", strings.Replace(beURL, "dashbe", "cpanel", 1))
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	loginS := &BELoginResponse{}
+	json.Unmarshal(body, &loginS)
+
+	loginS.Cookies = resp.Cookies()
+	return loginS, nil
+}
+
+func (r *LoginObject) IsExpired() bool {
+	if r == nil {
+		return true
+	}
+	t, err := time.Parse(time.RFC3339, r.Expires)
+	if err != nil {
+		return true
+	}
+
+	return t.UTC().Before(time.Now().UTC())
+}
--- a/cautils/apis/logindatastructures.go
+++ b/cautils/apis/logindatastructures.go
@@ -0,0 +1,38 @@
+package apis
+
+import (
+	"time"
+
+	"github.com/gofrs/uuid"
+)
+
+// AuthenticationCookie is what it is
+type AuthenticationCookie struct {
+	Oauth2Claims  `json:",inline"`
+	CustomerGUID  uuid.UUID `json:"customerGuid"`
+	Expires       time.Time `json:"expires"`
+	Version       int       `json:"version"`
+	Authorization string    `json:"authorization,omitempty"`
+}
+
+type LoginAux struct {
+	Referer string
+	Url     string
+}
+
+// CustomerLoginDetails is what it is
+type CustomerLoginDetails struct {
+	Email        string    `json:"email"`
+	Password     string    `json:"password"`
+	CustomerName string    `json:"customer,omitempty"`
+	CustomerGUID uuid.UUID `json:"customerGuid,omitempty"`
+}
+
+// Oauth2Claims returns in claims section of Oauth2 verification process
+type Oauth2Claims struct {
+	Sub               string   `json:"sub"`
+	Name              string   `json:"name"`
+	PreferredUserName string   `json:"preferred_username"`
+	CAGroups          []string `json:"ca_groups"`
+	Email             string   `json:"email"`
+}
--- a/cautils/apis/websocketdatastructures.go
+++ b/cautils/apis/websocketdatastructures.go
@@ -0,0 +1,132 @@
+package apis
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+// Commands list of commands received from websocket
+type Commands struct {
+	Commands []Command `json:"commands"`
+}
+
+// Command structure of command received from websocket
+type Command struct {
+	CommandName string                 `json:"commandName"`
+	ResponseID  string                 `json:"responseID"`
+	Wlid        string                 `json:"wlid,omitempty"`
+	WildWlid    string                 `json:"wildWlid,omitempty"`
+	Sid         string                 `json:"sid,omitempty"`
+	WildSid     string                 `json:"wildSid,omitempty"`
+	JobTracking JobTracking            `json:"jobTracking"`
+	Args        map[string]interface{} `json:"args,omitempty"`
+}
+
+type JobTracking struct {
+	JobID            string `json:"jobID,omitempty"`
+	ParentID         string `json:"parentAction,omitempty"`
+	LastActionNumber int    `json:"numSeq,omitempty"`
+}
+
+func (c *Command) DeepCopy() *Command {
+	newCommand := &Command{}
+	newCommand.CommandName = c.CommandName
+	newCommand.ResponseID = c.ResponseID
+	newCommand.Wlid = c.Wlid
+	newCommand.WildWlid = c.WildWlid
+	if c.Args != nil {
+		newCommand.Args = make(map[string]interface{})
+		for i, j := range c.Args {
+			newCommand.Args[i] = j
+		}
+	}
+	return newCommand
+}
+
+func (c *Command) GetLabels() map[string]string {
+	if c.Args != nil {
+		if ilabels, ok := c.Args["labels"]; ok {
+			labels := map[string]string{}
+			if b, e := json.Marshal(ilabels); e == nil {
+				if e = json.Unmarshal(b, &labels); e == nil {
+					return labels
+				}
+			}
+		}
+	}
+	return map[string]string{}
+}
+
+func (c *Command) SetLabels(labels map[string]string) {
+	if c.Args == nil {
+		c.Args = make(map[string]interface{})
+	}
+	c.Args["labels"] = labels
+}
+
+func (c *Command) GetFieldSelector() map[string]string {
+	if c.Args != nil {
+		if ilabels, ok := c.Args["fieldSelector"]; ok {
+			labels := map[string]string{}
+			if b, e := json.Marshal(ilabels); e == nil {
+				if e = json.Unmarshal(b, &labels); e == nil {
+					return labels
+				}
+			}
+		}
+	}
+	return map[string]string{}
+}
+
+func (c *Command) SetFieldSelector(labels map[string]string) {
+	if c.Args == nil {
+		c.Args = make(map[string]interface{})
+	}
+	c.Args["fieldSelector"] = labels
+}
+
+func (c *Command) GetID() string {
+	if c.WildWlid != "" {
+		return c.WildWlid
+	}
+	if c.WildSid != "" {
+		return c.WildSid
+	}
+	if c.Wlid != "" {
+		return c.Wlid
+	}
+	if c.Sid != "" {
+		return c.Sid
+	}
+	return ""
+}
+
+func (c *Command) Json() string {
+	b, _ := json.Marshal(*c)
+	return fmt.Sprintf("%s", b)
+}
+
+func SIDFallback(c *Command) {
+	if c.GetID() == "" {
+		sid, err := getSIDFromArgs(c.Args)
+		if err != nil || sid == "" {
+			return
+		}
+		c.Sid = sid
+	}
+}
+
+func getSIDFromArgs(args map[string]interface{}) (string, error) {
+	sidInterface, ok := args["sid"]
+	if !ok {
+		return "", nil
+	}
+	sid, ok := sidInterface.(string)
+	if !ok || sid == "" {
+		return "", fmt.Errorf("sid found in args but empty")
+	}
+	// if _, err := secrethandling.SplitSecretID(sid); err != nil {
+	// 	return "", err
+	// }
+	return sid, nil
+}
--- a/cautils/armotypes/executionpolicytypes.go
+++ b/cautils/armotypes/executionpolicytypes.go
@@ -0,0 +1,16 @@
+package armotypes
+
+type EnforcementsRule struct {
+	MonitoredObject          []string `json:"monitoredObject"`
+	MonitoredObjectExistence []string `json:"objectExistence"`
+	MonitoredObjectEvent     []string `json:"event"`
+	Action                   []string `json:"action"`
+}
+
+type ExecutionPolicy struct {
+	PortalBase                `json:",inline"`
+	Designators               []PortalDesignator `json:"designators"`
+	PolicyType                string             `json:"policyType"`
+	CreationTime              string             `json:"creation_time"`
+	ExecutionEnforcementsRule []EnforcementsRule `json:"enforcementRules"`
+}
--- a/cautils/armotypes/portaltypes.go
+++ b/cautils/armotypes/portaltypes.go
@@ -0,0 +1,66 @@
+package armotypes
+
+import "strings"
+
+const (
+	CostumerGuidQuery   = "costumerGUID"
+	ClusterNameQuery    = "cluster"
+	DatacenterNameQuery = "datacenter"
+	NamespaceQuery      = "namespace"
+	ProjectQuery        = "project"
+	WlidQuery           = "wlid"
+	SidQuery            = "sid"
+)
+
+// PortalBase holds basic items data from portal BE
+type PortalBase struct {
+	GUID       string                 `json:"guid"`
+	Name       string                 `json:"name"`
+	Attributes map[string]interface{} `json:"attributes,omitempty"` // could be string
+}
+
+type DesignatorType string
+
+// Supported designators
+const (
+	DesignatorAttributes DesignatorType = "Attributes"
+	DesignatorAttribute  DesignatorType = "Attribute" // Deprecated
+	/*
+		WorkloadID format.
+		k8s format: wlid://cluster-<cluster>/namespace-<namespace>/<kind>-<name>
+		native format: wlid://datacenter-<datacenter>/project-<project>/native-<name>
+	*/
+	DesignatorWlid DesignatorType = "Wlid"
+	/*
+		Wild card - subset of wlid. e.g.
+		1. Include cluster:
+			wlid://cluster-<cluster>/
+		2. Include cluster and namespace (filter out all other namespaces):
+			wlid://cluster-<cluster>/namespace-<namespace>/
+	*/
+	DesignatorWildWlid      DesignatorType = "WildWlid"
+	DesignatorWlidContainer DesignatorType = "WlidContainer"
+	DesignatorWlidProcess   DesignatorType = "WlidProcess"
+	DesignatorSid           DesignatorType = "Sid" // secret id
+)
+
+func (dt DesignatorType) ToLower() DesignatorType {
+	return DesignatorType(strings.ToLower(string(dt)))
+}
+
+// attributes
+const (
+	AttributeCluster   = "cluster"
+	AttributeNamespace = "namespace"
+	AttributeKind      = "kind"
+	AttributeName      = "name"
+)
+
+// PortalDesignator represented single designation options
+type PortalDesignator struct {
+	DesignatorType DesignatorType    `json:"designatorType"`
+	WLID           string            `json:"wlid"`
+	WildWLID       string            `json:"wildwlid"`
+	SID            string            `json:"sid"`
+	Attributes     map[string]string `json:"attributes"`
+}
--- a/cautils/armotypes/portaltypes_mock.go
+++ b/cautils/armotypes/portaltypes_mock.go
@@ -0,0 +1,18 @@
+package armotypes
+
+func MockPortalBase(customerGUID, name string, attributes map[string]interface{}) *PortalBase {
+	if customerGUID == "" {
+		customerGUID = "36b6f9e1-3b63-4628-994d-cbe16f81e9c7"
+	}
+	if name == "" {
+		name = "portalbase-a"
+	}
+	if attributes == nil {
+		attributes = make(map[string]interface{})
+	}
+	return &PortalBase{
+		GUID:       customerGUID,
+		Name:       name,
+		Attributes: attributes,
+	}
+}
--- a/cautils/armotypes/portaltypesutils.go
+++ b/cautils/armotypes/portaltypesutils.go
@@ -0,0 +1,113 @@
+package armotypes
+
+import (
+	"github.com/armosec/kubescape/cautils/cautils"
+	"github.com/golang/glog"
+)
+
+var IgnoreLabels = []string{AttributeCluster, AttributeNamespace}
+
+func (designator *PortalDesignator) GetCluster() string {
+	cluster, _, _, _, _ := designator.DigestPortalDesignator()
+	return cluster
+}
+
+func (designator *PortalDesignator) GetNamespace() string {
+	_, namespace, _, _, _ := designator.DigestPortalDesignator()
+	return namespace
+}
+
+func (designator *PortalDesignator) GetKind() string {
+	_, _, kind, _, _ := designator.DigestPortalDesignator()
+	return kind
+}
+
+func (designator *PortalDesignator) GetName() string {
+	_, _, _, name, _ := designator.DigestPortalDesignator()
+	return name
+}
+func (designator *PortalDesignator) GetLabels() map[string]string {
+	_, _, _, _, labels := designator.DigestPortalDesignator()
+	return labels
+}
+
+// DigestPortalDesignator - get cluster namespace and labels from designator
+func (designator *PortalDesignator) DigestPortalDesignator() (string, string, string, string, map[string]string) {
+	switch designator.DesignatorType.ToLower() {
+	case DesignatorAttributes.ToLower(), DesignatorAttribute.ToLower():
+		return designator.DigestAttributesDesignator()
+	case DesignatorWlid.ToLower(), DesignatorWildWlid.ToLower():
+		return cautils.GetClusterFromWlid(designator.WLID), cautils.GetNamespaceFromWlid(designator.WLID), cautils.GetKindFromWlid(designator.WLID), cautils.GetNameFromWlid(designator.WLID), map[string]string{}
+	// case DesignatorSid: // TODO
+	default:
+		glog.Warningf("in 'digestPortalDesignator' designator type: '%v' not yet supported. please contact Armo team", designator.DesignatorType)
+	}
+	return "", "", "", "", nil
+}
+
+func (designator *PortalDesignator) DigestAttributesDesignator() (string, string, string, string, map[string]string) {
+	cluster := ""
+	namespace := ""
+	kind := ""
+	name := ""
+	labels := map[string]string{}
+	attributes := designator.Attributes
+	if attributes == nil {
+		return cluster, namespace, kind, name, labels
+	}
+	for k, v := range attributes {
+		labels[k] = v
+	}
+	if v, ok := attributes[AttributeNamespace]; ok {
+		namespace = v
+		delete(labels, AttributeNamespace)
+	}
+	if v, ok := attributes[AttributeCluster]; ok {
+		cluster = v
+		delete(labels, AttributeCluster)
+	}
+	if v, ok := attributes[AttributeKind]; ok {
+		kind = v
+		delete(labels, AttributeKind)
+	}
+	if v, ok := attributes[AttributeName]; ok {
+		name = v
+		delete(labels, AttributeName)
+	}
+	return cluster, namespace, kind, name, labels
+}
+
+// DigestPortalDesignator DEPRECATED. use designator.DigestPortalDesignator() - get cluster namespace and labels from designator
+func DigestPortalDesignator(designator *PortalDesignator) (string, string, map[string]string) {
+	switch designator.DesignatorType {
+	case DesignatorAttributes, DesignatorAttribute:
+		return DigestAttributesDesignator(designator.Attributes)
+	case DesignatorWlid, DesignatorWildWlid:
+		return cautils.GetClusterFromWlid(designator.WLID), cautils.GetNamespaceFromWlid(designator.WLID), map[string]string{}
+	// case DesignatorSid: // TODO
+	default:
+		glog.Warningf("in 'digestPortalDesignator' designator type: '%v' not yet supported. please contact Armo team", designator.DesignatorType)
+	}
+	return "", "", nil
+}
+func DigestAttributesDesignator(attributes map[string]string) (string, string, map[string]string) {
+	cluster := ""
+	namespace := ""
+	labels := map[string]string{}
+	if attributes == nil {
+		return cluster, namespace, labels
+	}
+	for k, v := range attributes {
+		labels[k] = v
+	}
+	if v, ok := attributes[AttributeNamespace]; ok {
+		namespace = v
+		delete(labels, AttributeNamespace)
+	}
+	if v, ok := attributes[AttributeCluster]; ok {
+		cluster = v
+		delete(labels, AttributeCluster)
+	}
+
+	return cluster, namespace, labels
+}
--- a/cautils/armotypes/postureexceptionpolicytypes.go
+++ b/cautils/armotypes/postureexceptionpolicytypes.go
@@ -0,0 +1,42 @@
+package armotypes
+
+type PostureExceptionPolicyActions string
+
+const AlertOnly PostureExceptionPolicyActions = "alertOnly"
+const Disable PostureExceptionPolicyActions = "disable"
+
+type PostureExceptionPolicy struct {
+	PortalBase      `json:",inline"`
+	PolicyType      string                          `json:"policyType"`
+	CreationTime    string                          `json:"creationTime"`
+	Actions         []PostureExceptionPolicyActions `json:"actions"`
+	Resources       []PortalDesignator              `json:"resources"`
+	PosturePolicies []PosturePolicy                 `json:"posturePolicies"`
+}
+
+type PosturePolicy struct {
+	FrameworkName string `json:"frameworkName"`
+	ControlName   string `json:"controlName"`
+	RuleName      string `json:"ruleName"`
+}
+
+func (exceptionPolicy *PostureExceptionPolicy) IsAlertOnly() bool {
+	if exceptionPolicy.IsDisable() {
+		return false
+	}
+
+	for i := range exceptionPolicy.Actions {
+		if exceptionPolicy.Actions[i] == AlertOnly {
+			return true
+		}
+	}
+	return false
+}
+func (exceptionPolicy *PostureExceptionPolicy) IsDisable() bool {
+	for i := range exceptionPolicy.Actions {
+		if exceptionPolicy.Actions[i] == Disable {
+			return true
+		}
+	}
+	return false
+}
--- a/cautils/armotypes/postureexceptionpolicytypesutils.go
+++ b/cautils/armotypes/postureexceptionpolicytypesutils.go
@@ -0,0 +1 @@
+package armotypes
--- a/cautils/cautils/armometadata.go
+++ b/cautils/cautils/armometadata.go
@@ -0,0 +1,196 @@
+package cautils
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/golang/glog"
+)
+
+// labels added to the workload
+const (
+	ArmoPrefix          string = "armo"
+	ArmoAttach          string = ArmoPrefix + ".attach"
+	ArmoInitialSecret   string = ArmoPrefix + ".initial"
+	ArmoSecretStatus    string = ArmoPrefix + ".secret"
+	ArmoCompatibleLabel string = ArmoPrefix + ".compatible"
+
+	ArmoSecretProtectStatus string = "protect"
+	ArmoSecretClearStatus   string = "clear"
+)
+
+// annotations added to the workload
+const (
+	ArmoUpdate               string = ArmoPrefix + ".last-update"
+	ArmoWlid                 string = ArmoPrefix + ".wlid"
+	ArmoSid                  string = ArmoPrefix + ".sid"
+	ArmoJobID                string = ArmoPrefix + ".job"
+	ArmoJobIDPath            string = ArmoJobID + "/id"
+	ArmoJobParentPath        string = ArmoJobID + "/parent"
+	ArmoJobActionPath        string = ArmoJobID + "/action"
+	ArmoCompatibleAnnotation string = ArmoAttach + "/compatible"
+	ArmoReplaceheaders       string = ArmoAttach + "/replaceheaders"
+)
+
+const ( // DEPRECATED
+
+	CAAttachLabel string = "cyberarmor"
+	Patched       string = "Patched"
+	Done          string = "Done"
+	Encrypted     string = "Protected"
+
+	CAInjectOld = "injectCyberArmor"
+
+	CAPrefix          string = "cyberarmor"
+	CAProtectedSecret string = CAPrefix + ".secret"
+	CAInitialSecret   string = CAPrefix + ".initial"
+	CAInject          string = CAPrefix + ".inject"
+	CAIgnore          string = CAPrefix + ".ignore"
+	CAReplaceHeaders  string = CAPrefix + ".removeSecurityHeaders"
+)
+
+const ( // DEPRECATED
+	CAUpdate string = CAPrefix + ".last-update"
+	CAStatus string = CAPrefix + ".status"
+	CAWlid   string = CAPrefix + ".wlid"
+)
+
+type ClusterConfig struct {
+	EventReceiverREST       string `json:"eventReceiverREST"`
+	EventReceiverWS         string `json:"eventReceiverWS"`
+	MaserNotificationServer string `json:"maserNotificationServer"`
+	Postman                 string `json:"postman"`
+	Dashboard               string `json:"dashboard"`
+	Portal                  string `json:"portal"`
+	CustomerGUID            string `json:"customerGUID"`
+	ClusterGUID             string `json:"clusterGUID"`
+	ClusterName             string `json:"clusterName"`
+	OciImageURL             string `json:"ociImageURL"`
+	NotificationWSURL       string `json:"notificationWSURL"`
+	NotificationRestURL     string `json:"notificationRestURL"`
+	VulnScanURL             string `json:"vulnScanURL"`
+	OracleURL               string `json:"oracleURL"`
+	ClairURL                string `json:"clairURL"`
+}
+
+// represents workload basic info
+type SpiffeBasicInfo struct {
+	//cluster/datacenter
+	Level0     string `json:"level0"`
+	Level0Type string `json:"level0Type"`
+
+	//namespace/project
+	Level1     string `json:"level0"`
+	Level1Type string `json:"level0Type"`
+
+	Kind string `json:"kind"`
+	Name string `json:"name"`
+}
+
+type ImageInfo struct {
+	Registry     string `json:"registry"`
+	VersionImage string `json:"versionImage"`
+}
+
+func IsAttached(labels map[string]string) *bool {
+	attach := false
+	if labels == nil {
+		return nil
+	}
+	if attached, ok := labels[ArmoAttach]; ok {
+		if strings.ToLower(attached) == "true" {
+			attach = true
+			return &attach
+		} else {
+			return &attach
+		}
+	}
+
+	// deprecated
+	if _, ok := labels[CAAttachLabel]; ok {
+		attach = true
+		return &attach
+	}
+
+	// deprecated
+	if inject, ok := labels[CAInject]; ok {
+		if strings.ToLower(inject) == "true" {
+			attach = true
+			return &attach
+		}
+	}
+
+	// deprecated
+	if ignore, ok := labels[CAIgnore]; ok {
+		if strings.ToLower(ignore) == "true" {
+			return &attach
+		}
+	}
+
+	return nil
+}
+
+func IsSecretProtected(labels map[string]string) *bool {
+	protect := false
+	if labels == nil {
+		return nil
+	}
+	if protected, ok := labels[ArmoSecretStatus]; ok {
+		if strings.ToLower(protected) == ArmoSecretProtectStatus {
+			protect = true
+			return &protect
+		} else {
+			return &protect
+		}
+	}
+	return nil
+}
+
+func LoadConfig(configPath string, loadToEnv bool) (*ClusterConfig, error) {
+	if configPath == "" {
+		configPath = "/etc/config/clusterData.json"
+	}
+
+	dat, err := os.ReadFile(configPath)
+	if err != nil || len(dat) == 0 {
+		return nil, fmt.Errorf("Config empty or not found. path: %s", configPath)
+	}
+	componentConfig := &ClusterConfig{}
+	if err := json.Unmarshal(dat, componentConfig); err != nil {
+		return componentConfig, fmt.Errorf("Failed to read component config, path: %s, reason: %s", configPath, err.Error())
+	}
+	if loadToEnv {
+		componentConfig.LoadConfigToEnv()
+	}
+	return componentConfig, nil
+}
+
+func (clusterConfig *ClusterConfig) LoadConfigToEnv() {
+
+	SetEnv("CA_CLUSTER_NAME", clusterConfig.ClusterName)
+	SetEnv("CA_CLUSTER_GUID", clusterConfig.ClusterGUID)
+	SetEnv("CA_ORACLE_SERVER", clusterConfig.OracleURL)
+	SetEnv("CA_CUSTOMER_GUID", clusterConfig.CustomerGUID)
+	SetEnv("CA_DASHBOARD_BACKEND", clusterConfig.Dashboard)
+	SetEnv("CA_NOTIFICATION_SERVER_REST", clusterConfig.NotificationWSURL)
+	SetEnv("CA_NOTIFICATION_SERVER_WS", clusterConfig.NotificationWSURL)
+	SetEnv("CA_NOTIFICATION_SERVER_REST", clusterConfig.NotificationRestURL)
+	SetEnv("CA_OCIMAGE_URL", clusterConfig.OciImageURL)
+	SetEnv("CA_K8S_REPORT_URL", clusterConfig.EventReceiverWS)
+	SetEnv("CA_EVENT_RECEIVER_HTTP", clusterConfig.EventReceiverREST)
+	SetEnv("CA_VULNSCAN", clusterConfig.VulnScanURL)
+	SetEnv("CA_POSTMAN", clusterConfig.Postman)
+	SetEnv("MASTER_NOTIFICATION_SERVER_HOST", clusterConfig.MaserNotificationServer)
+	SetEnv("CLAIR_URL", clusterConfig.ClairURL)
+
+}
+
+func SetEnv(key, value string) {
+	if e := os.Getenv(key); e == "" {
+		if err := os.Setenv(key, value); err != nil {
+			glog.Warningf("%s: %s", key, err.Error())
+		}
+	}
+}
--- a/cautils/cautils/cautils_test.go
+++ b/cautils/cautils/cautils_test.go
@@ -0,0 +1,29 @@
+package cautils
+
+import (
+	"testing"
+)
+
+// tests wlid parse
+
+func TestSpiffeWLIDToInfoSuccess(t *testing.T) {
+
+	WLID := "wlid://cluster-HipsterShopCluster2/namespace-prod/deployment-cartservice"
+	ms, er := SpiffeToSpiffeInfo(WLID)
+
+	if er != nil || ms.Level0 != "HipsterShopCluster2" || ms.Level0Type != "cluster" || ms.Level1 != "prod" || ms.Level1Type != "namespace" ||
+		ms.Kind != "deployment" || ms.Name != "cartservice" {
+		t.Errorf("TestSpiffeWLIDToInfoSuccess failed to parse %v", WLID)
+	}
+}
+
+func TestSpiffeSIDInfoSuccess(t *testing.T) {
+
+	SID := "sid://cluster-HipsterShopCluster2/namespace-dev/secret-caregcred"
+	ms, er := SpiffeToSpiffeInfo(SID)
+
+	if er != nil || ms.Level0 != "HipsterShopCluster2" || ms.Level0Type != "cluster" || ms.Level1 != "dev" || ms.Level1Type != "namespace" ||
+		ms.Kind != "secret" || ms.Name != "caregcred" {
+		t.Errorf("TestSpiffeSIDInfoSuccess failed to parse %v", SID)
+	}
+}
--- a/cautils/cautils/genericutils.go
+++ b/cautils/cautils/genericutils.go
@@ -0,0 +1,118 @@
+package cautils
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"strings"
+)
+
+// wlid/ sid utils
+const (
+	SpiffePrefix = "://"
+)
+
+// wlid/ sid utils
+const (
+	PackagePath = "vendor/github.com/armosec/capacketsgo"
+)
+
+//AsSHA256 takes anything turns it into string :) https://blog.8bitzen.com/posts/22-08-2019-how-to-hash-a-struct-in-go
+func AsSHA256(v interface{}) string {
+	h := sha256.New()
+	h.Write([]byte(fmt.Sprintf("%v", v)))
+
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
+
+func SpiffeToSpiffeInfo(spiffe string) (*SpiffeBasicInfo, error) {
+	basicInfo := &SpiffeBasicInfo{}
+
+	pos := strings.Index(spiffe, SpiffePrefix)
+	if pos < 0 {
+		return nil, fmt.Errorf("invalid spiffe %s", spiffe)
+	}
+
+	pos += len(SpiffePrefix)
+	spiffeNoPrefix := spiffe[pos:]
+	splits := strings.Split(spiffeNoPrefix, "/")
+	if len(splits) < 3 {
+		return nil, fmt.Errorf("invalid spiffe %s", spiffe)
+	}
+
+	p0 := strings.Index(splits[0], "-")
+	p1 := strings.Index(splits[1], "-")
+	p2 := strings.Index(splits[2], "-")
+	if p0 == -1 || p1 == -1 || p2 == -1 {
+		return nil, fmt.Errorf("invalid spiffe %s", spiffe)
+	}
+	basicInfo.Level0Type = splits[0][:p0]
+	basicInfo.Level0 = splits[0][p0+1:]
+	basicInfo.Level1Type = splits[1][:p1]
+	basicInfo.Level1 = splits[1][p1+1:]
+	basicInfo.Kind = splits[2][:p2]
+	basicInfo.Name = splits[2][p2+1:]
+
+	return basicInfo, nil
+}
+
+func ImageTagToImageInfo(imageTag string) (*ImageInfo, error) {
+	ImageInfo := &ImageInfo{}
+	spDelimiter := "/"
+	pos := strings.Index(imageTag, spDelimiter)
+	if pos < 0 {
+		ImageInfo.Registry = ""
+		ImageInfo.VersionImage = imageTag
+		return ImageInfo, nil
+	}
+
+	splits := strings.Split(imageTag, spDelimiter)
+	if len(splits) == 0 {
+
+		return nil, fmt.Errorf("Invalid image info %s", imageTag)
+	}
+
+	ImageInfo.Registry = splits[0]
+	if len(splits) > 1 {
+		ImageInfo.VersionImage = splits[len(splits)-1]
+	} else {
+		ImageInfo.VersionImage = ""
+	}
+
+	return ImageInfo, nil
+}
+
+func BoolPointer(b bool) *bool { return &b }
+
+func BoolToString(b bool) string {
+	if b {
+		return "true"
+	}
+	return "false"
+}
+
+func BoolPointerToString(b *bool) string {
+	if b == nil {
+		return ""
+	}
+	if *b {
+		return "true"
+	}
+	return "false"
+}
+
+func StringToBool(s string) bool {
+	if strings.ToLower(s) == "true" || strings.ToLower(s) == "1" {
+		return true
+	}
+	return false
+}
+
+func StringToBoolPointer(s string) *bool {
+	if strings.ToLower(s) == "true" || strings.ToLower(s) == "1" {
+		return BoolPointer(true)
+	}
+	if strings.ToLower(s) == "false" || strings.ToLower(s) == "0" {
+		return BoolPointer(false)
+	}
+	return nil
+}
--- a/cautils/cautils/k8sutils.go
+++ b/cautils/cautils/k8sutils.go
@@ -0,0 +1,52 @@
+package cautils
+
+import (
+	"fmt"
+	"hash/fnv"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var NamespacesListToIgnore = make([]string, 0)
+var KubeNamespaces = []string{metav1.NamespaceSystem, metav1.NamespacePublic}
+
+// NamespacesListToIgnore namespaces to ignore if a pod
+func InitNamespacesListToIgnore(caNamespace string) {
+	if len(NamespacesListToIgnore) > 0 {
+		return
+	}
+	NamespacesListToIgnore = append(NamespacesListToIgnore, KubeNamespaces...)
+	NamespacesListToIgnore = append(NamespacesListToIgnore, caNamespace)
+}
+
+func IfIgnoreNamespace(ns string) bool {
+	for i := range NamespacesListToIgnore {
+		if NamespacesListToIgnore[i] == ns {
+			return true
+		}
+	}
+	return false
+}
+
+func IfKubeNamespace(ns string) bool {
+	for i := range KubeNamespaces {
+		if NamespacesListToIgnore[i] == ns {
+			return true
+		}
+	}
+	return false
+}
+
+func hash(s string) string {
+	h := fnv.New32a()
+	h.Write([]byte(s))
+	return fmt.Sprintf("%d", h.Sum32())
+}
+func GenarateConfigMapName(wlid string) string {
+	name := strings.ToLower(fmt.Sprintf("ca-%s-%s-%s", GetNamespaceFromWlid(wlid), GetKindFromWlid(wlid), GetNameFromWlid(wlid)))
+	if len(name) >= 63 {
+		name = hash(name)
+	}
+	return name
+}
--- a/cautils/cautils/wlid.go
+++ b/cautils/cautils/wlid.go
@@ -0,0 +1,238 @@
+package cautils
+
+import (
+	"fmt"
+	"strings"
+)
+
+// API fields
+var (
+	WlidPrefix           = "wlid://"
+	SidPrefix            = "sid://"
+	ClusterWlidPrefix    = "cluster-"
+	NamespaceWlidPrefix  = "namespace-"
+	DataCenterWlidPrefix = "datacenter-"
+	ProjectWlidPrefix    = "project-"
+	SecretSIDPrefix      = "secret-"
+	SubSecretSIDPrefix   = "subsecret-"
+	K8SKindsList         = []string{"ComponentStatus", "ConfigMap", "ControllerRevision", "CronJob",
+		"CustomResourceDefinition", "DaemonSet", "Deployment", "Endpoints", "Event", "HorizontalPodAutoscaler",
+		"Ingress", "Job", "Lease", "LimitRange", "LocalSubjectAccessReview", "MutatingWebhookConfiguration",
+		"Namespace", "NetworkPolicy", "Node", "PersistentVolume", "PersistentVolumeClaim", "Pod",
+		"PodDisruptionBudget", "PodSecurityPolicy", "PodTemplate", "PriorityClass", "ReplicaSet",
+		"ReplicationController", "ResourceQuota", "Role", "RoleBinding", "Secret", "SelfSubjectAccessReview",
+		"SelfSubjectRulesReview", "Service", "ServiceAccount", "StatefulSet", "StorageClass",
+		"SubjectAccessReview", "TokenReview", "ValidatingWebhookConfiguration", "VolumeAttachment"}
+	NativeKindsList = []string{"Dockerized", "Native"}
+	KindReverseMap  = map[string]string{}
+	dataImagesList  = []string{}
+)
+
+func IsWlid(id string) bool {
+	return strings.HasPrefix(id, WlidPrefix)
+}
+
+func IsSid(id string) bool {
+	return strings.HasPrefix(id, SidPrefix)
+}
+
+// GetK8SKindFronList get the calculated wlid
+func GetK8SKindFronList(kind string) string { // TODO GetK8SKindFromList
+	for i := range K8SKindsList {
+		if strings.ToLower(kind) == strings.ToLower(K8SKindsList[i]) {
+			return K8SKindsList[i]
+		}
+	}
+	return kind
+}
+
+// IsK8SKindInList Check if the kind is a known kind
+func IsK8SKindInList(kind string) bool {
+	for i := range K8SKindsList {
+		if strings.ToLower(kind) == strings.ToLower(K8SKindsList[i]) {
+			return true
+		}
+	}
+	return false
+}
+
+// generateWLID
+func generateWLID(pLevel0, level0, pLevel1, level1, k, name string) string {
+	kind := strings.ToLower(k)
+	kind = strings.Replace(kind, "-", "", -1)
+
+	wlid := WlidPrefix
+	wlid += fmt.Sprintf("%s%s", pLevel0, level0)
+	if level1 == "" {
+		return wlid
+	}
+	wlid += fmt.Sprintf("/%s%s", pLevel1, level1)
+
+	if kind == "" {
+		return wlid
+	}
+	wlid += fmt.Sprintf("/%s", kind)
+
+	if name == "" {
+		return wlid
+	}
+	wlid += fmt.Sprintf("-%s", name)
+
+	return wlid
+}
+
+// GetWLID get the calculated wlid
+func GetWLID(level0, level1, k, name string) string {
+	return generateWLID(ClusterWlidPrefix, level0, NamespaceWlidPrefix, level1, k, name)
+}
+
+// GetK8sWLID get the k8s calculated wlid
+func GetK8sWLID(level0, level1, k, name string) string {
+	return generateWLID(ClusterWlidPrefix, level0, NamespaceWlidPrefix, level1, k, name)
+}
+
+// GetNativeWLID get the native calculated wlid
+func GetNativeWLID(level0, level1, k, name string) string {
+	return generateWLID(DataCenterWlidPrefix, level0, ProjectWlidPrefix, level1, k, name)
+}
+
+// WildWlidContainsWlid does WildWlid contains Wlid
+func WildWlidContainsWlid(wildWlid, wlid string) bool { // TODO- test
+	if wildWlid == wlid {
+		return true
+	}
+	wildWlidR, _ := RestoreMicroserviceIDsFromSpiffe(wildWlid)
+	wlidR, _ := RestoreMicroserviceIDsFromSpiffe(wlid)
+	if len(wildWlidR) > len(wildWlidR) {
+		// invalid wlid
+		return false
+	}
+
+	for i := range wildWlidR {
+		if wildWlidR[i] != wlidR[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func restoreInnerIdentifiersFromID(spiffeSlices []string) []string {
+	if len(spiffeSlices) >= 1 && strings.HasPrefix(spiffeSlices[0], ClusterWlidPrefix) {
+		spiffeSlices[0] = spiffeSlices[0][len(ClusterWlidPrefix):]
+	}
+	if len(spiffeSlices) >= 2 && strings.HasPrefix(spiffeSlices[1], NamespaceWlidPrefix) {
+		spiffeSlices[1] = spiffeSlices[1][len(NamespaceWlidPrefix):]
+	}
+	if len(spiffeSlices) >= 3 && strings.Contains(spiffeSlices[2], "-") {
+		dashIdx := strings.Index(spiffeSlices[2], "-")
+		spiffeSlices = append(spiffeSlices, spiffeSlices[2][dashIdx+1:])
+		spiffeSlices[2] = spiffeSlices[2][:dashIdx]
+		if val, ok := KindReverseMap[spiffeSlices[2]]; ok {
+			spiffeSlices[2] = val
+		}
+	}
+	return spiffeSlices
+}
+
+// RestoreMicroserviceIDsFromSpiffe -
+func RestoreMicroserviceIDsFromSpiffe(spiffe string) ([]string, error) {
+	if spiffe == "" {
+		return nil, fmt.Errorf("in RestoreMicroserviceIDsFromSpiffe, expecting valid wlid recieved empty string")
+	}
+
+	if StringHasWhitespace(spiffe) {
+		return nil, fmt.Errorf("wlid %s invalid. whitespace found", spiffe)
+	}
+
+	if strings.HasPrefix(spiffe, WlidPrefix) {
+		spiffe = spiffe[len(WlidPrefix):]
+	} else if strings.HasPrefix(spiffe, SidPrefix) {
+		spiffe = spiffe[len(SidPrefix):]
+	}
+	spiffeSlices := strings.Split(spiffe, "/")
+	// The documented WLID format (https://cyberarmorio.sharepoint.com/sites/development2/Shared%20Documents/kubernetes_design1.docx?web=1)
+	if len(spiffeSlices) <= 3 {
+		spiffeSlices = restoreInnerIdentifiersFromID(spiffeSlices)
+	}
+	if len(spiffeSlices) != 4 { // first used WLID, deprecated since 24.10.2019
+		return spiffeSlices, fmt.Errorf("invalid WLID format. format received: %v", spiffeSlices)
+	}
+
+	for i := range spiffeSlices {
+		if spiffeSlices[i] == "" {
+			return spiffeSlices, fmt.Errorf("one or more entities are empty, spiffeSlices: %v", spiffeSlices)
+		}
+	}
+
+	return spiffeSlices, nil
+}
+
+// RestoreMicroserviceIDsFromSpiffe -
+func RestoreMicroserviceIDs(spiffe string) []string {
+	if spiffe == "" {
+		return []string{}
+	}
+
+	if StringHasWhitespace(spiffe) {
+		return []string{}
+	}
+
+	if strings.HasPrefix(spiffe, WlidPrefix) {
+		spiffe = spiffe[len(WlidPrefix):]
+	} else if strings.HasPrefix(spiffe, SidPrefix) {
+		spiffe = spiffe[len(SidPrefix):]
+	}
+	spiffeSlices := strings.Split(spiffe, "/")
+
+	return restoreInnerIdentifiersFromID(spiffeSlices)
+}
+
+// GetClusterFromWlid parse wlid and get cluster
+func GetClusterFromWlid(wlid string) string {
+	r := RestoreMicroserviceIDs(wlid)
+	if len(r) >= 1 {
+		return r[0]
+	}
+	return ""
+}
+
+// GetNamespaceFromWlid parse wlid and get Namespace
+func GetNamespaceFromWlid(wlid string) string {
+	r := RestoreMicroserviceIDs(wlid)
+	if len(r) >= 2 {
+		return r[1]
+	}
+	return ""
+}
+
+// GetKindFromWlid parse wlid and get kind
+func GetKindFromWlid(wlid string) string {
+	r := RestoreMicroserviceIDs(wlid)
+	if len(r) >= 3 {
+		return GetK8SKindFronList(r[2])
+	}
+	return ""
+}
+
+// GetNameFromWlid parse wlid and get name
+func GetNameFromWlid(wlid string) string {
+	r := RestoreMicroserviceIDs(wlid)
+	if len(r) >= 4 {
+		return GetK8SKindFronList(r[3])
+	}
+	return ""
+}
+
+// IsWlidValid test if wlid is a valid wlid
+func IsWlidValid(wlid string) error {
+	_, err := RestoreMicroserviceIDsFromSpiffe(wlid)
+	return err
+}
+
+// StringHasWhitespace check if a string has whitespace
+func StringHasWhitespace(str string) bool {
+	if whitespace := strings.Index(str, " "); whitespace != -1 {
+		return true
+	}
+	return false
+}
--- a/cautils/customerloader.go
+++ b/cautils/customerloader.go
@@ -4,13 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"

+	"github.com/armosec/kubescape/cautils/getter"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
 	corev1 "k8s.io/api/core/v1"
 )

@@ -29,7 +30,6 @@ type ConfigObj struct {
 	CustomerGUID       string `json:"customerGUID"`
 	Token              string `json:"invitationParam"`
 	CustomerAdminEMail string `json:"adminMail"`
-	ClusterName        string `json:"clusterName"`
 }

 func (co *ConfigObj) Json() []byte {
@@ -39,106 +39,81 @@ func (co *ConfigObj) Json() []byte {
 	return []byte{}
 }

-// Config - convert ConfigObj to config file
-func (co *ConfigObj) Config() []byte {
-	clusterName := co.ClusterName
-	co.ClusterName = "" // remove cluster name before saving to file
-	b, err := json.Marshal(co)
-	co.ClusterName = clusterName
-
-	if err == nil {
-		return b
-	}
-
-	return []byte{}
-}
-
 // ======================================================================================
 // =============================== interface ============================================
 // ======================================================================================
-type ITenantConfig interface {
-	// set
-	SetTenant() error
+type IClusterConfig interface {
+	// setters
+	SetCustomerGUID(customerGUID string) error

 	// getters
-	GetClusterName() string
 	GetCustomerGUID() string
 	GetConfigObj() *ConfigObj
-	// GetBackendAPI() getter.IBackend
-	// GenerateURL()
+	GetK8sAPI() *k8sinterface.KubernetesApi
+	GetBackendAPI() getter.IBackend
+	GetDefaultNS() string
+	GenerateURL()
+}

-	IsConfigFound() bool
+// ClusterConfigSetup - Setup the desired cluster behavior regarding submittion to the Armo BE
+func ClusterConfigSetup(scanInfo *ScanInfo, k8s *k8sinterface.KubernetesApi, beAPI getter.IBackend) IClusterConfig {
+	/*
+
+		If "First run (local config not found)" -
+			Default - Do not send report (local)
+			Local - Do not send report
+			Submit - Create tenant & Submit report
+
+		If "Submitted but not signed up" -
+			Default	- Submit report (submit)
+			Local - Delete local config & Do not send report
+			Submit - Submit report
+
+		If "Signed up user" -
+			Default	- Submit report (submit)
+			Local - Do not send report
+			Submit - Submit report
+
+	*/
+	clusterConfig := NewClusterConfig(k8s, beAPI)
+	if err := clusterConfig.SetCustomerGUID(scanInfo.Account); err != nil {
+		fmt.Println(err)
+	}
+	if !IsSubmitted(clusterConfig) {
+		if scanInfo.Submit {
+			return clusterConfig // submit - Create tenant & Submit report
+		}
+		return NewEmptyConfig() // local/default - Do not send report
+	}
+	if !IsRegistered(clusterConfig) {
+		if scanInfo.Local {
+			DeleteConfig(k8s)
+			return NewEmptyConfig() // local - Delete local config & Do not send report
+		}
+		return clusterConfig // submit/default -  Submit report
+	}
+	if scanInfo.Local {
+		return NewEmptyConfig() // local - Do not send report
+	}
+	return clusterConfig // submit/default -  Submit report
 }

 // ======================================================================================
-// ============================ Local Config ============================================
+// ============================= Mock Config ============================================
 // ======================================================================================
-// Config when scanning YAML files or URL but not a Kubernetes cluster
-type LocalConfig struct {
-	backendAPI getter.IBackend
-	configObj  *ConfigObj
+type EmptyConfig struct {
 }

-func NewLocalConfig(backendAPI getter.IBackend, customerGUID string) *LocalConfig {
-	var configObj *ConfigObj
-
-	lc := &LocalConfig{
-		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
-	}
-	// get from configMap
-	if existsConfigFile() { // get from file
-		configObj, _ = loadConfigFromFile()
-	} else {
-		configObj = &ConfigObj{}
-	}
-	if configObj != nil {
-		lc.configObj = configObj
-	}
-	if customerGUID != "" {
-		lc.configObj.CustomerGUID = customerGUID // override config customerGUID
-	}
-	if lc.configObj.CustomerGUID != "" {
-		if err := lc.SetTenant(); err != nil {
-			fmt.Println(err)
-		}
-	}
-
-	return lc
-}
-
-func (lc *LocalConfig) GetConfigObj() *ConfigObj { return lc.configObj }
-func (lc *LocalConfig) GetCustomerGUID() string  { return lc.configObj.CustomerGUID }
-func (lc *LocalConfig) GetClusterName() string   { return "" }
-func (lc *LocalConfig) IsConfigFound() bool      { return existsConfigFile() }
-func (lc *LocalConfig) SetTenant() error {
-	// ARMO tenant GUID
-	if err := getTenantConfigFromBE(lc.backendAPI, lc.configObj); err != nil {
-		return err
-	}
-	updateConfigFile(lc.configObj)
-	return nil
-
-}
-
-func getTenantConfigFromBE(backendAPI getter.IBackend, configObj *ConfigObj) error {
-
-	// get from armoBE
-	tenantResponse, err := backendAPI.GetCustomerGUID(configObj.CustomerGUID)
-	if err == nil && tenantResponse != nil {
-		if tenantResponse.AdminMail != "" { // registered tenant
-			configObj.CustomerAdminEMail = tenantResponse.AdminMail
-		} else { // new tenant
-			configObj.Token = tenantResponse.Token
-			configObj.CustomerGUID = tenantResponse.TenantID
-		}
-	} else {
-		if err != nil && !strings.Contains(err.Error(), "already exists") {
-			return err
-		}
-	}
-
-	return nil
+func NewEmptyConfig() *EmptyConfig                               { return &EmptyConfig{} }
+func (c *EmptyConfig) GetConfigObj() *ConfigObj                  { return &ConfigObj{} }
+func (c *EmptyConfig) SetCustomerGUID(customerGUID string) error { return nil }
+func (c *EmptyConfig) GetCustomerGUID() string                   { return "" }
+func (c *EmptyConfig) GetK8sAPI() *k8sinterface.KubernetesApi    { return nil } // TODO: return mock obj
+func (c *EmptyConfig) GetDefaultNS() string                      { return k8sinterface.GetDefaultNamespace() }
+func (c *EmptyConfig) GetBackendAPI() getter.IBackend            { return nil } // TODO: return mock obj
+func (c *EmptyConfig) GenerateURL() {
+	message := fmt.Sprintf("If you wish to submit your cluster so you can control exceptions and maintain chronological scan results, please run Kubescape with the `--submit` flag or sign-up here: https://%s", getter.ArmoFEURL)
+	InfoTextDisplay(os.Stdout, message+"\n")
 }

 // ======================================================================================
@@ -152,79 +127,108 @@ type ClusterConfig struct {
 	configObj  *ConfigObj
 }

-func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend, customerGUID string) *ClusterConfig {
-	defaultNS := k8sinterface.GetDefaultNamespace()
-	var configObj *ConfigObj
-	c := &ClusterConfig{
+func NewClusterConfig(k8s *k8sinterface.KubernetesApi, backendAPI getter.IBackend) *ClusterConfig {
+	return &ClusterConfig{
 		k8s:        k8s,
 		backendAPI: backendAPI,
-		configObj:  &ConfigObj{},
-		defaultNS:  defaultNS,
+		defaultNS:  k8sinterface.GetDefaultNamespace(),
 	}
+}
+func (c *ClusterConfig) GetConfigObj() *ConfigObj               { return c.configObj }
+func (c *ClusterConfig) GetK8sAPI() *k8sinterface.KubernetesApi { return c.k8s }
+func (c *ClusterConfig) GetDefaultNS() string                   { return c.defaultNS }
+func (c *ClusterConfig) GetBackendAPI() getter.IBackend         { return c.backendAPI }
+
+func (c *ClusterConfig) GenerateURL() {
+	u := url.URL{}
+	u.Scheme = "https"
+	u.Host = getter.ArmoFEURL
+	if c.configObj == nil {
+		return
+	}
+	if c.configObj.CustomerAdminEMail != "" {
+		msgStr := fmt.Sprintf("To view all controls and get remediation's ask access permissions to %s from %s", u.String(), c.configObj.CustomerAdminEMail)
+		InfoTextDisplay(os.Stdout, msgStr+"\n")
+		return
+	}
+	u.Path = "account/sign-up"
+	q := u.Query()
+	q.Add("invitationToken", c.configObj.Token)
+	q.Add("customerGUID", c.configObj.CustomerGUID)
+
+	u.RawQuery = q.Encode()
+	fmt.Println("To view all controls and get remediation's visit:")
+	InfoTextDisplay(os.Stdout, u.String()+"\n")
+
+}
+
+func (c *ClusterConfig) GetCustomerGUID() string {
+	if c.configObj != nil {
+		return c.configObj.CustomerGUID
+	}
+	return ""
+}
+
+func (c *ClusterConfig) SetCustomerGUID(customerGUID string) error {
+
+	updateConfig := false
+	createConfig := false

 	// get from configMap
-	if existsConfigMap(k8s, defaultNS) {
-		configObj, _ = loadConfigFromConfigMap(k8s, defaultNS)
+	if c.existsConfigMap() {
+		c.configObj, _ = c.loadConfigFromConfigMap()
 	} else if existsConfigFile() { // get from file
-		configObj, _ = loadConfigFromFile()
+		c.configObj, _ = loadConfigFromFile()
+	} else {
+		c.configObj = &ConfigObj{}
+		createConfig = true
 	}
-	if configObj != nil {
-		c.configObj = configObj
-	}
-	if customerGUID != "" {
+	if customerGUID != "" && c.GetCustomerGUID() != customerGUID {
 		c.configObj.CustomerGUID = customerGUID // override config customerGUID
+		updateConfig = true
 	}
-	if c.configObj.CustomerGUID != "" {
-		if err := c.SetTenant(); err != nil {
-			fmt.Println(err)
+
+	customerGUID = c.GetCustomerGUID()
+
+	// get from armoBE
+	tenantResponse, err := c.backendAPI.GetCustomerGUID(customerGUID)
+	if err == nil && tenantResponse != nil {
+		if tenantResponse.AdminMail != "" { // this customer already belongs to some user
+			c.configObj.CustomerAdminEMail = tenantResponse.AdminMail
+		} else {
+			c.configObj.Token = tenantResponse.Token
+			c.configObj.CustomerGUID = tenantResponse.TenantID
+		}
+		updateConfig = true
+	} else {
+		if err != nil && !strings.Contains(err.Error(), "already exists") {
+			return err
 		}
 	}
-	if c.configObj.ClusterName == "" {
-		c.configObj.ClusterName = AdoptClusterName(k8sinterface.GetClusterName())
-	} else { // override the cluster name if it has unwanted characters
-		c.configObj.ClusterName = AdoptClusterName(c.configObj.ClusterName)
-	}
-
-	return c
-}
-
-func (c *ClusterConfig) GetConfigObj() *ConfigObj { return c.configObj }
-func (c *ClusterConfig) GetDefaultNS() string     { return c.defaultNS }
-func (c *ClusterConfig) GetCustomerGUID() string  { return c.configObj.CustomerGUID }
-func (c *ClusterConfig) IsConfigFound() bool {
-	return existsConfigFile() || existsConfigMap(c.k8s, c.defaultNS)
-}
-
-func (c *ClusterConfig) SetTenant() error {
-
-	// ARMO tenant GUID
-	if err := getTenantConfigFromBE(c.backendAPI, c.configObj); err != nil {
-		return err
-	}
-	// update/create config
-	if existsConfigMap(c.k8s, c.defaultNS) {
-		c.updateConfigMap()
-	} else {
+	if createConfig {
 		c.createConfigMap()
+		c.createConfigFile()
+	} else if updateConfig {
+		if c.existsConfigMap() {
+			c.updateConfigMap()
+		}
+		if existsConfigFile() {
+			c.updateConfigFile()
+		}
 	}
-	updateConfigFile(c.configObj)
 	return nil
-
 }
-
-func (c *ClusterConfig) GetClusterName() string {
-	return c.configObj.ClusterName
-}
-
 func (c *ClusterConfig) ToMapString() map[string]interface{} {
 	m := map[string]interface{}{}
-	if bc, err := json.Marshal(c.configObj); err == nil {
-		json.Unmarshal(bc, &m)
-	}
+	bc, _ := json.Marshal(c.configObj)
+	json.Unmarshal(bc, &m)
 	return m
 }
-func loadConfigFromConfigMap(k8s *k8sinterface.KubernetesApi, ns string) (*ConfigObj, error) {
-	configMap, err := k8s.KubernetesClient.CoreV1().ConfigMaps(ns).Get(context.Background(), configMapName, metav1.GetOptions{})
+func (c *ClusterConfig) loadConfigFromConfigMap() (*ConfigObj, error) {
+	if c.k8s == nil {
+		return nil, nil
+	}
+	configMap, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -235,8 +239,8 @@ func loadConfigFromConfigMap(k8s *k8sinterface.KubernetesApi, ns string) (*Confi
 	return nil, nil
 }

-func existsConfigMap(k8s *k8sinterface.KubernetesApi, ns string) bool {
-	_, err := k8s.KubernetesClient.CoreV1().ConfigMaps(ns).Get(context.Background(), configMapName, metav1.GetOptions{})
+func (c *ClusterConfig) existsConfigMap() bool {
+	_, err := c.k8s.KubernetesClient.CoreV1().ConfigMaps(c.defaultNS).Get(context.Background(), configMapName, metav1.GetOptions{})
 	// TODO - check if has customerGUID
 	return err == nil
 }
@@ -355,8 +359,15 @@ func (c *ClusterConfig) updateConfigMap() error {
 	return err
 }

-func updateConfigFile(configObj *ConfigObj) error {
-	if err := os.WriteFile(ConfigFileFullPath(), configObj.Config(), 0664); err != nil {
+func (c *ClusterConfig) updateConfigFile() error {
+	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Json(), 0664); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *ClusterConfig) createConfigFile() error {
+	if err := os.WriteFile(ConfigFileFullPath(), c.configObj.Json(), 0664); err != nil {
 		return err
 	}
 	return nil
@@ -393,12 +404,12 @@ func readConfig(dat []byte) (*ConfigObj, error) {
 }

 // Check if the customer is submitted
-func (clusterConfig *ClusterConfig) IsSubmitted() bool {
-	return existsConfigMap(clusterConfig.k8s, clusterConfig.defaultNS) || existsConfigFile()
+func IsSubmitted(clusterConfig *ClusterConfig) bool {
+	return clusterConfig.existsConfigMap() || existsConfigFile()
 }

 // Check if the customer is registered
-func (clusterConfig *ClusterConfig) IsRegistered() bool {
+func IsRegistered(clusterConfig *ClusterConfig) bool {

 	// get from armoBE
 	tenantResponse, err := clusterConfig.backendAPI.GetCustomerGUID(clusterConfig.GetCustomerGUID())
@@ -410,8 +421,8 @@ func (clusterConfig *ClusterConfig) IsRegistered() bool {
 	return false
 }

-func (clusterConfig *ClusterConfig) DeleteConfig() error {
-	if err := DeleteConfigMap(clusterConfig.k8s); err != nil {
+func DeleteConfig(k8s *k8sinterface.KubernetesApi) error {
+	if err := DeleteConfigMap(k8s); err != nil {
 		return err
 	}
 	if err := DeleteConfigFile(); err != nil {
@@ -426,7 +437,3 @@ func DeleteConfigMap(k8s *k8sinterface.KubernetesApi) error {
 func DeleteConfigFile() error {
 	return os.Remove(ConfigFileFullPath())
 }
-
-func AdoptClusterName(clusterName string) string {
-	return strings.ReplaceAll(clusterName, "/", "-")
-}
--- a/cautils/datastructures.go
+++ b/cautils/datastructures.go
@@ -1,35 +1,25 @@
 package cautils

 import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/k8s-interface/workloadinterface"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/armosec/opa-utils/reporthandling/results/v1/resourcesresults"
-	reporthandlingv2 "github.com/armosec/opa-utils/reporthandling/v2"
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
 )

-// K8SResources map[<api group>/<api version>/<resource>][]<resourceID>
-type K8SResources map[string][]string
+// K8SResources map[<api group>/<api version>/<resource>]<resource object>
+type K8SResources map[string]interface{}

 type OPASessionObj struct {
-	K8SResources    *K8SResources                          // input k8s objects
-	Frameworks      []reporthandling.Framework             // list of frameworks to scan
-	AllResources    map[string]workloadinterface.IMetadata // all scanned resources, map[<rtesource ID>]<resource>
-	ResourcesResult map[string]resourcesresults.Result     // resources scan results, map[<rtesource ID>]<resource result>
-	PostureReport   *reporthandling.PostureReport          // scan results v1
-	Report          *reporthandlingv2.PostureReport        // scan results v2
-	Exceptions      []armotypes.PostureExceptionPolicy     // list of exceptions to apply on scan results
-	RegoInputData   RegoInputData                          // input passed to rgo for scanning. map[<control name>][<input arguments>]
+	Frameworks    []opapolicy.Framework
+	K8SResources  *K8SResources
+	Exceptions    []armotypes.PostureExceptionPolicy
+	PostureReport *opapolicy.PostureReport
 }

-func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SResources) *OPASessionObj {
+func NewOPASessionObj(frameworks []opapolicy.Framework, k8sResources *K8SResources) *OPASessionObj {
 	return &OPASessionObj{
-		Report:          &reporthandlingv2.PostureReport{},
-		Frameworks:      frameworks,
-		K8SResources:    k8sResources,
-		AllResources:    make(map[string]workloadinterface.IMetadata),
-		ResourcesResult: make(map[string]resourcesresults.Result),
-		PostureReport: &reporthandling.PostureReport{
+		Frameworks:   frameworks,
+		K8SResources: k8sResources,
+		PostureReport: &opapolicy.PostureReport{
 			ClusterName:  ClusterName,
 			CustomerGUID: CustomerGUID,
 		},
@@ -38,12 +28,9 @@ func NewOPASessionObj(frameworks []reporthandling.Framework, k8sResources *K8SRe

 func NewOPASessionObjMock() *OPASessionObj {
 	return &OPASessionObj{
-		Frameworks:      nil,
-		K8SResources:    nil,
-		AllResources:    make(map[string]workloadinterface.IMetadata),
-		ResourcesResult: make(map[string]resourcesresults.Result),
-		Report:          &reporthandlingv2.PostureReport{},
-		PostureReport: &reporthandling.PostureReport{
+		Frameworks:   nil,
+		K8SResources: nil,
+		PostureReport: &opapolicy.PostureReport{
 			ClusterName:  "",
 			CustomerGUID: "",
 			ReportID:     "",
@@ -57,19 +44,8 @@ type ComponentConfig struct {
 }

 type Exception struct {
-	Ignore        *bool                      `json:"ignore"`        // ignore test results
-	MultipleScore *reporthandling.AlertScore `json:"multipleScore"` // MultipleScore number - float32
-	Namespaces    []string                   `json:"namespaces"`
-	Regex         string                     `json:"regex"` // not supported
-}
-
-type RegoInputData struct {
-	PostureControlInputs map[string][]string `json:"postureControlInputs"`
-	// ClusterName          string              `json:"clusterName"`
-	// K8sConfig            RegoK8sConfig       `json:"k8sconfig"`
-}
-
-type Policies struct {
-	Frameworks []string
-	Controls   map[string]reporthandling.Control // map[<control ID>]<control>
+	Ignore        *bool                 `json:"ignore"`        // ignore test results
+	MultipleScore *opapolicy.AlertScore `json:"multipleScore"` // MultipleScore number - float32
+	Namespaces    []string              `json:"namespaces"`
+	Regex         string                `json:"regex"` // not supported
 }
--- a/cautils/datastructuresmethods.go
+++ b/cautils/datastructuresmethods.go
@@ -1,65 +0,0 @@
-package cautils
-
-import (
-	pkgcautils "github.com/armosec/utils-go/utils"
-
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-func NewPolicies() *Policies {
-	return &Policies{
-		Frameworks: make([]string, 0),
-		Controls:   make(map[string]reporthandling.Control),
-	}
-}
-
-func (policies *Policies) Set(frameworks []reporthandling.Framework, version string) {
-	for i := range frameworks {
-		if frameworks[i].Name != "" {
-			policies.Frameworks = append(policies.Frameworks, frameworks[i].Name)
-		}
-		for j := range frameworks[i].Controls {
-			compatibleRules := []reporthandling.PolicyRule{}
-			for r := range frameworks[i].Controls[j].Rules {
-				if !ruleWithArmoOpaDependency(frameworks[i].Controls[j].Rules[r].Attributes) && isRuleKubescapeVersionCompatible(frameworks[i].Controls[j].Rules[r].Attributes, version) {
-					compatibleRules = append(compatibleRules, frameworks[i].Controls[j].Rules[r])
-				}
-			}
-			frameworks[i].Controls[j].Rules = compatibleRules
-			policies.Controls[frameworks[i].Controls[j].ControlID] = frameworks[i].Controls[j]
-		}
-	}
-}
-
-func ruleWithArmoOpaDependency(attributes map[string]interface{}) bool {
-	if attributes == nil {
-		return false
-	}
-	if s, ok := attributes["armoOpa"]; ok { // TODO - make global
-		return pkgcautils.StringToBool(s.(string))
-	}
-	return false
-}
-
-// Checks that kubescape version is in range of use for this rule
-// In local build (BuildNumber = ""):
-// returns true only if rule doesn't have the "until" attribute
-func isRuleKubescapeVersionCompatible(attributes map[string]interface{}, version string) bool {
-	if from, ok := attributes["useFromKubescapeVersion"]; ok && from != nil {
-		if version != "" {
-			if from.(string) > BuildNumber {
-				return false
-			}
-		}
-	}
-	if until, ok := attributes["useUntilKubescapeVersion"]; ok && until != nil {
-		if version != "" {
-			if until.(string) <= BuildNumber {
-				return false
-			}
-		} else {
-			return false
-		}
-	}
-	return true
-}
--- a/cautils/display.go
+++ b/cautils/display.go
@@ -35,15 +35,15 @@ func ScanStartDisplay() {
 	if IsSilent() {
 		return
 	}
-	InfoDisplay(os.Stderr, "ARMO security scanner starting\n")
+	InfoDisplay(os.Stdout, "ARMO security scanner starting\n")
 }

 func SuccessTextDisplay(str string) {
 	if IsSilent() {
 		return
 	}
-	SuccessDisplay(os.Stderr, "[success] ")
-	SimpleDisplay(os.Stderr, fmt.Sprintf("%s\n", str))
+	SuccessDisplay(os.Stdout, "[success] ")
+	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))

 }

@@ -51,8 +51,8 @@ func ErrorDisplay(str string) {
 	if IsSilent() {
 		return
 	}
-	FailureDisplay(os.Stderr, "[Error] ")
-	SimpleDisplay(os.Stderr, fmt.Sprintf("%s\n", str))
+	SuccessDisplay(os.Stdout, "[Error] ")
+	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))

 }

@@ -60,8 +60,8 @@ func ProgressTextDisplay(str string) {
 	if IsSilent() {
 		return
 	}
-	InfoDisplay(os.Stderr, "[progress] ")
-	SimpleDisplay(os.Stderr, fmt.Sprintf("%s\n", str))
+	InfoDisplay(os.Stdout, "[progress] ")
+	SimpleDisplay(os.Stdout, fmt.Sprintf("%s\n", str))

 }
 func StartSpinner() {
--- a/cautils/downloadinfo.go
+++ b/cautils/downloadinfo.go
@@ -3,5 +3,4 @@ package cautils
 type DownloadInfo struct {
 	Path          string
 	FrameworkName string
-	ControlName   string
 }
--- a/cautils/getter/armoapi.go
+++ b/cautils/getter/armoapi.go
@@ -1,15 +1,11 @@
 package getter

 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
-	"strings"
-	"time"

-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/golang/glog"
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
 )

 // =======================================================================================================================
@@ -19,91 +15,29 @@ import (
 var (
 	// ATTENTION!!!
 	// Changes in this URLs variable names, or in the usage is affecting the build process! BE CAREFULL
-	armoERURL = "report.armo.cloud"
-	armoBEURL = "api.armo.cloud"
-	armoFEURL = "portal.armo.cloud"
-
-	armoDevERURL = "report.eudev3.cyberarmorsoft.com"
-	armoDevBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
-	armoDevFEURL = "armoui-dev.eudev3.cyberarmorsoft.com"
+	ArmoBEURL = "eggdashbe.eudev3.cyberarmorsoft.com"
+	ArmoERURL = "report.eudev3.cyberarmorsoft.com"
+	ArmoFEURL = "armoui.eudev3.cyberarmorsoft.com"
+	// ArmoURL = "https://dashbe.euprod1.cyberarmorsoft.com"
 )

 // Armo API for downloading policies
 type ArmoAPI struct {
-	httpClient   *http.Client
-	apiURL       string
-	erURL        string
-	feURL        string
-	customerGUID string
+	httpClient *http.Client
 }

-var globalArmoAPIConnecctor *ArmoAPI
-
-func SetARMOAPIConnector(armoAPI *ArmoAPI) {
-	globalArmoAPIConnecctor = armoAPI
-}
-
-func GetArmoAPIConnector() *ArmoAPI {
-	if globalArmoAPIConnecctor == nil {
-		glog.Error("returning nil API connector")
-	}
-	return globalArmoAPIConnecctor
-}
-
-func NewARMOAPIDev() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoDevBEURL
-	apiObj.erURL = armoDevERURL
-	apiObj.feURL = armoDevFEURL
-
-	return apiObj
-}
-
-func NewARMOAPIProd() *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.apiURL = armoBEURL
-	apiObj.erURL = armoERURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func NewARMOAPICustomized(armoERURL, armoBEURL, armoFEURL string) *ArmoAPI {
-	apiObj := newArmoAPI()
-
-	apiObj.erURL = armoERURL
-	apiObj.apiURL = armoBEURL
-	apiObj.feURL = armoFEURL
-
-	return apiObj
-}
-
-func newArmoAPI() *ArmoAPI {
+func NewArmoAPI() *ArmoAPI {
 	return &ArmoAPI{
-		httpClient: &http.Client{Timeout: time.Duration(61) * time.Second},
+		httpClient: &http.Client{},
 	}
 }
-func (armoAPI *ArmoAPI) SetCustomerGUID(customerGUID string) {
-	armoAPI.customerGUID = customerGUID
-
-}
-func (armoAPI *ArmoAPI) GetFrontendURL() string {
-	return armoAPI.feURL
-}
-
-func (armoAPI *ArmoAPI) GetReportReceiverURL() string {
-	return armoAPI.erURL
-}
-
-func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name), nil)
+func (armoAPI *ArmoAPI) GetFramework(name string) (*opapolicy.Framework, error) {
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getFrameworkURL(name))
 	if err != nil {
 		return nil, err
 	}

-	framework := &reporthandling.Framework{}
+	framework := &opapolicy.Framework{}
 	if err = JSONDecoder(respStr).Decode(framework); err != nil {
 		return nil, err
 	}
@@ -112,16 +46,12 @@ func (armoAPI *ArmoAPI) GetFramework(name string) (*reporthandling.Framework, er
 	return framework, err
 }

-func (armoAPI *ArmoAPI) GetControl(policyName string) (*reporthandling.Control, error) {
-	return nil, fmt.Errorf("control api is not public")
-}
-
 func (armoAPI *ArmoAPI) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 	exceptions := []armotypes.PostureExceptionPolicy{}
 	if customerGUID == "" {
 		return exceptions, nil
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName), nil)
+	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getExceptionsURL(customerGUID, clusterName))
 	if err != nil {
 		return nil, err
 	}
@@ -138,7 +68,7 @@ func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, e
 	if customerGUID != "" {
 		url = fmt.Sprintf("%s?customerGUID=%s", url, customerGUID)
 	}
-	respStr, err := HttpGetter(armoAPI.httpClient, url, nil)
+	respStr, err := HttpGetter(armoAPI.httpClient, url)
 	if err != nil {
 		return nil, err
 	}
@@ -150,75 +80,6 @@ func (armoAPI *ArmoAPI) GetCustomerGUID(customerGUID string) (*TenantResponse, e
 	return tenant, nil
 }

-// ControlsInputs  // map[<control name>][<input arguments>]
-func (armoAPI *ArmoAPI) GetAccountConfig(customerGUID, clusterName string) (*armotypes.CustomerConfig, error) {
-	accountConfig := &armotypes.CustomerConfig{}
-	if customerGUID == "" {
-		return accountConfig, nil
-	}
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getAccountConfig(customerGUID, clusterName), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = JSONDecoder(respStr).Decode(&accountConfig); err != nil {
-		return nil, err
-	}
-
-	return accountConfig, nil
-}
-
-// ControlsInputs  // map[<control name>][<input arguments>]
-func (armoAPI *ArmoAPI) GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error) {
-	accountConfig, err := armoAPI.GetAccountConfig(customerGUID, clusterName)
-	if err == nil {
-		return accountConfig.Settings.PostureControlInputs, nil
-	}
-	return nil, err
-}
-
-func (armoAPI *ArmoAPI) ListCustomFrameworks(customerGUID string) ([]string, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, err
-	}
-	frs := []reporthandling.Framework{}
-	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
-		return nil, err
-	}
-
-	frameworkList := []string{}
-	for _, fr := range frs {
-		if !isNativeFramework(fr.Name) {
-			frameworkList = append(frameworkList, fr.Name)
-		}
-	}
-
-	return frameworkList, nil
-}
-
-func (armoAPI *ArmoAPI) ListFrameworks(customerGUID string) ([]string, error) {
-	respStr, err := HttpGetter(armoAPI.httpClient, armoAPI.getListFrameworkURL(), nil)
-	if err != nil {
-		return nil, err
-	}
-	frs := []reporthandling.Framework{}
-	if err = json.Unmarshal([]byte(respStr), &frs); err != nil {
-		return nil, err
-	}
-
-	frameworkList := []string{}
-	for _, fr := range frs {
-		if isNativeFramework(fr.Name) {
-			frameworkList = append(frameworkList, strings.ToLower(fr.Name))
-		} else {
-			frameworkList = append(frameworkList, fr.Name)
-		}
-	}
-
-	return frameworkList, nil
-}
-
 type TenantResponse struct {
 	TenantID  string `json:"tenantId"`
 	Token     string `json:"token"`
--- a/cautils/getter/armoapiutils.go
+++ b/cautils/getter/armoapiutils.go
@@ -5,41 +5,24 @@ import (
 	"strings"
 )

-var NativeFrameworks = []string{"nsa", "mitre", "armobest"}
-
 func (armoAPI *ArmoAPI) getFrameworkURL(frameworkName string) string {
 	u := url.URL{}
 	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/armoFrameworks"
+	u.Host = ArmoBEURL
+	u.Path = "v1/armoFrameworks"
 	q := u.Query()
-	q.Add("customerGUID", armoAPI.customerGUID)
-	if isNativeFramework(frameworkName) {
-		q.Add("frameworkName", strings.ToUpper(frameworkName))
-	} else {
-		// For customer framework has to be the way it was added
-		q.Add("frameworkName", frameworkName)
-	}
+	q.Add("customerGUID", "11111111-1111-1111-1111-111111111111")
+	q.Add("frameworkName", strings.ToUpper(frameworkName))
+	q.Add("getRules", "true")
 	u.RawQuery = q.Encode()

 	return u.String()
 }

-func (armoAPI *ArmoAPI) getListFrameworkURL() string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/armoFrameworks"
-	q := u.Query()
-	q.Add("customerGUID", armoAPI.customerGUID)
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
 func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) string {
 	u := url.URL{}
 	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
+	u.Host = ArmoBEURL
 	u.Path = "api/v1/armoPostureExceptions"

 	q := u.Query()
@@ -52,26 +35,10 @@ func (armoAPI *ArmoAPI) getExceptionsURL(customerGUID, clusterName string) strin
 	return u.String()
 }

-func (armoAPI *ArmoAPI) getAccountConfig(customerGUID, clusterName string) string {
-	u := url.URL{}
-	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
-	u.Path = "api/v1/armoCustomerConfiguration"
-
-	q := u.Query()
-	q.Add("customerGUID", customerGUID)
-	if clusterName != "" { // TODO - fix customer name support in Armo BE
-		q.Add("clusterName", clusterName)
-	}
-	u.RawQuery = q.Encode()
-
-	return u.String()
-}
-
 func (armoAPI *ArmoAPI) getCustomerURL() string {
 	u := url.URL{}
 	u.Scheme = "https"
-	u.Host = armoAPI.apiURL
+	u.Host = ArmoBEURL
 	u.Path = "api/v1/createTenant"
 	return u.String()
 }
--- a/cautils/getter/downloadreleasedpolicy.go
+++ b/cautils/getter/downloadreleasedpolicy.go
@@ -1,71 +1,85 @@
 package getter

 import (
-	"strings"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"

-	"github.com/armosec/opa-utils/gitregostore"
-	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/kubescape/cautils/opapolicy"
 )

 // =======================================================================================================================
 // ======================================== DownloadReleasedPolicy =======================================================
 // =======================================================================================================================

-// Use gitregostore to get policies from github release
+// Download released version
 type DownloadReleasedPolicy struct {
-	gs *gitregostore.GitRegoStore
+	hostURL    string
+	httpClient *http.Client
 }

 func NewDownloadReleasedPolicy() *DownloadReleasedPolicy {
 	return &DownloadReleasedPolicy{
-		gs: gitregostore.NewDefaultGitRegoStore(-1),
+		hostURL:    "",
+		httpClient: &http.Client{},
 	}
 }

-func (drp *DownloadReleasedPolicy) GetControl(policyName string) (*reporthandling.Control, error) {
-	var control *reporthandling.Control
-	var err error
-
-	control, err = drp.gs.GetOPAControl(policyName)
+func (drp *DownloadReleasedPolicy) GetFramework(name string) (*opapolicy.Framework, error) {
+	if err := drp.setURL(name); err != nil {
+		return nil, err
+	}
+	respStr, err := HttpGetter(drp.httpClient, drp.hostURL)
 	if err != nil {
 		return nil, err
 	}
-	return control, nil
-}

-func (drp *DownloadReleasedPolicy) GetFramework(name string) (*reporthandling.Framework, error) {
-	framework, err := drp.gs.GetOPAFrameworkByName(name)
-	if err != nil {
-		return nil, err
+	framework := &opapolicy.Framework{}
+	if err = JSONDecoder(respStr).Decode(framework); err != nil {
+		return framework, err
 	}
+
+	SaveFrameworkInFile(framework, GetDefaultPath(name+".json"))
 	return framework, err
 }

-func (drp *DownloadReleasedPolicy) GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error) {
-	defaultConfigInputs, err := drp.gs.GetDefaultConfigInputs()
+func (drp *DownloadReleasedPolicy) setURL(frameworkName string) error {
+
+	latestReleases := "https://api.github.com/repos/armosec/regolibrary/releases/latest"
+	resp, err := http.Get(latestReleases)
 	if err != nil {
-		return nil, err
+		return fmt.Errorf("failed to get latest releases from '%s', reason: %s", latestReleases, err.Error())
 	}
-	return defaultConfigInputs.Settings.PostureControlInputs, err
-}
-
-func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
-	fwNames, err := drp.gs.GetOPAFrameworksNamesList()
-	if len(fwNames) != 0 && err == nil {
-		return nil
+	defer resp.Body.Close()
+	if resp.StatusCode < 200 || 301 < resp.StatusCode {
+		return fmt.Errorf("failed to download file, status code: %s", resp.Status)
 	}
-	return drp.gs.SetRegoObjects()
-}

-func isNativeFramework(framework string) bool {
-	return contains(NativeFrameworks, framework)
-}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read response body from '%s', reason: %s", latestReleases, err.Error())
+	}
+	var data map[string]interface{}
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		return fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", latestReleases, err.Error())
+	}

-func contains(s []string, str string) bool {
-	for _, v := range s {
-		if strings.EqualFold(v, str) {
-			return true
+	if assets, ok := data["assets"].([]interface{}); ok {
+		for i := range assets {
+			if asset, ok := assets[i].(map[string]interface{}); ok {
+				if name, ok := asset["name"].(string); ok {
+					if name == frameworkName {
+						if url, ok := asset["browser_download_url"].(string); ok {
+							drp.hostURL = url
+							return nil
+						}
+					}
+				}
+			}
 		}
 	}
-	return false
+	return fmt.Errorf("failed to download '%s' - not found", frameworkName)
+
 }
--- a/cautils/getter/getpolicies.go
+++ b/cautils/getter/getpolicies.go
@@ -1,13 +1,12 @@
 package getter

 import (
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
 )

 type IPolicyGetter interface {
-	GetFramework(name string) (*reporthandling.Framework, error)
-	GetControl(name string) (*reporthandling.Control, error)
+	GetFramework(name string) (*opapolicy.Framework, error)
 }

 type IExceptionsGetter interface {
@@ -16,7 +15,3 @@ type IExceptionsGetter interface {
 type IBackend interface {
 	GetCustomerGUID(customerGUID string) (*TenantResponse, error)
 }
-
-type IControlsInputsGetter interface {
-	GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error)
-}
--- a/cautils/getter/getpoliciesutils.go
+++ b/cautils/getter/getpoliciesutils.go
@@ -1,17 +1,16 @@
 package getter

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"

-	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/kubescape/cautils/opapolicy"
 )

 func GetDefaultPath(name string) string {
@@ -22,51 +21,14 @@ func GetDefaultPath(name string) string {
 	return defaultfilePath
 }

-// Save control as json in file
-func SaveControlInFile(control *reporthandling.Control, pathStr string) error {
-	encodedData, err := json.Marshal(control)
-	if err != nil {
-		return err
-	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-	if err != nil {
-		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
-			}
-		} else {
-			return err
-
-		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func SaveFrameworkInFile(framework *reporthandling.Framework, pathStr string) error {
+func SaveFrameworkInFile(framework *opapolicy.Framework, path string) error {
 	encodedData, err := json.Marshal(framework)
 	if err != nil {
 		return err
 	}
-	err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
+	err = os.WriteFile(path, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
 	if err != nil {
-		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
-			if err := os.Mkdir(pathDir, 0744); err != nil {
-				return err
-			}
-		} else {
-			return err
-
-		}
-		err = os.WriteFile(pathStr, []byte(fmt.Sprintf("%v", string(encodedData))), 0644)
-		if err != nil {
-			return err
-		}
+		return err
 	}
 	return nil
 }
@@ -78,14 +40,12 @@ func JSONDecoder(origin string) *json.Decoder {
 	return dec
 }

-func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]string) (string, error) {
+func HttpGetter(httpClient *http.Client, fullURL string) (string, error) {

 	req, err := http.NewRequest("GET", fullURL, nil)
 	if err != nil {
 		return "", err
 	}
-	addHeaders(req, headers)
-
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return "", err
@@ -97,32 +57,6 @@ func HttpGetter(httpClient *http.Client, fullURL string, headers map[string]stri
 	return respStr, nil
 }

-func HttpPost(httpClient *http.Client, fullURL string, headers map[string]string, body []byte) (string, error) {
-
-	req, err := http.NewRequest("POST", fullURL, bytes.NewReader(body))
-	if err != nil {
-		return "", err
-	}
-	addHeaders(req, headers)
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return "", err
-	}
-	respStr, err := httpRespToString(resp)
-	if err != nil {
-		return "", err
-	}
-	return respStr, nil
-}
-
-func addHeaders(req *http.Request, headers map[string]string) {
-	if len(headers) >= 0 { // might be nil
-		for k, v := range headers {
-			req.Header.Add(k, v)
-		}
-	}
-}
-
 // HTTPRespToString parses the body as string and checks the HTTP status code, it closes the body reader at the end
 func httpRespToString(resp *http.Response) (string, error) {
 	if resp == nil || resp.Body == nil {
@@ -152,3 +86,29 @@ func httpRespToString(resp *http.Response) (string, error) {

 	return respStr, err
 }
+
+// URLEncoder encode url
+func urlEncoder(oldURL string) string {
+	fullURL := strings.Split(oldURL, "?")
+	baseURL, err := url.Parse(fullURL[0])
+	if err != nil {
+		return ""
+	}
+
+	// Prepare Query Parameters
+	if len(fullURL) > 1 {
+		params := url.Values{}
+		queryParams := strings.Split(fullURL[1], "&")
+		for _, i := range queryParams {
+			queryParam := strings.Split(i, "=")
+			val := ""
+			if len(queryParam) > 1 {
+				val = queryParam[1]
+			}
+			params.Add(queryParam[0], val)
+		}
+		baseURL.RawQuery = params.Encode()
+	}
+
+	return baseURL.String()
+}
--- a/cautils/getter/loadpolicy.go
+++ b/cautils/getter/loadpolicy.go
@@ -6,8 +6,8 @@ import (
 	"os"
 	"strings"

-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/kubescape/cautils/armotypes"
+	"github.com/armosec/kubescape/cautils/opapolicy"
 )

 // =======================================================================================================================
@@ -17,71 +17,34 @@ const DefaultLocalStore = ".kubescape"

 // Load policies from a local repository
 type LoadPolicy struct {
-	filePaths []string
+	filePath string
 }

-func NewLoadPolicy(filePaths []string) *LoadPolicy {
+func NewLoadPolicy(filePath string) *LoadPolicy {
 	return &LoadPolicy{
-		filePaths: filePaths,
+		filePath: filePath,
 	}
 }

-// Return control from file
-func (lp *LoadPolicy) GetControl(controlName string) (*reporthandling.Control, error) {
+func (lp *LoadPolicy) GetFramework(frameworkName string) (*opapolicy.Framework, error) {

-	control := &reporthandling.Control{}
-	filePath := lp.filePath()
-	f, err := os.ReadFile(filePath)
+	framework := &opapolicy.Framework{}
+	f, err := os.ReadFile(lp.filePath)
 	if err != nil {
 		return nil, err
 	}

-	if err = json.Unmarshal(f, control); err != nil {
-		return control, err
-	}
-	if controlName != "" && !strings.EqualFold(controlName, control.Name) && !strings.EqualFold(controlName, control.ControlID) {
-		framework, err := lp.GetFramework(control.Name)
-		if err != nil {
-			return nil, fmt.Errorf("control from file not matching")
-		} else {
-			for _, ctrl := range framework.Controls {
-				if strings.EqualFold(ctrl.Name, controlName) || strings.EqualFold(ctrl.ControlID, controlName) {
-					control = &ctrl
-					break
-				}
-			}
-		}
-	}
-	return control, err
-}
-
-func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
-	framework := &reporthandling.Framework{}
-	var err error
-	for _, filePath := range lp.filePaths {
-		f, err := os.ReadFile(filePath)
-		if err != nil {
-			return nil, err
-		}
-
-		if err = json.Unmarshal(f, framework); err != nil {
-			return framework, err
-		}
-		if strings.EqualFold(frameworkName, framework.Name) {
-			break
-		}
-	}
+	err = json.Unmarshal(f, framework)
 	if frameworkName != "" && !strings.EqualFold(frameworkName, framework.Name) {
-
 		return nil, fmt.Errorf("framework from file not matching")
 	}
 	return framework, err
 }

 func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
-	filePath := lp.filePath()
+
 	exception := []armotypes.PostureExceptionPolicy{}
-	f, err := os.ReadFile(filePath)
+	f, err := os.ReadFile(lp.filePath)
 	if err != nil {
 		return nil, err
 	}
@@ -89,25 +52,3 @@ func (lp *LoadPolicy) GetExceptions(customerGUID, clusterName string) ([]armotyp
 	err = json.Unmarshal(f, &exception)
 	return exception, err
 }
-
-func (lp *LoadPolicy) GetControlsInputs(customerGUID, clusterName string) (map[string][]string, error) {
-	filePath := lp.filePath()
-	accountConfig := &armotypes.CustomerConfig{}
-	f, err := os.ReadFile(filePath)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = json.Unmarshal(f, &accountConfig); err == nil {
-		return accountConfig.Settings.PostureControlInputs, nil
-	}
-	return nil, err
-}
-
-// temporary support for a list of files
-func (lp *LoadPolicy) filePath() string {
-	if len(lp.filePaths) > 0 {
-		return lp.filePaths[0]
-	}
-	return ""
-}
--- a/cautils/getter/loadpolicy_test.go
+++ b/cautils/getter/loadpolicy_test.go
@@ -1,20 +0,0 @@
-package getter
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-var mockFrameworkBasePath = filepath.Join("examples", "mocks", "frameworks")
-
-func MockNewLoadPolicy() *LoadPolicy {
-	return &LoadPolicy{
-		filePaths: []string{""},
-	}
-}
-
-func TestBla(t *testing.T) {
-	dir, _ := os.Getwd()
-	t.Error(dir)
-}
--- a/cautils/k8sinterface/cloudvendorregistrycreds.go
+++ b/cautils/k8sinterface/cloudvendorregistrycreds.go
@@ -0,0 +1,265 @@
+package k8sinterface
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/docker/docker/api/types"
+)
+
+// For GCR there are some permissions one need to assign in order to allow ARMO to pull images:
+// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
+// gcloud iam service-accounts create armo-controller-sa
+// gcloud projects add-iam-policy-binding <PROJECT_NAME> --role roles/storage.objectViewer --member "serviceAccount:armo-controller-sa@<PROJECT_NAME>.iam.gserviceaccount.com"
+// gcloud iam service-accounts add-iam-policy-binding   --role roles/iam.workloadIdentityUser   --member "serviceAccount:<PROJECT_NAME>.svc.id.goog[cyberarmor-system/ca-controller-service-account]"   armo-controller-sa@<PROJECT_NAME>.iam.gserviceaccount.com
+// kubectl annotate serviceaccount --overwrite   --namespace cyberarmor-system   ca-controller-service-account iam.gke.io/gcp-service-account=armo-controller-sa@<PROJECT_NAME>.iam.gserviceaccount.com
+
+const (
+	gcrDefaultServiceAccountName = "default"
+	// armoServiceAccountName = "ca-controller-service-account"
+)
+
+var (
+	httpClient = http.Client{Timeout: 5 * time.Second}
+)
+
+// CheckIsECRImage check if this image is suspected as ECR hosted image
+func CheckIsECRImage(imageTag string) bool {
+	return strings.Contains(imageTag, "dkr.ecr")
+}
+
+// GetLoginDetailsForECR return user name + password using the default iam-role OR ~/.aws/config of the machine
+func GetLoginDetailsForECR(imageTag string) (string, string, error) {
+	// imageTag := "015253967648.dkr.ecr.eu-central-1.amazonaws.com/armo:1"
+	imageTagSlices := strings.Split(imageTag, ".")
+	repo := imageTagSlices[0]
+	region := imageTagSlices[3]
+	mySession := session.Must(session.NewSession())
+	ecrClient := ecr.New(mySession, aws.NewConfig().WithRegion(region))
+	input := &ecr.GetAuthorizationTokenInput{
+		RegistryIds: []*string{&repo},
+	}
+	res, err := ecrClient.GetAuthorizationToken(input)
+	if err != nil {
+		return "", "", fmt.Errorf("in PullFromECR, failed to GetAuthorizationToken: %v", err)
+	}
+	res64 := (*res.AuthorizationData[0].AuthorizationToken)
+	resB, err := base64.StdEncoding.DecodeString(res64)
+	if err != nil {
+		return "", "", fmt.Errorf("in PullFromECR, failed to DecodeString: %v", err)
+	}
+	delimiterIdx := bytes.IndexByte(resB, ':')
+	// userName := resB[:delimiterIdx]
+	// resB = resB[delimiterIdx+1:]
+	// resB, err = base64.StdEncoding.DecodeString(string(resB))
+	// if err != nil {
+	// 	t.Errorf("failed to DecodeString #2: %v\n\n", err)
+	// }
+	return string(resB[:delimiterIdx]), string(resB[delimiterIdx+1:]), nil
+}
+
+func CheckIsACRImage(imageTag string) bool {
+	// atest1.azurecr.io/go-inf:1
+	return strings.Contains(imageTag, ".azurecr.io/")
+}
+
+type azureADDResponseJson struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    string `json:"expires_in"`
+	ExpiresOn    string `json:"expires_on"`
+	NotBefore    string `json:"not_before"`
+	Resource     string `json:"resource"`
+	TokenType    string `json:"token_type"`
+}
+
+func getAzureAADAccessToken() (string, error) {
+	msi_endpoint, err := url.Parse("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01")
+	if err != nil {
+		return "", fmt.Errorf("creating URL : %v", err)
+	}
+	msi_parameters := url.Values{}
+	msi_parameters.Add("resource", "https://management.azure.com/")
+	msi_parameters.Add("api-version", "2018-02-01")
+	msi_endpoint.RawQuery = msi_parameters.Encode()
+	req, err := http.NewRequest("GET", msi_endpoint.String(), nil)
+	if err != nil {
+		return "", fmt.Errorf("creating HTTP request : %v", err)
+	}
+	req.Header.Add("Metadata", "true")
+
+	// Call managed services for Azure resources token endpoint
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("calling token endpoint : %v", err)
+	}
+
+	// Pull out response body
+	responseBytes, err := io.ReadAll(resp.Body)
+	defer resp.Body.Close()
+	if err != nil {
+		return "", fmt.Errorf("reading response body : %v", err)
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return "", fmt.Errorf("azure ActiveDirectory AT resp: %v, %v", resp.Status, string(responseBytes))
+	}
+
+	// Unmarshall response body into struct
+	var r azureADDResponseJson
+	err = json.Unmarshal(responseBytes, &r)
+	if err != nil {
+		return "", fmt.Errorf("unmarshalling the response: %v", err)
+	}
+	return r.AccessToken, nil
+}
+
+// GetLoginDetailsForAzurCR return user name + password to use
+func GetLoginDetailsForAzurCR(imageTag string) (string, string, error) {
+	// imageTag := "atest1.azurecr.io/go-inf:1"
+	imageTagSlices := strings.Split(imageTag, "/")
+	azureIdensAT, err := getAzureAADAccessToken()
+	if err != nil {
+		return "", "", err
+	}
+	atMap := make(map[string]interface{})
+	azureIdensATSlices := strings.Split(azureIdensAT, ".")
+	if len(azureIdensATSlices) < 2 {
+		return "", "", fmt.Errorf("len(azureIdensATSlices) < 2")
+	}
+	resB, err := base64.RawStdEncoding.DecodeString(azureIdensATSlices[1])
+	if err != nil {
+		return "", "", fmt.Errorf("in GetLoginDetailsForAzurCR, failed to DecodeString: %v, %s", err, azureIdensATSlices[1])
+	}
+	if err := json.Unmarshal(resB, &atMap); err != nil {
+		return "", "", fmt.Errorf("failed to unmarshal azureIdensAT: %v, %s", err, string(resB))
+	}
+	// excahnging AAD for ACR refresh token
+	refreshToken, err := excahngeAzureAADAccessTokenForACRRefreshToken(imageTagSlices[0], fmt.Sprintf("%v", atMap["tid"]), azureIdensAT)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to excahngeAzureAADAccessTokenForACRRefreshToken: %v, registry: %s, tenantID: %s, azureAADAT: %s", err, imageTagSlices[0], fmt.Sprintf("%v", atMap["tid"]), azureIdensAT)
+	}
+
+	return "00000000-0000-0000-0000-000000000000", refreshToken, nil
+}
+
+func excahngeAzureAADAccessTokenForACRRefreshToken(registry, tenantID, azureAADAT string) (string, error) {
+	msi_parameters := url.Values{}
+	msi_parameters.Add("service", registry)
+	msi_parameters.Add("grant_type", "access_token")
+	msi_parameters.Add("tenant", tenantID)
+	msi_parameters.Add("access_token", azureAADAT)
+	postBodyStr := msi_parameters.Encode()
+	req, err := http.NewRequest("POST", fmt.Sprintf("https://%v/oauth2/exchange", registry), strings.NewReader(postBodyStr))
+	if err != nil {
+		return "", fmt.Errorf("creating HTTP request : %v", err)
+	}
+	req.Header.Add("Metadata", "true")
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	// Call managed services for Azure resources token endpoint
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("calling token endpoint : %v", err)
+	}
+
+	// Pull out response body
+	responseBytes, err := io.ReadAll(resp.Body)
+	defer resp.Body.Close()
+	if err != nil {
+		return "", fmt.Errorf("reading response body : %v", err)
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return "", fmt.Errorf("azure exchange AT resp: %v, %v", resp.Status, string(responseBytes))
+	}
+	resultMap := make(map[string]string)
+	err = json.Unmarshal(responseBytes, &resultMap)
+	if err != nil {
+		return "", fmt.Errorf("unmarshalling the response: %v", err)
+	}
+	return resultMap["refresh_token"], nil
+}
+
+func CheckIsGCRImage(imageTag string) bool {
+	// gcr.io/elated-pottery-310110/golang-inf:2
+	return strings.Contains(imageTag, "gcr.io/")
+}
+
+// GetLoginDetailsForGCR return user name + password to use
+func GetLoginDetailsForGCR(imageTag string) (string, string, error) {
+	msi_endpoint, err := url.Parse(fmt.Sprintf("http://169.254.169.254/computeMetadata/v1/instance/service-accounts/%s/token", gcrDefaultServiceAccountName))
+	if err != nil {
+		return "", "", fmt.Errorf("creating URL : %v", err)
+	}
+	req, err := http.NewRequest("GET", msi_endpoint.String(), nil)
+	if err != nil {
+		return "", "", fmt.Errorf("creating HTTP request : %v", err)
+	}
+	req.Header.Add("Metadata-Flavor", "Google")
+
+	// Call managed services for Azure resources token endpoint
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", "", fmt.Errorf("calling token endpoint : %v", err)
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return "", "", fmt.Errorf("HTTP Status : %v, make sure the '%s' service account is configured for ARMO pod", resp.Status, gcrDefaultServiceAccountName)
+	}
+	defer resp.Body.Close()
+	respMap := make(map[string]interface{})
+	if err := json.NewDecoder(resp.Body).Decode(&respMap); err != nil {
+		return "", "", fmt.Errorf("json Decode : %v", err)
+	}
+	return "oauth2accesstoken", fmt.Sprintf("%v", respMap["access_token"]), nil
+}
+
+func GetCloudVendorRegistryCredentials(imageTag string) (map[string]types.AuthConfig, error) {
+	secrets := map[string]types.AuthConfig{}
+	var errRes error
+	if CheckIsACRImage(imageTag) {
+		userName, password, err := GetLoginDetailsForAzurCR(imageTag)
+		if err != nil {
+			errRes = fmt.Errorf("failed to GetLoginDetailsForACR(%s): %v", imageTag, err)
+		} else {
+			secrets[imageTag] = types.AuthConfig{
+				Username: userName,
+				Password: password,
+			}
+		}
+	}
+
+	if CheckIsECRImage(imageTag) {
+		userName, password, err := GetLoginDetailsForECR(imageTag)
+		if err != nil {
+			errRes = fmt.Errorf("failed to GetLoginDetailsForECR(%s): %v", imageTag, err)
+		} else {
+			secrets[imageTag] = types.AuthConfig{
+				Username: userName,
+				Password: password,
+			}
+		}
+	}
+
+	if CheckIsGCRImage(imageTag) {
+		userName, password, err := GetLoginDetailsForGCR(imageTag)
+		if err != nil {
+			errRes = fmt.Errorf("failed to GetLoginDetailsForGCR(%s): %v", imageTag, err)
+		} else {
+			secrets[imageTag] = types.AuthConfig{
+				Username: userName,
+				Password: password,
+			}
+		}
+	}
+
+	return secrets, errRes
+}
--- a/cautils/k8sinterface/k8sconfig.go
+++ b/cautils/k8sinterface/k8sconfig.go
@@ -0,0 +1,121 @@
+package k8sinterface
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	// DO NOT REMOVE - load cloud providers auth
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+)
+
+var ConnectedToCluster = true
+
+// K8SConfig pointer to k8s config
+var K8SConfig *restclient.Config
+
+// KubernetesApi -
+type KubernetesApi struct {
+	KubernetesClient kubernetes.Interface
+	DynamicClient    dynamic.Interface
+	Context          context.Context
+}
+
+// NewKubernetesApi -
+func NewKubernetesApi() *KubernetesApi {
+	var kubernetesClient *kubernetes.Clientset
+	var err error
+
+	if !IsConnectedToCluster() {
+		fmt.Println(fmt.Errorf("failed to load kubernetes config: no configuration has been provided, try setting KUBECONFIG environment variable"))
+		os.Exit(1)
+	}
+
+	kubernetesClient, err = kubernetes.NewForConfig(GetK8sConfig())
+	if err != nil {
+		fmt.Printf("Failed to load config file, reason: %s", err.Error())
+		os.Exit(1)
+	}
+	dynamicClient, err := dynamic.NewForConfig(K8SConfig)
+	if err != nil {
+		fmt.Printf("Failed to load config file, reason: %s", err.Error())
+		os.Exit(1)
+	}
+
+	return &KubernetesApi{
+		KubernetesClient: kubernetesClient,
+		DynamicClient:    dynamicClient,
+		Context:          context.Background(),
+	}
+}
+
+// RunningIncluster whether running in cluster
+var RunningIncluster bool
+
+// LoadK8sConfig load config from local file or from cluster
+func LoadK8sConfig() error {
+	kubeconfig, err := config.GetConfig()
+	if err != nil {
+		return fmt.Errorf("failed to load kubernetes config: %s", strings.ReplaceAll(err.Error(), "KUBERNETES_MASTER", "KUBECONFIG"))
+	}
+	if _, err := restclient.InClusterConfig(); err == nil {
+		RunningIncluster = true
+	}
+
+	K8SConfig = kubeconfig
+	return nil
+}
+
+// GetK8sConfig get config. load if not loaded yet
+func GetK8sConfig() *restclient.Config {
+	if !IsConnectedToCluster() {
+		return nil
+	}
+	return K8SConfig
+}
+
+func IsConnectedToCluster() bool {
+	if K8SConfig == nil {
+		if err := LoadK8sConfig(); err != nil {
+			ConnectedToCluster = false
+		}
+	}
+	return ConnectedToCluster
+}
+func GetClusterName() string {
+	if !ConnectedToCluster {
+		return ""
+	}
+
+	kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(clientcmd.NewDefaultClientConfigLoadingRules(), &clientcmd.ConfigOverrides{})
+	config, err := kubeConfig.RawConfig()
+	if err != nil {
+		return ""
+	}
+	// TODO - Handle if empty
+	return config.CurrentContext
+}
+
+func GetDefaultNamespace() string {
+	defaultNamespace := "default"
+	clientCfg, err := clientcmd.NewDefaultClientConfigLoadingRules().Load()
+	if err != nil {
+		return defaultNamespace
+	}
+	apiContext, ok := clientCfg.Contexts[clientCfg.CurrentContext]
+	if !ok || apiContext == nil {
+		return defaultNamespace
+	}
+	namespace := apiContext.Namespace
+	if apiContext.Namespace == "" {
+		namespace = defaultNamespace
+	}
+	return namespace
+}
--- a/cautils/k8sinterface/k8sconfig_test.go
+++ b/cautils/k8sinterface/k8sconfig_test.go
@@ -0,0 +1,34 @@
+package k8sinterface
+
+import (
+	"testing"
+
+	"github.com/armosec/kubescape/cautils/cautils"
+)
+
+func TestGetGroupVersionResource(t *testing.T) {
+	wlid := "wlid://cluster-david-v1/namespace-default/deployment-nginx-deployment"
+	r, err := GetGroupVersionResource(cautils.GetKindFromWlid(wlid))
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if r.Group != "apps" {
+		t.Errorf("wrong group")
+	}
+	if r.Version != "v1" {
+		t.Errorf("wrong Version")
+	}
+	if r.Resource != "deployments" {
+		t.Errorf("wrong Resource")
+	}
+
+	r2, err := GetGroupVersionResource("NetworkPolicy")
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	if r2.Resource != "networkpolicies" {
+		t.Errorf("wrong Resource")
+	}
+}
--- a/cautils/k8sinterface/k8sdynamic.go
+++ b/cautils/k8sinterface/k8sdynamic.go
@@ -0,0 +1,145 @@
+package k8sinterface
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils/cautils"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	//
+	// Uncomment to load all auth plugins
+	// _ "k8s.io/client-go/plugin/pkg/client/auth
+	//
+	// Or uncomment to load specific auth plugins
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
+)
+
+func (k8sAPI *KubernetesApi) GetWorkloadByWlid(wlid string) (*Workload, error) {
+	return k8sAPI.GetWorkload(cautils.GetNamespaceFromWlid(wlid), cautils.GetKindFromWlid(wlid), cautils.GetNameFromWlid(wlid))
+}
+
+func (k8sAPI *KubernetesApi) GetWorkload(namespace, kind, name string) (*Workload, error) {
+	groupVersionResource, err := GetGroupVersionResource(kind)
+	if err != nil {
+		return nil, err
+	}
+
+	w, err := k8sAPI.ResourceInterface(&groupVersionResource, namespace).Get(k8sAPI.Context, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to GET resource, kind: '%s', namespace: '%s', name: '%s', reason: %s", kind, namespace, name, err.Error())
+	}
+	return NewWorkloadObj(w.Object), nil
+}
+
+func (k8sAPI *KubernetesApi) ListWorkloads(groupVersionResource *schema.GroupVersionResource, namespace string, podLabels, fieldSelector map[string]string) ([]Workload, error) {
+	listOptions := metav1.ListOptions{}
+	if podLabels != nil && len(podLabels) > 0 {
+		set := labels.Set(podLabels)
+		listOptions.LabelSelector = SelectorToString(set)
+	}
+	if fieldSelector != nil && len(fieldSelector) > 0 {
+		set := labels.Set(fieldSelector)
+		listOptions.FieldSelector = SelectorToString(set)
+	}
+	uList, err := k8sAPI.ResourceInterface(groupVersionResource, namespace).List(k8sAPI.Context, listOptions)
+	if err != nil {
+		return nil, fmt.Errorf("failed to LIST resources, reason: %s", err.Error())
+	}
+	workloads := make([]Workload, len(uList.Items))
+	for i := range uList.Items {
+		workloads[i] = *NewWorkloadObj(uList.Items[i].Object)
+	}
+	return workloads, nil
+}
+
+func (k8sAPI *KubernetesApi) DeleteWorkloadByWlid(wlid string) error {
+	groupVersionResource, err := GetGroupVersionResource(cautils.GetKindFromWlid(wlid))
+	if err != nil {
+		return err
+	}
+	err = k8sAPI.ResourceInterface(&groupVersionResource, cautils.GetNamespaceFromWlid(wlid)).Delete(k8sAPI.Context, cautils.GetNameFromWlid(wlid), metav1.DeleteOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to DELETE resource, workloadID: '%s', reason: %s", wlid, err.Error())
+	}
+	return nil
+}
+
+func (k8sAPI *KubernetesApi) CreateWorkload(workload *Workload) (*Workload, error) {
+	groupVersionResource, err := GetGroupVersionResource(workload.GetKind())
+	if err != nil {
+		return nil, err
+	}
+	obj, err := workload.ToUnstructured()
+	if err != nil {
+		return nil, err
+	}
+	w, err := k8sAPI.ResourceInterface(&groupVersionResource, workload.GetNamespace()).Create(k8sAPI.Context, obj, metav1.CreateOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to CREATE resource, workload: '%s', reason: %s", workload.Json(), err.Error())
+	}
+	return NewWorkloadObj(w.Object), nil
+}
+
+func (k8sAPI *KubernetesApi) UpdateWorkload(workload *Workload) (*Workload, error) {
+	groupVersionResource, err := GetGroupVersionResource(workload.GetKind())
+	if err != nil {
+		return nil, err
+	}
+
+	obj, err := workload.ToUnstructured()
+	if err != nil {
+		return nil, err
+	}
+
+	w, err := k8sAPI.ResourceInterface(&groupVersionResource, workload.GetNamespace()).Update(k8sAPI.Context, obj, metav1.UpdateOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to UPDATE resource, workload: '%s', reason: %s", workload.Json(), err.Error())
+	}
+	return NewWorkloadObj(w.Object), nil
+}
+
+func (k8sAPI *KubernetesApi) GetNamespace(ns string) (*Workload, error) {
+	groupVersionResource, err := GetGroupVersionResource("namespace")
+	if err != nil {
+		return nil, err
+	}
+	w, err := k8sAPI.DynamicClient.Resource(groupVersionResource).Get(k8sAPI.Context, ns, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to get namespace: '%s', reason: %s", ns, err.Error())
+	}
+	return NewWorkloadObj(w.Object), nil
+}
+
+func (k8sAPI *KubernetesApi) ResourceInterface(resource *schema.GroupVersionResource, namespace string) dynamic.ResourceInterface {
+	if IsNamespaceScope(resource.Group, resource.Resource) {
+		return k8sAPI.DynamicClient.Resource(*resource).Namespace(namespace)
+	}
+	return k8sAPI.DynamicClient.Resource(*resource)
+}
+
+func (k8sAPI *KubernetesApi) CalculateWorkloadParentRecursive(workload *Workload) (string, string, error) {
+	ownerReferences, err := workload.GetOwnerReferences() // OwnerReferences in workload
+	if err != nil {
+		return workload.GetKind(), workload.GetName(), err
+	}
+	if len(ownerReferences) == 0 {
+		return workload.GetKind(), workload.GetName(), nil // parent found
+	}
+	ownerReference := ownerReferences[0]
+
+	parentWorkload, err := k8sAPI.GetWorkload(workload.GetNamespace(), ownerReference.Kind, ownerReference.Name)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found in resourceMap") { // if parent is RCD
+			return workload.GetKind(), workload.GetName(), nil // parent found
+		}
+		return workload.GetKind(), workload.GetName(), err
+	}
+	return k8sAPI.CalculateWorkloadParentRecursive(parentWorkload)
+}
--- a/cautils/k8sinterface/k8sdynamic_test.go
+++ b/cautils/k8sinterface/k8sdynamic_test.go
@@ -0,0 +1,43 @@
+package k8sinterface
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	dynamicfake "k8s.io/client-go/dynamic/fake"
+	kubernetesfake "k8s.io/client-go/kubernetes/fake"
+	//
+	// metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	// Uncomment to load all auth plugins
+	// _ "k8s.io/client-go/plugin/pkg/client/auth
+	//
+	// Or uncomment to load specific auth plugins
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+	// _ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
+)
+
+// NewKubernetesApi -
+func NewKubernetesApiMock() *KubernetesApi {
+
+	return &KubernetesApi{
+		KubernetesClient: kubernetesfake.NewSimpleClientset(),
+		DynamicClient:    dynamicfake.NewSimpleDynamicClient(&runtime.Scheme{}),
+		Context:          context.Background(),
+	}
+}
+
+// func TestListDynamic(t *testing.T) {
+// 	k8s := NewKubernetesApi()
+// 	resource := schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
+// 	clientResource, err := k8s.DynamicClient.Resource(resource).Namespace("default").List(k8s.Context, metav1.ListOptions{})
+// 	if err != nil {
+// 		t.Errorf("err: %v", err)
+// 	} else {
+// 		bla, _ := json.Marshal(clientResource)
+// 		// t.Errorf("BearerToken: %v", *K8SConfig)
+// 		// os.WriteFile("bla.json", bla, 777)
+// 		t.Errorf("clientResource: %s", string(bla))
+// 	}
+// }
--- a/cautils/k8sinterface/k8sdynamicutils.go
+++ b/cautils/k8sinterface/k8sdynamicutils.go
@@ -0,0 +1,66 @@
+package k8sinterface
+
+import (
+	"sort"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+//
+// Uncomment to load all auth plugins
+// _ "k8s.io/client-go/plugin/pkg/client/auth
+//
+// Or uncomment to load specific auth plugins
+// _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
+// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+// _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+// _ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
+
+func ConvertUnstructuredSliceToMap(unstructuredSlice []unstructured.Unstructured) []map[string]interface{} {
+	converted := make([]map[string]interface{}, len(unstructuredSlice))
+	for i := range unstructuredSlice {
+		converted[i] = unstructuredSlice[i].Object
+	}
+	return converted
+}
+
+func FilterOutOwneredResources(result []unstructured.Unstructured) []unstructured.Unstructured {
+	response := []unstructured.Unstructured{}
+	recognizedOwners := []string{"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job", "CronJob"}
+	for i := range result {
+		ownerReferences := result[i].GetOwnerReferences()
+		if len(ownerReferences) == 0 {
+			response = append(response, result[i])
+		} else if !IsStringInSlice(recognizedOwners, ownerReferences[0].Kind) {
+			response = append(response, result[i])
+		}
+	}
+	return response
+}
+
+func IsStringInSlice(slice []string, val string) bool {
+	for _, item := range slice {
+		if item == val {
+			return true
+		}
+	}
+	return false
+}
+
+// String returns all labels listed as a human readable string.
+// Conveniently, exactly the format that ParseSelector takes.
+func SelectorToString(ls labels.Set) string {
+	selector := make([]string, 0, len(ls))
+	for key, value := range ls {
+		if value != "" {
+			selector = append(selector, key+"="+value)
+		} else {
+			selector = append(selector, key)
+		}
+	}
+	// Sort for determinism.
+	sort.StringSlice(selector).Sort()
+	return strings.Join(selector, ",")
+}
--- a/cautils/k8sinterface/k8sdynamicutils_test.go
+++ b/cautils/k8sinterface/k8sdynamicutils_test.go
@@ -0,0 +1,10 @@
+package k8sinterface
+
+import "testing"
+
+func TestConvertUnstructuredSliceToMap(t *testing.T) {
+	converted := ConvertUnstructuredSliceToMap(V1KubeSystemNamespaceMock().Items)
+	if len(converted) == 0 { // != 7
+		t.Errorf("len(converted) == 0")
+	}
+}
--- a/cautils/k8sinterface/k8sstatic.go
+++ b/cautils/k8sinterface/k8sstatic.go
@@ -0,0 +1,71 @@
+package k8sinterface
+
+import (
+	"context"
+
+	"github.com/armosec/kubescape/cautils/cautils"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+func IsAttached(labels map[string]string) *bool {
+	return IsLabel(labels, cautils.ArmoAttach)
+}
+
+func IsAgentCompatibleLabel(labels map[string]string) *bool {
+	return IsLabel(labels, cautils.ArmoCompatibleLabel)
+}
+func IsAgentCompatibleAnnotation(annotations map[string]string) *bool {
+	return IsLabel(annotations, cautils.ArmoCompatibleAnnotation)
+}
+func SetAgentCompatibleLabel(labels map[string]string, val bool) {
+	SetLabel(labels, cautils.ArmoCompatibleLabel, val)
+}
+func SetAgentCompatibleAnnotation(annotations map[string]string, val bool) {
+	SetLabel(annotations, cautils.ArmoCompatibleAnnotation, val)
+}
+func IsLabel(labels map[string]string, key string) *bool {
+	if labels == nil || len(labels) == 0 {
+		return nil
+	}
+	var k bool
+	if l, ok := labels[key]; ok {
+		if l == "true" {
+			k = true
+		} else if l == "false" {
+			k = false
+		}
+		return &k
+	}
+	return nil
+}
+func SetLabel(labels map[string]string, key string, val bool) {
+	if labels == nil {
+		return
+	}
+	v := ""
+	if val {
+		v = "true"
+	} else {
+		v = "false"
+	}
+	labels[key] = v
+}
+func (k8sAPI *KubernetesApi) ListAttachedPods(namespace string) ([]corev1.Pod, error) {
+	return k8sAPI.ListPods(namespace, map[string]string{cautils.ArmoAttach: cautils.BoolToString(true)})
+}
+
+func (k8sAPI *KubernetesApi) ListPods(namespace string, podLabels map[string]string) ([]corev1.Pod, error) {
+	listOptions := metav1.ListOptions{}
+	if podLabels != nil && len(podLabels) > 0 {
+		set := labels.Set(podLabels)
+		listOptions.LabelSelector = set.AsSelector().String()
+	}
+	pods, err := k8sAPI.KubernetesClient.CoreV1().Pods(namespace).List(context.Background(), listOptions)
+	if err != nil {
+		return []corev1.Pod{}, err
+	}
+	return pods.Items, nil
+}
--- a/cautils/k8sinterface/mockdynamicobjects.go
+++ b/cautils/k8sinterface/mockdynamicobjects.go
--- a/cautils/k8sinterface/resourcegroupmapping.go
+++ b/cautils/k8sinterface/resourcegroupmapping.go
@@ -0,0 +1,142 @@
+package k8sinterface
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/golang/glog"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const ValueNotFound = -1
+
+// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#-strong-api-groups-strong-
+var ResourceGroupMapping = map[string]string{
+	"services":                        "/v1",
+	"pods":                            "/v1",
+	"replicationcontrollers":          "/v1",
+	"podtemplates":                    "/v1",
+	"namespaces":                      "/v1",
+	"nodes":                           "/v1",
+	"configmaps":                      "/v1",
+	"secrets":                         "/v1",
+	"serviceaccounts":                 "/v1",
+	"persistentvolumeclaims":          "/v1",
+	"limitranges":                     "/v1",
+	"resourcequotas":                  "/v1",
+	"daemonsets":                      "apps/v1",
+	"deployments":                     "apps/v1",
+	"replicasets":                     "apps/v1",
+	"statefulsets":                    "apps/v1",
+	"controllerrevisions":             "apps/v1",
+	"jobs":                            "batch/v1",
+	"cronjobs":                        "batch/v1beta1",
+	"horizontalpodautoscalers":        "autoscaling/v1",
+	"ingresses":                       "extensions/v1beta1",
+	"networkpolicies":                 "networking.k8s.io/v1",
+	"clusterroles":                    "rbac.authorization.k8s.io/v1",
+	"clusterrolebindings":             "rbac.authorization.k8s.io/v1",
+	"roles":                           "rbac.authorization.k8s.io/v1",
+	"rolebindings":                    "rbac.authorization.k8s.io/v1",
+	"mutatingwebhookconfigurations":   "admissionregistration.k8s.io/v1",
+	"validatingwebhookconfigurations": "admissionregistration.k8s.io/v1",
+}
+
+var GroupsClusterScope = []string{}
+var ResourceClusterScope = []string{"nodes", "namespaces", "clusterroles", "clusterrolebindings"}
+
+func GetGroupVersionResource(resource string) (schema.GroupVersionResource, error) {
+	resource = updateResourceKind(resource)
+	if r, ok := ResourceGroupMapping[resource]; ok {
+		gv := strings.Split(r, "/")
+		return schema.GroupVersionResource{Group: gv[0], Version: gv[1], Resource: resource}, nil
+	}
+	return schema.GroupVersionResource{}, fmt.Errorf("resource '%s' not found in resourceMap", resource)
+}
+
+func IsNamespaceScope(apiGroup, resource string) bool {
+	return StringInSlice(GroupsClusterScope, apiGroup) == ValueNotFound &&
+		StringInSlice(ResourceClusterScope, resource) == ValueNotFound
+}
+
+func StringInSlice(strSlice []string, str string) int {
+	for i := range strSlice {
+		if strSlice[i] == str {
+			return i
+		}
+	}
+	return ValueNotFound
+}
+
+func JoinResourceTriplets(group, version, resource string) string {
+	return fmt.Sprintf("%s/%s/%s", group, version, resource)
+}
+func GetResourceTriplets(group, version, resource string) []string {
+	resourceTriplets := []string{}
+	if resource == "" {
+		// load full map
+		for k, v := range ResourceGroupMapping {
+			g := strings.Split(v, "/")
+			resourceTriplets = append(resourceTriplets, JoinResourceTriplets(g[0], g[1], k))
+		}
+	} else if version == "" {
+		// load by resource
+		if v, ok := ResourceGroupMapping[resource]; ok {
+			g := strings.Split(v, "/")
+			if group == "" {
+				group = g[0]
+			}
+			resourceTriplets = append(resourceTriplets, JoinResourceTriplets(group, g[1], resource))
+		} else {
+			glog.Errorf("Resource '%s' unknown", resource)
+		}
+	} else if group == "" {
+		// load by resource and version
+		if v, ok := ResourceGroupMapping[resource]; ok {
+			g := strings.Split(v, "/")
+			resourceTriplets = append(resourceTriplets, JoinResourceTriplets(g[0], version, resource))
+		} else {
+			glog.Errorf("Resource '%s' unknown", resource)
+		}
+	} else {
+		resourceTriplets = append(resourceTriplets, JoinResourceTriplets(group, version, resource))
+	}
+	return resourceTriplets
+}
+func ResourceGroupToString(group, version, resource string) []string {
+	if group == "*" {
+		group = ""
+	}
+	if version == "*" {
+		version = ""
+	}
+	if resource == "*" {
+		resource = ""
+	}
+	resource = updateResourceKind(resource)
+	return GetResourceTriplets(group, version, resource)
+}
+
+func StringToResourceGroup(str string) (string, string, string) {
+	splitted := strings.Split(str, "/")
+	for i := range splitted {
+		if splitted[i] == "*" {
+			splitted[i] = ""
+		}
+	}
+	return splitted[0], splitted[1], splitted[2]
+}
+
+func updateResourceKind(resource string) string {
+	resource = strings.ToLower(resource)
+
+	if resource != "" && !strings.HasSuffix(resource, "s") {
+		if strings.HasSuffix(resource, "y") {
+			return fmt.Sprintf("%sies", strings.TrimSuffix(resource, "y")) // e.g. NetworkPolicy -> networkpolicies
+		} else {
+			return fmt.Sprintf("%ss", resource) // add 's' at the end of a resource
+		}
+	}
+	return resource
+
+}
--- a/cautils/k8sinterface/resourcegroupmapping_test.go
+++ b/cautils/k8sinterface/resourcegroupmapping_test.go
@@ -0,0 +1,22 @@
+package k8sinterface
+
+import "testing"
+
+func TestResourceGroupToString(t *testing.T) {
+	allResources := ResourceGroupToString("*", "*", "*")
+	if len(allResources) != len(ResourceGroupMapping) {
+		t.Errorf("Expected len: %d, received: %d", len(ResourceGroupMapping), len(allResources))
+	}
+	pod := ResourceGroupToString("*", "*", "Pod")
+	if len(pod) == 0 || pod[0] != "/v1/pods" {
+		t.Errorf("pod: %v", pod)
+	}
+	deployments := ResourceGroupToString("*", "*", "Deployment")
+	if len(deployments) == 0 || deployments[0] != "apps/v1/deployments" {
+		t.Errorf("deployments: %v", deployments)
+	}
+	cronjobs := ResourceGroupToString("*", "*", "cronjobs")
+	if len(cronjobs) == 0 || cronjobs[0] != "batch/v1beta1/cronjobs" {
+		t.Errorf("cronjobs: %v", cronjobs)
+	}
+}
--- a/cautils/k8sinterface/workload.go
+++ b/cautils/k8sinterface/workload.go
@@ -0,0 +1,161 @@
+package k8sinterface
+
+import (
+	"encoding/json"
+
+	"github.com/armosec/kubescape/cautils/apis"
+
+	corev1 "k8s.io/api/core/v1"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+type IWorkload interface {
+	IBasicWorkload
+
+	// Convert
+	ToUnstructured() (*unstructured.Unstructured, error)
+	ToString() string
+	Json() string // DEPRECATED
+
+	// GET
+	GetWlid() string
+	GetJobID() *apis.JobTracking
+	GetVersion() string
+	GetGroup() string
+
+	// SET
+	SetWlid(string)
+	SetInject()
+	SetIgnore()
+	SetUpdateTime()
+	SetJobID(apis.JobTracking)
+	SetCompatible()
+	SetIncompatible()
+	SetReplaceheaders()
+
+	// EXIST
+	IsIgnore() bool
+	IsInject() bool
+	IsAttached() bool
+	IsCompatible() bool
+	IsIncompatible() bool
+
+	// REMOVE
+	RemoveWlid()
+	RemoveSecretData()
+	RemoveInject()
+	RemoveIgnore()
+	RemoveUpdateTime()
+	RemoveJobID()
+	RemoveCompatible()
+	RemoveArmoMetadata()
+	RemoveArmoLabels()
+	RemoveArmoAnnotations()
+}
+type IBasicWorkload interface {
+
+	// Set
+	SetKind(string)
+	SetWorkload(map[string]interface{})
+	SetLabel(key, value string)
+	SetAnnotation(key, value string)
+	SetNamespace(string)
+	SetName(string)
+
+	// Get
+	GetNamespace() string
+	GetName() string
+	GetGenerateName() string
+	GetApiVersion() string
+	GetKind() string
+	GetInnerAnnotation(string) (string, bool)
+	GetPodAnnotation(string) (string, bool)
+	GetAnnotation(string) (string, bool)
+	GetLabel(string) (string, bool)
+	GetAnnotations() map[string]string
+	GetInnerAnnotations() map[string]string
+	GetPodAnnotations() map[string]string
+	GetLabels() map[string]string
+	GetInnerLabels() map[string]string
+	GetPodLabels() map[string]string
+	GetVolumes() ([]corev1.Volume, error)
+	GetReplicas() int
+	GetContainers() ([]corev1.Container, error)
+	GetInitContainers() ([]corev1.Container, error)
+	GetOwnerReferences() ([]metav1.OwnerReference, error)
+	GetImagePullSecret() ([]corev1.LocalObjectReference, error)
+	GetServiceAccountName() string
+	GetSelector() (*metav1.LabelSelector, error)
+	GetResourceVersion() string
+	GetUID() string
+	GetPodSpec() (*corev1.PodSpec, error)
+
+	GetWorkload() map[string]interface{}
+
+	// REMOVE
+	RemoveLabel(string)
+	RemoveAnnotation(string)
+	RemovePodStatus()
+	RemoveResourceVersion()
+}
+
+type Workload struct {
+	workload map[string]interface{}
+}
+
+func NewWorkload(bWorkload []byte) (*Workload, error) {
+	workload := make(map[string]interface{})
+	if bWorkload != nil {
+		if err := json.Unmarshal(bWorkload, &workload); err != nil {
+			return nil, err
+		}
+	}
+	return &Workload{
+		workload: workload,
+	}, nil
+}
+
+func NewWorkloadObj(workload map[string]interface{}) *Workload {
+	return &Workload{
+		workload: workload,
+	}
+}
+
+func (w *Workload) Json() string {
+	return w.ToString()
+}
+func (w *Workload) ToString() string {
+	if w.GetWorkload() == nil {
+		return ""
+	}
+	bWorkload, err := json.Marshal(w.GetWorkload())
+	if err != nil {
+		return err.Error()
+	}
+	return string(bWorkload)
+}
+
+func (workload *Workload) DeepCopy(w map[string]interface{}) {
+	workload.workload = make(map[string]interface{})
+	byt, _ := json.Marshal(w)
+	json.Unmarshal(byt, &workload.workload)
+}
+
+func (w *Workload) ToUnstructured() (*unstructured.Unstructured, error) {
+	obj := &unstructured.Unstructured{}
+	if w.workload == nil {
+		return obj, nil
+	}
+	bWorkload, err := json.Marshal(w.workload)
+	if err != nil {
+		return obj, err
+	}
+	if err := json.Unmarshal(bWorkload, obj); err != nil {
+		return obj, err
+
+	}
+
+	return obj, nil
+}
--- a/cautils/k8sinterface/workloadmethods.go
+++ b/cautils/k8sinterface/workloadmethods.go
@@ -0,0 +1,642 @@
+package k8sinterface
+
+import (
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/armosec/kubescape/cautils/apis"
+	"github.com/armosec/kubescape/cautils/cautils"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ======================================= DELETE ========================================
+
+func (w *Workload) RemoveInject() {
+	w.RemovePodLabel(cautils.CAInject)      // DEPRECATED
+	w.RemovePodLabel(cautils.CAAttachLabel) // DEPRECATED
+	w.RemovePodLabel(cautils.ArmoAttach)
+
+	w.RemoveLabel(cautils.CAInject)      // DEPRECATED
+	w.RemoveLabel(cautils.CAAttachLabel) // DEPRECATED
+	w.RemoveLabel(cautils.ArmoAttach)
+}
+
+func (w *Workload) RemoveIgnore() {
+	w.RemovePodLabel(cautils.CAIgnore) // DEPRECATED
+	w.RemovePodLabel(cautils.ArmoAttach)
+
+	w.RemoveLabel(cautils.CAIgnore) // DEPRECATED
+	w.RemoveLabel(cautils.ArmoAttach)
+}
+
+func (w *Workload) RemoveWlid() {
+	w.RemovePodAnnotation(cautils.CAWlid) // DEPRECATED
+	w.RemovePodAnnotation(cautils.ArmoWlid)
+
+	w.RemoveAnnotation(cautils.CAWlid) // DEPRECATED
+	w.RemoveAnnotation(cautils.ArmoWlid)
+}
+
+func (w *Workload) RemoveCompatible() {
+	w.RemovePodAnnotation(cautils.ArmoCompatibleAnnotation)
+}
+func (w *Workload) RemoveJobID() {
+	w.RemovePodAnnotation(cautils.ArmoJobIDPath)
+	w.RemovePodAnnotation(cautils.ArmoJobParentPath)
+	w.RemovePodAnnotation(cautils.ArmoJobActionPath)
+
+	w.RemoveAnnotation(cautils.ArmoJobIDPath)
+	w.RemoveAnnotation(cautils.ArmoJobParentPath)
+	w.RemoveAnnotation(cautils.ArmoJobActionPath)
+}
+func (w *Workload) RemoveArmoMetadata() {
+	w.RemoveArmoLabels()
+	w.RemoveArmoAnnotations()
+}
+
+func (w *Workload) RemoveArmoAnnotations() {
+	l := w.GetAnnotations()
+	if l != nil {
+		for k := range l {
+			if strings.HasPrefix(k, cautils.ArmoPrefix) {
+				w.RemoveAnnotation(k)
+			}
+			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
+				w.RemoveAnnotation(k)
+			}
+		}
+	}
+	lp := w.GetPodAnnotations()
+	if lp != nil {
+		for k := range lp {
+			if strings.HasPrefix(k, cautils.ArmoPrefix) {
+				w.RemovePodAnnotation(k)
+			}
+			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
+				w.RemovePodAnnotation(k)
+			}
+		}
+	}
+}
+func (w *Workload) RemoveArmoLabels() {
+	l := w.GetLabels()
+	if l != nil {
+		for k := range l {
+			if strings.HasPrefix(k, cautils.ArmoPrefix) {
+				w.RemoveLabel(k)
+			}
+			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
+				w.RemoveLabel(k)
+			}
+		}
+	}
+	lp := w.GetPodLabels()
+	if lp != nil {
+		for k := range lp {
+			if strings.HasPrefix(k, cautils.ArmoPrefix) {
+				w.RemovePodLabel(k)
+			}
+			if strings.HasPrefix(k, cautils.CAPrefix) { // DEPRECATED
+				w.RemovePodLabel(k)
+			}
+		}
+	}
+}
+func (w *Workload) RemoveUpdateTime() {
+
+	// remove from pod
+	w.RemovePodAnnotation(cautils.CAUpdate) // DEPRECATED
+	w.RemovePodAnnotation(cautils.ArmoUpdate)
+
+	// remove from workload
+	w.RemoveAnnotation(cautils.CAUpdate) // DEPRECATED
+	w.RemoveAnnotation(cautils.ArmoUpdate)
+}
+func (w *Workload) RemoveSecretData() {
+	w.RemoveAnnotation("kubectl.kubernetes.io/last-applied-configuration")
+	delete(w.workload, "data")
+}
+
+func (w *Workload) RemovePodStatus() {
+	delete(w.workload, "status")
+}
+
+func (w *Workload) RemoveResourceVersion() {
+	if _, ok := w.workload["metadata"]; !ok {
+		return
+	}
+	meta, _ := w.workload["metadata"].(map[string]interface{})
+	delete(meta, "resourceVersion")
+}
+
+func (w *Workload) RemoveLabel(key string) {
+	w.RemoveMetadata([]string{"metadata"}, "labels", key)
+}
+
+func (w *Workload) RemoveAnnotation(key string) {
+	w.RemoveMetadata([]string{"metadata"}, "annotations", key)
+}
+
+func (w *Workload) RemovePodAnnotation(key string) {
+	w.RemoveMetadata(PodMetadata(w.GetKind()), "annotations", key)
+}
+
+func (w *Workload) RemovePodLabel(key string) {
+	w.RemoveMetadata(PodMetadata(w.GetKind()), "labels", key)
+}
+
+func (w *Workload) RemoveMetadata(scope []string, metadata, key string) {
+
+	workload := w.workload
+	for i := range scope {
+		if _, ok := workload[scope[i]]; !ok {
+			return
+		}
+		workload, _ = workload[scope[i]].(map[string]interface{})
+	}
+
+	if _, ok := workload[metadata]; !ok {
+		return
+	}
+
+	labels, _ := workload[metadata].(map[string]interface{})
+	delete(labels, key)
+
+}
+
+// ========================================= SET =========================================
+
+func (w *Workload) SetWorkload(workload map[string]interface{}) {
+	w.workload = workload
+}
+
+func (w *Workload) SetKind(kind string) {
+	w.workload["kind"] = kind
+}
+
+func (w *Workload) SetInject() {
+	w.SetPodLabel(cautils.ArmoAttach, cautils.BoolToString(true))
+}
+
+func (w *Workload) SetJobID(jobTracking apis.JobTracking) {
+	w.SetPodAnnotation(cautils.ArmoJobIDPath, jobTracking.JobID)
+	w.SetPodAnnotation(cautils.ArmoJobParentPath, jobTracking.ParentID)
+	w.SetPodAnnotation(cautils.ArmoJobActionPath, fmt.Sprintf("%d", jobTracking.LastActionNumber))
+}
+
+func (w *Workload) SetIgnore() {
+	w.SetPodLabel(cautils.ArmoAttach, cautils.BoolToString(false))
+}
+
+func (w *Workload) SetCompatible() {
+	w.SetPodAnnotation(cautils.ArmoCompatibleAnnotation, cautils.BoolToString(true))
+}
+
+func (w *Workload) SetIncompatible() {
+	w.SetPodAnnotation(cautils.ArmoCompatibleAnnotation, cautils.BoolToString(false))
+}
+
+func (w *Workload) SetReplaceheaders() {
+	w.SetPodAnnotation(cautils.ArmoReplaceheaders, cautils.BoolToString(true))
+}
+
+func (w *Workload) SetWlid(wlid string) {
+	w.SetPodAnnotation(cautils.ArmoWlid, wlid)
+}
+
+func (w *Workload) SetUpdateTime() {
+	w.SetPodAnnotation(cautils.ArmoUpdate, string(time.Now().UTC().Format("02-01-2006 15:04:05")))
+}
+
+func (w *Workload) SetNamespace(namespace string) {
+	w.SetMetadata([]string{"metadata"}, "namespace", namespace)
+}
+
+func (w *Workload) SetName(name string) {
+	w.SetMetadata([]string{"metadata"}, "name", name)
+}
+
+func (w *Workload) SetLabel(key, value string) {
+	w.SetMetadata([]string{"metadata", "labels"}, key, value)
+}
+
+func (w *Workload) SetPodLabel(key, value string) {
+	w.SetMetadata(append(PodMetadata(w.GetKind()), "labels"), key, value)
+}
+func (w *Workload) SetAnnotation(key, value string) {
+	w.SetMetadata([]string{"metadata", "annotations"}, key, value)
+}
+func (w *Workload) SetPodAnnotation(key, value string) {
+	w.SetMetadata(append(PodMetadata(w.GetKind()), "annotations"), key, value)
+}
+
+func (w *Workload) SetMetadata(scope []string, key string, val interface{}) {
+	workload := w.workload
+	for i := range scope {
+		if _, ok := workload[scope[i]]; !ok {
+			workload[scope[i]] = make(map[string]interface{})
+		}
+		workload, _ = workload[scope[i]].(map[string]interface{})
+	}
+
+	workload[key] = val
+}
+
+// ========================================= GET =========================================
+func (w *Workload) GetWorkload() map[string]interface{} {
+	return w.workload
+}
+func (w *Workload) GetNamespace() string {
+	if v, ok := InspectWorkload(w.workload, "metadata", "namespace"); ok {
+		return v.(string)
+	}
+	return ""
+}
+
+func (w *Workload) GetName() string {
+	if v, ok := InspectWorkload(w.workload, "metadata", "name"); ok {
+		return v.(string)
+	}
+	return ""
+}
+
+func (w *Workload) GetApiVersion() string {
+	if v, ok := InspectWorkload(w.workload, "apiVersion"); ok {
+		return v.(string)
+	}
+	return ""
+}
+
+func (w *Workload) GetVersion() string {
+	apiVersion := w.GetApiVersion()
+	splitted := strings.Split(apiVersion, "/")
+	if len(splitted) == 1 {
+		return splitted[0]
+	} else if len(splitted) == 2 {
+		return splitted[1]
+	}
+	return ""
+}
+
+func (w *Workload) GetGroup() string {
+	apiVersion := w.GetApiVersion()
+	splitted := strings.Split(apiVersion, "/")
+	if len(splitted) == 2 {
+		return splitted[0]
+	}
+	return ""
+}
+
+func (w *Workload) GetGenerateName() string {
+	if v, ok := InspectWorkload(w.workload, "metadata", "generateName"); ok {
+		return v.(string)
+	}
+	return ""
+}
+
+func (w *Workload) GetReplicas() int {
+	if v, ok := InspectWorkload(w.workload, "spec", "replicas"); ok {
+		replicas, isok := v.(float64)
+		if isok {
+			return int(replicas)
+		}
+	}
+	return 1
+}
+
+func (w *Workload) GetKind() string {
+	if v, ok := InspectWorkload(w.workload, "kind"); ok {
+		return v.(string)
+	}
+	return ""
+}
+func (w *Workload) GetSelector() (*metav1.LabelSelector, error) {
+	selector := &metav1.LabelSelector{}
+	if v, ok := InspectWorkload(w.workload, "spec", "selector", "matchLabels"); ok && v != nil {
+		b, err := json.Marshal(v)
+		if err != nil {
+			return selector, err
+		}
+		if err := json.Unmarshal(b, selector); err != nil {
+			return selector, err
+		}
+		return selector, nil
+	}
+	return selector, nil
+}
+
+func (w *Workload) GetAnnotation(annotation string) (string, bool) {
+	if v, ok := InspectWorkload(w.workload, "metadata", "annotations", annotation); ok {
+		return v.(string), ok
+	}
+	return "", false
+}
+func (w *Workload) GetLabel(label string) (string, bool) {
+	if v, ok := InspectWorkload(w.workload, "metadata", "labels", label); ok {
+		return v.(string), ok
+	}
+	return "", false
+}
+
+func (w *Workload) GetPodLabel(label string) (string, bool) {
+	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "labels", label)...); ok && v != nil {
+		return v.(string), ok
+	}
+	return "", false
+}
+
+func (w *Workload) GetLabels() map[string]string {
+	if v, ok := InspectWorkload(w.workload, "metadata", "labels"); ok && v != nil {
+		labels := make(map[string]string)
+		for k, i := range v.(map[string]interface{}) {
+			labels[k] = i.(string)
+		}
+		return labels
+	}
+	return nil
+}
+
+// GetInnerLabels - DEPRECATED
+func (w *Workload) GetInnerLabels() map[string]string {
+	return w.GetPodLabels()
+}
+
+func (w *Workload) GetPodLabels() map[string]string {
+	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "labels")...); ok && v != nil {
+		labels := make(map[string]string)
+		for k, i := range v.(map[string]interface{}) {
+			labels[k] = i.(string)
+		}
+		return labels
+	}
+	return nil
+}
+
+// GetInnerAnnotations - DEPRECATED
+func (w *Workload) GetInnerAnnotations() map[string]string {
+	return w.GetPodAnnotations()
+}
+
+// GetPodAnnotations
+func (w *Workload) GetPodAnnotations() map[string]string {
+	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "annotations")...); ok && v != nil {
+		annotations := make(map[string]string)
+		for k, i := range v.(map[string]interface{}) {
+			annotations[k] = fmt.Sprintf("%v", i)
+		}
+		return annotations
+	}
+	return nil
+}
+
+// GetInnerAnnotation DEPRECATED
+func (w *Workload) GetInnerAnnotation(annotation string) (string, bool) {
+	return w.GetPodAnnotation(annotation)
+}
+
+func (w *Workload) GetPodAnnotation(annotation string) (string, bool) {
+	if v, ok := InspectWorkload(w.workload, append(PodMetadata(w.GetKind()), "annotations", annotation)...); ok && v != nil {
+		return v.(string), ok
+	}
+	return "", false
+}
+
+func (w *Workload) GetAnnotations() map[string]string {
+	if v, ok := InspectWorkload(w.workload, "metadata", "annotations"); ok && v != nil {
+		annotations := make(map[string]string)
+		for k, i := range v.(map[string]interface{}) {
+			annotations[k] = fmt.Sprintf("%v", i)
+		}
+		return annotations
+	}
+	return nil
+}
+
+// GetVolumes -
+func (w *Workload) GetVolumes() ([]corev1.Volume, error) {
+	volumes := []corev1.Volume{}
+
+	interVolumes, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "volumes")...)
+	if interVolumes == nil {
+		return volumes, nil
+	}
+	volumesBytes, err := json.Marshal(interVolumes)
+	if err != nil {
+		return volumes, err
+	}
+	err = json.Unmarshal(volumesBytes, &volumes)
+
+	return volumes, err
+}
+
+func (w *Workload) GetServiceAccountName() string {
+
+	if v, ok := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "serviceAccountName")...); ok && v != nil {
+		return v.(string)
+	}
+	return ""
+}
+
+func (w *Workload) GetPodSpec() (*corev1.PodSpec, error) {
+	podSpec := &corev1.PodSpec{}
+	podSepcRaw, _ := InspectWorkload(w.workload, PodSpec(w.GetKind())...)
+	if podSepcRaw == nil {
+		return podSpec, fmt.Errorf("no PodSpec for workload: %v", w)
+	}
+	b, err := json.Marshal(podSepcRaw)
+	if err != nil {
+		return podSpec, err
+	}
+	err = json.Unmarshal(b, podSpec)
+
+	return podSpec, err
+}
+
+func (w *Workload) GetImagePullSecret() ([]corev1.LocalObjectReference, error) {
+	imgPullSecrets := []corev1.LocalObjectReference{}
+
+	iImgPullSecrets, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "imagePullSecrets")...)
+	b, err := json.Marshal(iImgPullSecrets)
+	if err != nil {
+		return imgPullSecrets, err
+	}
+	err = json.Unmarshal(b, &imgPullSecrets)
+
+	return imgPullSecrets, err
+}
+
+// GetContainers -
+func (w *Workload) GetContainers() ([]corev1.Container, error) {
+	containers := []corev1.Container{}
+
+	interContainers, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "containers")...)
+	if interContainers == nil {
+		return containers, nil
+	}
+	containersBytes, err := json.Marshal(interContainers)
+	if err != nil {
+		return containers, err
+	}
+	err = json.Unmarshal(containersBytes, &containers)
+
+	return containers, err
+}
+
+// GetInitContainers -
+func (w *Workload) GetInitContainers() ([]corev1.Container, error) {
+	containers := []corev1.Container{}
+
+	interContainers, _ := InspectWorkload(w.workload, append(PodSpec(w.GetKind()), "initContainers")...)
+	if interContainers == nil {
+		return containers, nil
+	}
+	containersBytes, err := json.Marshal(interContainers)
+	if err != nil {
+		return containers, err
+	}
+	err = json.Unmarshal(containersBytes, &containers)
+
+	return containers, err
+}
+
+// GetOwnerReferences -
+func (w *Workload) GetOwnerReferences() ([]metav1.OwnerReference, error) {
+	ownerReferences := []metav1.OwnerReference{}
+	interOwnerReferences, ok := InspectWorkload(w.workload, "metadata", "ownerReferences")
+	if !ok {
+		return ownerReferences, nil
+	}
+
+	ownerReferencesBytes, err := json.Marshal(interOwnerReferences)
+	if err != nil {
+		return ownerReferences, err
+	}
+	err = json.Unmarshal(ownerReferencesBytes, &ownerReferences)
+	if err != nil {
+		return ownerReferences, err
+
+	}
+	return ownerReferences, nil
+}
+func (w *Workload) GetResourceVersion() string {
+	if v, ok := InspectWorkload(w.workload, "metadata", "resourceVersion"); ok {
+		return v.(string)
+	}
+	return ""
+}
+func (w *Workload) GetUID() string {
+	if v, ok := InspectWorkload(w.workload, "metadata", "uid"); ok {
+		return v.(string)
+	}
+	return ""
+}
+func (w *Workload) GetWlid() string {
+	if wlid, ok := w.GetAnnotation(cautils.ArmoWlid); ok {
+		return wlid
+	}
+	return ""
+}
+
+func (w *Workload) GetJobID() *apis.JobTracking {
+	jobTracking := apis.JobTracking{}
+	if job, ok := w.GetPodAnnotation(cautils.ArmoJobIDPath); ok {
+		jobTracking.JobID = job
+	}
+	if parent, ok := w.GetPodAnnotation(cautils.ArmoJobParentPath); ok {
+		jobTracking.ParentID = parent
+	}
+	if action, ok := w.GetPodAnnotation(cautils.ArmoJobActionPath); ok {
+		if i, err := strconv.Atoi(action); err == nil {
+			jobTracking.LastActionNumber = i
+		}
+	}
+	if jobTracking.LastActionNumber == 0 { // start the counter at 1
+		jobTracking.LastActionNumber = 1
+	}
+	return &jobTracking
+}
+
+// func (w *Workload) GetJobID() string {
+// 	if status, ok := w.GetAnnotation(cautils.ArmoJobID); ok {
+// 		return status
+// 	}
+// 	return ""
+// }
+
+// ========================================= IS =========================================
+
+func (w *Workload) IsInject() bool {
+	return w.IsAttached()
+}
+
+func (w *Workload) IsIgnore() bool {
+	if attach := cautils.IsAttached(w.GetPodLabels()); attach != nil {
+		return !(*attach)
+	}
+	if attach := cautils.IsAttached(w.GetLabels()); attach != nil {
+		return !(*attach)
+	}
+	return false
+}
+
+func (w *Workload) IsCompatible() bool {
+	if c, ok := w.GetPodAnnotation(cautils.ArmoCompatibleAnnotation); ok {
+		return cautils.StringToBool(c)
+
+	}
+	if c, ok := w.GetAnnotation(cautils.ArmoCompatibleAnnotation); ok {
+		return cautils.StringToBool(c)
+
+	}
+	return false
+}
+
+func (w *Workload) IsIncompatible() bool {
+	if c, ok := w.GetPodAnnotation(cautils.ArmoCompatibleAnnotation); ok {
+		return !cautils.StringToBool(c)
+	}
+	if c, ok := w.GetAnnotation(cautils.ArmoCompatibleAnnotation); ok {
+		return !cautils.StringToBool(c)
+	}
+	return false
+}
+func (w *Workload) IsAttached() bool {
+	if attach := cautils.IsAttached(w.GetPodLabels()); attach != nil {
+		return *attach
+	}
+	if attach := cautils.IsAttached(w.GetLabels()); attach != nil {
+		return *attach
+	}
+	return false
+}
+
+func (w *Workload) IsReplaceheaders() bool {
+	if c, ok := w.GetPodAnnotation(cautils.ArmoReplaceheaders); ok {
+		return cautils.StringToBool(c)
+	}
+	return false
+}
+
+// ======================================= UTILS =========================================
+
+// InspectWorkload -
+func InspectWorkload(workload interface{}, scopes ...string) (val interface{}, k bool) {
+
+	val, k = nil, false
+	if len(scopes) == 0 {
+		if workload != nil {
+			return workload, true
+		}
+		return nil, false
+	}
+	if data, ok := workload.(map[string]interface{}); ok {
+		val, k = InspectWorkload(data[scopes[0]], scopes[1:]...)
+	}
+	return val, k
+
+}
--- a/cautils/k8sinterface/workloadmethods_test.go
+++ b/cautils/k8sinterface/workloadmethods_test.go
@@ -0,0 +1,155 @@
+package k8sinterface
+
+import (
+	"testing"
+)
+
+// ========================================= IS =========================================
+
+func TestLabels(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"labels":{"app":"demoservice-server","cyberarmor.inject":"true"},"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	if workload.GetKind() != "Deployment" {
+		t.Errorf("wrong kind")
+	}
+	if workload.GetNamespace() != "default" {
+		t.Errorf("wrong namespace")
+	}
+	if workload.GetName() != "demoservice-server" {
+		t.Errorf("wrong name")
+	}
+	if !workload.IsInject() {
+		t.Errorf("expect to find inject label")
+	}
+	if workload.IsIgnore() {
+		t.Errorf("expect to find ignore label")
+	}
+}
+
+func TestSetNamespace(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"demoservice-server"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"demoservice-server"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	workload.SetNamespace("default")
+	if workload.GetNamespace() != "default" {
+		t.Errorf("wrong namespace")
+	}
+}
+func TestSetLabels(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	workload.SetLabel("bla", "daa")
+	v, ok := workload.GetLabel("bla")
+	if !ok || v != "daa" {
+		t.Errorf("expect to find label")
+	}
+	workload.RemoveLabel("bla")
+	v2, ok2 := workload.GetLabel("bla")
+	if ok2 || v2 == "daa" {
+		t.Errorf("label not deleted")
+	}
+}
+
+func TestSetAnnotations(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	workload.SetAnnotation("bla", "daa")
+	v, ok := workload.GetAnnotation("bla")
+	if !ok || v != "daa" {
+		t.Errorf("expect to find annotation")
+	}
+	workload.RemoveAnnotation("bla")
+	v2, ok2 := workload.GetAnnotation("bla")
+	if ok2 || v2 == "daa" {
+		t.Errorf("annotation not deleted")
+	}
+}
+func TestSetPodLabels(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	workload.SetPodLabel("bla", "daa")
+	v, ok := workload.GetPodLabel("bla")
+	if !ok || v != "daa" {
+		t.Errorf("expect to find label")
+	}
+	workload.RemovePodLabel("bla")
+	v2, ok2 := workload.GetPodLabel("bla")
+	if ok2 || v2 == "daa" {
+		t.Errorf("label not deleted")
+	}
+}
+func TestRemoveArmo(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server", "armo.attach": "true"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	if !workload.IsAttached() {
+		t.Errorf("expect to be attached")
+	}
+	workload.RemoveArmoMetadata()
+	if workload.IsAttached() {
+		t.Errorf("expect to be clear")
+	}
+
+}
+
+func TestSetWlid(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	workload.SetWlid("wlid://bla")
+	// t.Errorf(workload.Json())
+
+}
+
+func TestGetResourceVersion(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	if workload.GetResourceVersion() != "1016043" {
+		t.Errorf("wrong resourceVersion")
+	}
+
+}
+func TestGetUID(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2021-05-03T13:10:32Z","generation":1,"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app":{},"f:cyberarmor.inject":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"demoservice\"}":{".":{},"f:env":{".":{},"k:{\"name\":\"ARMO_TEST_NAME\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"CAA_ENABLE_CRASH_REPORTER\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"DEMO_FOLDERS\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SERVER_PORT\"}":{".":{},"f:name":{},"f:value":{}},"k:{\"name\":\"SLEEP_DURATION\"}":{".":{},"f:name":{},"f:value":{}}},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":8089,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"OpenAPI-Generator","operation":"Update","time":"2021-05-03T13:10:32Z"},{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:deployment.kubernetes.io/revision":{}}},"f:status":{"f:availableReplicas":{},"f:conditions":{".":{},"k:{\"type\":\"Available\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Progressing\"}":{".":{},"f:lastTransitionTime":{},"f:lastUpdateTime":{},"f:message":{},"f:reason":{},"f:status":{},"f:type":{}}},"f:observedGeneration":{},"f:readyReplicas":{},"f:replicas":{},"f:updatedReplicas":{}}},"manager":"kube-controller-manager","operation":"Update","time":"2021-05-03T13:52:58Z"}],"name":"demoservice-server","namespace":"default","resourceVersion":"1016043","uid":"e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"demoservice-server"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"demoservice-server"}},"spec":{"containers":[{"env":[{"name":"SERVER_PORT","value":"8089"},{"name":"SLEEP_DURATION","value":"1"},{"name":"DEMO_FOLDERS","value":"/app"},{"name":"ARMO_TEST_NAME","value":"auto_attach_deployment"},{"name":"CAA_ENABLE_CRASH_REPORTER","value":"1"}],"image":"quay.io/armosec/demoservice:v25","imagePullPolicy":"IfNotPresent","name":"demoservice","ports":[{"containerPort":8089,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2021-05-03T13:10:32Z","lastUpdateTime":"2021-05-03T13:10:37Z","message":"ReplicaSet \"demoservice-server-7d478b6998\" has successfully progressed.","reason":"NewReplicaSetAvailable","status":"True","type":"Progressing"},{"lastTransitionTime":"2021-05-03T13:52:58Z","lastUpdateTime":"2021-05-03T13:52:58Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	if workload.GetUID() != "e9e8a3e9-6cb4-4301-ace1-2c0cef3bd61e" {
+		t.Errorf("wrong UID")
+	}
+
+}
+
+func TestIsAttached(t *testing.T) {
+	w := `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"3"},"creationTimestamp":"2021-06-21T04:52:05Z","generation":3,"name":"emailservice","namespace":"default"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"emailservice"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"annotations":{"armo.last-update":"21-06-2021 06:40:42","armo.wlid":"wlid://cluster-david-demo/namespace-default/deployment-emailservice"},"creationTimestamp":null,"labels":{"app":"emailservice","armo.attach":"true"}},"spec":{"containers":[{"env":[{"name":"PORT","value":"8080"},{"name":"DISABLE_PROFILER","value":"1"}],"image":"gcr.io/google-samples/microservices-demo/emailservice:v0.2.3","imagePullPolicy":"IfNotPresent","livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"failureThreshold":3,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":1},"name":"server","ports":[{"containerPort":8080,"protocol":"TCP"}],"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"failureThreshold":3,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":1},"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":5}}}}`
+	workload, err := NewWorkload([]byte(w))
+	if err != nil {
+		t.Errorf(err.Error())
+	}
+	if !workload.IsAttached() {
+		t.Errorf("expected attached")
+	}
+
+}
--- a/cautils/k8sinterface/workloadmethodsutils.go
+++ b/cautils/k8sinterface/workloadmethodsutils.go
@@ -0,0 +1,23 @@
+package k8sinterface
+
+func PodSpec(kind string) []string {
+	switch kind {
+	case "Pod", "Namespace":
+		return []string{"spec"}
+	case "CronJob":
+		return []string{"spec", "jobTemplate", "spec", "template", "spec"}
+	default:
+		return []string{"spec", "template", "spec"}
+	}
+}
+
+func PodMetadata(kind string) []string {
+	switch kind {
+	case "Pod", "Namespace", "Secret":
+		return []string{"metadata"}
+	case "CronJob":
+		return []string{"spec", "jobTemplate", "spec", "template", "metadata"}
+	default:
+		return []string{"spec", "template", "metadata"}
+	}
+}
--- a/cautils/opapolicy/apis.go
+++ b/cautils/opapolicy/apis.go
@@ -0,0 +1,7 @@
+package opapolicy
+
+const (
+	PostureRestAPIPathV1   = "/v1/posture"
+	PostureRedisPrefix     = "_postureReportv1"
+	K8sPostureNotification = "/k8srestapi/v1/newPostureReport"
+)
--- a/cautils/opapolicy/datastructures.go
+++ b/cautils/opapolicy/datastructures.go
@@ -0,0 +1,161 @@
+package opapolicy
+
+import (
+	"time"
+
+	armotypes "github.com/armosec/kubescape/cautils/armotypes"
+)
+
+type AlertScore float32
+type RuleLanguages string
+
+const (
+	RegoLanguage  RuleLanguages = "Rego"
+	RegoLanguage2 RuleLanguages = "rego"
+)
+
+// RegoResponse the expected response of single run of rego policy
+type RuleResponse struct {
+	AlertMessage  string                            `json:"alertMessage"`
+	RuleStatus    string                            `json:"ruleStatus"`
+	PackageName   string                            `json:"packagename"`
+	AlertScore    AlertScore                        `json:"alertScore"`
+	AlertObject   AlertObject                       `json:"alertObject"`
+	Context       []string                          `json:"context,omitempty"`       // TODO - Remove
+	Rulename      string                            `json:"rulename,omitempty"`      // TODO - Remove
+	ExceptionName string                            `json:"exceptionName,omitempty"` // Not in use
+	Exception     *armotypes.PostureExceptionPolicy `json:"exception,omitempty"`
+}
+
+type AlertObject struct {
+	K8SApiObjects   []map[string]interface{} `json:"k8sApiObjects,omitempty"`
+	ExternalObjects map[string]interface{}   `json:"externalObjects,omitempty"`
+}
+
+type FrameworkReport struct {
+	Name            string          `json:"name"`
+	ControlReports  []ControlReport `json:"controlReports"`
+	Score           float32         `json:"score,omitempty"`
+	ARMOImprovement float32         `json:"ARMOImprovement,omitempty"`
+	WCSScore        float32         `json:"wcsScore,omitempty"`
+}
+type ControlReport struct {
+	armotypes.PortalBase `json:",inline"`
+	ControlID            string       `json:"id"`
+	Name                 string       `json:"name"`
+	RuleReports          []RuleReport `json:"ruleReports"`
+	Remediation          string       `json:"remediation"`
+	Description          string       `json:"description"`
+	Score                float32      `json:"score"`
+	BaseScore            float32      `json:"baseScore,omitempty"`
+	ARMOImprovement      float32      `json:"ARMOImprovement,omitempty"`
+}
+type RuleReport struct {
+	Name               string                   `json:"name"`
+	Remediation        string                   `json:"remediation"`
+	RuleStatus         RuleStatus               `json:"ruleStatus"` // did we run the rule or not (if there where compile errors, the value will be failed)
+	RuleResponses      []RuleResponse           `json:"ruleResponses"`
+	ListInputResources []map[string]interface{} `json:"-"`
+	ListInputKinds     []string                 `json:"-"`
+}
+type RuleStatus struct {
+	Status  string `json:"status"`
+	Message string `json:"message"`
+}
+
+// PostureReport
+type PostureReport struct {
+	CustomerGUID         string            `json:"customerGUID"`
+	ClusterName          string            `json:"clusterName"`
+	ReportID             string            `json:"reportID"`
+	JobID                string            `json:"jobID"`
+	ReportGenerationTime time.Time         `json:"generationTime"`
+	FrameworkReports     []FrameworkReport `json:"frameworks"`
+}
+
+// RuleMatchObjects defines which objects this rule applied on
+type RuleMatchObjects struct {
+	APIGroups   []string `json:"apiGroups"`   // apps
+	APIVersions []string `json:"apiVersions"` // v1/ v1beta1 / *
+	Resources   []string `json:"resources"`   // dep.., pods,
+}
+
+// RuleMatchObjects defines which objects this rule applied on
+type RuleDependency struct {
+	PackageName string `json:"packageName"` // package name
+}
+
+// PolicyRule represents single rule, the fundamental executable block of policy
+type PolicyRule struct {
+	armotypes.PortalBase `json:",inline"`
+	CreationTime         string             `json:"creationTime"`
+	Rule                 string             `json:"rule"` // multiline string!
+	RuleLanguage         RuleLanguages      `json:"ruleLanguage"`
+	Match                []RuleMatchObjects `json:"match"`
+	RuleDependencies     []RuleDependency   `json:"ruleDependencies"`
+	Description          string             `json:"description"`
+	Remediation          string             `json:"remediation"`
+	RuleQuery            string             `json:"ruleQuery"` // default "armo_builtins" - DEPRECATED
+}
+
+// Control represents a collection of rules which are combined together to single purpose
+type Control struct {
+	armotypes.PortalBase `json:",inline"`
+	ControlID            string       `json:"id"`
+	CreationTime         string       `json:"creationTime"`
+	Description          string       `json:"description"`
+	Remediation          string       `json:"remediation"`
+	Rules                []PolicyRule `json:"rules"`
+	// for new list of  rules in POST/UPADTE requests
+	RulesIDs *[]string `json:"rulesIDs,omitempty"`
+}
+
+type UpdatedControl struct {
+	Control `json:",inline"`
+	Rules   []interface{} `json:"rules"`
+}
+
+// Framework represents a collection of controls which are combined together to expose comprehensive behavior
+type Framework struct {
+	armotypes.PortalBase `json:",inline"`
+	CreationTime         string    `json:"creationTime"`
+	Description          string    `json:"description"`
+	Controls             []Control `json:"controls"`
+	// for new list of  controls in POST/UPADTE requests
+	ControlsIDs *[]string `json:"controlsIDs,omitempty"`
+}
+
+type UpdatedFramework struct {
+	Framework `json:",inline"`
+	Controls  []interface{} `json:"controls"`
+}
+
+type NotificationPolicyType string
+type NotificationPolicyKind string
+
+// Supported NotificationTypes
+const (
+	TypeValidateRules   NotificationPolicyType = "validateRules"
+	TypeExecPostureScan NotificationPolicyType = "execPostureScan"
+	TypeUpdateRules     NotificationPolicyType = "updateRules"
+)
+
+// Supported NotificationKinds
+const (
+	KindFramework NotificationPolicyKind = "Framework"
+	KindControl   NotificationPolicyKind = "Control"
+	KindRule      NotificationPolicyKind = "Rule"
+)
+
+type PolicyNotification struct {
+	NotificationType NotificationPolicyType     `json:"notificationType"`
+	Rules            []PolicyIdentifier         `json:"rules"`
+	ReportID         string                     `json:"reportID"`
+	JobID            string                     `json:"jobID"`
+	Designators      armotypes.PortalDesignator `json:"designators"`
+}
+
+type PolicyIdentifier struct {
+	Kind NotificationPolicyKind `json:"kind"`
+	Name string                 `json:"name"`
+}
--- a/cautils/opapolicy/datastructures_mock.go
+++ b/cautils/opapolicy/datastructures_mock.go
@@ -0,0 +1,301 @@
+package opapolicy
+
+import (
+	"time"
+
+	armotypes "github.com/armosec/kubescape/cautils/armotypes"
+)
+
+// Mock A
+var (
+	AMockCustomerGUID  = "5d817063-096f-4d91-b39b-8665240080af"
+	AMockJobID         = "36b6f9e1-3b63-4628-994d-cbe16f81e9c7"
+	AMockReportID      = "2c31e4da-c6fe-440d-9b8a-785b80c8576a"
+	AMockClusterName   = "clusterA"
+	AMockFrameworkName = "testFrameworkA"
+	AMockControlName   = "testControlA"
+	AMockRuleName      = "testRuleA"
+	AMockPortalBase    = *armotypes.MockPortalBase(AMockCustomerGUID, "", nil)
+)
+
+func MockRuleResponseA() *RuleResponse {
+	return &RuleResponse{
+		AlertMessage: "test alert message A",
+		AlertScore:   0,
+		Rulename:     AMockRuleName,
+		PackageName:  "test.package.name.A",
+		Context:      []string{},
+	}
+}
+
+func MockFrameworkReportA() *FrameworkReport {
+	return &FrameworkReport{
+		Name: AMockFrameworkName,
+		ControlReports: []ControlReport{
+			{
+				ControlID: "C-0010",
+				Name:      AMockControlName,
+				RuleReports: []RuleReport{
+					{
+						Name:        AMockRuleName,
+						Remediation: "remove privilegedContainer: True flag from your pod spec",
+						RuleResponses: []RuleResponse{
+							*MockRuleResponseA(),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func MockPostureReportA() *PostureReport {
+	return &PostureReport{
+		CustomerGUID:         AMockCustomerGUID,
+		ClusterName:          AMockClusterName,
+		ReportID:             AMockReportID,
+		JobID:                AMockJobID,
+		ReportGenerationTime: time.Now().UTC(),
+		FrameworkReports:     []FrameworkReport{*MockFrameworkReportA()},
+	}
+}
+
+func MockFrameworkA() *Framework {
+	return &Framework{
+		PortalBase:   *armotypes.MockPortalBase("aaaaaaaa-096f-4d91-b39b-8665240080af", AMockFrameworkName, nil),
+		CreationTime: "",
+		Description:  "mock framework descryption",
+		Controls: []Control{
+			{
+				PortalBase: *armotypes.MockPortalBase("aaaaaaaa-aaaa-4d91-b39b-8665240080af", AMockControlName, nil),
+				Rules: []PolicyRule{
+					*MockRuleA(),
+				},
+			},
+		},
+	}
+}
+
+func MockRuleUntrustedRegistries() *PolicyRule {
+	return &PolicyRule{
+		PortalBase: *armotypes.MockPortalBase("aaaaaaaa-aaaa-aaaa-b39b-8665240080af", AMockControlName, nil),
+		Rule: `
+package armo_builtins
+# Check for images from blacklisted repos
+
+untrusted_registries(z) = x {
+	x := ["015253967648.dkr.ecr.eu-central-1.amazonaws.com/"]	
+}
+
+public_registries(z) = y{
+	y := ["quay.io/kiali/","quay.io/datawire/","quay.io/keycloak/","quay.io/bitnami/"]
+}
+
+untrustedImageRepo[msga] {
+	pod := input[_]
+	k := pod.kind
+	k == "Pod"
+	container := pod.spec.containers[_]
+	image := container.image
+    repo_prefix := untrusted_registries(image)[_]
+	startswith(image, repo_prefix)
+	selfLink := pod.metadata.selfLink
+	containerName := container.name
+
+	msga := {
+		"alertMessage": sprintf("image '%v' in container '%s' in [%s] comes from untrusted registry", [image, containerName, selfLink]),
+		"alert": true,
+		"prevent": false,
+		"alertScore": 2,
+		"alertObject": [{"pod":pod}]
+	}
+}
+
+untrustedImageRepo[msga] {
+    pod := input[_]
+	k := pod.kind
+	k == "Pod"
+	container := pod.spec.containers[_]
+	image := container.image
+    repo_prefix := public_registries(image)[_]
+	startswith(pod, repo_prefix)
+	selfLink := input.metadata.selfLink
+	containerName := container.name
+
+	msga := {
+		"alertMessage": sprintf("image '%v' in container '%s' in [%s] comes from public registry", [image, containerName, selfLink]),
+		"alert": true,
+		"prevent": false,
+		"alertScore": 1,
+		"alertObject": [{"pod":pod}]
+	}
+}
+		`,
+		RuleLanguage: RegoLanguage,
+		Match: []RuleMatchObjects{
+			{
+				APIVersions: []string{"v1"},
+				APIGroups:   []string{"*"},
+				Resources:   []string{"pods"},
+			},
+		},
+		RuleDependencies: []RuleDependency{
+			{
+				PackageName: "kubernetes.api.client",
+			},
+		},
+	}
+}
+
+func MockRuleA() *PolicyRule {
+	return &PolicyRule{
+		PortalBase:   *armotypes.MockPortalBase("aaaaaaaa-aaaa-aaaa-b39b-8665240080af", AMockControlName, nil),
+		Rule:         MockRegoPrivilegedPods(), //
+		RuleLanguage: RegoLanguage,
+		Match: []RuleMatchObjects{
+			{
+				APIVersions: []string{"v1"},
+				APIGroups:   []string{"*"},
+				Resources:   []string{"pods"},
+			},
+		},
+		RuleDependencies: []RuleDependency{
+			{
+				PackageName: "kubernetes.api.client",
+			},
+		},
+	}
+}
+
+func MockRuleB() *PolicyRule {
+	return &PolicyRule{
+		PortalBase:   *armotypes.MockPortalBase("bbbbbbbb-aaaa-aaaa-b39b-8665240080af", AMockControlName, nil),
+		Rule:         MockExternalFacingService(), //
+		RuleLanguage: RegoLanguage,
+		Match: []RuleMatchObjects{
+			{
+				APIVersions: []string{"v1"},
+				APIGroups:   []string{""},
+				Resources:   []string{"pods"},
+			},
+		},
+		RuleDependencies: []RuleDependency{
+			{
+				PackageName: "kubernetes.api.client",
+			},
+		},
+	}
+}
+
+func MockPolicyNotificationA() *PolicyNotification {
+	return &PolicyNotification{
+		NotificationType: TypeExecPostureScan,
+		ReportID:         AMockReportID,
+		JobID:            AMockJobID,
+		Designators:      armotypes.PortalDesignator{},
+		Rules: []PolicyIdentifier{
+			{
+				Kind: KindFramework,
+				Name: AMockFrameworkName,
+			}},
+	}
+}
+
+func MockTemp() string {
+	return `
+	package armo_builtins
+	import data.kubernetes.api.client as client
+	deny[msga] {
+		#object := input[_]
+		object := client.query_all("pods")
+		obj := object.body.items[_]
+		msga := {
+			"packagename": "armo_builtins",
+			"alertMessage": "found object",
+			"alertScore": 3,
+			"alertObject": {"object": obj},
+		}
+	}
+	`
+}
+
+func MockRegoPrivilegedPods() string {
+	return `package armo_builtins
+
+	import data.kubernetes.api.client as client
+
+	# Deny mutating action unless user is in group owning the resource
+	
+	#privileged pods
+	deny[msga] {
+	   
+		pod := input[_]
+		containers := pod.spec.containers[_]
+		containers.securityContext.privileged == true
+		msga := {
+			"packagename": "armo_builtins",
+			"alertMessage": sprintf("the following pods are defined as privileged: %v", [pod]),
+			"alertScore": 3,
+			"alertObject": pod,
+		}
+	}
+	
+	#handles majority of workload resources
+	deny[msga] {
+		wl := input[_]
+		spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+		spec_template_spec_patterns[wl.kind]
+		containers := wl.spec.template.spec.containers[_]
+		containers.securityContext.privileged == true
+		msga := {
+			"packagename": "armo_builtins",
+			"alertMessage": sprintf("the following workloads are defined as privileged: %v", [wl]),
+			"alertScore": 3,
+			"alertObject": wl,
+		}
+	}
+	
+	#handles cronjob
+	deny[msga] {
+		wl := input[_]
+		wl.kind == "CronJob"
+		containers := wl.spec.jobTemplate.spec.template.spec.containers[_]
+		containers.securityContext.privileged == true
+		msga := {
+			"packagename": "armo_builtins",
+			"alertMessage": sprintf("the following cronjobs are defined as privileged: %v", [wl]),
+			"alertScore": 3,
+			"alertObject": wl,
+		}
+	}
+	`
+}
+
+func MockExternalFacingService() string {
+	return "\n\tpackage armo_builtins\n\n\timport data.kubernetes.api.client as client\n\timport data.cautils as cautils\n\ndeny[msga] {\n\n\twl := input[_]\n\tcluster_resource := client.query_all(\n\t\t\"services\"\n\t)\n\n\tlabels := wl.metadata.labels\n\tfiltered_labels := json.remove(labels, [\"pod-template-hash\"])\n    \n#service := cluster_resource.body.items[i]\nservices := [svc | cluster_resource.body.items[i].metadata.namespace == wl.metadata.namespace; svc := cluster_resource.body.items[i]]\nservice := services[_]\nnp_or_lb := {\"NodePort\", \"LoadBalancer\"}\nnp_or_lb[service.spec.type]\ncautils.is_subobject(service.spec.selector,filtered_labels)\n\n    msga := {\n\t\t\"alertMessage\": sprintf(\"%v pod %v  expose external facing service: %v\",[wl.metadata.namespace, wl.metadata.name, service.metadata.name]),\n\t\t\"alertScore\": 2,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"srvc\":service}\n\t}\n}\n\t"
+}
+func GetRuntimePods() string {
+	return `
+    package armo_builtins
+
+    import data.kubernetes.api.client as client
+    
+
+deny[msga] {
+
+    
+    cluster_resource := client.query_all(
+      "pods"
+  )
+
+	pod := cluster_resource.body.items[i]
+    msga := {
+        "alertMessage": "got something",
+        "alertScore": 2,
+        "packagename": "armo_builtins",
+        "alertObject": {"pod": pod}
+    }
+}
+    
+    `
+}
--- a/cautils/opapolicy/datastructures_test.go
+++ b/cautils/opapolicy/datastructures_test.go
@@ -0,0 +1,42 @@
+package opapolicy
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestMockPolicyNotificationA(t *testing.T) {
+	policy := MockPolicyNotificationA()
+	bp, err := json.Marshal(policy)
+	if err != nil {
+		t.Error(err)
+	} else {
+		t.Logf("%s\n", string(bp))
+		// t.Errorf("%s\n", string(bp))
+	}
+
+}
+
+func TestMockFrameworkA(t *testing.T) {
+	policy := MockFrameworkA()
+	bp, err := json.Marshal(policy)
+	if err != nil {
+		t.Error(err)
+	} else {
+		t.Logf("%s\n", string(bp))
+		// t.Errorf("%s\n", string(bp))
+	}
+
+}
+
+func TestMockPostureReportA(t *testing.T) {
+	policy := MockPostureReportA()
+	bp, err := json.Marshal(policy)
+	if err != nil {
+		t.Error(err)
+	} else {
+		// t.Errorf("%s\n", string(bp))
+		t.Logf("%s\n", string(bp))
+	}
+
+}
--- a/cautils/opapolicy/datastructuresmethods.go
+++ b/cautils/opapolicy/datastructuresmethods.go
@@ -0,0 +1,236 @@
+package opapolicy
+
+import (
+	"bytes"
+	"encoding/json"
+
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+)
+
+func (pn *PolicyNotification) ToJSONBytesBuffer() (*bytes.Buffer, error) {
+	res, err := json.Marshal(pn)
+	if err != nil {
+		return nil, err
+	}
+	return bytes.NewBuffer(res), err
+}
+
+func (RuleResponse *RuleResponse) GetSingleResultStatus() string {
+	if RuleResponse.Exception != nil {
+		if RuleResponse.Exception.IsAlertOnly() {
+			return "warning"
+		}
+		if RuleResponse.Exception.IsDisable() {
+			return "ignore"
+		}
+	}
+	return "failed"
+
+}
+
+func (ruleReport *RuleReport) GetRuleStatus() (string, []RuleResponse, []RuleResponse) {
+	if len(ruleReport.RuleResponses) == 0 {
+		return "success", nil, nil
+	}
+	exceptions := make([]RuleResponse, 0)
+	failed := make([]RuleResponse, 0)
+
+	for _, rule := range ruleReport.RuleResponses {
+		if rule.ExceptionName != "" {
+			exceptions = append(exceptions, rule)
+		} else if rule.Exception != nil {
+			exceptions = append(exceptions, rule)
+		} else {
+			failed = append(failed, rule)
+		}
+	}
+
+	status := "failed"
+	if len(failed) == 0 && len(exceptions) > 0 {
+		status = "warning"
+	}
+	return status, failed, exceptions
+}
+
+func (controlReport *ControlReport) GetNumberOfResources() int {
+	sum := 0
+	for i := range controlReport.RuleReports {
+		sum += controlReport.RuleReports[i].GetNumberOfResources()
+	}
+	return sum
+}
+
+func (controlReport *ControlReport) GetNumberOfFailedResources() int {
+	sum := 0
+	for i := range controlReport.RuleReports {
+		sum += controlReport.RuleReports[i].GetNumberOfFailedResources()
+	}
+	return sum
+}
+
+func (controlReport *ControlReport) GetNumberOfWarningResources() int {
+	sum := 0
+	for i := range controlReport.RuleReports {
+		sum += controlReport.RuleReports[i].GetNumberOfWarningResources()
+	}
+	return sum
+}
+func (controlReport *ControlReport) ListControlsInputKinds() []string {
+	listControlsInputKinds := []string{}
+	for i := range controlReport.RuleReports {
+		listControlsInputKinds = append(listControlsInputKinds, controlReport.RuleReports[i].ListInputKinds...)
+	}
+	return listControlsInputKinds
+}
+
+func (controlReport *ControlReport) Passed() bool {
+	for i := range controlReport.RuleReports {
+		if len(controlReport.RuleReports[i].RuleResponses) != 0 {
+			return false
+		}
+	}
+	return true
+}
+
+func (controlReport *ControlReport) Warning() bool {
+	if controlReport.Passed() || controlReport.Failed() {
+		return false
+	}
+	for i := range controlReport.RuleReports {
+		if status, _, _ := controlReport.RuleReports[i].GetRuleStatus(); status == "warning" {
+			return true
+		}
+	}
+	return false
+}
+
+func (controlReport *ControlReport) Failed() bool {
+	if controlReport.Passed() {
+		return false
+	}
+	for i := range controlReport.RuleReports {
+		if status, _, _ := controlReport.RuleReports[i].GetRuleStatus(); status == "failed" {
+			return true
+		}
+	}
+	return false
+}
+
+func (ruleReport *RuleReport) GetNumberOfResources() int {
+	return len(ruleReport.ListInputResources)
+}
+
+func (ruleReport *RuleReport) GetNumberOfFailedResources() int {
+	sum := 0
+	for i := len(ruleReport.RuleResponses) - 1; i >= 0; i-- {
+		if ruleReport.RuleResponses[i].GetSingleResultStatus() == "failed" {
+			if !ruleReport.DeleteIfRedundantResponse(&ruleReport.RuleResponses[i], i) {
+				sum++
+			}
+		}
+	}
+	return sum
+}
+
+func (ruleReport *RuleReport) DeleteIfRedundantResponse(RuleResponse *RuleResponse, index int) bool {
+	if b, rr := ruleReport.IsDuplicateResponseOfResource(RuleResponse, index); b {
+		rr.AddMessageToResponse(RuleResponse.AlertMessage)
+		ruleReport.RuleResponses = removeResponse(ruleReport.RuleResponses, index)
+		return true
+	}
+	return false
+}
+
+func (ruleResponse *RuleResponse) AddMessageToResponse(message string) {
+	ruleResponse.AlertMessage += message
+}
+
+func (ruleReport *RuleReport) IsDuplicateResponseOfResource(RuleResponse *RuleResponse, index int) (bool, *RuleResponse) {
+	for i := range ruleReport.RuleResponses {
+		if i != index {
+			for j := range ruleReport.RuleResponses[i].AlertObject.K8SApiObjects {
+				for k := range RuleResponse.AlertObject.K8SApiObjects {
+					w1 := k8sinterface.NewWorkloadObj(ruleReport.RuleResponses[i].AlertObject.K8SApiObjects[j])
+					w2 := k8sinterface.NewWorkloadObj(RuleResponse.AlertObject.K8SApiObjects[k])
+					if w1.GetName() == w2.GetName() && w1.GetNamespace() == w2.GetNamespace() && w1.GetKind() != "Role" && w1.GetKind() != "ClusterRole" {
+						return true, &ruleReport.RuleResponses[i]
+					}
+				}
+			}
+		}
+	}
+	return false, nil
+}
+
+func removeResponse(slice []RuleResponse, index int) []RuleResponse {
+	return append(slice[:index], slice[index+1:]...)
+}
+
+func (ruleReport *RuleReport) GetNumberOfWarningResources() int {
+	sum := 0
+	for i := range ruleReport.RuleResponses {
+		if ruleReport.RuleResponses[i].GetSingleResultStatus() == "warning" {
+			sum += 1
+		}
+	}
+	return sum
+}
+
+func (postureReport *PostureReport) RemoveData() {
+	for i := range postureReport.FrameworkReports {
+		postureReport.FrameworkReports[i].RemoveData()
+	}
+}
+func (frameworkReport *FrameworkReport) RemoveData() {
+	for i := range frameworkReport.ControlReports {
+		frameworkReport.ControlReports[i].RemoveData()
+	}
+}
+func (controlReport *ControlReport) RemoveData() {
+	for i := range controlReport.RuleReports {
+		controlReport.RuleReports[i].RemoveData()
+	}
+}
+
+func (ruleReport *RuleReport) RemoveData() {
+	for i := range ruleReport.RuleResponses {
+		ruleReport.RuleResponses[i].RemoveData()
+	}
+}
+
+func (r *RuleResponse) RemoveData() {
+	r.AlertObject.ExternalObjects = nil
+
+	keepFields := []string{"kind", "apiVersion", "metadata"}
+	keepMetadataFields := []string{"name", "namespace", "labels"}
+
+	for i := range r.AlertObject.K8SApiObjects {
+		deleteFromMap(r.AlertObject.K8SApiObjects[i], keepFields)
+		for k := range r.AlertObject.K8SApiObjects[i] {
+			if k == "metadata" {
+				if b, ok := r.AlertObject.K8SApiObjects[i][k].(map[string]interface{}); ok {
+					deleteFromMap(b, keepMetadataFields)
+					r.AlertObject.K8SApiObjects[i][k] = b
+				}
+			}
+		}
+	}
+}
+
+func deleteFromMap(m map[string]interface{}, keepFields []string) {
+	for k := range m {
+		if StringInSlice(keepFields, k) {
+			continue
+		}
+		delete(m, k)
+	}
+}
+
+func StringInSlice(strSlice []string, str string) bool {
+	for i := range strSlice {
+		if strSlice[i] == str {
+			return true
+		}
+	}
+	return false
+}
--- a/cautils/opapolicy/gojayunmarshaller.go
+++ b/cautils/opapolicy/gojayunmarshaller.go
@@ -0,0 +1,47 @@
+package opapolicy
+
+import (
+	"github.com/francoispqt/gojay"
+	"time"
+)
+
+/*
+  responsible on fast unmarshaling of various COMMON containerscan structures and substructures
+
+*/
+// UnmarshalJSONObject - File inside a pkg
+func (r *PostureReport) UnmarshalJSONObject(dec *gojay.Decoder, key string) (err error) {
+
+	switch key {
+	case "customerGUID":
+		err = dec.String(&(r.CustomerGUID))
+
+	case "clusterName":
+		err = dec.String(&(r.ClusterName))
+
+	case "reportID":
+		err = dec.String(&(r.ReportID))
+	case "jobID":
+		err = dec.String(&(r.JobID))
+	case "generationTime":
+		err = dec.Time(&(r.ReportGenerationTime), time.RFC3339)
+		r.ReportGenerationTime = r.ReportGenerationTime.Local()
+	}
+	return err
+
+}
+
+// func (files *PkgFiles) UnmarshalJSONArray(dec *gojay.Decoder) error {
+// 	lae := PackageFile{}
+// 	if err := dec.Object(&lae); err != nil {
+// 		return err
+// 	}
+
+// 	*files = append(*files, lae)
+// 	return nil
+// }
+
+func (file *PostureReport) NKeys() int {
+	return 0
+}
+//------------------------
--- a/cautils/opapolicy/resources/dependencies.go
+++ b/cautils/opapolicy/resources/dependencies.go
@@ -0,0 +1,219 @@
+package resources
+
+var RegoCAUtils = `
+package cautils
+
+list_contains(lista,element) {
+  some i
+  lista[i] == element
+}
+
+# getPodName(metadata) = name {
+# 	name := metadata.generateName
+#}
+getPodName(metadata) = name {
+	name := metadata.name
+}
+
+#returns subobject ,sub1 is partial to parent,  e.g parent = {a:a,b:b,c:c,d:d}
+# sub1 = {b:b,c:c} - result is {b:b,c:c}, if sub1={b:b,e:f} returns {b:b}
+object_intersection(parent,sub1) = r{
+  
+  r := {k:p  | p := sub1[k]
+              parent[k]== p
+              }
+}
+
+#returns if parent contains sub(both are objects not sets!!)
+is_subobject(sub,parent) {
+object_intersection(sub,parent)  == sub
+}
+`
+
+var RegoDesignators = `
+package designators
+
+import data.cautils
+#functions that related to designators
+
+#allowed_namespace
+#@input@: receive as part of the input object "included_namespaces" list
+#@input@: item's namespace as "namespace"
+#returns true if namespace exists in that list
+included_namespaces(namespace){
+    cautils.list_contains(["default"],namespace)
+}
+
+#forbidden_namespaces
+#@input@: receive as part of the input object "forbidden_namespaces" list
+#@input@: item's namespace as "namespace"
+#returns true if namespace exists in that list
+excluded_namespaces(namespace){
+    not cautils.list_contains(["excluded"],namespace)
+}
+
+forbidden_wlids(wlid){
+    input.forbidden_wlids[_] == wlid
+}
+
+filter_k8s_object(obj) = filtered {
+    #put 
+    filtered := obj
+    	#filtered := [ x | cautils.list_contains(["default"],obj[i].metadata.namespace) ; x := obj[i] ]
+        # filtered := [ x | not cautils.list_contains([],filter1Set[i].metadata.namespace); x := filter1Set[i]]
+        
+}
+`
+var RegoKubernetesApiClient = `
+package kubernetes.api.client
+
+# service account token
+token :=  data.k8sconfig.token
+
+# Cluster host
+host := data.k8sconfig.host
+
+# default certificate path 
+# crt_file := "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+crt_file := data.k8sconfig.crtfile
+
+client_crt_file := data.k8sconfig.clientcrtfile
+client_key_file := data.k8sconfig.clientkeyfile
+ 
+
+# This information could be retrieved from the kubernetes API
+# too, but would essentially require a request per API group,
+# so for now use a lookup table for the most common resources.
+resource_group_mapping := {
+	"services": "api/v1",
+	"pods": "api/v1",
+	"configmaps": "api/v1",
+	"secrets": "api/v1",
+	"persistentvolumeclaims": "api/v1",
+	"daemonsets": "apis/apps/v1",
+	"deployments": "apis/apps/v1",
+	"statefulsets": "apis/apps/v1",
+	"horizontalpodautoscalers": "api/autoscaling/v1",
+	"jobs": "apis/batch/v1",
+	"cronjobs": "apis/batch/v1beta1",
+	"ingresses": "api/extensions/v1beta1",
+	"replicasets": "apis/apps/v1",
+	"networkpolicies": "apis/networking.k8s.io/v1",
+	"clusterroles": "apis/rbac.authorization.k8s.io/v1",
+	"clusterrolebindings": "apis/rbac.authorization.k8s.io/v1",
+	"roles": "apis/rbac.authorization.k8s.io/v1",
+	"rolebindings": "apis/rbac.authorization.k8s.io/v1",
+	"serviceaccounts": "api/v1"
+}
+
+# Query for given resource/name in provided namespace
+# Example: query_ns("deployments", "my-app", "default")
+query_name_ns(resource, name, namespace) = http.send({
+		"url": sprintf("%v/%v/namespaces/%v/%v/%v", [
+		host,
+		resource_group_mapping[resource],
+		namespace,
+		resource,
+		name,
+	]),
+	"method": "get",	
+	"headers": {"authorization": token},
+	"tls_client_cert_file": client_crt_file,
+	"tls_client_key_file": client_key_file,
+	"tls_ca_cert_file": crt_file,
+	"raise_error": true,
+})
+
+# Query for given resource type using label selectors
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+# Example: query_label_selector_ns("deployments", {"app": "opa-kubernetes-api-client"}, "default")
+query_label_selector_ns(resource, selector, namespace) = http.send({
+	"url": sprintf("%v/%v/namespaces/%v/%v?labelSelector=%v", [
+		host,
+		resource_group_mapping[resource],
+		namespace,
+		resource,
+		label_map_to_query_string(selector),
+	]),
+	"method": "get",
+	"headers": {"authorization": token},
+	"tls_client_cert_file": client_crt_file,
+	"tls_client_key_file": client_key_file,
+	"tls_ca_cert_file": crt_file,
+	"raise_error": true,
+})
+
+# x := field_transform_to_qry_param("spec.selector",input)
+# input = {"app": "acmefit", "service": "catalog-db"}
+# result:  "spec.selector.app%3Dacmefit,spec.selector.service%3Dcatalog-db"
+
+
+query_field_selector_ns(resource, field, selector, namespace) = http.send({
+	"url": sprintf("%v/%v/namespaces/%v/%v?fieldSelector=%v", [
+		host,
+		resource_group_mapping[resource],
+		namespace,
+		resource,
+		field_transform_to_qry_param(field,selector),
+	]),
+	"method": "get",
+	"headers": {"authorization": token},
+	"tls_client_cert_file": client_crt_file,
+	"tls_client_key_file": client_key_file,
+	"tls_ca_cert_file": crt_file,
+	"raise_error": true,
+	
+})
+
+# # Query for all resources of type resource in all namespaces
+# # Example: query_all("deployments")
+# query_all(resource) = http.send({
+# 	"url": sprintf("https://%v:%v/%v/%v", [
+# 		ip,
+# 		port,
+# 		resource_group_mapping[resource],
+# 		resource,
+# 	]),
+# 	"method": "get",
+# 	"headers": {"authorization": sprintf("Bearer %v", [token])},
+# 	"tls_client_cert_file": crt_file,
+# 	"raise_error": true,
+# })
+
+# Query for all resources of type resource in all namespaces
+# Example: query_all("deployments")
+query_all(resource) = http.send({
+	"url": sprintf("%v/%v/%v", [
+		host,
+		resource_group_mapping[resource],
+		resource,
+	]),
+	"method": "get",
+	"headers": {"authorization": token},
+	"tls_client_cert_file": client_crt_file,
+	"tls_client_key_file": client_key_file,
+	"tls_ca_cert_file": crt_file,
+	"raise_error": true,
+}) 
+
+
+
+# Query for all resources of type resource in all namespaces - without authentication
+# Example: query_all("deployments")
+query_all_no_auth(resource) = http.send({
+	"url": sprintf("%v/%v/namespaces/default/%v", [
+		host,
+		resource_group_mapping[resource],
+		resource,
+	]),
+	"method": "get",
+	"raise_error": true,
+	"tls_insecure_skip_verify" : true,
+}) 
+
+field_transform_to_qry_param(field,map) = finala {
+	mid := {concat(".",[field,key]): val | val := map[key]}
+    finala := label_map_to_query_string(mid)
+}
+label_map_to_query_string(map) = concat(",", [str | val := map[key]; str := concat("%3D", [key, val])])
+`
--- a/cautils/opapolicy/resources/rego/modules/cronJob.reg
+++ b/cautils/opapolicy/resources/rego/modules/cronJob.reg
@@ -0,0 +1,20 @@
+package armo_builtins
+
+# import data.kubernetes.api.client as client
+import data.cautils as cautils
+
+
+# alert cronjobs
+
+#handles cronjob
+deny[msga] {
+
+	wl := input[_]
+	wl.kind == "CronJob"
+    msga := {
+		"alertMessage": sprintf("the following cronjobs are defined: %v", [wl]),
+		"alertScore": 2,
+		"packagename": "armo_builtins",
+		"alertObject": wl
+	}
+}
--- a/cautils/opapolicy/resources/rego/modules/externalfacing.reg
+++ b/cautils/opapolicy/resources/rego/modules/externalfacing.reg
@@ -0,0 +1,44 @@
+package armo_builtins
+
+import data.kubernetes.api.client as client
+
+
+# input: pod
+# apiversion: v1
+# does: 
+#	returns the external facing services of that pod
+#
+#
+deny[msga] {
+	pod := input[_]
+	podns :=  pod.metadata.namespace
+	podname := getName(pod.metadata)
+	# pod := client.query_name_ns("pods","frontend-86c5ffb485-kfp9d", "default")
+	labels := pod.body.metadata.labels
+	filtered_labels := json.remove(labels, ["pod-template-hash"])
+    
+	 cluster_resource := client.query_all(
+	 	"services"
+	 )
+
+
+	services := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]
+	service := 	services[_]
+	np_or_lb := {"NodePort", "LoadBalancer"}
+	np_or_lb[service.spec.type]
+	service.spec.selector == filtered_labels
+    
+	msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("pod %v/%v exposed services: %v\n", [podns,podname,service]),
+		"alertScore": 7,
+		"alertObject": {"service":service,"labels":filtered_labels, "podname":podname,"namespace":podns}
+	}
+}
+
+getName(metadata) = name {
+	name := metadata.generateName
+}
+getName(metadata) = name {
+	name := metadata.name
+}
--- a/cautils/opapolicy/resources/rego/modules/hostpath.reg
+++ b/cautils/opapolicy/resources/rego/modules/hostpath.reg
@@ -0,0 +1,57 @@
+package armo_builtins
+#import data.kubernetes.api.client as client
+import data.cautils as cautils
+
+# input: pod
+# apiversion: v1
+# does: 
+#	returns hostPath volumes
+#
+#
+deny[msga] {
+    pod := input[_]
+    pod.kind == "Pod"
+    volumes := pod.spec.volumes
+    volume := volumes[_]
+    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name
+    volume.hostPath
+    podname := cautils.getPodName(pod.metadata)
+    obj := {"volume":volume,"podname": podname}
+
+	msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("pod: %v has {%v,%v} ashostPath volume \n\n\n", [podname, volume]),
+		"alertScore": 7,
+		"alertObject": [obj]
+	}
+}
+
+isRWMount(mount) {
+ not mount.readOnly
+}
+isRWMount(mount) {
+  mount.readOnly == false
+}
+
+
+#handles majority of workload resources
+deny[msga] {
+
+	wl := input[_]
+	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	spec_template_spec_patterns[wl.kind]
+    volumes := wl.spec.template.spec.volumes
+    volume := volumes[_]
+    volume.hostPath
+    wlname := cautils.getPodName(wl.metadata)
+    obj := {"volume":volume,"podname": wlname}
+
+	msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("%v: %v has {%v,%v} as hostPath volume\n\n\n", [wl.kind,wlname, volume]),
+		"alertScore": 7,
+		"alertObject": [obj]
+	}
+}
+
+
--- a/cautils/opapolicy/resources/rego/modules/privileged.reg
+++ b/cautils/opapolicy/resources/rego/modules/privileged.reg
@@ -0,0 +1,56 @@
+package armo_builtins
+
+#import data.kubernetes.api.client as client
+
+
+# Deny mutating action unless user is in group owning the resource
+
+
+#privileged pods
+deny[msga] {
+
+   
+	pod := input[_]
+	containers := pod.spec.containers[_]
+	containers.securityContext.privileged == true
+    msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("the following pods are defined as privileged: %v", [pod]),
+		"alertScore": 3,
+		"alertObject": pod,
+	}
+}
+
+
+#handles majority of workload resources
+deny[msga] {
+
+	wl := input[_]
+	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	spec_template_spec_patterns[wl.kind]
+	containers := wl.spec.template.spec.containers[_]
+	containers.securityContext.privileged == true
+    msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("the following workloads are defined as privileged: %v", [wl]),
+		"alertScore": 3,
+		"alertObject": wl,
+	}
+}
+
+
+
+#handles cronjob
+deny[msga] {
+
+	wl := input[_]
+	wl.kind == "CronJob"
+	containers := wl.spec.jobTemplate.spec.template.spec.containers[_]
+	containers.securityContext.privileged == true
+    msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("the following cronjobs are defined as privileged: %v", [wl]),
+		"alertScore": 3,
+		"alertObject": wl,
+	}
+}
--- a/cautils/opapolicy/resources/rego/modules/rbacsecrets.reg
+++ b/cautils/opapolicy/resources/rego/modules/rbacsecrets.reg
@@ -0,0 +1,98 @@
+package armo_builtins
+import data.kubernetes.api.client as client
+import data.cautils as cautils
+
+
+# input: None
+# apiversion: v1
+# does: 
+#	returns roles+ related subjects in rolebinding
+
+
+deny[msga] {
+	# rsrc := client.query_all("roles")
+	# role := rsrc.body.items[_]
+	role := input[_]
+	role.kind == "Role"
+	rule := role.rules[_]
+	cautils.list_contains(rule.resources,"secrets")
+	canViewSecrets(rule)
+	rbsrc := client.query_all("rolebindings")
+	rolebinding := rbsrc.body.items[_]
+	rolebinding.roleRef.kind == "Role"
+	rolebinding.roleRef.name == role.metadata.name
+	
+    
+	msga := {
+		"alertMessage": sprintf("the following users: %v , got read secret access roles", [rolebinding.subjects]),
+		"alertScore": 9,
+		"packagename": "armo_builtins",
+		"alertObject": {"role":role,"users":rolebinding.subjects}
+	}
+}
+
+
+
+# input: None
+# apiversion: v1
+# does: 
+#	returns clusterroles+ related subjects in rolebinding
+
+
+deny[msga] {
+	# rsrc := client.query_all("clusterroles")
+	# role := rsrc.body.items[_]
+	role := input[_]
+	role.kind == "ClusterRole"
+	rule := role.rules[_]
+	cautils.list_contains(rule.resources,"secrets")
+	canViewSecrets(rule)
+	rbsrc := client.query_all("rolebindings")
+	rolebinding := rbsrc.body.items[_]
+	rolebinding.roleRef.kind == "ClusterRole"
+	rolebinding.roleRef.name == role.metadata.name
+	
+    
+	msga := {
+		"alertMessage": sprintf("the following users: %v , got read secret access roles", [rolebinding.subjects]),
+		"alertScore": 9,
+		"packagename": "armo_builtins",
+		"alertObject": {"clusterrole":role,"users":rolebinding.subjects}
+	}
+}
+
+
+# input: None
+# apiversion: v1
+# does: 
+#	returns clusterroles+ related subjects in clusterrolebinding
+#
+#
+deny[msga] {
+	# rsrc := client.query_all("clusterroles")
+	# role := rsrc.body.items[_]
+	role := input[_]
+	role.kind == "ClusterRole"
+	rule := role.rules[_]
+	cautils.list_contains(rule.resources,"secrets")
+	canViewSecrets(rule)
+	rbsrc := client.query_all("clusterrolebindings")
+	rolebinding := rbsrc.body.items[_]
+	rolebinding.roleRef.kind == "ClusterRole"
+	rolebinding.roleRef.name == role.metadata.name
+	
+    
+	msga := {
+		"alertMessage": sprintf("the following users: %v , got read secret access roles", [rolebinding.subjects]),
+		"alertScore": 9,
+		"packagename": "armo_builtins",
+		"alertObject": {"clusterrole":role,"users":rolebinding.subjects}
+	}
+}
+
+canViewSecrets(rule) {
+	cautils.list_contains(rule.verbs,"get")
+}
+canViewSecrets(rule) {
+	cautils.list_contains(rule.verbs,"watch")
+}
--- a/cautils/opapolicy/resources/rego/modules/rwhostpath.reg
+++ b/cautils/opapolicy/resources/rego/modules/rwhostpath.reg
@@ -0,0 +1,64 @@
+package armo_builtins
+#import data.kubernetes.api.client as client
+import data.cautils as cautils
+
+# input: pod
+# apiversion: v1
+# does: 
+#	returns rw hostpath volumes of that pod
+#
+#
+deny[msga] {
+    pod := input[_]
+    pod.kind == "Pod"
+    volumes := pod.spec.volumes
+    volume := volumes[_]
+    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name
+    mount := pod.spec.containers[_].volumeMounts[_]
+    mount.name == volume.name
+    volume.hostPath
+    isRWMount(mount)
+    podname := cautils.getPodName(pod.metadata)
+    obj := {"volume":volume,"mount":mount,"podname": podname}
+
+	msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("pod: %v has {%v,%v} as rw hostPath volume and volumemount pair\n\n\n", [podname, volume,mount]),
+		"alertScore": 7,
+		"alertObject": [obj],
+	
+	}
+}
+
+isRWMount(mount) {
+ not mount.readOnly
+}
+isRWMount(mount) {
+  mount.readOnly == false
+}
+
+
+#handles majority of workload resources
+deny[msga] {
+
+	wl := input[_]
+	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	spec_template_spec_patterns[wl.kind]
+    volumes := wl.spec.template.spec.volumes
+    volume := volumes[_]
+    mount := wl.spec.template.spec.containers[_].volumeMounts[_]
+    mount.name == volume.name
+    volume.hostPath
+    isRWMount(mount)
+    wlname := cautils.getPodName(wl.metadata)
+    obj := {"volume":volume,"mount":mount,"podname": wlname}
+
+	msga := {
+		"packagename": "armo_builtins",
+		"alertMessage": sprintf("%v: %v has {%v,%v} as rw hostPath volume and volumemount pair\n\n\n", [wl.kind,wlname, volume,mount]),
+		"alertScore": 7,
+		"alertObject": [obj],
+	}
+}
+
+
--- a/cautils/opapolicy/resources/rego/modules/sshableworkload.reg
+++ b/cautils/opapolicy/resources/rego/modules/sshableworkload.reg
@@ -0,0 +1,57 @@
+package armo_builtins
+import data.kubernetes.api.client as client
+import data.cautils as cautils
+
+# input: pod
+# apiversion: v1
+# does: 
+#	returns the external facing services of that pod
+#
+#
+deny[msga] {
+	pod := input[_]
+	podns := pod.metadata.namespace
+	podname := cautils.getPodName(pod.metadata)
+	# pod := client.query_name_ns("pods", "catalog-mongo-6f468d99b4-pn242", "default")
+	labels := pod.body.metadata.labels
+	filtered_labels := json.remove(labels, ["pod-template-hash"])
+    
+	 cluster_resource := client.query_all(
+	 	"services"
+	 )
+
+	services := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]
+	service := 	services[_]
+	service.spec.selector == filtered_labels
+    
+	hasSSHPorts(service)
+
+	msga := {
+		"alertMessage": sprintf("pod %v/%v exposed by SSH services: %v\n", [podns,podname,service]),
+		"packagename": "armo_builtins",
+		"alertScore": 7,
+		"alertObject": [{"pod":pod,"service":{service}}]
+	}
+}
+
+hasSSHPorts(service) {
+	port := service.spec.ports[_]
+	port.port == 22
+}
+
+
+hasSSHPorts(service) {
+	port := service.spec.ports[_]
+	port.port == 2222
+}
+
+hasSSHPorts(service) {
+	port := service.spec.ports[_]
+	port.targetPort == 22
+}
+
+
+hasSSHPorts(service) {
+	port := service.spec.ports[_]
+	port.targetPort == 2222
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/access2secrets.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/access2secrets.json
@@ -0,0 +1,33 @@
+{
+    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
+    "name": "[Builtin] rule-deny-access-to-secrets",
+    "creationTime": "2019-09-04T12:04:58.461455",
+    "description": "determines which users can get/list/watch secrets",
+    "attributes": {
+        "m$K8sThreatMatrix": "Credential Access::List k8s Secrets"
+    },
+    "ruleDependencies": [
+        {
+            "packageName":"cautils"
+        },
+        {
+            "packageName":"kubernetes.api.client"
+        }
+    ],
+    "remediation": "",
+    "match": [
+        {
+            "resources": [
+                "Role","ClusterRole"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "apiGroups": [
+                "rbac.authorization.k8s.io"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\npackage armo_builtins\nimport data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n\n# input: None\n# apiversion: v1\n# does: \n#\treturns roles+ related subjects in rolebinding\n\n\ndeny[msga] {\n\t# rsrc := client.query_all(\"roles\")\n\t# role := rsrc.body.items[_]\n\trole := input[_]\n\trole.kind == \"Role\"\n\trule := role.rules[_]\n\tcautils.list_contains(rule.resources,\"secrets\")\n\tcanViewSecrets(rule)\n\trbsrc := client.query_all(\"rolebindings\")\n\trolebinding := rbsrc.body.items[_]\n\trolebinding.roleRef.kind == \"Role\"\n\trolebinding.roleRef.name == role.metadata.name\n\t\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"the following users: %v , got read secret access roles\", [rolebinding.subjects]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 9,\n\t\t\"alertObject\": {\"role\":role,\"users\":rolebinding.subjects}\n\t\n\t}\n}\n\n\n\n# input: None\n# apiversion: v1\n# does: \n#\treturns clusterroles+ related subjects in rolebinding\n\n\ndeny[msga] {\n\t# rsrc := client.query_all(\"clusterroles\")\n\t# role := rsrc.body.items[_]\n\trole := input[_]\n\trole.kind == \"ClusterRole\"\n\trule := role.rules[_]\n\tcautils.list_contains(rule.resources,\"secrets\")\n\tcanViewSecrets(rule)\n\trbsrc := client.query_all(\"rolebindings\")\n\trolebinding := rbsrc.body.items[_]\n\trolebinding.roleRef.kind == \"ClusterRole\"\n\trolebinding.roleRef.name == role.metadata.name\n\t\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"the following users: %v , got read secret access roles\", [rolebinding.subjects]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 9,\n\t\t\"alertObject\": {\"clusterrole\":role,\"users\":rolebinding.subjects}\n\t\n\t}\n}\n\n\n# input: None\n# apiversion: v1\n# does: \n#\treturns clusterroles+ related subjects in clusterrolebinding\n#\n#\ndeny[msga] {\n\t# rsrc := client.query_all(\"clusterroles\")\n\t# role := rsrc.body.items[_]\n\trole := input[_]\n\trole.kind == \"ClusterRole\"\n\trule := role.rules[_]\n\tcautils.list_contains(rule.resources,\"secrets\")\n\tcanViewSecrets(rule)\n\trbsrc := client.query_all(\"clusterrolebindings\")\n\trolebinding := rbsrc.body.items[_]\n\trolebinding.roleRef.kind == \"ClusterRole\"\n\trolebinding.roleRef.name == role.metadata.name\n\t\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"the following users: %v , got read secret access roles\", [rolebinding.subjects]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 9,\n\t\t\"alertObject\": {\"clusterrole\":role,\"users\":rolebinding.subjects}\n\t\n\t}\n}\n\ncanViewSecrets(rule) {\n\tcautils.list_contains(rule.verbs,\"get\")\n}\ncanViewSecrets(rule) {\n\tcautils.list_contains(rule.verbs,\"watch\")\n}\n"
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/cansshtopod.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/cansshtopod.json
@@ -0,0 +1,34 @@
+{
+    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
+    "name": "[Builtin] rule-can-ssh-to-pod",
+    "creationTime": "2019-09-04T12:04:58.461455",
+    "description": "denies pods with SSH ports opened(22/222)",
+    "attributes": {
+        "microsoftK8sThreatMatrix": "val1"
+    },
+    "ruleDependencies": [
+        {
+            "packageName":"cautils"
+        },
+        {
+            "packageName":"kubernetes.api.client"
+        }
+    ],
+    "remediation": "create a network policy that protects SSH ports",
+    "match": [
+        {
+            "resources": [
+                "Pods"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "apiGroups": [
+                "*"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\npackage armo_builtins\nimport data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n# input: pod\n# apiversion: v1\n# does: \n#\treturns the external facing services of that pod\n#\n#\ndeny[msga] {\n\tpod := input[_]\n\tpodns := pod.metadata.namespace\n\tpodname := cautils.getPodName(pod.metadata)\n\t# pod := client.query_name_ns(\"pods\", \"catalog-mongo-6f468d99b4-pn242\", \"default\")\n\tlabels := pod.body.metadata.labels\n\tfiltered_labels := json.remove(labels, [\"pod-template-hash\"])\n    \n\t cluster_resource := client.query_all(\n\t \t\"services\"\n\t )\n\n\tservices := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]\n\tservice := \tservices[_]\n\tservice.spec.selector == filtered_labels\n    \n\thasSSHPorts(service)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"pod %v/%v exposed by SSH services: %v\n\", [podns,podname,service]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": [{\"pod\":pod,\"service\":{service}}]\n\t\n\t}\n}\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.port == 22\n}\n\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.port == 2222\n}\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.targetPort == 22\n}\n\n\nhasSSHPorts(service) {\n\tport := service.spec.ports[_]\n\tport.targetPort == 2222\n}\n"
+
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/compromisedregistries.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/compromisedregistries.json
@@ -0,0 +1,33 @@
+{
+    "guid": "",
+    "name": "[Builtin] rule-identify-blacklisted-image-registries",
+    "creationTime": "",
+    "description": "Identifying if pod container images are from unallowed registries",
+    "attributes": {
+        "m$K8sThreatMatrix": "Initial Access::Compromised images in registry"
+    },
+    "ruleDependencies": [
+        {
+            "packageName": "cautils"
+        },
+        {
+            "packageName": "kubernetes.api.client"
+        }
+    ],
+    "remediation": "Use images from safe registry",
+    "match": [
+        {
+            "resources": [
+                "Pods"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "apiGroups": [
+                "*"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\npackage armo_builtins\n# Check for images from blacklisted repos\n\nuntrusted_registries(z) = x {\n\tx := [\"015253967648.dkr.ecr.eu-central-1.amazonaws.com/\"]\t\n}\n\npublic_registries(z) = y{\n\ty := [\"quay.io/kiali/\",\"quay.io/datawire/\",\"quay.io/keycloak/\",\"quay.io/bitnami/\"]\n}\n\nuntrustedImageRepo[msga] {\n\tpod := input[_]\n\tk := pod.kind\n\tk == \"Pod\"\n\tcontainer := pod.spec.containers[_]\n\timage := container.image\n    repo_prefix := untrusted_registries(image)[_]\n\tstartswith(image, repo_prefix)\n\tselfLink := pod.metadata.selfLink\n\tcontainerName := container.name\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' in [%s] comes from untrusted registry\", [image, containerName, selfLink]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 2,\n\t\t\"alertObject\": [{\"pod\":pod}]\n\t}\n}\n\nuntrustedImageRepo[msga] {\n    pod := input[_]\n\tk := pod.kind\n\tk == \"Pod\"\n\tcontainer := pod.spec.containers[_]\n\timage := container.image\n    repo_prefix := public_registries(image)[_]\n\tstartswith(pod, repo_prefix)\n\tselfLink := input.metadata.selfLink\n\tcontainerName := container.name\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"image '%v' in container '%s' in [%s] comes from public registry\", [image, containerName, selfLink]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"pod\":pod}]\n\t}\n}"
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/externalfacingservicesbypod.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/externalfacingservicesbypod.json
@@ -0,0 +1,31 @@
+{
+    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
+    "name": "[Builtin] rule-pod-external-facing",
+    "creationTime": "2019-09-04T12:04:58.461455",
+    "description": "denies pods with external facing services, grabs related services",
+    "attributes": {
+        "microsoftK8sThreatMatrix": "val1"
+    },
+    "ruleDependencies": [
+        {
+            "packageName":"kubernetes.api.client"
+        }
+    ],
+    "remediation": "create a network policy that controls which protect your cluster from unwanted connections and the outside world",
+    "match": [
+        {
+            "resources": [
+                "Pods"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "apiGroups": [
+                "*"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\npackage armo_builtins\n\nimport data.kubernetes.api.client as client\n\n\n# input: pod\n# apiversion: v1\n# does: \n#\treturns the external facing services of that pod\n#\n#\ndeny[msga] {\n\tpod := input[_]\n\tpodns :=  pod.metadata.namespace\n\tpodname := getName(pod.metadata)\n\t# pod := client.query_name_ns(\"pods\",\"frontend-86c5ffb485-kfp9d\", \"default\")\n\tlabels := pod.body.metadata.labels\n\tfiltered_labels := json.remove(labels, [\"pod-template-hash\"])\n    \n\t cluster_resource := client.query_all(\n\t \t\"services\"\n\t )\n\n\n\tservices := [svc | cluster_resource.body.items[i].metadata.namespace == podns; svc := cluster_resource.body.items[i]]\n\tservice := \tservices[_]\n\tnp_or_lb := {\"NodePort\", \"LoadBalancer\"}\n\tnp_or_lb[service.spec.type]\n\tservice.spec.selector == filtered_labels\n    \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"pod %v/%v exposed services: %v\n\", [podns,podname,service]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": {\"service\":service,\"labels\":filtered_labels, \"podname\":podname,\"namespace\":podns}\n\t\n\t}\n}\n\ngetName(metadata) = name {\n\tname := metadata.generateName\n}\ngetName(metadata) = name {\n\tname := metadata.name\n}\n"
+
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/hostpath.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/hostpath.json
@@ -0,0 +1,31 @@
+{
+    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
+    "name": "[Builtin] alert-any-hostpath",
+    "creationTime": "2019-09-04T12:04:58.461455",
+    "description": "determines if any workload contains a hostPath volume",
+    "attributes": {
+        "m$K8sThreatMatrix": "Privilege Escalation::hostPath mount"
+    },
+    "ruleDependencies": [
+        {
+            "packageName":"cautils"
+        }
+    ],
+    "remediation": "consider if hostPath is really necessary - reading sensitive data like hostPath credentials might endanger cluster, if so consider encrypting the data",
+
+    "match": [
+        {
+            "resources": [
+                "Deployment","ReplicaSet","DaemonSet","StatefulSet","Job","Pod"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "apiGroups": [
+                "*"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\npackage armo_builtins\nimport data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n# input: pod\n# apiversion: v1\n# does: \n#\treturns hostPath volumes\n#\n#\ndeny[msga] {\n    pod := input[_]\n    pod.kind == \"Pod\"\n    volumes := pod.spec.volumes\n    volume := volumes[_]\n    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name\n    volume.hostPath\n    podname := cautils.getPodName(pod.metadata)\n    obj := {\"volume\":volume,\"podname\": podname}\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"pod: %v has {%v,%v} ashostPath volume \n\n\n\", [podname, volume]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": [obj],\n\t\n\t}\n}\n\nisRWMount(mount) {\n not mount.readOnly\n}\nisRWMount(mount) {\n  mount.readOnly == false\n}\n\n\n#handles majority of workload resources\ndeny[msga] {\n\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n    volumes := wl.spec.template.spec.volumes\n    volume := volumes[_]\n    volume.hostPath\n    wlname := cautils.getPodName(wl.metadata)\n    obj := {\"volume\":volume,\"podname\": wlname}\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has {%v,%v} as hostPath volume\n\n\n\", [wl.kind,wlname, volume]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 7,\n\t\t\"alertObject\": [obj],\n\t\n\t}\n}\n\n\n"
+    }
--- a/cautils/opapolicy/resources/rego/regorulesjsons/instancemetadataapi.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/instancemetadataapi.json
@@ -0,0 +1,27 @@
+{
+    "guid": "82f19070-2826-4fe4-a079-f5f7e7a1b04d",
+    "name": "[Builtin] instance-metadata-api-access",
+    "attributes": {
+        "m$K8sThreatMatrix": "Credential Access::Instance Metadata API"
+    },
+    "creationTime": "2021-04-25T10:48:48.861806",
+    "rule": "package armo_builtins\n# Check for images from blacklisted repos\n\nmetadata_azure(z) = http.send({\n\t\"url\": \"http://169.254.169.254/metadata/instance?api-version=2020-09-01\",\n\t\"method\": \"get\",\n\t\"headers\": {\"Metadata\": \"true\"},\n\t\"raise_error\": true,\t\n})\n\nmetadata_gcp(z) = http.send({\n\t\"url\": \"http://169.254.169.254/computeMetadata/v1/?alt=json&recursive=true\",\n\t\"method\": \"get\",\n\t\"headers\": {\"Metadata-Flavor\": \"Google\"},\n\t\"raise_error\": true,\t\n})\n\nmetadata_aws(z) = metadata_object { \n\thostname := http.send({\n\t\"url\": \"http://169.254.169.254/latest/meta-data/local-hostname\",\n\t\"method\": \"get\",\n\t\"raise_error\": true,\t\n    })\n\tmetadata_object := {\n\t\t\"raw_body\": hostname.raw_body,\n\t\t\"hostname\" : hostname.raw_body,\n\t\t\"status_code\" : hostname.status_code\n\t}\n}\n\nazure_metadata[msga] {\t\n\tmetadata_object := metadata_azure(\"aaa\")\n\tmetadata_object.status_code == 200\n\tnode_name := metadata_object.body.compute.name\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Node '%s' has access to Instance Metadata Services of Azure.\", [node_name]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"nodeMetadata\":metadata_object.body}]\n\t}\n}\n\ngcp_metadata[msga] {\t\n\tmetadata_object := metadata_gcp(\"aaa\")\n\tmetadata_object.status_code == 200\n\tnode_name := metadata_object.body.instance.hostname\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Node '%s' has access to Instance Metadata Services of GCP.\", [node_name]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"nodeMetadata\": metadata_object.raw_body}]\n\t}\n}\n\naws_metadata[msga] {\t\n\tmetadata_object := metadata_aws(\"aaa\")\n\tmetadata_object.status_code == 200\n\tnode_name := metadata_object.hostname\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Node '%s' has access to Instance Metadata Services of AWS.\", [node_name]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 1,\n\t\t\"alertObject\": [{\"nodeMetadata\": metadata_object.raw_body}]\n\t}\n}",
+    "ruleLanguage": "Rego",
+    "match": [
+        {
+            "apiGroups": [
+                "*"
+            ],
+            "apiVersions": [
+                "*"
+            ],
+            "resources": [
+                "nodes"
+            ]
+        }
+    ],
+    "ruleDependencies": [],
+    "description": "Checks if there is access from the nodes to cloud prividers instance metadata services",
+    "remediation": "From https://attack.mitre.org/techniques/T1552/005/ :Option A: Disable or Remove Feature or Program, Option B: Filter Network Traffic",
+    "ruleQuery": ""
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/iscronjob.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/iscronjob.json
@@ -0,0 +1,30 @@
+{
+    "guid": "[Builtin] 3b0467c9-488d-c244-99d0-90fbf600aaff",
+    "name": "rule-deny-cronjobs",
+    "creationTime": "2019-09-04T12:04:58.461455",
+    "description": "determines if it's cronjob",
+    "attributes": {
+        "m$K8sThreatMatrix": "Persistence::Cronjob"
+    },
+    "ruleDependencies": [
+        {
+            "packageName":"cautils"
+        }
+    ],
+    "remediation": "",
+    "match": [
+        {
+            "resources": [
+                "CronJob"
+            ],
+            "apiVersions": [
+                "v1beta1"
+            ],
+            "apiGroups": [
+                "batch"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\npackage armo_builtins\n\n# import data.kubernetes.api.client as client\nimport data.cautils as cautils\n\n\n# alert cronjobs\n\n#handles cronjob\ndeny[msga] {\n\n\twl := input[_]\n\twl.kind == \"CronJob\"\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following cronjobs are defined: %v\", [wl]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 2,\n\t\t\"alertObject\": wl\n\t\n\t}\n}\n"
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/privilegedworkload.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/privilegedworkload.json
@@ -0,0 +1,29 @@
+{
+    "guid": "",
+    "name": "[Builtin] rule-privilege-escalation",
+    "creationTime": "2019-09-04T12:04:58.461455",
+    "description": "determines if pods/deployments defined as privileged true",
+    "attributes": {
+        "mitre": "Privilege Escalation",
+        "mitreCode": "TA0004",
+        "m$K8sThreatMatrix": "Privilege Escalation::privileged container"
+    },
+    "ruleDependencies": [
+    ],
+    "remediation": "avoid defining pods as privilleged",
+    "match": [
+        {
+            "resources": [
+                "Deployment","ReplicaSet","DaemonSet","StatefulSet","Job","Pod","CronJob"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "apiGroups": [
+                "*"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\npackage armo_builtins\n\nimport data.kubernetes.api.client as client\nimport data.designators as scope\nimport data.cautils as cautils\n\n\n# Deny mutating action unless user is in group owning the resource\n\n\n#privileged pods\ndeny[msga] {\n\n   \n\tpod := input[_]\n\tcontainers := pod.spec.containers[_]\n\tcontainers.securityContext.privileged == true\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following pods are defined as privileged: %v\", [pod]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 3,\n\t\t\"alertObject\": pod,\n\t\n\t}\n}\n\n\n#handles majority of workload resources\ndeny[msga] {\n\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainers := wl.spec.template.spec.containers[_]\n\tcontainers.securityContext.privileged == true\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following workloads are defined as privileged: %v\", [wl]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 3,\n\t\t\"alertObject\": wl,\n\t\n\t}\n}\n\n\n\n#handles cronjob\ndeny[msga] {\n\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainers := wl.spec.jobTemplate.spec.template.spec.containers[_]\n\tcontainers.securityContext.privileged == true\n    msga := {\n\t\t\"alertMessage\": sprintf(\"the following cronjobs are defined as privileged: %v\", [wl]),\n\t\t\"alert\": true,\n\t\t\"prevent\": false,\n\t\t\"alertScore\": 3,\n\t\t\"alertObject\": wl,\n\t\n\t}\n}\n\n"
+}
--- a/cautils/opapolicy/resources/rego/regorulesjsons/rwhostpath.json
+++ b/cautils/opapolicy/resources/rego/regorulesjsons/rwhostpath.json
@@ -0,0 +1,31 @@
+{
+    "guid": "3b0467c9-488d-c244-99d0-90fbf600aaff",
+    "name": "[Builtin] alert-rw-hostpath",
+    "creationTime": "2019-09-04T12:04:58.461455",
+    "description": "determines if any workload contains a hostPath volume with rw permissions",
+    "attributes": {
+        "m$K8sThreatMatrix": "Persistance::Writable hostPath mount"
+    },
+    "ruleDependencies": [
+        {
+            "packageName":"cautils"
+        }
+    ],
+    "remediation": "consider if hostPath is really necessary- sensitive data like hostPath credentials might endanger cluster, if so consider encrypting the data",
+
+    "match": [
+        {
+            "resources": [
+                "Deployment","ReplicaSet","DaemonSet","StatefulSet","Job","Pod"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "apiGroups": [
+                "*"
+            ]
+        }
+    ],
+    "ruleLanguage": "Rego",
+    "rule": "\"\\npackage armo_builtins\\nimport data.kubernetes.api.client as client\\nimport data.cautils as cautils\\n\\n# input: pod\\n# apiversion: v1\\n# does: \\n#\\treturns hostPath volumes\\n#\\n#\\ndeny[msga] {\\n    pod := input[_]\\n    pod.kind == \\\"Pod\\\"\\n    volumes := pod.spec.volumes\\n    volume := volumes[_]\\n    # crsrcs.body.spec.containers[_].volumeMounts[_].name = volume.name\\n    volume.hostPath\\n    podname := cautils.getPodName(pod.metadata)\\n    obj := {\\\"volume\\\":volume,\\\"podname\\\": podname}\\n\\n\\tmsga := {\\n\\t\\t\\\"alertMessage\\\": sprintf(\\\"pod: %v has {%v,%v} ashostPath volume \\n\\n\\n\\\", [podname, volume]),\\n\\t\\t\\\"alert\\\": true,\\n\\t\\t\\\"prevent\\\": false,\\n\\t\\t\\\"alertScore\\\": 7,\\n\\t\\t\\\"alertObject\\\": [obj],\\n\\t\\n\\t}\\n}\\n\\nisRWMount(mount) {\\n not mount.readOnly\\n}\\nisRWMount(mount) {\\n  mount.readOnly == false\\n}\\n\\n\\n#handles majority of workload resources\\ndeny[msga] {\\n\\n\\twl := input[_]\\n\\tspec_template_spec_patterns := {\\\"Deployment\\\",\\\"ReplicaSet\\\",\\\"DaemonSet\\\",\\\"StatefulSet\\\",\\\"Job\\\"}\\n\\tspec_template_spec_patterns[wl.kind]\\n    volumes := wl.spec.template.spec.volumes\\n    volume := volumes[_]\\n    volume.hostPath\\n    wlname := cautils.getPodName(wl.metadata)\\n    obj := {\\\"volume\\\":volume,\\\"podname\\\": wlname}\\n\\n\\tmsga := {\\n\\t\\t\\\"alertMessage\\\": sprintf(\\\"%v: %v has {%v,%v} as hostPath volume\\n\\n\\n\\\", [wl.kind,wlname, volume]),\\n\\t\\t\\\"alert\\\": true,\\n\\t\\t\\\"prevent\\\": false,\\n\\t\\t\\\"alertScore\\\": 7,\\n\\t\\t\\\"alertObject\\\": [obj],\\n\\t\\n\\t}\\n}\\n\\n\\n\""
+}
--- a/cautils/opapolicy/resources/resourcesutils.go
+++ b/cautils/opapolicy/resources/resourcesutils.go
@@ -0,0 +1,118 @@
+package resources
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/armosec/kubescape/cautils/k8sinterface"
+
+	"github.com/golang/glog"
+	"github.com/open-policy-agent/opa/storage"
+	"github.com/open-policy-agent/opa/storage/inmem"
+	"github.com/open-policy-agent/opa/util"
+	"k8s.io/client-go/rest"
+)
+
+var (
+	RegoDependenciesPath = "/resources/rego/dependencies"
+)
+
+type RegoDependenciesData struct {
+	K8sConfig RegoK8sConfig `json:"k8sconfig"`
+}
+
+type RegoK8sConfig struct {
+	Token         string `json:"token"`
+	IP            string `json:"ip"`
+	Host          string `json:"host"`
+	Port          string `json:"port"`
+	CrtFile       string `json:"crtfile"`
+	ClientCrtFile string `json:"clientcrtfile"`
+	ClientKeyFile string `json:"clientkeyfile"`
+	// ClientKeyFile string `json:"crtfile"`
+}
+
+func NewRegoDependenciesDataMock() *RegoDependenciesData {
+	return NewRegoDependenciesData(k8sinterface.GetK8sConfig())
+}
+
+func NewRegoDependenciesData(k8sConfig *rest.Config) *RegoDependenciesData {
+
+	regoDependenciesData := RegoDependenciesData{}
+
+	if k8sConfig != nil {
+		regoDependenciesData.K8sConfig = *NewRegoK8sConfig(k8sConfig)
+	}
+
+	return &regoDependenciesData
+}
+func NewRegoK8sConfig(k8sConfig *rest.Config) *RegoK8sConfig {
+
+	host := k8sConfig.Host
+	if host == "" {
+		ip := os.Getenv("KUBERNETES_SERVICE_HOST")
+		port := os.Getenv("KUBERNETES_SERVICE_PORT")
+		host = fmt.Sprintf("https://%s:%s", ip, port)
+	}
+
+	token := ""
+	if k8sConfig.BearerToken != "" {
+		token = fmt.Sprintf("Bearer %s", k8sConfig.BearerToken)
+	}
+
+	regoK8sConfig := RegoK8sConfig{
+		Token:         token,
+		Host:          host,
+		CrtFile:       k8sConfig.CAFile,
+		ClientCrtFile: k8sConfig.CertFile,
+		ClientKeyFile: k8sConfig.KeyFile,
+	}
+	return &regoK8sConfig
+}
+func (data *RegoDependenciesData) TOStorage() (storage.Store, error) {
+	var jsonObj map[string]interface{}
+	bytesData, err := json.Marshal(*data)
+	if err != nil {
+		return nil, err
+	}
+	// glog.Infof("RegoDependenciesData: %s", bytesData)
+	if err := util.UnmarshalJSON(bytesData, &jsonObj); err != nil {
+		return nil, err
+	}
+	return inmem.NewFromObject(jsonObj), nil
+}
+
+// LoadRegoDependenciesFromDir loads the policies list from *.rego file in given directory
+func LoadRegoFiles(dir string) map[string]string {
+
+	modules := make(map[string]string)
+
+	// Compile the module. The keys are used as identifiers in error messages.
+	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+		if err == nil && strings.HasSuffix(path, ".rego") && !info.IsDir() {
+			content, err := os.ReadFile(path)
+			if err != nil {
+				glog.Errorf("LoadRegoFiles, Failed to load: %s: %v", path, err)
+			} else {
+				modules[strings.Trim(filepath.Base(path), ".rego")] = string(content)
+			}
+		}
+		return nil
+	})
+
+	return modules
+}
+
+// LoadRegoModules loads the policies from variables
+func LoadRegoModules() map[string]string {
+
+	modules := make(map[string]string)
+	modules["cautils"] = RegoCAUtils
+	modules["designators"] = RegoDesignators
+	modules["kubernetes.api.client"] = RegoKubernetesApiClient
+
+	return modules
+}
--- a/cautils/opapolicy/resources/resourcesutils_test.go
+++ b/cautils/opapolicy/resources/resourcesutils_test.go
@@ -0,0 +1 @@
+package resources
--- a/cautils/rbac.go
+++ b/cautils/rbac.go
@@ -1,117 +0,0 @@
-package cautils
-
-import (
-	"encoding/json"
-	"time"
-
-	"github.com/armosec/k8s-interface/workloadinterface"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/armosec/rbac-utils/rbacscanner"
-	"github.com/armosec/rbac-utils/rbacutils"
-	uuid "github.com/satori/go.uuid"
-)
-
-type RBACObjects struct {
-	scanner *rbacscanner.RbacScannerFromK8sAPI
-}
-
-func NewRBACObjects(scanner *rbacscanner.RbacScannerFromK8sAPI) *RBACObjects {
-	return &RBACObjects{scanner: scanner}
-}
-
-func (rbacObjects *RBACObjects) SetResourcesReport() (*reporthandling.PostureReport, error) {
-	return &reporthandling.PostureReport{
-		ReportID:             uuid.NewV4().String(),
-		ReportGenerationTime: time.Now().UTC(),
-		CustomerGUID:         rbacObjects.scanner.CustomerGUID,
-		ClusterName:          rbacObjects.scanner.ClusterName,
-	}, nil
-}
-
-func (rbacObjects *RBACObjects) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
-	resources, err := rbacObjects.scanner.ListResources()
-	if err != nil {
-		return nil, err
-	}
-	allresources, err := rbacObjects.rbacObjectsToResources(resources)
-	if err != nil {
-		return nil, err
-	}
-	return allresources, nil
-}
-
-func (rbacObjects *RBACObjects) rbacObjectsToResources(resources *rbacutils.RbacObjects) (map[string]workloadinterface.IMetadata, error) {
-	allresources := map[string]workloadinterface.IMetadata{}
-	// wrap rbac aggregated objects in IMetadata and add to allresources
-	rbacIMeta, err := rbacutils.RbacObjectIMetadataWrapper(resources.Rbac)
-	if err != nil {
-		return nil, err
-	}
-	allresources[rbacIMeta.GetID()] = rbacIMeta
-	rbacTableIMeta, err := rbacutils.RbacTableObjectIMetadataWrapper(resources.RbacT)
-	if err != nil {
-		return nil, err
-	}
-	allresources[rbacTableIMeta.GetID()] = rbacTableIMeta
-	SA2WLIDmapIMeta, err := rbacutils.SA2WLIDmapIMetadataWrapper(resources.SA2WLIDmap)
-	if err != nil {
-		return nil, err
-	}
-	allresources[SA2WLIDmapIMeta.GetID()] = SA2WLIDmapIMeta
-
-	// convert rbac k8s resources to IMetadata and add to allresources
-	for _, cr := range resources.ClusterRoles.Items {
-		crmap, err := convertToMap(cr)
-		if err != nil {
-			return nil, err
-		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
-		crIMeta := workloadinterface.NewWorkloadObj(crmap)
-		crIMeta.SetKind("ClusterRole")
-		allresources[crIMeta.GetID()] = crIMeta
-	}
-	for _, cr := range resources.Roles.Items {
-		crmap, err := convertToMap(cr)
-		if err != nil {
-			return nil, err
-		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
-		crIMeta := workloadinterface.NewWorkloadObj(crmap)
-		crIMeta.SetKind("Role")
-		allresources[crIMeta.GetID()] = crIMeta
-	}
-	for _, cr := range resources.ClusterRoleBindings.Items {
-		crmap, err := convertToMap(cr)
-		if err != nil {
-			return nil, err
-		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
-		crIMeta := workloadinterface.NewWorkloadObj(crmap)
-		crIMeta.SetKind("ClusterRoleBinding")
-		allresources[crIMeta.GetID()] = crIMeta
-	}
-	for _, cr := range resources.RoleBindings.Items {
-		crmap, err := convertToMap(cr)
-		if err != nil {
-			return nil, err
-		}
-		crmap["apiVersion"] = "rbac.authorization.k8s.io/v1"
-		crIMeta := workloadinterface.NewWorkloadObj(crmap)
-		crIMeta.SetKind("RoleBinding")
-		allresources[crIMeta.GetID()] = crIMeta
-	}
-	return allresources, nil
-}
-
-func convertToMap(obj interface{}) (map[string]interface{}, error) {
-	var inInterface map[string]interface{}
-	inrec, err := json.Marshal(obj)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(inrec, &inInterface)
-	if err != nil {
-		return nil, err
-	}
-	return inInterface, nil
-}
--- a/cautils/reporterutils.go
+++ b/cautils/reporterutils.go
@@ -0,0 +1,5 @@
+package cautils
+
+const (
+	ComponentIdentifier = "Posture"
+)
--- a/cautils/scaninfo.go
+++ b/cautils/scaninfo.go
@@ -1,100 +1,67 @@
 package cautils

 import (
-	"fmt"
 	"path/filepath"

 	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/opa-utils/reporthandling"
+	"github.com/armosec/kubescape/cautils/opapolicy"
 )

-const (
-	ScanCluster    string = "cluster"
-	ScanLocalFiles string = "yaml"
-)
-
-type BoolPtrFlag struct {
-	valPtr *bool
-}
-
-func (bpf *BoolPtrFlag) Type() string {
-	return "bool"
-}
-
-func (bpf *BoolPtrFlag) String() string {
-	if bpf.valPtr != nil {
-		return fmt.Sprintf("%v", *bpf.valPtr)
-	}
-	return ""
-}
-func (bpf *BoolPtrFlag) Get() *bool {
-	return bpf.valPtr
-}
-
-func (bpf *BoolPtrFlag) SetBool(val bool) {
-	bpf.valPtr = &val
-}
-
-func (bpf *BoolPtrFlag) Set(val string) error {
-	switch val {
-	case "true":
-		bpf.SetBool(true)
-	case "false":
-		bpf.SetBool(false)
-	}
-	return nil
-}
-
 type ScanInfo struct {
 	Getters
-	PolicyIdentifier   []reporthandling.PolicyIdentifier
-	UseExceptions      string      // Load file with exceptions configuration
-	ControlsInputs     string      // Load file with inputs for controls
-	UseFrom            []string    // Load framework from local file (instead of download). Use when running offline
-	UseDefault         bool        // Load framework from cached file (instead of download). Use when running offline
-	VerboseMode        bool        // Display all of the input resources and not only failed resources
-	Format             string      // Format results (table, json, junit ...)
-	Output             string      // Store results in an output file, Output file name
-	ExcludedNamespaces string      // used for host sensor namespace
-	IncludeNamespaces  string      // DEPRECATED?
-	InputPatterns      []string    // Yaml files input patterns
-	Silent             bool        // Silent mode - Do not print progress logs
-	FailThreshold      uint16      // Failure score threshold
-	Submit             bool        // Submit results to Armo BE
-	HostSensor         BoolPtrFlag // Deploy ARMO K8s host sensor to collect data from certain controls
-	Local              bool        // Do not submit results
-	Account            string      // account ID
-	FrameworkScan      bool        // false if scanning control
-	ScanAll            bool        // true if scan all frameworks
+	PolicyIdentifier   opapolicy.PolicyIdentifier
+	UseExceptions      string   // Load exceptions configuration
+	UseFrom            string   // Load framework from local file (instead of download). Use when running offline
+	UseDefault         bool     // Load framework from cached file (instead of download). Use when running offline
+	Format             string   // Format results (table, json, junit ...)
+	Output             string   // Store results in an output file, Output file name
+	ExcludedNamespaces string   // DEPRECATED?
+	InputPatterns      []string // Yaml files input patterns
+	Silent             bool     // Silent mode - Do not print progress logs
+	FailThreshold      uint16   // Failure score threshold
+	DoNotSendResults   bool     // DEPRECATED
+	Submit             bool     // Submit results to Armo BE
+	Local              bool     // Do not submit results
+	Account            string   // account ID
 }

 type Getters struct {
-	ExceptionsGetter     getter.IExceptionsGetter
-	ControlsInputsGetter getter.IControlsInputsGetter
-	PolicyGetter         getter.IPolicyGetter
+	ExceptionsGetter getter.IExceptionsGetter
+	PolicyGetter     getter.IPolicyGetter
 }

 func (scanInfo *ScanInfo) Init() {
 	scanInfo.setUseFrom()
 	scanInfo.setUseExceptions()
 	scanInfo.setOutputFile()
+	scanInfo.setGetter()

 }

 func (scanInfo *ScanInfo) setUseExceptions() {
 	if scanInfo.UseExceptions != "" {
 		// load exceptions from file
-		scanInfo.ExceptionsGetter = getter.NewLoadPolicy([]string{scanInfo.UseExceptions})
+		scanInfo.ExceptionsGetter = getter.NewLoadPolicy(scanInfo.UseExceptions)
 	} else {
-		scanInfo.ExceptionsGetter = getter.GetArmoAPIConnector()
+		scanInfo.ExceptionsGetter = getter.NewArmoAPI()
 	}
-}

+}
 func (scanInfo *ScanInfo) setUseFrom() {
+	if scanInfo.UseFrom != "" {
+		return
+	}
 	if scanInfo.UseDefault {
-		for _, policy := range scanInfo.PolicyIdentifier {
-			scanInfo.UseFrom = append(scanInfo.UseFrom, getter.GetDefaultPath(policy.Name+".json"))
-		}
+		scanInfo.UseFrom = getter.GetDefaultPath(scanInfo.PolicyIdentifier.Name + ".json")
+	}
+
+}
+func (scanInfo *ScanInfo) setGetter() {
+	if scanInfo.UseFrom != "" {
+		// load from file
+		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
+	} else {
+		scanInfo.PolicyGetter = getter.NewDownloadReleasedPolicy()
 	}
 }

@@ -114,29 +81,11 @@ func (scanInfo *ScanInfo) setOutputFile() {
 	}
 }

-func (scanInfo *ScanInfo) GetScanningEnvironment() string {
-	if len(scanInfo.InputPatterns) != 0 {
-		return ScanLocalFiles
-	}
-	return ScanCluster
+func (scanInfo *ScanInfo) ScanRunningCluster() bool {
+	return len(scanInfo.InputPatterns) == 0
 }

-func (scanInfo *ScanInfo) SetPolicyIdentifiers(policies []string, kind reporthandling.NotificationPolicyKind) {
-	for _, policy := range policies {
-		if !scanInfo.contains(policy) {
-			newPolicy := reporthandling.PolicyIdentifier{}
-			newPolicy.Kind = kind // reporthandling.KindFramework
-			newPolicy.Name = policy
-			scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-		}
-	}
-}
-
-func (scanInfo *ScanInfo) contains(policyName string) bool {
-	for _, policy := range scanInfo.PolicyIdentifier {
-		if policy.Name == policyName {
-			return true
-		}
-	}
-	return false
-}
+// func (scanInfo *ScanInfo) ConnectedToCluster(k8s k8sinterface.) bool {
+// 	_, err := k8s.KubernetesClient.CoreV1().Pods("").List(context.TODO(), metav1.ListOptions{})
+// 	return err == nil
+// }
--- a/cautils/versioncheck.go
+++ b/cautils/versioncheck.go
@@ -1,136 +0,0 @@
-package cautils
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"os"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	pkgutils "github.com/armosec/utils-go/utils"
-)
-
-const SKIP_VERSION_CHECK = "KUBESCAPE_SKIP_UPDATE_CHECK"
-
-var BuildNumber string
-
-const UnknownBuildNumber = "unknown"
-
-type IVersionCheckHandler interface {
-	CheckLatestVersion(*VersionCheckRequest) error
-}
-
-func NewIVersionCheckHandler() IVersionCheckHandler {
-	if BuildNumber == "" {
-		WarningDisplay(os.Stderr, "Warning: unknown build number, this might affect your scan results. Please make sure you are updated to latest version.\n")
-	}
-	if v, ok := os.LookupEnv(SKIP_VERSION_CHECK); ok && pkgutils.StringToBool(v) {
-		return NewVersionCheckHandlerMock()
-	}
-	return NewVersionCheckHandler()
-}
-
-type VersionCheckHandlerMock struct {
-}
-
-func NewVersionCheckHandlerMock() *VersionCheckHandlerMock {
-	return &VersionCheckHandlerMock{}
-}
-
-type VersionCheckHandler struct {
-	versionURL string
-}
-type VersionCheckRequest struct {
-	Client           string `json:"client"`           // kubescape
-	ClientVersion    string `json:"clientVersion"`    // kubescape version
-	Framework        string `json:"framework"`        // framework name
-	FrameworkVersion string `json:"frameworkVersion"` // framework version
-	ScanningTarget   string `json:"target"`           // scanning target- cluster/yaml
-}
-
-type VersionCheckResponse struct {
-	Client          string `json:"client"`          // kubescape
-	ClientUpdate    string `json:"clientUpdate"`    // kubescape latest version
-	Framework       string `json:"framework"`       // framework name
-	FrameworkUpdate string `json:"frameworkUpdate"` // framework latest version
-	Message         string `json:"message"`         // alert message
-}
-
-func NewVersionCheckHandler() *VersionCheckHandler {
-	return &VersionCheckHandler{
-		versionURL: "https://us-central1-elated-pottery-310110.cloudfunctions.net/ksgf1v1",
-	}
-}
-func NewVersionCheckRequest(buildNumber, frameworkName, frameworkVersion, scanningTarget string) *VersionCheckRequest {
-	if buildNumber == "" {
-		buildNumber = UnknownBuildNumber
-	}
-	if scanningTarget == "" {
-		scanningTarget = "unknown"
-	}
-	return &VersionCheckRequest{
-		Client:           "kubescape",
-		ClientVersion:    buildNumber,
-		Framework:        frameworkName,
-		FrameworkVersion: frameworkVersion,
-		ScanningTarget:   scanningTarget,
-	}
-}
-
-func (v *VersionCheckHandlerMock) CheckLatestVersion(versionData *VersionCheckRequest) error {
-	fmt.Println("Skipping version check")
-	return nil
-}
-
-func (v *VersionCheckHandler) CheckLatestVersion(versionData *VersionCheckRequest) error {
-	defer func() {
-		if err := recover(); err != nil {
-			WarningDisplay(os.Stderr, "failed to get latest version\n")
-		}
-	}()
-
-	latestVersion, err := v.getLatestVersion(versionData)
-	if err != nil || latestVersion == nil {
-		return fmt.Errorf("failed to get latest version")
-	}
-
-	if latestVersion.ClientUpdate != "" {
-		if BuildNumber != "" && BuildNumber < latestVersion.ClientUpdate {
-			WarningDisplay(os.Stderr, warningMessage(latestVersion.Client, latestVersion.ClientUpdate), "\n")
-		}
-	}
-
-	// TODO - Enable after supporting framework version
-	// if latestVersion.FrameworkUpdate != "" {
-	// 	fmt.Println(warningMessage(latestVersion.Framework, latestVersion.FrameworkUpdate))
-	// }
-
-	if latestVersion.Message != "" {
-		InfoDisplay(os.Stderr, latestVersion.Message, "\n")
-	}
-
-	return nil
-}
-
-func (v *VersionCheckHandler) getLatestVersion(versionData *VersionCheckRequest) (*VersionCheckResponse, error) {
-
-	reqBody, err := json.Marshal(*versionData)
-	if err != nil {
-		return nil, fmt.Errorf("in 'CheckLatestVersion' failed to json.Marshal, reason: %s", err.Error())
-	}
-
-	resp, err := getter.HttpPost(http.DefaultClient, v.versionURL, map[string]string{"Content-Type": "application/json"}, reqBody)
-	if err != nil {
-		return nil, err
-	}
-
-	vResp := &VersionCheckResponse{}
-	if err = getter.JSONDecoder(resp).Decode(vResp); err != nil {
-		return nil, err
-	}
-	return vResp, nil
-}
-
-func warningMessage(kind, release string) string {
-	return fmt.Sprintf("Warning: '%s' is not updated to the latest release: '%s'", kind, release)
-}
--- a/clihandler/cliinterfaces/submit.go
+++ b/clihandler/cliinterfaces/submit.go
@@ -1,19 +0,0 @@
-package cliinterfaces
-
-import (
-	"github.com/armosec/k8s-interface/workloadinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/resultshandling/reporter"
-	"github.com/armosec/opa-utils/reporthandling"
-)
-
-type ISubmitObjects interface {
-	SetResourcesReport() (*reporthandling.PostureReport, error)
-	ListAllResources() (map[string]workloadinterface.IMetadata, error)
-}
-
-type SubmitInterfaces struct {
-	SubmitObjects ISubmitObjects
-	Reporter      reporter.IReport
-	ClusterConfig cautils.ITenantConfig
-}
--- a/clihandler/cmd/control.go
+++ b/clihandler/cmd/control.go
@@ -1,104 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/spf13/cobra"
-)
-
-// controlCmd represents the control command
-var controlCmd = &cobra.Command{
-	Use:   "control <control names list>/<control ids list>.\nExamples:\n$ kubescape scan control C-0058,C-0057 [flags]\n$ kubescape scan contol C-0058 [flags]\n$ kubescape scan control 'privileged container,allowed hostpath' [flags]",
-	Short: fmt.Sprintf("The control you wish to use for scan. It must be present in at least one of the following frameworks: %s", getter.NativeFrameworks),
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) > 0 {
-			controls := strings.Split(args[0], ",")
-			if len(controls) > 1 {
-				if controls[1] == "" {
-					return fmt.Errorf("usage: <control-0>,<control-1>")
-				}
-			}
-		} else {
-			return fmt.Errorf("requires at least one control name")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		flagValidationControl()
-		scanInfo.PolicyIdentifier = []reporthandling.PolicyIdentifier{}
-
-		if len(args) == 0 {
-			scanInfo.SetPolicyIdentifiers(getter.NativeFrameworks, reporthandling.KindFramework)
-			scanInfo.ScanAll = true
-		} else { // expected control or list of control sepparated by ","
-
-			// Read controls from input args
-			scanInfo.SetPolicyIdentifiers(strings.Split(args[0], ","), reporthandling.KindControl)
-
-			if len(args) > 1 {
-				if len(args[1:]) == 0 || args[1] != "-" {
-					scanInfo.InputPatterns = args[1:]
-				} else { // store stdin to file - do NOT move to separate function !!
-					tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
-					if err != nil {
-						return err
-					}
-					defer os.Remove(tempFile.Name())
-
-					if _, err := io.Copy(tempFile, os.Stdin); err != nil {
-						return err
-					}
-					scanInfo.InputPatterns = []string{tempFile.Name()}
-				}
-			}
-		}
-
-		scanInfo.FrameworkScan = false
-		scanInfo.Init()
-		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.ScanCliSetup(&scanInfo)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func init() {
-	scanInfo = cautils.ScanInfo{}
-	scanCmd.AddCommand(controlCmd)
-}
-
-func flagValidationControl() {
-	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
-	}
-}
-
-func setScanForFirstControl(controls []string) []reporthandling.PolicyIdentifier {
-	newPolicy := reporthandling.PolicyIdentifier{}
-	newPolicy.Kind = reporthandling.KindControl
-	newPolicy.Name = controls[0]
-	scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	return scanInfo.PolicyIdentifier
-}
-
-func SetScanForGivenControls(controls []string) []reporthandling.PolicyIdentifier {
-	for _, control := range controls {
-		control := strings.TrimLeft(control, " ")
-		newPolicy := reporthandling.PolicyIdentifier{}
-		newPolicy.Kind = reporthandling.KindControl
-		newPolicy.Name = control
-		scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-	}
-	return scanInfo.PolicyIdentifier
-}
--- a/clihandler/cmd/download.go
+++ b/clihandler/cmd/download.go
@@ -1,95 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var downloadInfo cautils.DownloadInfo
-
-var downloadCmd = &cobra.Command{
-	Use:   fmt.Sprintf("download framework/control <framework-name>/<control-name> [flags]\nSupported frameworks: %s", getter.NativeFrameworks),
-	Short: "Download framework/control",
-	Long:  ``,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) != 2 {
-			return fmt.Errorf("requires two arguments : framework/control <framework-name>/<control-name>")
-		}
-		if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-			return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		if err := download(args); err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(downloadCmd)
-	downloadInfo = cautils.DownloadInfo{}
-	downloadCmd.Flags().StringVarP(&downloadInfo.Path, "output", "o", "", "Output file. If specified, will store save to `~/.kubescape/<framework name>.json`")
-}
-
-func download(args []string) error {
-	switch strings.ToLower(args[0]) {
-	case "framework":
-		return downloadFramework(args[1])
-	case "control":
-		return downloadControl(args[1])
-	// case "exceptions":
-	// case "artifacts":
-	default:
-		return fmt.Errorf("unknown command to download")
-	}
-}
-
-func downloadFramework(frameworkName string) error {
-	downloadInfo.FrameworkName = strings.ToLower(frameworkName)
-	g := getter.NewDownloadReleasedPolicy()
-	if err := g.SetRegoObjects(); err != nil {
-		return err
-	}
-
-	if downloadInfo.Path == "" {
-		downloadInfo.Path = getter.GetDefaultPath(downloadInfo.FrameworkName + ".json")
-	}
-	frameworks, err := g.GetFramework(downloadInfo.FrameworkName)
-	if err != nil {
-		return err
-	}
-	err = getter.SaveFrameworkInFile(frameworks, downloadInfo.Path)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func downloadControl(controlName string) error {
-	downloadInfo.ControlName = strings.ToLower(controlName)
-	g := getter.NewDownloadReleasedPolicy()
-	if err := g.SetRegoObjects(); err != nil {
-		return err
-	}
-	if downloadInfo.Path == "" {
-		downloadInfo.Path = getter.GetDefaultPath(downloadInfo.ControlName + ".json")
-	}
-	controls, err := g.GetControl(downloadInfo.ControlName)
-	if err != nil {
-		return err
-	}
-	err = getter.SaveControlInFile(controls, downloadInfo.Path)
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/clihandler/cmd/framework.go
+++ b/clihandler/cmd/framework.go
@@ -1,123 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/spf13/cobra"
-)
-
-var (
-	frameworkExample = `
-  # Scan all frameworks and submit the results
-  kubescape scan --submit
-  
-  # Scan the NSA framework
-  kubescape scan framework nsa
-  
-  # Scan the NSA and MITRE framework
-  kubescape scan framework nsa,mitre
-  
-  # Scan kubernetes YAML manifest files
-  kubescape scan framework nsa *.yaml
-
-  # Scan and save the results in the JSON format
-  kubescape scan --format json --output results.json
-
-  # Save scan results in JSON format
-  kubescape scan --format json --output results.json
-
-  # Display all resources
-  kubescape scan --verbose
-`
-)
-var frameworkCmd = &cobra.Command{
-	Use:       "framework <framework names list> [`<glob pattern>`/`-`] [flags]",
-	Short:     fmt.Sprintf("The framework you wish to use. Supported frameworks: %s", strings.Join(getter.NativeFrameworks, ", ")),
-	Example:   frameworkExample,
-	Long:      "Execute a scan on a running Kubernetes cluster or `yaml`/`json` files (use glob) or `-` for stdin",
-	ValidArgs: getter.NativeFrameworks,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) > 0 {
-			frameworks := strings.Split(args[0], ",")
-			if len(frameworks) > 1 {
-				if frameworks[1] == "" {
-					return fmt.Errorf("usage: <framework-0>,<framework-1>")
-				}
-			}
-		} else {
-			return fmt.Errorf("requires at least one framework name")
-		}
-		return nil
-	},
-	RunE: func(cmd *cobra.Command, args []string) error {
-		flagValidationFramework()
-		var frameworks []string
-
-		if len(args) == 0 { // scan all frameworks
-			frameworks = getter.NativeFrameworks
-			scanInfo.ScanAll = true
-		} else {
-			// Read frameworks from input args
-			frameworks = strings.Split(args[0], ",")
-
-			if len(args) > 1 {
-				if len(args[1:]) == 0 || args[1] != "-" {
-					scanInfo.InputPatterns = args[1:]
-				} else { // store stdin to file - do NOT move to separate function !!
-					tempFile, err := os.CreateTemp(".", "tmp-kubescape*.yaml")
-					if err != nil {
-						return err
-					}
-					defer os.Remove(tempFile.Name())
-
-					if _, err := io.Copy(tempFile, os.Stdin); err != nil {
-						return err
-					}
-					scanInfo.InputPatterns = []string{tempFile.Name()}
-				}
-			}
-		}
-		scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
-
-		scanInfo.Init()
-		cautils.SetSilentMode(scanInfo.Silent)
-		err := clihandler.ScanCliSetup(&scanInfo)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n\n", err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func init() {
-	scanCmd.AddCommand(frameworkCmd)
-	scanInfo = cautils.ScanInfo{}
-	scanInfo.FrameworkScan = true
-}
-
-// func SetScanForFirstFramework(frameworks []string) []reporthandling.PolicyIdentifier {
-// 	newPolicy := reporthandling.PolicyIdentifier{}
-// 	newPolicy.Kind = reporthandling.KindFramework
-// 	newPolicy.Name = frameworks[0]
-// 	scanInfo.PolicyIdentifier = append(scanInfo.PolicyIdentifier, newPolicy)
-// 	return scanInfo.PolicyIdentifier
-// }
-
-func flagValidationFramework() {
-	if scanInfo.Submit && scanInfo.Local {
-		fmt.Println("You can use `keep-local` or `submit`, but not both")
-		os.Exit(1)
-	}
-	if 100 < scanInfo.FailThreshold {
-		fmt.Println("bad argument: out of range threshold")
-		os.Exit(1)
-	}
-}
--- a/clihandler/cmd/rbac.go
+++ b/clihandler/cmd/rbac.go
@@ -1,53 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/kubescape/clihandler/cliinterfaces"
-	reporterv1 "github.com/armosec/kubescape/resultshandling/reporter/v1"
-	"github.com/armosec/rbac-utils/rbacscanner"
-	"github.com/spf13/cobra"
-)
-
-// rabcCmd represents the RBAC command
-var rabcCmd = &cobra.Command{
-	Use:   "rbac \nExample:\n$ kubescape submit rbac",
-	Short: "Submit cluster's Role-Based Access Control(RBAC)",
-	Long:  ``,
-	RunE: func(cmd *cobra.Command, args []string) error {
-
-		k8s := k8sinterface.NewKubernetesApi()
-
-		// get config
-		clusterConfig, err := getSubmittedClusterConfig(k8s)
-		if err != nil {
-			return err
-		}
-
-		// list RBAC
-		rbacObjects := cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, clusterConfig.GetCustomerGUID(), clusterConfig.GetClusterName()))
-
-		// submit resources
-		r := reporterv1.NewReportEventReceiver(clusterConfig.GetConfigObj())
-
-		submitInterfaces := cliinterfaces.SubmitInterfaces{
-			ClusterConfig: clusterConfig,
-			SubmitObjects: rbacObjects,
-			Reporter:      r,
-		}
-
-		if err := clihandler.Submit(submitInterfaces); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func init() {
-	submitCmd.AddCommand(rabcCmd)
-}
--- a/clihandler/cmd/results.go
+++ b/clihandler/cmd/results.go
@@ -1,107 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/k8s-interface/workloadinterface"
-	"github.com/armosec/kubescape/clihandler"
-	"github.com/armosec/kubescape/clihandler/cliinterfaces"
-	reporterv1 "github.com/armosec/kubescape/resultshandling/reporter/v1"
-	"github.com/armosec/opa-utils/reporthandling"
-	uuid "github.com/satori/go.uuid"
-	"github.com/spf13/cobra"
-)
-
-type ResultsObject struct {
-	filePath     string
-	customerGUID string
-	clusterName  string
-}
-
-func NewResultsObject(customerGUID, clusterName, filePath string) *ResultsObject {
-	return &ResultsObject{
-		filePath:     filePath,
-		customerGUID: customerGUID,
-		clusterName:  clusterName,
-	}
-}
-
-func (resultsObject *ResultsObject) SetResourcesReport() (*reporthandling.PostureReport, error) {
-	// load framework results from json file
-	frameworkReports, err := loadResultsFromFile(resultsObject.filePath)
-	if err != nil {
-		return nil, err
-	}
-
-	return &reporthandling.PostureReport{
-		FrameworkReports:     frameworkReports,
-		ReportID:             uuid.NewV4().String(),
-		ReportGenerationTime: time.Now().UTC(),
-		CustomerGUID:         resultsObject.customerGUID,
-		ClusterName:          resultsObject.clusterName,
-	}, nil
-}
-
-func (resultsObject *ResultsObject) ListAllResources() (map[string]workloadinterface.IMetadata, error) {
-	return map[string]workloadinterface.IMetadata{}, nil
-}
-
-var resultsCmd = &cobra.Command{
-	Use:   "results <json file>\nExample:\n$ kubescape submit results path/to/results.json",
-	Short: "Submit a pre scanned results file. The file must be in json format",
-	Long:  ``,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		if len(args) == 0 {
-			return fmt.Errorf("missing results file")
-		}
-
-		k8s := k8sinterface.NewKubernetesApi()
-
-		// get config
-		clusterConfig, err := getSubmittedClusterConfig(k8s)
-		if err != nil {
-			return err
-		}
-
-		resultsObjects := NewResultsObject(clusterConfig.GetCustomerGUID(), clusterConfig.GetClusterName(), args[0])
-
-		// submit resources
-		r := reporterv1.NewReportEventReceiver(clusterConfig.GetConfigObj())
-
-		submitInterfaces := cliinterfaces.SubmitInterfaces{
-			ClusterConfig: clusterConfig,
-			SubmitObjects: resultsObjects,
-			Reporter:      r,
-		}
-
-		if err := clihandler.Submit(submitInterfaces); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-		return nil
-	},
-}
-
-func init() {
-	submitCmd.AddCommand(resultsCmd)
-}
-
-func loadResultsFromFile(filePath string) ([]reporthandling.FrameworkReport, error) {
-	frameworkReports := []reporthandling.FrameworkReport{}
-	f, err := os.ReadFile(filePath)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(f, &frameworkReports); err != nil {
-		frameworkReport := reporthandling.FrameworkReport{}
-		if err = json.Unmarshal(f, &frameworkReport); err != nil {
-			return frameworkReports, err
-		}
-		frameworkReports = append(frameworkReports, frameworkReport)
-	}
-	return frameworkReports, nil
-}
--- a/clihandler/cmd/root.go
+++ b/clihandler/cmd/root.go
@@ -1,69 +0,0 @@
-package cmd
-
-import (
-	"flag"
-	"os"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/golang/glog"
-	"github.com/spf13/cobra"
-)
-
-var cfgFile string
-var armoBEURLs = ""
-
-const envFlagUsage = "Send report results to specific URL. Format:<ReportReceiver>,<Backend>,<Frontend>.\n\t\tExample:report.armo.cloud,api.armo.cloud,portal.armo.cloud"
-
-var rootCmd = &cobra.Command{
-	Use:   "kubescape",
-	Short: "Kubescape is a tool for testing Kubernetes security posture",
-	Long:  `Kubescape is a tool for testing Kubernetes security posture based on NSA \ MITRE ATT&CK® specifications.`,
-	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-		flag.Parse()
-		InitArmoBEConnector()
-		return nil
-	},
-}
-
-func Execute() {
-	rootCmd.Execute()
-}
-
-func init() {
-	rootCmd.PersistentFlags().StringVarP(&scanInfo.Account, "account", "", "", "Armo portal account ID. Default will load account ID from configMap or config file")
-	flag.CommandLine.StringVar(&armoBEURLs, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().StringVar(&armoBEURLs, "environment", "", envFlagUsage)
-	rootCmd.PersistentFlags().MarkHidden("environment")
-	cobra.OnInitialize(initConfig)
-
-}
-
-// initConfig reads in config file and ENV variables if set.
-func initConfig() {
-}
-
-func InitArmoBEConnector() {
-	urlSlices := strings.Split(armoBEURLs, ",")
-	if len(urlSlices) > 3 {
-		glog.Errorf("Too many URLs")
-		os.Exit(1)
-	}
-	switch len(urlSlices) {
-	case 1:
-		switch urlSlices[0] {
-		case "dev":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIDev())
-		case "":
-			getter.SetARMOAPIConnector(getter.NewARMOAPIProd())
-		default:
-			glog.Errorf("--environment flag usage: %s", envFlagUsage)
-			os.Exit(1)
-		}
-	case 2:
-		glog.Errorf("--environment flag usage: %s", envFlagUsage)
-		os.Exit(1)
-	case 3:
-		getter.SetARMOAPIConnector(getter.NewARMOAPICustomized(urlSlices[0], urlSlices[1], urlSlices[2]))
-	}
-}
--- a/clihandler/cmd/scan.go
+++ b/clihandler/cmd/scan.go
@@ -1,56 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var scanInfo cautils.ScanInfo
-
-// scanCmd represents the scan command
-var scanCmd = &cobra.Command{
-	Use:   "scan <command>",
-	Short: "Scan the current running cluster or yaml files",
-	Long:  `The action you want to perform`,
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) > 0 {
-			if !strings.EqualFold(args[0], "framework") && !strings.EqualFold(args[0], "control") {
-				return fmt.Errorf("invalid parameter '%s'. Supported parameters: framework, control", args[0])
-			}
-		}
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		if len(args) == 0 {
-			scanInfo.ScanAll = true
-			frameworks := getter.NativeFrameworks
-			frameworkArgs := []string{strings.Join(frameworks, ",")}
-			frameworkCmd.RunE(cmd, frameworkArgs)
-		}
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(scanCmd)
-	scanCmd.PersistentFlags().StringVar(&scanInfo.ControlsInputs, "controls-config", "", "Path to an controls-config obj. If not set will download controls-config from ARMO management portal")
-	scanCmd.PersistentFlags().StringVar(&scanInfo.UseExceptions, "exceptions", "", "Path to an exceptions obj. If not set will download exceptions from ARMO management portal")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from scanning. Recommended: kube-system,kube-public")
-	scanCmd.PersistentFlags().Uint16VarP(&scanInfo.FailThreshold, "fail-threshold", "t", 100, "Failure threshold is the percent above which the command fails and returns exit code 1")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. Supported formats: "pretty-printer"/"json"/"junit"/"prometheus"`)
-	scanCmd.PersistentFlags().StringVar(&scanInfo.IncludeNamespaces, "include-namespaces", "", "scan specific namespaces. e.g: --include-namespaces ns-a,ns-b")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Local, "keep-local", "", false, "If you do not want your Kubescape results reported to Armo backend. Use this flag if you ran with the '--submit' flag in the past and you do not want to submit your current scan results")
-	scanCmd.PersistentFlags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. Print output to file and not stdout")
-	scanCmd.PersistentFlags().BoolVar(&scanInfo.VerboseMode, "verbose", false, "Display all of the input resources and not only failed resources")
-	scanCmd.PersistentFlags().BoolVar(&scanInfo.UseDefault, "use-default", false, "Load local policy object from default path. If not used will download latest")
-	scanCmd.PersistentFlags().StringSliceVar(&scanInfo.UseFrom, "use-from", nil, "Load local policy object from specified path. If not used will download latest")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
-	scanCmd.PersistentFlags().BoolVarP(&scanInfo.Submit, "submit", "", false, "Send the scan results to Armo management portal where you can see the results in a user-friendly UI, choose your preferred compliance framework, check risk results history and trends, manage exceptions, get remediation recommendations and much more. By default the results are not submitted")
-
-	hostF := scanCmd.PersistentFlags().VarPF(&scanInfo.HostSensor, "enable-host-scan", "", "Deploy ARMO K8s host-sensor daemonset in the scanned cluster. Deleting it right after we collecting the data. Required to collect valueable data from cluster nodes for certain controls")
-	hostF.NoOptDefVal = "true"
-	hostF.DefValue = "false, for no TTY in stdin"
-}
--- a/clihandler/cmd/submit.go
+++ b/clihandler/cmd/submit.go
@@ -1,31 +0,0 @@
-package cmd
-
-import (
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/spf13/cobra"
-)
-
-var submitCmd = &cobra.Command{
-	Use:   "submit <command>",
-	Short: "Submit an object to the Kubescape SaaS version",
-	Long:  ``,
-	Run: func(cmd *cobra.Command, args []string) {
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(submitCmd)
-}
-
-func getSubmittedClusterConfig(k8s *k8sinterface.KubernetesApi) (*cautils.ClusterConfig, error) {
-	clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account) // TODO - support none cluster env submit
-	if clusterConfig.GetCustomerGUID() != "" {
-		if err := clusterConfig.SetTenant(); err != nil {
-			return clusterConfig, err
-		}
-	}
-
-	return clusterConfig, nil
-}
--- a/clihandler/cmd/version.go
+++ b/clihandler/cmd/version.go
@@ -1,24 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-
-	"github.com/armosec/kubescape/cautils"
-	"github.com/spf13/cobra"
-)
-
-var versionCmd = &cobra.Command{
-	Use:   "version",
-	Short: "Get current version",
-	Long:  ``,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		v := cautils.NewIVersionCheckHandler()
-		v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
-		fmt.Println("Your current version is: " + cautils.BuildNumber)
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(versionCmd)
-}
--- a/clihandler/initcli.go
+++ b/clihandler/initcli.go
@@ -1,198 +0,0 @@
-package clihandler
-
-import (
-	"fmt"
-	"io/fs"
-	"os"
-
-	"github.com/armosec/kubescape/resultshandling/printer"
-	printerv1 "github.com/armosec/kubescape/resultshandling/printer/v1"
-
-	// printerv2 "github.com/armosec/kubescape/resultshandling/printer/v2"
-
-	"github.com/armosec/armoapi-go/armotypes"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/clihandler/cliinterfaces"
-	"github.com/armosec/kubescape/hostsensorutils"
-	"github.com/armosec/kubescape/opaprocessor"
-	"github.com/armosec/kubescape/policyhandler"
-	"github.com/armosec/kubescape/resourcehandler"
-	"github.com/armosec/kubescape/resultshandling"
-	"github.com/armosec/kubescape/resultshandling/reporter"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/mattn/go-isatty"
-)
-
-type componentInterfaces struct {
-	tenantConfig      cautils.ITenantConfig
-	resourceHandler   resourcehandler.IResourceHandler
-	report            reporter.IReport
-	printerHandler    printer.IPrinter
-	hostSensorHandler hostsensorutils.IHostSensor
-}
-
-func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
-
-	k8s := getKubernetesApi(scanInfo)
-
-	tenantConfig := getTenantConfig(scanInfo, k8s)
-
-	// Set submit behavior AFTER loading tenant config
-	setSubmitBehavior(scanInfo, tenantConfig)
-
-	hostSensorHandler := getHostSensorHandler(scanInfo, k8s)
-	if err := hostSensorHandler.Init(); err != nil {
-		errMsg := "failed to init host sensor"
-		if scanInfo.VerboseMode {
-			errMsg = fmt.Sprintf("%s: %v", errMsg, err)
-		}
-		cautils.ErrorDisplay(errMsg)
-		hostSensorHandler = &hostsensorutils.HostSensorHandlerMock{}
-	}
-	// excluding hostsensor namespace
-	if len(scanInfo.IncludeNamespaces) == 0 && hostSensorHandler.GetNamespace() != "" {
-		scanInfo.ExcludedNamespaces = fmt.Sprintf("%s,%s", scanInfo.ExcludedNamespaces, hostSensorHandler.GetNamespace())
-	}
-
-	resourceHandler := getResourceHandler(scanInfo, tenantConfig, k8s, hostSensorHandler)
-
-	// reporting behavior - setup reporter
-	reportHandler := getReporter(tenantConfig, scanInfo.Submit)
-
-	v := cautils.NewIVersionCheckHandler()
-	v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, policyIdentifierNames(scanInfo.PolicyIdentifier), "", scanInfo.GetScanningEnvironment()))
-
-	// setup printer
-	printerHandler := printerv1.GetPrinter(scanInfo.Format, scanInfo.VerboseMode)
-	// printerHandler = printerv2.GetPrinter(scanInfo.Format, scanInfo.VerboseMode)
-	printerHandler.SetWriter(scanInfo.Output)
-
-	return componentInterfaces{
-		tenantConfig:      tenantConfig,
-		resourceHandler:   resourceHandler,
-		report:            reportHandler,
-		printerHandler:    printerHandler,
-		hostSensorHandler: hostSensorHandler,
-	}
-}
-
-func ScanCliSetup(scanInfo *cautils.ScanInfo) error {
-	cautils.ScanStartDisplay()
-
-	interfaces := getInterfaces(scanInfo)
-	// setPolicyGetter(scanInfo, interfaces.clusterConfig.GetCustomerGUID())
-
-	processNotification := make(chan *cautils.OPASessionObj)
-	reportResults := make(chan *cautils.OPASessionObj)
-
-	cautils.ClusterName = interfaces.tenantConfig.GetClusterName()   // TODO - Deprecated
-	cautils.CustomerGUID = interfaces.tenantConfig.GetCustomerGUID() // TODO - Deprecated
-	interfaces.report.SetClusterName(interfaces.tenantConfig.GetClusterName())
-	interfaces.report.SetCustomerGUID(interfaces.tenantConfig.GetCustomerGUID())
-
-	downloadReleasedPolicy := getter.NewDownloadReleasedPolicy() // download config inputs from github release
-	// set policy getter only after setting the customerGUID
-	setPolicyGetter(scanInfo, interfaces.tenantConfig.GetCustomerGUID(), downloadReleasedPolicy)
-	setConfigInputsGetter(scanInfo, interfaces.tenantConfig.GetCustomerGUID(), downloadReleasedPolicy)
-
-	defer func() {
-		if err := interfaces.hostSensorHandler.TearDown(); err != nil {
-			errMsg := "failed to tear down host sensor"
-			if scanInfo.VerboseMode {
-				errMsg = fmt.Sprintf("%s: %v", errMsg, err)
-			}
-			cautils.ErrorDisplay(errMsg)
-		}
-	}()
-
-	// cli handler setup
-	go func() {
-		// policy handler setup
-		policyHandler := policyhandler.NewPolicyHandler(&processNotification, interfaces.resourceHandler)
-
-		if err := Scan(policyHandler, scanInfo); err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-	}()
-
-	// processor setup - rego run
-	go func() {
-		opaprocessorObj := opaprocessor.NewOPAProcessorHandler(&processNotification, &reportResults)
-		opaprocessorObj.ProcessRulesListenner()
-	}()
-
-	resultsHandling := resultshandling.NewResultsHandler(&reportResults, interfaces.report, interfaces.printerHandler)
-	score := resultsHandling.HandleResults(scanInfo)
-
-	// print report url
-	interfaces.report.DisplayReportURL()
-
-	if score >= float32(scanInfo.FailThreshold) {
-		return fmt.Errorf("scan risk-score %.2f is above permitted threshold %d", score, scanInfo.FailThreshold)
-	}
-
-	return nil
-}
-
-func Scan(policyHandler *policyhandler.PolicyHandler, scanInfo *cautils.ScanInfo) error {
-	policyNotification := &reporthandling.PolicyNotification{
-		NotificationType: reporthandling.TypeExecPostureScan,
-		Rules:            scanInfo.PolicyIdentifier,
-		Designators:      armotypes.PortalDesignator{},
-	}
-	switch policyNotification.NotificationType {
-	case reporthandling.TypeExecPostureScan:
-		if err := policyHandler.HandleNotificationRequest(policyNotification, scanInfo); err != nil {
-			return err
-		}
-
-	default:
-		return fmt.Errorf("notification type '%s' Unknown", policyNotification.NotificationType)
-	}
-	return nil
-}
-
-func Submit(submitInterfaces cliinterfaces.SubmitInterfaces) error {
-
-	// list resources
-	postureReport, err := submitInterfaces.SubmitObjects.SetResourcesReport()
-	if err != nil {
-		return err
-	}
-	allresources, err := submitInterfaces.SubmitObjects.ListAllResources()
-	if err != nil {
-		return err
-	}
-	// report
-	if err := submitInterfaces.Reporter.ActionSendReport(&cautils.OPASessionObj{PostureReport: postureReport, AllResources: allresources}); err != nil {
-		return err
-	}
-	fmt.Printf("\nData has been submitted successfully")
-	submitInterfaces.Reporter.DisplayReportURL()
-
-	return nil
-}
-
-func askUserForHostSensor() bool {
-	return false
-
-	if !isatty.IsTerminal(os.Stdin.Fd()) {
-		return false
-	}
-	if ssss, err := os.Stdin.Stat(); err == nil {
-		// fmt.Printf("Found stdin type: %s\n", ssss.Mode().Type())
-		if ssss.Mode().Type()&(fs.ModeDevice|fs.ModeCharDevice) > 0 { //has TTY
-			fmt.Printf("Would you like to scan K8s nodes? [y/N]. This is required to collect valuable data for certain controls\n")
-			fmt.Printf("Use --enable-host-scan flag to suppress this message\n")
-			var b []byte = make([]byte, 1)
-			if n, err := os.Stdin.Read(b); err == nil {
-				if n > 0 && len(b) > 0 && (b[0] == 'y' || b[0] == 'Y') {
-					return true
-				}
-			}
-		}
-	}
-	return false
-}
--- a/clihandler/initcliutils.go
+++ b/clihandler/initcliutils.go
@@ -1,196 +0,0 @@
-package clihandler
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/armosec/k8s-interface/k8sinterface"
-	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/getter"
-	"github.com/armosec/kubescape/hostsensorutils"
-	"github.com/armosec/kubescape/resourcehandler"
-	"github.com/armosec/kubescape/resultshandling/reporter"
-	reporterv1 "github.com/armosec/kubescape/resultshandling/reporter/v1"
-	"github.com/armosec/opa-utils/reporthandling"
-	"github.com/armosec/rbac-utils/rbacscanner"
-	"github.com/golang/glog"
-	// reporterv2 "github.com/armosec/kubescape/resultshandling/reporter/v2"
-)
-
-func getKubernetesApi(scanInfo *cautils.ScanInfo) *k8sinterface.KubernetesApi {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
-		return nil
-	}
-	return k8sinterface.NewKubernetesApi()
-}
-func getTenantConfig(scanInfo *cautils.ScanInfo, k8s *k8sinterface.KubernetesApi) cautils.ITenantConfig {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
-		return cautils.NewLocalConfig(getter.GetArmoAPIConnector(), scanInfo.Account)
-	}
-	return cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
-}
-
-func getRBACHandler(tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, submit bool) *cautils.RBACObjects {
-	if submit {
-		return cautils.NewRBACObjects(rbacscanner.NewRbacScannerFromK8sAPI(k8s, tenantConfig.GetCustomerGUID(), tenantConfig.GetClusterName()))
-	}
-	return nil
-}
-
-func getReporter(tenantConfig cautils.ITenantConfig, submit bool) reporter.IReport {
-	if submit {
-		return reporterv1.NewReportEventReceiver(tenantConfig.GetConfigObj())
-	}
-	return reporterv1.NewReportMock()
-}
-func getResourceHandler(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig, k8s *k8sinterface.KubernetesApi, hostSensorHandler hostsensorutils.IHostSensor) resourcehandler.IResourceHandler {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
-		return resourcehandler.NewFileResourceHandler(scanInfo.InputPatterns)
-	}
-	rbacObjects := getRBACHandler(tenantConfig, k8s, scanInfo.Submit)
-	return resourcehandler.NewK8sResourceHandler(k8s, getFieldSelector(scanInfo), hostSensorHandler, rbacObjects)
-}
-
-func getHostSensorHandler(scanInfo *cautils.ScanInfo, k8s *k8sinterface.KubernetesApi) hostsensorutils.IHostSensor {
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
-		return &hostsensorutils.HostSensorHandlerMock{}
-	}
-	hasHostSensorControls := true
-	// we need to determined which controls needs host sensor
-	if scanInfo.HostSensor.Get() == nil && hasHostSensorControls {
-		scanInfo.HostSensor.SetBool(askUserForHostSensor())
-	}
-	if hostSensorVal := scanInfo.HostSensor.Get(); hostSensorVal != nil && *hostSensorVal {
-		hostSensorHandler, err := hostsensorutils.NewHostSensorHandler(k8s)
-		if err != nil || hostSensorHandler == nil {
-			glog.Errorf("failed to create host sensor: %v", err)
-			return &hostsensorutils.HostSensorHandlerMock{}
-		}
-		return hostSensorHandler
-	}
-	return &hostsensorutils.HostSensorHandlerMock{}
-}
-func getFieldSelector(scanInfo *cautils.ScanInfo) resourcehandler.IFieldSelector {
-	if scanInfo.IncludeNamespaces != "" {
-		return resourcehandler.NewIncludeSelector(scanInfo.IncludeNamespaces)
-	}
-	if scanInfo.ExcludedNamespaces != "" {
-		return resourcehandler.NewExcludeSelector(scanInfo.ExcludedNamespaces)
-	}
-
-	return &resourcehandler.EmptySelector{}
-}
-
-func policyIdentifierNames(pi []reporthandling.PolicyIdentifier) string {
-	policiesNames := ""
-	for i := range pi {
-		policiesNames += pi[i].Name
-		if i+1 < len(pi) {
-			policiesNames += ","
-		}
-	}
-	if policiesNames == "" {
-		policiesNames = "all"
-	}
-	return policiesNames
-}
-
-// setSubmitBehavior - Setup the desired cluster behavior regarding submittion to the Armo BE
-func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantConfig) {
-
-	/*
-
-		If "First run (local config not found)" -
-			Default/keep-local - Do not send report
-			Submit - Create tenant & Submit report
-
-		If "Submitted" -
-			keep-local - Do not send report
-			Default/Submit - Submit report
-
-	*/
-
-	// do not submit control scanning
-	if !scanInfo.FrameworkScan {
-		scanInfo.Submit = false
-		return
-	}
-
-	// do not submit yaml/url scanning
-	if scanInfo.GetScanningEnvironment() == cautils.ScanLocalFiles {
-		scanInfo.Submit = false
-		return
-	}
-
-	if tenantConfig.IsConfigFound() { // config found in cache (submitted)
-		if !scanInfo.Local {
-			// Submit report
-			scanInfo.Submit = true
-		}
-	} else { // config not found in cache (not submitted)
-		if scanInfo.Submit {
-			// submit - Create tenant & Submit report
-			if err := tenantConfig.SetTenant(); err != nil {
-				fmt.Println(err)
-			}
-		}
-	}
-}
-
-// setPolicyGetter set the policy getter - local file/github release/ArmoAPI
-func setPolicyGetter(scanInfo *cautils.ScanInfo, customerGUID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) {
-	if len(scanInfo.UseFrom) > 0 {
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(scanInfo.UseFrom)
-	} else {
-		if customerGUID == "" || !scanInfo.FrameworkScan {
-			setDownloadReleasedPolicy(scanInfo, downloadReleasedPolicy)
-		} else {
-			setGetArmoAPIConnector(scanInfo, customerGUID)
-		}
-	}
-}
-
-// setConfigInputsGetter sets the config input getter - local file/github release/ArmoAPI
-func setConfigInputsGetter(scanInfo *cautils.ScanInfo, customerGUID string, downloadReleasedPolicy *getter.DownloadReleasedPolicy) {
-	if len(scanInfo.ControlsInputs) > 0 {
-		scanInfo.Getters.ControlsInputsGetter = getter.NewLoadPolicy([]string{scanInfo.ControlsInputs})
-	} else {
-		if customerGUID != "" {
-			scanInfo.Getters.ControlsInputsGetter = getter.GetArmoAPIConnector()
-		} else {
-			if err := downloadReleasedPolicy.SetRegoObjects(); err != nil { // if failed to pull config inputs, fallback to BE
-				cautils.WarningDisplay(os.Stderr, "Warning: failed to get config inputs from github release, this may affect the scanning results\n")
-			}
-			scanInfo.Getters.ControlsInputsGetter = downloadReleasedPolicy
-		}
-	}
-}
-
-func setDownloadReleasedPolicy(scanInfo *cautils.ScanInfo, downloadReleasedPolicy *getter.DownloadReleasedPolicy) {
-	if err := downloadReleasedPolicy.SetRegoObjects(); err != nil { // if failed to pull policy, fallback to cache
-		cautils.WarningDisplay(os.Stderr, "Warning: failed to get policies from github release, loading policies from cache\n")
-		scanInfo.PolicyGetter = getter.NewLoadPolicy(getDefaultFrameworksPaths())
-	} else {
-		scanInfo.PolicyGetter = downloadReleasedPolicy
-	}
-}
-func setGetArmoAPIConnector(scanInfo *cautils.ScanInfo, customerGUID string) {
-	g := getter.GetArmoAPIConnector() // download policy from ARMO backend
-	g.SetCustomerGUID(customerGUID)
-	scanInfo.PolicyGetter = g
-	if scanInfo.ScanAll {
-		frameworks, err := g.ListCustomFrameworks(customerGUID)
-		if err != nil {
-			glog.Error("failed to get custom frameworks") // handle error
-			return
-		}
-		scanInfo.SetPolicyIdentifiers(frameworks, reporthandling.KindFramework)
-	}
-}
-func getDefaultFrameworksPaths() []string {
-	fwPaths := []string{}
-	for i := range getter.NativeFrameworks {
-		fwPaths = append(fwPaths, getter.GetDefaultPath(getter.NativeFrameworks[i]))
-	}
-	return fwPaths
-}
--- a/clihandler/cmd/cluster.go
+++ b/clihandler/cmd/cluster.go
--- a/clihandler/cmd/cluster_get.go
+++ b/clihandler/cmd/cluster_get.go
@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"strings"

-	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
 	"github.com/spf13/cobra"
 )

@@ -14,7 +14,7 @@ var getCmd = &cobra.Command{
 	Use:       "get <key>",
 	Short:     "Get configuration in cluster",
 	Long:      ``,
-	ValidArgs: getter.NativeFrameworks,
+	ValidArgs: supportedFrameworks,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 || len(args) > 1 {
 			return fmt.Errorf("requires  one argument")
@@ -31,7 +31,7 @@ var getCmd = &cobra.Command{
 		key := keyValue[0]

 		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.NewArmoAPI())
 		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
 		if err != nil {
 			if err.Error() == "value does not exist." {
--- a/clihandler/cmd/cluster_set.go
+++ b/clihandler/cmd/cluster_set.go
@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"strings"

-	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/k8sinterface"
 	"github.com/spf13/cobra"
 )

@@ -30,7 +30,7 @@ var setCmd = &cobra.Command{
 		data := keyValue[1]

 		k8s := k8sinterface.NewKubernetesApi()
-		clusterConfig := cautils.NewClusterConfig(k8s, getter.GetArmoAPIConnector(), scanInfo.Account)
+		clusterConfig := cautils.NewClusterConfig(k8s, getter.NewArmoAPI())
 		if err := clusterConfig.SetKeyValueInConfigmap(key, data); err != nil {
 			return err
 		}
--- a/clihandler/cmd/config.go
+++ b/clihandler/cmd/config.go
--- a/Show More
+++ b/Show More