Compare commits


8 Commits

Author SHA1 Message Date
dwertent
222b154505 store file locally 2021-08-31 17:08:02 +03:00
dwertent
67c2de74f1 adding download script 2021-08-31 17:05:16 +03:00
dwertent
4a9b36807a remove sudo 2021-08-31 16:43:37 +03:00
dwertent
c6241fab38 remove sudo 2021-08-31 16:42:12 +03:00
dwertent
afbc69c6d2 Merge remote-tracking branch 'upstream/dev' 2021-08-31 16:41:44 +03:00
dwertent
8a00a5c54b Add input table to readme 2021-08-31 16:29:11 +03:00
Daniel Grunberger
8f8aaf70d9 Update README.md 2021-08-31 13:00:17 +03:00
David Wertenteil
d3f4af0f9c Update module to github (#47)
* update module
2021-08-31 12:00:42 +03:00
5 changed files with 53 additions and 29 deletions


@@ -28,20 +28,17 @@ If you wish to scan all namespaces in your cluster, remove the `--exclude-namesp
<img src="docs/summary.png">
### Flags
| flag | default | description | options |
| --- | --- | --- | --- |
| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning, Recommended to exclude `kube-system` and `kube-public` namespaces |
| `-s`/`--silent` | Display progress messages | Silent progress messages |
| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` |
| `-o`/`--output` | print to stdout | Save scan result in file |
## Usage & Examples
### Pre-Deployment Testing
Check your YAML files before you're deploying, simply add them at the end of command line:
```
kubescape scan framework nsa *.yaml
```
### Integration with other tools
Kubescape can produce output fitting for later processing:
* JSON (`-f json`)
* JUnit XML (`-f junit`)
### Examples
* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
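Review bot: the flags table in this hunk is malformed: the header declares four columns (`flag | default | description | options`) but the `-e`, `-s` and `-o` rows carry only three cells, and for `-s` the text "Display progress messages" sits in the default column where the actual default (`false`, per the `BoolVarP` call in the cmd hunk below) belongs. Suggest giving every row four cells, e.g. `| \`-s\`/\`--silent\` | \`false\` | Silent progress messages | |`, and splitting the comma splice in the `-e` description into two sentences ("Namespaces to exclude from scanning. Recommended: exclude `kube-system` and `kube-public`.").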
@@ -49,32 +46,32 @@ Kubescape can produce output fitting for later processing:
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
```
* Scan local `yaml`/`json` files
* Scan local `yaml`/`json` files before deploying <img src="docs/new-feature.svg">
```
kubescape scan framework nsa examples/online-boutique/*
kubescape scan framework nsa *.yaml
```
* Scan `yaml`/`json` files from url
* Scan `yaml`/`json` files from url <img src="docs/new-feature.svg">
```
kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
```
* Output in `json` format
* Output in `json` format <img src="docs/new-feature.svg">
```
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
```
* Output in `junit xml` format
* Output in `junit xml` format <img src="docs/new-feature.svg">
```
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
```
### Helm Support
Render the helm template and pass as stdout
* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout <img src="docs/new-feature.svg">
```
helm template [CHART] [flags] --generate-name --dry-run | kubescape scan framework nsa -
helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
```
for example:
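Review bot: in the replacement Helm line, `--dry-run` is redundant on `helm template`, which renders the chart locally without installing anything, and keeping it implies the flag is what prevents an install; suggest `helm template [NAME] [CHART] [flags] | kubescape scan framework nsa -`. The trailing `-`, which makes kubescape read the rendered manifests from stdin, also deserves a sentence in the surrounding text, since nothing on the page explains it.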
@@ -126,7 +123,7 @@ Kubescape is running the following tests according to what is defined by [Kubern
* Linux hardening
* Ingress and Egress blocked
* Container hostPort
* Anonymous requests
## Technology


@@ -75,10 +75,10 @@ func isValidFramework(framework string) bool {
func init() {
scanCmd.AddCommand(frameworkCmd)
scanInfo = opapolicy.ScanInfo{}
frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "namespaces to exclude from check")
frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `output format. supported formats: "pretty-printer"/"json"/"junit"`)
frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "output file. print output to file and not stdout")
frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "silent progress output")
frameworkCmd.Flags().StringVarP(&scanInfo.ExcludedNamespaces, "exclude-namespaces", "e", "", "Namespaces to exclude from check")
frameworkCmd.Flags().StringVarP(&scanInfo.Format, "format", "f", "pretty-printer", `Output format. supported formats: "pretty-printer"/"json"/"junit"`)
frameworkCmd.Flags().StringVarP(&scanInfo.Output, "output", "o", "", "Output file. print output to file and not stdout")
frameworkCmd.Flags().BoolVarP(&scanInfo.Silent, "silent", "s", false, "Silent progress messages")
}
func CliSetup() error {
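Review bot: the `exclude-namespaces` help text ("Namespaces to exclude from check") still doesn't say the value is a comma-separated list, although every README example passes `kube-system,kube-public`; suggest `Comma-separated list of namespaces to exclude from the scan`. The `format` and `output` strings now start with a capital but keep a lower-case second sentence ("Output format. supported formats: ..."), so capitalise those too while touching these lines.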


@@ -9,7 +9,7 @@ var cfgFile string
var rootCmd = &cobra.Command{
Use: "kubescape",
Short: "Kubescape is a tool for testing Kubernetes security posture",
Long: `Kubescape is a tool for testing Kubernetes security posture based on NSA and MITRE specifications.`,
Long: `Kubescape is a tool for testing Kubernetes security posture based on NSA specifications.`,
}
func Execute() {

download.sh (executable file, 27 additions)

@@ -0,0 +1,27 @@
#!/bin/bash
set -e
echo "Downloading Kubescape..."
echo
osName=$(uname -s)
if [[ $osName == *"MINGW"* ]]; then
osName=windows-latest
elif [[ $osName == *"Darwin"* ]]; then
osName=macos-latest
else
osName=ubuntu-latest
fi
GITHUB_OWNER=armosec
DOWNLOAD_URL=$(curl --silent "https://api.github.com/repos/$GITHUB_OWNER/kubescape/releases/latest" | grep -o "browser_download_url.*${osName}.*")
DOWNLOAD_URL=${DOWNLOAD_URL//\"}
DOWNLOAD_URL=${DOWNLOAD_URL/browser_download_url: /}
KUBESCAPE_EXEC=kubescape
curl --progress-bar -L $DOWNLOAD_URL -o $KUBESCAPE_EXEC
echo -e "\033[32m[V] Downloaded Kubescape"
chmod +x $KUBESCAPE_EXEC || sudo chmod +x $KUBESCAPE_EXEC
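Review bot: the release lookup fails without any diagnostic: `curl --silent` hides transport errors, and when the API response carries no matching asset (a rate-limited request, a renamed asset) the `grep` returns non-zero and `set -e` aborts the script right after "Downloading Kubescape...". Suggest `curl --silent --fail`, followed by an explicit `[ -n "$DOWNLOAD_URL" ] || { echo "no release asset for $osName" >&2; exit 1; }`. Quote `"$DOWNLOAD_URL"` in the download line: if more than one asset matches `${osName}.*` the unquoted expansion passes several URLs to curl, and the single-occurrence `${DOWNLOAD_URL/browser_download_url: /}` substitution leaves a stray prefix on the second one. Since the file is about to be made executable and run, verifying a published checksum before the `chmod +x` is the missing step; the `|| sudo chmod +x` fallback, by contrast, isn't needed here, as the file was just written to the current directory by the same user.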


@@ -29,9 +29,9 @@ OUTPUT=$BASE_DIR/$KUBESCAPE_EXEC
curl --progress-bar -L $DOWNLOAD_URL -o $OUTPUT
echo -e "\033[32m[V] Downloaded Kubescape"
sudo chmod +x $OUTPUT
sudo rm -f /usr/local/bin/$KUBESCAPE_EXEC
sudo cp $OUTPUT /usr/local/bin
chmod +x $OUTPUT || sudo chmod +x $OUTPUT
rm -f /usr/local/bin/$KUBESCAPE_EXEC || sudo rm -f /usr/local/bin/$KUBESCAPE_EXEC
cp $OUTPUT /usr/local/bin || sudo cp $OUTPUT /usr/local/bin
rm -rf $BASE_DIR
echo -e "[V] Finished Installation"
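Review bot: the `cmd || sudo cmd` pattern escalates on any failure, not only on a permission error, so a missing `/usr/local/bin` or a failed copy is simply retried as root. The `chmod +x $OUTPUT || sudo chmod +x $OUTPUT` fallback cannot be needed at all, because `$OUTPUT` is the file this script just downloaded; keep the plain `chmod`. For the two `/usr/local/bin` operations, test writability once (`[ -w /usr/local/bin ]`) and choose plain or sudo for both, quote `"$OUTPUT"`, and consider `install -m 755 "$OUTPUT" /usr/local/bin/` in place of the chmod/rm/cp sequence. The unquoted `rm -rf $BASE_DIR` is also worth guarding with `[ -n "$BASE_DIR" ]` so an unset variable can never expand to an empty path.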