fixed eks cluster name

[housekeeper] add readiness checks

.github/workflows/build.yaml

@@ -80,14 +80,14 @@ jobs:
 
       - name: Set image version
         id: image-version
-        run: echo '::set-output version=IMAGE_VERSION::v2.0.${{ github.run_number }}'
+        run: echo '::set-output name=IMAGE_VERSION::v2.0.${{ github.run_number }}'
 
       - name: Set image name
         id: image-name
         run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
 
       - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg run_number=${{ github.run_number }}
+        run: docker build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }}
       
       - name: Re-Tag Image to latest
         run: docker tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
@@ -108,13 +108,15 @@ jobs:
           docker push ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
           docker push ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
       
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.5.1' # optional
-      - name: sign kubescape container image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-            cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+      # TODO - Wait for casign to support fixed tags -> https://github.com/sigstore/cosign/issues/1424
+      # - name: Install cosign
+      #   uses: sigstore/cosign-installer@main
+      #   with:
+      #     cosign-release: 'v1.5.1' # optional
+      # - name: sign kubescape container image
+      #   env:
+      #     COSIGN_EXPERIMENTAL: "true"
+      #   run: |
+      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:latest
+      #       cosign sign --force ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }}
 

.github/workflows/build_dev.yaml

@@ -65,7 +65,7 @@ jobs:
         run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape'
 
       - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg run_number=${{ github.run_number }}
+        run: docker build . --file build/Dockerfile --tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} --build-arg image_version=${{ steps.image-version.outputs.IMAGE_VERSION }}
       
       - name: Login to Quay.io
         env:

.github/workflows/publish_image.yaml

@@ -1,53 +0,0 @@
-name: build
-
-on:
-  push:
-    branches: [ master ]
-jobs:
-
-  build-docker:
-    name: Build docker container, tag and upload to registry
-    needs: build
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      packages: write
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set name
-        id: set-name
-        run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/kubescape:v2.0.${{ github.run_number }}'
-
-      - name: Build the Docker image
-        run: docker build . --file build/Dockerfile --tag ${{ steps.set-name.outputs.IMAGE_NAME }} --build-arg run_number=${{ github.run_number }}
-      - name: Re-Tag Image to latest
-        run: docker tag ${{ steps.set-name.outputs.IMAGE_NAME }} quay.io/${{ github.repository_owner }}/kubescape:latest
-      - name: Login to Quay.io
-        env: # Or as an environment variable
-          QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
-          QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
-        run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Push Docker image
-        run: |
-          docker push ${{ steps.set-name.outputs.IMAGE_NAME }}
-          docker push quay.io/${{ github.repository_owner }}/kubescape:latest
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.5.1' # optional
-      - name: sign kubescape container image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-            cosign sign --force ${{ steps.set-name.outputs.IMAGE_NAME }}
-            cosign sign --force quay.io/${{ github.repository_owner }}/kubescape:latest
-

README.md

@@ -140,58 +140,58 @@ kubescape scan control "Privileged container"
 
 #### Scan specific namespaces
 ```
-kubescape scan framework nsa --include-namespaces development,staging,production
+kubescape scan --include-namespaces development,staging,production
 ```
 
 #### Scan cluster and exclude some namespaces
 ```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
+kubescape scan --exclude-namespaces kube-system,kube-public
 ```
 
 #### Scan local `yaml`/`json` files before deploying. [Take a look at the demonstration](https://youtu.be/Ox6DaR7_4ZI)
 ```
-kubescape scan framework nsa *.yaml
+kubescape scan *.yaml
 ```
 
 #### Scan kubernetes manifest files from a public github repository 
 ```
-kubescape scan framework nsa https://github.com/armosec/kubescape
+kubescape scan https://github.com/armosec/kubescape
 ```
 
 #### Display all scanned resources (including the resources who passed) 
 ```
-kubescape scan framework nsa --verbose
+kubescape scan --verbose
 ```
 
 #### Output in `json` format
 ```
-kubescape scan framework nsa --format json --output results.json
+kubescape scan --format json --output results.json
 ```
 
 #### Output in `junit xml` format
 ```
-kubescape scan framework nsa --format junit --output results.xml
+kubescape scan --format junit --output results.xml
 ```
 
 #### Output in `prometheus` metrics format - Contributed by [@Joibel](https://github.com/Joibel)
 ```
-kubescape scan framework nsa --format prometheus
+kubescape scan --format prometheus
 ```
 
 #### Scan with exceptions, objects with exceptions will be presented as `exclude` and not `fail`
 [Full documentation](examples/exceptions/README.md)
 ```
-kubescape scan framework nsa --exceptions examples/exceptions/exclude-kube-namespaces.json
+kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
 ```
 
 #### Scan Helm charts - Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout
 ```
-helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
+helm template [NAME] [CHART] [flags] --dry-run | kubescape scan -
 ```
 
 e.g.
 ```
-helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
+helm template bitnami/mysql --generate-name --dry-run | kubescape scan -
 ```
 
 
@@ -228,19 +228,15 @@ kubescape scan framework nsa --use-artifacts-from path/to/local/dir
 ```
 
 ## Scan Periodically using Helm - Contributed by [@yonahd](https://github.com/yonahd)  
- 
-You can scan your cluster periodically by adding a `CronJob` that will repeatedly trigger kubescape
-
-```
-helm install kubescape examples/helm_chart/
-```
+[Please follow the instructions here](https://hub.armo.cloud/docs/installation-of-armo-in-cluster)
+[helm chart repo](https://github.com/armosec/armo-helm)
 
 ## Scan using docker image
 
 Official Docker image `quay.io/armosec/kubescape`
 
 ```
-docker run -v "$(pwd)/example.yaml:/app/example.yaml  quay.io/armosec/kubescape scan framework nsa /app/example.yaml
+docker run -v "$(pwd)/example.yaml:/app/example.yaml  quay.io/armosec/kubescape scan /app/example.yaml
 ```
 
 # Submit data manually

build/Dockerfile

@@ -1,9 +1,9 @@
 FROM golang:1.17-alpine as builder
 #ENV GOPROXY=https://goproxy.io,direct
 
-ARG run_number
+ARG image_version
 
-ENV RELEASE=v1.0.${run_number}
+ENV RELEASE=image_version
 
 ENV GO111MODULE=
 

cautils/logger/prettylogger/logger.go

@@ -57,7 +57,10 @@ func (pl *PrettyLogger) print(level helpers.Level, msg string, details ...helper
 	if !level.Skip(pl.level) {
 		pl.mutex.Lock()
 		prefix(level)(pl.writer, "[%s] ", level.String())
-		message(pl.writer, fmt.Sprintf("%s. %s\n", msg, detailsToString(details)))
+		if d := detailsToString(details); d != "" {
+			msg = fmt.Sprintf("%s. %s", msg, d)
+		}
+		message(pl.writer, fmt.Sprintf("%s\n", msg))
 		pl.mutex.Unlock()
 	}
 

clihandler/clidownload.go

@@ -8,6 +8,8 @@ import (
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/getter"
+	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 )
 
 var downloadFunc = map[string]func(*cautils.DownloadInfo) error{
@@ -67,7 +69,7 @@ func downloadArtifacts(downloadInfo *cautils.DownloadInfo) error {
 	}
 	for artifact := range artifacts {
 		if err := downloadArtifact(&cautils.DownloadInfo{Target: artifact, Path: downloadInfo.Path, FileName: fmt.Sprintf("%s.json", artifact)}, artifacts); err != nil {
-			fmt.Printf("error downloading %s, error: %s", artifact, err)
+			logger.L().Error("error downloading", helpers.String("artifact", artifact), helpers.Error(err))
 		}
 	}
 	return nil
@@ -88,7 +90,7 @@ func downloadConfigInputs(downloadInfo *cautils.DownloadInfo) error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	return nil
 }
 
@@ -111,7 +113,7 @@ func downloadExceptions(downloadInfo *cautils.DownloadInfo) error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	return nil
 }
 
@@ -131,7 +133,7 @@ func downloadFramework(downloadInfo *cautils.DownloadInfo) error {
 			if err != nil {
 				return err
 			}
-			fmt.Printf("'%s': '%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, fw.Name, filepath.Join(downloadInfo.Path, (strings.ToLower(fw.Name)+".json")))
+			logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", fw.Name), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 		}
 		// return fmt.Errorf("missing framework name")
 	} else {
@@ -146,7 +148,7 @@ func downloadFramework(downloadInfo *cautils.DownloadInfo) error {
 		if err != nil {
 			return err
 		}
-		fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+		logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", framework.Name), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	}
 	return nil
 }
@@ -171,6 +173,6 @@ func downloadControl(downloadInfo *cautils.DownloadInfo) error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("'%s' downloaded successfully and saved at: '%s'\n", downloadInfo.Target, filepath.Join(downloadInfo.Path, downloadInfo.FileName))
+	logger.L().Success("Downloaded", helpers.String("artifact", downloadInfo.Target), helpers.String("name", downloadInfo.Name), helpers.String("path", filepath.Join(downloadInfo.Path, downloadInfo.FileName)))
 	return nil
 }

clihandler/cliview.go

@@ -1,9 +1,12 @@
 package clihandler
 
-import "fmt"
+import (
+	"fmt"
+	"os"
+)
 
 func CliView() error {
 	tenant := getTenantConfig("", "", getKubernetesApi()) // change k8sinterface
-	fmt.Printf("%s\n", tenant.GetConfigObj().Config())
+	fmt.Fprintf(os.Stderr, "%s\n", tenant.GetConfigObj().Config())
 	return nil
 }

clihandler/cmd/cluster_get.go

@@ -36,8 +36,7 @@ var getCmd = &cobra.Command{
 		val, err := clusterConfig.GetValueByKeyFromConfigMap(key)
 		if err != nil {
 			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from configmap, reason: %s\n", err)
-				return nil
+				return fmt.Errorf("failed to get value from configmap, reason: %s", err.Error())
 			}
 			return err
 		}

clihandler/cmd/local_get.go

@@ -31,8 +31,7 @@ var localGetCmd = &cobra.Command{
 		val, err := cautils.GetValueFromConfigJson(key)
 		if err != nil {
 			if err.Error() == "value does not exist." {
-				fmt.Printf("Could net get value from: %s, reason: %s\n", cautils.ConfigFileFullPath(), err)
-				return nil
+				return fmt.Errorf("failed to get value from: %s, reason: %s", cautils.ConfigFileFullPath(), err.Error())
 			}
 			return err
 		}

clihandler/cmd/version.go

@@ -1,8 +1,10 @@
 package cmd
 
 import (
+	"fmt"
+	"os"
+
 	"github.com/armosec/kubescape/cautils"
-	"github.com/armosec/kubescape/cautils/logger"
 	"github.com/spf13/cobra"
 )
 
@@ -13,7 +15,7 @@ var versionCmd = &cobra.Command{
 	RunE: func(cmd *cobra.Command, args []string) error {
 		v := cautils.NewIVersionCheckHandler()
 		v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, "", "", "version"))
-		logger.L().Info("Your current version is: " + cautils.BuildNumber)
+		fmt.Fprintln(os.Stdout, "Your current version is: "+cautils.BuildNumber)
 		return nil
 	},
 }

clihandler/initcli.go

@@ -36,6 +36,7 @@ type componentInterfaces struct {
 
 func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 
+	// ================== setup k8s interface object ======================================
 	var k8s *k8sinterface.KubernetesApi
 	if scanInfo.GetScanningEnvironment() == cautils.ScanCluster {
 		k8s = getKubernetesApi()
@@ -44,11 +45,20 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 		}
 	}
 
+	// ================== setup tenant object ======================================
+
 	tenantConfig := getTenantConfig(scanInfo.Account, scanInfo.KubeContext, k8s)
 
 	// Set submit behavior AFTER loading tenant config
 	setSubmitBehavior(scanInfo, tenantConfig)
 
+	// ================== version testing ======================================
+
+	v := cautils.NewIVersionCheckHandler()
+	v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, policyIdentifierNames(scanInfo.PolicyIdentifier), "", scanInfo.GetScanningEnvironment()))
+
+	// ================== setup host sensor object ======================================
+
 	hostSensorHandler := getHostSensorHandler(scanInfo, k8s)
 	if err := hostSensorHandler.Init(); err != nil {
 		logger.L().Error("failed to init host sensor", helpers.Error(err))
@@ -59,24 +69,29 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 		scanInfo.ExcludedNamespaces = fmt.Sprintf("%s,%s", scanInfo.ExcludedNamespaces, hostSensorHandler.GetNamespace())
 	}
 
+	// ================== setup registry adaptors ======================================
+
 	registryAdaptors, err := resourcehandler.NewRegistryAdaptors()
 	if err != nil {
 		logger.L().Error("failed to initialize registry adaptors", helpers.Error(err))
 	}
 
+	// ================== setup resource collector object ======================================
+
 	resourceHandler := getResourceHandler(scanInfo, tenantConfig, k8s, hostSensorHandler, registryAdaptors)
 
+	// ================== setup reporter & printer objects ======================================
+
 	// reporting behavior - setup reporter
 	reportHandler := getReporter(tenantConfig, scanInfo.Submit)
 
-	v := cautils.NewIVersionCheckHandler()
-	v.CheckLatestVersion(cautils.NewVersionCheckRequest(cautils.BuildNumber, policyIdentifierNames(scanInfo.PolicyIdentifier), "", scanInfo.GetScanningEnvironment()))
-
 	// setup printer
 	printerHandler := printerv1.GetPrinter(scanInfo.Format, scanInfo.VerboseMode)
 	// printerHandler = printerv2.GetPrinter(scanInfo.Format, scanInfo.VerboseMode)
 	printerHandler.SetWriter(scanInfo.Output)
 
+	// ================== return interface ======================================
+
 	return componentInterfaces{
 		tenantConfig:      tenantConfig,
 		resourceHandler:   resourceHandler,
@@ -177,8 +192,8 @@ func askUserForHostSensor() bool {
 	if ssss, err := os.Stdin.Stat(); err == nil {
 		// fmt.Printf("Found stdin type: %s\n", ssss.Mode().Type())
 		if ssss.Mode().Type()&(fs.ModeDevice|fs.ModeCharDevice) > 0 { //has TTY
-			fmt.Printf("Would you like to scan K8s nodes? [y/N]. This is required to collect valuable data for certain controls\n")
-			fmt.Printf("Use --enable-host-scan flag to suppress this message\n")
+			fmt.Fprintf(os.Stderr, "Would you like to scan K8s nodes? [y/N]. This is required to collect valuable data for certain controls\n")
+			fmt.Fprintf(os.Stderr, "Use --enable-host-scan flag to suppress this message\n")
 			var b []byte = make([]byte, 1)
 			if n, err := os.Stdin.Read(b); err == nil {
 				if n > 0 && len(b) > 0 && (b[0] == 'y' || b[0] == 'Y') {

examples/cronJob-support/README.md

@@ -1,85 +0,0 @@
-# Periodically Kubescape Scanning
-
-You can scan your cluster periodically by adding a `CronJob` that will repeatedly trigger kubescape
-
-* Setup [scanning & submitting](#scanning-and-submitting)
-* Setup [scanning without submitting](#scanning-without-submitting)
-
-## Scanning And Submitting
-
-If you wish to periodically scan and submit the result to the [Kubescape SaaS version](https://portal.armo.cloud/) where you can benefit the features the SaaS version provides, please follow this instructions ->
-
-1. Apply kubescape namespace
-    ```
-    kubectl apply ks-namespace.yaml
-    ```
-
-2. Apply serviceAccount and roles
-    ```
-    kubectl apply ks-serviceAccount.yaml
-    ```
-
-3. Setup and apply configMap
-   
-    Before you apply the configMap you need to set the account ID and cluster name in the `ks-configMap.yaml` file.
-
-    * Set cluster name:
-        Run `kubectl config current-context` and set the result in the `data.clusterName` field
-    * Set account ID:
-        1. Navigate to the [Kubescape SaaS version](https://portal.armo.cloud/) and login/sign up for free 
-        2. Click the `Add Cluster` button on the top right of the page 
-            </br>
-            <img src="screenshots/add-cluster.png"  alt="add-cluster">
-        3. Copy the value of `--account` and set it in the `data.customerGUID` field
-            </br>
-            <img src="screenshots/account.png"  alt="account">
-
-        Make sure the configMap looks as following;
-        ```
-        kind: ConfigMap 
-        apiVersion: v1 
-        metadata:
-        name: kubescape 
-        labels:
-            app: kubescape
-        namespace: kubescape
-        data:
-        config.json: |
-            {
-                "customerGUID": "XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX",
-                "clusterName": "my-awesome-cluster-name"
-            }
-        ```
-
-    Finally, apply the configMap
-    ```
-    kubectl apply ks-configMap.yaml
-    ```
-
-4. Apply CronJob
-
-    Before you apply the cronJob, make sure the scanning frequency suites your needs
-    ```
-    kubectl apply ks-cronJob-submit.yaml
-    ```
-
-## Scanning Without Submitting
-
-If you wish to periodically scan but not submit the scan results, follow this instructions ->
-
-1. Apply kubescape namespace
-    ```
-    kubectl apply ks-namespace.yaml
-    ```
-
-2. Apply serviceAccount and roles
-    ```
-    kubectl apply ks-serviceAccount.yaml
-    ```
-
-3. Apply CronJob
-
-    Before you apply the cronJob, make sure the scanning frequency suites your needs
-    ```
-    kubectl apply ks-cronJob-non-submit.yaml
-    ```

examples/cronJob-support/ks-configMap.yaml

@@ -1,14 +0,0 @@
-# ------------------- Kubescape User/Customer ID ------------------- #
-kind: ConfigMap 
-apiVersion: v1 
-metadata:
-  name: kubescape 
-  labels:
-    app: kubescape
-  namespace: kubescape
-data:
-  config.json: |
-    {
-      "customerGUID": "<ID>",
-      "clusterName": "<cluster name>"
-    }

examples/cronJob-support/ks-cronJob-non-submit.yaml

@@ -1,32 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape
-  namespace: kubescape
-spec:
-  #      ┌────────────────── timezone (optional)
-  #      |      ┌───────────── minute (0 - 59)
-  #      |      │ ┌───────────── hour (0 - 23)
-  #      |      │ │ ┌───────────── day of the month (1 - 31)
-  #      |      │ │ │ ┌───────────── month (1 - 12)
-  #      |      │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
-  #      |      │ │ │ │ │                         7 is also Sunday on some systems)
-  #      |      │ │ │ │ │
-  #      |      │ │ │ │ │
-  # CRON_TZ=UTC * * * * *
-  schedule: "0 0 1 * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: kubescape
-            image: quay.io/armosec/kubescape:latest
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh","-c"]
-            args: 
-            - kubescape scan framework nsa
-          restartPolicy: OnFailure
-          serviceAccountName: kubescape-discovery

examples/cronJob-support/ks-cronJob-submit.yaml

@@ -1,40 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape
-  namespace: kubescape
-spec:
-  #      ┌────────────────── timezone (optional)
-  #      |      ┌───────────── minute (0 - 59)
-  #      |      │ ┌───────────── hour (0 - 23)
-  #      |      │ │ ┌───────────── day of the month (1 - 31)
-  #      |      │ │ │ ┌───────────── month (1 - 12)
-  #      |      │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
-  #      |      │ │ │ │ │                         7 is also Sunday on some systems)
-  #      |      │ │ │ │ │
-  #      |      │ │ │ │ │
-  # CRON_TZ=UTC * * * * *
-  schedule: "0 0 1 * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: kubescape
-            image: quay.io/armosec/kubescape:latest
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh","-c"]
-            args: 
-            - kubescape scan framework nsa --submit
-            volumeMounts:
-            - name: kubescape-config-volume
-              mountPath: /root/.kubescape/config.json
-              subPath: config.json
-          restartPolicy: OnFailure
-          serviceAccountName: kubescape-discovery
-          volumes:
-          - name: kubescape-config-volume
-            configMap:
-              name: kubescape

examples/cronJob-support/ks-namespace.yaml

@@ -1,7 +0,0 @@
-# ------------------- Kubescape User/Customer ID ------------------- #
-kind: Namespace 
-apiVersion: v1 
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape

examples/cronJob-support/ks-serviceAccount.yaml

@@ -1,61 +0,0 @@
----
-# ------------------- Kubescape Service Account ------------------- #
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: kubescape
-  name: kubescape-discovery
-  namespace: kubescape
-
----
-# ------------------- Kubescape Role & Role Binding ------------------- #
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role
-  namespace: kubescape
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: kubescape-discovery-binding
-  namespace: kubescape
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubescape-discovery-role
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-
----
-# ------------------- Kubescape Cluster Role & Cluster Role Binding ------------------- #
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-clusterroles
-  # "namespace" omitted since ClusterRoles are not namespaced
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubescape-discovery-clusterroles
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-  namespace: kubescape

examples/cronjob/ks-cronjob.yaml

@@ -1,130 +0,0 @@
-# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-# 
-# This file is DEPRECATE, please navigate to the official docs ->
-# https://github.com/armosec/kubescape/tree/master/examples/cronJob-support/README.md
-#
-# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-
----
-# ------------------- Kubescape Service Account ------------------- #
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: kubescape
-  name: kubescape-discovery
-  namespace: kubescape
-
----
-# ------------------- Kubescape Role & Role Binding ------------------- #
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role
-  namespace: kubescape
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: kubescape-discovery-binding
-  namespace: kubescape
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kubescape-discovery-role
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-
----
-# ------------------- Kubescape Cluster Role & Cluster Role Binding ------------------- #
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-clusterroles
-  # "namespace" omitted since ClusterRoles are not namespaced
-rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "list", "describe"]
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubescape-discovery-role-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubescape-discovery-clusterroles
-subjects:
-- kind: ServiceAccount
-  name: kubescape-discovery
-  namespace: kubescape
-
----
-# ------------------- Kubescape User/Customer GUID ------------------- #
-kind: ConfigMap 
-apiVersion: v1 
-metadata:
-  name: kubescape-configmap 
-  labels:
-    app: kubescape
-  namespace: kubescape
-data:
-  config.json: |
-    {
-      "customerGUID": <MyGUID>,
-      "clusterName": <MyK8sClusterName>
-    }
-
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: kubescape
-  labels:
-    app: kubescape
-  namespace: kubescape
-spec:
-  #      ┌────────────────── timezone (optional)
-  #      |      ┌───────────── minute (0 - 59)
-  #      |      │ ┌───────────── hour (0 - 23)
-  #      |      │ │ ┌───────────── day of the month (1 - 31)
-  #      |      │ │ │ ┌───────────── month (1 - 12)
-  #      |      │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
-  #      |      │ │ │ │ │                         7 is also Sunday on some systems)
-  #      |      │ │ │ │ │
-  #      |      │ │ │ │ │
-  # CRON_TZ=UTC * * * * *
-  schedule: "0 0 1 * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: kubescape
-            image: quay.io/armosec/kubescape:latest
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh","-c"]
-            args: 
-            - kubescape scan framework nsa --submit
-            volumeMounts:
-            - name: kubescape-config-volume
-              mountPath: /root/.kubescape/config.json
-              subPath: config.json
-          restartPolicy: OnFailure
-          serviceAccountName: kubescape-discovery
-          volumes:
-          - name: kubescape-config-volume
-            configMap:
-              name: kubescape-configmap
-
----
-
-

examples/helm_chart/README.md

@@ -1,8 +1,7 @@
-# kubescape
+# Helm chart - DEPRECATED
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.128](https://img.shields.io/badge/AppVersion-v1.0.128-informational?style=flat-square)
+[helm chart repo](https://github.com/armosec/armo-helm)
 
-Kubescape is the first open-source tool for testing if Kubernetes is deployed securely according to multiple frameworks regulatory, customized company policies and DevSecOps best practices, such as the  [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo) and the [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) . Kubescape scans K8s clusters, YAML files, and HELM charts, and detect misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline and provides a risk score instantly and risk trends over time. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and Github workflows.
 
 ## Values
 

go.mod

@@ -5,7 +5,7 @@ go 1.17
 require (
 	github.com/armosec/armoapi-go v0.0.49
 	github.com/armosec/k8s-interface v0.0.60
-	github.com/armosec/opa-utils v0.0.107
+	github.com/armosec/opa-utils v0.0.110
 	github.com/armosec/rbac-utils v0.0.14
 	github.com/armosec/utils-go v0.0.3
 	github.com/armosec/utils-k8s-go v0.0.1

go.sum

@@ -93,8 +93,8 @@ github.com/armosec/k8s-interface v0.0.50/go.mod h1:vHxGWqD/uh6+GQb9Sqv7OGMs+Rvc2
 github.com/armosec/k8s-interface v0.0.60 h1:jTCiO15QQbHVuxFQ928rp4srf1rQoUzeybfcbv/cuss=
 github.com/armosec/k8s-interface v0.0.60/go.mod h1:g0jv/fG+VqpT5ivO6D2gJcJ/w68BiffDz+PcU9YFbL4=
 github.com/armosec/opa-utils v0.0.64/go.mod h1:6tQP8UDq2EvEfSqh8vrUdr/9QVSCG4sJfju1SXQOn4c=
-github.com/armosec/opa-utils v0.0.107 h1:P+SACquUDMbXcOYIbQ+uzwcdJlrguXOTI42PHEJG2NU=
-github.com/armosec/opa-utils v0.0.107/go.mod h1:Wc1P4gkB6UQeGW8I76zCuitGGl15Omp0bKw7N0tR9dk=
+github.com/armosec/opa-utils v0.0.110 h1:qncGcbnYjiGULP3yK+4geRNNpRoWqKXQL+Xg+iXc1cM=
+github.com/armosec/opa-utils v0.0.110/go.mod h1:Wc1P4gkB6UQeGW8I76zCuitGGl15Omp0bKw7N0tR9dk=
 github.com/armosec/rbac-utils v0.0.1/go.mod h1:pQ8CBiij8kSKV7aeZm9FMvtZN28VgA7LZcYyTWimq40=
 github.com/armosec/rbac-utils v0.0.14 h1:CKYKcgqJEXWF2Hen/B1pVGtS3nDAG1wp9dDv6oNtq90=
 github.com/armosec/rbac-utils v0.0.14/go.mod h1:Ex/IdGWhGv9HZq6Hs8N/ApzCKSIvpNe/ETqDfnuyah0=

hostsensorutils/hostsensor.yaml

@@ -50,6 +50,12 @@ spec:
         volumeMounts:
         - mountPath: /host_fs
           name: host-filesystem
+        readinessProbe:
+          httpGet:
+            path: /kernelVersion
+            port: 7888
+            initialDelaySeconds: 1
+            periodSeconds: 1
       terminationGracePeriodSeconds: 120
       dnsPolicy: ClusterFirstWithHostNet
       automountServiceAccountToken: false

hostsensorutils/hostsensordeploy.go

@@ -161,7 +161,7 @@ func (hsh *HostSensorHandler) populatePodNamesToNodeNames() {
 			LabelSelector: fmt.Sprintf("name=%s", hsh.DaemonSet.Spec.Template.Labels["name"]),
 		})
 		if err != nil {
-			fmt.Printf("Failed to watch over daemonset pods")
+			logger.L().Error("failed to watch over daemonset pods", helpers.Error(err))
 		}
 		for eve := range watchRes.ResultChan() {
 			pod, ok := eve.Object.(*corev1.Pod)
@@ -179,7 +179,7 @@ func (hsh *HostSensorHandler) updatePodInListAtomic(eventType watch.EventType, p
 
 	switch eventType {
 	case watch.Added, watch.Modified:
-		if podObj.Status.Phase == corev1.PodRunning {
+		if podObj.Status.Phase == corev1.PodRunning && podObj.Status.ContainerStatuses[0].Ready {
 			hsh.HostSensorPodNames[podObj.ObjectMeta.Name] = podObj.Spec.NodeName
 		} else {
 			delete(hsh.HostSensorPodNames, podObj.ObjectMeta.Name)

hostsensorutils/hostsensorgetfrompod.go

@@ -8,6 +8,7 @@ import (
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/kubescape/cautils"
 	"github.com/armosec/kubescape/cautils/logger"
+	"github.com/armosec/kubescape/cautils/logger/helpers"
 	"github.com/armosec/opa-utils/objectsenvelopes/hostsensor"
 	"sigs.k8s.io/yaml"
 )
@@ -72,7 +73,7 @@ func (hsh *HostSensorHandler) sendAllPodsHTTPGETRequest(path, requestKind string
 			defer wg.Done()
 			resBytes, err := hsh.HTTPGetToPod(podName, path)
 			if err != nil {
-				fmt.Printf("In sendAllPodsHTTPGETRequest failed to get data '%s' from pod '%s': %v", path, podName, err)
+				logger.L().Error("failed to get data", helpers.String("path", path), helpers.String("podName", podName), helpers.Error(err))
 			} else {
 				resLock.Lock()
 				defer resLock.Unlock()
@@ -142,7 +143,7 @@ func (hsh *HostSensorHandler) GetKubeletConfigurations() ([]hostsensor.HostSenso
 	for resIdx := range res {
 		jsonBytes, err := yaml.YAMLToJSON(res[resIdx].Data)
 		if err != nil {
-			fmt.Printf("In GetKubeletConfigurations failed to YAMLToJSON: %v;\n%v", err, res[resIdx])
+			logger.L().Error("failed to convert kubelet configurations from yaml to json", helpers.Error(err))
 			continue
 		}
 		res[resIdx].SetData(jsonBytes)
@@ -156,7 +157,7 @@ func (hsh *HostSensorHandler) CollectResources() ([]hostsensor.HostSensorDataEnv
 		return res, nil
 	}
 
-	logger.L().Info("Accessing host sensor")
+	logger.L().Debug("Accessing host sensor")
 	cautils.StartSpinner()
 	defer cautils.StopSpinner()
 	kcData, err := hsh.GetKubeletConfigurations()
@@ -196,6 +197,6 @@ func (hsh *HostSensorHandler) CollectResources() ([]hostsensor.HostSensorDataEnv
 	res = append(res, kcData...)
 	// finish
 
-	logger.L().Success("Read host information from host sensor")
+	logger.L().Debug("Done reading information from host sensor")
 	return res, nil
 }

resourcehandler/ekssupport.go

@@ -58,15 +58,18 @@ func NewEKSProviderContext() *EKSProviderContext {
 }
 
 func (eksProviderContext *EKSProviderContext) getKubeClusterName() string {
-	cluster := k8sinterface.GetCurrentContext().Cluster
-	var splittedCluster []string
+	context := k8sinterface.GetCurrentContext()
+	if context == nil {
+		return ""
+	}
+	cluster := context.Cluster
 	if cluster != "" {
-		splittedCluster = strings.Split(cluster, ".")
+		splittedCluster := strings.Split(cluster, ".")
 		if len(splittedCluster) > 1 {
 			return splittedCluster[0]
 		}
 	}
-	splittedCluster = strings.Split(k8sinterface.GetClusterName(), ".")
+	splittedCluster := strings.Split(k8sinterface.GetClusterName(), ".")
 	if len(splittedCluster) > 1 {
 		return splittedCluster[0]
 	}
@@ -78,9 +81,8 @@ func (eksProviderContext *EKSProviderContext) getKubeCluster() string {
 	if context == nil {
 		return ""
 	}
-	cluster := context.Cluster
-	if cluster != "" {
-		return cluster
+	if context.Cluster != "" {
+		return context.Cluster
 	}
 	return k8sinterface.GetClusterName()
 }

resourcehandler/gkesupport.go

@@ -89,8 +89,7 @@ func (gkeProviderContext *GKEProviderContext) getKubeClusterName() string {
 	if len(parsedName) < 3 {
 		return ""
 	}
-	clusterName = parsedName[3]
-	return clusterName
+	return parsedName[3]
 }
 
 func (gkeProviderContext *GKEProviderContext) getKubeCluster() string {
@@ -98,9 +97,8 @@ func (gkeProviderContext *GKEProviderContext) getKubeCluster() string {
 	if context == nil {
 		return ""
 	}
-	cluster := context.Cluster
-	if cluster != "" {
-		return cluster
+	if context.Cluster != "" {
+		return context.Cluster
 	}
 	return k8sinterface.GetClusterName()
 

resourcehandler/k8sresources.go

@@ -80,7 +80,7 @@ func (k8sHandler *K8sResourceHandler) GetResources(frameworks []reporthandling.F
 	}
 
 	cautils.StopSpinner()
-	logger.L().Success("Accessed successfully to Kubernetes objects")
+	logger.L().Success("Accessed to Kubernetes objects")
 
 	return k8sResourcesMap, allResources, nil
 }

resourcehandler/repositoryscanner.go

@@ -127,7 +127,6 @@ func (g *GitHubRepository) setTree() error {
 	err = json.Unmarshal([]byte(body), &tree)
 	if err != nil {
 		return fmt.Errorf("failed to unmarshal response body from '%s', reason: %s", g.treeAPI(), err.Error())
-		// fmt.Printf("failed to unmarshal response body from '%s', reason: %s", urlCommand, err.Error())
 		// return nil
 	}
 	g.tree = tree