Merge pull request #428 from armosec/dev

Release

MAINTAINERS.md

@@ -2,8 +2,9 @@
 
 The following table lists Kubescape project maintainers 
 
-| Name | GitHub | Email | Organization | Repositories/Area of Expertise | Added/Renewed On |
+| Name | GitHub | Email | Organization | Role | Added/Renewed On |
 | --- | --- | --- | --- | --- | --- |
-| Ben Hirschberg | @slashben | ben@armosec.io | ARMO | Kubescape CLI | 2021-09-01 |
-| Rotem Refael | @rotemamsa | rrefael@armosec.io | ARMO | Kubescape CLI | 2021-10-11 |
-| David Wertenteil | @dwertent | dwertent@armosec.io | ARMO | Kubescape CLI | 2021-09-01 |
+| [Ben Hirschberg](https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890) | [@slashben](https://github.com/slashben) | ben@armosec.io | [ARMO](https://www.armosec.io/) | VP R&D | 2021-09-01 |
+| [Rotem Refael](https://www.linkedin.com/in/rotem-refael) | [@rotemamsa](https://github.com/rotemamsa) | rrefael@armosec.io | [ARMO](https://www.armosec.io/) | Team Leader | 2021-10-11 |
+| [David Wertenteil](https://www.linkedin.com/in/david-wertenteil-0ba277b9) | [@dwertent](https://github.com/dwertent) | dwertent@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape CLI Developer | 2021-09-01 |
+| [Bezalel Brandwine](https://www.linkedin.com/in/bezalel-brandwine) | [@Bezbran](https://github.com/Bezbran) | bbrandwine@armosec.io | [ARMO](https://www.armosec.io/) | Kubescape SaaS Developer | 2021-09-01 |

README.md

@@ -48,9 +48,9 @@ We invite you to our team! We are excited about this project and want to return
 
 Want to contribute? Want to discuss something? Have an issue?
 
+* Feel free to pick a task from the [roadmap](docs/roadmap.md) or suggest a feature of your own. [Contact us](MAINTAINERS.md) directly for more information :) 
 * Open a issue, we are trying to respond within 48 hours
-* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server! 
-
+* [Join us](https://armosec.github.io/kubescape/) in a discussion on our discord server!
 
 [<img src="docs/discord-banner.png" width="100" alt="logo" align="center">](https://armosec.github.io/kubescape/)
 ![discord](https://img.shields.io/discord/893048809884643379)

clihandler/cmd/completion.go

@@ -10,10 +10,12 @@ import (
 var completionCmdExamples = `
 
   # Enable BASH shell autocompletion 
-  echo 'source <(kubescape completion bash)' >> ~/.bashrc
+  $ source <(kubescape completion bash) 
+  $ echo 'source <(kubescape completion bash)' >> ~/.bashrc
 
   # Enable ZSH shell autocompletion 
-  echo 'source <(kubectl completion zsh)' >> "${fpath[1]}/_kubectl"
+  $ source <(kubectl completion zsh)
+  $ echo 'source <(kubectl completion zsh)' >> "${fpath[1]}/_kubectl"
 
 `
 var completionCmd = &cobra.Command{

clihandler/initcli.go

@@ -49,6 +49,13 @@ func getInterfaces(scanInfo *cautils.ScanInfo) componentInterfaces {
 	// Set submit behavior AFTER loading tenant config
 	setSubmitBehavior(scanInfo, tenantConfig)
 
+	if scanInfo.Submit {
+		// submit - Create tenant & Submit report
+		if err := tenantConfig.SetTenant(); err != nil {
+			logger.L().Error(err.Error())
+		}
+	}
+
 	// ================== version testing ======================================
 
 	v := cautils.NewIVersionCheckHandler()

clihandler/initcliutils.go

@@ -148,14 +148,8 @@ func setSubmitBehavior(scanInfo *cautils.ScanInfo, tenantConfig cautils.ITenantC
 			// Submit report
 			scanInfo.Submit = true
 		}
-	} else { // config not found in cache (not submitted)
-		if scanInfo.Submit {
-			// submit - Create tenant & Submit report
-			if err := tenantConfig.SetTenant(); err != nil {
-				logger.L().Error(err.Error())
-			}
-		}
 	}
+
 }
 
 // setPolicyGetter set the policy getter - local file/github release/ArmoAPI

docs/release.md

@@ -1,91 +0,0 @@
-# Kubescape Release 
-
-
-## Input
-
-### Scan a running Kubernetes cluster
-
-* Scan your Kubernetes cluster. Ignore `kube-system` and `kube-public` namespaces
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
-```
-
-* Scan your Kubernetes cluster
-```
-kubescape scan framework nsa 
-```
-
-### Scan a local Kubernetes manifest
- 
-* Scan single Kubernetes manifest file <img src="new-feature.svg">
-```
-kubescape scan framework nsa <my-workload.yaml>
-```
-
-* Scan many Kubernetes manifest files <img src="new-feature.svg">
-```
-kubescape scan framework nsa <my-workload-1.yaml> <my-workload-2.yaml>
-```
-
-* Scan all Kubernetes manifest files in directory  <img src="new-feature.svg">
-```
-kubescape scan framework nsa *.yaml
-```
-
-* Scan Kubernetes manifest from stdout  <img src="new-feature.svg">
-```
-cat <my-workload.yaml> | kubescape scan framework nsa -
-```
-
-
-* Scan Kubernetes manifest url  <img src="new-feature.svg">
-```
-kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
-```
-
-### Scan HELM chart
-
-* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout <img src="new-feature.svg">
-```
-helm template [CHART] [flags] --generate-name --dry-run | kubescape scan framework nsa -
-```
-
-### Scan on-prem (offline)
-
-* Scan using a framework from the local file system 
-```
-kubescape scan framework --use-from <path> 
-```
-
-* Scan using the framework from the default location in file system  
-```
-kubescape scan framework  --use-default 
-```
-
-## Output formats
-
-By default, the output is user friendly.
-
-For the sake of automation, it is possible to receive the result in a `json` or `junit xml` format.
-
-* Output in `json` format <img src="new-feature.svg">
-```
-kubescape scan framework nsa --format json --output results.json
-```
-
-* Output in `junit xml` format <img src="new-feature.svg">
-```
-kubescape scan framework nsa --format junit --output results.xml
-```
-
-## Download
-
-* Download and save in file <img src="new-feature.svg">
-```
-kubescape download framework nsa --output nsa.json
-```
-
-* Download and save in default file (`~/.kubescape/<framework name>.json`)
-```
-kubescape download framework nsa 
-```

docs/roadmap.md

@@ -5,38 +5,52 @@
 Kubescape roadmap items are labeled based on where the feature is used and by their maturity.
 
 The features serve different stages of the workflow of the users:
-* development phase (writing Kubernetes manifests) - example: VS Code extension is used while editing YAMLs
-* CI phase (integrating manifests to GIT repo) - example: GitHub action validating HELM charts on PRs
-* delivery phase (deploying applications in Kubernetes) - example: running cluster scan after a new deployment
-* monitoring phase (scanning application in Kubernetes) - example: Prometheus scraping the cluster security risk 
+* **Development phase** (writing Kubernetes manifests) - example: VS Code extension is used while editing YAMLs
+* **CI phase** (integrating manifests to GIT repo) - example: GitHub action validating HELM charts on PRs
+* **CD phase** (deploying applications in Kubernetes) - example: running cluster scan after a new deployment
+* **Monitoring phase** (scanning application in Kubernetes) - example: Prometheus scraping the cluster security risk 
 
-Items in Kubescape roadmap are split to 3 major groups based on the feature planning maturity:
+The items in Kubescape roadmap are split to 3 major groups based on the feature planning maturity:
 
-* Planning - we have tickets open for these issues with more or less clear vision of design
-* Backlog  - feature which were discussed at a high level but are not ready for development 
-* Wishlist -  features we are dreaming of 😀 and want to push them gradually forward 
+* [Planning](#planning) - we have tickets open for these issues with more or less clear vision of design
+* [Backlog](#backlog)  - feature which were discussed at a high level but are not ready for development 
+* [Wishlist](#wishlist) -  features we are dreaming of 😀 and want to push them gradually forward 
 
 
 ## Planning 👷
-* **Integration with image registries**: we want to expand Kubescape to integrate with differnet image registries and read image vulnerability information from there. This will allow Kubescape to give contextual security information about vulnerabilities [Container registry integration](/docs/proposals/container-image-vulnerability-adaptor.md)
-* **Kubescape as a microservice**: create a REST API for Kubescape so it can run constantly in a cluster and other components like Prometheus can scrape results
-* **Kubescape CLI control over cluster operations**: add functionality to Kubescape CLI to trigger operations in Kubescape cluster components (example: trigger images scans and etc.)
-* **Produce md/HTML reports**: create scan reports for different output formats
-* **Git integration for pull requests**: create insightful GitHub actions for Kubescape
+* ##### Integration with image registries 
+  We want to expand Kubescape to integrate with differnet image registries and read image vulnerability information from there. This will allow Kubescape to give contextual security information about vulnerabilities [Container registry integration](/docs/proposals/container-image-vulnerability-adaptor.md)
+* ##### Kubescape as a microservice 
+  Create a REST API for Kubescape so it can run constantly in a cluster and other components like Prometheus can scrape results
+* ##### Kubescape CLI control over cluster operations 
+  Add functionality to Kubescape CLI to trigger operations in Kubescape cluster components (example: trigger images scans and etc.)
+* ##### Produce md/HTML reports 
+  Create scan reports for different output formats
+* ##### Git integration for pull requests 
+  Create insightful GitHub actions for Kubescape
 
 ## Backlog 📅
-* **JSON path for HELM charts**: today Kubescape can point to issues in the Kubernetes object, we want to develop this feature so Kubescape will be able to point to the misconfigured source file (HELM)
-* **Create Kubescape HELM plugin**
-* **Kubescape based admission controller**: Implement admission controller API for Kubescape microservice to enable users to use Kubescape rules as policies
+* ##### JSON path for HELM charts 
+  Today Kubescape can point to issues in the Kubernetes object, we want to develop this feature so Kubescape will be able to point to the misconfigured source file (HELM)
+* ##### Create Kubescape HELM plugin
+* ##### Kubescape based admission controller 
+  Implement admission controller API for Kubescape microservice to enable users to use Kubescape rules as policies
 
 ## Wishlist 💭
-* **Integrate with other Kubernetes CLI tools** use Kubescape as a YAML validator for `kubectl` and others.
-* **Kubernetes audit log integration**: connect Kubescape to audit log stream to enable it to produce more contextual security information based on how the API service is used.
-* **TUI for Kubescape**: interactive terminal based user interface which helps to analyze and fix issues
-* **Scanning images with GO for vulnerabilities**: Images scanners cannot determine which packages were used to build Go executables and we want to scan them for vulnerabilities
-* **Scanning Dockerfile-s for security best practices**: Scan image or Dockerfile to determine whether it is using security best practices (like root containers)
-* **Custom controls and rules**: enable users to define their own Rego base rules
-* **More CI/CD tool integration**: Jenkins and etc. 😀
+* ##### Integrate with other Kubernetes CLI tools
+  Use Kubescape as a YAML validator for `kubectl` and others.
+* ##### Kubernetes audit log integration 
+  Connect Kubescape to audit log stream to enable it to produce more contextual security information based on how the API service is used.
+* ##### TUI for Kubescape 
+  Interactive terminal based user interface which helps to analyze and fix issues
+* ##### Scanning images with GO for vulnerabilities
+  Images scanners cannot determine which packages were used to build Go executables and we want to scan them for vulnerabilities
+* ##### Scanning Dockerfile-s for security best practices
+  Scan image or Dockerfile to determine whether it is using security best practices (like root containers)
+* ##### Custom controls and rules
+  Enable users to define their own Rego base rules
+* ##### More CI/CD tool integration
+  Jenkins and etc. 😀
 
 
 ## Completed features 🎓

docs/run-options.md

@@ -1,87 +0,0 @@
-<img src="kubescape.png" width="300" alt="logo" align="center">
-
-# More detailed look on command line arguments and options
-
-## Simple run:
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
-```
-
-## Flags
-
-| flag |  default | description | options |
-| --- | --- | --- | --- |
-| `-e`/`--exclude-namespaces` | Scan all namespaces | Namespaces to exclude from scanning. Recommended to exclude `kube-system` and `kube-public` namespaces |
-| `-s`/`--silent` | Display progress messages | Silent progress messages |
-| `-t`/`--fail-threshold` | `0` (do not fail) | fail command (return exit code 1) if result is below threshold| `0` -> `100` |
-| `-f`/`--format` | `pretty-printer` | Output format | `pretty-printer`/`json`/`junit` | 
-| `-o`/`--output` | print to stdout | Save scan result in file |
-| `--use-from` | | Load local framework object from specified path. If not used will download latest |
-| `--use-default` | `false` | Load local framework object from default path. If not used will download latest | `true`/`false` |
-| `--exceptions` | | Path to an [exceptions obj](examples/exceptions.json). If not set will download exceptions from Armo management portal |
-| `--results-locally` | `false` | Kubescape sends scan results to Armo management portal to allow users to control exceptions and maintain chronological scan results. Use this flag if you do not wish to use these features | `true`/`false`|
-
-## Usage & Examples
- 
-### Examples
-
-* Scan a running Kubernetes cluster with [`nsa`](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) framework
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
-```
-
-* Scan local `yaml`/`json` files before deploying
-```
-kubescape scan framework nsa *.yaml
-```
-
-
-* Scan `yaml`/`json` files from url 
-```
-kubescape scan framework nsa https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
-```
-
-* Output in `json` format 
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json
-```
-
-* Output in `junit xml` format 
-```
-kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
-```
-
-* Scan with exceptions, objects with exceptions will be presented as `warning` and not `fail`
-```
-kubescape scan framework nsa --exceptions examples/exceptions.json
-```
-
-### Helm Support
-
-* Render the helm chart using [`helm template`](https://helm.sh/docs/helm/helm_template/) and pass to stdout 
-```
-helm template [NAME] [CHART] [flags] --dry-run | kubescape scan framework nsa -
-```
-
-for example:
-```
-helm template bitnami/mysql --generate-name --dry-run | kubescape scan framework nsa -
-```
-
-### Offline Support <img src="docs/new-feature.svg">
-
-It is possible to run Kubescape offline!
-
-First download the framework and then scan with `--use-from` flag
-
-* Download and save in file, if file name not specified, will store save to `~/.kubescape/<framework name>.json`
-```
-kubescape download framework nsa --output nsa.json
-```
-
-* Scan using the downloaded framework 
-```
-kubescape scan framework nsa --use-from nsa.json
-```
-
-Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.

examples/example.md

@@ -1,5 +0,0 @@
-#! /bin/bash
-
-echo "Testing Online Boutique yamls (https://github.com/GoogleCloudPlatform/microservices-demo)"
-
-kubescape scan framework nsa online-boutique/*  

hostsensorutils/hostsensorgetfrompod.go

@@ -91,6 +91,12 @@ func (hsh *HostSensorHandler) sendAllPodsHTTPGETRequest(path, requestKind string
 	return res, nil
 }
 
+// return list of LinuxKernelVariables
+func (hsh *HostSensorHandler) GetKernelVariables() ([]hostsensor.HostSensorDataEnvelope, error) {
+	// loop over pods and port-forward it to each of them
+	return hsh.sendAllPodsHTTPGETRequest("/LinuxKernelVariables", "LinuxKernelVariables")
+}
+
 // return list of OpenPortsList
 func (hsh *HostSensorHandler) GetOpenPortsList() ([]hostsensor.HostSensorDataEnvelope, error) {
 	// loop over pods and port-forward it to each of them
@@ -195,6 +201,12 @@ func (hsh *HostSensorHandler) CollectResources() ([]hostsensor.HostSensorDataEnv
 		return kcData, err
 	}
 	res = append(res, kcData...)
+	// GetKernelVariables
+	kcData, err = hsh.GetKernelVariables()
+	if err != nil {
+		return kcData, err
+	}
+	res = append(res, kcData...)
 	// finish
 
 	logger.L().Debug("Done reading information from host sensor")

resultshandling/reporter/v2/reporteventreceiver.go

@@ -172,7 +172,7 @@ func (report *ReportEventReceiver) generateMessage() {
 	u.Scheme = "https"
 	u.Host = getter.GetArmoAPIConnector().GetFrontendURL()
 
-	if report.customerAdminEMail != "" { // data has been submitted
+	if report.customerAdminEMail != "" || report.token == "" { // data has been submitted
 		u.Path = fmt.Sprintf("configuration-scanning/%s", report.clusterName)
 	} else {
 		u.Path = "account/sign-up"