kubescape/httphandler/README.md
David Wertenteil 0f3ce6917e Release (#844)
* Fix issue for scanning list obj

* Fix go mod in httphandler pkg

* Broken links fix in roadmap.md 

Planning, backlog, and wishlist links were not leading to the required section.

* override infoMap only if it's not nil

* improved icon of kubescape in readme

* Support scanning several files

* grammatical improvements

* docs(readme): Star → star

* Fix issues according to review

* Handle issues caused by updating opa-utils

* Fix scanning ListObj following reviews

* Update core/pkg/resourcehandler/filesloader.go

Co-authored-by: Vlad Klokun <vladklokun@users.noreply.github.com>

* Update completion.go

* Added fixed control input

* update go.mod

* Print chart name log when fail to generate

* Change formatting to %s

* Added resource prioritization information, raw resource will be sent on the result object

* Merging typo fixes from master (#772)

* greetings

* Update aws.sh

simplified the comment

* typo: In the title and h1 element

There was a typo in the index.html file.

* punctuation changes

* docs : added gitpod badge in readme.md

* fixed typos

* Some grammar mistakes are corrected in the PULL_REQUEST_TEMPLATE.md file

* Updated README.md file

Added link to CONTRIBUTING.md file in a line in README.

* Added link to code of conduct file

I have added link to the code of conduct file and fixed some problems in the Readme file.

* Fixed readme

* Added alpine tag

Adding alpine tag instead of latest and removing repeating commands

* roadmap.md file is modified

* Automatically Close "Typo" labelled Issue

* build.py is modified

* modified PR template

* Fixed some typos in feature_request.md

"." at the end of the headings was missing and all the text was on the same line.
Now this gives a clear and concise view of the text.

* fixed the typo in docs/index.html

Found and fixed typo in the 'alt' attribute of img tag

* Update PULL_REQUEST_TEMPLATE.md

Co-authored-by: Krishna Agarwal <dmkrishna.agarwal@gmail.com>
Co-authored-by: Saswata Senapati <74651639+saswat16@users.noreply.github.com>
Co-authored-by: Rahul Singh <110548934+rahuldhirendersingh@users.noreply.github.com>
Co-authored-by: deepuyadav004 <deepuyadavze@gmail.com>
Co-authored-by: kartik <97971066+kartikgajjar7@users.noreply.github.com>
Co-authored-by: Rounak-28 <95576871+Rounak-28@users.noreply.github.com>
Co-authored-by: pwnb0y <vickykr07@yahoo.com>
Co-authored-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>
Co-authored-by: Saptarshi Sarkar <saptarshi.programmer@gmail.com>
Co-authored-by: Rahul Surwade <93492791+RahulSurwade08@users.noreply.github.com>
Co-authored-by: Suhas Gumma <43647369+suhasgumma@users.noreply.github.com>
Co-authored-by: Kamal Nayan <95926324+legendarykamal@users.noreply.github.com>
Co-authored-by: TarangVerma <90996971+TarangVerma@users.noreply.github.com>
Co-authored-by: avikittu <65793296+avikittu@users.noreply.github.com>

* update logger version

* update logger version (#773)

* Fixed: Kubescape fails to authenticate remote private GitHub repo (#721)

* grammar error fixer in CONTRIBUTING.md

* scanning a private git repository is available

* giturl to gitapi

* NO TOKEN error functionality added

* Used GetToken method of giturl.IGitAPPI for auth

Co-authored-by: satyam kale <satyamkale271@gmail.com>
Co-authored-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>

* bump opa-utils to 181

* Option to force enable color output (closes #560) (#767)

* Option to force enable color output (closes #560)

(cherry picked from commit 4f951781ee8dd6bb451ac7d159787f47e4b07379)

* Update go.mod

* update scanner image

* Update host scanner image  (#774)

* update logger version

* update scanner image

* remove windows exe extension

* Remove windows extension build (#775)

* update logger version

* update scanner image

* remove windows exe extension

* commented out prioritization logic

* Edit Junit output (#802)

* Edit Junit output

* Update go sum

* Following review

* update AdoptClusterName

* Print line separator only if some controls failed (#813)

* removed the extra 'download' word from the example (#810)

It was confusing to understand the download command because there was an extra 'download' mentioned.

* Prioritization (#815)

* removed commented out code

* Added attack tracks information to prioritization algorithm

* bump opa-utils

* go mod tidy

* go mod tidy

* CR changes

* Issue 613 cluster name (#783)

* added --clusterName flag (#613)

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>

* update flag name to --cluster-name

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>

* Per 307 fail on severity counters (#831)

* feat: fail on exceeding severity thresholds (#830)

- Add support for severity counters
- Add support for CLI flags that set severity thresholds
- Terminate Kubescape with an exit code 1 if scan results exceed the
  severity thresholds

* Update opa-utils pkg version

Co-authored-by: Vlad Klokun <vladklokun@users.noreply.github.com>

* Fix merge conflict

* typo in .gitignore file (#833)

* remove unsupported installation method

* fixed welcome message

* fixed merge

* fixed attack tracks loading logic

* add flag validation for --account-id (#605) (#793)

* add flag validation for --account-id (#605)

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>

* add flag validation for --client-id & --secret-key

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>

* Validation method should be a member function

* Adding unit tests for credentials validate

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
Co-authored-by: David Wertenteil <dwertent@armosec.io>

* Scan Kustomize Directory (#795)

* Scan Kustomize Files

* update 'scan Kustomize Directory' documentation in Readme.md

* go get

* go get inside httphandler

* SourceTypeKustomizeDirectory

* Added Scan for Kustomization File

Co-authored-by: David Wertenteil <dwertent@armosec.io>

* feat: unify severity threshold into one CLI flag (#838)

* feat: unify severity threshold into one CLI flag

Before this commit, severity threshold flags were separated by severity.
This commit unifies these thresholds into one flag that forces Kubescape
to terminate with an exit code 1 if there was at least one failed
control at the specified severity threshold or above.

* chore: update opa utils version

* chore: update opa-utils in httphandler

* feat: don't enforce severity by default

The previous iteration of supporting the severity threshold enforced it even
if the severity threshold was not explicitly specified.
This change enforces the severity threshold only if it has been
explicitly set.

* refactor: clarify flagValidationFramework func name

This change clarifies the meaning of the function that validates the
scan info for the `scan framework` command.
It achieves this by renaming the `flagValidationFramework` function to
`validateFrameworkScanInfo`.

* Merge branch 'master' into dev

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
Co-authored-by: Moshe-Rappaport-CA <moshep@armosec.io>
Co-authored-by: Moshe Rappaport <89577611+Moshe-Rappaport-CA@users.noreply.github.com>
Co-authored-by: Om Raut <33827410+om2137@users.noreply.github.com>
Co-authored-by: Kamal Nayan <95926324+legendarykamal@users.noreply.github.com>
Co-authored-by: Vlad Klokun <vladklokun@users.noreply.github.com>
Co-authored-by: Chirag Arora <84070677+Chirag8023@users.noreply.github.com>
Co-authored-by: shm12 <shmuelb@armosec.io>
Co-authored-by: Amir Malka <amirm@armosec.io>
Co-authored-by: Krishna Agarwal <dmkrishna.agarwal@gmail.com>
Co-authored-by: Saswata Senapati <74651639+saswat16@users.noreply.github.com>
Co-authored-by: Rahul Singh <110548934+rahuldhirendersingh@users.noreply.github.com>
Co-authored-by: deepuyadav004 <deepuyadavze@gmail.com>
Co-authored-by: kartik <97971066+kartikgajjar7@users.noreply.github.com>
Co-authored-by: Rounak-28 <95576871+Rounak-28@users.noreply.github.com>
Co-authored-by: pwnb0y <vickykr07@yahoo.com>
Co-authored-by: Ben Hirschberg <59160382+slashben@users.noreply.github.com>
Co-authored-by: Saptarshi Sarkar <saptarshi.programmer@gmail.com>
Co-authored-by: Rahul Surwade <93492791+RahulSurwade08@users.noreply.github.com>
Co-authored-by: Suhas Gumma <43647369+suhasgumma@users.noreply.github.com>
Co-authored-by: TarangVerma <90996971+TarangVerma@users.noreply.github.com>
Co-authored-by: avikittu <65793296+avikittu@users.noreply.github.com>
Co-authored-by: satyam kale <satyamkale271@gmail.com>
Co-authored-by: Aditya Pratap Singh <adityapratapsingh51@gmail.com>
Co-authored-by: Ashray Shetty <ashrayshetty1999@gmail.com>
Co-authored-by: Anubhav Gupta <mail.anubhav06@gmail.com>
Co-authored-by: Meyazhagan <meyazhagan.ofcl@gmail.com>
2022-09-29 08:48:09 +03:00


Kubescape HTTP Handler Package

Running kubescape will start a web server on port 8080 which serves the following APIs:

Trigger scan

  • POST /v1/scan - triggers a Kubescape scan. The server returns a scan ID and executes the scan asynchronously. The request body is the trigger scan object described under Objects below. Supported query params:
    • wait=true: scan synchronously (return the results instead of an ID). Use only in small clusters or with an increased timeout. Default is wait=false
    • keep=true: do not delete the results from local storage after returning them. Default is keep=false
  • POST /v1/metrics - trigger kubescape for Prometheus support. See the Prometheus support API section below.

Response:

{
  "id": <str>,                      // scan ID
  "type": "busy",                   // response object type
  "response": <message:string>      // message indicating scanning is still in progress
}

When the scan was triggered with the wait=true query param, the response has the same shape as the /v1/results API response.

Get results

  • GET /v1/results - request kubescape scan results
    • query id=<string> -> request the results of a specific scan ID. If empty, the latest results are returned
    • query keep=true -> keep the results in local storage after returning them. Default is keep=false, meaning the results are deleted from local storage after they are returned

Response:

When scanning was done successfully

{
  "id": <str>,                      // scan ID
  "type": "v1results",              // response object type
  "response": <object:v1results>    // v1 results payload
}

When scanning failed

{
  "id": <str>,                  // scan ID
  "type": "error",              // response object type
  "response": <error:string>    // error string
}

When scanning is in progress

{
  "id": <str>,                    // scan ID
  "type": "busy",                 // response object type
  "response": <message:string>    // message indicating scanning is still in progress
}

Check scanning progress status

Check the scanning status - is the scan in progress or done? This is meant as a polling mechanism, since this API does not return the entire results object when the scan is done.

  • GET /v1/status - request kubescape scan status
    • query id=<string> -> check the status of a specific scan. If empty, it will check whether any scan is still in progress

Response:

When scanning is in progress

{
  "id": <str>,                    // scan ID
  "type": "busy",                 // response object type
  "response": <message:string>    // message indicating scanning is still in progress
}

When scanning is not in progress

{
  "id": <str>,                    // scan ID
  "type": "notBusy",              // response object type
  "response": <message:string>    // message indicating scanning is successfully done
}

Delete cached results

  • DELETE /v1/results - delete kubescape scan results from storage. If no query is given, the latest results are deleted
    • query id=<string>: delete the results of a specific scan ID
    • query all: delete all cached results

Prometheus support API

  • GET/POST /v1/metrics - triggers a cluster scan and responds with Prometheus metrics once the scan has completed. Responds with 503 if the scan failed.
  • /livez - responds with 200 if the server is alive
  • /readyz - responds with 200 if the server can receive requests

Objects

Trigger scan object

{
  "format": <str>,               // results format [default: json] (same as 'kubescape scan --format')
  "excludedNamespaces": [<str>], // list of namespaces to exclude (same as 'kubescape scan --excluded-namespaces')
  "includeNamespaces": [<str>],  // list of namespaces to include (same as 'kubescape scan --include-namespaces')
  "useCachedArtifacts": <bool>,  // use the cached artifacts instead of downloading (offline support)
  "submit": <bool>,              // submit results to Kubescape cloud (same as 'kubescape scan --submit')
  "hostScanner": <bool>,         // deploy Kubescape K8s host-scanner DaemonSet in the scanned cluster (same as 'kubescape scan --enable-host-scan')
  "keepLocal": <bool>,           // do not submit results to Kubescape cloud (same as 'kubescape scan --keep-local')
  "account": <str>,              // account ID (same as 'kubescape scan --account')
  "targetType": <str>,           // framework/control
  "targetNames": [<str>]         // names. e.g. when targetType==framework, targetNames=["nsa", "mitre"]
}

Response object

{
  "id": <str>,                      // scan ID
  "type": <responseType:str>,       // response object type
  "response": <object:interface>    // response payload as list of bytes
}

Response object types

  • "v1results" - v1 results object
  • "busy" - server is busy processing previous requests
  • "notBusy" - server is not busy processing previous requests
  • "ready" - server is done processing request and results are ready
  • "error" - error object
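A small polling client for the trigger / status / results flow documented above, added here as an example; it is not part of the kubescape project. It assumes the server listens on the default 127.0.0.1:8080, and the names http_json, scan_request, trigger_scan and wait_for_results are the example's own.

```python
import json
import time
import urllib.request
from urllib.parse import quote
from typing import Callable, Optional

BASE_URL = "http://127.0.0.1:8080"  # assumed: the README's default port on localhost
Sender = Callable[[str, str, Optional[dict]], dict]


def http_json(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Send one request to the handler and decode its JSON response object."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def scan_request(target_type: str, target_names: list, **opts) -> dict:
    """Build a trigger-scan object; targetType is limited to the two documented values."""
    if target_type not in ("framework", "control"):
        raise ValueError(f"targetType must be 'framework' or 'control', got {target_type!r}")
    return {"targetType": target_type, "targetNames": target_names, **opts}


def trigger_scan(scan_obj: dict, send: Sender = http_json) -> str:
    """POST /v1/scan without wait=true; the server answers 'busy' with the scan ID."""
    resp = send("POST", f"{BASE_URL}/v1/scan", scan_obj)
    if resp.get("type") != "busy":
        raise RuntimeError(f"unexpected response type {resp.get('type')!r}")
    return resp["id"]


def wait_for_results(scan_id: str, send: Sender = http_json,
                     poll_seconds: float = 5.0, max_polls: int = 120) -> dict:
    """Poll GET /v1/status until 'notBusy', then GET /v1/results exactly once
    (with the default keep=false the server deletes results after returning them).
    An 'error' response object raises, so a failed scan is never read as a clean one."""
    for _ in range(max_polls):
        status = send("GET", f"{BASE_URL}/v1/status?id={quote(scan_id)}", None)
        if status.get("type") == "notBusy":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"scan {scan_id} still busy after {max_polls} polls")
    result = send("GET", f"{BASE_URL}/v1/results?id={quote(scan_id)}", None)
    if result.get("type") == "error":
        raise RuntimeError(f"scan {scan_id} failed: {result.get('response')}")
    if result.get("type") != "v1results":
        raise RuntimeError(f"unexpected response type {result.get('type')!r}")
    return result["response"]
```

The `send` parameter exists so the flow can be exercised against canned response objects without a running server; in normal use the default `http_json` is used.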

API Examples

Default scan

  1. Trigger a kubescape scan
curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true, "submit": true}' http://127.0.0.1:8080/v1/scan
  2. Get the kubescape scan results
curl --request GET http://127.0.0.1:8080/v1/results -o response.json

Trigger scan and wait for the scan to end

curl --header "Content-Type: application/json" --request POST --data '{"hostScanner":true, "submit": true}' 'http://127.0.0.1:8080/v1/scan?wait' -o scan_results.json

Scan single namespace with a specific framework

curl --header "Content-Type: application/json" \
  --request POST \
  --data '{"hostScanner":true, "submit":true, "includeNamespaces": ["kubescape"], "targetType": "framework", "targetNames": ["nsa"] }' \
  http://127.0.0.1:8080/v1/scan

Data profiling

Analyze profiled data using pprof; see the pprof documentation for how to use it.

example:

go tool pprof http://localhost:6060/debug/pprof/heap

Examples

Supported environment variables

  • KS_ACCOUNT: Account ID
  • KS_SUBMIT: Submit the results to the Kubescape SaaS version
  • KS_EXCLUDE_NAMESPACES: List of namespaces to exclude, e.g. KS_EXCLUDE_NAMESPACES=kube-system,kube-public
  • KS_INCLUDE_NAMESPACES: List of namespaces to include, rest of the namespaces will be ignored. e.g. KS_INCLUDE_NAMESPACES=dev,prod
  • KS_HOST_SCAN_YAML: Full path to the host scanner YAML
  • KS_FORMAT: Output file format. Default is json
  • KS_ENABLE_HOST_SCANNER: Enable the host scanner feature
  • KS_DOWNLOAD_ARTIFACTS: Download the artifacts every scan
  • KS_LOGGER_NAME: Set logger name
  • KS_LOGGER_LEVEL: Set logger level