

Merge pull request #10 from DelusionalOptimist/chore/renaming-jobs
chore: strip `accuknox-` from jobs
nyrahul authored Apr 26, 2024
2 parents 35c6335 + 7033a7b commit 396b1eb
Showing 31 changed files with 147 additions and 98 deletions.
36 changes: 18 additions & 18 deletions .github/workflows/action.yaml
Expand Up @@ -11,18 +11,18 @@ on:

env:
REPO: public.ecr.aws/k9v9d5v2
CHART_NAME_K8S: accuknox-cis-k8s
CHART_PATH_K8S: ./accuknox-cis-k8s
CHART_REVISION_NAME_K8S: accuknox-cis-k8s
CHART_NAME_K8TLS: accuknox-k8tls-job
CHART_PATH_K8TLS: ./accuknox-k8tls-job
CHART_REVISION_NAME_K8TLS: accuknox-k8tls-job
CHART_NAME_KIEM: accuknox-kiem-job
CHART_PATH_KIEM: ./accuknox-kiem-job
CHART_REVISION_NAME_KIEM: accuknox-kiem-job
CHART_NAME_KUBESCAPE: accuknox-kubescape-job
CHART_PATH_KUBESCAPE: ./accuknox-kubescape-job
CHART_REVISION_NAME_KUBESCAPE: accuknox-kubescape-job
CHART_NAME_K8S: cis-k8s-job
CHART_PATH_K8S: ./cis-k8s-job
CHART_REVISION_NAME_K8S: cis-k8s-job
CHART_NAME_K8TLS: k8tls-job
CHART_PATH_K8TLS: ./k8tls-job
CHART_REVISION_NAME_K8TLS: k8tls-job
CHART_NAME_KIEM: kiem-job
CHART_PATH_KIEM: ./kiem-job
CHART_REVISION_NAME_KIEM: kiem-job
CHART_NAME_K8S_RISK_ASSESSMENT: k8s-risk-assessment-job
CHART_PATH_K8S_RISK_ASSESSMENT: ./k8s-risk-assessment-job
CHART_REVISION_NAME_K8S_RISK_ASSESSMENT: k8s-risk-assessment-job
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_DEV_ACCESS_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_DEV_SECRET_ID }}
AWS_REGION: us-east-1
Expand Down Expand Up @@ -77,7 +77,7 @@ jobs:
chart-path: ${{ env.CHART_PATH_KIEM }}
revision-name: ${{ env.CHART_REVISION_NAME_KIEM}}

chart-validate-kubescape:
chart-validate-k8s-risk-assessment:
runs-on: ubuntu-latest
if: always() && !contains(needs.tag-validate.result, 'failure')
needs: [tag-validate]
Expand All @@ -87,8 +87,8 @@ jobs:
- name: Validate helm chart
uses: accuknox/common-gh-actions/actions/helm-check@main
with:
chart-path: ${{ env.CHART_PATH_KUBESCAPE }}
revision-name: ${{ env.CHART_REVISION_NAME_KUBESCAPE}}
chart-path: ${{ env.CHART_PATH_K8S_RISK_ASSESSMENT }}
revision-name: ${{ env.CHART_REVISION_NAME_K8S_RISK_ASSESSMENT}}

chart-push-k8s:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -138,17 +138,17 @@ jobs:
ecr-repo: ${{ env.REPO }}
type: public

chart-push-kubescape:
chart-push-k8s-risk-assessment:
runs-on: ubuntu-latest
needs: [chart-validate-kubescape]
needs: [chart-validate-k8s-risk-assessment]
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Checkout source
uses: accuknox/common-gh-actions/actions/checkout-source@main
- name: Push helm chart to ECR
uses: accuknox/common-gh-actions/actions/helm-push@main
with:
chart-path: ${{ env.CHART_PATH_KUBESCAPE }}
chart-path: ${{ env.CHART_PATH_K8S_RISK_ASSESSMENT }}
version: ${{ github.ref_name }}
ecr-region: ${{ env.AWS_REGION }}
ecr-repo: ${{ env.REPO }}
12 changes: 10 additions & 2 deletions README.md
Expand Up @@ -6,8 +6,16 @@ Set of jobs that integrate with AccuKnox SaaS to provide reporting/assessment.

## K8s CIS Scanning job

[accuknox-cis-job](accuknox-cis-job)
[cis-k8s-job](cis-k8s-job)

## K8s Service Endpoint scanning job

[accuknox-k8tls-job](accuknox-k8tls-job)
[k8tls-job](k8tls-job)

## Kubernetes Identity and Entitlement Management (KIEM) job

[kiem-job](kiem-job)

## Kubernetes Risk Assessment job

[k8s-risk-assessment-job](k8s-risk-assessment-job)
File renamed without changes.
2 changes: 1 addition & 1 deletion accuknox-cis-k8s/Chart.yaml → cis-k8s-job/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
name: accuknox-cis-k8s
name: cis-k8s-job
description: A Helm chart for Kubernetes

# A chart can be either an 'application' or a 'library' chart.
4 changes: 2 additions & 2 deletions accuknox-cis-k8s/README.md → cis-k8s-job/README.md
@@ -1,9 +1,9 @@
# AccuKnox CIS Job
# AccuKnox CIS K8s Job

## Helm install

```
helm upgrade --install accuknox-cis-job . --set accuknox.authToken="TOKEN"
helm upgrade --install cis-k8s-job . --set accuknox.authToken="TOKEN"
```
where TOKEN is issued from AccuKnox SaaS.

@@ -1,7 +1,7 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "accuknox-cis-job.name" -}}
{{- define "cis-k8s-job.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

Expand All @@ -10,7 +10,7 @@ Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "accuknox-cis-job.fullname" -}}
{{- define "cis-k8s-job.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
Expand All @@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "accuknox-cis-job.chart" -}}
{{- define "cis-k8s-job.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "accuknox-cis-job.labels" -}}
helm.sh/chart: {{ include "accuknox-cis-job.chart" . }}
{{ include "accuknox-cis-job.selectorLabels" . }}
{{- define "cis-k8s-job.labels" -}}
helm.sh/chart: {{ include "cis-k8s-job.chart" . }}
{{ include "cis-k8s-job.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
Expand All @@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
{{/*
Selector labels
*/}}
{{- define "accuknox-cis-job.selectorLabels" -}}
app.kubernetes.io/name: {{ include "accuknox-cis-job.name" . }}
{{- define "cis-k8s-job.selectorLabels" -}}
app.kubernetes.io/name: {{ include "cis-k8s-job.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "accuknox-cis-job.serviceAccountName" -}}
{{- define "cis-k8s-job.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "accuknox-cis-job.fullname" .) .Values.serviceAccount.name }}
{{- default (include "cis-k8s-job.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
@@ -1,20 +1,20 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: accuknox-cis-cronjob
name: cis-k8s-cronjob
namespace: {{ .Release.Namespace }}
spec:
jobTemplate:
metadata:
name: accuknox-cis-cronjob
name: cis-k8s-cronjob
spec:
template:
spec:
containers:
- image: accuknox/accuknox-job:latest
command: ["/bin/sh", "-c"]
args: ['curl --location --request POST "https://cspm.$ENV_URL.accuknox.com/api/v1/artifact/?tenant_id=$TENANT_ID&data_type=KB&save_to_s3=true" --header "Authorization: Bearer $AUTH_TOKEN" --form "file=@\"./data/report.json\""']
name: accuknox-cis-cronjob
args: ['curl --location --request POST "https://$ENV_URL/api/v1/artifact/?tenant_id=$TENANT_ID&data_type=KB&save_to_s3=true" --header "Authorization: Bearer $AUTH_TOKEN" --form "file=@\"./data/report.json\""']
name: cis-k8s-cronjob
resources: {}
env:
- name: AUTH_TOKEN
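Review bot: The rewritten `args` line now builds the upload URL as `https://$ENV_URL/...`, so the host that receives the bearer `$AUTH_TOKEN` and the CIS report is whatever `accuknox.URL` contains, no longer constrained to `cspm.<env>.accuknox.com`; a mistyped or tampered value sends the token to an arbitrary endpoint. The curl call also has no `--fail`, so a 401 for an expired token or a 5xx still exits 0 and the Job is recorded as successful, and `--location` on a POST turns a 301/302/303 into a GET without the body. I would change it to `curl --fail --silent --show-error --request POST "https://$ENV_URL/api/v1/artifact/?tenant_id=$TENANT_ID&data_type=KB&save_to_s3=true" --header "Authorization: Bearer $AUTH_TOKEN" --form "file=@\"./data/report.json\""` and constrain `accuknox.URL` to a bare hostname in a `values.schema.json`. The CronJob spec, including the `env` entries that define `ENV_URL` and `TENANT_ID`, continues past the end of the hunk, so how those values are populated could not be checked here.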
6 changes: 3 additions & 3 deletions accuknox-cis-k8s/values.yaml → cis-k8s-job/values.yaml
@@ -1,12 +1,12 @@
# Default values for accuknox-cis-job.
# Default values for cis-k8s-job.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

accuknox:
authToken: "NO-TOKEN-SET"
cronTab: "0 */4 * * *"
cronTab: "30 9 * * *"
clusterName: ""
label: ""
clusterId: ""
tenantId: ""
URL: "dev"
URL: "cspm.demo.accuknox.com"
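Review bot: `URL` now defaults to the concrete host `cspm.demo.accuknox.com`, so an install that omits `--set accuknox.URL=...` silently posts the cluster's CIS report and the bearer token to the demo environment rather than the tenant's own; the old `dev` default had the same weakness, but the new value is a full host that the cronjob template in this commit interpolates directly into the curl URL. Since `authToken` deliberately has no usable default (`NO-TOKEN-SET`), `URL` would be safer left empty and enforced at render time with `{{ required "accuknox.URL must be set" .Values.accuknox.URL }}` in the template. If a default is kept, the chart README should state it together with the new `30 9 * * *` schedule (09:30 UTC daily, down from every four hours), as its install example only sets `authToken`.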
File renamed without changes.
@@ -1,6 +1,6 @@
apiVersion: v2
name: accuknox-kubescape-job
description: A Helm chart for creating AccuKnox kubescape job
name: k8s-risk-assessment-job
description: A Helm chart for creating AccuKnox k8s-risk-assessment job
type: application
version: 0.1.0

@@ -0,0 +1,32 @@
# AccuKnox k8s-risk-assessment Job

A job for scanning cluster misconfiguration through kubescape

## Helm install

### Local

```
helm upgrade --install k8s-risk-assessment-job -n k8s-risk-assessment --create-namespace --set accuknox.authToken="TOKEN" .
```

### Published

```
helm upgrade --install k8s-risk-assessment-job oci://public.ecr.aws/k9v9d5v2/k8s-risk-assessment-job -n k8s-risk-assessment --create-namespace --set accuknox.authToken="TOKEN"
```

where TOKEN is issued from AccuKnox SaaS.

### Configuration

| Helm key | Default Value | Description | Required |
|----------|---------------|-------------| -------- |
| accuknox.authToken | "NO-TOKEN-SET" | Auth token from AccuKnox SaaS | YES (auto-populated by SaaS) |
| accuknox.URL | "cspm.dev.accuknox.com" | URL of the environment | YES (auto-populated by SaaS) |
| accuknox.clusterName | "default" | name of the cluster | YES (auto-populated by SaaS) |
| accuknox.tenantID | "" | ID of AccuKnox tenant | YES (auto-populated by SaaS) |
| accuknox.cronTab | "0 */6 * * *" | cron tab for the job - timezone: UTC | NO |
| accunkox.label | "default" | label of the cluster | NO |
| kubescape.image.repository | "quay.io/kubescape/kubescape-cli" | kubescape image repo | NO |
| kubescape.image.tag | v3.0.8 | kubescape version - taken from appVersion by default | NO |
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubescape-clusterrole
name: k8s-risk-assessment-job-clusterrole
rules:
- apiGroups:
- ""
@@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubescape-clusterrole-binding
name: k8s-risk-assessment-job-clusterrole-binding
subjects:
- namespace: {{ .Release.Namespace }}
kind: ServiceAccount
name: kubescape-service-account
name: k8s-risk-assessment-job-service-account
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubescape-clusterrole
name: k8s-risk-assessment-job-clusterrole
@@ -1,7 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: accuknox-kubescape-cronjob-script-configmap
name: k8s-risk-assessment-job-script-configmap
namespace: {{ .Release.Namespace }}
data:
augment-and-push-results.sh: |
Expand All @@ -27,9 +27,11 @@ data:
}
}" /data/report.json --slurpfile controllist /data/controllist.json) > /data/report.json
cat /data/report.json
# push
curl --location --request POST \
--header "Authorization: Bearer ${AUTH_TOKEN}" \
--header "Tenant-Id: ${TENANT_ID}" \
--form "file=@\"/data/report.json\"" \
"https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=kubescape&save_to_s3=false"
"https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KS&save_to_s3=false"
@@ -1,7 +1,7 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: accuknox-kubescape-job
name: k8s-risk-assessment-job
namespace: {{ .Release.Namespace }}
spec:
schedule: "{{ .Values.accuknox.cronTab }}"
Expand All @@ -11,12 +11,12 @@ spec:
jobTemplate:
metadata:
labels:
app: accuknox-kubescape-job
app: k8s-risk-assessment-job
spec:
template:
spec:
initContainers:
- name: kubescape-init
- name: job-init-container
image: "{{ .Values.kubescape.image.repository }}:{{ if ne .Values.kubescape.image.tag "" }}{{ .Values.kubescape.image.tag }}{{ else }}v{{ .Chart.AppVersion }}{{ end }}"
args: ["scan", "framework", "allcontrols,clusterscan,mitre,nsa", "--format", "json", "--cache-dir", "/data/kubescape-cache", "--output", "/data/report.json", "--cluster-name=$(CLUSTER_NAME)"]
env:
Expand All @@ -27,7 +27,7 @@ spec:
mountPath: /data
containers:
- image: accuknox/accuknox-job:latest
name: accuknox-kubescape-cronjob
name: artifact-api-container
command:
- '/bin/bash'
- '/script/augment-and-push-results.sh'
Expand All @@ -52,6 +52,6 @@ spec:
emptyDir: {}
- name: scriptpath
configMap:
name: accuknox-kubescape-cronjob-script-configmap
name: k8s-risk-assessment-job-script-configmap
restartPolicy: OnFailure
serviceAccount: kubescape-service-account
serviceAccount: k8s-risk-assessment-job-service-account
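Review bot: The renamed `serviceAccount: k8s-risk-assessment-job-service-account` on the last line uses the PodSpec field Kubernetes marks as deprecated in favour of `serviceAccountName`; since the line is being touched anyway, `serviceAccountName: k8s-risk-assessment-job-service-account` is the supported spelling. The ServiceAccount, ClusterRole and ClusterRoleBinding names are hard-coded rather than derived from the release, so two releases of this chart in one cluster would collide on the cluster-scoped objects; that is pre-existing, but a rename commit is the natural moment to template them from the release name. The init container and `accuknox/accuknox-job:latest` lines are unchanged context, so the mutable `latest` tag is not part of this change.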
@@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubescape-service-account
name: k8s-risk-assessment-job-service-account
namespace: {{ .Release.Namespace }}
@@ -1,4 +1,4 @@
# Default values for accuknox-kubescape-job.
# Default values for k8s-risk-assessment-job.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

Expand All @@ -12,8 +12,8 @@ replicaCount: 1

accuknox:
authToken: "NO-TOKEN-SET"
URL: "cspm.dev.accuknox.com"
URL: "cspm.demo.accuknox.com"
tenantID: ""
cronTab: "0 */6 * * *"
cronTab: "30 9 * * *"
clusterName: ""
label: ""
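Review bot: The defaults changed here — `URL: "cspm.demo.accuknox.com"` and `cronTab: "30 9 * * *"` — disagree with the configuration table in the `k8s-risk-assessment-job/README.md` added in this same commit, which still lists `cspm.dev.accuknox.com` and `0 */6 * * *`, and lists `"default"` for `clusterName` and `label` where this file has `""`. One of the two should be corrected before the chart is pushed, since an operator reading the README will assume reports go to the dev host and run every six hours. As with the CIS chart, a shared-environment host as the default means an install without `--set accuknox.URL=...` posts the kubescape report and bearer token to the demo tenant; an empty default guarded by `required` in the template would fail fast instead. The README table also misspells the key as `accunkox.label`.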
File renamed without changes.
4 changes: 2 additions & 2 deletions accuknox-k8tls-job/Chart.yaml → k8tls-job/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: accuknox-k8tls-job
description: A Helm chart for Kubernetes
name: k8tls-job
description: A Helm chart for running k8tls

# A chart can be either an 'application' or a 'library' chart.
#
Expand Up @@ -3,7 +3,7 @@
## Helm install

```
helm upgrade --install accuknox-k8tls-job . --set accuknox.authToken="TOKEN"
helm upgrade --install k8tls-job . --set accuknox.authToken="TOKEN"
```
where TOKEN is issued from AccuKnox SaaS.

