Skip to content

Commit

Permalink
Insecure connection handling (accuknox#38)
Browse files Browse the repository at this point in the history 
* handling insecure connections

* handling insecure connections

* handling insecure connections

* handling insecure connections

* removed hardcorded data_type for curl command

* modifing docker file

* modifing docker file

* modifing K8s-risk-management

* modifing K8s-risk-management

* values update

* values update

* new_requirement of allowing local cert

* Update curl_command.sh

* logic for cert from local

* changes for local cert

* changes for local cert

---------

Co-authored-by: Sujith Reddy <60265529+SujithKasireddy@users.noreply.github.com>
  • Loading branch information
@surya9839 @SujithKasireddy
surya9839 and SujithKasireddy authored Nov 11, 2024
1 parent 7581539 commit fa61f4c
Show file tree
Hide file tree
Showing 16 changed files with 211 additions and 41 deletions.
Binary file added .DS_Store
View file
Binary file not shown.
4 changes: 4 additions & 0 deletions Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,9 @@ FROM alpine:latest

RUN apk --update add jq curl
COPY entrypoint.sh .
COPY curl_command.sh .

# Grant execute permissions to the scripts
RUN chmod +x entrypoint.sh curl_command.sh

ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
Binary file added cis-k8s-job/.DS_Store
View file
Binary file not shown.
112 changes: 87 additions & 25 deletions cis-k8s-job/templates/cis-cron-job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,53 +10,115 @@ spec:
spec:
template:
spec:
{{- if or (or (contains "master" .Values.toolConfig.nodeType) (contains "controlplane" .Values.toolConfig.nodeType)) (or (contains "master" .Values.toolConfig.targets) (contains "controlplane" .Values.toolConfig.targets)) }}
{{- include "masterConfig" .Values.toolConfig | trim | nindent 10 }}
{{- end }}
{{- if .Values.imagePullSecrets.name }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets.name }}
{{- end }}
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
- image: accuknox/accuknox-job:latest
command: ["/bin/sh", "-c"]
args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
name: cis-k8s-cronjob
resources: {}
env:
- name: AUTH_TOKEN
valueFrom:
secretKeyRef:
key: AUTH_TOKEN
{{- if (.Values.accuknox.secretName | empty) }}
name: cis-k8s-job-auth-token
{{- else }}
name: {{ .Values.accuknox.secretName }}
{{- end }}
value: {{ .Values.accuknox.authToken }}
- name: CLUSTER_NAME
value: {{ .Values.accuknox.clusterName }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CLUSTER_ID
value: {{ .Values.accuknox.clusterId }}
value: {{ .Values.accuknox.clusterID }}
- name: TENANT_ID
value: {{ .Values.accuknox.tenantId | quote}}
value: {{ .Values.accuknox.tenantID | quote}}
- name: URL
value: {{ .Values.accuknox.url }}
value: {{ .Values.accuknox.URL }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KB"
volumeMounts:
- mountPath: /data
name: datapath
initContainers:
- image: "{{ .Values.kubeBench.image.repository }}:{{ .Values.kubeBench.image.tag }}"
command:
{{- include "cmd" .Values.toolConfig | trim | nindent 13 }}
- image: docker.io/aquasec/kube-bench:v0.6.19
command: ["/bin/sh", "-c"]
args: ["kube-bench run --json > /data/report.json"]
name: kube-bench
volumeMounts:
{{- include "volumeMounts" .Values.toolConfig | trim | nindent 13 }}
- mountPath: /data
name: datapath
- mountPath: /var/lib/etcd
name: var-lib-etcd
readOnly: true
- mountPath: /var/lib/kubelet
name: var-lib-kubelet
readOnly: true
- mountPath: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
readOnly: true
- mountPath: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
readOnly: true
- mountPath: /etc/systemd
name: etc-systemd
readOnly: true
- mountPath: /lib/systemd/
name: lib-systemd
readOnly: true
- mountPath: /srv/kubernetes/
name: srv-kubernetes
readOnly: true
- mountPath: /etc/kubernetes
name: etc-kubernetes
readOnly: true
- mountPath: /usr/local/mount-from-host/bin
name: usr-bin
readOnly: true
- mountPath: /etc/cni/net.d/
name: etc-cni-netd
readOnly: true
- mountPath: /opt/cni/bin/
name: opt-cni-bin
readOnly: true
hostPID: true
restartPolicy: Never
volumes:
{{- include "volumes" .Values.toolConfig | trim | nindent 11 }}
- name: datapath
emptyDir: {}
- hostPath:
path: /var/lib/etcd
name: var-lib-etcd
- hostPath:
path: /var/lib/kubelet
name: var-lib-kubelet
- hostPath:
path: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
- hostPath:
path: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
- hostPath:
path: /etc/systemd
name: etc-systemd
- hostPath:
path: /lib/systemd
name: lib-systemd
- hostPath:
path: /srv/kubernetes
name: srv-kubernetes
- hostPath:
path: /etc/kubernetes
name: etc-kubernetes
- hostPath:
path: /usr/bin
name: usr-bin
- hostPath:
path: /etc/cni/net.d/
name: etc-cni-netd
- hostPath:
path: /opt/cni/bin/
name: opt-cni-bin

schedule: "{{ .Values.accuknox.cronTab }}"
successfulJobsHistoryLimit: 1
Expand Down
16 changes: 12 additions & 4 deletions cis-k8s-job/templates/cis-job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ spec:
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ["/bin/sh", "-c"]
args: ['/bin/sh entrypoint.sh && curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KB&label_id=${LABEL_NAME}&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"./data/report.json\"" && cat /data/report.json']
args: ['/bin/sh entrypoint.sh && ./curl_command.sh']
name: cis-k8s-cronjob
resources: {}
env:
Expand All @@ -41,11 +41,19 @@ spec:
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CLUSTER_ID
value: {{ .Values.accuknox.clusterId }}
value: {{ .Values.accuknox.clusterID }}
- name: TENANT_ID
value: {{ .Values.accuknox.tenantId | quote}}
value: {{ .Values.accuknox.tenantID | quote}}
- name: URL
value: {{ .Values.accuknox.url }}
value: {{ .Values.accuknox.URL }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KB"
volumeMounts:
- mountPath: /data
name: datapath
Expand Down
34 changes: 34 additions & 0 deletions curl_command.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
#!/bin/sh

# Initialize CURL_FLAGS to handle both insecure and certificate usage
CURL_FLAGS=""

# Always add --insecure if USE_INSECURE_CONNECTION is true
if [ "$USE_INSECURE_CONNECTION" = "true" ]; then
CURL_FLAGS="$CURL_FLAGS --insecure"
fi

# Add certificate flags if CERT_BUNDLE_PATH is provided
if [ -n "$CERT_BUNDLE_PATH" ]; then
echo "Using in-line certificate content from CERT_BUNDLE_PATH..."
printf "%b" "$CERT_BUNDLE_PATH" > /tmp/cert.pem
CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
elif [ -n "$CERT_BUNDLE_URL" ]; then
echo "Attempting to download certificate from $CERT_BUNDLE_URL..."
if curl -o /tmp/cert.pem "$CERT_BUNDLE_URL"; then
CURL_FLAGS="$CURL_FLAGS --cacert /tmp/cert.pem"
else
echo "Certificate not available or failed to download."
fi
fi

# main curl command
curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=${DATA_TYPE}&label_id=${LABEL_NAME}&save_to_s3=true" \
--header "Tenant-Id: ${TENANT_ID}" \
--header "Authorization: Bearer ${AUTH_TOKEN}" \
$CURL_FLAGS \
--form "file=@/data/report.json" || exit 1

# Print the report
cat /data/report.json

8 changes: 3 additions & 5 deletions k8s-risk-assessment-job/templates/configmap.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,6 @@ data:
cat /data/report.json
# push
curl --location --request POST \
--header "Authorization: Bearer ${AUTH_TOKEN}" \
--header "Tenant-Id: ${TENANT_ID}" \
--form "file=@\"/data/report.json\"" \
"https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KS&save_to_s3=true&label_id=${LABEL_NAME}"
/curl_command.sh
8 changes: 8 additions & 0 deletions k8s-risk-assessment-job/templates/cronjob.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,14 @@ spec:
value: {{ .Values.accuknox.clusterID | quote }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KS"
volumeMounts:
- mountPath: /data
name: datapath
Expand Down
8 changes: 8 additions & 0 deletions k8s-risk-assessment-job/templates/job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,14 @@ spec:
value: {{ .Values.accuknox.clusterID | quote }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KS"
volumeMounts:
- mountPath: /data
name: datapath
Expand Down
4 changes: 4 additions & 0 deletions k8s-risk-assessment-job/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,7 @@ accuknox:
clusterID: 0
label: ""
secretName: ""
certBundlePath: "" # Set this for cert local path if needed .
certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
useInsecureConnection: false # Set to true if insecure connection is needed

11 changes: 10 additions & 1 deletion k8tls-job/templates/k8tls-cronjob.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,8 @@ spec:
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ["/bin/sh", "-c"]
args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
args: ['./curl_command.sh']

name: k8tls-job
resources: {}
env:
Expand All @@ -67,6 +68,14 @@ spec:
value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
- name: LABEL_NAME
value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "K8TLS"
volumeMounts:
- mountPath: /data
name: datapath
Expand Down
10 changes: 9 additions & 1 deletion k8tls-job/templates/k8tls-job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ spec:
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ["/bin/sh", "-c"]
args: ['curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=K8TLS&save_to_s3=true" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\"" && cat /data/report.json']
args: ['./curl_command.sh']
name: k8tls-job
resources: {}
env:
Expand All @@ -39,6 +39,14 @@ spec:
value: {{ if ne .Values.accuknox.clusterName "" }}{{ .Values.accuknox.clusterName }}{{ else }}{{ "default" }}{{ end }}
- name: LABEL_NAME
value: {{ if ne .Values.accuknox.label "" }}{{ .Values.accuknox.label }}{{ else }}{{ "default" }}{{ end }}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "K8TLS"
volumeMounts:
- mountPath: /data
name: datapath
Expand Down
4 changes: 3 additions & 1 deletion k8tls-job/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,4 +26,6 @@ accuknox:
clusterName: ""
label: ""
URL: "cspm.demo.accuknox.com"
secretName: ""
certBundlePath: "" # Set this for cert local path if needed .
certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
useInsecureConnection: false # Set to true if insecure connection is needed
15 changes: 13 additions & 2 deletions kiem-job/templates/deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,11 @@ spec:
- name: datapath
mountPath: /data
containers:
- image: "{{ .Values.accuknoxJob.image.repository }}:{{ .Values.accuknoxJob.image.tag }}"
command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=true&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']

- image: accuknox/accuknox-job:latest
command: ["/bin/sh", "-c"]
args: ['./curl_command.sh']

name: accuknox-kiem-cronjob
resources: {}
env:
Expand All @@ -51,6 +54,14 @@ spec:
value: {{ .Values.accuknox.clusterName }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label | quote}}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KIEM"
volumeMounts:
- mountPath: /data
name: datapath
Expand Down
13 changes: 12 additions & 1 deletion kiem-job/templates/job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,10 @@ spec:
mountPath: /data
containers:
- image: accuknox/accuknox-job:latest
command: ['sh', '-c', 'curl --location --request POST "https://${URL}/api/v1/artifact/?tenant_id=${TENANT_ID}&data_type=KIEM&save_to_s3=true&label_id=${LABEL_NAME}" --header "Tenant-Id: ${TENANT_ID}" --header "Authorization: Bearer ${AUTH_TOKEN}" --form "file=@\"/data/report.json\""']

command: ["/bin/sh", "-c"]
args: ['./curl_command.sh']

name: accuknox-kiem-job
resources: {}
env:
Expand All @@ -48,6 +51,14 @@ spec:
value: {{ .Values.accuknox.clusterName }}
- name: LABEL_NAME
value: {{ .Values.accuknox.label | quote}}
- name: CERT_BUNDLE_PATH
value: {{ .Values.accuknox.certBundlePath | quote }}
- name: CERT_BUNDLE_URL
value: {{ .Values.accuknox.certBundleURL }}
- name: USE_INSECURE_CONNECTION
value: {{ .Values.accuknox.useInsecureConnection | quote }}
- name: DATA_TYPE
value: "KIEM"
volumeMounts:
- mountPath: /data
name: datapath
Expand Down
5 changes: 4 additions & 1 deletion kiem-job/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,7 @@ accuknox:
cronTab: "30 9 * * *"
clusterName: ""
label: ""
secretName: ""
certBundlePath: "" # Set this for cert local path if needed .
certBundleURL: "" # Set this for cert URL if needed (if certBundlePath is set as well certBundlePath will take precedent)
useInsecureConnection: false # Set to true if insecure connection is needed

0 comments on commit fa61f4c

Please sign in to comment.