diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml index e858e9c7c..326336031 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml @@ -20,10 +20,10 @@ data: AQUA_LOGICAL_NAME: "" # Cluster display name in aqua enterprise. CLUSTER_NAME: "Default-cluster-name" - # Enable KA policy scanning via starboard + # Enable KA policy scanning via Trivy-Operator AQUA_KAP_ADD_ALL_CONTROL: "true" AQUA_WATCH_CONFIG_AUDIT_REPORT: "true" - AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.1" + AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.3" AQUA_ME_IMAGE_NAME: "registry.aquasec.com/microenforcer:2022.4" AQUA_KB_ME_REGISTRY_NAME: "aqua-registry" AQUA_ENFORCER_DS_NAME: "aqua-agent" #Sets Daemonset name @@ -81,7 +81,7 @@ webhooks: # values: # - kube-system # - kube-node-lease -# scope: Namespaced +# scope: Namespaced --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration @@ -105,15 +105,6 @@ webhooks: failurePolicy: Ignore admissionReviewVersions: ["v1beta1"] sideEffects: "None" -# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. -# namespaceSelector: -# matchExpressions: -# - key: kubernetes.io/metadata.name -# operator: NotIn -# values: -# - kube-system -# - kube-node-lease -# scope: Namespaced --- apiVersion: v1 kind: ServiceAccount @@ -140,29 +131,6 @@ rules: - apiGroups: ["aquasecurity.github.io"] resources: ["configauditreports", "clusterconfigauditreports"] verbs: ["get", "list", "watch"] -#### Please uncomment the below block if your platform is Openshift -# - apiGroups: ["*"] -# resources: ["pods","namespaces"] -# verbs: ["create", "delete"] -# - apiGroups: [""] -# resources: ["pods/exec"] -# verbs: ["create"] -# - apiGroups: ["operator.openshift.io"] -# resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"] -# verbs: ["get", "list", "watch"] -# - apiGroups: [ "" ] -# resources: [ "serviceaccounts", "endpoints" ] -# verbs: [ "list" ] -# - apiGroups: [ "config.openshift.io" ] -# resources: [ "clusteroperators" ] -# verbs: [ "get", "list" ] -# - apiGroups: ["security.openshift.io"] -# resources: ["securitycontextconstraints"] -# verbs: ["get", "list"] -# - apiGroups: ["machineconfiguration.openshift.io"] -# resources: ["machineconfigs", "machineconfigpools"] -# verbs: ["get", "list"] -#### - apiGroups: ["*"] resources: ["configmaps"] verbs: ["get", "list", "watch"] @@ -194,9 +162,32 @@ rules: - list - watch # Comment the below 3 verbs if Pod-Enforcer injection is not going to be used - - create + - create - update - delete +#### Please uncomment the below block if your platform is Openshift +# - apiGroups: ["*"] +# resources: ["pods","namespaces"] +# verbs: ["create", "delete"] +# - apiGroups: [""] +# resources: ["pods/exec"] +# verbs: ["create"] +# - apiGroups: ["operator.openshift.io"] +# resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"] +# verbs: ["get", "list", "watch"] +# - apiGroups: [ "" ] +# resources: [ "serviceaccounts", "endpoints" ] +# verbs: [ "list" ] +# - apiGroups: [ "config.openshift.io" ] +# resources: [ "clusteroperators" ] +# verbs: [ "get", "list" ] +# - apiGroups: ["security.openshift.io"] +# resources: ["securitycontextconstraints"] +# verbs: ["get", "list"] +# - apiGroups: ["machineconfiguration.openshift.io"] +# resources: ["machineconfigs", "machineconfigpools"] +# verbs: ["get", "list"] +#### --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -252,161 +243,827 @@ subjects: name: aqua-kube-enforcer-sa namespace: aqua --- -# Starboard resource yamls################ +###### Trivy-Operator resource yamls################ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: configauditreports.aquasecurity.github.io - labels: - app.kubernetes.io/managed-by: starboard - app.kubernetes.io/version: "0.15.20" + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: clusterconfigauditreports.aquasecurity.github.io spec: group: aquasecurity.github.io + names: + kind: ClusterConfigAuditReport + listKind: ClusterConfigAuditReportList + plural: clusterconfigauditreports + shortNames: + - clusterconfigaudit + singular: clusterconfigauditreport + scope: Cluster versions: - - name: v1alpha1 + - additionalPrinterColumns: + - description: The name of the config audit scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: ConfigAuditSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + updateTimestamp: + format: date-time + type: string + required: + - checks + type: object + required: + - report + type: object served: true storage: true - additionalPrinterColumns: - - jsonPath: .report.scanner.name - type: string + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: clusterrbacassessmentreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterRbacAssessmentReport + listKind: ClusterRbacAssessmentReportList + plural: clusterrbacassessmentreports + shortNames: + - clusterrbacassessmentreport + singular: clusterrbacassessmentreport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The name of the rbac assessment scanner + jsonPath: .report.scanner.name name: Scanner - description: The name of the config audit scanner - - jsonPath: .metadata.creationTimestamp - type: date + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp name: Age - description: The age of the report - - jsonPath: .report.summary.criticalCount - type: integer - name: Critial + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical priority: 1 - description: The number of failed checks with critial severity - - jsonPath: .report.summary.highCount type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount name: High priority: 1 - description: The number of failed checks with high severity - - jsonPath: .report.summary.mediumCount type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount name: Medium priority: 1 - description: The number of failed checks with medium severity - - jsonPath: .report.summary.lowCount type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount name: Low priority: 1 - description: The number of failed checks with low severity + type: integer + name: v1alpha1 schema: openAPIV3Schema: - x-kubernetes-preserve-unknown-fields: true + description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: RbacAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report type: object - scope: Namespaced + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: configauditreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io names: - singular: configauditreport - plural: configauditreports kind: ConfigAuditReport listKind: ConfigAuditReportList - categories: [] + plural: configauditreports shortNames: - configaudit + - configaudits + singular: configauditreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of the config audit scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ConfigAuditReport is a specification for the ConfigAuditReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: ConfigAuditSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + updateTimestamp: + format: date-time + type: string + required: + - checks + type: object + required: + - report + type: object + served: true + storage: true + subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: clusterconfigauditreports.aquasecurity.github.io - labels: - app.kubernetes.io/managed-by: starboard + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: rbacassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io + names: + kind: RbacAssessmentReport + listKind: RbacAssessmentReportList + plural: rbacassessmentreports + shortNames: + - rbacassessment + - rbacassessments + singular: rbacassessmentreport + scope: Namespaced versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .report.scanner.name - type: string + - additionalPrinterColumns: + - description: The name of the rbac assessment scanner + jsonPath: .report.scanner.name name: Scanner - description: The name of the config audit scanner - - jsonPath: .metadata.creationTimestamp - type: date + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp name: Age - description: The age of the report - - jsonPath: .report.summary.dangerCount + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 type: integer - name: Danger + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High priority: 1 - description: The number of checks that failed with Danger status - - jsonPath: .report.summary.warningCount type: integer - name: Warning + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium priority: 1 - description: The number of checks that failed with Warning status - - jsonPath: .report.summary.passCount type: integer - name: Pass + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low priority: 1 - description: The number of checks that passed + type: integer + name: v1alpha1 schema: openAPIV3Schema: - x-kubernetes-preserve-unknown-fields: true + description: RbacAssessmentReport is a specification for the RbacAssessmentReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: RbacAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report type: object - scope: Cluster - names: - singular: clusterconfigauditreport - plural: clusterconfigauditreports - kind: ClusterConfigAuditReport - listKind: ClusterConfigAuditReportList - categories: [] - shortNames: - - clusterconfigaudit + served: true + storage: true + subresources: {} --- apiVersion: v1 -kind: ServiceAccount +kind: ConfigMap metadata: - name: starboard-operator + name: trivy-operator-trivy-config namespace: aqua -imagePullSecrets: - - name: aqua-registry + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl +data: + trivy.repository: "ghcr.io/aquasecurity/trivy" + trivy.tag: "0.36.0" + trivy.additionalVulnerabilityReportFields: "" + trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + trivy.slow: "true" + trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db" + trivy.command: "image" + trivy.dbRepositoryInsecure: "false" + trivy.useBuiltinRegoPolicies: "false" + trivy.supportedConfigAuditKinds: "Workload,Service,Role,RoleBinding,ClusterRole,ClusterRoleBinding,NetworkPolicy,Ingress,LimitRange,ResourceQuota,ConfigMap" + trivy.timeout: "5m0s" + trivy.mode: "Standalone" + trivy.resources.requests.cpu: 100m + trivy.resources.requests.memory: 100M + trivy.resources.limits.cpu: 500m + trivy.resources.limits.memory: 500M --- apiVersion: v1 kind: ConfigMap metadata: - name: starboard + name: trivy-operator namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl data: - configAuditReports.scanner: Conftest + scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" + scanJob.compressLogs: "true" + vulnerabilityReports.scanner: "Trivy" + configAuditReports.scanner: "Trivy" + report.recordFailedChecksOnly: "false" --- apiVersion: v1 kind: Secret metadata: - name: starboard + name: trivy-operator-trivy-config namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl +data: --- apiVersion: v1 kind: ConfigMap metadata: - name: starboard-policies-config + name: trivy-operator-policies-config namespace: aqua labels: - app.kubernetes.io/name: starboard-operator - app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.20" + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: trivy-operator + namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: starboard-operator + creationTimestamp: null + name: trivy-operator rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - limitranges + verbs: + - get + - list + - watch - apiGroups: - "" resources: - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: - pods/log + verbs: + - get + - list + - apiGroups: + - "" + resources: - replicationcontrollers + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: - resourcequotas - - limitranges - - services - - configmaps - - serviceaccounts verbs: - get - list @@ -414,22 +1071,51 @@ rules: - apiGroups: - "" resources: - - nodes + - services verbs: - get - list - - watch + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch - apiGroups: - apps resources: - - replicasets - - statefulsets - daemonsets + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: - deployments verbs: - get - list - watch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch - apiGroups: - apps.openshift.io resources: @@ -438,136 +1124,189 @@ rules: - get - list - watch + - apiGroups: + - aquasecurity.github.io + resources: + - clusterconfigauditreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - clusterrbacassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - configauditreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - rbacassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - batch resources: - - jobs - cronjobs verbs: - get - list - watch - apiGroups: - - rbac.authorization.k8s.io + - batch resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings + - jobs verbs: - get - list - watch - apiGroups: - - apiextensions.k8s.io + - networking.k8s.io resources: - - customresourcedefinitions + - ingresses verbs: - get - list - - watch + - watch - apiGroups: - networking.k8s.io - - extensions resources: - networkpolicies - - ingresses verbs: - get - list - watch - apiGroups: - - policy + - rbac.authorization.k8s.io resources: - - podsecuritypolicies + - clusterrolebindings verbs: - get - list - watch - apiGroups: - - aquasecurity.github.io + - rbac.authorization.k8s.io resources: - - vulnerabilityreports - - configauditreports - - clusterconfigauditreports - - ciskubebenchreports + - clusterroles verbs: - get - list - watch - - create - - update - - delete - apiGroups: - - coordination.k8s.io + - rbac.authorization.k8s.io resources: - - leases + - rolebindings + verbs: + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - serviceaccounts verbs: - - create - get - - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: starboard-operator - namespace: aqua + name: trivy-operator + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: starboard-operator + name: trivy-operator subjects: - kind: ServiceAccount - name: starboard-operator + name: trivy-operator namespace: aqua --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: starboard-operator + name: trivy-operator namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create - - update - - apiGroups: - - "" - resources: - - configmaps - - serviceaccounts - verbs: - - create - - update - apiGroups: - "" resources: - - events + - configmaps verbs: - create + - get + - list + - watch - apiGroups: - - batch + - "" resources: - - jobs + - secrets verbs: - create - - delete - + - get + - delete + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: starboard-operator + name: trivy-operator namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: starboard-operator + name: trivy-operator subjects: -- kind: ServiceAccount - name: starboard-operator - namespace: aqua \ No newline at end of file + - kind: ServiceAccount + name: trivy-operator + namespace: aqua +--- diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/003_kube_enforcer_deploy.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/003_kube_enforcer_deploy.yaml index d04cb0221..b61354809 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/003_kube_enforcer_deploy.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/003_kube_enforcer_deploy.yaml @@ -93,63 +93,100 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: starboard-operator + name: trivy-operator namespace: aqua labels: - app: starboard-operator + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl spec: replicas: 1 strategy: type: Recreate selector: matchLabels: - app: starboard-operator + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator template: metadata: labels: - app: starboard-operator + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator spec: - serviceAccountName: starboard-operator + serviceAccountName: trivy-operator automountServiceAccountToken: true - securityContext: {} containers: - - name: operator - image: docker.io/aquasec/starboard-operator:0.15.20 + - name: "trivy-operator" + image: "docker.io/aquasec/trivy-operator:0.20.1" imagePullPolicy: IfNotPresent - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL env: - name: OPERATOR_NAMESPACE value: aqua - name: OPERATOR_TARGET_NAMESPACES value: "" + - name: OPERATOR_EXCLUDE_NAMESPACES + value: "" + - name: OPERATOR_TARGET_WORKLOADS + value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" + - name: OPERATOR_SERVICE_ACCOUNT + value: "trivy-operator" - name: OPERATOR_LOG_DEV_MODE - value: "false" + value: "true" + - name: OPERATOR_SCAN_JOB_TIMEOUT + value: "5m" - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT value: "10" - name: OPERATOR_SCAN_JOB_RETRY_AFTER - value: 30s + value: "30s" + - name: OPERATOR_BATCH_DELETE_LIMIT + value: "10" + - name: OPERATOR_BATCH_DELETE_DELAY + value: "10s" - name: OPERATOR_METRICS_BIND_ADDRESS - value: :8080 - - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS - value: :9090 - - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED + value: ":8080" + - name: OPERATOR_METRICS_FINDINGS_ENABLED + value: "true" + - name: OPERATOR_METRICS_VULN_ID_ENABLED value: "false" + - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS + value: ":9090" - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED value: "false" - - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS + - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS + value: "true" + - name: OPERATOR_SCANNER_REPORT_TTL + value: "24h" + - name: OPERATOR_SBOM_GENERATION_ENABLED + value: "false" + - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED value: "true" - - name: OPERATOR_BATCH_DELETE_LIMIT - value: "10" - - name: OPERATOR_BATCH_DELETE_DELAY - value: "10s" - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED value: "false" + - name: OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED + value: "true" + - name: OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED + value: "false" + - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS + value: "true" + - name: OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED + value: "false" + - name: OPERATOR_WEBHOOK_BROADCAST_URL + value: "" + - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT + value: "30s" + - name: OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES + value: "{}" + - name: OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS + value: "true" + - name: OPERATOR_BUILT_IN_TRIVY_SERVER + value: "false" + - name: TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION + value: "10h" + - name: OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT + value: "true" + - name: CONTROLLER_CACHE_SYNC_TIMEOUT + value: "5m" ports: - name: metrics containerPort: 8080 @@ -171,3 +208,14 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 10 + resources: + {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + securityContext: + {} diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md index bebe1f6dd..15d0d2278 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md @@ -7,9 +7,9 @@ This repository shows the manifest yaml files required to deploy Aqua KubeEnforc * OpenShift * Kubernetes engines: EKS, GKE, ICP, AKS, TKG, and TKGI -Starboard is deployed with the KubeEnforcer to increase the effectiveness of Kubernetes security. +Trivy Operator is deployed with the KubeEnforcer to increase the effectiveness of Kubernetes security. -Starboard assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: +Trivy Operator assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: * Re-evaluate workload compliance during workload runtime, taking any workload and policy changes into account * Reflect the results of compliance evaluation in the Aqua UI at all times, not only when workloads are created diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/gen_ke_certs.sh b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/gen_ke_certs.sh index 0a6d754e7..96079dcaa 100755 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/gen_ke_certs.sh +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/gen_ke_certs.sh @@ -100,39 +100,30 @@ EOF fi } -# for using custom namespace instead of AQUA NS download the 001_kube_enforcer_config.yaml, make changes to it and keep it in current directory where this script is running -_prepare_ke() { +_prepare_ke() { script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" &> /dev/null && pwd) _rootCA=$(cat rootCA.crt | base64 | tr -d '\n' | tr -d '\r') - local_config_file="./001_kube_enforcer_config.yaml" # path of local 001_kube_enforcer_config.yaml file - - if test -f "$local_config_file"; then - # Add CA bundle to the local KubeEnforcer config file + githubBranch="2022.4" + if test -f "$script_dir/001_kube_enforcer_config.yaml"; then _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$script_dir/001_kube_enforcer_config.yaml") if eval "$_addCABundle"; then - printf "\nInfo: Successfully prepared config.yaml manifest file.\n" + printf "\nInfo: Successfully prepared 001_kube_enforcer_config.yaml manifest file.\n" _deploy_ke_admin else printf "\nError: Failed to prepare KubeEnforcer config file from local" exit 1 fi - else # for deploying kube enforcer in default namespace, i.e., AQUA. - printf "\nInfo: Local config file not found, attempting to download from GitHub\n" - githubBranch="2022.4" - if curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml -o "$local_config_file"; then - # Add CA bundle to the downloaded KubeEnforcer config file - _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$local_config_file") - if eval "$_addCABundle"; then - printf "\nInfo: Successfully prepared config.yaml manifest file.\n" - _deploy_ke_admin - else - printf "\nError: Failed to prepare KubeEnforcer config file from GitHub" - exit 1 - fi + elif curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml -o "001_kube_enforcer_config.yaml"; then + _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$script_dir/001_kube_enforcer_config.yaml") + if eval "$_addCABundle"; then + printf "\nInfo: Successfully prepared 001_kube_enforcer_config.yaml manifest file.\n" + _deploy_ke_admin else - printf "\nError: Failed to download config.yaml manifest file from GitHub" + printf "\nError: Failed to prepare KubeEnforcer config file from github" exit 1 fi + else + printf "\nError: Failed to download 001_kube_enforcer_config.yaml manifest file" fi } diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml index 873354173..acfa3eb6b 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml @@ -272,13 +272,13 @@ rules: resources: ["pods", "nodes", "namespaces", "deployments", "jobs", "cronjobs", "daemonsets", "replicasets", "replicationcontrollers", "statefulsets", "clusterroles", "clusterrolebindings", "componentstatuses", "services" ] verbs: ["get", "list", "watch"] - apiGroups: - - apps.openshift.io + - apps.openshift.io resources: - - deploymentconfigs + - deploymentconfigs verbs: - - get - - list - - watch + - get + - list + - watch - apiGroups: ["aquasecurity.github.io"] resources: ["configauditreports", "clusterconfigauditreports"] verbs: ["get", "list", "watch"] @@ -394,161 +394,827 @@ subjects: name: aqua-kube-enforcer-sa namespace: aqua --- -# Starboard resource yamls################ +###### Trivy-Operator resource yamls################ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: configauditreports.aquasecurity.github.io - labels: - app.kubernetes.io/managed-by: starboard - app.kubernetes.io/version: "0.15.20" + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: clusterconfigauditreports.aquasecurity.github.io spec: group: aquasecurity.github.io + names: + kind: ClusterConfigAuditReport + listKind: ClusterConfigAuditReportList + plural: clusterconfigauditreports + shortNames: + - clusterconfigaudit + singular: clusterconfigauditreport + scope: Cluster versions: - - name: v1alpha1 + - additionalPrinterColumns: + - description: The name of the config audit scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: ConfigAuditSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + updateTimestamp: + format: date-time + type: string + required: + - checks + type: object + required: + - report + type: object served: true storage: true - additionalPrinterColumns: - - jsonPath: .report.scanner.name - type: string + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: clusterrbacassessmentreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterRbacAssessmentReport + listKind: ClusterRbacAssessmentReportList + plural: clusterrbacassessmentreports + shortNames: + - clusterrbacassessmentreport + singular: clusterrbacassessmentreport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The name of the rbac assessment scanner + jsonPath: .report.scanner.name name: Scanner - description: The name of the config audit scanner - - jsonPath: .metadata.creationTimestamp - type: date + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp name: Age - description: The age of the report - - jsonPath: .report.summary.criticalCount - type: integer - name: Critial + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical priority: 1 - description: The number of failed checks with critial severity - - jsonPath: .report.summary.highCount type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount name: High priority: 1 - description: The number of failed checks with high severity - - jsonPath: .report.summary.mediumCount type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount name: Medium priority: 1 - description: The number of failed checks with medium severity - - jsonPath: .report.summary.lowCount type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount name: Low priority: 1 - description: The number of failed checks with low severity + type: integer + name: v1alpha1 schema: openAPIV3Schema: - x-kubernetes-preserve-unknown-fields: true + description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: RbacAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report type: object - scope: Namespaced + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: configauditreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io names: - singular: configauditreport - plural: configauditreports kind: ConfigAuditReport listKind: ConfigAuditReportList - categories: [] + plural: configauditreports shortNames: - configaudit + - configaudits + singular: configauditreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of the config audit scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ConfigAuditReport is a specification for the ConfigAuditReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: ConfigAuditSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + updateTimestamp: + format: date-time + type: string + required: + - checks + type: object + required: + - report + type: object + served: true + storage: true + subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: clusterconfigauditreports.aquasecurity.github.io - labels: - app.kubernetes.io/managed-by: starboard + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: rbacassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io + names: + kind: RbacAssessmentReport + listKind: RbacAssessmentReportList + plural: rbacassessmentreports + shortNames: + - rbacassessment + - rbacassessments + singular: rbacassessmentreport + scope: Namespaced versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .report.scanner.name - type: string + - additionalPrinterColumns: + - description: The name of the rbac assessment scanner + jsonPath: .report.scanner.name name: Scanner - description: The name of the config audit scanner - - jsonPath: .metadata.creationTimestamp - type: date + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp name: Age - description: The age of the report - - jsonPath: .report.summary.dangerCount + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 type: integer - name: Danger + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High priority: 1 - description: The number of checks that failed with Danger status - - jsonPath: .report.summary.warningCount type: integer - name: Warning + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium priority: 1 - description: The number of checks that failed with Warning status - - jsonPath: .report.summary.passCount type: integer - name: Pass + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low priority: 1 - description: The number of checks that passed + type: integer + name: v1alpha1 schema: openAPIV3Schema: - x-kubernetes-preserve-unknown-fields: true + description: RbacAssessmentReport is a specification for the RbacAssessmentReport + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: RbacAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report type: object - scope: Cluster - names: - singular: clusterconfigauditreport - plural: clusterconfigauditreports - kind: ClusterConfigAuditReport - listKind: ClusterConfigAuditReportList - categories: [] - shortNames: - - clusterconfigaudit + served: true + storage: true + subresources: {} --- apiVersion: v1 -kind: ServiceAccount +kind: ConfigMap metadata: - name: starboard-operator + name: trivy-operator-trivy-config namespace: aqua -imagePullSecrets: - - name: aqua-registry + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl +data: + trivy.repository: "ghcr.io/aquasecurity/trivy" + trivy.tag: "0.36.0" + trivy.additionalVulnerabilityReportFields: "" + trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + trivy.slow: "true" + trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db" + trivy.command: "image" + trivy.dbRepositoryInsecure: "false" + trivy.useBuiltinRegoPolicies: "false" + trivy.supportedConfigAuditKinds: "Workload,Service,Role,RoleBinding,ClusterRole,ClusterRoleBinding,NetworkPolicy,Ingress,LimitRange,ResourceQuota,ConfigMap" + trivy.timeout: "5m0s" + trivy.mode: "Standalone" + trivy.resources.requests.cpu: 100m + trivy.resources.requests.memory: 100M + trivy.resources.limits.cpu: 500m + trivy.resources.limits.memory: 500M --- apiVersion: v1 kind: ConfigMap metadata: - name: starboard + name: trivy-operator namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl data: - configAuditReports.scanner: Conftest + scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" + scanJob.compressLogs: "true" + vulnerabilityReports.scanner: "Trivy" + configAuditReports.scanner: "Trivy" + report.recordFailedChecksOnly: "false" --- apiVersion: v1 kind: Secret metadata: - name: starboard + name: trivy-operator-trivy-config namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl +data: --- apiVersion: v1 kind: ConfigMap metadata: - name: starboard-policies-config + name: trivy-operator-policies-config namespace: aqua labels: - app.kubernetes.io/name: starboard-operator - app.kubernetes.io/instance: starboard-operator - app.kubernetes.io/version: "0.15.20" + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: trivy-operator + namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: starboard-operator + creationTimestamp: null + name: trivy-operator rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - limitranges + verbs: + - get + - list + - watch - apiGroups: - "" resources: - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: - pods/log + verbs: + - get + - list + - apiGroups: + - "" + resources: - replicationcontrollers + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: - resourcequotas - - limitranges - - services - - configmaps - - serviceaccounts verbs: - get - list @@ -556,22 +1222,51 @@ rules: - apiGroups: - "" resources: - - nodes + - services + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions verbs: - get - list - - watch + - watch - apiGroups: - apps resources: - - replicasets - - statefulsets - daemonsets + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: - deployments verbs: - get - list - watch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch - apiGroups: - apps.openshift.io resources: @@ -580,136 +1275,189 @@ rules: - get - list - watch + - apiGroups: + - aquasecurity.github.io + resources: + - clusterconfigauditreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - clusterrbacassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - configauditreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - rbacassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - batch resources: - - jobs - cronjobs verbs: - get - list - watch - apiGroups: - - rbac.authorization.k8s.io + - batch resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings + - jobs verbs: - get - list - watch - apiGroups: - - apiextensions.k8s.io + - networking.k8s.io resources: - - customresourcedefinitions + - ingresses verbs: - get - list - - watch + - watch - apiGroups: - networking.k8s.io - - extensions resources: - networkpolicies - - ingresses verbs: - get - list - watch - apiGroups: - - policy + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io resources: - - podsecuritypolicies + - clusterroles verbs: - get - list - watch - apiGroups: - - aquasecurity.github.io + - rbac.authorization.k8s.io resources: - - vulnerabilityreports - - configauditreports - - clusterconfigauditreports - - ciskubebenchreports + - rolebindings verbs: - get - list - watch - - create - - update - - delete - apiGroups: - - coordination.k8s.io + - rbac.authorization.k8s.io resources: - - leases + - roles + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - serviceaccounts verbs: - - create - get - - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: starboard-operator - namespace: aqua + name: trivy-operator + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: starboard-operator + name: trivy-operator subjects: - kind: ServiceAccount - name: starboard-operator + name: trivy-operator namespace: aqua --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: starboard-operator + name: trivy-operator namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create - - update - apiGroups: - "" resources: - - configmaps - - serviceaccounts - verbs: - - create - - update - - apiGroups: - - "" - resources: - - events + - configmaps verbs: - create + - get + - list + - watch - apiGroups: - - batch + - "" resources: - - jobs + - secrets verbs: - create - - delete - + - get + - delete + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: starboard-operator + name: trivy-operator namespace: aqua + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: starboard-operator + name: trivy-operator subjects: -- kind: ServiceAccount - name: starboard-operator - namespace: aqua \ No newline at end of file + - kind: ServiceAccount + name: trivy-operator + namespace: aqua +--- diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/003_kube_enforcer_deploy.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/003_kube_enforcer_deploy.yaml index e494131bd..d2f563dd8 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/003_kube_enforcer_deploy.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/003_kube_enforcer_deploy.yaml @@ -78,7 +78,7 @@ spec: - name: CLUSTER_NAME value: "Default-cluster-name" # Cluster display name in aqua enterprise. - name: AQUA_KB_IMAGE_NAME - value: "aquasec/kube-bench:v0.7.1" + value: "aquasec/kube-bench:v0.7.3" - name: AQUA_ME_IMAGE_NAME value: "registry.aquasec.com/microenforcer:2022.4" - name: AQUA_KB_ME_REGISTRY_NAME @@ -87,7 +87,7 @@ spec: value: "aqua-agent" #Sets Daemonset name - name: AQUA_ENVOY_MODE value: "true" - # Enable KA policy scanning via starboard + # Enable KA policy scanning via Trivy-Operator - name: AQUA_KAP_ADD_ALL_CONTROL value: "true" - name: AQUA_WATCH_CONFIG_AUDIT_REPORT @@ -153,63 +153,100 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: starboard-operator + name: trivy-operator namespace: aqua labels: - app: starboard-operator + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.20.1" + app.kubernetes.io/managed-by: kubectl spec: replicas: 1 strategy: type: Recreate selector: matchLabels: - app: starboard-operator + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator template: metadata: labels: - app: starboard-operator + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator spec: - serviceAccountName: starboard-operator + serviceAccountName: trivy-operator automountServiceAccountToken: true - securityContext: {} containers: - - name: operator - image: docker.io/aquasec/starboard-operator:0.15.20 + - name: "trivy-operator" + image: "docker.io/aquasec/trivy-operator:0.20.1" imagePullPolicy: IfNotPresent - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL env: - name: OPERATOR_NAMESPACE value: aqua - name: OPERATOR_TARGET_NAMESPACES value: "" + - name: OPERATOR_EXCLUDE_NAMESPACES + value: "" + - name: OPERATOR_TARGET_WORKLOADS + value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" + - name: OPERATOR_SERVICE_ACCOUNT + value: "trivy-operator" - name: OPERATOR_LOG_DEV_MODE - value: "false" + value: "true" + - name: OPERATOR_SCAN_JOB_TIMEOUT + value: "5m" - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT value: "10" - name: OPERATOR_SCAN_JOB_RETRY_AFTER - value: 30s + value: "30s" + - name: OPERATOR_BATCH_DELETE_LIMIT + value: "10" + - name: OPERATOR_BATCH_DELETE_DELAY + value: "10s" - name: OPERATOR_METRICS_BIND_ADDRESS - value: :8080 - - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS - value: :9090 - - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED + value: ":8080" + - name: OPERATOR_METRICS_FINDINGS_ENABLED + value: "true" + - name: OPERATOR_METRICS_VULN_ID_ENABLED value: "false" + - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS + value: ":9090" - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED value: "false" - - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS + - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS + value: "true" + - name: OPERATOR_SCANNER_REPORT_TTL + value: "24h" + - name: OPERATOR_SBOM_GENERATION_ENABLED + value: "false" + - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED value: "true" - - name: OPERATOR_BATCH_DELETE_LIMIT - value: "10" - - name: OPERATOR_BATCH_DELETE_DELAY - value: "10s" - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED value: "false" + - name: OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED + value: "true" + - name: OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED + value: "false" + - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS + value: "true" + - name: OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED + value: "false" + - name: OPERATOR_WEBHOOK_BROADCAST_URL + value: "" + - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT + value: "30s" + - name: OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES + value: "{}" + - name: OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS + value: "true" + - name: OPERATOR_BUILT_IN_TRIVY_SERVER + value: "false" + - name: TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION + value: "10h" + - name: OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT + value: "true" + - name: CONTROLLER_CACHE_SYNC_TIMEOUT + value: "5m" ports: - name: metrics containerPort: 8080 @@ -231,3 +268,14 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 10 + resources: + {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + securityContext: + {} diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md index 4b2e5106a..693700b0e 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md @@ -7,9 +7,9 @@ This repository shows the manifest yaml files required to deploy Aqua KubeEnforc * OpenShift * Kubernetes engines: EKS, GKE, ICP, AKS, TKG, and TKGI -Starboard is deployed with KubeEnforcer, by default which increases the effectiveness of Kubernetes security. +Trivy Operator is deployed with KubeEnforcer, by default which increases the effectiveness of Kubernetes security. -Starboard assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: +Trivy Operator assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: * Re-evaluate workload compliance during workload runtime, taking any workload and policy changes into account * Reflect the results of compliance evaluation in the Aqua UI at all times, not only when workloads are created @@ -20,7 +20,7 @@ Before you follow the deployment steps explained below, Aqua strongly recommends Deploying KubeEnforcer with advanced configuration will cause Pod Enforcer traffic to be routed to the KubeEnforcers via a local envoy, which then forwards the traffic to an Aqua Gateway. This configuration improves performance and reduces remote network connections between pods and Gateways. ## Specific OpenShift notes -The deployment commands shown below use the **kubectl** cli, however they can be easily replaced with the **oc** cli commands, to work on all platforms including OpenShift. +The deployment commands shown below use the **kubectl** cli, however they can be easliy replaced with the **oc** cli commands, to work on all platforms including OpenShift. ## Prerequisites @@ -70,11 +70,11 @@ You can skip any step in this section, if you have already performed. 1. Generate certs for aqua namespace. ```shell - curl -s https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/gen_ke_certs.sh | bash + curl -s https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced/gen_ke_certs.sh | bash ``` 2. Generate certs for custom namespace, Replace the `` in the below command with the namespace where KE is going to be deployed, and run the command. ```shell - curl https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/gen_ke_certs.sh | bash -s -- + curl https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced/gen_ke_certs.sh | bash -s -- ``` - **Option B (Manual)**: Perform the steps mentioned in the [Deploy the KubeEnforcer Config manually](#deploy-the-kubeenforcer-config-manually) section. @@ -98,19 +98,19 @@ kubectl create secret generic aqua-kube-enforcer-certs --from-file server.key -- * Download, edit, and apply the secrets manifest file to create the token and SSL cert secrets. ```SHELL -kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/002_kube_enforcer_secrets.yaml +kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced/002_kube_enforcer_secrets.yaml ``` ***Note: For KubeEnforcer deployment in OpenShift environments*** * Prior to deployment of the KubeEnforcer, apply kube-enforcer scc: ```shell - kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/004_kube_enforcer_scc.yaml + kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced/004_kube_enforcer_scc.yaml ``` **Step 3. Deploy KubeEnforcer advanced** ```shell -kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/003_kube_enforcer_deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced/003_kube_enforcer_deploy.yaml ``` ### Deploy the KubeEnforcer Config manually @@ -141,25 +141,25 @@ You should pass the following deployment options through flags, as required. #### Aquactl operation -| Flag and parameter type | Values | -|---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -p or --platform, (string) (mandatory flag) | Orchestration platform to deploy Aqua Enterprise on. you should pass one of the following as required: **kubernetes, aks, eks, gke, icp, openshift, tkg, tkgi** | -| -v or --version | | -| (string) (mandatory flag) | Major version of Aqua Enterprise to deploy. For example: **2022.4** | -| -r or --registry (string) | Docker registry containing the Aqua Enterprise product images, it defaults to **registry.aquasec.com** | -| --pull-policy (string) | The Docker image pull policy that should be used in deployment for the Aqua product images, it defaults to **IfNotPresent** | -| --service-account (string) | Kubernetes service account name, it defaults to **aqua-sa** | -| -n, --namespace (string) | Kubernetes namespace name, it defaults to **aqua** | -| --output-dir (string) | Output directory for the manifests (YAML files), it defaults to **aqua-deploy**, the directory aquactl was launched in | +Flag and parameter type | Values | +| ---------------------- | ------------------------------------------------------------ | +| -p or --platform, (string) (mandatory flag) | Orchestration platform to deploy Aqua Enterprise on. you should pass one of the following as required: **kubernetes, aks, eks, gke, icp, openshift, tkg, tkgi** | +| -v or --version +(string) (mandatory flag) | Major version of Aqua Enterprise to deploy. For example: **2022.4** | +| -r or --registry (string) | Docker registry containing the Aqua Enterprise product images, it defaults to **registry.aquasec.com** | +| --pull-policy (string) | The Docker image pull policy that should be used in deployment for the Aqua product images, it defaults to **IfNotPresent** | +| --service-account (string) | Kubernetes service account name, it defaults to **aqua-sa** | +| -n, --namespace (string) | Kubernetes namespace name, it defaults to **aqua** | +| --output-dir (string) | Output directory for the manifests (YAML files), it defaults to **aqua-deploy**, the directory aquactl was launched in | #### configuration of KubeEnforcer advanced -| Flag and type | Values | -|--------------------------|-------------------------------------------------------------------------------------------------------------| -| --advanced-configuration | To configure advanced deployment (for Pod Enforcer injection) of the KubeEnforcer | -| --gateway-url (string) | Aqua Gateway URL (IP, DNS, or service name) and port, it defaults to **aqua-gateway:8443** | -| --token (string) | Deployment token for the KubeEnforcer group, it does not have a default value | -| --ke-no-ssl (Boolean) | If specified as **true**, the SSL cert for the KubeEnforcer will not be generated. It defaults to **false** | +Flag and type | Values | +| ---------------------- | ------------------------------------------------------------ | +| --advanced-configuration | To configure advanced deployment (for Pod Enforcer injection) of the KubeEnforcer| +| --gateway-url (string) | Aqua Gateway URL (IP, DNS, or service name) and port, it defaults to **aqua-gateway:8443**| +| --token (string) | Deployment token for the KubeEnforcer group, it does not have a default value| +| --ke-no-ssl (Boolean) | If specified as **true**, the SSL cert for the KubeEnforcer will not be generated. It defaults to **false**| The **--gateway-url** flag identifies an existing Aqua Gateway used to connect the KubeEnforcer. This flag is not used to configure a new Gateway, as in *aquactl download all* or *aquactl download server*. diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/001_kube_enforcer_config.yaml new file mode 100644 index 000000000..873354173 --- /dev/null +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/001_kube_enforcer_config.yaml @@ -0,0 +1,715 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ke-envoy-conf + namespace: aqua +data: + # Enable the below Env for mTLS between kube-enforcer and gateway + # AQUA_PUBLIC_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.crt" + # AQUA_PRIVATE_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.key" + # AQUA_ROOT_CA: "/opt/aquasec/ssl/rootCA.crt" + envoy.yaml: | + node: + cluster: k8s + id: + + dynamic_resources: + cds_config: + path: /etc/aquasec/envoy/cds.yaml + initial_fetch_timeout: 0s + lds_config: + path: /etc/envoy/lds.yaml + lds.yaml: | + resources: + - "@type": type.googleapis.com/envoy.config.listener.v3.Listener + name: listener_0 + address: + socket_address: + address: 0.0.0.0 + port_value: 8443 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stream_idle_timeout: 0s + drain_timeout: 20s + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: "/dev/stdout" + codec_type: AUTO + stat_prefix: ingress_https + route_config: + name: local_route + virtual_hosts: + - name: https + domains: + - "*" + routes: + - match: + prefix: "/agent_grpc_channel.GWChannelV2/PushNotificationHandler" + grpc: { } + route: + cluster: aqua-kube-enforcer + timeout: 0s + - match: + prefix: "/" + grpc: { } + route: + cluster: aqua-gateway + timeout: 0s + - match: + prefix: "/" + route: + cluster: aqua-kube-enforcer-k8s + timeout: 0s + + http_filters: + - name: envoy.filters.http.health_check + typed_config: + "@type": type.googleapis.com/envoy.config.filter.http.health_check.v2.HealthCheck + pass_through_mode: false + headers: + - name: ":path" + exact_match: "/healthz" + - name: "x-envoy-livenessprobe" + exact_match: "healthz" + - name: envoy.filters.http.router + typed_config: { } + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + common_tls_context: + alpn_protocols: "h2,http/1.1" + tls_certificates: + - certificate_chain: + filename: "/etc/ssl/envoy/server.crt" + private_key: + filename: "/etc/ssl/envoy/server.key" + cds.yaml: | + resources: + - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: aqua-kube-enforcer + connect_timeout: 180s + type: STRICT_DNS + dns_lookup_family: V4_ONLY + lb_policy: ROUND_ROBIN + http2_protocol_options: + hpack_table_size: 4294967 + max_concurrent_streams: 2147483647 + circuit_breakers: + thresholds: + max_pending_requests: 2147483647 + max_requests: 2147483647 + load_assignment: + cluster_name: aqua-kube-enforcer + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost + port_value: 8442 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: aqua-kube-enforcer + - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: aqua-kube-enforcer-k8s + connect_timeout: 180s + type: STRICT_DNS + dns_lookup_family: V4_ONLY + lb_policy: ROUND_ROBIN + circuit_breakers: + thresholds: + max_pending_requests: 2147483647 + max_requests: 2147483647 + load_assignment: + cluster_name: aqua-kube-enforcer-k8s + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: localhost + port_value: 8449 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: aqua-kube-enforcer-k8s + - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster + name: aqua-gateway + connect_timeout: 180s + type: STRICT_DNS + dns_lookup_family: V4_ONLY + lb_policy: ROUND_ROBIN + http2_protocol_options: + hpack_table_size: 4294967 + max_concurrent_streams: 2147483647 + circuit_breakers: + thresholds: + max_pending_requests: 2147483647 + max_requests: 2147483647 + load_assignment: + cluster_name: aqua-gateway + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: aqua-gateway.aqua + port_value: 8443 + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + sni: aqua-gateway + validation_context_sds_secret.yaml: | + resources: + - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" + name: "validation_context_sds" + validation_context: + trusted_ca: + filename: /etc/aquasec/envoy/ca-certificates.crt +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: kube-enforcer-admission-hook-config + namespace: aqua +webhooks: + - name: imageassurance.aquasec.com + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: + - pods + - deployments + - replicasets + - replicationcontrollers + - statefulsets + - daemonsets + - jobs + - cronjobs + - configmaps + - services + - roles + - rolebindings + - clusterroles + - clusterrolebindings + - customresourcedefinitions + clientConfig: + # Please follow instruction in document to generate new CA cert + caBundle: + service: + namespace: aqua + name: aqua-kube-enforcer + timeoutSeconds: 2 + failurePolicy: Ignore + admissionReviewVersions: ["v1beta1"] + sideEffects: "None" +# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. +# namespaceSelector: +# matchExpressions: +# - key: kubernetes.io/metadata.name +# operator: NotIn +# values: +# - kube-system +# - kube-node-lease +# scope: Namespaced +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: kube-enforcer-me-injection-hook-config + namespace: aqua +webhooks: + - name: microenforcer.aquasec.com + clientConfig: + service: + name: aqua-kube-enforcer + namespace: aqua + path: "/mutate" + caBundle: + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["v1"] + resources: ["pods"] + timeoutSeconds: 2 + failurePolicy: Ignore + admissionReviewVersions: ["v1beta1"] + sideEffects: "None" +# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. +# namespaceSelector: +# matchExpressions: +# - key: kubernetes.io/metadata.name +# operator: NotIn +# values: +# - kube-system +# - kube-node-lease +# scope: Namespaced +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aqua-kube-enforcer-sa + namespace: aqua +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aqua-kube-enforcer +rules: + - apiGroups: ["*"] + resources: ["pods", "nodes", "namespaces", "deployments", "jobs", "cronjobs", "daemonsets", "replicasets", "replicationcontrollers", "statefulsets", "clusterroles", "clusterrolebindings", "componentstatuses", "services" ] + verbs: ["get", "list", "watch"] + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - apiGroups: ["aquasecurity.github.io"] + resources: ["configauditreports", "clusterconfigauditreports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["*"] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: + - "*" + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - apiGroups: + - "*" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - "*" + resources: + - secrets + verbs: + - get + - list + - watch + # Comment the below 3 verbs if Pod-Enforcer injection is not going to be used + - create + - update + - delete +#### Please uncomment the below block if your platform is Openshift +# - apiGroups: ["*"] +# resources: ["pods","namespaces"] +# verbs: ["create", "delete"] +# - apiGroups: [""] +# resources: ["pods/exec"] +# verbs: ["create"] +# - apiGroups: ["operator.openshift.io"] +# resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"] +# verbs: ["get", "list", "watch"] +# - apiGroups: [ "" ] +# resources: [ "serviceaccounts", "endpoints" ] +# verbs: [ "list" ] +# - apiGroups: [ "config.openshift.io" ] +# resources: [ "clusteroperators" ] +# verbs: [ "get", "list" ] +# - apiGroups: ["security.openshift.io"] +# resources: ["securitycontextconstraints"] +# verbs: ["get", "list"] +# - apiGroups: ["machineconfiguration.openshift.io"] +# resources: ["machineconfigs", "machineconfigpools"] +# verbs: ["get", "list"] +#### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aqua-kube-enforcer + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aqua-kube-enforcer +subjects: + - kind: ServiceAccount + name: aqua-kube-enforcer-sa + namespace: aqua +--- +# This role specific to kube-bench scans permissions +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: aqua-kube-enforcer + namespace: aqua +rules: + - apiGroups: ["*"] + resources: ["pods/log"] + verbs: ["get", "list", "watch"] + - apiGroups: ["*"] + resources: ["jobs"] + verbs: ["create", "delete"] + - apiGroups: ["*"] + resources: ["pods"] + verbs: ["create", "delete"] + - apiGroups: ["*"] + resources: ["leases"] + verbs: ["get", "list", "create", "update"] + - apiGroups: [ "*" ] + resources: [ "secrets" ] + verbs: ["create", "delete"] + - apiGroups: [ "*" ] + resources: [ "configmaps" ] + verbs: ["update", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: aqua-kube-enforcer + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: aqua-kube-enforcer +subjects: +- kind: ServiceAccount + name: aqua-kube-enforcer-sa + namespace: aqua +--- +# Starboard resource yamls################ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: configauditreports.aquasecurity.github.io + labels: + app.kubernetes.io/managed-by: starboard + app.kubernetes.io/version: "0.15.20" +spec: + group: aquasecurity.github.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .report.scanner.name + type: string + name: Scanner + description: The name of the config audit scanner + - jsonPath: .metadata.creationTimestamp + type: date + name: Age + description: The age of the report + - jsonPath: .report.summary.criticalCount + type: integer + name: Critial + priority: 1 + description: The number of failed checks with critial severity + - jsonPath: .report.summary.highCount + type: integer + name: High + priority: 1 + description: The number of failed checks with high severity + - jsonPath: .report.summary.mediumCount + type: integer + name: Medium + priority: 1 + description: The number of failed checks with medium severity + - jsonPath: .report.summary.lowCount + type: integer + name: Low + priority: 1 + description: The number of failed checks with low severity + schema: + openAPIV3Schema: + x-kubernetes-preserve-unknown-fields: true + type: object + scope: Namespaced + names: + singular: configauditreport + plural: configauditreports + kind: ConfigAuditReport + listKind: ConfigAuditReportList + categories: [] + shortNames: + - configaudit +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterconfigauditreports.aquasecurity.github.io + labels: + app.kubernetes.io/managed-by: starboard +spec: + group: aquasecurity.github.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .report.scanner.name + type: string + name: Scanner + description: The name of the config audit scanner + - jsonPath: .metadata.creationTimestamp + type: date + name: Age + description: The age of the report + - jsonPath: .report.summary.dangerCount + type: integer + name: Danger + priority: 1 + description: The number of checks that failed with Danger status + - jsonPath: .report.summary.warningCount + type: integer + name: Warning + priority: 1 + description: The number of checks that failed with Warning status + - jsonPath: .report.summary.passCount + type: integer + name: Pass + priority: 1 + description: The number of checks that passed + schema: + openAPIV3Schema: + x-kubernetes-preserve-unknown-fields: true + type: object + scope: Cluster + names: + singular: clusterconfigauditreport + plural: clusterconfigauditreports + kind: ClusterConfigAuditReport + listKind: ClusterConfigAuditReportList + categories: [] + shortNames: + - clusterconfigaudit +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: starboard-operator + namespace: aqua +imagePullSecrets: + - name: aqua-registry +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: starboard + namespace: aqua +data: + configAuditReports.scanner: Conftest +--- +apiVersion: v1 +kind: Secret +metadata: + name: starboard + namespace: aqua +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: starboard-policies-config + namespace: aqua + labels: + app.kubernetes.io/name: starboard-operator + app.kubernetes.io/instance: starboard-operator + app.kubernetes.io/version: "0.15.20" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: starboard-operator +rules: + - apiGroups: + - "" + resources: + - pods + - pods/log + - replicationcontrollers + - resourcequotas + - limitranges + - services + - configmaps + - serviceaccounts + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - replicasets + - statefulsets + - daemonsets + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + - extensions + resources: + - networkpolicies + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - get + - list + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - vulnerabilityreports + - configauditreports + - clusterconfigauditreports + - ciskubebenchreports + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: starboard-operator + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: starboard-operator +subjects: + - kind: ServiceAccount + name: starboard-operator + namespace: aqua +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: starboard-operator + namespace: aqua +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update + - apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + verbs: + - create + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: starboard-operator + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: starboard-operator +subjects: +- kind: ServiceAccount + name: starboard-operator + namespace: aqua \ No newline at end of file diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/002_kube_enforcer_secrets.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/002_kube_enforcer_secrets.yaml similarity index 100% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/002_kube_enforcer_secrets.yaml rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/002_kube_enforcer_secrets.yaml diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/003_kube_enforcer_deploy.yaml similarity index 73% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/003_kube_enforcer_deploy.yaml index 1fc498970..a8d0a8998 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/003_kube_enforcer_deploy.yaml @@ -78,7 +78,7 @@ spec: - name: CLUSTER_NAME value: "Default-cluster-name" # Cluster display name in aqua enterprise. - name: AQUA_KB_IMAGE_NAME - value: "aquasec/kube-bench:v0.7.1" + value: "aquasec/kube-bench:v0.7.3" - name: AQUA_ME_IMAGE_NAME value: "registry.aquasec.com/microenforcer:2022.4" - name: AQUA_KB_ME_REGISTRY_NAME @@ -87,7 +87,7 @@ spec: value: "aqua-agent" #Sets Daemonset name - name: AQUA_ENVOY_MODE value: "true" - # Enable KA policy scanning via Trivy-Operator + # Enable KA policy scanning via starboard - name: AQUA_KAP_ADD_ALL_CONTROL value: "true" - name: AQUA_WATCH_CONFIG_AUDIT_REPORT @@ -153,98 +153,63 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: trivy-operator + name: starboard-operator namespace: aqua labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl + app: starboard-operator spec: replicas: 1 strategy: type: Recreate selector: matchLabels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator + app: starboard-operator template: metadata: labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator + app: starboard-operator spec: - serviceAccountName: trivy-operator + serviceAccountName: starboard-operator automountServiceAccountToken: true + securityContext: {} containers: - - name: "trivy-operator" - image: "docker.io/aquasec/trivy-operator:0.16.1" + - name: operator + image: docker.io/aquasec/starboard-operator:0.15.20 imagePullPolicy: IfNotPresent + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL env: - name: OPERATOR_NAMESPACE value: aqua - name: OPERATOR_TARGET_NAMESPACES value: "" - - name: OPERATOR_EXCLUDE_NAMESPACES - value: "" - - name: OPERATOR_TARGET_WORKLOADS - value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" - - name: OPERATOR_SERVICE_ACCOUNT - value: "trivy-operator" - name: OPERATOR_LOG_DEV_MODE - value: "true" - - name: OPERATOR_SCAN_JOB_TIMEOUT - value: "5m" + value: "false" - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT value: "10" - name: OPERATOR_SCAN_JOB_RETRY_AFTER - value: "30s" - - name: OPERATOR_BATCH_DELETE_LIMIT - value: "10" - - name: OPERATOR_BATCH_DELETE_DELAY - value: "10s" + value: 30s - name: OPERATOR_METRICS_BIND_ADDRESS - value: ":8080" - - name: OPERATOR_METRICS_FINDINGS_ENABLED - value: "true" - - name: OPERATOR_METRICS_VULN_ID_ENABLED - value: "false" + value: :8080 - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS - value: ":9090" - - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED - value: "false" - - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS - value: "true" - - name: OPERATOR_SCANNER_REPORT_TTL - value: "24h" - - name: OPERATOR_SBOM_GENERATION_ENABLED - value: "false" - - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED - value: "true" - - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED + value: :9090 + - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED value: "false" - - name: OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED - value: "true" - - name: OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED + - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED value: "false" - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS value: "true" - - name: OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED - value: "false" - - name: OPERATOR_WEBHOOK_BROADCAST_URL - value: "" - - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT - value: "30s" - - name: OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES - value: "{}" - - name: OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS - value: "true" - - name: OPERATOR_BUILT_IN_TRIVY_SERVER + - name: OPERATOR_BATCH_DELETE_LIMIT + value: "10" + - name: OPERATOR_BATCH_DELETE_DELAY + value: "10s" + - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED value: "false" - - name: TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION - value: "10h" - - name: OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT - value: "true" ports: - name: metrics containerPort: 8080 @@ -266,14 +231,3 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 10 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - securityContext: - {} diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/004_kube_enforcer_scc.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/004_kube_enforcer_scc.yaml similarity index 100% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/004_kube_enforcer_scc.yaml rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/004_kube_enforcer_scc.yaml diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/README.md similarity index 68% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/README.md rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/README.md index ca3a174b2..5b4628ab7 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/README.md +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/README.md @@ -7,9 +7,9 @@ This repository shows the manifest yaml files required to deploy Aqua KubeEnforc * OpenShift * Kubernetes engines: EKS, GKE, ICP, AKS, TKG, and TKGI -Trivy Operator is deployed with KubeEnforcer, by default which increases the effectiveness of Kubernetes security. +Starboard is deployed with KubeEnforcer, by default which increases the effectiveness of Kubernetes security. -Trivy Operator assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: +Starboard assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: * Re-evaluate workload compliance during workload runtime, taking any workload and policy changes into account * Reflect the results of compliance evaluation in the Aqua UI at all times, not only when workloads are created @@ -20,7 +20,7 @@ Before you follow the deployment steps explained below, Aqua strongly recommends Deploying KubeEnforcer with advanced configuration will cause Pod Enforcer traffic to be routed to the KubeEnforcers via a local envoy, which then forwards the traffic to an Aqua Gateway. This configuration improves performance and reduces remote network connections between pods and Gateways. ## Specific OpenShift notes -The deployment commands shown below use the **kubectl** cli, however they can be easliy replaced with the **oc** cli commands, to work on all platforms including OpenShift. +The deployment commands shown below use the **kubectl** cli, however they can be easily replaced with the **oc** cli commands, to work on all platforms including OpenShift. ## Prerequisites @@ -70,11 +70,11 @@ You can skip any step in this section, if you have already performed. 1. Generate certs for aqua namespace. ```shell - curl -s https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/gen_ke_certs.sh | bash + curl -s https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced_starboard/gen_ke_certs.sh | bash ``` 2. Generate certs for custom namespace, Replace the `` in the below command with the namespace where KE is going to be deployed, and run the command. ```shell - curl https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/gen_ke_certs.sh | bash -s -- + curl https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced_starboard/gen_ke_certs.sh | bash -s -- ``` - **Option B (Manual)**: Perform the steps mentioned in the [Deploy the KubeEnforcer Config manually](#deploy-the-kubeenforcer-config-manually) section. @@ -98,19 +98,19 @@ kubectl create secret generic aqua-kube-enforcer-certs --from-file server.key -- * Download, edit, and apply the secrets manifest file to create the token and SSL cert secrets. ```SHELL -kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/002_kube_enforcer_secrets.yaml +kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced_starboard/002_kube_enforcer_secrets.yaml ``` ***Note: For KubeEnforcer deployment in OpenShift environments*** * Prior to deployment of the KubeEnforcer, apply kube-enforcer scc: ```shell - kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/004_kube_enforcer_scc.yaml + kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced_starboard/004_kube_enforcer_scc.yaml ``` **Step 3. Deploy KubeEnforcer advanced** ```shell -kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifest/kube_enforcer_advanced_starboard/003_kube_enforcer_deploy.yaml ``` ### Deploy the KubeEnforcer Config manually @@ -141,25 +141,25 @@ You should pass the following deployment options through flags, as required. #### Aquactl operation -Flag and parameter type | Values | -| ---------------------- | ------------------------------------------------------------ | -| -p or --platform, (string) (mandatory flag) | Orchestration platform to deploy Aqua Enterprise on. you should pass one of the following as required: **kubernetes, aks, eks, gke, icp, openshift, tkg, tkgi** | -| -v or --version -(string) (mandatory flag) | Major version of Aqua Enterprise to deploy. For example: **2022.4** | -| -r or --registry (string) | Docker registry containing the Aqua Enterprise product images, it defaults to **registry.aquasec.com** | -| --pull-policy (string) | The Docker image pull policy that should be used in deployment for the Aqua product images, it defaults to **IfNotPresent** | -| --service-account (string) | Kubernetes service account name, it defaults to **aqua-sa** | -| -n, --namespace (string) | Kubernetes namespace name, it defaults to **aqua** | -| --output-dir (string) | Output directory for the manifests (YAML files), it defaults to **aqua-deploy**, the directory aquactl was launched in | +| Flag and parameter type | Values | +|---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -p or --platform, (string) (mandatory flag) | Orchestration platform to deploy Aqua Enterprise on. you should pass one of the following as required: **kubernetes, aks, eks, gke, icp, openshift, tkg, tkgi** | +| -v or --version | | +| (string) (mandatory flag) | Major version of Aqua Enterprise to deploy. For example: **2022.4** | +| -r or --registry (string) | Docker registry containing the Aqua Enterprise product images, it defaults to **registry.aquasec.com** | +| --pull-policy (string) | The Docker image pull policy that should be used in deployment for the Aqua product images, it defaults to **IfNotPresent** | +| --service-account (string) | Kubernetes service account name, it defaults to **aqua-sa** | +| -n, --namespace (string) | Kubernetes namespace name, it defaults to **aqua** | +| --output-dir (string) | Output directory for the manifests (YAML files), it defaults to **aqua-deploy**, the directory aquactl was launched in | #### configuration of KubeEnforcer advanced -Flag and type | Values | -| ---------------------- | ------------------------------------------------------------ | -| --advanced-configuration | To configure advanced deployment (for Pod Enforcer injection) of the KubeEnforcer| -| --gateway-url (string) | Aqua Gateway URL (IP, DNS, or service name) and port, it defaults to **aqua-gateway:8443**| -| --token (string) | Deployment token for the KubeEnforcer group, it does not have a default value| -| --ke-no-ssl (Boolean) | If specified as **true**, the SSL cert for the KubeEnforcer will not be generated. It defaults to **false**| +| Flag and type | Values | +|--------------------------|-------------------------------------------------------------------------------------------------------------| +| --advanced-configuration | To configure advanced deployment (for Pod Enforcer injection) of the KubeEnforcer | +| --gateway-url (string) | Aqua Gateway URL (IP, DNS, or service name) and port, it defaults to **aqua-gateway:8443** | +| --token (string) | Deployment token for the KubeEnforcer group, it does not have a default value | +| --ke-no-ssl (Boolean) | If specified as **true**, the SSL cert for the KubeEnforcer will not be generated. It defaults to **false** | The **--gateway-url** flag identifies an existing Aqua Gateway used to connect the KubeEnforcer. This flag is not used to configure a new Gateway, as in *aquactl download all* or *aquactl download server*. diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/gen_ke_certs.sh b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/gen_ke_certs.sh similarity index 97% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/gen_ke_certs.sh rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/gen_ke_certs.sh index c92b31e18..89ecb7168 100755 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/gen_ke_certs.sh +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/gen_ke_certs.sh @@ -113,7 +113,7 @@ _prepare_ke() { printf "\nError: Failed to prepare KubeEnforcer config file from local" exit 1 fi - elif curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml -o "001_kube_enforcer_config.yaml"; then + elif curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_starboard/001_kube_enforcer_config.yaml -o "001_kube_enforcer_config.yaml"; then _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$script_dir/001_kube_enforcer_config.yaml") if eval "$_addCABundle"; then printf "\nInfo: Successfully prepared 001_kube_enforcer_config.yaml manifest file.\n" diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml deleted file mode 100644 index 97ad1cc69..000000000 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml +++ /dev/null @@ -1,1463 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: ke-envoy-conf - namespace: aqua -data: - # Enable the below Env for mTLS between kube-enforcer and gateway - # AQUA_PUBLIC_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.crt" - # AQUA_PRIVATE_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.key" - # AQUA_ROOT_CA: "/opt/aquasec/ssl/rootCA.crt" - envoy.yaml: | - node: - cluster: k8s - id: - - dynamic_resources: - cds_config: - path: /etc/aquasec/envoy/cds.yaml - initial_fetch_timeout: 0s - lds_config: - path: /etc/envoy/lds.yaml - lds.yaml: | - resources: - - "@type": type.googleapis.com/envoy.config.listener.v3.Listener - name: listener_0 - address: - socket_address: - address: 0.0.0.0 - port_value: 8443 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stream_idle_timeout: 0s - drain_timeout: 20s - access_log: - - name: envoy.access_loggers.file - typed_config: - "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog - path: "/dev/stdout" - codec_type: AUTO - stat_prefix: ingress_https - route_config: - name: local_route - virtual_hosts: - - name: https - domains: - - "*" - routes: - - match: - prefix: "/agent_grpc_channel.GWChannelV2/PushNotificationHandler" - grpc: { } - route: - cluster: aqua-kube-enforcer - timeout: 0s - - match: - prefix: "/" - grpc: { } - route: - cluster: aqua-gateway - timeout: 0s - - match: - prefix: "/" - route: - cluster: aqua-kube-enforcer-k8s - timeout: 0s - - http_filters: - - name: envoy.filters.http.health_check - typed_config: - "@type": type.googleapis.com/envoy.config.filter.http.health_check.v2.HealthCheck - pass_through_mode: false - headers: - - name: ":path" - exact_match: "/healthz" - - name: "x-envoy-livenessprobe" - exact_match: "healthz" - - name: envoy.filters.http.router - typed_config: { } - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext - common_tls_context: - alpn_protocols: "h2,http/1.1" - tls_certificates: - - certificate_chain: - filename: "/etc/ssl/envoy/server.crt" - private_key: - filename: "/etc/ssl/envoy/server.key" - cds.yaml: | - resources: - - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: aqua-kube-enforcer - connect_timeout: 180s - type: STRICT_DNS - dns_lookup_family: V4_ONLY - lb_policy: ROUND_ROBIN - http2_protocol_options: - hpack_table_size: 4294967 - max_concurrent_streams: 2147483647 - circuit_breakers: - thresholds: - max_pending_requests: 2147483647 - max_requests: 2147483647 - load_assignment: - cluster_name: aqua-kube-enforcer - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: localhost - port_value: 8442 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - sni: aqua-kube-enforcer - - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: aqua-kube-enforcer-k8s - connect_timeout: 180s - type: STRICT_DNS - dns_lookup_family: V4_ONLY - lb_policy: ROUND_ROBIN - circuit_breakers: - thresholds: - max_pending_requests: 2147483647 - max_requests: 2147483647 - load_assignment: - cluster_name: aqua-kube-enforcer-k8s - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: localhost - port_value: 8449 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - sni: aqua-kube-enforcer-k8s - - "@type": type.googleapis.com/envoy.config.cluster.v3.Cluster - name: aqua-gateway - connect_timeout: 180s - type: STRICT_DNS - dns_lookup_family: V4_ONLY - lb_policy: ROUND_ROBIN - http2_protocol_options: - hpack_table_size: 4294967 - max_concurrent_streams: 2147483647 - circuit_breakers: - thresholds: - max_pending_requests: 2147483647 - max_requests: 2147483647 - load_assignment: - cluster_name: aqua-gateway - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: aqua-gateway.aqua - port_value: 8443 - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - sni: aqua-gateway - validation_context_sds_secret.yaml: | - resources: - - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" - name: "validation_context_sds" - validation_context: - trusted_ca: - filename: /etc/aquasec/envoy/ca-certificates.crt ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: kube-enforcer-admission-hook-config - namespace: aqua -webhooks: - - name: imageassurance.aquasec.com - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["*"] - apiVersions: ["*"] - resources: - - pods - - deployments - - replicasets - - replicationcontrollers - - statefulsets - - daemonsets - - jobs - - cronjobs - - configmaps - - services - - roles - - rolebindings - - clusterroles - - clusterrolebindings - - customresourcedefinitions - clientConfig: - # Please follow instruction in document to generate new CA cert - caBundle: - service: - namespace: aqua - name: aqua-kube-enforcer - timeoutSeconds: 2 - failurePolicy: Ignore - admissionReviewVersions: ["v1beta1"] - sideEffects: "None" -# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. -# namespaceSelector: -# matchExpressions: -# - key: kubernetes.io/metadata.name -# operator: NotIn -# values: -# - kube-system -# - kube-node-lease -# scope: Namespaced ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: kube-enforcer-me-injection-hook-config - namespace: aqua -webhooks: - - name: microenforcer.aquasec.com - clientConfig: - service: - name: aqua-kube-enforcer - namespace: aqua - path: "/mutate" - caBundle: - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["*"] - apiVersions: ["v1"] - resources: ["pods"] - timeoutSeconds: 2 - failurePolicy: Ignore - admissionReviewVersions: ["v1beta1"] - sideEffects: "None" -# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. -# namespaceSelector: -# matchExpressions: -# - key: kubernetes.io/metadata.name -# operator: NotIn -# values: -# - kube-system -# - kube-node-lease -# scope: Namespaced ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: aqua-kube-enforcer-sa - namespace: aqua ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aqua-kube-enforcer -rules: - - apiGroups: ["*"] - resources: ["pods", "nodes", "namespaces", "deployments", "jobs", "cronjobs", "daemonsets", "replicasets", "replicationcontrollers", "statefulsets", "clusterroles", "clusterrolebindings", "componentstatuses", "services" ] - verbs: ["get", "list", "watch"] - - apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - get - - list - - watch - - apiGroups: ["aquasecurity.github.io"] - resources: ["configauditreports", "clusterconfigauditreports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["*"] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] - - apiGroups: - - "*" - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - secrets - verbs: - - get - - list - - watch - # Comment the below 3 verbs if Pod-Enforcer injection is not going to be used - - create - - update - - delete -#### Please uncomment the below block if your platform is Openshift -# - apiGroups: ["*"] -# resources: ["pods","namespaces"] -# verbs: ["create", "delete"] -# - apiGroups: [""] -# resources: ["pods/exec"] -# verbs: ["create"] -# - apiGroups: ["operator.openshift.io"] -# resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"] -# verbs: ["get", "list", "watch"] -# - apiGroups: [ "" ] -# resources: [ "serviceaccounts", "endpoints" ] -# verbs: [ "list" ] -# - apiGroups: [ "config.openshift.io" ] -# resources: [ "clusteroperators" ] -# verbs: [ "get", "list" ] -# - apiGroups: ["security.openshift.io"] -# resources: ["securitycontextconstraints"] -# verbs: ["get", "list"] -# - apiGroups: ["machineconfiguration.openshift.io"] -# resources: ["machineconfigs", "machineconfigpools"] -# verbs: ["get", "list"] -#### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: aqua-kube-enforcer - namespace: aqua -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aqua-kube-enforcer -subjects: - - kind: ServiceAccount - name: aqua-kube-enforcer-sa - namespace: aqua ---- -# This role specific to kube-bench scans permissions -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: aqua-kube-enforcer - namespace: aqua -rules: - - apiGroups: ["*"] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - apiGroups: ["*"] - resources: ["jobs"] - verbs: ["create", "delete"] - - apiGroups: ["*"] - resources: ["pods"] - verbs: ["create", "delete"] - - apiGroups: ["*"] - resources: ["leases"] - verbs: ["get", "list", "create", "update"] - - apiGroups: [ "*" ] - resources: [ "secrets" ] - verbs: ["create", "delete"] - - apiGroups: [ "*" ] - resources: [ "configmaps" ] - verbs: ["update", "create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: aqua-kube-enforcer - namespace: aqua -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: aqua-kube-enforcer -subjects: -- kind: ServiceAccount - name: aqua-kube-enforcer-sa - namespace: aqua ---- -###### Trivy-Operator resource yamls################ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: clusterconfigauditreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterConfigAuditReport - listKind: ClusterConfigAuditReportList - plural: clusterconfigauditreports - shortNames: - - clusterconfigaudit - singular: clusterconfigauditreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of the config audit scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: ConfigAuditSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - updateTimestamp: - format: date-time - type: string - required: - - checks - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: clusterrbacassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterRbacAssessmentReport - listKind: ClusterRbacAssessmentReportList - plural: clusterrbacassessmentreports - shortNames: - - clusterrbacassessmentreport - singular: clusterrbacassessmentreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of the rbac assessment scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: RbacAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: configauditreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ConfigAuditReport - listKind: ConfigAuditReportList - plural: configauditreports - shortNames: - - configaudit - - configaudits - singular: configauditreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of the config audit scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ConfigAuditReport is a specification for the ConfigAuditReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: ConfigAuditSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - updateTimestamp: - format: date-time - type: string - required: - - checks - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: rbacassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: RbacAssessmentReport - listKind: RbacAssessmentReportList - plural: rbacassessmentreports - shortNames: - - rbacassessment - - rbacassessments - singular: rbacassessmentreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of the rbac assessment scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: RbacAssessmentReport is a specification for the RbacAssessmentReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: RbacAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator-trivy-config - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -data: - trivy.repository: "ghcr.io/aquasecurity/trivy" - trivy.tag: "0.36.0" - trivy.additionalVulnerabilityReportFields: "" - trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - trivy.slow: "true" - trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db" - trivy.command: "image" - trivy.dbRepositoryInsecure: "false" - trivy.useBuiltinRegoPolicies: "false" - trivy.supportedConfigAuditKinds: "Workload,Service,Role,RoleBinding,ClusterRole,ClusterRoleBinding,NetworkPolicy,Ingress,LimitRange,ResourceQuota,ConfigMap" - trivy.timeout: "5m0s" - trivy.mode: "Standalone" - trivy.resources.requests.cpu: 100m - trivy.resources.requests.memory: 100M - trivy.resources.limits.cpu: 500m - trivy.resources.limits.memory: 500M ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -data: - scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" - scanJob.compressLogs: "true" - vulnerabilityReports.scanner: "Trivy" - configAuditReports.scanner: "Trivy" - report.recordFailedChecksOnly: "false" ---- -apiVersion: v1 -kind: Secret -metadata: - name: trivy-operator-trivy-config - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -data: ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator-policies-config - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: trivy-operator -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - limitranges - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list - - apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - resourcequotas - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - get - - list - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - clusterconfigauditreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - clusterrbacassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - configauditreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - rbacassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: trivy-operator - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-operator - namespace: aqua ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - delete - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-operator - namespace: aqua ---- diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml index ca4fd269b..bc8e9db39 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml @@ -23,7 +23,7 @@ data: # Enable KA policy scanning via starboard AQUA_KAP_ADD_ALL_CONTROL: "true" AQUA_WATCH_CONFIG_AUDIT_REPORT: "true" - AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.1" + AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.3" AQUA_ME_IMAGE_NAME: "registry.aquasec.com/microenforcer:2022.4" AQUA_KB_ME_REGISTRY_NAME: "aqua-registry" AQUA_ENFORCER_DS_NAME: "aqua-agent" #Sets Daemonset name diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/001_kube_enforcer_config.yaml new file mode 100644 index 000000000..41ab81174 --- /dev/null +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/001_kube_enforcer_config.yaml @@ -0,0 +1,573 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: aqua-csp-kube-enforcer + namespace: aqua +data: + #Enable/Disable KB scanning on tainted nodes + AQUA_KB_SCAN_TAINTED_NODES: "true" + # Specify whether to enable/disable the cache by using "yes", "true", "no", "false" values. + # Default value is "yes". + AQUA_ENABLE_CACHE: "yes" + # Specify cache expiration period in seconds. + # Default value is 60 + AQUA_CACHE_EXPIRATION_PERIOD: "60" + TLS_SERVER_CERT_FILEPATH: "/certs/aqua_ke.crt" + TLS_SERVER_KEY_FILEPATH: "/certs/aqua_ke.key" + ## Based on your ingress config update the name here ## + AQUA_GATEWAY_SECURE_ADDRESS: "aqua-gateway.aqua:8443" + AQUA_TLS_PORT: "8443" + AQUA_LOGICAL_NAME: "" + # Cluster display name in aqua enterprise. + CLUSTER_NAME: "Default-cluster-name" + # Enable KA policy scanning via starboard + AQUA_KAP_ADD_ALL_CONTROL: "true" + AQUA_WATCH_CONFIG_AUDIT_REPORT: "true" + AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.3" + AQUA_ME_IMAGE_NAME: "registry.aquasec.com/microenforcer:2022.4" + AQUA_KB_ME_REGISTRY_NAME: "aqua-registry" + AQUA_ENFORCER_DS_NAME: "aqua-agent" #Sets Daemonset name + #Enable Skipping Kube-Bench on nodes based on node labels + # AQUA_NODE_LABELS_TO_SKIP_KB: "" #Comma-separated node-labels for nodes on which Kube-Bench is to be skipped. key1=val1,key2=val2,... + + # Enable the below Env for mTLS between kube-enforcer and gateway + # AQUA_PUBLIC_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.crt" + # AQUA_PRIVATE_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.key" + # AQUA_ROOT_CA: "/opt/aquasec/ssl/rootCA.crt" +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: kube-enforcer-admission-hook-config + namespace: aqua +webhooks: + - name: imageassurance.aquasec.com + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: + - pods + - deployments + - deploymentconfigs + - replicasets + - replicationcontrollers + - statefulsets + - daemonsets + - jobs + - cronjobs + - configmaps + - services + - roles + - rolebindings + - clusterroles + - clusterrolebindings + - customresourcedefinitions + clientConfig: + # Please follow instruction in document to generate new CA cert + caBundle: + service: + namespace: aqua + name: aqua-kube-enforcer + timeoutSeconds: 2 + failurePolicy: Ignore + admissionReviewVersions: ["v1beta1"] + sideEffects: "None" +# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. +# namespaceSelector: +# matchExpressions: +# - key: kubernetes.io/metadata.name +# operator: NotIn +# values: +# - kube-system +# - kube-node-lease +# scope: Namespaced +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: kube-enforcer-me-injection-hook-config + namespace: aqua +webhooks: + - name: microenforcer.aquasec.com + clientConfig: + service: + name: aqua-kube-enforcer + namespace: aqua + path: "/mutate" + caBundle: + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["v1"] + resources: ["pods"] + timeoutSeconds: 2 + failurePolicy: Ignore + admissionReviewVersions: ["v1beta1"] + sideEffects: "None" +# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. +# namespaceSelector: +# matchExpressions: +# - key: kubernetes.io/metadata.name +# operator: NotIn +# values: +# - kube-system +# - kube-node-lease +# scope: Namespaced +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aqua-kube-enforcer-sa + namespace: aqua +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aqua-kube-enforcer +rules: + - apiGroups: ["*"] + resources: ["pods", "nodes", "namespaces", "deployments", "jobs", "cronjobs", "daemonsets", "replicasets", "replicationcontrollers", "statefulsets", "clusterroles", "clusterrolebindings", "componentstatuses", "services" ] + verbs: ["get", "list", "watch"] + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - apiGroups: ["aquasecurity.github.io"] + resources: ["configauditreports", "clusterconfigauditreports"] + verbs: ["get", "list", "watch"] +#### Please uncomment the below block if your platform is Openshift +# - apiGroups: ["*"] +# resources: ["pods","namespaces"] +# verbs: ["create", "delete"] +# - apiGroups: [""] +# resources: ["pods/exec"] +# verbs: ["create"] +# - apiGroups: ["operator.openshift.io"] +# resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"] +# verbs: ["get", "list", "watch"] +# - apiGroups: [ "" ] +# resources: [ "serviceaccounts", "endpoints" ] +# verbs: [ "list" ] +# - apiGroups: [ "config.openshift.io" ] +# resources: [ "clusteroperators" ] +# verbs: [ "get", "list" ] +# - apiGroups: ["security.openshift.io"] +# resources: ["securitycontextconstraints"] +# verbs: ["get", "list"] +# - apiGroups: ["machineconfiguration.openshift.io"] +# resources: ["machineconfigs", "machineconfigpools"] +# verbs: ["get", "list"] +#### + - apiGroups: ["*"] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: + - "*" + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - apiGroups: + - "*" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - "*" + resources: + - secrets + verbs: + - get + - list + - watch + # Comment the below 3 verbs if Pod-Enforcer injection is not going to be used + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aqua-kube-enforcer + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aqua-kube-enforcer +subjects: + - kind: ServiceAccount + name: aqua-kube-enforcer-sa + namespace: aqua +--- +# This role specific to kube-bench scans permissions +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: aqua-kube-enforcer + namespace: aqua +rules: + - apiGroups: ["*"] + resources: ["pods/log"] + verbs: ["get", "list", "watch"] + - apiGroups: ["*"] + resources: ["jobs"] + verbs: ["create", "delete"] + - apiGroups: ["*"] + resources: ["pods"] + verbs: ["create", "delete"] + - apiGroups: ["*"] + resources: ["leases"] + verbs: ["get", "list", "create", "update"] + - apiGroups: [ "*" ] + resources: [ "secrets" ] + verbs: ["create", "delete"] + - apiGroups: [ "*" ] + resources: [ "configmaps" ] + verbs: ["update", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: aqua-kube-enforcer + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: aqua-kube-enforcer +subjects: +- kind: ServiceAccount + name: aqua-kube-enforcer-sa + namespace: aqua +--- +# Starboard resource yamls################ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: configauditreports.aquasecurity.github.io + labels: + app.kubernetes.io/managed-by: starboard + app.kubernetes.io/version: "0.15.20" +spec: + group: aquasecurity.github.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .report.scanner.name + type: string + name: Scanner + description: The name of the config audit scanner + - jsonPath: .metadata.creationTimestamp + type: date + name: Age + description: The age of the report + - jsonPath: .report.summary.criticalCount + type: integer + name: Critial + priority: 1 + description: The number of failed checks with critial severity + - jsonPath: .report.summary.highCount + type: integer + name: High + priority: 1 + description: The number of failed checks with high severity + - jsonPath: .report.summary.mediumCount + type: integer + name: Medium + priority: 1 + description: The number of failed checks with medium severity + - jsonPath: .report.summary.lowCount + type: integer + name: Low + priority: 1 + description: The number of failed checks with low severity + schema: + openAPIV3Schema: + x-kubernetes-preserve-unknown-fields: true + type: object + scope: Namespaced + names: + singular: configauditreport + plural: configauditreports + kind: ConfigAuditReport + listKind: ConfigAuditReportList + categories: [] + shortNames: + - configaudit +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterconfigauditreports.aquasecurity.github.io + labels: + app.kubernetes.io/managed-by: starboard +spec: + group: aquasecurity.github.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .report.scanner.name + type: string + name: Scanner + description: The name of the config audit scanner + - jsonPath: .metadata.creationTimestamp + type: date + name: Age + description: The age of the report + - jsonPath: .report.summary.dangerCount + type: integer + name: Danger + priority: 1 + description: The number of checks that failed with Danger status + - jsonPath: .report.summary.warningCount + type: integer + name: Warning + priority: 1 + description: The number of checks that failed with Warning status + - jsonPath: .report.summary.passCount + type: integer + name: Pass + priority: 1 + description: The number of checks that passed + schema: + openAPIV3Schema: + x-kubernetes-preserve-unknown-fields: true + type: object + scope: Cluster + names: + singular: clusterconfigauditreport + plural: clusterconfigauditreports + kind: ClusterConfigAuditReport + listKind: ClusterConfigAuditReportList + categories: [] + shortNames: + - clusterconfigaudit +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: starboard-operator + namespace: aqua +imagePullSecrets: + - name: aqua-registry +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: starboard + namespace: aqua +data: + configAuditReports.scanner: Conftest +--- +apiVersion: v1 +kind: Secret +metadata: + name: starboard + namespace: aqua +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: starboard-policies-config + namespace: aqua + labels: + app.kubernetes.io/name: starboard-operator + app.kubernetes.io/instance: starboard-operator + app.kubernetes.io/version: "0.15.20" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: starboard-operator +rules: + - apiGroups: + - "" + resources: + - pods + - pods/log + - replicationcontrollers + - resourcequotas + - limitranges + - services + - configmaps + - serviceaccounts + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - replicasets + - statefulsets + - daemonsets + - deployments + verbs: + - get + - list + - watch + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + - extensions + resources: + - networkpolicies + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - get + - list + - watch + - apiGroups: + - aquasecurity.github.io + resources: + - vulnerabilityreports + - configauditreports + - clusterconfigauditreports + - ciskubebenchreports + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: starboard-operator + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: starboard-operator +subjects: + - kind: ServiceAccount + name: starboard-operator + namespace: aqua +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: starboard-operator + namespace: aqua +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update + - apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + verbs: + - create + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: starboard-operator + namespace: aqua +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: starboard-operator +subjects: +- kind: ServiceAccount + name: starboard-operator + namespace: aqua \ No newline at end of file diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/002_kube_enforcer_secrets.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/002_kube_enforcer_secrets.yaml similarity index 100% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/002_kube_enforcer_secrets.yaml rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/002_kube_enforcer_secrets.yaml diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/003_kube_enforcer_deploy.yaml similarity index 64% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/003_kube_enforcer_deploy.yaml index 1d1dc2f2b..d04cb0221 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/003_kube_enforcer_deploy.yaml @@ -93,98 +93,63 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: trivy-operator + name: starboard-operator namespace: aqua labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl + app: starboard-operator spec: replicas: 1 strategy: type: Recreate selector: matchLabels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator + app: starboard-operator template: metadata: labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator + app: starboard-operator spec: - serviceAccountName: trivy-operator + serviceAccountName: starboard-operator automountServiceAccountToken: true + securityContext: {} containers: - - name: "trivy-operator" - image: "docker.io/aquasec/trivy-operator:0.16.1" + - name: operator + image: docker.io/aquasec/starboard-operator:0.15.20 imagePullPolicy: IfNotPresent + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL env: - name: OPERATOR_NAMESPACE value: aqua - name: OPERATOR_TARGET_NAMESPACES value: "" - - name: OPERATOR_EXCLUDE_NAMESPACES - value: "" - - name: OPERATOR_TARGET_WORKLOADS - value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" - - name: OPERATOR_SERVICE_ACCOUNT - value: "trivy-operator" - name: OPERATOR_LOG_DEV_MODE - value: "true" - - name: OPERATOR_SCAN_JOB_TIMEOUT - value: "5m" + value: "false" - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT value: "10" - name: OPERATOR_SCAN_JOB_RETRY_AFTER - value: "30s" - - name: OPERATOR_BATCH_DELETE_LIMIT - value: "10" - - name: OPERATOR_BATCH_DELETE_DELAY - value: "10s" + value: 30s - name: OPERATOR_METRICS_BIND_ADDRESS - value: ":8080" - - name: OPERATOR_METRICS_FINDINGS_ENABLED - value: "true" - - name: OPERATOR_METRICS_VULN_ID_ENABLED - value: "false" + value: :8080 - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS - value: ":9090" - - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED - value: "false" - - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS - value: "true" - - name: OPERATOR_SCANNER_REPORT_TTL - value: "24h" - - name: OPERATOR_SBOM_GENERATION_ENABLED + value: :9090 + - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED value: "false" - - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED - value: "true" - - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED - value: "false" - - name: OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED - value: "true" - - name: OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED + - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED value: "false" - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS value: "true" - - name: OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED - value: "false" - - name: OPERATOR_WEBHOOK_BROADCAST_URL - value: "" - - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT - value: "30s" - - name: OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES - value: "{}" - - name: OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS - value: "true" - - name: OPERATOR_BUILT_IN_TRIVY_SERVER + - name: OPERATOR_BATCH_DELETE_LIMIT + value: "10" + - name: OPERATOR_BATCH_DELETE_DELAY + value: "10s" + - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED value: "false" - - name: TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION - value: "10h" - - name: OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT - value: "true" ports: - name: metrics containerPort: 8080 @@ -206,14 +171,3 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 10 - resources: - {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - securityContext: - {} diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/004_kube_enforcer_scc.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/004_kube_enforcer_scc.yaml similarity index 100% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/004_kube_enforcer_scc.yaml rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/004_kube_enforcer_scc.yaml diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/README.md similarity index 94% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/README.md rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/README.md index bc7627af3..aac97381d 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/README.md +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/README.md @@ -7,9 +7,9 @@ This repository shows the manifest yaml files required to deploy Aqua KubeEnforc * OpenShift * Kubernetes engines: EKS, GKE, ICP, AKS, TKG, and TKGI -Trivy Operator is deployed with the KubeEnforcer to increase the effectiveness of Kubernetes security. +Starboard is deployed with the KubeEnforcer to increase the effectiveness of Kubernetes security. -Trivy Operator assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: +Starboard assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to: * Re-evaluate workload compliance during workload runtime, taking any workload and policy changes into account * Reflect the results of compliance evaluation in the Aqua UI at all times, not only when workloads are created @@ -68,11 +68,11 @@ You can skip any step in this section, if you have already performed. 1. Generate certs for aqua namespace. ```shell - curl -s https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/gen_ke_certs.sh | bash + curl -s https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/gen_ke_certs.sh | bash ``` 2. Generate certs for custom namespace, Replace the `` in the below command with the namespace where KE is going to be deployed, and run the command. ```shell - curl https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/gen_ke_certs.sh | bash -s -- + curl https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/gen_ke_certs.sh | bash -s -- ``` - **Option B (Manual)**: Perform the steps mentioned in the [Deploy the KubeEnforcer Config manually](#deploy-the-kubeenforcer-config-manually) section. @@ -96,19 +96,19 @@ You can skip any step in this section, if you have already performed. * Download, edit, and apply the secrets manifest file to create the token and SSL cert secrets. ```SHELL - kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/002_kube_enforcer_secrets.yaml + kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/002_kube_enforcer_secrets.yaml ``` ***Note: For KubeEnforcer deployment in OpenShift environments*** * Prior to deployment of the KubeEnforcer, apply kube-enforcer scc: ```shell - kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/004_kube_enforcer_scc.yaml + kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/004_kube_enforcer_scc.yaml ``` **Step 3. Deploy KubeEnforcer.** ```SHELL - kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml + kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/003_kube_enforcer_deploy.yaml ``` ### Deploy the KubeEnforcer Config manually diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/gen_ke_certs.sh b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/gen_ke_certs.sh similarity index 76% rename from enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/gen_ke_certs.sh rename to enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/gen_ke_certs.sh index c5e4c2628..f6397dd98 100755 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/gen_ke_certs.sh +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/gen_ke_certs.sh @@ -100,30 +100,39 @@ EOF fi } -_prepare_ke() { +# for using custom namespace instead of AQUA NS download the 001_kube_enforcer_config.yaml, make changes to it and keep it in current directory where this script is running +_prepare_ke() { script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" &> /dev/null && pwd) _rootCA=$(cat rootCA.crt | base64 | tr -d '\n' | tr -d '\r') - githubBranch="2022.4" - if test -f "$script_dir/001_kube_enforcer_config.yaml"; then + local_config_file="./001_kube_enforcer_config.yaml" # path of local 001_kube_enforcer_config.yaml file + + if test -f "$local_config_file"; then + # Add CA bundle to the local KubeEnforcer config file _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$script_dir/001_kube_enforcer_config.yaml") if eval "$_addCABundle"; then - printf "\nInfo: Successfully prepared 001_kube_enforcer_config.yaml manifest file.\n" + printf "\nInfo: Successfully prepared config.yaml manifest file.\n" _deploy_ke_admin else printf "\nError: Failed to prepare KubeEnforcer config file from local" exit 1 fi - elif curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml -o "001_kube_enforcer_config.yaml"; then - _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$script_dir/001_kube_enforcer_config.yaml") - if eval "$_addCABundle"; then - printf "\nInfo: Successfully prepared 001_kube_enforcer_config.yaml manifest file.\n" - _deploy_ke_admin + else # for deploying kube enforcer in default namespace, i.e., AQUA. + printf "\nInfo: Local config file not found, attempting to download from GitHub\n" + githubBranch="2022.4" + if curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_starboard/001_kube_enforcer_config.yaml -o "$local_config_file"; then + # Add CA bundle to the downloaded KubeEnforcer config file + _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$local_config_file") + if eval "$_addCABundle"; then + printf "\nInfo: Successfully prepared config.yaml manifest file.\n" + _deploy_ke_admin + else + printf "\nError: Failed to prepare KubeEnforcer config file from GitHub" + exit 1 + fi else - printf "\nError: Failed to prepare KubeEnforcer config file from github" + printf "\nError: Failed to download config.yaml manifest file from GitHub" exit 1 fi - else - printf "\nError: Failed to download 001_kube_enforcer_config.yaml manifest file" fi } diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml deleted file mode 100644 index 538144f4c..000000000 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml +++ /dev/null @@ -1,1312 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: aqua-csp-kube-enforcer - namespace: aqua -data: - #Enable/Disable KB scanning on tainted nodes - AQUA_KB_SCAN_TAINTED_NODES: "true" - # Specify whether to enable/disable the cache by using "yes", "true", "no", "false" values. - # Default value is "yes". - AQUA_ENABLE_CACHE: "yes" - # Specify cache expiration period in seconds. - # Default value is 60 - AQUA_CACHE_EXPIRATION_PERIOD: "60" - TLS_SERVER_CERT_FILEPATH: "/certs/aqua_ke.crt" - TLS_SERVER_KEY_FILEPATH: "/certs/aqua_ke.key" - ## Based on your ingress config update the name here ## - AQUA_GATEWAY_SECURE_ADDRESS: "aqua-gateway.aqua:8443" - AQUA_TLS_PORT: "8443" - AQUA_LOGICAL_NAME: "" - # Cluster display name in aqua enterprise. - CLUSTER_NAME: "Default-cluster-name" - # Enable KA policy scanning via Trivy-Operator - AQUA_KAP_ADD_ALL_CONTROL: "true" - AQUA_WATCH_CONFIG_AUDIT_REPORT: "true" - AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.1" - AQUA_ME_IMAGE_NAME: "registry.aquasec.com/microenforcer:2022.4" - AQUA_KB_ME_REGISTRY_NAME: "aqua-registry" - AQUA_ENFORCER_DS_NAME: "aqua-agent" #Sets Daemonset name - #Enable Skipping Kube-Bench on nodes based on node labels - # AQUA_NODE_LABELS_TO_SKIP_KB: "" #Comma-separated node-labels for nodes on which Kube-Bench is to be skipped. key1=val1,key2=val2,... - - # Enable the below Env for mTLS between kube-enforcer and gateway - # AQUA_PUBLIC_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.crt" - # AQUA_PRIVATE_KEY: "/opt/aquasec/ssl/aqua_kube-enforcer.key" - # AQUA_ROOT_CA: "/opt/aquasec/ssl/rootCA.crt" ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: kube-enforcer-admission-hook-config - namespace: aqua -webhooks: - - name: imageassurance.aquasec.com - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["*"] - apiVersions: ["*"] - resources: - - pods - - deployments - - deploymentconfigs - - replicasets - - replicationcontrollers - - statefulsets - - daemonsets - - jobs - - cronjobs - - configmaps - - services - - roles - - rolebindings - - clusterroles - - clusterrolebindings - - customresourcedefinitions - clientConfig: - # Please follow instruction in document to generate new CA cert - caBundle: - service: - namespace: aqua - name: aqua-kube-enforcer - timeoutSeconds: 2 - failurePolicy: Ignore - admissionReviewVersions: ["v1beta1"] - sideEffects: "None" -# Uncomment the below to ensure that the webhook executes exclusively on objects in namespaces other than kube-system and kube-node-lease. -# namespaceSelector: -# matchExpressions: -# - key: kubernetes.io/metadata.name -# operator: NotIn -# values: -# - kube-system -# - kube-node-lease -# scope: Namespaced ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: kube-enforcer-me-injection-hook-config - namespace: aqua -webhooks: - - name: microenforcer.aquasec.com - clientConfig: - service: - name: aqua-kube-enforcer - namespace: aqua - path: "/mutate" - caBundle: - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["*"] - apiVersions: ["v1"] - resources: ["pods"] - timeoutSeconds: 2 - failurePolicy: Ignore - admissionReviewVersions: ["v1beta1"] - sideEffects: "None" ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: aqua-kube-enforcer-sa - namespace: aqua ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aqua-kube-enforcer -rules: - - apiGroups: ["*"] - resources: ["pods", "nodes", "namespaces", "deployments", "jobs", "cronjobs", "daemonsets", "replicasets", "replicationcontrollers", "statefulsets", "clusterroles", "clusterrolebindings", "componentstatuses", "services" ] - verbs: ["get", "list", "watch"] - - apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - get - - list - - watch - - apiGroups: ["aquasecurity.github.io"] - resources: ["configauditreports", "clusterconfigauditreports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["*"] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] - - apiGroups: - - "*" - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - secrets - verbs: - - get - - list - - watch - # Comment the below 3 verbs if Pod-Enforcer injection is not going to be used - - create - - update - - delete -#### Please uncomment the below block if your platform is Openshift -# - apiGroups: ["*"] -# resources: ["pods","namespaces"] -# verbs: ["create", "delete"] -# - apiGroups: [""] -# resources: ["pods/exec"] -# verbs: ["create"] -# - apiGroups: ["operator.openshift.io"] -# resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"] -# verbs: ["get", "list", "watch"] -# - apiGroups: [ "" ] -# resources: [ "serviceaccounts", "endpoints" ] -# verbs: [ "list" ] -# - apiGroups: [ "config.openshift.io" ] -# resources: [ "clusteroperators" ] -# verbs: [ "get", "list" ] -# - apiGroups: ["security.openshift.io"] -# resources: ["securitycontextconstraints"] -# verbs: ["get", "list"] -# - apiGroups: ["machineconfiguration.openshift.io"] -# resources: ["machineconfigs", "machineconfigpools"] -# verbs: ["get", "list"] -#### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: aqua-kube-enforcer - namespace: aqua -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aqua-kube-enforcer -subjects: - - kind: ServiceAccount - name: aqua-kube-enforcer-sa - namespace: aqua ---- -# This role specific to kube-bench scans permissions -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: aqua-kube-enforcer - namespace: aqua -rules: - - apiGroups: ["*"] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - apiGroups: ["*"] - resources: ["jobs"] - verbs: ["create", "delete"] - - apiGroups: ["*"] - resources: ["pods"] - verbs: ["create", "delete"] - - apiGroups: ["*"] - resources: ["leases"] - verbs: ["get", "list", "create", "update"] - - apiGroups: [ "*" ] - resources: [ "secrets" ] - verbs: ["create", "delete"] - - apiGroups: [ "*" ] - resources: [ "configmaps" ] - verbs: ["update", "create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: aqua-kube-enforcer - namespace: aqua -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: aqua-kube-enforcer -subjects: -- kind: ServiceAccount - name: aqua-kube-enforcer-sa - namespace: aqua ---- -###### Trivy-Operator resource yamls################ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: clusterconfigauditreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterConfigAuditReport - listKind: ClusterConfigAuditReportList - plural: clusterconfigauditreports - shortNames: - - clusterconfigaudit - singular: clusterconfigauditreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of the config audit scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: ConfigAuditSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - updateTimestamp: - format: date-time - type: string - required: - - checks - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: clusterrbacassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ClusterRbacAssessmentReport - listKind: ClusterRbacAssessmentReportList - plural: clusterrbacassessmentreports - shortNames: - - clusterrbacassessmentreport - singular: clusterrbacassessmentreport - scope: Cluster - versions: - - additionalPrinterColumns: - - description: The name of the rbac assessment scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: RbacAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: configauditreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: ConfigAuditReport - listKind: ConfigAuditReportList - plural: configauditreports - shortNames: - - configaudit - - configaudits - singular: configauditreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of the config audit scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: ConfigAuditReport is a specification for the ConfigAuditReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: ConfigAuditSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - updateTimestamp: - format: date-time - type: string - required: - - checks - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: rbacassessmentreports.aquasecurity.github.io -spec: - group: aquasecurity.github.io - names: - kind: RbacAssessmentReport - listKind: RbacAssessmentReportList - plural: rbacassessmentreports - shortNames: - - rbacassessment - - rbacassessments - singular: rbacassessmentreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of the rbac assessment scanner - jsonPath: .report.scanner.name - name: Scanner - type: string - - description: The age of the report - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The number of failed checks with critical severity - jsonPath: .report.summary.criticalCount - name: Critical - priority: 1 - type: integer - - description: The number of failed checks with high severity - jsonPath: .report.summary.highCount - name: High - priority: 1 - type: integer - - description: The number of failed checks with medium severity - jsonPath: .report.summary.mediumCount - name: Medium - priority: 1 - type: integer - - description: The number of failed checks with low severity - jsonPath: .report.summary.lowCount - name: Low - priority: 1 - type: integer - name: v1alpha1 - schema: - openAPIV3Schema: - description: RbacAssessmentReport is a specification for the RbacAssessmentReport - resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - report: - properties: - checks: - description: Checks provides results of conducting audit steps. - items: - description: Check provides the result of conducting a single audit - step. - properties: - category: - type: string - checkID: - type: string - description: - type: string - messages: - items: - type: string - type: array - remediation: - description: Remediation provides description or links to external - resources to remediate failing check. - type: string - scope: - description: Scope indicates the section of config that was - audited. - properties: - type: - description: Type indicates type of this scope, e.g. Container, - ConfigMapKey or JSONPath. - type: string - value: - description: Value indicates value of this scope that depends - on Type, e.g. container name, ConfigMap key or JSONPath - expression - type: string - required: - - type - - value - type: object - severity: - description: Severity level of a vulnerability or a configuration - audit check. - type: string - success: - type: boolean - title: - type: string - required: - - checkID - - severity - - success - type: object - type: array - scanner: - description: Scanner is the spec for a scanner generating a security - assessment report. - properties: - name: - description: Name the name of the scanner. - type: string - vendor: - description: Vendor the name of the vendor providing the scanner. - type: string - version: - description: Version the version of the scanner. - type: string - required: - - name - - vendor - - version - type: object - summary: - description: RbacAssessmentSummary counts failed checks by severity. - properties: - criticalCount: - description: CriticalCount is the number of failed checks with - critical severity. - type: integer - highCount: - description: HighCount is the number of failed checks with high - severity. - type: integer - lowCount: - description: LowCount is the number of failed check with low severity. - type: integer - mediumCount: - description: MediumCount is the number of failed checks with medium - severity. - type: integer - required: - - criticalCount - - highCount - - lowCount - - mediumCount - type: object - required: - - checks - - scanner - - summary - type: object - required: - - report - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator-trivy-config - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -data: - trivy.repository: "ghcr.io/aquasecurity/trivy" - trivy.tag: "0.36.0" - trivy.additionalVulnerabilityReportFields: "" - trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - trivy.slow: "true" - trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db" - trivy.command: "image" - trivy.dbRepositoryInsecure: "false" - trivy.useBuiltinRegoPolicies: "false" - trivy.supportedConfigAuditKinds: "Workload,Service,Role,RoleBinding,ClusterRole,ClusterRoleBinding,NetworkPolicy,Ingress,LimitRange,ResourceQuota,ConfigMap" - trivy.timeout: "5m0s" - trivy.mode: "Standalone" - trivy.resources.requests.cpu: 100m - trivy.resources.requests.memory: 100M - trivy.resources.limits.cpu: 500m - trivy.resources.limits.memory: 500M ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -data: - scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" - scanJob.compressLogs: "true" - vulnerabilityReports.scanner: "Trivy" - configAuditReports.scanner: "Trivy" - report.recordFailedChecksOnly: "false" ---- -apiVersion: v1 -kind: Secret -metadata: - name: trivy-operator-trivy-config - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -data: ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: trivy-operator-policies-config - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: trivy-operator -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - limitranges - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list - - apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - resourcequotas - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - get - - list - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - clusterconfigauditreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - clusterrbacassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - configauditreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - aquasecurity.github.io - resources: - - rbacassessmentreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: trivy-operator - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-operator - namespace: aqua ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - delete - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: trivy-operator - namespace: aqua - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.16.1" - app.kubernetes.io/managed-by: kubectl -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-operator - namespace: aqua ---- diff --git a/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-default-storage.yaml b/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-default-storage.yaml index 3b5f1aaf1..eec9bd5e2 100644 --- a/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-default-storage.yaml +++ b/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-default-storage.yaml @@ -799,7 +799,7 @@ data: # Enable KA policy scanning via starboard AQUA_KAP_ADD_ALL_CONTROL: "true" AQUA_WATCH_CONFIG_AUDIT_REPORT: "true" - AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.1" + AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.3" AQUA_ME_IMAGE_NAME: "registry.aquasec.com/microenforcer:2022.4" AQUA_KB_ME_REGISTRY_NAME: "aqua-registry" AQUA_ENFORCER_DS_NAME: "aqua-agent" #Sets Daemonset name diff --git a/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-hostpath.yaml b/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-hostpath.yaml index 819d7850e..79c86adeb 100644 --- a/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-hostpath.yaml +++ b/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-hostpath.yaml @@ -816,7 +816,7 @@ data: # Enable KA policy scanning via starboard AQUA_KAP_ADD_ALL_CONTROL: "true" AQUA_WATCH_CONFIG_AUDIT_REPORT: "true" - AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.1" + AQUA_KB_IMAGE_NAME: "aquasec/kube-bench:v0.7.3" AQUA_ME_IMAGE_NAME: "registry.aquasec.com/microenforcer:2022.4" AQUA_KB_ME_REGISTRY_NAME: "aqua-registry" AQUA_ENFORCER_DS_NAME: "aqua-agent" #Sets Daemonset name