Skip to content

Operator is an in-cluster component of the Kubescape security platform. It allows clients to connect to itself, listens for commands from the connected clients and controls other in-cluster components according to received commands.

License

Notifications You must be signed in to change notification settings

kubescape/operator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Operator

OpenSSF Scorecard

The Operator component is at the heart of Kubescape as it is the triggering engine for the different actions in the cluster; It responds to REST API requests and messages received over websocket connections, and triggers the relevant action in the cluster. Such actions could be triggering a configuration scan, an image vulnerability scan, defining a recurring scan (by creating CronJobs), etc.

Running Operator

Build Operator go build .
Run the executable. You can run the executable as a stand-alone and as part of the Kubescape cluster components.

Prerequisites

  • A running Kubernetes cluster

Preparations

If you will be running the Operator as part of the Kubescape cluster components, you need to prepare the environment, as follows:.

  1. install Kubescape cluster components

  2. Port-forward the other in-cluster components ports, this way the Operator will communicate with them.

    kubectl port-forward -n kubescape service/kubescape 8080:8080 & 
    kubectl port-forward -n kubescape service/kubevuln 8081:8080 & 
    
  3. Add configuration files.

/etc/config/capabilities.json
{
  "capabilities": {
    "configurationScan": "enable",
    "continuousScan": "disable",
    "networkGenerator": "disable",
    "nodeScan": "enable",
    "otel": "enable",
    "relevancy": "enable",
    "runtimeObservability": "disable",
    "seccomp": "disable",
    "vulnerabilityScan": "enable"
  },
  "components": {
    "hostScanner": {
      "enabled": true
    },
    "kubescape": {
      "enabled": true
    },
    "kubescapeScheduler": {
      "enabled": true
    },
    "kubevuln": {
      "enabled": true
    },
    "kubevulnScheduler": {
      "enabled": true
    },
    "nodeAgent": {
      "enabled": true
    },
    "operator": {
      "enabled": true
    },
    "otelCollector": {
      "enabled": true
    },
    "storage": {
      "enabled": true
    }
  },
  "configurations": {
    "persistence": "enable",
    "server": {
      "account": null,
      "url": "foo.com"
    }
  }
}
/etc/config/clusterData.json
{
   "kubevulnURL": "127.0.0.1:8081",
   "kubescapeURL": "127.0.0.1:8080",
   "accountID": "*********************",
   "clusterName": "******"
}
/etc/config/config.json
{
  "cleanupdelay": 600000000000,
  "matchingrulesfilename": "/etc/config/matchingRules.json",
  "namespace": "kubescape",
  "port": "4002",
  "triggersecurityframework": false,
  "workerconcurrency": 3
}
/etc/config/services.json
{
  "version": "v1",
  "response": {
    "event-receiver-http": "https://report.armo.cloud",
    "event-receiver-ws": "wss://report.armo.cloud",
    "api-server": "https://api.armosec.io",
    "metrics": "otelcol.armosec.io:443"
  }
}
If continuous scanning is enabled, add the following configuration file (change to the relevant values):
/etc/config/matchingRules.json
{
    "match": [
        {
            "apiGroups": [
                "apps"
            ],
            "apiVersions": [
                "v1"
            ],
            "resources": [
                "deployments"
            ]
        }
    ],
    "namespaces": [
        "default"
    ]
}
## API Documentation

The Operator provides an HTTP API.

You can learn more about the API using one of the provided interactive OpenAPI UIs:

  • SwaggerUI, available at /openapi/v2/swaggerui
  • RapiDoc, available at /openapi/v2/rapi
  • Redoc, available at /openapi/v2/docs

Environment Variables

Check out utils/environmentvariables.go

Example Requests

Trigger an Action

Example
curl -X POST http://<Kuntroller-url>/v1/triggerAction
   -H 'Content-Type: application/json'
   -d '{
	    "commands": [
		{
		    "CommandName": "scan",
		    "WildWlid": "wlid://cluster-minikube-v1"
		}
	    ]
	}'

Trigger Kubescape scanning

Example
curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
	    "commands": [
		{
		    "CommandName": "kubescapeScan",
		    "args": {
			"scanV1": {
			    "submit": true
			}
		    }
		}
	    ]
	}' \
   http://127.0.0.1:4002/v1/triggerAction

Create a CronJob that will repeatedly trigger a Kubescape scanning all frameworks

Example
curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
	    "commands": [
		{
		    "CommandName": "setKubescapeCronJob",
		    "args": {
			"kubescapeJobParams": {
			    "cronTabSchedule": "* * * * *"
			},
			"scanV1": {
			    "submit": true
			}
		    }
		}
	    ]
	}' \
   http://127.0.0.1:4002/v1/triggerAction

Create a CronJob that will repeatedly trigger a Kubescape scann according to a specific framework

Example
curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
	    "commands": [
		{
		    "CommandName": "setKubescapeCronJob",
		    "args": {
			"kubescapeJobParams": {
			    "cronTabSchedule": "* * * * *"
			},
			"scanV1": {
			    "submit": true,
			    "targetType": "framework",
			    "targetNames": [
				"nsa"
			    ]
			}
		    }
		}
	    ]
	}' \
   http://127.0.0.1:4002/v1/triggerAction

Trigger Kubevuln scanning

Example
curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
	    "commands": [
		{
		    "CommandName": "scan",
		    "WildWlid": "wlid://cluster-minikube-v1"
		}
	    ]
	}' \
   http://127.0.0.1:4002/v1/triggerAction

Create a CronJob that will repeatedly trigger a Kubevuln scan

Example
curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
         "commands": [
            {
                  "CommandName": "setVulnScanCronJob",
                  "WildWlid": "wlid://cluster-minikube/namespace-systest-ns-chj8",
                  "args": {
                     "jobParams": {
                        "cronTabSchedule": "* * * * *"
                     }
                  }
            }
         ]
      }' \
   http://127.0.0.1:4002/v1/triggerAction

Update a CronJob that repeatedly triggers a Kubevuln scan

Example
curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
         "commands": [
            {
                  "CommandName": "updateVulnScanCronJob",
                  "args": {
                     "jobParams": {
                        "cronTabSchedule": "* * * * *",
                        "name": "vuln-scan-scheduled-2393196145723502557"
                     }
                  }
            }
         ]
      }' \
   http://127.0.0.1:4002/v1/triggerAction

Delete a CronJob that repeatedly triggers a Kubevuln scan

Example
curl -X POST \
   -H 'Content-Type: application/json' \
   -d '{
         "commands": [
            {
                  "CommandName": "deleteVulnScanCronJob",
                  "args": {
                     "jobParams": {
                        "cronTabSchedule": "2 0 * * *",
                        "name": "vuln-scan-scheduled-605400646375517620"
                     }
                  }
            }
         ]
      }' \
   http://127.0.0.1:4002/v1/triggerAction

VS code configuration samples

You can use the sample files below to setup your VS code environment for building and debugging purposes.

.vscode/launch.json
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Launch Package",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program":  "${workspaceRoot}",
                 "env": {
                     "PORT": "4002",
                     "NAMESPACE": "kubescape",
                     "CONFIG": "${workspaceRoot}/.vscode/clusterData.json",
            },
            "args": [
                "-alsologtostderr", "-v=4", "2>&1"
            ]
        }
    ]
}

We configured the Operator to listen to port 4002, and define the configuration in the clusterData.json file as mentioned above.

and also need to open the ports of the other in-cluster components, as mentioned above.

Running Operator as stand-alone

The Operator also supports running as a stand-alone. For this you need to define in the config file, for the relevant values that will be empty. For example:

.vscode/clusterData.json
{
    "kubevulnURL": "",
    "kubescapeURL": "",
    "accountID": "*********************",
    "clusterName": "******"
}

Also do not specify a service config file for the backend addresses.

About

Operator is an in-cluster component of the Kubescape security platform. It allows clients to connect to itself, listens for commands from the connected clients and controls other in-cluster components according to received commands.

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages