# Operator

The Operator component is at the heart of Kubescape: it is the triggering engine for the different actions in the cluster. It responds to REST API requests and to messages received over websocket connections, and triggers the relevant action in the cluster. Such actions include triggering a configuration scan, triggering an image vulnerability scan, defining a recurring scan (by creating CronJobs), and so on.
## Running Operator

1. Build the Operator:

   ```bash
   go build .
   ```

2. Run the executable. You can run the executable stand-alone or as part of the Kubescape cluster components.
### Prerequisites

- A running Kubernetes cluster
### Preparations

If you are running the Operator as part of the Kubescape cluster components, prepare the environment as follows:

1. Install the Kubescape cluster components.
2. Port-forward the ports of the other in-cluster components so the Operator can reach them:

   ```bash
   kubectl port-forward -n kubescape service/kubescape 8080:8080 &
   kubectl port-forward -n kubescape service/kubevuln 8081:8080 &
   kubectl port-forward -n kubescape service/gateway 8001:8001 &
   ```

3. Add a configuration file, for example `example/clusterData.json`:

   ```json
   {
     "gatewayWebsocketURL": "127.0.0.1:8001",
     "gatewayRestURL": "127.0.0.1:8002",
     "kubevulnURL": "127.0.0.1:8081",
     "kubescapeURL": "127.0.0.1:8080",
     "eventReceiverRestURL": "https://report.armo.cloud",
     "eventReceiverWebsocketURL": "wss://report.armo.cloud",
     "rootGatewayURL": "wss://ens.euprod1.cyberarmorsoft.com/v1/waitfornotification",
     "accountID": "*********************",
     "clusterName": "******"
   }
   ```

4. Set the file path in the `CONFIG` environment variable:

   ```bash
   export CONFIG=path/to/clusterData.json
   ```
## API Documentation

The Operator provides an HTTP API.

You can learn more about the API using one of the provided interactive OpenAPI UIs:

- SwaggerUI, available at `/openapi/v2/swaggerui`
- RapiDoc, available at `/openapi/v2/rapi`
- Redoc, available at `/openapi/v2/docs`

## Environment Variables

See `utils/environmentvariables.go`.
## Example Requests

### Trigger an Action

Example:

```bash
curl -X POST http://<Kuntroller-url>/v1/triggerAction \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "scan",
        "WildWlid": "wlid://cluster-minikube-v1"
      }
    ]
  }'
```
Example:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "kubescapeScan",
        "args": {
          "scanV1": {
            "submit": true
          }
        }
      }
    ]
  }' \
  http://127.0.0.1:4002/v1/triggerAction
```
### Create a CronJob that repeatedly triggers a Kubescape scan of all frameworks

Example:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "setKubescapeCronJob",
        "args": {
          "kubescapeJobParams": {
            "cronTabSchedule": "* * * * *"
          },
          "scanV1": {
            "submit": true
          }
        }
      }
    ]
  }' \
  http://127.0.0.1:4002/v1/triggerAction
```
### Create a CronJob that repeatedly triggers a Kubescape scan of a specific framework

Example:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "setKubescapeCronJob",
        "args": {
          "kubescapeJobParams": {
            "cronTabSchedule": "* * * * *"
          },
          "scanV1": {
            "submit": true,
            "targetType": "framework",
            "targetNames": [
              "nsa"
            ]
          }
        }
      }
    ]
  }' \
  http://127.0.0.1:4002/v1/triggerAction
```
### Trigger Kubevuln scanning

Example:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "scan",
        "WildWlid": "wlid://cluster-minikube-v1"
      }
    ]
  }' \
  http://127.0.0.1:4002/v1/triggerAction
```
### Create a CronJob that repeatedly triggers a Kubevuln scan

Example:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "setVulnScanCronJob",
        "WildWlid": "wlid://cluster-minikube/namespace-systest-ns-chj8",
        "args": {
          "jobParams": {
            "cronTabSchedule": "* * * * *"
          }
        }
      }
    ]
  }' \
  http://127.0.0.1:4002/v1/triggerAction
```
### Update a CronJob that repeatedly triggers a Kubevuln scan

Example:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "updateVulnScanCronJob",
        "args": {
          "jobParams": {
            "cronTabSchedule": "* * * * *",
            "name": "vuln-scan-scheduled-2393196145723502557"
          }
        }
      }
    ]
  }' \
  http://127.0.0.1:4002/v1/triggerAction
```
### Delete a CronJob that repeatedly triggers a Kubevuln scan

Example:

```bash
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "commands": [
      {
        "CommandName": "deleteVulnScanCronJob",
        "args": {
          "jobParams": {
            "cronTabSchedule": "2 0 * * *",
            "name": "vuln-scan-scheduled-605400646375517620"
          }
        }
      }
    ]
  }' \
  http://127.0.0.1:4002/v1/triggerAction
```
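The curl examples above all post the same `{"commands": [...]}` envelope and differ only in `CommandName`, `WildWlid` and the `args` sub-objects. The following is an added example (not code from the Kubescape project) of a small Go client that builds those bodies with typed structs, validates the inputs before they are sent, and posts them to `/v1/triggerAction`. The struct field names mirror the JSON keys shown in the examples above; the `OPERATOR_URL` variable used in `main` is an assumption for this example only, and the minimal five-field cron check is a client-side sanity check, not the Operator's own validation.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// JSON keys below mirror the README's /v1/triggerAction examples:
// CommandName, WildWlid, args.scanV1, args.kubescapeJobParams, args.jobParams.
type ScanV1 struct {
	Submit      bool     `json:"submit"`
	TargetType  string   `json:"targetType,omitempty"`
	TargetNames []string `json:"targetNames,omitempty"`
}

type JobParams struct {
	CronTabSchedule string `json:"cronTabSchedule"`
	Name            string `json:"name,omitempty"`
}

type Args struct {
	ScanV1             *ScanV1    `json:"scanV1,omitempty"`
	KubescapeJobParams *JobParams `json:"kubescapeJobParams,omitempty"`
	JobParams          *JobParams `json:"jobParams,omitempty"`
}

type Command struct {
	CommandName string `json:"CommandName"`
	WildWlid    string `json:"WildWlid,omitempty"`
	Args        *Args  `json:"args,omitempty"`
}

type TriggerActionRequest struct {
	Commands []Command `json:"commands"`
}

// validCron is a minimal client-side check: a crontab schedule has exactly
// five whitespace-separated fields. Field ranges are not validated here.
func validCron(schedule string) bool { return len(strings.Fields(schedule)) == 5 }

// KubescapeScan builds the one-off "kubescapeScan" command.
func KubescapeScan(submit bool) Command {
	return Command{CommandName: "kubescapeScan", Args: &Args{ScanV1: &ScanV1{Submit: submit}}}
}

// KubescapeCronJob builds "setKubescapeCronJob". An empty frameworks slice
// scans all frameworks; otherwise targetType/targetNames restrict the scan.
func KubescapeCronJob(schedule string, frameworks []string, submit bool) (Command, error) {
	if !validCron(schedule) {
		return Command{}, fmt.Errorf("invalid cron schedule %q", schedule)
	}
	scan := &ScanV1{Submit: submit}
	if len(frameworks) > 0 {
		scan.TargetType, scan.TargetNames = "framework", frameworks
	}
	return Command{CommandName: "setKubescapeCronJob",
		Args: &Args{KubescapeJobParams: &JobParams{CronTabSchedule: schedule}, ScanV1: scan}}, nil
}

// VulnScanCronJob builds "setVulnScanCronJob" scoped to a WLID.
func VulnScanCronJob(wlid, schedule string) (Command, error) {
	if !strings.HasPrefix(wlid, "wlid://") {
		return Command{}, errors.New("WildWlid must start with wlid://")
	}
	if !validCron(schedule) {
		return Command{}, fmt.Errorf("invalid cron schedule %q", schedule)
	}
	return Command{CommandName: "setVulnScanCronJob", WildWlid: wlid,
		Args: &Args{JobParams: &JobParams{CronTabSchedule: schedule}}}, nil
}

// EncodeTriggerAction serialises the commands into the request body.
func EncodeTriggerAction(cmds ...Command) ([]byte, error) {
	if len(cmds) == 0 {
		return nil, errors.New("at least one command is required")
	}
	return json.Marshal(TriggerActionRequest{Commands: cmds})
}

// PostTriggerAction sends the body to <baseURL>/v1/triggerAction with a
// timeout so a hung Operator cannot block the caller, and returns the status.
func PostTriggerAction(baseURL string, body []byte) (int, error) {
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Post(baseURL+"/v1/triggerAction", "application/json", bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	cmd, err := KubescapeCronJob("0 2 * * *", []string{"nsa"}, true)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	body, _ := EncodeTriggerAction(cmd)
	fmt.Println(string(body))
	// OPERATOR_URL is a hypothetical variable for this example, e.g. http://127.0.0.1:4002.
	if base := os.Getenv("OPERATOR_URL"); base != "" {
		status, err := PostTriggerAction(base, body)
		fmt.Println("status:", status, "err:", err)
	}
}
```

Run with `go run .` to print the encoded body; set `OPERATOR_URL` to a locally port-forwarded Operator (for example `http://127.0.0.1:4002`) to actually post it. Building the body from structs rather than pasting JSON means a typo in a key or a malformed schedule is caught before the request leaves the client.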
## VS Code configuration samples

You can use the sample files below to set up your VS Code environment for building and debugging.

`.vscode/launch.json`:

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch Package",
      "type": "go",
      "request": "launch",
      "mode": "auto",
      "program": "${workspaceRoot}",
      "env": {
        "PORT": "4002",
        "NAMESPACE": "kubescape",
        "CONFIG": "${workspaceRoot}/.vscode/clusterData.json"
      },
      "args": [
        "-alsologtostderr", "-v=4", "2>&1"
      ]
    }
  ]
}
```

This configures the Operator to listen on port 4002 and to read its configuration from the `clusterData.json` file described above. The ports of the other in-cluster components also need to be forwarded, as described above.
## Running Operator as stand-alone

The Operator also supports running stand-alone. For this, leave the values for the components you are not running empty in the config file, for example:

`.vscode/clusterData.json`:

```json
{
  "gatewayWebsocketURL": "",
  "gatewayRestURL": "",
  "kubevulnURL": "",
  "kubescapeURL": "",
  "eventReceiverRestURL": "",
  "eventReceiverWebsocketURL": "",
  "rootGatewayURL": "",
  "accountID": "*********************",
  "clusterName": "******"
}
```
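The configuration file used in the Preparations section and the stand-alone variant above are the same `clusterData.json` with component URLs either filled in or left empty. The following is an added example (not the Operator's own config loader) of how such a file can be read from the `CONFIG` environment variable and checked before use: unknown keys (typically a misspelled URL key that would otherwise be silently ignored and leave a component unreachable) are rejected, the account and cluster fields are required, empty URLs are reported as disabled components, and the backend URLs are flagged if they are set without TLS. The struct field names mirror the keys in the README's file; the interpretation that an empty URL means "do not contact this component" and that the `eventReceiver*` and `rootGatewayURL` endpoints leave the cluster are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// ClusterData mirrors the keys of the README's clusterData.json.
type ClusterData struct {
	GatewayWebsocketURL       string `json:"gatewayWebsocketURL"`
	GatewayRestURL            string `json:"gatewayRestURL"`
	KubevulnURL               string `json:"kubevulnURL"`
	KubescapeURL              string `json:"kubescapeURL"`
	EventReceiverRestURL      string `json:"eventReceiverRestURL"`
	EventReceiverWebsocketURL string `json:"eventReceiverWebsocketURL"`
	RootGatewayURL            string `json:"rootGatewayURL"`
	AccountID                 string `json:"accountID"`
	ClusterName               string `json:"clusterName"`
}

// ParseClusterData decodes the file strictly: a misspelled key is an error
// rather than a silently missing URL, and the identity fields must be set.
func ParseClusterData(raw []byte) (*ClusterData, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var cd ClusterData
	if err := dec.Decode(&cd); err != nil {
		return nil, fmt.Errorf("clusterData.json: %w", err)
	}
	if cd.AccountID == "" || cd.ClusterName == "" {
		return nil, errors.New("clusterData.json: accountID and clusterName are required")
	}
	return &cd, nil
}

// componentURLs lists every endpoint key in a fixed order so reports are deterministic.
func (cd *ClusterData) componentURLs() [][2]string {
	return [][2]string{
		{"gatewayWebsocketURL", cd.GatewayWebsocketURL},
		{"gatewayRestURL", cd.GatewayRestURL},
		{"kubevulnURL", cd.KubevulnURL},
		{"kubescapeURL", cd.KubescapeURL},
		{"eventReceiverRestURL", cd.EventReceiverRestURL},
		{"eventReceiverWebsocketURL", cd.EventReceiverWebsocketURL},
		{"rootGatewayURL", cd.RootGatewayURL},
	}
}

// DisabledComponents returns the keys left empty. Assumption: an empty URL
// means the Operator must not contact that component (stand-alone section).
func (cd *ClusterData) DisabledComponents() []string {
	var out []string
	for _, kv := range cd.componentURLs() {
		if strings.TrimSpace(kv[1]) == "" {
			out = append(out, kv[0])
		}
	}
	return out
}

// StandAlone is true when every component URL is empty.
func (cd *ClusterData) StandAlone() bool {
	return len(cd.DisabledComponents()) == len(cd.componentURLs())
}

// InsecureBackendURLs flags off-cluster endpoints that are set but not using
// https:// or wss://. Assumption: these three keys leave the cluster, as the
// TLS schemes in the README's example values suggest.
func (cd *ClusterData) InsecureBackendURLs() []string {
	var out []string
	for _, kv := range cd.componentURLs()[4:] {
		if u := kv[1]; u != "" && !strings.HasPrefix(u, "https://") && !strings.HasPrefix(u, "wss://") {
			out = append(out, kv[0])
		}
	}
	return out
}

// LoadFromEnv reads the file named by CONFIG, as the README's export step sets it.
func LoadFromEnv() (*ClusterData, error) {
	path := os.Getenv("CONFIG")
	if path == "" {
		return nil, errors.New("CONFIG environment variable is not set")
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return ParseClusterData(raw)
}

// Constructed sample: a stand-alone config with placeholder identity values.
const sampleStandAlone = `{"gatewayWebsocketURL": "", "gatewayRestURL": "", "kubevulnURL": "",
  "kubescapeURL": "", "eventReceiverRestURL": "", "eventReceiverWebsocketURL": "",
  "rootGatewayURL": "", "accountID": "placeholder-account", "clusterName": "placeholder-cluster"}`

func main() {
	cd, err := LoadFromEnv()
	if err != nil {
		fmt.Println("CONFIG not usable, using the embedded sample:", err)
		if cd, err = ParseClusterData([]byte(sampleStandAlone)); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	fmt.Println("stand-alone:", cd.StandAlone(), "disabled:", cd.DisabledComponents(),
		"insecure backend URLs:", cd.InsecureBackendURLs())
}
```

With `CONFIG` pointing at the stand-alone file above, the program reports all seven URLs as disabled; with the Preparations file it reports none disabled and no insecure backend URLs, since the example values use `https://` and `wss://`. A key that is misspelled in the file fails at parse time instead of leaving the Operator silently unable to reach that component.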