
INT-2121 - Fetch kube_bench findings #31

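--- a/configs/k8s/cronjobClusterKubeBench.yml
+++ b/configs/k8s/cronjobClusterKubeBench.yml
@@ -0,0 +1,351 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: fluent-bit-agent-conf
+labels:
+app: fluent-bit
+component: fluent-bit-agent-conf
+data:
+fluent-bit: |
+[SERVICE]
+Parsers_File ./parsers.conf
+Grace 15
+[INPUT]
+Name tail
+Path /var/log/containers/graph-kubernetes*.log
+Exclude_Path /var/log/containers/*otel-collector*.log
+Parser cri
+Tag kube.*
+Mem_Buf_Limit 5MB
+[OUTPUT]
+Name forward
+Host 0.0.0.0
+Port 8006
+Match *
+parsers: |
+[PARSER]
+Name jupiter_one
+Format json
+Time_Key time
+Time_Format %Y-%m-%dT%H:%M:%S.%LZ
+Time_Keep On
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: otel-agent-conf
+labels:
+app: opentelemetry
+component: otel-agent-conf
+data:
+otel-agent-config: |
+receivers:
+hostmetrics:
+collection_interval: 10s
+scrapers:
+cpu:
+load:
+memory:
+disk:
+filesystem:
+network:
+paging:
+processes:
+otlp:
+protocols:
+grpc:
+http:
+fluentforward:
+endpoint: 0.0.0.0:8006
+
+processors:
+batch:
+memory_limiter:
+limit_mib: 400
+spike_limit_mib: 100
+check_interval: 5s
+
+exporters:
+logging:
+loglevel: debug
+sampling_initial: 5
+sampling_thereafter: 200
+
+extensions:
+memory_ballast:
+size_mib: 165
+
+service:
+pipelines:
+logs:
+receivers: [fluentforward]
+processors: [memory_limiter, batch]
+exporters: [logging]
+metrics:
+receivers: [hostmetrics]
+processors: [memory_limiter, batch]
+exporters: [logging]
+traces:
+receivers: [otlp]
+processors: [memory_limiter, batch]
+exporters: [logging]
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+name: integration-deployment-cron
+labels:
+name: jupiterone-integration
+app: integration-cron
+spec:
+# Lowered cron timeframe for easier testing
+schedule: "*/2 * * * *"
+jobTemplate:
+spec:
+template:
+spec:
+serviceAccountName: jupiterone-integration-cluster
+# backoffLimit: 4
+initContainers:
+- name: kubexit
+image: cortexlabs/kubexit:0.40.0
+command: ['cp']
+args: ['/bin/kubexit', '/kubexit/kubexit']
+volumeMounts:
+- mountPath: /kubexit
+name: kubexit
+containers:
+- name: graph-kubernetes
+# Used my custom image (same code)
+image: extremex/k8s
+# Always so that we always see latest changes
+imagePullPolicy: Always
+command: ['/kubexit/kubexit', 'yarn']
+args: ['collect']
+env:
+- name: KUBEXIT_NAME
+value: graph-kubernetes
+- name: KUBEXIT_GRAVEYARD
+value: /graveyard
+- name: KUBEXIT_BIRTH_DEPS
+value: kube-bench,fluent-bit,otel-collector
+# Tried increasing duration to see if it'll help (spoiler: it didn't)
+- name: KUBEXIT_BIRTH_TIMEOUT
+value: "90s"
+- name: KUBEXIT_POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: KUBEXIT_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+# - name: JUPITERONE_DEV
+# value: 'true'
+- name: ACCESS_TYPE
+value: 'cluster'
+- name: NAMESPACE
+value: 'default'
+- name: LOAD_KUBERNETES_CONFIG_FROM_DEFAULT
+value: 'false'
+- name: JUPITERONE_ACCOUNT_ID
+valueFrom:
+secretKeyRef:
+name: jupiterone-integration-secret
+key: jupiteroneAccountId
+- name: JUPITERONE_API_KEY
+valueFrom:
+secretKeyRef:
+name: jupiterone-integration-secret
+key: jupiteroneApiKey
+- name: INTEGRATION_INSTANCE_ID
+valueFrom:
+secretKeyRef:
+name: jupiterone-integration-secret
+key: jupiteroneIntegrationInstanceId
+volumeMounts:
+- mountPath: /graveyard
+name: graveyard
+- mountPath: /kubexit
+name: kubexit
+- name: otel-collector
+image: otel/opentelemetry-collector-contrib:0.33.0
+imagePullPolicy: IfNotPresent
+command: ['/kubexit/kubexit', '/otelcontribcol']
+args: ['--config=/conf/otel-agent-config.yaml']
+env:
+- name: KUBEXIT_NAME
+value: otel-collector
+- name: KUBEXIT_GRAVEYARD
+value: /graveyard
+- name: KUBEXIT_DEATH_DEPS
+value: fluent-bit
+- name: KUBEXIT_BIRTH_DEPS
+value: fluent-bit
+- name: KUBEXIT_POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: KUBEXIT_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+volumeMounts:
+- name: otel-agent-config-vol
+mountPath: /conf
+- mountPath: /graveyard
+name: graveyard
+- mountPath: /kubexit
+name: kubexit
+- name: fluent-bit
+image: fluent/fluent-bit:1.8
+imagePullPolicy: IfNotPresent
+command: ['/kubexit/kubexit', '/fluent-bit/bin/fluent-bit']
+args: ['--config=/fluent-bit/etc/fluent-bit.conf']
+env:
+- name: KUBEXIT_NAME
+value: fluent-bit
+- name: KUBEXIT_GRAVEYARD
+value: /graveyard
+- name: KUBEXIT_DEATH_DEPS
+value: graph-kubernetes
+volumeMounts:
+- name: log-storage
+mountPath: /mnt/log/
+readOnly: true
+- name: fluent-bit-agent-config-vol
+mountPath: /fluent-bit/etc/
+- mountPath: /graveyard
+name: graveyard
+- mountPath: /kubexit
+name: kubexit
+- name: varlog
+mountPath: /var/log
+readOnly: true
+- name: varlibdockercontainers
+mountPath: /var/lib/docker/containers
+readOnly: true
+- name: kube-bench
+image: aquasec/kube-bench:0.6.3
+imagePullPolicy: IfNotPresent
+command: ['/kubexit/kubexit', 'kube-bench']
+env:
+- name: KUBEXIT_NAME
+value: kube-bench
+- name: KUBEXIT_GRAVEYARD
+value: /graveyard
+- name: KUBEXIT_POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: KUBEXIT_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+volumeMounts:
+- mountPath: /graveyard
+name: graveyard
+- mountPath: /kubexit
+name: kubexit
+- name: var-lib-etcd
+mountPath: /var/lib/etcd
+readOnly: true
+- name: var-lib-kubelet
+mountPath: /var/lib/kubelet
+readOnly: true
+- name: var-lib-kube-scheduler
+mountPath: /var/lib/kube-scheduler
+readOnly: true
+- name: var-lib-kube-controller-manager
+mountPath: /var/lib/kube-controller-manager
+readOnly: true
+- name: etc-systemd
+mountPath: /etc/systemd
+readOnly: true
+- name: lib-systemd
+mountPath: /lib/systemd/
+readOnly: true
+- name: srv-kubernetes
+mountPath: /srv/kubernetes/
+readOnly: true
+- name: etc-kubernetes
+mountPath: /etc/kubernetes
+readOnly: true
+# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+# You can omit this mount if you specify --version as part of the command.
+- name: usr-bin
+mountPath: /usr/local/mount-from-host/bin
+readOnly: true
+- name: etc-cni-netd
+mountPath: /etc/cni/net.d/
+readOnly: true
+- name: opt-cni-bin
+mountPath: /opt/cni/bin/
+readOnly: true
+# - name: shared-data
+# mountPath: /pod-data
+restartPolicy: Never
+terminationGracePeriodSeconds: 10
+volumes:
+- name: fluent-bit-agent-config-vol
+configMap:
+name: fluent-bit-agent-conf
+items:
+- key: fluent-bit
+path: fluent-bit.conf
+- key: parsers
+path: parsers.conf
+- name: otel-agent-config-vol
+configMap:
+name: otel-agent-conf
+items:
+- key: otel-agent-config
+path: otel-agent-config.yaml
+- name: graveyard
+emptyDir:
+medium: Memory
+- name: kubexit
+emptyDir: {}
+- name: log-storage
+emptyDir: {}
+- name: varlog
+hostPath:
+path: /var/log
+- name: varlibdockercontainers
+hostPath:
+path: /var/lib/docker/containers
+- name: var-lib-etcd
+hostPath:
+path: "/var/lib/etcd"
+- name: var-lib-kubelet
+hostPath:
+path: "/var/lib/kubelet"
+- name: var-lib-kube-scheduler
+hostPath:
+path: "/var/lib/kube-scheduler"
+- name: var-lib-kube-controller-manager
+hostPath:
+path: "/var/lib/kube-controller-manager"
+- name: etc-systemd
+hostPath:
+path: "/etc/systemd"
+- name: lib-systemd
+hostPath:
+path: "/lib/systemd"
+- name: srv-kubernetes
+hostPath:
+path: "/srv/kubernetes"
+- name: etc-kubernetes
+hostPath:
+path: "/etc/kubernetes"
+- name: usr-bin
+hostPath:
+path: "/usr/bin"
+- name: etc-cni-netd
+hostPath:
+path: "/etc/cni/net.d/"
+- name: opt-cni-bin
+hostPath:
+path: "/opt/cni/bin/"
+# - name: shared-data
+# emptyDir: {}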
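Review bot: The graph-kubernetes container is pinned to nothing — `image: extremex/k8s` has no tag or digest, comes from a personal registry, and is paired with `imagePullPolicy: Always`, while the surrounding comments ("Used my custom image (same code)", "Lowered cron timeframe for easier testing") show this manifest still carries test-run leftovers; before merge it should reference the project's published image pinned to an immutable tag or digest, e.g. `image: <PROJECT_IMAGE>@sha256:<DIGEST>` (placeholders), and `schedule: "*/2 * * * *"` should be restored to the intended cadence. `apiVersion: batch/v1beta1` for CronJob is deprecated and is no longer served from Kubernetes 1.25; `apiVersion: batch/v1` has been available since 1.21 and is the drop-in replacement. With a two-minute schedule and a pod that waits up to `KUBEXIT_BIRTH_TIMEOUT` of 90s for its sidecars before collection even starts, successive runs can overlap, so `concurrencyPolicy: Forbid` under the CronJob `spec:` is worth adding. The kube-bench hostPath mounts (`/var/lib/etcd`, `/etc/kubernetes`, `/var/lib/kubelet`, `/usr/bin`, …) mirror the upstream kube-bench job and are read-only, but they grant the pod broad visibility into host state, so a comment on the `volumes:` list should state that these exist only for kube-bench's CIS checks and that the job is expected to run under a dedicated namespace and service account rather than alongside general workloads.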
2 changes: 2 additions & 0 deletions docs/jupiterone.md
Expand Up @@ -203,6 +203,7 @@ The following entities are created:
| Kubernetes CronJob | `kube_cron_job` | `Task` |
| Kubernetes DaemonSet | `kube_daemon_set` | `Deployment` |
| Kubernetes Deployment | `kube_deployment` | `Deployment` |
| Kubernetes Finding | `kube_finding` | `Finding` |
| Kubernetes Job | `kube_job` | `Task` |
| Kubernetes Namespace | `kube_namespace` | `Group` |
| Kubernetes Network Policy | `kube_network_policy` | `Configuration` |
Expand All @@ -228,6 +229,7 @@ The following relationships are created:
| `kube_cluster` | **CONTAINS** | `kube_cluster_role_binding` |
| `kube_cluster` | **CONTAINS** | `kube_namespace` |
| `kube_cluster` | **CONTAINS** | `kube_pod_security_policy` |
| `kube_cluster` | **HAS** | `kube_finding` |
| `kube_cluster` | **IS** | `azure_kubernetes_cluster` |
| `kube_cluster` | **IS** | `google_container_cluster` |
| `kube_container_spec` | **USES** | `kube_volume` |