Comments (8)
Perfect, `kubeapi` and `kubenodes` make sense. I also agree about changing `config` to `credentials`.
from mondoo-operator.
mondoo picks up the default kubectl config from `~/.kube/config`.
If you define the inventory as follows:

```yaml
apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-k8s-api-inventory
  labels:
    environment: production
spec:
  assets:
    - id: api
      connections:
        - backend: k8s
```

`mondoo scan --inventory mondoo-app-inventory.yaml` will scan the Kubernetes API.

CIS Kubernetes Benchmark Level 1 Profile is for the hosts; Kubernetes Application Benchmark by Mondoo is for the API scan.
from mondoo-operator.
In order to configure both the node and app scanning, we need to adapt the configuration for the operator:
```yaml
apiVersion: k8s.mondoo.com/v1alpha1
kind: MondooClient
metadata:
  name: mondoo-client
  namespace: mondoo-operator-system
data:
  config: |
    ..
  kubeapi:
    disable: false
    inventory: |
      ...
  daemonset:
    disable: false
    inventory: |
      ...
```
The first version could look like this:
```yaml
apiVersion: k8s.mondoo.com/v1alpha1
kind: MondooClient
metadata:
  name: mondoo-client
  namespace: mondoo-operator-system
data:
  config: |
    mrn: //agents.api.mondoo.app/spaces/test-infallible-taussig-796596/serviceaccounts/1u20vCfgWqaxOjGmWFFCH4qi2se
    space_mrn: //captain.api.mondoo.app/spaces/test-infallible-taussig-796596
    private_key: |
      -----BEGIN PRIVATE KEY-----
      MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB4SxLzF7ZQvD0dxoWa
      ...
      pJLAp0cuKBUrUNpOQ62qaQ9F17/r6/TBejq6FaYkok7og+MkQVr8gos=
      -----END PRIVATE KEY-----
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIICfDCCAgGgAwIBAgIRAKqQ9zkDA/rIBj96r4g+qJswCgYIKoZIzj0EAwMwSTFH
      ...
      Rc3OFH5K0IWA0yDdL5QVoQ==
      -----END CERTIFICATE-----
    api_endpoint: https://api.mondoo.app
  kubeapi:
    disable: true
    inventory: |
      apiVersion: v1
      kind: Inventory
      metadata:
        name: mondoo-k8s-api-inventory
        labels:
          environment: production
      spec:
        assets:
          - id: api
            connections:
              - backend: k8s
  kubenodes:
    disable: true
    inventory: |
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: mondoo-inventory
      data:
        inventory: |
          apiVersion: v1
          kind: Inventory
          metadata:
            name: mondoo-k8s-inventory
            labels:
              environment: production
          spec:
            assets:
              - id: host
                connections:
                  - host: /mnt/host
                    backend: fs
```
To simplify the configuration for the user, we want to provide defaults in case the user does not set anything in the yaml. The operator would set the following default if `kubeapi` or `kubenodes` are not set:

```yaml
kubeapi:
  disable: false
  inventory: (set default inventory for kubeapi)
nodes:
  disable: false
  inventory: (set default inventory for nodes)
```

Optionally, users could also just not overwrite the `inventory` and the operator would set the sensible default. With those changes, the simple config with the credential would enable Kubernetes nodes and API scanning by default:
```yaml
apiVersion: k8s.mondoo.com/v1alpha1
kind: MondooClient
metadata:
  name: mondoo-client
  namespace: mondoo-operator-system
data:
  config: |
    mrn: //agents.api.mondoo.app/spaces/test-infallible-taussig-796596/serviceaccounts/1u20vCfgWqaxOjGmWFFCH4qi2se
    space_mrn: //captain.api.mondoo.app/spaces/test-infallible-taussig-796596
    private_key: |
      -----BEGIN PRIVATE KEY-----
      MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB4SxLzF7ZQvD0dxoWa
      ...
      pJLAp0cuKBUrUNpOQ62qaQ9F17/r6/TBejq6FaYkok7og+MkQVr8gos=
      -----END PRIVATE KEY-----
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIICfDCCAgGgAwIBAgIRAKqQ9zkDA/rIBj96r4g+qJswCgYIKoZIzj0EAwMwSTFH
      ...
      Rc3OFH5K0IWA0yDdL5QVoQ==
      -----END CERTIFICATE-----
    api_endpoint: https://api.mondoo.app
```
from mondoo-operator.
I want to remove the term `daemonset` from the CRD. While coding, it might cause confusion, even though we are using a DaemonSet controller under the covers.

```yaml
apiVersion: k8s.mondoo.com/v1alpha1
kind: MondooClient
metadata:
  name: mondoo-client
  namespace: mondoo-operator-system
data:
  config: |
    ..
  kubeapi:
    disable: false
    inventory: |
      ...
  nodescanner:
    disable: false
    inventory: |
      ...
```
from mondoo-operator.
I agree, let's not use `daemon`. I want to avoid the term `scanner`. Maybe we use `kubeapi` and `kubenodes`? Also, it seems that `config` should really be `credentials`.
from mondoo-operator.
```yaml
apiVersion: k8s.mondoo.com/v1alpha1
kind: MondooClient
metadata:
  name: mondoo-client
  namespace: mondoo-operator-system
data:
  credential: |
    ..
  kubeapi:
    enable: true
    inventory: |
      ...
  kubenodes:
    enable: true
    inventory: |
      ...
```

Checking for the non-existence of a `false` value is tricky, and to keep it simple the switch should be `enable: true`, with scanning disabled by default.
from mondoo-operator.
Can you give an example of why this is tricky? Can we not just check if the struct `kubenodes` is nil and, if so, set the default values then?
from mondoo-operator.
I can't give you an example off the top of my head right now, but I will try what you suggested and get back to you.
from mondoo-operator.
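The two design points argued above, the defaulting when `kubeapi`/`kubenodes` are omitted and the difficulty of telling `disable: false` apart from "not set", come down to Go's zero values. The following is an added illustration, not code from the mondoo-operator repository; the type names `ScanTarget` and `MondooClientSpec` and the `parseSpec`/`defaultTarget` helpers are assumed for the example, and the CR data is fed in as JSON (which is what the apiserver stores and what controller-runtime decodes) rather than YAML. It shows the collision with a plain `bool`, and how a `*bool` plus a nil check on the section pointer lets the operator fill in defaults only for what the user left out while preserving an explicit `enable: false`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Default inventories, shortened from the ones posted in this thread.
const defaultKubeAPIInventory = `apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-k8s-api-inventory
spec:
  assets:
    - id: api
      connections:
        - backend: k8s
`

const defaultKubeNodesInventory = `apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-k8s-inventory
spec:
  assets:
    - id: host
      connections:
        - host: /mnt/host
          backend: fs
`

// legacyTarget uses a plain bool, as in the "disable: false" drafts above.
type legacyTarget struct {
	Disable bool `json:"disable"`
}

// legacyCollision shows the problem with a plain bool: an omitted field and
// an explicit "disable: false" decode to the same struct, so the operator
// cannot tell whether the user made a choice or not.
func legacyCollision() bool {
	var omitted, explicit legacyTarget
	_ = json.Unmarshal([]byte(`{}`), &omitted)
	_ = json.Unmarshal([]byte(`{"disable": false}`), &explicit)
	return omitted == explicit
}

// ScanTarget (assumed name) is one kubeapi/kubenodes section of the CR.
// Enable is a *bool: nil means "not set", so an explicit "enable: false"
// written by the user is not indistinguishable from an omitted field.
type ScanTarget struct {
	Enable    *bool  `json:"enable,omitempty"`
	Inventory string `json:"inventory,omitempty"`
}

// MondooClientSpec (assumed name) mirrors the "data" block of the CR.
// The sections are pointers so "section omitted" is a plain nil check.
type MondooClientSpec struct {
	Credential string      `json:"credential,omitempty"`
	KubeAPI    *ScanTarget `json:"kubeapi,omitempty"`
	KubeNodes  *ScanTarget `json:"kubenodes,omitempty"`
}

func boolPtr(b bool) *bool { return &b }

// Enabled is safe to call on a nil section.
func (t *ScanTarget) Enabled() bool {
	return t != nil && t.Enable != nil && *t.Enable
}

// defaultTarget applies defaults: a missing section is enabled with the
// default inventory; in a present section only the omitted fields are filled.
func defaultTarget(t *ScanTarget, defaultInventory string) *ScanTarget {
	if t == nil {
		return &ScanTarget{Enable: boolPtr(true), Inventory: defaultInventory}
	}
	if t.Enable == nil {
		t.Enable = boolPtr(true)
	}
	if t.Inventory == "" {
		t.Inventory = defaultInventory
	}
	return t
}

// parseSpec decodes the CR data and applies the defaults; a malformed
// section (wrong JSON type) is rejected instead of silently defaulted.
func parseSpec(raw string) (*MondooClientSpec, error) {
	var spec MondooClientSpec
	if err := json.Unmarshal([]byte(raw), &spec); err != nil {
		return nil, err
	}
	spec.KubeAPI = defaultTarget(spec.KubeAPI, defaultKubeAPIInventory)
	spec.KubeNodes = defaultTarget(spec.KubeNodes, defaultKubeNodesInventory)
	return &spec, nil
}

func main() {
	fmt.Println("plain bool collides:", legacyCollision())
	for _, raw := range []string{
		`{"credential": "..."}`,               // credential only: both scans on
		`{"kubenodes": {"enable": false}}`,     // explicit opt-out survives
		`{"kubeapi": {"inventory": "custom"}}`, // override keeps enable default
	} {
		spec, err := parseSpec(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s kubeapi=%v kubenodes=%v\n", raw, spec.KubeAPI.Enabled(), spec.KubeNodes.Enabled())
	}
}
```

With this shape the "credential only" CR from the thread enables both scans with the default inventories, while a user who writes `enable: false` under `kubenodes` keeps that choice; the inventory inside that section is still defaulted, so turning the section back on later needs no further edits.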