Skip to content

validator-plugin-kubescape provides configurable CVE alerting on top of Kubescape and creates ValidationResults for validator to consume.

License

Notifications You must be signed in to change notification settings

validator-labs/validator-plugin-kubescape

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Contributions Welcome License Test Go Report Card codecov Go Reference

validator-plugin-kubescape

The Kubescape validator plugin validates against Kubescape to provide information regarding vulnerabilities.

Description

The Kubescape validator plugin reconciles KubescapeValidator custom resources to perform the following validations against your Kubescape API:

  1. Define configurable thresholds for Vulnerabilities, by Severity. If the # of CVEs detected exceeds the limit, a failed ValidationResult is generated.
    • Optionally ignore/omit specific CVEs
    • CVE details are included in a ValidationResult
  2. Flag specific Vulnerability IDs
    • Generate a failed ValidationResult if a specific CVE is found in any image

Each KubescapeValidator CR is (re)-processed every two minutes to continuously ensure that your network matches the expected state.

Installation

The Network validator plugin is meant to be installed by validator (via a ValidatorConfig), but it can also be installed directly as follows:

helm repo add validator-plugin-kubescape https://validator-labs.github.io/validator-plugin-kubescape
helm repo update
helm install validator-plugin-network validator-plugin-network/validator-plugin-kubescape -n validator-plugin-kubescape --create-namespace

Getting Started

You’ll need a Kubernetes cluster to run against. You can use KIND to get a local cluster for testing, or run against a remote cluster. Note: Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster kubectl cluster-info shows).

Running on the cluster

  1. Install Instances of Custom Resources:
kubectl apply -f config/samples/
  1. Build and push your image to the location specified by IMG:
make docker-build docker-push IMG=<some-registry>/validator-plugin-kubescape:tag
  1. Deploy the controller to the cluster with the image specified by IMG:
make deploy IMG=<some-registry>/validator-plugin-kubescape:tag

Uninstall CRDs

To delete the CRDs from the cluster:

make uninstall

Undeploy controller

UnDeploy the controller from the cluster:

make undeploy

How it works

This project aims to follow the Kubernetes Operator pattern.

It uses Controllers, which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.

Test It Out

  1. Install the CRDs into the cluster:
make install
  1. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
make run

NOTE: You can also run this in one step by running: make install run

Modifying the API definitions

If you are editing the API definitions, generate the manifests such as CRs or CRDs using:

make manifests

NOTE: Run make --help for more information on all potential make targets

More information can be found via the Kubebuilder Documentation

Contributing

All contributions are welcome! Feel free to reach out on the Spectro Cloud community Slack.

Make sure pre-commit is installed.

Install the pre-commit scripts:

pre-commit install --hook-type commit-msg
pre-commit install --hook-type pre-commit

License

Copyright 2024.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

validator-plugin-kubescape provides configurable CVE alerting on top of Kubescape and creates ValidationResults for validator to consume.

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published