AccuKnox CIS K8s Job

Instructions for running the CIS Benchmark on a cluster via the AccuKnox CIS K8s Job

Prerequisites:

Parameters:

| Variable | Sample Value | Description |
| --- | --- | --- |
| accuknox.url | cspm.demo.accuknox.com | AccuKnox CSPM Endpoint URL |
| accuknox.tenantId | 2 | AccuKnox Tenant ID |
| accuknox.label | CIS | AccuKnox Label |
| accuknox.authToken | $token | AccuKnox Token |
| accuknox.clusterName | $clusterName | Cluster Name |
| accuknox.cronTab | 30 9 * * * | CronJob (UTC) |
| toolConfig.platform | "GKE" OR "AKS" | Name of the platform. Default: empty |
| toolConfig.nodeType | master OR controlplane | For node selection |
| toolConfig.targets | "master,controlplane,node" | Ref |
| toolConfig.benchmark | "gke-1.6.0" | Ref |
| toolConfig.check | "1.1.1,1.2.3" | Control IDs to check |
| toolConfig.skip | "1.1.1,1.3.1" | Control IDs to skip |

Schedule CIS Job on cluster

Clone the GitHub repository and switch to the CIS K8s Job folder

git clone https://github.com/accuknox/accuknox-jobs.git && cd accuknox-jobs/cis-k8s-job

Helm Command to deploy AccuKnox CIS K8s Job locally:

helm upgrade --install accuknox-cis-k8s . \
    --set accuknox.url="cspm.demo.accuknox.com" \
    --set accuknox.tenantId="$tenantId" \
    --set accuknox.label="$label" \
    --set accuknox.authToken="$token" \
    --set accuknox.clusterName="$clusterName" \
    --set accuknox.cronTab="30 9 * * *"

Note:

  • You can get the AccuKnox Token and Tenant ID from AccuKnox SaaS under Settings > Tokens
  • You can get the AccuKnox Label from AccuKnox SaaS under Settings > Labels

Manual Procedure

Instructions for running the CIS Benchmark manually using the kube-bench binary

Prerequisites:

Steps to follow:

  • Generate the output file results.json against the current context of the selected cluster
kube-bench run --config-dir ~/test/KubeBench/cfg/ --json --outputfile results.json

Make sure you provide the correct --config-dir.

  • Add Metadata to the output file
cat <<<$(jq '. += {
    "Metadata": {
        "cluster_name":"$cluster",
        "label_name":"$label"}}
    ' results.json) >results.json

Replace $cluster with the cluster name and $label with the AccuKnox Label.

  • Send the output file to AccuKnox SaaS
curl --location --request POST 'https://cspm.demo.accuknox.com/api/v1/artifact/?tenant_id=$tenantId&data_type=KB&save_to_s3=true' --header 'Tenant-Id: $tenantId' --header "Authorization: Bearer $token" --form 'file=@"./results.json"'

Replace $tenantId with the AccuKnox Tenant ID and $token with the AccuKnox Token.

  • You should see a success message: {"detail":"File received successfully"}