Merge pull request #1 from skairali/sdk_integration

Sdk integration

Dockerfile

@@ -4,8 +4,8 @@ RUN apt-get update && \
       apt-get -y install sudo
 RUN apt-get install curl -y
 RUN apt-get update
-RUN apt-get install python-pip -y
-RUN pip install requests
+RUN apt-get install python3-pip -y
+RUN pip3 install requests ibm-cloud-security-advisor-findingsapi-sdk==2.0.5
 
 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
 RUN chmod +x ./kubectl

README.md

@@ -4,118 +4,120 @@
 
 ![Definition of Terms](https://github.com/ibm-cloud-security/security-advisor-k8s-hunter-integration/blob/master/kube-definitions.png) 
 
-# Prerequisites 
-- Install python (Only if you want to do the cleanup of cards, notes and occurances)
-- Install [Kubernetes Helm (package manager)](https://docs.helm.sh/using_helm/#from-script) v2.9.0 or higher
-- you need to have an IBM Cloud account where you are able to navigate to IBM Cloud Security Advisor Dashboard. Account ID and other account details refered in this document is corresponding to that account
+## Prerequisites 
+- An installation of Python *>=3.5* on your local machine (Only if you want to do the cleanup of cards, notes and occurrences).
+- An installation of [Helm Package Manager](https://docs.helm.sh/using_helm/#from-script) *>=2.9.0* for Kubernetes.
+- You need to have an IBM Cloud account where you are able to navigate to IBM Cloud Security Advisor Dashboard. Account ID and other account details refered in this document is corresponding to that account.
+
+<hr>
 
 ## public-k8s cloud 
 ### Install steps for public-k8s cloud:
 - Clone this repo
-- `cd security-advisor-k8s-hunter-integration/scripts/public`
+- `cd security-advisor-k8s-hunter-integration`
 - Inorder to point to security advisor london endpoint do following changes:
   uncomment line#16 and comment line#15 in /config/helm/kubehunter-adapter-public/values.yaml 
-- `./sa_kubehunter_install.sh <account-id> <apikey> <target-clustername> "<complete path of kubeconfig of target cluster>"`
+- `sh ./scripts/public/sa_kubehunter_install.sh <account-id> <apikey> <target-clustername> <complete-path-of-kubeconfig-of-target-cluster>`
 - for example: 
 ```
 ./sa_kubehunter_install.sh account_id apikey mycluster "/Users/sunilsingh/.bluemix/plugins/container-ser-ice/clusters/mycluster"
 
 <account-id>: Account id on which the card needs to be generated
 <apikey>: api-key of the above account-id.
-<target-clustername>: The target public k8s cluster on which kube-hunter needs to be configured 
-<complete path of kubeconfig of target cluster>: Run `ibmcloud cs cluster-config <clustername>` to get kube-config
+<target-clustername>: The target public k8s cluster on which kube-bench needs to be configured 
+<complete-path-of-kubeconfig-of-target-cluster>: Run `ibmcloud ks cluster config <clustername>` to get kube-config
 ```
 
 ### Cleanup setup for public-k8s cloud:
-- Clone this repo
-- `cd security-advisor-k8s-hunter-integration/scripts/public`
+- `cd security-advisor-k8s-hunter-integration`
 - Run below automated script to cleanup all in once.
-`./sa_kubehunter_cleanup.sh <account id> <api key> "full path to directory of kube configs>" <cloud-env>`
+`sh ./scripts/public/sa_kubehunter_cleanup.sh <account-id> <apikey> <complete-path-of-kubeconfig-of-target-cluster> <sa-endpoint> <cloud-env>`
 - For example: 
  ```
- ./sa_kubehunter_cleanup.sh  accountid apikey myrhelcluster oc-login-apikey 
-
- ./sa_kubehunter_cleanup.sh  accountid apikey "/Users/sunilsingh/.bluemix/plugins/container-service/clusters/mycluster" "https://us-south.secadvisor.cloud.ibm.com/findings/v1" ibmcloud
+ ./sa_kubehunter_cleanup.sh  accountid apikey "/Users/sunilsingh/.bluemix/plugins/container-service/clusters/mycluster" "https://us-south.secadvisor.cloud.ibm.com/findings" ibmcloud
 
-<account id>: Account id on which the card needs to be generated
+<account-id>: Account id on which the card needs to be deleted
 <apikey>: api-key of the above account-id.
-<target-clustername>: The target public k8s cluster on which kube-hunter needs to be configured 
-<complete path of kubeconfig of target cluster>: Run `ibmcloud cs cluster-config <clustername>` to get kube-config
+<complete-path-of-kubeconfig-of-target-cluster>: Run `ibmcloud cs cluster-config <clustername>` to get kube-config
+<sa-endpoint>: Endpoint of Security Advisor
 <cloud-env>: Value is `ibmcloud`
 ```
+<hr>
 
 ## Redhat Openshift
 ### Install steps for source is public-k8s cloud and target is redhat-openshift cloud:
 - Clone this repo
-- `cd security-advisor-k8s-hunter-integration/scripts/redhat`
+- `cd security-advisor-k8s-hunter-integration`
 - Inorder to point to security advisor london endpoint do following changes:
-  uncomment line#6 and comment line#15 in /config/helm/kubehunter-adapter/values.yaml 
-- `./sa_kubehunter_install.sh <account-id> <api key> <target-clustername> <oc login api-key>`
+  uncomment line#14 and comment line#13 in /config/helm/kubebench-adapter/values.yaml 
+- `sh ./scripts/public/sa_kubehunter_install.sh <account-id> <apikey> <target-clustername> <oc login api-key>`
 - for example: 
 ```
-./sa_kubehunter_install.sh account_id apikey mycluster-rhel "oc-login-api-key"
+./sa_kubebench_install.sh account-id apikey mycluster-rhel "oc-login-api-key"
 
 <account-id>: Account id on which the card needs to be generated
 <apikey>: api-key of the above account-id.
-<target-clustername>: The target rhel-openshift cluster on which kube-hunter needs to be configured 
+<target-clustername>: The target rhel-openshift cluster on which kube-bench needs to be configured 
 <oc-login-api-key>: The api-key to login to cluster
 ```
 
 ### Cleanup of setup for source is public-k8s cloud and target is redhat-openshift cloud:
 - Clone this repo
-- `cd security-advisor-k8s-hunter-integration/scripts/redhat`
+- `cd security-advisor-k8s-hunter-integration`
 - Run below automated script to cleanup all in once.
-- `./sa_kubehunter_cleanup.sh <account id> <apikey> <target-clustername> <oc-login-api-key> <sa-endpoint>`
+- `sh ./scripts/public/sa_kubehunter_cleanup.sh <account-id> <apikey> <target-clustername> <oc-login-api-key> <sa-endpoint> <cloud-env>`
 -  For example: 
 ```
-./sa_hunter_cleanup.sh  accountid apikey myrhelcluster oc-login-apikey "https://us-south.secadvisor.cloud.ibm.com/findings/v1"
+./sa_kubehunter_cleanup.sh  accountid apikey myrhelcluster oc-login-apikey "https://us-south.secadvisor.cloud.ibm.com/findings" redhat
 
-<account id>: Account id on which the card needs to be generated
+<account-id>: Account id on which the card needs to be generated
 <apikey>: api-key of the above account-id.
-<target-clustername>: The target rhel-openshift cluster on which kube-hunter needs to be configured 
+<target-clustername>: The target rhel-openshift cluster on which kube-bench needs to be configured 
 <oc-login-api-key>: The api-key to login to cluster
-<sa-endpoint>: The value is `https://us-south.secadvisor.cloud.ibm.com/findings/v1`
-<source-server>: The value is `redhat`
+<sa-endpoint>: The value is `https://us-south.secadvisor.cloud.ibm.com/findings`
+<cloud-env>: The value is `redhat`
 ```
 
 ### Install steps for source and target as redhat-openshift cloud:
 - Clone this repo
-- `cd security-advisor-k8s-hunter-integration/scripts/redhat`
+- `cd security-advisor-k8s-hunter-integration`
 - Inorder to point to security advisor london endpoint do following changes:
-  uncomment line#16 and comment line#15 in /config/helm/kubehunter-adapter/values.yaml 
-- `./sa_kubehunter_install.sh <account id> <api key> <cluster name> <oc login api-key> redhat`
+  uncomment line#14 and comment line#13 in /config/helm/kubebench-adapter/values.yaml 
+- `sh ./scripts/redhat/sa_kubehunter_install.sh <account-id> <apikey> <target-clustername> <oc-login-api-key> <cloud-env>`
 - for example: 
 ```
-./sa_kubehunter_install.sh account_id apikey mycluster-rhel "oc login api-key" redhat
+sh ./scripts/redhat/sa_kubehunter_install.sh account_id apikey mycluster-rhel "oc login api-key" redhat
 
-<account id>: Account id on which the card needs to be generated
+<account-id>: Account id on which the card needs to be generated
 <apikey>: api-key of the above account-id.
-<target-clustername>: The target rhel-openshift k8s cluster on which kube-hunter needs to be configured 
+<target-clustername>: The target rhel-openshift k8s cluster on which kube-bench needs to be configured 
 <oc-login-api-key>: The api-key to login to cluster
+<cloud-env>: The value is `redhat`
 ```
 
 ### Cleanup of setup for source and target as redhat-openshift:
 
 - Clone this repo
-- `cd security-advisor-k8s-hunter-integration/scripts/redhat`
+- `cd security-advisor-k8s-hunter-integration`
 - Run below automated script to cleanup all in once.
-- `./sa_kubehunter_cleanup.sh <account id> <api key> <target-clustername> <oc-login-api-key> <sa-endpoint> <source-server>`
+- `sh ./scripts/redhat/sa_kubehunter_cleanup.sh <account-id> <apikey> <target-clustername> <oc-login-api-key> <sa-endpoint> <cloud-env>`
 -  For example: 
 ```
-./sa_kubehunter_cleanup.sh  accountid apikey mycluster-rhel oc-login-apikey "https://us-south.secadvisor.cloud.ibm.com/findings/v1 redhat"
+sh ./scripts/redhat/sa_kubehunter_cleanup.sh  accountid apikey mycluster-rhel oc-login-apikey "https://us-south.secadvisor.cloud.ibm.com/findings redhat"
 
-<account id>: Account id on which the card needs to be generated
+<account-id>: Account id on which the card needs to be generated
 <apikey>: api-key of the above account-id.
-<target-clustername>: The target rhel-openshift cluster on which kube-hunter needs to be configured 
+<target-clustername>: The target rhel-openshift cluster on which kube-bench needs to be configured 
 <oc-login-api-key>: The api-key to login to cluster
-<sa-endpoint>: The value is `https://us-south.secadvisor.cloud.ibm.com/findings/v1`
-<source-server>: The value is `redhat`
+<sa-endpoint>: The value is `https://us-south.secadvisor.cloud.ibm.com/findings`
+<cloud-env>: The value is `redhat`
 ```
+<hr>
 
 ## Configure cronjob:
 - The cronjobs are scheduled to run every 15 mins, which is configurable. Change the schedule to run the cronjobs at: 
 ```
-security-advisor-k8s-hunter-integration/blob/master/config/helm/kubehunter-adapter-public/templates/kube-cronjob.yaml#L8
+https://github.com/ibm-cloud-security/security-advisor-k8s-hunter-integration/blob/master/config/helm/kubehunter-adapter-public/templates/kubehunter-cronjob.yaml#L8
 ```
 
 ## Troubleshooting

config/helm/kubehunter-adapter-public/templates/kubehunter-cronjob.yaml

@@ -25,7 +25,7 @@ spec:
             - name: {{ .Values.global.imagePullSecrets }}
            containers:
            - name: {{ .Values.global.name }}
-             image: us.icr.io/{{ .Values.global.registryNamespace }}/{{ .Values.global.imageName }}:{{ .Values.global.tag | default "dummy" }}
+             image: {{ .Values.global.registryNamespace }}/{{ .Values.global.imageName }}:{{ .Values.global.tag | default "dummy" }}
              command:
                - "/bin/sh"
                - "-c"

config/helm/kubehunter-adapter-public/values.yaml

@@ -2,18 +2,18 @@
 global:
 
   name: kubehunter-sa-adapter-public
-  imageName: kubehunter-sa-adapter
-  tag: "0.0.42"
-  imagePullSecrets: secadv-dev-secret
-  registryNamespace: secadv_dev
+  imageName: hunter-int
+  tag: "latest"
+  #imagePullSecrets: secadv-dev-secret
+  registryNamespace: gary29198
   imagePullPolicy: IfNotPresent
   clusterNamespace: default
   cloudEnv: ibmcloud
   region: us-south
   loginEndpoint: "test.cloud.ibm.com"  
 
-  saEndpoint: "https://us-south.secadvisor.cloud.ibm.com/findings/v1"
-  # saEndpoint: "https://eu-gb.secadvisor.cloud.ibm.com/findings/v1"
+  saEndpoint: "https://us-south.secadvisor.cloud.ibm.com/findings"
+  # saEndpoint: "https://eu-gb.secadvisor.cloud.ibm.com/findings"
 
   tokenUrl: "https://iam.cloud.ibm.com/identity/token"
   # token_url: "https://iam.test.cloud.ibm.com/identity/token"

scripts/public/generate_kubeconfig_secrets.sh

@@ -1,4 +1,11 @@
-set -x
+#*******************************************************************************
+# * Licensed Materials - Property of IBM
+# * IBM Bluemix Container Service, 5737-D43
+# * (C) Copyright IBM Corp. 2020 All Rights Reserved.
+# * US Government Users Restricted Rights - Use, duplication or 
+# * disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#******************************************************************************
+
 if [ "$#" -ne 3 ]; then
     echo "Required arguments missing!"
     echo "Usage : ./$(basename "$0") <full path to directory of kube configs> <secret name> <namespace>"

scripts/public/generate_kubehunter_secrets.sh

@@ -1,4 +1,11 @@
-set -x
+#*******************************************************************************
+# * Licensed Materials - Property of IBM
+# * IBM Bluemix Container Service, 5737-D43
+# * (C) Copyright IBM Corp. 2020 All Rights Reserved.
+# * US Government Users Restricted Rights - Use, duplication or 
+# * disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#******************************************************************************
+
 if [ "$#" -ne 5 ]; then
     echo "Required arguments missing!"
     echo "Usage : ./$(basename "$0") <account_id> <api_key> <cluster_name> <kube config name> <namespace>"

scripts/public/sa_kubehunter_cleanup.sh

@@ -1,26 +1,53 @@
+#*******************************************************************************
+# * Licensed Materials - Property of IBM
+# * IBM Bluemix Container Service, 5737-D43
+# * (C) Copyright IBM Corp. 2020 All Rights Reserved.
+# * US Government Users Restricted Rights - Use, duplication or 
+# * disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#******************************************************************************
 
-set +x
+# To check if helm is installed on system or not.
+command -v helm >/dev/null 2>&1 || { echo >&2 "helm is required. Aborting."; exit 1; }
+command -v kubectl >/dev/null 2>&1 || { echo >&2 "kubectl is required. Aborting."; exit 1; }
+
+# To check what version of helm is installed on system.
+helmVer=`helm version --template {{.Version}}`
+helmVerMajor="$(cut -d'.' -f 1 <<< ${helmVer:1})"
+
+# CLI Arguments check
 if [ "$#" -ne 5 ]; then
-    echo "Required arguments missing!"
+    if [ "$#" -lt 5 ]; then
+        echo "Required arguments missing!"
+    else
+        echo "Wrong usage!"
+    fi
     echo "Usage : ./$(basename "$0") <account id> <api key> <full path to directory of kube configs> <cloud-env> <sa-endpoint>"
     exit 1
 fi
 
+# Arguments assignment
 account_id=$1
 api_key=$2
 kube_config_dir=$3
-cloud_env=$4
-sa_endpoint=$5
-kubeconfig_name=$(ls $kube_config_dir |grep yml)
+sa_endpoint=$4
+cloud_env=$5
 
-python ../../src/$cloud_env/kubeHunterCleanup.py $account_id $api_key $sa_endpoint
+# Remove notes and occurrences emitted by kube-hunter
+python3 src/$cloud_env/kubehunterCleanup.py $account_id $api_key $sa_endpoint
 
+# Delete secrets from target cluster
 kubectl delete secret kubehunter-public-secret
 kubectl delete secret kubehunter-public-credentials
-helm del --purge kubehunter-sa-adapter-public
-podname=$(kubectl get job |grep kubehunter-sa-adapter-public|awk '{ print $1 }')
-kubectl delete job $podname
 
 # Delete kube-hunter Job running on target cluster: 
+kubeconfig_name=$(ls $kube_config_dir |grep yml)
 export KUBECONFIG=$kube_config_dir/$kubeconfig_name
 kubectl delete job kube-hunter-public
+kubectl delete cronjob kubehunter-sa-adapter-public
+
+# Remove helm chart from target cluster
+if [ $helmVerMajor -gt 2 ]; then
+    helm uninstall kubehunter-sa-adapter-public
+else
+    helm del --purge kubehunter-sa-adapter-public .
+fi

scripts/public/sa_kubehunter_install.sh

@@ -1,29 +1,49 @@
 #*******************************************************************************
 # * Licensed Materials - Property of IBM
 # * IBM Bluemix Container Service, 5737-D43
-# * (C) Copyright IBM Corp. 2017 All Rights Reserved.
+# * (C) Copyright IBM Corp. 2020 All Rights Reserved.
 # * US Government Users Restricted Rights - Use, duplication or 
 # * disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
 #******************************************************************************
 
-set +x
+# To check if helm is installed on system or not.
+command -v helm >/dev/null 2>&1 || { echo >&2 "helm is required. Aborting."; exit 1; }
+command -v kubectl >/dev/null 2>&1 || { echo >&2 "kubectl is required. Aborting."; exit 1; }
+
+# To check what version of helm is installed on system.
+helmVer=`helm version --template {{.Version}}`
+helmVerMajor="$(cut -d'.' -f 1 <<< ${helmVer:1})"
+
+# CLI Arguments check
 if [ "$#" -ne 4 ]; then
-    echo "Required arguments missing!"
+    if [ "$#" -lt 4 ]; then
+        echo "Required arguments missing!"
+    else
+        echo "Wrong usage!"
+    fi
     echo "Usage : ./$(basename "$0") <account id> <api key> <cluster name> <full path to directory of kube configs>"
     exit 1
 fi
 
+# Arguments assignment
 account_id=$1
 api_key=$2
 cluster_name=$3
 kube_config_dir=$4
 kubeconfig_name=$(ls $kube_config_dir |grep yml)
 
-chmod +x generate_kubeconfig_secrets.sh
-chmod +x generate_kubehunter_secrets.sh
+# Change mode of scripts for creating kubernetes secrets
+chmod +x ./scripts/public/generate_kubeconfig_secrets.sh
+chmod +x ./scripts/public/generate_kubehunter_secrets.sh
 
-./generate_kubeconfig_secrets.sh $kube_config_dir kubehunter-public-secret default
-./generate_kubehunter_secrets.sh $account_id $api_key $cluster_name $kubeconfig_name default
+# Execute scripts for creating kubernetes secrets
+./scripts/public/generate_kubeconfig_secrets.sh $kube_config_dir kubehunter-public-secret default
+./scripts/public/generate_kubehunter_secrets.sh $account_id $api_key $cluster_name $kubeconfig_name default
 
-cd ../../config/helm/kubehunter-adapter-public
-helm install --name kubehunter-sa-adapter-public .
+# Install helm chart in kubernetes
+cd config/helm/kubehunter-adapter-public
+if [ $helmVerMajor -gt 2 ]; then
+    helm install kubehunter-sa-adapter-public .
+else
+    helm install --name kubehunter-sa-adapter-public .
+fi

scripts/redhat/generate_kubehunter_secrets.sh

@@ -1,4 +1,11 @@
-set +x
+#*******************************************************************************
+# * Licensed Materials - Property of IBM
+# * IBM Bluemix Container Service, 5737-D43
+# * (C) Copyright IBM Corp. 2020 All Rights Reserved.
+# * US Government Users Restricted Rights - Use, duplication or 
+# * disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#******************************************************************************
+
 if [ "$#" -ne 5 ]; then
     echo "Required arguments missing!"
     echo "Usage : ./$(basename "$0") <account_id> <api_key> <cluster_name> <kube config name> <namespace>"