The Security Insights feature is deprecated and will no longer be supported.
- An installation of Python >=3.5 on your local machine (Only if you want to do the cleanup of cards, notes and occurrences).
- An installation of Helm Package Manager >=2.9.0 for Kubernetes.
- An installation of OpenShift Origin CLI.
- You need an IBM Cloud account in which you can navigate to the IBM Cloud Security Advisor Dashboard. The account ID and other account details referred to in this document correspond to that account.
- Clone this repo
```
cd security-advisor-k8s-bench-integration
```
- To point to the Security Advisor London endpoint, make the following changes: uncomment line 14 and comment out line 13 in `/config/helm/kubebench-adapter/values.yaml`
```
sh ./scripts/public/sa_kubebench_install.sh <account-id> <apikey> <target-clustername> <complete-path-of-kubeconfig-of-target-cluster>
```
- For example:
```
./sa_kubebench_install.sh account_id apikey mycluster "/Users/sunilsingh/.bluemix/plugins/container-service/clusters/mycluster"
```
- `<account-id>`: Account ID on which the card needs to be generated
- `<apikey>`: API key of the above account ID.
- `<target-clustername>`: The target public k8s cluster on which kube-bench needs to be configured
- `<complete-path-of-kubeconfig-of-target-cluster>`: Run `ibmcloud ks cluster config <clustername>` to get the kube-config
```
cd security-advisor-k8s-bench-integration
```
- Run the automated script below to clean up everything at once.
```
sh ./scripts/public/sa_kubebench_cleanup.sh <account-id> <apikey> <complete-path-of-kubeconfig-of-target-cluster> <sa-endpoint> <cloud-env>
```
- For example:
```
./sa_kubebench_cleanup.sh accountid apikey "/Users/sunilsingh/.bluemix/plugins/container-service/clusters/mycluster" "https://us-south.secadvisor.cloud.ibm.com/findings" ibmcloud
```
- `<account-id>`: Account ID on which the card needs to be deleted
- `<apikey>`: API key of the above account ID.
- `<complete-path-of-kubeconfig-of-target-cluster>`: Run `ibmcloud cs cluster-config <clustername>` to get the kube-config
- `<sa-endpoint>`: Endpoint of Security Advisor
- `<cloud-env>`: Value is `ibmcloud`
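
A pre-flight check for the five arguments of the public-cluster cleanup call above, as an added example that is not part of this repository. `check_cleanup_args` is a hypothetical helper; the `secadvisor.cloud.ibm.com` host-suffix rule and the owner-only kubeconfig permission check are assumptions of this example. It rejects a call in which a misplaced quote has merged two values, or in which the endpoint is not HTTPS on the expected host, before the API key is handed to the script.

```shell
#!/bin/sh
# Added example; check_cleanup_args is a hypothetical helper, not repo code.
# Validates: <account-id> <apikey> <kubeconfig> <sa-endpoint> <cloud-env>
# Prints the reason on stderr and returns a distinct non-zero code per check.
check_cleanup_args() {
    # A misplaced quote merges two values into one argument: count first.
    if [ "$#" -ne 5 ]; then
        echo "expected 5 arguments, got $#" >&2; return 2
    fi
    account_id=$1; apikey=$2; kubeconfig=$3; endpoint=$4; cloud_env=$5
    if [ -z "$account_id" ] || [ -z "$apikey" ]; then
        echo "account-id and apikey must not be empty" >&2; return 3
    fi
    if [ ! -f "$kubeconfig" ] || [ ! -r "$kubeconfig" ]; then
        echo "kubeconfig is not a readable file: $kubeconfig" >&2; return 4
    fi
    # Assumption of this example: the kubeconfig holds cluster credentials,
    # so require that group and others have no permissions on it.
    perms=$(ls -ld -- "$kubeconfig" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "kubeconfig is accessible to group/others; chmod 600 it" >&2
        return 5
    fi
    # The API key is used against this endpoint: require https, a bare host
    # under secadvisor.cloud.ibm.com (assumed suffix) and the /findings path.
    rest=${endpoint#https://}
    host=${rest%%/*}
    case $host in
        *[!A-Za-z0-9.-]*) host_ok=no ;;
        ?*.secadvisor.cloud.ibm.com) host_ok=yes ;;
        *) host_ok=no ;;
    esac
    if [ "$rest" = "$endpoint" ] || [ "$rest" != "$host/findings" ] ||
       [ "$host_ok" != yes ]; then
        echo "unexpected sa-endpoint: $endpoint" >&2; return 6
    fi
    # The public-cluster form of the script takes ibmcloud here.
    if [ "$cloud_env" != "ibmcloud" ]; then
        echo "cloud-env must be ibmcloud, got: $cloud_env" >&2; return 7
    fi
    return 0
}
```

Call it with the same five values you are about to pass, and run `sa_kubebench_cleanup.sh` only when it returns 0.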
- Clone this repo
```
cd security-advisor-k8s-bench-integration
```
- To point to the Security Advisor London endpoint, make the following changes: uncomment line 14 and comment out line 13 in `/config/helm/kubebench-adapter/values.yaml`
```
sh ./scripts/public/sa_kubebench_install.sh <account-id> <apikey> <target-clustername> <oc-login-api-key>
```
- For example:
```
./sa_kubebench_install.sh account-id apikey mycluster-rhel "oc-login-api-key"
```
- `<account-id>`: Account ID on which the card needs to be generated
- `<apikey>`: API key of the above account ID.
- `<target-clustername>`: The target rhel-openshift cluster on which kube-bench needs to be configured
- `<oc-login-api-key>`: The API key to log in to the cluster
- Clone this repo
```
cd security-advisor-k8s-bench-integration
```
- Run the automated script below to clean up everything at once.
```
sh ./scripts/public/sa_kubebench_cleanup.sh <account-id> <apikey> <target-clustername> <oc-login-api-key> <sa-endpoint> <cloud-env>
```
- For example:
```
./sa_kubebench_cleanup.sh accountid apikey myrhelcluster oc-login-apikey "https://us-south.secadvisor.cloud.ibm.com/findings" redhat
```
- `<account-id>`: Account ID on which the card needs to be generated
- `<apikey>`: API key of the above account ID.
- `<target-clustername>`: The target rhel-openshift cluster on which kube-bench needs to be configured
- `<oc-login-api-key>`: The API key to log in to the cluster
- `<sa-endpoint>`: The value is `https://us-south.secadvisor.cloud.ibm.com/findings`
- `<cloud-env>`: The value is `redhat`
- Clone this repo
```
cd security-advisor-k8s-bench-integration
```
- To point to the Security Advisor London endpoint, make the following changes: uncomment line 14 and comment out line 13 in `/config/helm/kubebench-adapter/values.yaml`
```
sh ./scripts/redhat/sa_kubebench_install.sh <account-id> <apikey> <target-clustername> <oc-login-api-key> <cloud-env>
```
- For example:
```
sh ./scripts/redhat/sa_kubebench_install.sh account_id apikey mycluster-rhel "oc login api-key" redhat
```
- `<account-id>`: Account ID on which the card needs to be generated
- `<apikey>`: API key of the above account ID.
- `<target-clustername>`: The target rhel-openshift k8s cluster on which kube-bench needs to be configured
- `<oc-login-api-key>`: The API key to log in to the cluster
- `<cloud-env>`: The value is `redhat`
- Clone this repo
```
cd security-advisor-k8s-bench-integration
```
- Run the automated script below to clean up everything at once.
```
sh ./scripts/redhat/sa_kubebench_cleanup.sh <account-id> <apikey> <target-clustername> <oc-login-api-key> <sa-endpoint> <cloud-env>
```
- For example:
```
sh ./scripts/redhat/sa_kubebench_cleanup.sh accountid apikey mycluster-rhel oc-login-apikey "https://us-south.secadvisor.cloud.ibm.com/findings" redhat
```
- `<account-id>`: Account ID on which the card needs to be generated
- `<apikey>`: API key of the above account ID.
- `<target-clustername>`: The target rhel-openshift cluster on which kube-bench needs to be configured
- `<oc-login-api-key>`: The API key to log in to the cluster
- `<sa-endpoint>`: The value is `https://us-south.secadvisor.cloud.ibm.com/findings`
- `<cloud-env>`: The value is `redhat`
- The cronjobs are scheduled to run every 15 minutes, which is configurable. To change the schedule, edit:
https://github.com/ibm-cloud-security/security-advisor-k8s-bench-integration/blob/master/config/helm/kubebench-adapter-public/templates/kube-cronjob.yaml#L8
- If you get an error like `Error: incompatible versions client and server`, run `helm init --upgrade`.
- If you get an error like:
```
namespaces security-advisor-insights is forbidden: User system:serviceaccount:kube-system:default cannot get resource namespaces in API group in the namespace security-advisor-insights
```
fix Helm using the Helm setup, or follow the steps below:
```
kubectl delete deployment tiller-deploy -n kube-system
kubectl apply -f https://raw.githubusercontent.com/IBM-Cloud/kube-samples/master/rbac/serviceaccount-tiller.yaml
helm init --service-account tiller
kubectl get pods -n kube-system -l app=helm
helm list
```