forked from octarinesec/kube-scan
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathkube-scan.yaml
504 lines (502 loc) · 31.1 KB
/
kube-scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
apiVersion: v1
kind: Namespace
metadata:
name: kube-scan
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-scan
namespace: kube-scan
labels:
app: kube-scan
data:
risk-config.yaml: |
expConst: 9
impactConst: 4
attackVector:
remote: 0.85
local: 0.55
exploitability:
high: 0.54
moderate: 0.4
low: 0.1
veryLow: 0.05
scopeFactor:
none: 0.25
host: 1
cluster: 1
ciaScore:
high: 0.56
low: 0.22
none: 0
riskCategory:
min: 0
low: 3
medium: 7
max: 10
individualRiskCategory:
min: 0
low: 3
medium: 5
max: 10
basic:
- name: "privileged"
title: "Workload is privileged"
shortDescription: "Processes inside a privileged containers get full access to the host"
description: "Processes inside a privileged container will have full access to the host, which means any third-party library or malicious program can compromise the host. As a result, the compromised host could be used to compromise the entire cluster"
confidentiality: "High"
confidentialityDescription: "Privileged containers may have the option to read and modify any application, such as Docker, Kubernetes, etc"
integrity: "Low"
integrityDescription: "Processes inside a privileged container get full access to the host. This means a malicious program or third-party library can compromise the host and the entire cluster"
availability: "Low"
availabilityDescription: "Processes inside a privileged container may have the ability to modify or stop Kubernetes, Docker and other applications"
exploitability: "Moderate"
attackVector: "Local"
scope: "Host"
handler: "IsPrivileged"
- name: "runningAsRoot"
title: "Workload may have containers running as root"
shortDescription: "Processes in container running as root may be able to escape their container"
description: "Workload does not specify a non-root user for its containers to run as and does not specify runAsNonRoot. Processes inside a container running as root may be able to escape that container and perform malicious actions on the host - basically giving them complete control over the host and the ability to compromise the entire cluster"
confidentiality: "High"
confidentialityDescription: "Root processes that can escape the container have the ability to read secrets from Kubernetes, Docker and other applications"
integrity: "Low"
integrityDescription: "Processes in a container running as root may be able to escape their container and perform malicious actions on the host"
availability: "Low"
availabilityDescription: "Root processes that can escape the container have the ability to modify or stop Kubernetes, Docker and other applications"
exploitability: "Low"
attackVector: "Local"
scope: "Host"
handler: "IsRunningAsRoot"
- name: "AllowPrivilegeEscalation"
shortDescription: "Privilege escalation allows programs inside the container to run as root"
description: "Privilege escalation allows programs inside the container to run as root, even if the main process is not root, which can give those programs control over that container, host and even cluster"
title: "Workload allows privilege escalation"
confidentiality: "Low"
confidentialityDescription: "Root processes that can escape the containers have the ability to read secrets from Kubernetes, Docker and other applications"
integrity: "Low"
integrityDescription: "Processes in a container running as root may be able to escape their container and perform malicious actions on the host"
availability: "Low"
availabilityDescription: "Root processes that can escape the containers have the ability to modify or stop Kubernetes, Docker and other applications"
exploitability: "VeryLow"
attackVector: "Local"
scope: "Host"
handler: "IsPrivilegedEscalation"
- name: "CapNetRaw"
title: "Workload has a container(s) with NET_RAW capability"
shortDescription: "NET_RAW capability enables ARP spoofing from the container\nNET_RAW capability enables the container to craft malicious raw packet"
description: "The capability NET_RAW allows the container to craft any packet, including malformed or malicious packets"
confidentiality: "High"
confidentialityDescription: "This capability enables ARP spoofing from the container, which means UDP packets can be sent with a forged source IP, etc. This enables the container to perform Man-in-the-Middle (MitM) attacks on the host network"
integrity: "None"
integrityDescription: ""
availability: "Low"
availabilityDescription: "This capability enables the container to craft malicious raw packet, such as Ping of Death"
exploitability: "Low"
attackVector: "Local"
scope: "Cluster"
handler: "IsCapNetRaw"
- name: "WritableFileSystem"
title: "Workload has a container(s) with writable file system"
shortDescription: "Writable File System allows the persistence of threats"
description: "A writable file system allows files within the container to be changed. This means a malicious process inside the container can use a writable file system to store or manipulate data inside the container"
confidentiality: "None"
confidentialityDescription: ""
integrity: "Low"
integrityDescription: "This allows malicious processes to write data to disk, making it easier to drop and execute external malicious code"
availability: "None"
availabilityDescription: ""
exploitability: "Moderate"
attackVector: "Local"
scope: "None"
handler: "IsWritableFileSystem"
- name: "UnmaskedProcMount"
title: "Workload exposes unsafe parts of /proc"
shortDescription: "Full access to /proc can reveal information about the host and other containers\n/proc/sys allows a privileged user to change the kernel parameters are runtime"
description: "A container with full access (unmasked) to the host’s /proc command is able to retrieve information about all the activities and users on that host. /proc/sys allows a privileged user to change the runtime kernel parameters and impact how resources are shared amongst containers"
confidentiality: "Low"
confidentialityDescription: "/proc contains information about all network connections on the host, the file systems and permissions, running processes, etc"
integrity: "None"
integrityDescription: ""
availability: "High"
availabilityDescription: "/proc/sys allows a privileged user to change the runtime kernel parameters, which may impact how resources are shared amongst containers"
exploitability: "Moderate"
attackVector: "Local"
scope: "Host"
handler: "IsUnmaskedProcMount"
- name: "AllowedUnsafeSysctls"
title: "Workload allows unsafe allocation of CPU resources"
shortDescription: "Sysctl allows users to modify the kernel settings at run time: networking, memory, etc. Some sysctl interfaces can affect other containers, the host or bypass the CPU quota attributed to the container"
description: "Sysctl is an interface that enables the container’s parameters to be changed, which could allow the container to grab more CPU resources than it’s allowed by its quota. This may starve other containers from CPU cycles, compromising the operations of the container, host and even the entire cluster"
confidentiality: "None"
confidentialityDescription: ""
integrity: "Low"
integrityDescription: "Some of the sysctl interfaces allow the container to affect the performance of other containers and/or the host"
availability: "High"
availabilityDescription: "Some of the sysctl interfaces allow the container to grab more CPU resources than allowed by their quota. This may starve other containers from CPU cycles"
exploitability: "Moderate"
attackVector: "Local"
scope: "Host"
handler: "IsAllowedUnsafeSysctls"
- name: "notConfiguredCpuOrMemoryLimit"
title: "Workload has a container which its CPU or Memory limit was not configured"
shortDescription: "CPU and Memory quotas prevent container from grabbing too many resources from the node, and allow a better scheduling of resources across the cluster"
description: "CPU and Memory quotas prevent container from grabbing too many resources from the node, and allow a better scheduling of resources across the cluster"
confidentiality: "None"
confidentialityDescription: ""
integrity: "None"
integrityDescription: ""
availability: "High"
availabilityDescription: "Workloads with no CPU or memory quota may starve off other workloads on the node, resulting in pod ejections and cascading reschedule of pods on other nodes"
exploitability: "Moderate"
attackVector: "Local"
scope: "Host"
handler: "IsNotConfiguredCpuOrMemoryLimit"
- name: "mountingOSDirectoryRW"
title: "Workload is mounting a volume with OS Directory write permissions"
shortDescription: "Containers can mount sensitive folders from the hosts, giving them potential dangerous access critical host configurations and binaries"
description: "Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries"
confidentiality: "High"
confidentialityDescription: "Sharing sensitive folders and files such as / (root), /var/run/, etc., can allow the container to communicate with other host applications, such as a database, which could expose sensitive information"
integrity: "High"
integrityDescription: "Sharing sensitive folders and files, such as / (root), /var/run/, docker.sock, etc. can allow the container to reconfigure the Kubernetes clusters, run new container images, etc"
availability: "Low"
availabilityDescription: "Sharing sensitive folders and files, such as / (root), /var/run/, docker.sock, etc. can allow the container to reconfigure the container quotas, run new container images, etc"
exploitability: "Moderate"
attackVector: "Local"
scope: "Host"
handler: "IsMountingOSDirectoryRW"
- name: "mountingOSDirectoryRO"
title: "Workload is mounting a volume with OS Directory read-only permissions"
shortDescription: "Containers can mount sensitive folders from the hosts, giving them potential dangerous access critical host configurations"
description: "Containers can mount sensitive folders from the hosts, giving them potential dangerous knowledge of critical host configurations"
confidentiality: "Low"
confidentialityDescription: "Sharing sensitive folders and files, such as /etc, /var/run/, etc., can allow the container to read secrets"
integrity: "None"
integrityDescription: ""
availability: "None"
availabilityDescription: ""
exploitability: "Low"
attackVector: "Local"
scope: "Host"
handler: "IsMountingOSDirectoryRO"
- name: "capSysAdmin"
title: "Workload has container/s with CAP_SYS_ADMIN capability"
shortDescription: "CAP_SYS_ADMIN is the most privileged capability with over 150 privileged system calls allowed"
description: "CAP_SYS_ADMIN is the most privileged capability allowed, out of more than 150 privileged system calls available"
confidentiality: "High"
confidentialityDescription: "CAP_SYS_ADMIN gives processes privileges equivalent to running as root. Processes in a container running as root may be able to escape their container and perform malicious actions on the host"
integrity: "None"
integrityDescription: ""
availability: "None"
availabilityDescription: ""
exploitability: "Moderate"
attackVector: "Local"
scope: "Host"
handler: "IsCapSysAdmin"
- name: "ExposedByLoadBalancer"
title: "Workload is exposed through a load balancer"
shortDescription: "The service is accessible from other networks and/or from the Internet"
description: "A load balancer is exposing the workload, making it accessible from other networks and the Internet"
confidentiality: "High"
confidentialityDescription: "Accidental exposure of sensitive services may lead to the exfiltration of confidential data through remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
integrity: "Low"
integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
availability: "High"
availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers"
exploitability: "Moderate"
attackVector: "Remote"
scope: "None"
handler: "IsExposedByLoadBalancer"
- name: "ExposedByNodePort"
title: "Workload is exposed through a node port"
shortDescription: "The service is accessible from other networks and/or from the Internet"
description: "A node port is exposing the workload, making it accessible from other networks and the Internet"
confidentiality: "High"
confidentialityDescription: "Accidental exposure of sensitive services may lead to the exfiltration of confidential data through remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
integrity: "Low"
integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
availability: "High"
availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers"
exploitability: "Moderate"
attackVector: "Remote"
scope: "None"
handler: "IsExposedByNodePort"
- name: "ExposedByIngress"
title: "Workload is exposed through an ingress policy"
shortDescription: "The service is accessible from other networks and/or from the Internet"
description: "An ingress policy is exposing the workload, making it accessible from other networks and the Internet"
confidentiality: "High"
confidentialityDescription: "Accidental exposure of sensitive services may lead to the exfiltration of confidential data through remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
integrity: "Low"
integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
availability: "Low"
availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers"
exploitability: "Moderate"
attackVector: "Remote"
scope: "None"
handler: "IsExposedByIngress"
- name: "HostPort"
title: "Workload is exposed through a shared host port"
shortDescription: "The service is accessible from other networks and/or from the Internet"
description: "This container setting binds the container listening port to the IP address of the host. This exposes the pod to adjacent networks and/or to the Internet.\nA host port is exposing the workload, making it accessible from other networks and the Internet"
confidentiality: "High"
confidentialityDescription: "This setting binds the workload listening IP address to the host IP, making the service accessible from other networks and/or from the Internet"
integrity: "Low"
integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
availability: "High"
availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers"
exploitability: "Moderate"
attackVector: "Remote"
scope: "None"
handler: "IsHostPort"
- name: "ShareHostNetwork"
title: "Workload is exposed through a shared host network"
shortDescription: "The service is accessible from other networks and/or from the Internet\nShare Host Network allows containers to sniff traffic from host and other containers"
description: "This Security Context setting allows the workload to share the same network namespace as the host"
confidentiality: "High"
confidentialityDescription: "This allows the network to listen to the loopback interface and sniff the traffic to and from other pods. This setting also allows workloads to bind their listening IP address to the host IP, making the service accessible from other networks and/or from the Internet"
integrity: "Low"
integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services"
availability: "High"
availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers"
exploitability: "Low"
attackVector: "Remote"
scope: "Host"
handler: "IsShareHostNetwork"
- name: "ShareHostPID"
title: "Workload shares the host PID"
shortDescription: "Share Host Pid allow containers to manipulate other container processes"
description: "Shared host PIDs enable the sharing of processes with the host and other containers"
confidentiality: "Low"
confidentialityDescription: "Each container has access to password, secrets, certificates, etc. read by other containers"
integrity: "Low"
integrityDescription: "Each container can manipulate other container processes, inject malicious code, modify /proc, etc. A malicious container can move laterally by infecting other containers on the same host"
availability: "Low"
availabilityDescription: "Each container can crash another container’s processes"
exploitability: "Low"
attackVector: "Local"
scope: "Host"
handler: "IsShareHostPID"
- name: "ShareHostIPC"
title: "Workload shares the host IPC"
shortDescription: "Shared Host IPC can leak confidential data sent from trusted applications"
description: "IPC allows containers to communicate directly through shared memory - a shared IPC means that anyone in that namespace can access that memory"
confidentiality: "High"
confidentialityDescription: "Communication between trusted applications and untrusted applications (malicious third-party libraries, rogue containers) can leak confidential data"
integrity: "Low"
integrityDescription: "Untrusted applications can change the behavior of trusted applications through shared memory namespaces by tampering with the memory"
availability: "Low"
availabilityDescription: "An untrusted application can use improper Inter-Process Communications to crash the destination process"
exploitability: "Low"
attackVector: "Local"
scope: "Host"
handler: "IsShareHostIPC"
remediation:
- name: "seccomp"
title: "Workload containers have a seccomp policy"
shortDescription: "A seccomp policy specify which system class can be called by the application. It is a sandboxing technique that reduces the chance that a kernel vulnerability will be successfully exploited"
description: "seccomp stands for Secure Computing mode - a seccomp policy can specify which system class can be called by the application. It is a sandboxing technique that reduces the chance that a kernel vulnerability will be successfully exploited"
confidentiality: "High"
confidentialityDescription: "A seccomp policy can prevent malicious programs from reading files not used by the container"
integrity: "High"
integrityDescription: "A seccomp policy can prevent malicious programs to use kernel exploits to break out of the container"
availability: "High"
availabilityDescription: "A seccomp policy can be used to restrict the system calls and prevent processes from grabbing additional CPU or memory resources"
exploitability: "None"
attackVector: "Local"
scope: "Host"
handler: "IsSecComp"
- name: "selinux"
title: "Workload containers have SELlinux or AppArmor enabled"
shortDescription: "SELinux (RedHat-based distributions) and AppArmor(Debian-based distributions) provides access control policies. They can be used to restrict how processes can communicate"
description: "SELinux (RedHat-based distributions) and AppArmor (Debian-based distributions) provides access control policies that can be used to restrict how processes can communicate to improve the overall security posture of the container and host"
confidentiality: "High"
confidentialityDescription: "The SELinux or AppArmor policy can be used to restrict what processes can read in each folder"
integrity: "High"
integrityDescription: "The SELinux or AppArmor policy can be used to restrict what processes can write to disk and in what folders"
availability: "High"
availabilityDescription: "The SELinux or AppArmor policy can be used to restrict the system calls and prevent processes from grabbing additional CPU or memory resources"
exploitability: "None"
attackVector: "Local"
scope: "Host"
handler: "IsSelinux"
- name: "IngressPolicy"
title: "Workload has ingress policy configured"
shortDescription: "The Kubernetes network policy allows specific workloads or specific external IP addresses (such as an external Load Balancer) to access the application running"
description: "An ingress network policy can prevent a workload from being leveraged to perform lateral movement and data ex-filtration"
confidentiality: "Low"
confidentialityDescription: "An ingress policy cuts down on accidental exposure to the Internet, which can lead to confidential data being leaked. (Accidental exposure can be caused when a Load Balancer, Node Port or Ingress Controller is added or misconfigured"
integrity: "Low"
integrityDescription: "An ingress policy cuts down on accidental exposure to the Internet, which can make vulnerable code or third-party processes available to be exploited by external attackers"
availability: "High"
availabilityDescription: "An ingress policy helps limit accidental exposure to the Internet, which can make workloads susceptible to DoS attacks from random attackers"
exploitability: "None"
attackVector: "Remote"
scope: "None"
handler: "IsIngressPolicy"
- name: "EgressPolicy"
title: "Workload has egress policy configured"
shortDescription: "The Kubernetes network policy allows workloads to communicate with specific workloads or specific external IP addresses"
description: "The Kubernetes egress network policy only allows workloads to communicate with specific workloads or specific external IP addresses, which reduces the attack surface"
confidentiality: "High"
confidentialityDescription: "A Kubernetes egress policy makes it harder for an attacker to exploit a vulnerable application or OS, or compromised third-party library, etc. to move laterally inside the cluster or exfiltrate confidential data"
integrity: "Low"
integrityDescription: "An egress policy makes it harder to leverage a compromised workload to attack other services in the cluster"
availability: "Low"
availabilityDescription: "An egress policy makes it more difficult for a workload to be leveraged to mount a DoS attack on other internal services in the cluster"
exploitability: "None"
attackVector: "Remote"
scope: "Cluster"
handler: "IsEgressPolicy"
- name: "notListeningToContainerPorts"
title: "A listening port isn’t configured"
shortDescription: "A workload with no listening service is not susceptible to remote networking attacks"
description: "A workload with no listening service is not susceptible to remote networking attacks"
confidentiality: "High"
confidentialityDescription: "When there is no listening port configured, workloads are not accessible remotely and are less likely to be leveraged for lateral movement and data exfiltration"
integrity: "High"
integrityDescription: "When there is no listening port, workloads with local vulnerabilities are less likely to be exploited"
availability: "High"
availabilityDescription: "When there is no listening port, workloads not accessible remotely are less likely to be overloaded by external users"
exploitability: "None"
attackVector: "Remote"
scope: "None"
handler: "IsNotListeningToContainerPorts"
- name: "instrumentedByOctarine"
title: "Workload is instrumented by Octarine"
shortDescription: "Service meshes such as Istio and Octarine provide encryption of network traffic as well as strong identity, preventing network sniffing or Man-in-the-Middle (MiTM) attacks"
description: "The Istio and Octarine service mesh encrypts all internal network activities with a mutual TLS connection and uses certificates to provide strong identity to all workloads, which greatly reduces the potential attack surface"
confidentiality: "High"
confidentialityDescription: "Service meshes, such as Istio and Octarine, provide encryption of network traffic, as well as strong identity, which prevents network sniffing and Man-in-the-Middle (MiTM) attacks"
integrity: "Low"
integrityDescription: "The strong identity provided by an Octarine and/or Istio service mesh prevents rogue containers from impersonating trusted workloads"
availability: "Low"
availabilityDescription: "Service meshes, such as Istio and Octarine, can detect and stop abnormal increases in network activities and network errors"
exploitability: "None"
attackVector: "Remote"
scope: "None"
handler: "IsInstrumentedByOctarine"
- name: "instrumentedByIstio"
title: "Workload is instrumented by Istio"
shortDescription: "The Istio and Octarine service mesh encrypts all internal network activities with a mutual TLS connection and uses certificates to provide strong identity to all workloads, which greatly reduces the potential attack surface"
description: "Service meshes such as Istio and Octarine provide encryption of network traffic as well as strong identity, preventing network sniffing or Man-in-the-Middle (MiTM) attacks"
confidentiality: "High"
confidentialityDescription: "Service meshes, such as Istio and Octarine, provide encryption of network traffic, as well as strong identity, which prevents network sniffing and Man-in-the-Middle (MiTM) attacks"
integrity: "Low"
integrityDescription: "The strong identity provided by an Octarine and/or Istio service mesh prevents rogue containers from impersonating trusted workloads"
availability: "Low"
availabilityDescription: "Service meshes, such as Istio and Octarine, can detect and stop abnormal increases in network activities and network errors"
exploitability: "None"
attackVector: "Remote"
scope: "None"
handler: "IsInstrumentedByIstio"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-scan
namespace: kube-scan
labels:
app: kube-scan
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kube-scan
labels:
app: kube-scan
rules:
- apiGroups:
- ''
- 'rbac.authorization.k8s.io'
- 'extensions'
- 'apps'
- 'batch'
- 'networking.k8s.io'
resources:
- '*'
verbs:
- 'get'
- 'list'
- 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-scan
labels:
app: kube-scan
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kube-scan
subjects:
- kind: ServiceAccount
name: kube-scan
namespace: kube-scan
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kube-scan
namespace: kube-scan
labels:
app: kube-scan
spec:
selector:
matchLabels:
app: kube-scan
template:
metadata:
labels:
app: kube-scan
spec:
containers:
- name: kube-scan-ui
image: octarinesec/kubescan-scanner-ui:20.1.1
imagePullPolicy: Always
env:
- name: API_SERVER_PORT
value: "80"
- name: CONTACT_LINK
value: "mailto:info@octarinesec.com?subject=Octarine%20Contact%20Request"
- name: WEBSITE_LINK
value: "https://www.octarinesec.com"
- name: kube-scan
image: octarinesec/kubescan-scanner:20.1.1
env:
- name: KUBESCAN_PORT
value: "80"
- name: KUBESCAN_RISK_CONFIG_FILE_PATH
value: "/etc/kubescan/risk-config.yaml"
- name: KUBESCAN_REFRESH_STATE_INTERVAL_MINUTES
value: "1440"
imagePullPolicy: Always
volumeMounts:
- name: config
mountPath: /etc/kubescan
volumes:
- name: config
configMap:
name: kube-scan
defaultMode: 420
serviceAccountName: kube-scan
---
apiVersion: v1
kind: Service
metadata:
name: kube-scan-ui
namespace: kube-scan
labels:
app: kube-scan
spec:
ports:
- name: kube-scan-ui
port: 80
protocol: TCP
targetPort: 8080
selector:
app: kube-scan
type: ClusterIP