Discovery Engine discovers the security posture for your workloads and auto-discovers the policy-set required to put the workload in least-permissive mode. The engine leverages the rich visibility provided by KubeArmor and Cilium to auto discover the systems and network security posture.
kubectl apply -f https://raw.githubusercontent.com/accuknox/discovery-engine/dev/deployments/k8s/deployment.yaml
The discovery engine automatically connects to the KubeArmor and Cilium agents installed in the kube-system namespace. It can connect to either or both engines and provide the necessary insights into the workloads.
Use `karmor discover --help` to check all the options. To install the karmor CLI tool, follow the link here.
Example: get the policies discovered for the deployment with the label `app=wordpress` in the `wordpress-mysql` namespace.
karmor discover -n wordpress-mysql -l "app=wordpress" -f yaml > wordpress.yaml
The `wordpress.yaml` file can then be used to enforce the policies with KubeArmor by running `kubectl apply -f wordpress.yaml`.
To uninstall the discovery engine:
kubectl delete -f https://raw.githubusercontent.com/accuknox/discovery-engine/dev/deployments/k8s/deployment.yaml
The discovered policies contain the execution posture of your workloads. You can use them to check what the workloads are actually doing before you enforce anything. Check this guide to know more.
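The discover-review-enforce workflow above, as an added shell example that is not part of the discovery-engine project: it counts and summarizes the discovered KubeArmorPolicy documents so the posture can be reviewed before `kubectl apply`. The `discover_and_enforce` function assumes `karmor` and `kubectl` are on PATH and the discovery engine is running; the two-policy YAML is a constructed sample, not real engine output.

```bash
# Added example, not from the discovery-engine project: discover the policy-set
# for one deployment, review what it would allow, then enforce it. Assumes
# karmor and kubectl are on PATH and the discovery engine is already running.
set -eu

policy_count() { grep -c '^kind: KubeArmorPolicy' "$1" || true; }

# One line per policy (name, action, paths/protocols) for review before enforcing.
summarize_policies() {
  awk '/^kind: KubeArmorPolicy/ { inpol = 1 }
       inpol && /^  name:/     { name = $2 }
       inpol && /^  action:/   { action = $2 }
       inpol && /- (path|protocol):/ { items = items " " $3 }
       /^---/ && inpol         { print name, action ":" items; inpol = 0; items = "" }
       END { if (inpol) print name, action ":" items }' "$1"
}

# Full workflow: discover, refuse to apply an empty set, review, validate, enforce.
discover_and_enforce() {
  ns="$1"; label="$2"; out="$3"
  karmor discover -n "$ns" -l "$label" -f yaml > "$out"
  [ "$(policy_count "$out")" -gt 0 ] || { echo "no policies discovered for $label in $ns" >&2; return 1; }
  summarize_policies "$out"
  kubectl apply --dry-run=server -f "$out"   # schema/admission check, nothing enforced yet
  kubectl apply -f "$out"
}

# Constructed sample of what karmor discover emits (two policies, hypothetical names).
write_sample() { cat > "$1" <<'EOF'
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-wordpress-proc
spec:
  process:
    matchPaths:
    - path: /usr/sbin/apache2
    - path: /bin/sh
  action: Allow
---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-wordpress-net
spec:
  network:
    matchProtocols:
    - protocol: tcp
  action: Allow
EOF
}
```

Run `write_sample /tmp/sample.yaml && summarize_policies /tmp/sample.yaml` to see the review output offline; `discover_and_enforce wordpress-mysql app=wordpress wordpress.yaml` runs the real workflow against a cluster.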