Policy discovery 2.0 is used to create YAML-based runtime security policies that can be enforced by AccuKnox open-source tools. Policy discovery 2.0 offers auto-discovered policies based on the workloads as well as policies that are tailored for specific use cases. We have a dedicated repository that houses various types of policies specific to CVEs, workloads, malware, and many more.
To make the tool work you need:
- a Kubernetes cluster
- a configured kubectl binary
- go version >= 1.17.8
The architecture is pretty straightforward.
The CLI takes in some inputs from the user and starts its action by connecting to the Kubernetes Cluster and checking for deployed workloads. Once these are identified the CLI pulls down the policy-templates repository and creates separate policy files with updated labels and namespace so that these policies are ready to be enforced on the cluster.
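The label-and-namespace rewrite described above, as an added Go example that is not the project's own code: the Workload type, the template text and its apiVersion/kind are assumptions, standing in for what the CLI reads from the cluster and from the policy-templates repository. The example also refuses a workload with no labels, because a selector with no labels would match every pod in the namespace.

```go
package main

import (
	"bytes"
	"errors"
	"text/template"
)

// Workload is what discovery learns about a deployed resource (hypothetical type).
type Workload struct {
	Name, Namespace string
	Labels          map[string]string
}
// Constructed stand-in for one file in the policy-templates repository;
// apiVersion/kind are placeholders. Only namespace and selector labels are
// filled in per workload; text/template ranges a map in sorted key order.
const policyTemplate = `apiVersion: example.com/v1
kind: RuntimeSecurityPolicy
metadata:
  name: {{ .Name }}-deny-shell
  namespace: {{ .Namespace }}
spec:
  selector:
    matchLabels:
{{- range $k, $v := .Labels }}
      {{ $k }}: {{ $v }}
{{- end }}
  action: Block
`

// RenderPolicy tailors a template to one workload. It refuses an empty
// namespace or label set: a selector with no labels would match every pod
// in the namespace rather than the workload the policy was generated for.
func RenderPolicy(tmpl string, w Workload) (string, error) {
	if w.Namespace == "" {
		return "", errors.New("empty namespace: refusing to emit policy")
	}
	if len(w.Labels) == 0 {
		return "", errors.New("no labels: an empty selector would match every pod")
	}
	t, err := template.New("policy").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, w); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```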
autodiscovery2.0 requires go1.17 or higher to install successfully. Run the following commands to build the latest version:
git clone git@github.com:vishnusomank/policy-cli-2.0.git
cd policy-cli-2.0
go build -o autodiscovery2.0
To run the program use:
./autodiscovery2.0
autodiscovery2.0 -h
This will display help for the tool. Here are all the switches it supports.
NAME:
Auto Discovery v2.0 - A simple CLI tool to automatically generate and apply policies or push to GitHub
USAGE:
autodiscovery2.0 [Flags]
Eg. autodiscovery2.0 --git_base_branch=deploy-branch --auto-apply=false --git_branch_name=temp-branch --git_token=gh_token123 --git_repo_url= https://github.com/testuser/demo.git --git_username=testuser
VERSION:
2.0.0
COMMANDS:
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--auto-apply, --auto If true, modifed YAML will be applied to the cluster (default: false)
--git_base_branch value, --basebranch value GitHub base branch name for PR creation
--git_branch_name value, --branch value GitHub branch name for pushing updates
--git_repo_url value, --git_url value GitHub URL to push the updates
--git_token value, --token value GitHub token for authentication
--git_username value, --git_user value GitHub username
--help, -h show help (default: false)
--version, -v print the version (default: false)
Example invocation:
autodiscovery2.0 --auto-apply=false --git_branch_name=demo-branch --git_token=ghp_gittokenqwerty --git_repo_url=https://github.com/demo-user/demo-repo.git --git_username=demo-user --git_base_branch=demo-base-branch