Policy Discovery 2.0

Policy discovery 2.0 creates YAML-based runtime security policies that can be enforced with the AccuKnox open-source tools. It offers policies auto-discovered from the workloads running in the cluster as well as policies tailored for specific use cases. A dedicated repository houses policy templates for CVEs, workloads, malware, and more.

Prerequisites

To make the tool work you need to have:

  • a Kubernetes cluster
  • a configured kubectl binary
  • go version >= 1.17.8

How it works

The architecture is pretty straightforward.

[Figure: architecture diagram]

The CLI takes its inputs from the user as command-line flags, connects to the Kubernetes cluster, and enumerates the deployed workloads. Once these are identified, the CLI pulls down the policy-templates repository and writes a separate policy file per workload, with the labels and namespace updated to match that workload, so that the policies are ready to be enforced on the cluster. Depending on the flags, the generated policies are either applied to the cluster directly (--auto-apply) or pushed to a branch of the given GitHub repository, from which a pull request is raised against the base branch.
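As an added example of the labels-and-namespace substitution step (illustrative code written for this page, not the policy-cli-2.0 source), the Go program below renders one policy file per discovered workload from a template. The workloads are constructed inline instead of being read from a cluster, and both the template mechanism (Go text/template placeholders) and the KubeArmorPolicy layout are assumptions about what a policy-templates entry looks like; the real repository may use a different format.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Workload is the subset of a discovered Kubernetes workload that policy
// generation needs. In a real run this comes from the cluster API.
type Workload struct {
	Name      string
	Namespace string
	Labels    map[string]string
}

// policyTemplate stands in for one entry of a policy-templates repository.
// The Go text/template placeholders and the KubeArmorPolicy layout are
// assumptions of this example, not the tool's real template format.
// text/template visits maps in sorted key order, so repeated runs produce
// byte-identical files and the git diff shows only real changes.
const policyTemplate = `apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: {{ .PolicyName }}
  namespace: {{ .Namespace }}
spec:
  selector:
    matchLabels:
{{- range $k, $v := .Labels }}
      {{ $k }}: {{ $v }}
{{- end }}
  process:
    matchPaths:
    - path: /usr/bin/apt
  action: Block
`

type templateData struct {
	PolicyName, Namespace string
	Labels                map[string]string
}

// RenderPolicy fills the template for one workload. A workload with no
// labels is rejected: there would be nothing to select on, and a policy with
// an empty matchLabels block must never reach a repo or a cluster.
func RenderPolicy(tmplText, templateName string, w Workload) (string, error) {
	if len(w.Labels) == 0 {
		return "", fmt.Errorf("workload %s/%s has no labels to select on", w.Namespace, w.Name)
	}
	tmpl, err := template.New(templateName).Option("missingkey=error").Parse(tmplText)
	if err != nil {
		return "", err
	}
	data := templateData{
		PolicyName: w.Name + "-" + templateName,
		Namespace:  w.Namespace,
		Labels:     w.Labels,
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// GeneratePolicyFiles renders one policy per workload, keyed by a relative
// path <namespace>/<workload>-<template>.yaml (one file per workload, as
// would be committed to the branch). Failures are collected, not fatal.
func GeneratePolicyFiles(tmplText, templateName string, workloads []Workload) (map[string]string, []error) {
	files := make(map[string]string)
	var errs []error
	for _, w := range workloads {
		out, err := RenderPolicy(tmplText, templateName, w)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		files[fmt.Sprintf("%s/%s-%s.yaml", w.Namespace, w.Name, templateName)] = out
	}
	return files, errs
}

// Constructed sample standing in for the result of a cluster scan.
var sampleWorkloads = []Workload{
	{Name: "frontend", Namespace: "shop", Labels: map[string]string{"tier": "web", "app": "frontend"}},
	{Name: "payments", Namespace: "shop", Labels: map[string]string{"app": "payments"}},
	{Name: "orphan", Namespace: "shop", Labels: map[string]string{}}, // no labels: must be skipped
}

func main() {
	files, errs := GeneratePolicyFiles(policyTemplate, "block-pkg-mgmt", sampleWorkloads)
	for path, content := range files {
		fmt.Printf("--- %s\n%s", path, content)
	}
	fmt.Printf("%d policies generated, %d workloads skipped\n", len(files), len(errs))
}
```

The label-less workload is skipped with an error rather than producing a policy whose selector would not be scoped to anything; whether the output is then applied with --auto-apply or committed for review, a policy that selects nothing or everything is exactly what the per-workload substitution is meant to avoid.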

[Screenshots: CLI output while discovering workloads and generating policies]

Final Output in GitHub

[Screenshot: pull request with the generated policies in GitHub]

Install autodiscovery2.0

autodiscovery2.0 requires Go 1.17 or higher to build successfully. Run the following commands to build the latest version:

git clone git@github.com:vishnusomank/policy-cli-2.0.git
cd policy-cli-2.0
go build -o autodiscovery2.0

To run the program, use:

./autodiscovery2.0

Usage

autodiscovery2.0 -h

This will display help for the tool. Here are all the switches it supports.

NAME:
   Auto Discovery v2.0 - A simple CLI tool to automatically generate and apply policies or push to GitHub

USAGE:
   autodiscovery2.0 [Flags]
   Eg. autodiscovery2.0 --git_base_branch=deploy-branch --auto-apply=false --git_branch_name=temp-branch --git_token=gh_token123 --git_repo_url=https://github.com/testuser/demo.git --git_username=testuser

VERSION:
   2.0.0

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --auto-apply, --auto                         If true, modified YAML will be applied to the cluster (default: false)
   --git_base_branch value, --basebranch value  GitHub base branch name for PR creation
   --git_branch_name value, --branch value      GitHub branch name for pushing updates
   --git_repo_url value, --git_url value        GitHub URL to push the updates
   --git_token value, --token value             GitHub token for authentication
   --git_username value, --git_user value       GitHub username
   --help, -h                                   show help (default: false)
   --version, -v                                print the version (default: false)

Running autodiscovery2.0

autodiscovery2.0 --auto-apply=false --git_branch_name=demo-branch --git_token=ghp_gittokenqwerty --git_repo_url=https://github.com/demo-user/demo-repo.git --git_username=demo-user --git_base_branch=demo-base-branch

With --auto-apply=false nothing is applied to the cluster; the generated policies are pushed to demo-branch in the given repository and a pull request is raised against demo-base-branch for review. Note that a token passed as a command-line flag ends up in your shell history and is visible to other users on the machine through the process list, so use a short-lived token with the minimum scopes needed to push and open pull requests, and revoke it after the run.

Resources

GitHub: https://github.com/vishnusomank/policy-cli-2.0