diff --git a/deployments/helm/configmapfiles/discovery-engine/conf.yaml b/deployments/helm/configmapfiles/discovery-engine/conf.yaml
index eb8b110d..20dd4b67 100644
--- a/deployments/helm/configmapfiles/discovery-engine/conf.yaml
+++ b/deployments/helm/configmapfiles/discovery-engine/conf.yaml
@@ -94,6 +94,9 @@ feed-consumer: recommend: operation-mode: 1 # 1: cronjob | 2: one-time-job cron-job-time-interval: "1h0m00s" # format: XhYmZs + recommend-host-policy: true + template-version: "" + admission-controller-policy: false # license license:
diff --git a/deployments/k8s/default/discovery-engine/configmap.yaml b/deployments/k8s/default/discovery-engine/configmap.yaml
index 6d90898a..12856d17 100644
--- a/deployments/k8s/default/discovery-engine/configmap.yaml
+++ b/deployments/k8s/default/discovery-engine/configmap.yaml
@@ -57,9 +57,9 @@ data: write-logs-to-db: false summary-jobs: publisher: true - write-summary-to-db: false + write-summary-to-db: true cron-interval: "0h1m00s" - + database: driver: sqlite3 host: mysql.explorer.svc.cluster.local
@@ -92,6 +92,7 @@ data: level: "INFO" # kubectl -n kube-system port-forward service/hubble-relay --address 0.0.0.0 --address :: 4245:80 + cilium-hubble: url: hubble-relay.kube-system.svc.cluster.local port: 80
@@ -101,14 +102,19 @@ data: port: 32767 # Recommended policies configuration + recommend: operation-mode: 1 # 1: cronjob | 2: one-time-job cron-job-time-interval: "1h0m00s" # format: XhYmZs - + recommend-host-policy: true + template-version: "" + admission-controller-policy: false + # license + license: enabled: false validate: "user-id" - + dsp: - auto-deploy-dsp: true \ No newline at end of file + auto-deploy-dsp: false \ No newline at end of file
diff --git a/deployments/k8s/deployment.yaml b/deployments/k8s/deployment.yaml
index 3029d24e..e5455129 100644
--- a/deployments/k8s/deployment.yaml
+++ b/deployments/k8s/deployment.yaml
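Review bot: `template-version: ""` in the Helm chart's recommend stanza leaves the policy-template version unpinned; the comment on the same key in src/conf/local-file.yaml says an empty value fetches the latest, so the chart's recommendation job will consume whatever template bundle is current at run time rather than a reviewed release. For the deployed chart I would pin a version (or expose it as a Helm value with a pinned default) and carry the explanation over, e.g. `template-version: ""  # policy template version used for recommendation; empty fetches the latest at run time — pin for reproducible recommendations`. `recommend-host-policy: true` and `admission-controller-policy: false` are also added without any comment; one line each saying what they gate would let an operator judge the defaults. Where these templates are fetched from is not visible in this hunk, so treat the "latest" behaviour as something to confirm against the fetch code.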
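Review bot: Flipping `write-summary-to-db` to `true` makes the default deployment persist summary data, and the `database:` stanza immediately below this change still carries `user: root` and `password: password` in a ConfigMap. With the write path now on by default those credentials become live configuration; they belong in a Secret referenced by the deployment, and the default password should not be a placeholder that ships enabled. Note also that `driver: sqlite3` sits next to a MySQL host and port, so which backend the summary job actually writes to cannot be told from this hunk; a comment on `driver:` stating which keys apply to which driver would help. The whitespace-only line this hunk replaces with a blank line is fine.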
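Review bot: `auto-deploy-dsp` changes from `true` to `false` in the default ConfigMap with no comment explaining the new default, while src/conf/local-file.yaml labels the same stanza `# Discovered Policies Configuration`. Turning automatic deployment of discovered policies off by default is the conservative choice, but operators upgrading with this ConfigMap will silently stop getting discovered policies applied, so the hunk should say so, e.g. `# Discovered Policies Configuration — false: discovered policies are not applied to the cluster automatically (presumably stored for review; confirm against the dsp code)`. The new `admission-controller-policy: false` and `template-version: ""` keys in the same hunk likewise get no comment; the empty template version is documented elsewhere in this commit as "fetch latest", which is worth stating here too since it is the one unpinned input in this file.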
@@ -266,7 +266,121 @@ subjects: --- apiVersion: v1 data: - conf.yaml: "application:\n name: discovery-engine\n network:\n operation-mode: 1 # 1: cronjob | 2: one-time-job\n cron-job-time-interval: \"0h0m10s\" # format: XhYmZs\n operation-trigger: 5\n network-log-from: \"kubearmor\" # db|hubble|feed-consumer|kubearmor\n network-log-file: \"./flow.json\" # file path\n network-policy-to: \"db\" # db, file\n network-policy-dir: \"./\"\n namespace-filter:\n - \"!kube-system\"\n system:\n operation-mode: 1 # 1: cronjob | 2: one-time-job\n cron-job-time-interval: \"0h0m10s\" # format: XhYmZs\n operation-trigger: 5\n system-log-from: \"kubearmor\" # db|kubearmor|feed-consumer\n system-log-file: \"./log.json\" # file path\n system-policy-to: \"db\" # db, file\n system-policy-dir: \"./\"\n deprecate-old-mode: true\n namespace-filter:\n - \"!kube-system\"\n fromsource-filter:\n - \"knoxAutoPolicy\"\n \n admission-controller:\n generic-policy-list:\n - \"restrict-deprecated-registry\"\n - \"prevent-cr8escape\"\n - \"check-kernel-version\"\n - \"restrict-ingress-defaultbackend\"\n - \"restrict-nginx-ingress-annotations\"\n - \"restrict-ingress-paths\"\n - \"prevent-naked-pods\"\n - \"restrict-wildcard-verbs\"\n - \"restrict-wildcard-resources\"\n - \"require-requests-limits\"\n - \"require-pod-probes\"\n - \"drop-cap-net-raw\"\n\n cluster:\n cluster-info-from: \"k8sclient\" # k8sclient|accuknox\n\nobservability: \n enable: true\n cron-job-time-interval: \"0h0m10s\" # format: XhYmZs\n dbname: ./accuknox-obs.db\n system-observability: true\n network-observability: false\n write-logs-to-db: false\n summary-jobs:\n publisher: true\n write-summary-to-db: false\n cron-interval: \"0h1m00s\"\n\ndatabase:\n driver: sqlite3\n host: mysql.explorer.svc.cluster.local\n port: 3306\n user: root\n password: password\n dbname: discovery-engine\n table-configuration: auto_policy_config\n table-network-log: network_log\n table-network-policy: network_policy\n table-system-log: system_log\n 
table-system-policy: system_policy\n\nfeed-consumer:\n driver: \"pulsar\"\n servers:\n - \"pulsar-proxy.accuknox-dev-pulsar.svc.cluster.local:6650\"\n topic: \n cilium: \"persistent://accuknox/datapipeline/ciliumalertsflowv1\"\n kubearmor: \"persistent://accuknox/datapipeline/kubearmoralertsflowv1\"\n encryption:\n enable: false\n ca-cert: /kafka-ssl/ca.pem \n auth:\n enable: false\n cert: /kafka-ssl/user.cert.pem\n key: /kafka-ssl/user.key.pem\n\nlogging:\n level: \"INFO\"\n\n# kubectl -n kube-system port-forward service/hubble-relay --address 0.0.0.0 --address :: 4245:80\ncilium-hubble:\n url: hubble-relay.kube-system.svc.cluster.local\n port: 80\n\nkubearmor:\n url: kubearmor.kube-system.svc.cluster.local\n port: 32767\n\n# Recommended policies configuration\nrecommend:\n operation-mode: 1 # 1: cronjob | 2: one-time-job\n cron-job-time-interval: \"1h0m00s\" # format: XhYmZs\n\n# license\nlicense:\n enabled: false\n validate: \"user-id\"\n\ndsp:\n auto-deploy-dsp: true " + conf.yaml: | + application: + name: discovery-engine + network: + operation-mode: 1 # 1: cronjob | 2: one-time-job + cron-job-time-interval: "0h0m10s" # format: XhYmZs + operation-trigger: 5 + network-log-from: "kubearmor" # db|hubble|feed-consumer|kubearmor + network-log-file: "./flow.json" # file path + network-policy-to: "db" # db, file + network-policy-dir: "./" + namespace-filter: + - "!kube-system" + system: + operation-mode: 1 # 1: cronjob | 2: one-time-job + cron-job-time-interval: "0h0m10s" # format: XhYmZs + operation-trigger: 5 + system-log-from: "kubearmor" # db|kubearmor|feed-consumer + system-log-file: "./log.json" # file path + system-policy-to: "db" # db, file + system-policy-dir: "./" + deprecate-old-mode: true + namespace-filter: + - "!kube-system" + fromsource-filter: + - "knoxAutoPolicy" + + admission-controller: + generic-policy-list: + - "restrict-deprecated-registry" + - "prevent-cr8escape" + - "check-kernel-version" + - "restrict-ingress-defaultbackend" + - 
"restrict-nginx-ingress-annotations" + - "restrict-ingress-paths" + - "prevent-naked-pods" + - "restrict-wildcard-verbs" + - "restrict-wildcard-resources" + - "require-requests-limits" + - "require-pod-probes" + - "drop-cap-net-raw" + + cluster: + cluster-info-from: "k8sclient" # k8sclient|accuknox + + observability: + enable: true + cron-job-time-interval: "0h0m10s" # format: XhYmZs + dbname: ./accuknox-obs.db + system-observability: true + network-observability: false + write-logs-to-db: false + summary-jobs: + publisher: true + write-summary-to-db: true + cron-interval: "0h1m00s" + + database: + driver: sqlite3 + host: mysql.explorer.svc.cluster.local + port: 3306 + user: root + password: password + dbname: discovery-engine + table-configuration: auto_policy_config + table-network-log: network_log + table-network-policy: network_policy + table-system-log: system_log + table-system-policy: system_policy + + feed-consumer: + driver: "pulsar" + servers: + - "pulsar-proxy.accuknox-dev-pulsar.svc.cluster.local:6650" + topic: + cilium: "persistent://accuknox/datapipeline/ciliumalertsflowv1" + kubearmor: "persistent://accuknox/datapipeline/kubearmoralertsflowv1" + encryption: + enable: false + ca-cert: /kafka-ssl/ca.pem + auth: + enable: false + cert: /kafka-ssl/user.cert.pem + key: /kafka-ssl/user.key.pem + + logging: + level: "INFO" + + # kubectl -n kube-system port-forward service/hubble-relay --address 0.0.0.0 --address :: 4245:80 + + cilium-hubble: + url: hubble-relay.kube-system.svc.cluster.local + port: 80 + + kubearmor: + url: kubearmor.kube-system.svc.cluster.local + port: 32767 + + # Recommended policies configuration + + recommend: + operation-mode: 1 # 1: cronjob | 2: one-time-job + cron-job-time-interval: "1h0m00s" # format: XhYmZs + recommend-host-policy: true + template-version: "" + admission-controller-policy: false + + # license + + license: + enabled: false + validate: "user-id" + + dsp: + auto-deploy-dsp: false kind: ConfigMap metadata: name: 
discovery-engine-config diff --git a/src/conf/local-file.yaml b/src/conf/local-file.yaml index 4a5d3119..b9cbd295 100644 --- a/src/conf/local-file.yaml +++ b/src/conf/local-file.yaml @@ -119,8 +119,8 @@ recommend: operation-mode: 1 # 1: cronjob | 2: one-time-job cron-job-time-interval: "1h0m00s" # format: XhYmZs recommend-host-policy: true - template-version: "v0.2.2" # policy template version to be used for recommendation (keep empty to fetches latest) - + template-version: "" # policy template version to be used for recommendation (keep empty to fetches latest) + admission-controller-policy: false # license license: enabled: false @@ -130,4 +130,4 @@ license: pprof: false # Discovered Policies Configuration dsp: - auto-deploy-dsp: true + auto-deploy-dsp: false diff --git a/src/conf/local.yaml b/src/conf/local.yaml index f8a5b2d8..d4589567 100644 --- a/src/conf/local.yaml +++ b/src/conf/local.yaml @@ -83,7 +83,8 @@ recommend: operation-mode: 1 # 1: cronjob | 2: one-time-job cron-job-time-interval: "1h0m00s" # format: XhYmZs recommend-host-policy: true - template-version: "v0.2.1" + template-version: "" + admission-controller-policy: false # license license: @@ -94,4 +95,4 @@ license: pprof: false # Discovered Policies Configuration dsp: - auto-deploy-dsp: true + auto-deploy-dsp: false
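Review bot: The rewritten `conf.yaml` block scalar still embeds `user: root` and `password: password` under `database:` in a ConfigMap inside the Deployment manifest, now as readable YAML rather than an escaped string; anyone with `get configmaps` in the namespace can read them. Since the whole block is re-emitted here, this is the moment to move the credentials into a Secret (mounted or injected via `valueFrom`) and leave only a placeholder comment in the ConfigMap, e.g. `# database credentials are supplied from a Secret; do not commit real values here`. Two further settings deserve an explicit caveat in the block: `feed-consumer.encryption.enable: false` with `auth.enable: false` means the Pulsar feed is consumed without TLS or client authentication, and the `kubectl ... --address 0.0.0.0` comment documents a port-forward that listens on every interface of the operator's host. The `---` at the top of this hunk suggests the ConfigMap is one document in a larger multi-document file whose earlier resources are outside this hunk.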
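Review bot: This hunk removes the explicit pin `template-version: "v0.2.2"` in favour of an empty value, which the inline comment says fetches the latest templates; that trades reproducibility for freshness, so a recommendation run can change behaviour without any configuration change. If the unpinned default is meant for local development only, say so, and fix the comment's grammar while there: `template-version: ""  # policy template version used for recommendation (leave empty to fetch the latest; pin a version for reproducible runs)`. The new `admission-controller-policy: false` key is added with no comment at all; one line stating what it gates would match the documentation style of the surrounding keys.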
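Review bot: `template-version: ""` in src/conf/local.yaml carries no explanation, whereas the same key in src/conf/local-file.yaml is documented in this commit; the two local configs should read the same so a developer editing either one understands that empty means "fetch the latest". Suggest `template-version: ""  # policy template version used for recommendation; empty fetches the latest` and a similar one-line comment on the new `admission-controller-policy: false`.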