accuknox · Ankurk99 · Jul 10, 2023 · Jul 4, 2023
diff --git a/deployments/helm/configmapfiles/discovery-engine/conf.yaml b/deployments/helm/configmapfiles/discovery-engine/conf.yaml
@@ -94,6 +94,9 @@ feed-consumer:
 recommend:
   operation-mode: 1                       # 1: cronjob | 2: one-time-job
   cron-job-time-interval: "1h0m00s"       # format: XhYmZs
+  recommend-host-policy: true
+  template-version: ""
+  admission-controller-policy: false
 
 # license
 license:

diff --git a/deployments/k8s/default/discovery-engine/configmap.yaml b/deployments/k8s/default/discovery-engine/configmap.yaml
@@ -57,9 +57,9 @@ data:
       write-logs-to-db: false
       summary-jobs:
         publisher: true
-        write-summary-to-db: false
+        write-summary-to-db: true
         cron-interval: "0h1m00s"
-    
+
     database:
       driver: sqlite3
       host: mysql.explorer.svc.cluster.local
@@ -92,6 +92,7 @@ data:
       level: "INFO"
 
     # kubectl -n kube-system port-forward service/hubble-relay --address 0.0.0.0 --address :: 4245:80
+
     cilium-hubble:
       url: hubble-relay.kube-system.svc.cluster.local
       port: 80
@@ -101,14 +102,19 @@ data:
       port: 32767
 
     # Recommended policies configuration
+
     recommend:
       operation-mode: 1                       # 1: cronjob | 2: one-time-job
       cron-job-time-interval: "1h0m00s"       # format: XhYmZs
-
+      recommend-host-policy: true
+      template-version: ""
+      admission-controller-policy: false
+
     # license
+
     license:
       enabled: false
       validate: "user-id"
-    
+
     dsp:
-      auto-deploy-dsp: true  
+      auto-deploy-dsp: false
diff --git a/deployments/k8s/deployment.yaml b/deployments/k8s/deployment.yaml
@@ -266,7 +266,121 @@ subjects:
 ---
 apiVersion: v1
 data:
-  conf.yaml: "application:\n  name: discovery-engine\n  network:\n    operation-mode: 1                         # 1: cronjob | 2: one-time-job\n    cron-job-time-interval: \"0h0m10s\"         # format: XhYmZs\n    operation-trigger: 5\n    network-log-from: \"kubearmor\"             # db|hubble|feed-consumer|kubearmor\n    network-log-file: \"./flow.json\"           # file path\n    network-policy-to: \"db\"                   # db, file\n    network-policy-dir: \"./\"\n    namespace-filter:\n    - \"!kube-system\"\n  system:\n    operation-mode: 1                         # 1: cronjob | 2: one-time-job\n    cron-job-time-interval: \"0h0m10s\"         # format: XhYmZs\n    operation-trigger: 5\n    system-log-from: \"kubearmor\"              # db|kubearmor|feed-consumer\n    system-log-file: \"./log.json\"             # file path\n    system-policy-to: \"db\"                    # db, file\n    system-policy-dir: \"./\"\n    deprecate-old-mode: true\n    namespace-filter:\n    - \"!kube-system\"\n    fromsource-filter:\n    - \"knoxAutoPolicy\"\n    \n  admission-controller:\n    generic-policy-list:\n    - \"restrict-deprecated-registry\"\n    - \"prevent-cr8escape\"\n    - \"check-kernel-version\"\n    - \"restrict-ingress-defaultbackend\"\n    - \"restrict-nginx-ingress-annotations\"\n    - \"restrict-ingress-paths\"\n    - \"prevent-naked-pods\"\n    - \"restrict-wildcard-verbs\"\n    - \"restrict-wildcard-resources\"\n    - \"require-requests-limits\"\n    - \"require-pod-probes\"\n    - \"drop-cap-net-raw\"\n\n  cluster:\n    cluster-info-from: \"k8sclient\"            # k8sclient|accuknox\n\nobservability: \n  enable: true\n  cron-job-time-interval: \"0h0m10s\"         # format: XhYmZs\n  dbname: ./accuknox-obs.db\n  system-observability: true\n  network-observability: false\n  write-logs-to-db: false\n  summary-jobs:\n    publisher: true\n    write-summary-to-db: false\n    cron-interval: \"0h1m00s\"\n\ndatabase:\n  driver: sqlite3\n  host: mysql.explorer.svc.cluster.local\n  port: 3306\n  user: root\n  password: password\n  dbname: discovery-engine\n  table-configuration: auto_policy_config\n  table-network-log: network_log\n  table-network-policy: network_policy\n  table-system-log: system_log\n  table-system-policy: system_policy\n\nfeed-consumer:\n  driver: \"pulsar\"\n  servers:\n    - \"pulsar-proxy.accuknox-dev-pulsar.svc.cluster.local:6650\"\n  topic: \n    cilium: \"persistent://accuknox/datapipeline/ciliumalertsflowv1\"\n    kubearmor: \"persistent://accuknox/datapipeline/kubearmoralertsflowv1\"\n  encryption:\n    enable: false\n    ca-cert: /kafka-ssl/ca.pem \n  auth:\n    enable: false\n    cert: /kafka-ssl/user.cert.pem\n    key: /kafka-ssl/user.key.pem\n\nlogging:\n  level: \"INFO\"\n\n# kubectl -n kube-system port-forward service/hubble-relay --address 0.0.0.0 --address :: 4245:80\ncilium-hubble:\n  url: hubble-relay.kube-system.svc.cluster.local\n  port: 80\n\nkubearmor:\n  url: kubearmor.kube-system.svc.cluster.local\n  port: 32767\n\n# Recommended policies configuration\nrecommend:\n  operation-mode: 1                       # 1: cronjob | 2: one-time-job\n  cron-job-time-interval: \"1h0m00s\"       # format: XhYmZs\n\n# license\nlicense:\n  enabled: false\n  validate: \"user-id\"\n\ndsp:\n  auto-deploy-dsp: true  "
+  conf.yaml: |
+    application:
+      name: discovery-engine
+      network:
+        operation-mode: 1                         # 1: cronjob | 2: one-time-job
+        cron-job-time-interval: "0h0m10s"         # format: XhYmZs
+        operation-trigger: 5
+        network-log-from: "kubearmor"             # db|hubble|feed-consumer|kubearmor
+        network-log-file: "./flow.json"           # file path
+        network-policy-to: "db"                   # db, file
+        network-policy-dir: "./"
+        namespace-filter:
+        - "!kube-system"
+      system:
+        operation-mode: 1                         # 1: cronjob | 2: one-time-job
+        cron-job-time-interval: "0h0m10s"         # format: XhYmZs
+        operation-trigger: 5
+        system-log-from: "kubearmor"              # db|kubearmor|feed-consumer
+        system-log-file: "./log.json"             # file path
+        system-policy-to: "db"                    # db, file
+        system-policy-dir: "./"
+        deprecate-old-mode: true
+        namespace-filter:
+        - "!kube-system"
+        fromsource-filter:
+        - "knoxAutoPolicy"
+
+      admission-controller:
+        generic-policy-list:
+        - "restrict-deprecated-registry"
+        - "prevent-cr8escape"
+        - "check-kernel-version"
+        - "restrict-ingress-defaultbackend"
+        - "restrict-nginx-ingress-annotations"
+        - "restrict-ingress-paths"
+        - "prevent-naked-pods"
+        - "restrict-wildcard-verbs"
+        - "restrict-wildcard-resources"
+        - "require-requests-limits"
+        - "require-pod-probes"
+        - "drop-cap-net-raw"
+
+      cluster:
+        cluster-info-from: "k8sclient"            # k8sclient|accuknox
+
+    observability: 
+      enable: true
+      cron-job-time-interval: "0h0m10s"         # format: XhYmZs
+      dbname: ./accuknox-obs.db
+      system-observability: true
+      network-observability: false
+      write-logs-to-db: false
+      summary-jobs:
+        publisher: true
+        write-summary-to-db: true
+        cron-interval: "0h1m00s"
+
+    database:
+      driver: sqlite3
+      host: mysql.explorer.svc.cluster.local
+      port: 3306
+      user: root
+      password: password
+      dbname: discovery-engine
+      table-configuration: auto_policy_config
+      table-network-log: network_log
+      table-network-policy: network_policy
+      table-system-log: system_log
+      table-system-policy: system_policy
+
+    feed-consumer:
+      driver: "pulsar"
+      servers:
+        - "pulsar-proxy.accuknox-dev-pulsar.svc.cluster.local:6650"
+      topic: 
+        cilium: "persistent://accuknox/datapipeline/ciliumalertsflowv1"
+        kubearmor: "persistent://accuknox/datapipeline/kubearmoralertsflowv1"
+      encryption:
+        enable: false
+        ca-cert: /kafka-ssl/ca.pem 
+      auth:
+        enable: false
+        cert: /kafka-ssl/user.cert.pem
+        key: /kafka-ssl/user.key.pem
+
+    logging:
+      level: "INFO"
+
+    # kubectl -n kube-system port-forward service/hubble-relay --address 0.0.0.0  --address :: 4245:80
+
+    cilium-hubble:
+      url: hubble-relay.kube-system.svc.cluster.local
+      port: 80
+
+    kubearmor:
+      url: kubearmor.kube-system.svc.cluster.local
+      port: 32767
+
+    # Recommended policies configuration
+
+    recommend:
+      operation-mode: 1                       # 1: cronjob | 2: one-time-job
+      cron-job-time-interval: "1h0m00s"       # format: XhYmZs
+      recommend-host-policy: true
+      template-version: ""
+      admission-controller-policy: false
+
+    # license
+
+    license:
+      enabled: false
+      validate: "user-id"
+
+    dsp:
+      auto-deploy-dsp: false  
 kind: ConfigMap
 metadata:
   name: discovery-engine-config

diff --git a/src/conf/local-file.yaml b/src/conf/local-file.yaml
@@ -119,8 +119,8 @@ recommend:
   operation-mode: 1                       # 1: cronjob | 2: one-time-job
   cron-job-time-interval: "1h0m00s"       # format: XhYmZs
   recommend-host-policy: true
-  template-version: "v0.2.2"              # policy template version to be used for recommendation (keep empty to fetches latest)
-
+  template-version: ""                    # policy template version to be used for recommendation (keep empty to fetches latest)
+  admission-controller-policy: false
 # license
 license:
   enabled: false
@@ -130,4 +130,4 @@ license:
 pprof: false
 # Discovered Policies Configuration  
 dsp:
-  auto-deploy-dsp: true
+  auto-deploy-dsp: false
diff --git a/src/conf/local.yaml b/src/conf/local.yaml
@@ -83,7 +83,8 @@ recommend:
   operation-mode: 1                       # 1: cronjob | 2: one-time-job
   cron-job-time-interval: "1h0m00s"       # format: XhYmZs
   recommend-host-policy: true
-  template-version: "v0.2.1"
+  template-version: ""
+  admission-controller-policy: false
 
 # license
 license:
@@ -94,4 +95,4 @@ license:
 pprof: false
 # Discovered Policies Configuration
 dsp:
-  auto-deploy-dsp: true  
+  auto-deploy-dsp: false