diff --git a/contrib/k8s/helm/.helmignore b/contrib/k8s/helm/.helmignore
new file mode 100644
index 00000000000..0e8a0eb36f4
--- /dev/null
+++ b/contrib/k8s/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/contrib/k8s/helm/Chart.yaml b/contrib/k8s/helm/Chart.yaml
new file mode 100644
index 00000000000..21dcbf375ee
--- /dev/null
+++ b/contrib/k8s/helm/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: prowler
+description: Prowler Security Tool Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
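Review bot: `appVersion: "1.16.0"` in Chart.yaml does not correspond to anything the chart deploys — values.yaml defaults `image.tag` to `stable`, so the Prowler version actually run is whatever that tag resolves to, and `1.16.0` looks like the `helm create` scaffold default left in place (inferred from the surrounding scaffold comments). Either set `appVersion` to the Prowler release the chart is tested against and use `.Chart.AppVersion` as the fallback image tag in job.yaml, or drop the scaffold comments so the field is not read as a tested version. The README badge is generated from this field and inherits the mismatch.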
diff --git a/contrib/k8s/helm/README.md b/contrib/k8s/helm/README.md
new file mode 100644
index 00000000000..884733229b1
--- /dev/null
+++ b/contrib/k8s/helm/README.md
@@ -0,0 +1,78 @@
+# prowler
+
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+Prowler Security Tool Helm chart for Kubernetes
+
+# Prowler Helm Chart Deployment
+
+This guide provides step-by-step instructions for deploying the Prowler Helm chart.
+
+## Prerequisites
+
+Before you begin, ensure you have the following:
+
+1. A running Kubernetes cluster.
+2. Helm installed on your local machine. If you don't have Helm installed, you can follow the [Helm installation guide](https://helm.sh/docs/intro/install/).
+3. Proper access to your Kubernetes cluster (e.g., `kubectl` is configured and working).
+
+## Deployment Steps
+
+### 1. Clone the Repository
+
+Clone the repository containing the Helm chart to your local machine.
+
+```sh
+git clone git@github.com:prowler-cloud/prowler.git
+cd prowler/contrib/k8s/helm
+```
+
+### 2. Deploy the helm chart
+
+```
+helm install prowler .
+```
+
+### 3. Verify the deployment
+
+```
+helm status prowler
+kubectl get all -n prowler-ns
+```
+
+### 4. Clean Up
+To uninstall the Helm release and clean up the resources, run:
+
+```helm uninstall prowler
+kubectl delete namespace prowler-ns
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusterRole.name | string | `"prowler-read-cluster"` | |
+| clusterRoleBinding.name | string | `"prowler-read-cluster-binding"` | |
+| configMap.name | string | `"prowler-hostpaths"` | |
+| configMapData.etcCniNetd | string | `"/etc/cni/net.d"` | |
+| configMapData.etcKubernetes | string | `"/etc/kubernetes"` | |
+| configMapData.etcSystemd | string | `"/etc/systemd"` | |
+| configMapData.libSystemd | string | `"/lib/systemd"` | |
+| configMapData.optCniBin | string | `"/opt/cni/bin"` | |
+| configMapData.usrBin | string | `"/usr/bin"` | |
+| configMapData.varLibCni | string | `"/var/lib/cni"` | |
+| configMapData.varLibEtcd | string | `"/var/lib/etcd"` | |
+| configMapData.varLibKubeControllerManager | string | `"/var/lib/kube-controller-manager"` | |
+| configMapData.varLibKubeScheduler | string | `"/var/lib/kube-scheduler"` | |
+| configMapData.varLibKubelet | string | `"/var/lib/kubelet"` | |
+| cronjob.hostPID | bool | `true` | |
+| cronjob.name | string | `"prowler"` | |
+| cronjob.schedule | string | `"0 0 * * *"` | |
+| image.pullPolicy | string | `"Always"` | |
+| image.repository | string | `"toniblyx/prowler"` | |
+| image.tag | string | `"stable"` | |
+| namespace.name | string | `"prowler"` | |
+| serviceAccount.name | string | `"prowler"` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)
diff --git a/contrib/k8s/helm/templates/cluster-role.yaml b/contrib/k8s/helm/templates/cluster-role.yaml
new file mode 100644
index 00000000000..9edb26b1a62
--- /dev/null
+++ b/contrib/k8s/helm/templates/cluster-role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.clusterRole.name }}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "configmaps", "nodes", "namespaces"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings", "rolebindings", "clusterroles", "roles"]
+ verbs: ["get", "list", "watch"]
diff --git a/contrib/k8s/helm/templates/cm.yaml b/contrib/k8s/helm/templates/cm.yaml
new file mode 100644
index 00000000000..f004279ef3c
--- /dev/null
+++ b/contrib/k8s/helm/templates/cm.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.configMap.name }}
+ namespace: {{ .Values.namespace.name }}
+data:
+ varLibCni: "{{ .Values.configMap.data.varLibCni }}"
+ varLibEtcd: "{{ .Values.configMap.data.varLibEtcd }}"
+ varLibKubelet: "{{ .Values.configMap.data.varLibKubelet }}"
+ varLibKubeScheduler: "{{ .Values.configMap.data.varLibKubeScheduler }}"
+ varLibKubeControllerManager: "{{ .Values.configMap.data.varLibKubeControllerManager }}"
+ etcSystemd: "{{ .Values.configMap.data.etcSystemd }}"
+ libSystemd: "{{ .Values.configMap.data.libSystemd }}"
+ etcKubernetes: "{{ .Values.configMap.data.etcKubernetes }}"
+ usrBin: "{{ .Values.configMap.data.usrBin }}"
+ etcCniNetd: "{{ .Values.configMap.data.etcCniNetd }}"
+ optCniBin: "{{ .Values.configMap.data.optCniBin }}"
+ srvKubernetes: "{{ .Values.configMap.data.srvKubernetes }}"
diff --git a/contrib/k8s/helm/templates/job.yaml b/contrib/k8s/helm/templates/job.yaml
new file mode 100644
index 00000000000..d8c4588098a
--- /dev/null
+++ b/contrib/k8s/helm/templates/job.yaml
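Review bot: The ClusterRole, and the ClusterRoleBinding in role-binding.yaml, are cluster-scoped objects named straight from fixed values (`prowler-read-cluster`, `prowler-read-cluster-binding`), so a second `helm install` of this chart into the same cluster fails on the name clash; deriving the default from the release, e.g. `name: {{ .Values.clusterRole.name | default (printf "%s-read-cluster" .Release.Name) }}`, keeps the override while making releases independent. The first rule also grants `get`/`list`/`watch` on `configmaps` in every namespace, which commonly carry application configuration, and nothing in the diff says which checks need that. Add a per-rule comment naming why each resource is read, and narrow the ConfigMap rule if the scanner only needs the control-plane namespaces.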
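Review bot: Nothing in this diff consumes the ConfigMap — job.yaml builds its volumes directly from `.Values.configMap.data` and no template mounts or references `.Values.configMap.name` — so as far as these templates show it is dead output, and it already diverges from the job: it always emits `srvKubernetes` even when `clusterType` is `gke`, and each key is hand-listed so a new entry in values renders in the job but not here. If it is meant for an out-of-chart consumer, say so in a template comment; otherwise drop it, or generate the `data` block with the same loop the job uses, `{{- range $key, $value := .Values.configMap.data }}` / `{{ $key }}: {{ $value | quote }}` / `{{- end }}`, so the two cannot drift.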
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ .Values.cronjob.name }}
+ namespace: {{ .Values.namespace.name }}
+spec:
+ schedule: "{{ .Values.cronjob.schedule }}"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ app: prowler
+ spec:
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+ containers:
+ - name: prowler
+ image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+ command: ["prowler"]
+ args: ["kubernetes", "-z", "-b"]
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ {{- range $key, $value := .Values.configMap.data }}
+ {{- if and (eq $.Values.clusterType "gke") (eq $key "srvKubernetes") }}
+ {{- else }}
+ - name: {{ $key | lower }}
+ mountPath: {{ $value }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ hostPID: {{ .Values.cronjob.hostPID }}
+ restartPolicy: Never
+ volumes:
+ {{- range $key, $value := .Values.configMap.data }}
+ {{- if and (eq $.Values.clusterType "gke") (eq $key "srvKubernetes") }}
+ {{- else }}
+ - name: {{ $key | lower }}
+ hostPath:
+ path: {{ $value }}
+ {{- end }}
+ {{- end }}
+
diff --git a/contrib/k8s/helm/templates/namespace.yaml b/contrib/k8s/helm/templates/namespace.yaml
new file mode 100644
index 00000000000..fb46db78413
--- /dev/null
+++ b/contrib/k8s/helm/templates/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Values.namespace.name }}
diff --git a/contrib/k8s/helm/templates/role-binding.yaml b/contrib/k8s/helm/templates/role-binding.yaml
new file mode 100644
index 00000000000..77db036d622
--- /dev/null
+++ b/contrib/k8s/helm/templates/role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Values.clusterRoleBinding.name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.clusterRole.name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace.name }}
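Review bot: The pod template runs with `hostPID: true` and hostPath mounts of `/var/lib/etcd`, `/etc/kubernetes` and the kubelet state directory but sets no `securityContext`, and the CronJob has no `concurrencyPolicy`, history limits or `backoffLimit`, so a failing scan retries with the Job default and a slow run can overlap the next schedule. Presumably `hostPID` is there so the checks can read control-plane process command lines; a comment above `hostPID:` saying so would stop a later reviewer from dropping it, and the container should drop all capabilities and forbid privilege escalation unless a specific check is shown to need them. `mountPath: {{ $value }}` and `path: {{ $value }}` are unquoted, so an overridden value containing `: ` or a leading indicator changes the YAML structure rather than the path — pipe them through `quote`. The `hostPath` entries carry no `type:`, so a path absent on a node (the situation the `gke` guard works around for `srvKubernetes`) is not reported at mount time; `type: Directory` would surface it as a pod failure, which is the better trade-off for a read-only benchmark mount if every listed path is expected on supported clusters. Rewritten lines below, each `range` body shown once.
```yaml
spec:
  schedule: "{{ .Values.cronjob.schedule }}"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        # … unchanged: metadata/labels …
        spec:
          serviceAccountName: {{ .Values.serviceAccount.name }}
          containers:
            - name: prowler
              # … unchanged: image, command, args, imagePullPolicy …
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                # … unchanged: range over .Values.configMap.data and gke guard …
                - name: {{ $key | lower }}
                  mountPath: {{ $value | quote }}
                  readOnly: true
                # … unchanged: end / end …
          # NOTE(review): hostPID presumably lets the checks inspect node process arguments — confirm
          hostPID: {{ .Values.cronjob.hostPID }}
          restartPolicy: Never
          volumes:
            # … unchanged: range over .Values.configMap.data and gke guard …
            - name: {{ $key | lower }}
              hostPath:
                path: {{ $value | quote }}
                type: Directory
            # … unchanged: end / end …
```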
diff --git a/contrib/k8s/helm/templates/sa.yaml b/contrib/k8s/helm/templates/sa.yaml
new file mode 100644
index 00000000000..44f16b74829
--- /dev/null
+++ b/contrib/k8s/helm/templates/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace.name }}
diff --git a/contrib/k8s/helm/values.yaml b/contrib/k8s/helm/values.yaml
new file mode 100644
index 00000000000..2b1cb9cc008
--- /dev/null
+++ b/contrib/k8s/helm/values.yaml
@@ -0,0 +1,40 @@
+namespace:
+ name: prowler-ns
+
+cronjob:
+ name: prowler
+ schedule: "0 0 * * *"
+ hostPID: true
+
+serviceAccount:
+ name: prowler-sa
+
+image:
+ repository: toniblyx/prowler
+ tag: stable
+ pullPolicy: Always
+
+clusterType:
+
+configMap:
+ name: prowler-config
+ data:
+ varLibCni: "/var/lib/cni"
+ varLibEtcd: "/var/lib/etcd"
+ varLibKubelet: "/var/lib/kubelet"
+ varLibKubeScheduler: "/var/lib/kube-scheduler"
+ varLibKubeControllerManager: "/var/lib/kube-controller-manager"
+ etcSystemd: "/etc/systemd"
+ libSystemd: "/lib/systemd"
+ etcKubernetes: "/etc/kubernetes"
+ usrBin: "/usr/bin"
+ etcCniNetd: "/etc/cni/net.d"
+ optCniBin: "/opt/cni/bin"
+ srvKubernetes: "/srv/kubernetes"
+
+clusterRole:
+ name: prowler-read-cluster
+
+clusterRoleBinding:
+ name: prowler-read-cluster-binding
+ roleName: prowler-read-cluster
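Review bot: `image.tag: stable` together with `pullPolicy: Always` means every scheduled run pulls whatever `toniblyx/prowler:stable` resolves to at that moment, so the image that produced a given report cannot be reconstructed and an upstream retag is picked up without review; default `tag` to a fixed release and consider an `image.digest` value rendered as `@sha256:<digest placeholder>` so pulls are content-addressed, leaving `stable` as an opt-in. `clusterType:` is a bare key and loads as null; job.yaml compares it with `eq` against `"gke"`, and nil-versus-string comparison behaviour varies with the Go template version, so default it to `""` with a comment listing accepted values (`# one of: "", "gke"`). `clusterRoleBinding.roleName` is not read by any template in this diff (role-binding.yaml uses `clusterRole.name`), so it is a dead knob that will mislead operators. The README values table also disagrees with these defaults (`prowler`/`prowler-hostpaths`/`configMapData.*` versus `prowler-ns`/`prowler-config`/`configMap.data`, and it lacks `clusterType` and `srvKubernetes`), so regenerate it with helm-docs before merge.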