Liz Rice (lizrice), @aquasecurity, London, http://www.lizrice.com. VP Open Source Engineering at @aquasecurity | @cncf Technical Oversight Committee chair | O'Reilly Container Security author

aquasecurity/trivy 5080

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

aquasecurity/kube-bench 3089

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

aquasecurity/kubectl-who-can 354

Show who has RBAC permissions to perform actions on different resources in Kubernetes

aquasecurity/kube-query 175

[EXPERIMENTAL] Extend osquery to report on Kubernetes

danielsagi/kube-dnsspoof 53

A POC for DNS spoofing in Kubernetes clusters. Runs with minimum capabilities on default installations of Kubernetes.

aquasecurity/harbor-scanner-trivy 46

Use Trivy as a plug-in vulnerability scanner in the Harbor registry

aquasecurity/aqua-helm 40

Helm Charts For Installing Aqua Security Components

lizrice/container-security 35

Resources for the O'Reilly Container Security book

danielsagi/kube-pod-escape 32

Kubernetes POC for utilizing a write mount to /var/log to get root on the host

aquasecurity/starboard-octant-plugin 24

Octant plugin for viewing Starboard security information

push event lizrice/ebpf-beginners

Liz Rice

commit sha d8495151bc0fa9fcc2ddb12ec1588e89edad4cb8

Add ebpf.py to README


push time in 2 hours

push event lizrice/ebpf-beginners

Liz Rice

commit sha 400dede813895ecd92a6d32dd32b23c408a680e5

Create ebpf.py


push time in 2 hours

issue comment aquasecurity/trivy

Output the vulnerabilities that are ignored

I'm not convinced by the idea of simply including "ignored" results in the main list of vulnerabilities, even if they were marked somehow as "ignore". I'd guess there is a workaround of running trivy twice, once without the ignore file, and comparing the results?

The best option would be to show all entries in the ignore file, and which of them were also found in the image.

I can see the value in this - so in addition to a list of vulnerabilities, there would be an option to output a separate list of ignore file entries and indicate whether they were found or not.

ajinkya599

comment created time in a day

push event lizrice/ebpf-beginners

Liz Rice

commit sha 3ae088baffcbd35d1e02c83442ebc09dfe0fd40c

Update README.md


push time in a day

create branch lizrice/ebpf-beginners

branch : main

created branch time in a day

created repository lizrice/ebpf-beginners

The beginner's guide to eBPF

created time in a day

issue comment aquasecurity/linux-bench

No binaries are uploaded to github

This is just an oversight; we should include a binary release, the same as we do for docker-bench and kube-bench.

mrueg

comment created time in 6 days


Pull request review comment cncf/toc

Added requirement to have basic contributor information.

 To be accepted in the sandbox a project must * Require 3 of the 11 TOC members to step forward as sponsors to enter the sandbox * Adopt the CNCF https://github.com/cncf/foundation/blob/master/code-of-conduct.md[Code of Conduct] * Adhere to CNCF https://github.com/cncf/foundation/blob/master/charter.md#11-ip-policy[IP Policy] (including trademark transferred)+* Have a basic CONTRIBUTING.md file or other information on how to contribute to the project 

I don't honestly think we need this - there's no need to duplicate everything that's in the form, it will just get out of sync (and for example we are also asking for sandbox projects to have some form of public roadmap, but that's not listed here).

You could argue that in that case, nothing should be listed here, but I think having the big ticket items here is helpful. We want to make sure it's absolutely clear that, for example, the project is going to have to transfer IP to CNCF.

jberkus

comment created time in 11 days

Pull request review comment cncf/toc

Added requirement to have basic contributor information.

 To be accepted in the sandbox a project must * Require 3 of the 11 TOC members to step forward as sponsors to enter the sandbox

This line should be deleted, it's no longer true

jberkus

comment created time in 11 days


Pull request review comment cilium/ebpf.io

add tracee to projects list

 const ProjectDescriptions = () => (         </div>       </div>     </div>++    <div className="project-box">+      <a name="tracee" />+      <div className="project-major-title">Tracee</div>+      <div className="project-minor-title">Dynamic Security Event Tracing</div>+      <div className="project-body">+        <a+          className="project-logo"+          target="_blank"+          href="https://github.com/aquasecurity/tracee"+        >+          <img src="https://raw.githubusercontent.com/aquasecurity/tracee/master/images/tracee.png" />+        </a>+        <div className="project-description">+          <p>+            <a href="https://github.com/aquasecurity/tracee">+              <b>GitHub</b>+            </a>{" "}+          </p>+          <p>+            Tracee is a lightweight, efficient and easy-to-use tool for dynamically detecting security events from systems, containers, and pods. 
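Review bot: `<a name="tracee" />` relies on the `name` attribute, which is obsolete on anchors in HTML5; put `id="tracee"` on the `project-box` div instead so the in-page link still resolves. In the same block, the logo link opens with `target="_blank"` but no `rel="noopener noreferrer"`, which should be added so the new tab does not keep a reference to the opener window, and the `<img>` needs an `alt` text (e.g. `alt="Tracee logo"`) for accessibility.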

I see you're a fan of the Oxford comma! Point taken on the phrasing, we will come back with a better description.

itaysk

comment created time in 12 days


Pull request review comment cilium/ebpf.io

add tracee to projects list

 const ProjectDescriptions = () => (         </div>       </div>     </div>++    <div className="project-box">+      <a name="tracee" />+      <div className="project-major-title">Tracee</div>+      <div className="project-minor-title">Dynamic Security Event Tracing</div>

As a native English speaker I'm going to respectfully disagree here - "security-event tracing" looks wrong to me. I think it's because "security" is an adjective describing the event(s), but not the tracing of those events.

My first choice here is "Dynamic Security Event Tracing"; if we can't have that, I'd say "Dynamic Tracing for Security Events"

itaysk

comment created time in 12 days


Pull request review comment aquasecurity/starboard

docs: Add operator to the README.md

 The following table lists available configuration parameters. >   -p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]' > ``` -## Custom Security Resources Definitions+## Starboard Operator -This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code-generated by Kubernetes [code generators][k8s-code-generator] to write such custom resources in a natural way.+This operator automatically updates security report resources in response to workload and other changes on a Kubernetes+cluster - for example, initiating a vulnerability scan when a new pod is started. In other words, the desired state+for this operator is that for each workload there are security reports stored in the cluster as custom resources. -| NAME                                             | SHORTNAMES   | APIGROUP               | NAMESPACED |  KIND               |-| ------------------------------------------------ | ------------ | ---------------------- | ---------- | ------------------- |-| [vulnerabilityreports][vulnerabilityreports-crd] | vulns,vuln   | aquasecurity.github.io | true       | VulnerabilityReport |-| [configauditreports][configauditreports-crd]     | configaudit  | aquasecurity.github.io | true       | ConfigAuditReport   |-| [ciskubebenchreports][ciskubebenchreports-crd]   | kubebench    | aquasecurity.github.io | false      | CISKubeBenchReport  |-| [kubehunterreports][kubehunterreports-crd]       | kubehunter   | aquasecurity.github.io | false      | KubeHunterReport    |+Currently, the operator implements two reconciliation loops and only supports [vulnerabilityreports][vulnerabilityreports-crd]+security resources as depicted below. However, we plan to support all [custom security resources][starboard-crds]. 
-See [Custom Security Resources Specification][starboard-crds-spec] for the detailed explanation of custom resources-used by Starboard and their lifecycle.+| Controller | Description |+| ---------- | ----------- |+| [PodController](pkg/operator/controller/pod/pod_controller.go) | Watches for pod events in target namespaces to lookup the immediate owner of a pod. Then it checks whether there's the VulnerabilityReport owned by this owner. If not, it schedules a scan job in the operator's namespace. |+| [JobController](pkg/operator/controller/job/job_controller.go) | Watches for job events in the operator's namespace. If a given job is completed it parses the logs of the controlee pod and converts the logs output to an instance of the VulnerabilityReport resource. | -## Starboard CLI+![](docs/images/operator/starboard-operator.png) -Starboard CLI is a single executable binary which can be used to find risks, such as vulnerabilities or insecure Pod-specs, in Kubernetes workloads. By default, the risk assessment reports are stored as-[custom security resources][starboard-crds].+### Environment Variables -To learn more about the available Starboard CLI commands, run `starboard help` or type a command followed by the-`-h` flag:+Configuration of the operator is done via environment variables at startup.++| NAME                                 | DEFAULT                | DESCRIPTION |+| ------------------------------------ | ---------------------- | ----------- |+| `OPERATOR_NAMESPACE`                 | N/A                    | See [Install modes](#install-modes) |+| `OPERATOR_TARGET_NAMESPACES`         | N/A                    | See [Install modes](#install-modes) |+| `OPERATOR_SCANNER_TRIVY_ENABLED`     | `true`                 | The flag to enable Trivy vulnerability scanner |+| `OPERATOR_SCANNER_TRIVY_VERSION`     | `0.11.0`               | The version of Trivy to be used |+| `OPERATOR_SCANNER_TRIVY_IMAGE`       | `aquasec/trivy:0.11.0` | The Docker image of Trivy to be 
used |+| `OPERATOR_SCANNER_AQUA_CSP_ENABLED`  | `false`                | The flag to enable Aqua vulnerability scanner |+| `OPERATOR_SCANNER_AQUA_CSP_VERSION`  | `5.0`                  | The version of Aqua scanner to be used |+| `OPERATOR_SCANNER_AQUA_CSP_IMAGE`    | `aquasec/scanner:5.0`  | The Docker image of Aqua scanner to be used |+| `OPERATOR_LOG_DEV_MODE`              | `false`                | The flag to use (or not use) development mode (more human-readable output, extra stack traces and logging information, etc). |+| `OPERATOR_SCAN_JOB_TIMEOUT`          | `5m`                   | The length of time to wait before giving up on a scan job |+| `OPERATOR_METRICS_BIND_ADDRESS`      | `:8080`                | The TCP address to bind to for serving [Prometheus][prometheus] metrics. It can be set to `0` to disable the metrics serving. |+| `OPERATOR_HEALTH_PROBE_BIND_ADDRESS` | `:9090`                | The TCP address to bind to for serving health probes, i.e. `/healthz/` and `/readyz/` endpoints. |++### Install Modes++The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determine the install mode,+which in turn determines the multitenancy support of the operator.++| MODE            | OPERATOR_NAMESPACE | OPERATOR_TARGET_NAMESPACES | DESCRIPTION |+| --------------- | ------------------ | -------------------------- | ----------- |+| OwnNamespace    | `operators`        | `operators`                | The operator can be configured to watch events in the namespace it is deployed in. |+| SingleNamespace | `operators`        | `foo`                      | The operator can be configured to watch for events in a single namespace that the operator is not deployed in. |+| MultiNamespace  | `operators`        | `foo,bar,baz`              | The operator can be configured to watch for events in more than one namespace. 
|+| AllNamespaces   | `operators`        |                            | The operator can be configured to watch for events in all namespaces. |++> **CAUTION:** Although we do support the *AllNamespaces* install mode, please use it with caution when your cluster+> runs a moderate or high number of workloads. If the desired state of the cluster is much different from the actual+> state, the operator might spin up too many scan jobs and negatively impact the performance of your cluster.+> We're working on improvements to limit the number of parallel scan jobs and implement a back pressure logic.
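Review bot: the environment-variable table carries the Trivy version twice, as `OPERATOR_SCANNER_TRIVY_VERSION` = `0.11.0` and inside `OPERATOR_SCANNER_TRIVY_IMAGE` = `aquasec/trivy:0.11.0` (the Aqua scanner rows do the same with `5.0`), so a user who bumps one without the other gets a silent mismatch; the descriptions should state which setting wins, or the image default should be documented as derived from the version. In the install-mode table, the AllNamespaces row leaves `OPERATOR_TARGET_NAMESPACES` blank; spell out that the variable must be unset or empty, since a reader cannot tell whether the blank cell is a value or an omission.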
> We're planning improvements to limit the number of parallel scan jobs and implement a back pressure logic.
danielpacak

comment created time in 13 days

Pull request review comment aquasecurity/starboard

docs: Add operator to the README.md

 vulnerabilities as well as configuration issues that might affect stability, rel To learn more about the available Starboard commands and scanners, such as [kube-bench][aqua-kube-bench] or [kube-hunter][aqua-kube-hunter], use `starboard help`. -## Configuration+## Custom Security Resources Definitions++This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code+generated by Kubernetes [code generators][k8s-code-generator] to write such custom resources in a natural way.++| NAME                                             | SHORTNAMES   | APIGROUP               | NAMESPACED |  KIND               |+| ------------------------------------------------ | ------------ | ---------------------- | ---------- | ------------------- |+| [vulnerabilityreports][vulnerabilityreports-crd] | vulns,vuln   | aquasecurity.github.io | true       | VulnerabilityReport |+| [configauditreports][configauditreports-crd]     | configaudit  | aquasecurity.github.io | true       | ConfigAuditReport   |+| [ciskubebenchreports][ciskubebenchreports-crd]   | kubebench    | aquasecurity.github.io | false      | CISKubeBenchReport  |+| [kubehunterreports][kubehunterreports-crd]       | kubehunter   | aquasecurity.github.io | false      | KubeHunterReport    |++See [Custom Security Resources Specification][starboard-crds-spec] for the detailed explanation of custom resources+used by Starboard and their lifecycle.++## Starboard CLI++Starboard CLI is a single executable binary which can be used to find risks, such as vulnerabilities or insecure Pod+specs, in Kubernetes workloads. By default, the risk assessment reports are stored as+[custom security resources][starboard-crds].++To learn more about the available Starboard CLI commands, run `starboard help` or type a command followed by the+`-h` flag:++```+$ starboard kube-hunter -h+```++### Configuration

Am I right to think that the Starboard operator will create the vulnerabilityreports CRD - no need to run starboard init first?

danielpacak

comment created time in 13 days


push event aquasecurity/starboard-operator

Liz Rice

commit sha 680b1aeaa962e0538a87d095442d14ee45409631

Note about archiving this repo


push time in 13 days

pull request comment aquasecurity/starboard-operator

Add Helm chart

Hi @consideRatio, welcome to Starboard! We're actually in the process of moving the Starboard Operator code into the main Starboard repository, and we just recently moved all the issues, including this one about adding a Helm chart. So unfortunately it looks like your work here may be a duplicate of what's being done under this PR. Given your experience with Helm charts, if you are interested in reviewing that PR we would very much welcome your input. (And I don't know if you're motivated by Hacktoberfest but we would absolutely count that as a contribution!)

I'm so sorry about the timing here - we are literally about to archive this repo this morning!

consideRatio

comment created time in 13 days


push event cncf/toc

Russell Bryant

commit sha 19e26efb22b7ec5abe7412f9d11e3501fae47f3c

Sandbox proposal for metal3-io This PR includes a CNCF Sandbox proposal for the Metal3 project (https://metal3.io). This project explores how to apply cloud native design principles to the provisioning and management of bare metal hosts. The proposal document contains much more detail about the state of the project.


Calvin Weng

commit sha 5b97975a750b58fa9ec17a8a09915864a55f39b8

add tikv graduation proposal Signed-off-by: Calvin Weng <wenghao@pingcap.com>


Calvin Weng

commit sha aac04d38427591ee4cd77103b92c43b6b8b9c3f3

add some more info Signed-off-by: Calvin Weng <wenghao@pingcap.com>


Calvin Weng

commit sha 3f34fa623a46d23f7296cd29fbc08ed19e6eec67

fix format Signed-off-by: Calvin Weng <wenghao@pingcap.com>


Calvin Weng

commit sha 5a959c1fc8e70ac717ed1a9778760c13ee4b4332

minor updates on number and format Signed-off-by: Calvin Weng <wenghao@pingcap.com>


Calvin Weng

commit sha e314da3b15f11fe28b63f5c218031557095ec212

update some numbers and wording Signed-off-by: Calvin Weng <wenghao@pingcap.com>


Calvin Weng

commit sha 1a50294d95273bbdb145dbea74cc93775d331b45

minor wording and formatting update Signed-off-by: Calvin Weng <wenghao@pingcap.com>


Richard Li

commit sha b1de8e706d8db63625c0a453021ea53eccd42c06

Add 2020 Telepresence Annual Review


Craig Jellick

commit sha 1560f99d8c6c20d78a63a74eee162596ca78dcc4

Submit k3s as a sandbox project


Vaughn Dice

commit sha 6b843cc027ab5893f953cabe8a0fcd267564ffc1

docs(reviews): add Brigade 2020 Annual Review Signed-off-by: Vaughn Dice <vadice@microsoft.com>


Calvin Weng

commit sha b384001cb877690cfac85b7a8e249b3936653779

update some stats


Calvin Weng

commit sha 0a50e89476791c0c5a46cdb8c559dcc237868469

Update on tikv operator


Kevin Wang

commit sha 161e346e49f85c965d169b848d90d5b3ce32a1e3

add Kubeedge incubation review Signed-off-by: Kevin Wang <kevinwzf0126@gmail.com> Co-authored-by: Yin Ding <dingyin@gmail.com>


Stefan Ålund

commit sha 717cdc620dcb8a2e8094f16d2a41f9a354ce3484

Add Backstage as CNCF Sandbox project This PR contains a proposal to add Backstage to the CNCF as a Sandbox project. We have requested time with the App Delivery SIG to present the project and proposal and will follow up on this PR when that is complete. **Description:** [Backstage](https://backstage.io/) is an open platform for building developer portals. It’s based on the developer portal we’ve been using internally at Spotify for over four years. Backstage can be as simple as a services catalog or as powerful as the UX layer for your entire tech infrastructure.


Stefan Ålund

commit sha 16659973e89899f66b98cee7664cc0a10638d0cd

Rename backstage.adoc to backstage.md


Stefan Ålund

commit sha f9611167870073bf4aac59ff06fc9e3741b7b54b

Fix ADOPTERS link


Vaughn Dice

commit sha 954f998711fbe4de975b6e283936cbf2ce6b7219

add timeline details around Brigade 2.0 Signed-off-by: Vaughn Dice <vadice@microsoft.com>


Vaughn Dice

commit sha 365688130217bf3ef7fac56b650fac35cc0ad0f2

Update with link to formal 2.0 proposal Signed-off-by: Vaughn Dice <vadice@microsoft.com>


Darach Ennis

commit sha 4e8eea25d4167af61fa1b0ababb842306bdc87a4

Add sandbox proposal for tremor project


Luke Hinds

commit sha 0ed5206d3fb7dbe62027b77e6b02799fb04b036b

Add Keylime as a CNCF Sandbox Proposal


push time in 14 days


Pull request review comment cncf/toc

Update due-diligence-guidelines.md to be explicit about dependencies

 the detail where necessary. * What are the most important holes? No High-Availability? No flow control? Inadequate integration points? * Code quality.  Does it look good, bad or mediocre to you (based on a spot review).  How thorough are the code reviews? Substance over form.   Are there explicit coding guidelines for the project?-* Dependencies.  What external dependencies exist, do they seem justified?+* Dependencies.  What external dependencies exist, do they seem justified?  Note: all core dependencies should be listed in the document along with the details of relevant repos

I don't know how to get the terminology right here but I think we need to distinguish between significant functional dependencies, and programming language / package dependencies. We don't want to be reviewing giant lists of, say, Go packages or Node dependencies, but we do want to know when a project assumes the existence of a significant external component.

chira001

comment created time in 14 days

Pull request review comment cncf/toc

Clean up and de-dupe TOC repo contents

 Possible ways to contribute: * CNCF SIGs & working groups (various tasks) * Technical content for website -If you are interested in engaging in this way, we would encourage you to issue a pull request to [TOC Contributors](https://github.com/cncf/toc/blob/master/CONTRIBUTORS.md) that you desire to become a TOC Contributor. Although there is not an actual limit of having one Contributor per company, we would encourage CNCF member companies to designate an official TOC Contributor who is tasked with consulting internal experts and expressing a semi-official view on a given project. We will list current TOC Contributors on a page similar to https://www.cncf.io/people/ambassadors/.+If you are interested in becoming a TOC member, we encourage you to create a Pull Request adding yourself to the list of [TOC Contributors](#toc-contributors). Although there is no limit of Contributors per company, we encourage CNCF member companies to designate an official TOC Contributor tasked with consulting internal experts and expressing a semi-official view on a given project.++This is not only about individual contribution.  It is also about rallying help from your employer, for example, if you work for a CNCF Member company. Given the [breadth](https://landscape.cncf.io/) of projects represented in cloud native technology, it is impossible for anyone to be an expert in all technologies that we’re evaluating. We’re particularly interested in contributors who can act as a focal point for tapping relevant expertise from their organizations and colleagues in order to engage with CNCF discussions in a timely manner.++The TOC already has the pattern of encouraging non-members to make non-binding votes, so no change in the TOC charter is necessary to allow contributors.++TOC [meetings](https://github.com/cncf/toc#meeting-time) are only two hours a month, and are mainly taken up with project presentations. 
While contributors are welcome to share their views during the meeting, the biggest opportunity for comment is on the TOC [mailing list](https://github.com/cncf/toc#mailing-list), on Pull Requests representing project applications, and in voting.++Just as the biggest contributors to open source projects often become maintainers, becoming an active TOC contributor is one of the best paths to distinguish oneself ahead of TOC [elections](https://github.com/cncf/toc/blob/master/process/election-schedule.md).++## TOC contributors++Find out more about the role of TOC contributors [here](https://github.com/cncf/toc/blob/master/CONTRIBUTING.md#toc-contributors)++List below is the official list of TOC contributors, in alphabetical order:
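Review bot: the replacement sentence opens with "If you are interested in becoming a TOC member" but then describes adding yourself to the TOC Contributors list; TOC members are elected (the hunk itself later points at TOC elections), so this should read "becoming a TOC Contributor" to match the paragraph it replaces. Also, if this hunk is in CONTRIBUTING.md, the line "Find out more about the role of TOC contributors [here](...CONTRIBUTING.md#toc-contributors)" links the section back to itself and should point at the role description instead.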

Personally I'd prefer to see the TOC Contributors list remain as a separate file - easier to read (IMO) and easier to quickly review PRs as people add themselves

zacharysarah

comment created time in 14 days

Pull request review comment cncf/toc

Clean up and de-dupe TOC repo contents

 Possible ways to contribute: * CNCF SIGs & working groups (various tasks) * Technical content for website -If you are interested in engaging in this way, we would encourage you to issue a pull request to [TOC Contributors](https://github.com/cncf/toc/blob/master/CONTRIBUTORS.md) that you desire to become a TOC Contributor. Although there is not an actual limit of having one Contributor per company, we would encourage CNCF member companies to designate an official TOC Contributor who is tasked with consulting internal experts and expressing a semi-official view on a given project. We will list current TOC Contributors on a page similar to https://www.cncf.io/people/ambassadors/.+If you are interested in becoming a TOC member, we encourage you to create a Pull Request adding yourself to the list of [TOC Contributors](#toc-contributors). Although there is no limit of Contributors per company, we encourage CNCF member companies to designate an official TOC Contributor tasked with consulting internal experts and expressing a semi-official view on a given project.++This is not only about individual contribution.  It is also about rallying help from your employer, for example, if you work for a CNCF Member company. Given the [breadth](https://landscape.cncf.io/) of projects represented in cloud native technology, it is impossible for anyone to be an expert in all technologies that we’re evaluating. We’re particularly interested in contributors who can act as a focal point for tapping relevant expertise from their organizations and colleagues in order to engage with CNCF discussions in a timely manner.++The TOC already has the pattern of encouraging non-members to make non-binding votes, so no change in the TOC charter is necessary to allow contributors.++TOC [meetings](https://github.com/cncf/toc#meeting-time) are only two hours a month, and are mainly taken up with project presentations. 
While contributors are welcome to share their views during the meeting, the biggest opportunity for comment is on the TOC [mailing list](https://github.com/cncf/toc#mailing-list), on Pull Requests representing project applications, and in voting.++Just as the biggest contributors to open source projects often become maintainers, becoming an active TOC contributor is one of the best paths to distinguish oneself ahead of TOC [elections](https://github.com/cncf/toc/blob/master/process/election-schedule.md).++## TOC contributors++Find out more about the role of TOC contributors [here](https://github.com/cncf/toc/blob/master/CONTRIBUTING.md#toc-contributors)++List below is the official list of TOC contributors, in alphabetical order:++* Alex Chircop, StorageOS (alex.chircop@storageos.com)+* Allen Sun, Alibaba (allensun.shl@alibaba-inc.com)+* Andrés Vega, Hewlett-Packard Enterprise (andres.vega@hpe.com)+* Andy Santosa, Ebay (asantosa@ebay.com)+* Ara	Pulido, Datadog	(ara.pulido@datadoghq.com)+* Ayrat Khayretdinov (ayratk@google.com)+* Bassam Tabbara, Upbound	(bassam@upbound.io)+* Bob	Wise, Amazon Web Services	(bob@bobsplanet.com)+* Bora Ozkan, Vizlib (bora.ozkan@vizlib.com)+* Cathy	Zhang, Huawei (cathy.h.zhang@huawei.com)+* Calvin Weng, PingCAP (wenghao@pingcap.com)+* Chase	Pettet, Wikimedia	Foundation (cpettet@wikimedia.org)+* Christopher Liljenstople, Tigera (cdl@asgaard.org)+* Clinton	Kitson, Dell (Clinton.Kitson@dell.com)+* Dan	Wilson, Concur	(danw@concur.com)+* Darren Ratcliffe, Atos (darren.ratcliffe@atos.net)+* Davanum Srinivas, VMware (davanum@gmail.com)+* Dave Zolotusky, Spotify (dzolo@spotify.com)+* David McKay, InfluxData (rawkode@influxdata.com)+* Deyuan Deng, Caicloud (deyuan@caicloud.io)+* Doug Davis, IBM (dug@us.ibm.com)+* Drew Rapenchuk, Bloomberg	(drapenchuk@bloomberg.net)+* Dustin Kirkland, Canonical (kirkland@canonical.com)+* Eduardo	Silva, Treasure Data (eduardo@treasure-data.com)+* Edward Lee, Intuit (edward_lee@intuit.com)+* Erin Boyd, Red Hat 
(eboyd@redhat.com)+* Frederick Kautz, Doc.ai (frederick@doc.ai)+* Gergely Csatari, Nokia (gergely.csatari@nokia.com)+* Geri Jennings, CyberArk (geri.jennings@cyberark.com)+* Gerred Dillon, D2iQ (gerred@d2iq.com)+* Ghe	Rivero, Independent (ghe.rivero@gmail.com)+* Gilbert Song, Mesosphere (gilbert@mesosphere.com)+* Gou	Rao, Portworx (gou@portworx.com)+* Ian Crosby, Container Solutions (ian.crosby@container-solutions.com)+* Jeyappragash JJ, Independent (pragashjj@gmail.com)+* Jinming Yue, Caicloud (yuejinming@caicloud.io)+* Joe Beda, Heptio (joe@heptio.com)+* John Hillegass, Capital One (john.hillegass@capitalone.com)+* Jonghyuk Jong Choi, NCSoft (jongchoi@ncsoft.com)+* Josef Adersberger, QAware (josef.adersberger@qaware.de)+* Joseph Jacks, Independent	(jacks.joe@gmail.com)+* Josh Bernstein, Dell (Joshua.Bernstein@dell.com)+* Justin Cappos, NYU (jcappos@nyu.edu)+* Justin Cormack, Docker (justin.cormack@docker.com)+* Jun Du, Huawei (dujun5@huawei.com)+* Kai Chen, Alauda (kaichen@alauda.io)+* Kiran Mova, MayaData (kiran.mova@mayadata.io)+* Körbächer, Max, Storm Reply (m.koerbaecher@reply.de)+* Lachlan	Evenson, Microsoft (lachlan.evenson@microsoft.com)+* Lee Calcote, SolarWinds (leecalcote@gmail.com)+* Lei	Zhang, HyperHQ (harryzhang@zju.edu.cn)+* Louis Fourie, Huawei (louis.fourie@huawei.com)+* Mark Peek, VMware	(markpeek@vmware.com)+* Matt Farina, Samsung SDS (matt@mattfarina.com)+* Matthew Fornaciari, Gremlin (forni@gremlin.com)+* Matt Young, EverQuote (myoung@everquote.com)+* Nick Chase, Mirantis	(nchase@mirantis.com)+* Nimesh Agarwal, Dunzo (nimesh.mittal@gmail.com)+* Pengfei Ni, Microsoft (peni@microsoft.com)+* Philip Lombardi, Datawire.io (plombardi@datawire.io)+* Piyush Sharrma, Accurics (piyush@accurics.com)+* Praveen Singh, Dunzo (singhpraveen2010@gmail.com)+* Quinton Hoole, Huawei (quinton.hoole@huawei.com)+* Randy	Abernethy, RX-M LLC (randy.abernethy@rx-m.com)+* Ricardo Aravena, Rakuten (raravena80@gmail.com)+* Rick Spencer, Bitnami	(rick@bitnamni.com)+* Sarah 
Allen, Independent (sarah@ultrasaurus.com)+* Shida Qiu, BoCloud (shidaqiu2018@gmail.com)+* Siddharth Bhadri, Infoblox (sbhadri@infoblox.com)+* Steve Dake, IBM (sdake@ibm.com)+* Swamy D K V, Cisco (swamydkv@gmail.com)+* Tammy Butow, Gremlin (tammy@gremlin.com)+* Timothy Chen, Hyperpilot (tim@hyperpilot.io)+* Vasu Chandrasekhara, SAP SE (vasu.chandrasekhara@sap.com)+* Xiang Li, Alibaba (x.li@alibaba.com)+* Xu Wang, Hyper (xu@hyper.sh)+* Yaron Haviv, iguazio (yaronh@iguaz.io)+* Yong Tang, Infoblox (ytang@infoblox.com)+* Yuri Shkuro, Uber	(ys@uber.com)+* Zefeng (Kevin) Wang, Huawei (wangzefeng@huawei.com)+* Zou Nengren, CMCC (zounengren@cmss.chinamobile.com)+* Jia Xuan, CMCC (jiaxuan@chinamobile.com)+* Zhipeng Huang, Huawei (huangzhipeng@huawei.com) -This is not only about individual contribution.  It is also about rallying help from your employer, e.g., if you work for a CNCF Member company. Given the [breadth](https://landscape.cncf.io/) of projects represented by cloud native, it is impossible for anyone to be an expert in all technologies that we’re evaluating. We’re particularly interested in Contributors that can act as a focal point for tapping relevant expertise from their organizations and colleagues in order to engage with CNCF discussions in a timely manner.+## Emeritus
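Review bot: the list is introduced as "in alphabetical order", yet the tail entries (`Jia Xuan` after `Zou Nengren`, then `Zhipeng Huang`) break that order and `Körbächer, Max` is the only surname-first entry; sort the tail and normalise that entry to "Max Körbächer" so future additions can be reviewed by position. Several entries also separate name and company with a tab character rather than a space (e.g. `Ara	Pulido`, `Bob	Wise`), which renders inconsistently; replace them with single spaces.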

Let's make it clearer that the Emeritus list is for past (elected) TOC Members (not Contributors). For similar reasons as above I'd recommend leaving them in a separate file

zacharysarah

comment created time in 14 days


issue closed aquasecurity/Hacktoberfest

Issues with links in contrib-content.md and contrib-integrations.md files

The initial contrib-content.md and contrib-integrations.md files have a few issues with broken links.

They are:

  • The anchor link to the external contributions section of the readme is broken (it has an extra .md at the end of the link)
  • The example links are to files that don't exist when they appear to be meant to link to the file being looked at
  • The table header that links to the help section of the readme with the list of repositories to focus only has the last word ('projects') clickable as a link

closed time in 14 days

nightlark

push event aquasecurity/Hacktoberfest

Ryan Mast

commit sha 5071f1dbfbe313a6b54031a09eca9b9b9e710075

Fix links in contrib-content.md and contrib-integrations.md files (#7) * Fix links in contrib-content.md * Fix links on contrib-integrations.md * Fix example links for contrib-content.md * Fix example link for contrib-integrations.md and point it to the contrib-integrations.md file * Turn all of "related aqua projects" into a link in contrib-integrations * Turn all of "related aqua projects" into a link in contrib-content

view details

push time in 14 days

PR merged aquasecurity/Hacktoberfest

Fix links in contrib-content.md and contrib-integrations.md files hacktoberfest-approved

This addresses the problems identified in issue #6 with the contrib-content.md and contrib-integrations.md files.

Changes:

  • Fixes the anchor links to https://github.com/aquasecurity/Hacktoberfest#external-contributions
  • Makes the link in the example for filling out a table point to the markdown files instead of links that give 404 not found errors
  • The entire table header text "Related Aqua project" is now a link
+6 -6

1 comment

2 changed files

nightlark

pr closed time in 14 days


PR closed aquasecurity/Hacktoberfest

Update Readme.md duplicate

some changes Thanks

+1 -1

0 comment

1 changed file

Sumindar

pr closed time in 14 days


PR closed aquasecurity/Hacktoberfest

Create CONTRIBUTING.md invalid

added a file

+19 -0

0 comment

1 changed file

mayankchaudhary26

pr closed time in 14 days


Pull request review commentaquasecurity/docker-bench

support docker and cis version

 func app(cmd *cobra.Command, args []string) { 	var version string 	var err error -	// Get version of Docker benchmark to run-	if dockerVersion != "" {-		version = dockerVersion+	// Benchmark flag is specify+	if benchmarkVersion != "" {++		// Check for not specify both --version and --benchmark+		if dockerVersion != "" {+			util.ExitWithError(+				fmt.Errorf("Version check failed: Error can't specify both --version and --benchmark flags\nIf not specify neither docker version will be auto detect"))
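Review bot: the message passed to `util.ExitWithError` is ungrammatical and packs two sentences into one error string ("Version check failed: Error can't specify both --version and --benchmark flags\nIf not specify neither docker version will be auto detect"); Go error strings are conventionally a single lower-case phrase, so something like `fmt.Errorf("cannot specify both --version and --benchmark flags; omit both to auto-detect the Docker version")` would read better and match the kube-bench wording. The new comments have the same problem ("Benchmark flag is specify", "Check for not specify both --version and --benchmark") and should read "Benchmark flag is specified" and "Reject specifying both --version and --benchmark".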

See https://github.com/aquasecurity/kube-bench/blob/714430c7fcb718de0b9d9d350aec26445d218b46/cmd/common.go#L279

				fmt.Errorf("It is an error to specify both --version and --benchmark flags"))
yoavrotems

comment created time in 15 days

Pull request review commentaquasecurity/docker-bench

support docker and cis version

 func app(cmd *cobra.Command, args []string) { 	var err error  	// Get version of Docker benchmark to run-	if dockerVersion != "" {-		version = dockerVersion+	if benchmarkVersion != "" {+		version = benchmarkVersion
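Review bot: this branch replaces `version = dockerVersion` with `version = benchmarkVersion` outright, so a `--version` value is silently ignored whenever `--benchmark` is also set, and nothing in the hunk handles the case where both are given; either return an error for that combination or state the precedence in the flag help. The retained comment "Get version of Docker benchmark to run" also no longer describes what the line below it does.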

We should be consistent with kube-bench, and that errors if you try to specify both. See the help text at https://github.com/aquasecurity/kube-bench/blob/58bea9c89b9be43ebdf76de256d916a608df43c4/cmd/root.go#L176 (and also the help text you've used in root.go below!)

yoavrotems

comment created time in 15 days


push eventaquasecurity/kube-bench

Oleksandr Slynko

commit sha 58bea9c89b9be43ebdf76de256d916a608df43c4

Fix go vet issues (#720) * Fix go vet issues * to omit the property from JSON parsing one should use "-". "omit" in that case would use omit tag * The error was not reachable in the tests, so I moved it to the place where it makes sense for me (but maybe it was just unnecessary) * Run all go vet linters in CI * This return breaks the test

view details

push time in 18 days

PR merged aquasecurity/kube-bench

Fix go vet issues hacktoberfest-accepted
  • to omit the property from JSON parsing one should use "-". "omit" in that case would use omit tag
  • The error was not reachable in the tests, ~so I moved it to the place where it makes sense for me (but maybe it was just unnecessary)~ and I deleted it

Additionally, I have enabled running all go vet linters in Travis CI.

+5 -8

1 comment

3 changed files

alex-slynko

pr closed time in 18 days


push eventaquasecurity/kube-bench

Borko

commit sha f21391855286b6e5a2fd1845c0d061fc549e7570

Updated documentation with section on downloading and installing kube-bench on Linux. (#716) Added section on manually downloading and installing kube-bench

view details

push time in 18 days

PR merged aquasecurity/kube-bench

Updated documentation with section on downloading and installing kube-bench hacktoberfest-accepted

Updated README with section on manually downloading and installing kube-bench on Linux.

Few other small documentation fixes.

Should help in closing #624

+50 -5

1 comment

1 changed file

borkod

pr closed time in 18 days


PR closed aquasecurity/kube-bench

Updated Readme.md docs typos invalid
+4 -4

1 comment

1 changed file

Shivam7-1

pr closed time in 18 days

pull request commentaquasecurity/kube-bench

Updated Readme.md docs typos

Like #730 this PR adds no value and we will not merge it

Shivam7-1

comment created time in 18 days

PR closed aquasecurity/kube-bench

Updated EKS cluster Readme.md invalid
+6 -6

2 comments

1 changed file

Shivam7-1

pr closed time in 18 days

pull request commentaquasecurity/kube-bench

Updated EKS cluster Readme.md

Like #730 this PR adds no value and we will not merge it

Shivam7-1

comment created time in 18 days

pull request commentaquasecurity/kube-bench

Updated Running AKS cluster docs typos

Thanks for your contribution! It is the great spirit of open source to help others. But this particular PR adds no value to the project and is distracting for maintainers who are busy solving real problems. We will not merge it to keep our Git history simple and reduce clutter.

However don't let this discourage you from making more valuable contributions in the future. With more time investment you can hopefully dive deeper, do your homework, understand the projects and make contributions that are actually valuable. As always, mastery requires practice so you'll need to be persistent, learn and invest time before you'll start noticing progress. However this is very rewarding and if done right prepares you for a fun, interesting and fulfilling lifetime in open source. Sending simple PRs like these is a great first step to practice. Being an open-source contributor also improves your chances of finding a good job that recognizes your contributions.

All the best and good luck!

Shivam7-1

comment created time in 18 days

PR closed aquasecurity/kube-bench

Update some typos in readme.md invalid
+1 -1

2 comments

1 changed file

Shivam7-1

pr closed time in 18 days

pull request commentaquasecurity/kube-bench

Update some typos in readme.md

Thanks for your contribution! It is the great spirit of open source to help others. But this particular PR adds no value to the project and is distracting for maintainers who are busy solving real problems. We will not merge it to keep our Git history simple and reduce clutter.

However don't let this discourage you from making more valuable contributions in the future. With more time investment you can hopefully dive deeper, do your homework, understand the projects and make contributions that are actually valuable. As always, mastery requires practice so you'll need to be persistent, learn and invest time before you'll start noticing progress. However this is very rewarding and if done right prepares you for a fun, interesting and fulfilling lifetime in open source. Sending simple PRs like these is a great first step to practice. Being an open-source contributor also improves your chances of finding a good job that recognizes your contributions.

All the best and good luck!

Shivam7-1

comment created time in 18 days

push eventaquasecurity/kube-bench

Huang Huang

commit sha ff0ce661a8f8587b721d987f00f311e468a1c946

Fix typo of 1.1.19 in cis-1.6 (#728)

view details

push time in 18 days

issue closedaquasecurity/kube-bench

Test 1.1.19 Failed

What steps did you take and what happened:

kube-bench master -c 1.1.19 -v 3

[A clear and concise description of what the bug is, and what commands you ran. If possible please supply logs generated with the -v 3 parameter.]

[FAIL] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)

What did you expect to happen:

PASS

  • Output: "root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"

find /etc/kubernetes/pki/ | xargs stat -c %U:%G returns: root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root root:root

Environment

Linux version 5.4.0-1024-aws (buildd@lgw01-amd64-035) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2))
Kubernetes 1.19

[Please specify the version of kube-bench and Kubernetes]

kube-bench_0.4.0_linux_amd64.deb

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

I1007 16:49:56.444719 131465 check.go:267] Command "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
  • Output: "root:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\nroot:root\n"
I1007 16:49:56.444785 131465 check.go:202] 1 tests
I1007 16:49:56.444803 131465 test.go:129] In flagTestItem.findValue , match false, s root:root, t.Flag root root
I1007 16:49:56.445297 131465 test.go:198] flagFound false
I1007 16:49:56.445732 131465 test.go:147] In pathTestItem.findValue
I1007 16:49:56.445764 131465 test.go:198] flagFound false
I1007 16:49:56.445775 131465 check.go:245] Returning from execute on tests: finalOutput &check.testOutput{testResult:false, flagFound:false, actualResult:"", ExpectedResult:"'' is present"}
I1007 16:49:56.445803 131465 check.go:173] Check.ID: 1.1.19 Command: "" TestResult: false State: "FAIL"
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[FAIL] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)

== Remediations ==
1.1.19 Run the below command (based on the file location on your system) on the master node. For example,
chown -R root:root /etc/kubernetes/pki/

closed time in 18 days

fenixam

PR merged aquasecurity/kube-bench

Fix typo of 1.1.19 in cis-1.6 hacktoberfest-accepted

Fixes #726

+7 -15

1 comment

3 changed files

mozillazg

pr closed time in 18 days


startedtimqian/star-history

started time in 19 days

issue commentaquasecurity/kube-bench

Test 1.1.19 Failed

Thank you for the logs. From this line I'm pretty sure I can see the problem is a simple typo:

I1007 16:49:56.444803 131465 test.go:129] In flagTestItem.findValue , match false, s root:root, t.Flag root root

The test configuration for 1.1.19 in cis-1.6 is looking for root root (with a space) but it should be looking for root:root(with a colon)

fenixam

comment created time in 19 days

PR closed aquasecurity/kube-bench

Added LICENSE in README.md

Issue: #721

+4 -0

3 comments

1 changed file

mrBingDev

pr closed time in 19 days

pull request commentaquasecurity/kube-bench

Added LICENSE in README.md

Please see #721 on why we are not accepting this change

mrBingDev

comment created time in 19 days

issue closedaquasecurity/kube-bench

Documentation Improvements

Add LICENSE in the Documentation(README.md)

closed time in 19 days

mrBingDev

issue commentaquasecurity/kube-bench

Documentation Improvements

Thanks for the idea, but we have concluded that we don't want to duplicate this info in the README.

mrBingDev

comment created time in 19 days

issue openedcncf/toc

Rename CNCF SIGs to avoid confusion with other types of SIG

It's increasingly confusing that we have groups called Special Interest Groups (SIGs) some of which operate at the CNCF-wide level, and others that are project-specific in Kubernetes. Since the Kubernetes project adopted the term first, I propose they should keep the term SIG and we could rename the CNCF-wide ones that report in to the TOC. For similar reasons let's not use Working Group (WG) since some of those exist already.

Some initial ideas:

  • Special Working Group (SWG)
  • TOC Sub Committee (TSC)
  • TOC Specialist Group (TSG)

Thoughts?

created time in 19 days

issue commentcncf/toc

SIG charters should live in TOC repo

Yes, I completely agree

michelleN

comment created time in 19 days


Pull request review commentaquasecurity/starboard-octant-plugin

feat: Display VulnerabilityReports owned by ReplicaSet for corresponding Deployment and Pods

 func NewReport(workload kube.Object, vulnerabilityReportsDefined bool, reports [  		items = append(items, component.FlexLayoutItem{ 			Width: component.WidthFull,-			View:  createVulnerabilitiesTable(containerReport.Name, containerReport.Report),+			View:  createVulnerabilitiesTable(containerReport.Name, containerReport.Report.Report),
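Review bot: `containerReport.Report.Report` repeats the same field name at two levels, which makes the call hard to read and easy to mis-index when another wrapper is added. If the inner field belongs to the starboard types it may be out of scope to rename here, but binding it locally first (`result := containerReport.Report.Report` with a comment saying it is the scan result) would keep the layout code readable; otherwise naming the inner field `Result` or `ScanResult` on the containing type is the cleaner fix.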

I know naming is hard, but I don't love containerReport.Report.Report!

danielpacak

comment created time in 20 days

Pull request review commentaquasecurity/starboard-octant-plugin

feat: Display VulnerabilityReports owned by ReplicaSet for corresponding Deployment and Pods

 func NewReport(workload kube.Object, vulnerabilityReportsDefined bool, reports [ 	return flexLayout } -func createVulnerabilitiesTable(containerName string, report starboard.VulnerabilityReport) component.Component {+func createVulnerabilitiesTable(containerName string, report starboard.VulnerabilityScanResult) component.Component {+	imageRef := fmt.Sprintf("%s/%s:%s", report.Registry.Server, report.Artifact.Repository, report.Artifact.Tag) 	table := component.NewTableWithRows(-		fmt.Sprintf("Container %s", containerName), "There are no vulnerabilities!",+		fmt.Sprintf("Container %s: %s", containerName, imageRef), "There are no vulnerabilities!",
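Review bot: `imageRef` is built unconditionally as `"%s/%s:%s"` from `report.Registry.Server`, `report.Artifact.Repository` and `report.Artifact.Tag`, so a result with an empty registry server or a digest-only artifact (no tag) renders as `/repo:` in the table title. Guard the blank fields before formatting (omit the leading `server/` when `Registry.Server` is empty and the `:tag` suffix when `Artifact.Tag` is empty) so the title degrades to just the repository name.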
		fmt.Sprintf("Container %s:%s", containerName, imageRef), "There are no vulnerabilities!",

Would this change result in it looking more like (for example) nginx:1.6

danielpacak

comment created time in 20 days


Pull request review commentoperator-framework/community-operators

Add Starboard Operator v0.0.1

+apiVersion: operators.coreos.com/v1alpha1+kind: ClusterServiceVersion+metadata:+  name: starboard-operator.v0.0.1+  namespace: starboard-operator+  annotations:+    capabilities: Basic Install+    categories: Security+    description: Keeps Starboard resources updated+    certified: "false"+    containerImage: aquasec/starboard-operator:0.0.1+    createdAt: 2020-09-15T08:00:00Z+    support: Aqua Security, Inc.+    repository: https://github.com/aquasecurity/starboard-operator+    alm-examples: |-+      []+spec:+  displayName: Starboard Operator+  version: 0.0.1+  description: |-+    This operator for Starboard automatically updates security report resources in response to workload and other+    changes on a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see+    the main [Starboard](https://github.io/aquasecurity/starboard) repo for more info about the Starboard project.++    ## Deployment++    ### Determine install mode++    The Starboard Operator supports all install modes as defined by the Operator Lifecycle Manager spec. 
You'll need an+    OperatorGroup to denote which namespaces the operator should watch.++    ### OwnNamespace++    Configure the operator to watch for events in the namespace it is deployed in:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec:+      targetNamespaces:+      - operators+    EOF+    ```++    ### SingleNamespace++    Configure the operator to watch for events in a single namespace that the operator is not deployed in:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec:+      targetNamespaces:+      - foo+    EOF+    ```++    ### MultiNamespace++    Configure the operator to watch for events in more than one namespace:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec:+      targetNamespaces:+      - foo+      - bar+      - baz+    EOF+    ```++    ### AllNamespaces++    Configure the operator to watch for events in all namespaces:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec: {}+    EOF+    ```++    ## Install operator++    To install the operator create a new Subscription to the selected channel for the Starboard Operator.+    OLM uses this information to create the ClusterServiceVersion and eventually start the operator pod.++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha1+    kind: Subscription+    metadata:+      name: starboard-operator+      namespace: operators+    spec:+      channel: alpha+      name: starboard-operator+      source: 
upstream-community-operators+      sourceNamespace: marketplace+    EOF+    ```++    ## Vulnerability scanners++    By default the operator uses [Trivy](https://github.com/aquasecurity/trivy) to find security vulnerabilities in+    container images. However, you can configure it to use the Aqua CSP scanner instead.++    Start by creating the `starboard-operator` secret in the `operators` namespace, which holds Aqua CSP config+    keys to connect to the management console:++    ```+    $ kubectl create secret generic starboard-operator \+      --namespace operators \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080+    ```++    Create a new Subscription to the selected channel for the Starboard Operator and enable Aqua CSP scanner via+    the `config` filed in the Subscription object:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha1+    kind: Subscription+    metadata:+      name: starboard-operator+      namespace: operators+    spec:+      channel: alpha+      name: starboard-operator+      source: upstream-community-operators+      sourceNamespace: marketplace+      config:+        env:+        - name: OPERATOR_SCANNER_TRIVY_ENABLED+          value: "false"+        - name: OPERATOR_SCANNER_AQUA_CSP_ENABLED+          value: "true"+        envFrom:+        - secretRef:+            name: starboard-operator+    EOF+    ```++  keywords: ['aqua-security', 'scanning', 'security']+  maintainers:+    - name: Daniel Pacak+      email: daniel.pacak@aquasec.com+  provider:+    name: Aqua Security, Inc.+  maturity: alpha+  labels:+    name: starboard-operator+  selector:+    matchLabels:+      name: starboard-operator+  links:+    - name: Starboard Operator on GitHub+    
  url: https://github.com/aquasecurity/starboard-operator
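Review bot: the description links to `https://github.io/aquasecurity/starboard` twice, which is not a GitHub repository URL (project pages live under `<org>.github.io`, repositories under `github.com`); this almost certainly should be `https://github.com/aquasecurity/starboard`. Separately, the Aqua CSP example passes `OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD` to `kubectl create secret generic` via `--from-literal`, which leaves the credential in shell history and in process listings while the command runs; documenting `--from-env-file` or `--from-file` with a file of restricted permissions is the safer pattern for a published install guide.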

I guess this can be removed since we've agreed to bring the operator into the main repo

danielpacak

comment created time in 20 days

Pull request review commentoperator-framework/community-operators

Add Starboard Operator v0.0.1

+apiVersion: operators.coreos.com/v1alpha1+kind: ClusterServiceVersion+metadata:+  name: starboard-operator.v0.0.1+  namespace: starboard-operator+  annotations:+    capabilities: Basic Install+    categories: Security+    description: Keeps Starboard resources updated+    certified: "false"+    containerImage: aquasec/starboard-operator:0.0.1+    createdAt: 2020-09-15T08:00:00Z+    support: Aqua Security, Inc.+    repository: https://github.com/aquasecurity/starboard-operator+    alm-examples: |-+      []+spec:+  displayName: Starboard Operator+  version: 0.0.1+  description: |-+    This operator for Starboard automatically updates security report resources in response to workload and other+    changes on a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see+    the main [Starboard](https://github.io/aquasecurity/starboard) repo for more info about the Starboard project.
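Review bot: `metadata.namespace: starboard-operator` disagrees with every example in the description, which installs into `operators` (`namespace: operators` on the OperatorGroup and Subscription). OLM creates the CSV in the namespace of the OperatorGroup that installs it, so the value here is effectively a placeholder, but the mismatch will confuse readers comparing the manifest with the docs; either use an obviously named placeholder or the same `operators` namespace the examples use.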
    the [Starboard](https://github.io/aquasecurity/starboard) repo for more info about the Starboard project, which manages a variety of security tools to make their reports accessible as Kubernetes custom resources.
danielpacak

comment created time in 20 days

Pull request review commentoperator-framework/community-operators

Add Starboard Operator v0.0.1

+apiVersion: operators.coreos.com/v1alpha1+kind: ClusterServiceVersion+metadata:+  name: starboard-operator.v0.0.1+  namespace: starboard-operator+  annotations:+    capabilities: Basic Install+    categories: Security+    description: Keeps Starboard resources updated+    certified: "false"+    containerImage: aquasec/starboard-operator:0.0.1+    createdAt: 2020-09-15T08:00:00Z+    support: Aqua Security, Inc.+    repository: https://github.com/aquasecurity/starboard-operator+    alm-examples: |-+      []+spec:+  displayName: Starboard Operator+  version: 0.0.1+  description: |-+    This operator for Starboard automatically updates security report resources in response to workload and other+    changes on a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see+    the main [Starboard](https://github.io/aquasecurity/starboard) repo for more info about the Starboard project.++    ## Deployment++    ### Determine install mode++    The Starboard Operator supports all install modes as defined by the Operator Lifecycle Manager spec. 
You'll need an+    OperatorGroup to denote which namespaces the operator should watch.++    ### OwnNamespace++    Configure the operator to watch for events in the namespace it is deployed in:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec:+      targetNamespaces:+      - operators+    EOF+    ```++    ### SingleNamespace++    Configure the operator to watch for events in a single namespace that the operator is not deployed in:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec:+      targetNamespaces:+      - foo+    EOF+    ```++    ### MultiNamespace++    Configure the operator to watch for events in more than one namespace:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec:+      targetNamespaces:+      - foo+      - bar+      - baz+    EOF+    ```++    ### AllNamespaces++    Configure the operator to watch for events in all namespaces:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha2+    kind: OperatorGroup+    metadata:+      name: starboard+      namespace: operators+    spec: {}+    EOF+    ```++    ## Install operator++    To install the operator create a new Subscription to the selected channel for the Starboard Operator.+    OLM uses this information to create the ClusterServiceVersion and eventually start the operator pod.++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha1+    kind: Subscription+    metadata:+      name: starboard-operator+      namespace: operators+    spec:+      channel: alpha+      name: starboard-operator+      source: 
upstream-community-operators+      sourceNamespace: marketplace+    EOF+    ```++    ## Vulnerability scanners++    By default the operator uses [Trivy](https://github.com/aquasecurity/trivy) to find security vulnerabilities in+    container images. However, you can configure it to use the Aqua CSP scanner instead.++    Start by creating the `starboard-operator` secret in the `operators` namespace, which holds Aqua CSP config+    keys to connect to the management console:++    ```+    $ kubectl create secret generic starboard-operator \+      --namespace operators \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \+      --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080+    ```++    Create a new Subscription to the selected channel for the Starboard Operator and enable Aqua CSP scanner via+    the `config` filed in the Subscription object:++    ```+    cat << EOF | kubectl apply -f -+    apiVersion: operators.coreos.com/v1alpha1+    kind: Subscription+    metadata:+      name: starboard-operator+      namespace: operators+    spec:+      channel: alpha+      name: starboard-operator+      source: upstream-community-operators+      sourceNamespace: marketplace+      config:+        env:+        - name: OPERATOR_SCANNER_TRIVY_ENABLED+          value: "false"+        - name: OPERATOR_SCANNER_AQUA_CSP_ENABLED+          value: "true"+        envFrom:+        - secretRef:+            name: starboard-operator+    EOF+    ```++  keywords: ['aqua-security', 'scanning', 'security']+  maintainers:+    - name: Daniel Pacak+      email: daniel.pacak@aquasec.com+  provider:+    name: Aqua Security, Inc.
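Review bot: typo in the description text: "the `config` filed in the Subscription object" should read "field". Also, the Subscription example sets `OPERATOR_SCANNER_TRIVY_ENABLED` to `"false"` and `OPERATOR_SCANNER_AQUA_CSP_ENABLED` to `"true"`, but the text does not say how the operator behaves if both scanners are enabled or both are disabled; one sentence on that precedence would save support questions.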
    name: Aqua Security
danielpacak

comment created time in 20 days

Pull request review commentoperator-framework/community-operators

Add Starboard Operator v0.0.1

+apiVersion: operators.coreos.com/v1alpha1+kind: ClusterServiceVersion+metadata:+  name: starboard-operator.v0.0.1+  namespace: starboard-operator+  annotations:+    capabilities: Basic Install+    categories: Security+    description: Keeps Starboard resources updated
    description: Keeps Starboard security report resources updated

I'm wondering if "Keeps security report resources updated" might be even better - Starboard is already in the name, and it might slightly hint towards these being generic security reports. Wdyt?

danielpacak

comment created time in 20 days

Pull request review commentoperator-framework/community-operators

Add Starboard Operator v0.0.1

+apiVersion: operators.coreos.com/v1alpha1+kind: ClusterServiceVersion+metadata:+  name: starboard-operator.v0.0.1+  namespace: starboard-operator+  annotations:+    capabilities: Basic Install+    categories: Security+    description: Keeps Starboard resources updated+    certified: "false"+    containerImage: aquasec/starboard-operator:0.0.1+    createdAt: 2020-09-15T08:00:00Z+    support: Aqua Security, Inc.
    support: Aqua Security
danielpacak

comment created time in 20 days


issue openedaquasecurity/kube-bench

Add --exit-code

At the moment, if kube-bench runs successfully, it exits with a zero exit code even if there are failed tests. Let's add a --exit-code option, much like already exists for Trivy. If --exit-code is specified, and any of the tests result in FAIL, exit the kube-bench executable with the value specified by exit-code

See discussion #566

created time in 22 days

pull request commentaquasecurity/starboard

refactor: Make cli verbs uniform and include scanner aliases

A few thoughts:

  • I wonder if it's the risks part of find risks that currently causes confusion, because it doesn't have any indication that it relates to configauditreports. Would find configaudit or similar be clearer? It would be nice to have consistency with the underlying CRD (vulnerabilityreport, configauditreport etc)

  • With that in mind, could we come up with a more generic verb that would also work for cluster-wide test types?

starboard <verb> vulns <workload type/name>
starboard <verb> configaudit <workload type/name>
starboard <verb> ciskubebench [<node>]
starboard <verb> kubehunter

  • Just to be clear, this verb is different to the get verb which reports existing instances of the CR. find, or whatever we use instead, would ideally reflect the idea that we're generating reports. (So, maybe generate?)

  • I'm inclined to agree with @danielpacak about retiring the starboard <toolname> aliases. Where we have multiple tools that could create the same type of CR, we would need to support run for each underlying tool and that might get overly prolific. That said, to play devil's advocate for a moment, starboard run <toolname> does make it very clear which underlying tool is being run.

jan0ski

comment created time in 22 days

pull request commentaquasecurity/kube-bench

Added LICENSE in README.md

Please don't accept until we have decided how to standardize this

mrBingDev

comment created time in 22 days

issue commentaquasecurity/kube-bench

Documentation Improvements

I'm generally not a fan of this because it duplicates what's already defined in the LICENSE file (which GitHub picks up in the UI as well). That said, we inconsistently do include this in some other READMEs, so we are deciding whether we want to standardize one way or another.

mrBingDev

comment created time in 22 days

pull request commentaquasecurity/kube-bench

Improve Proxykubeconfig tests

I'm cutting v0.4.0 now to make sure we have a release that includes CIS 1.6 test files, but we can cut another release 0.4.1 when this is ready

distortedsignal

comment created time in 22 days

created tagaquasecurity/kube-bench

tagv0.4.0

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

created time in 22 days

release aquasecurity/kube-bench

v0.4.0

released time in 22 days

push eventaquasecurity/kube-bench

Yoav Rotem

commit sha 714430c7fcb718de0b9d9d350aec26445d218b46

Not exiting when executable not found (#702) Regarding https://github.com/aquasecurity/kube-bench/issues/701 where kube bench is crashing when not finding components

view details

push time in 24 days

PR merged aquasecurity/kube-bench

Not exiting when executable not found bug

Regarding https://github.com/aquasecurity/kube-bench/issues/701 where kube bench is crashing when not finding components

+1 -1

1 comment

1 changed file

yoavrotems

pr closed time in 24 days

issue closedaquasecurity/kube-bench

When missing a component not running

When running kube-bench and missing a component such as kubelet not running. Missing the component could cause problems to individual tests but not to the entire running of kube-bench since it's not necessary for running but for testing.

closed time in 24 days

yoavrotems

pull request commentaquasecurity/kube-bench

Improve Proxykubeconfig tests

Sorry about the docker password issue by the way @distortedsignal, that was our fault!

distortedsignal

comment created time in 24 days


push eventaquasecurity/kube-bench

Neha Viswanathan

commit sha 90b7ae6628bf80950e5a263b1773de97f8b59afc

upgrade to go 1.15 (#706)

view details

push time in 24 days

PR merged aquasecurity/kube-bench

upgrade to go version 1.15

Upgrade golang base image to 1.15

+1 -1

3 comments

1 changed file

neha-viswanathan

pr closed time in 24 days


pull request commentaquasecurity/kube-bench

upgrade to go version 1.15

I’m going to accept this - I think it’s better not to specify the patch version .0, as we might miss a security release version

neha-viswanathan

comment created time in 24 days

push eventaquasecurity/kube-bench

Neha Viswanathan

commit sha 82421e58385f50e460e0d8840380b748ab5e0911

retire cis 1.3 and 1.4 (#693)

view details

push time in 24 days

PR merged aquasecurity/kube-bench

retire cis 1.3 and 1.4

closes #679

This MR removes unsupported K8s versions - cis 1.3 and 1.4 tests

+12 -3926

1 comment

11 changed files

neha-viswanathan

pr closed time in 24 days
