ThreatMapper
Add Helm support for AWS Account posture scanner
Additional context It would be great if the AWS account scanner could be deployed with Helm. I appreciate that it takes additional effort due to the need to have a service account and an IAM role attached, but as I have the console and agents already in K8s it's awkward to have a separate ECS cluster for the account scanner.
Describe the solution you'd like Ideally it would be a helm chart that would run the cloud-scanner image, and would require me as the end user to create a role with the needed policy, attach that to a service account and pass that to the helm chart.
Describe alternatives you've considered This could be a Terraform module, but that wouldn't work for me specifically as we use CDK in house.
Components/Services
- [ ] UI/Frontend
- [ ] API/Backend
- [ ] Agent
- [X] Deployment/YAMLs
- [ ] CI/CD Integration
- [X] Other (specify) Account posture scanner
Additional context This is how I am deploying it at the moment:

cloudscanner.ts

```typescript
import { Stack } from "aws-cdk-lib";
import { ICluster, KubernetesManifest } from "aws-cdk-lib/aws-eks";
import { ManagedPolicy } from "aws-cdk-lib/aws-iam";

const serviceName = "deepfence-cloud-scanner";

// Creates an IRSA-backed service account carrying the SecurityAudit managed
// policy and a Deployment that runs the cloud-scanner image under it.
export function addCloudScanner(stack: Stack, cluster: ICluster, namespace: string, consoleUrl: string): KubernetesManifest {
  const serviceAccount = cluster.addServiceAccount("cloudScannerSA", {
    name: serviceName,
    namespace,
  });
  const policy = ManagedPolicy.fromManagedPolicyArn(stack, "auditPolicy", "arn:aws:iam::aws:policy/SecurityAudit");
  serviceAccount.role.addManagedPolicy(policy);

  return cluster.addManifest("console", {
    apiVersion: "apps/v1",
    kind: "Deployment",
    metadata: {
      name: serviceName,
      namespace,
    },
    spec: {
      selector: {
        matchLabels: {
          app: serviceName,
        },
      },
      replicas: 1,
      template: {
        metadata: {
          labels: {
            app: serviceName,
          },
        },
        spec: {
          serviceAccountName: serviceAccount.serviceAccountName,
          nodeSelector: {
            "kubernetes.io/arch": "amd64",
          },
          containers: [
            {
              name: "cloud-scanner",
              image: "deepfenceio/cloud-scanner:2.1.0",
              imagePullPolicy: "Always",
              args: [
                "-mode",
                "service",
                "-mgmt-console-url",
                consoleUrl,
                "-debug",
                "true",
                "-cloud-audit-log-ids",
                `arn:aws:cloudtrail:${stack.region}:${stack.account}:trail/trail`,
              ],
              env: [
                {
                  // Console API key, read from a pre-created secret.
                  name: "DEEPFENCE_KEY",
                  valueFrom: {
                    secretKeyRef: {
                      name: "deepfence-agent-key",
                      key: "deepfence-key",
                    },
                  },
                },
              ],
              resources: {
                requests: {
                  cpu: "2048m",
                  memory: "4096Mi",
                },
                limits: {
                  cpu: "4096m",
                  memory: "8192Mi",
                },
              },
            },
          ],
        },
      },
    },
  });
}
```
I understand the need for having cloud-scanner as a part of the console/agent deployment. Currently we don't have it, but we can look into it. cc: @gnmahanth
@ibreakthecloud @gnmahanth I appreciate you looking into this.
As far as I can see, the way I have it running at the moment is working successfully. The only niggle with it is that the Account ID it's showing in the console is the Instance ID of the node the pod is running on.
Is there a way that can be overridden via an environment variable or a command arg or something?
@lumattr thanks for reporting the issue. There is no support for running cloud scanner on Kubernetes; we are looking into it.
cc: @ibreakthecloud @jatin-baweja
Steps to reproduce the issue
- create IAM service account using eksctl on existing cluster

```shell
export CLUSTER_NAME=<cluster name>
eksctl create iamserviceaccount \
  --name cloud-scanner \
  --namespace cloud-scanner \
  --cluster $CLUSTER_NAME \
  --attach-policy-arn arn:aws:iam::aws:policy/SecurityAudit \
  --attach-policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \
  --approve \
  --override-existing-serviceaccounts
```
- apply Kubernetes manifests for cloud scanner

```shell
kubectl apply -f cloud-scanner.yaml --namespace cloud-scanner
```
cloud-scanner.yaml

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: console-details
type: Opaque
stringData:
  deepfenceKey: "<deepfence key>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cloud-scanner
  name: cloud-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloud-scanner
  template:
    metadata:
      labels:
        app: cloud-scanner
    spec:
      serviceAccountName: cloud-scanner
      containers:
        - image: deepfenceio/cloud-scanner:2.1.1
          name: cloud-scanner
          args:
            - "-mode"
            - "service"
            - "-mgmt-console-url"
            - <console url>
            - "-debug"
            - "true"
            - "-cloud-audit-log-ids"
            - arn:aws:cloudtrail:<aws region>:<account id>:trail/trail
          env:
            - name: DEEPFENCE_KEY
              valueFrom:
                secretKeyRef:
                  name: "console-details"
                  key: "deepfenceKey"
          resources:
            requests:
              cpu: 1000m
              memory: 2048Mi
            limits:
              cpu: 4000m
              memory: 8192Mi
```
logs:

```text
$ kubectl logs cloud-scanner-5747d74c4b-jsz8b -n cloud-scanner
Starting periodic command scheduler: cron.
time="2024-03-21 05:45:20" level=debug msg=NewComplianceScanService file="service.go:62"
{590323219893 x86_64 us-east-1f <nil> <nil> <nil> ami-0c67d4deba6eb4fba **<aws instance id>** t3.xlarge <nil> 2024-02-19 09:42:10 +0000 UTC 10.10.107.149 <nil> us-east-1 2017-09-30}
time="2024-03-21 05:45:20" level=debug msg="Building http client" file="client.go:56"
2024/03/21 05:45:20 [DEBUG] POST https://<console>:443/deepfence/auth/token
time="2024-03-21 05:45:20" level=warning msg="Task role is not set to arn:aws:iam::aws:policy/ReadOnlyAccess. Disabling CloudTrail based updates of cloud resources." file="cloudtrail.go:45"
time="2024-03-21 05:45:20" level=info msg="Registering with Deepfence management console" file="main.go:67"
time="2024-03-21 05:45:20" level=info msg="Restarting steampipe service" file="util.go:96"
time="2024-03-21 05:45:32" level=info msg="Steampipe service restarted" file="util.go:116"
2024/03/21 05:46:08 [DEBUG] POST https://<console>:443/deepfence/cloud-node/account
time="2024-03-21 05:46:08" level=warning msg="no cloudtrails found with management events and write or read-write mode" file="service.go:115"
time="2024-03-21 05:46:08" level=debug msg="Adding scans data to pending scans: map[]" file="client.go:194"
time="2024-03-21 05:46:08" level=info msg="Querying Resources" file="service.go:272"
time="2024-03-21 05:46:08" level=info msg="Started querying resources for aws: [**<aws instance id>**]" file="query.go:86"
time="2024-03-21 05:46:08" level=debug msg="Querying resources for aws_iam_account_summary" file="query.go:155"
2024/03/21 05:46:38 [DEBUG] POST https://<console>:443/deepfence/ingest/cloud-resources
time="2024-03-21 05:46:38" level=debug msg="Got length of 1 for aws_iam_account_summary" file="query.go:191"
time="2024-03-21 05:46:38" level=debug msg="Resources ingested: 1" file="client.go:243"
time="2024-03-21 05:46:38" level=debug msg="Querying resources for aws_account" file="query.go:155"
```
related https://github.com/deepfence/ThreatMapper/pull/2301
https://docs.deepfence.io/threatmapper/docs/cloudscanner/aws#cloud-scanner-on-eks-cluster-using-irsa
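Both the CDK snippet and the eksctl reproduction above rely on IRSA: the service account is annotated with a role ARN, and EKS's pod identity webhook injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` into the pod so the AWS SDK assumes that role via STS instead of the node's instance profile. The log above also shows the scanner picking up the node's EC2 instance identity document, which is where the instance ID reported as the account ID comes from. The following diagnostic, an added example that is not part of this thread or of the ThreatMapper project, reads those two variables, decodes the projected token's claims (without signature verification, since only STS needs to verify it), and reports which account, role and service account the pod will actually present, or why it would fall back to the instance profile. The sample environment, role ARN, account number and token are constructed placeholders.

```python
"""Report the IRSA identity a pod will assume (added example, not project code)."""
import base64
import json
import os
import re
import time

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
SUBJECT_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's claims without verifying the signature (local inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def inspect_irsa(env: dict, read_file, now: float) -> dict:
    """Describe the AWS identity a pod with this environment will use."""
    role_arn = env.get("AWS_ROLE_ARN")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not role_arn or not token_file:
        return {"irsa": False, "problems": [
            "AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE not set; the SDK will fall back "
            "to the node's instance profile (check the service account annotation)"]}
    arn_match = ROLE_ARN_RE.match(role_arn)
    if not arn_match:
        return {"irsa": False, "problems": [f"unexpected role ARN: {role_arn}"]}
    account_id, role_name = arn_match.groups()

    claims = decode_jwt_claims(read_file(token_file))
    problems = []
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if "sts.amazonaws.com" not in aud:
        problems.append("token audience is not sts.amazonaws.com")
    if claims.get("exp", 0) <= now:
        problems.append("projected token has expired (kubelet rotates it; check the volume mount)")
    sub_match = SUBJECT_RE.match(claims.get("sub", ""))
    namespace = service_account = None
    if sub_match:
        namespace, service_account = sub_match.groups()
    else:
        problems.append(f"unexpected token subject: {claims.get('sub')!r}")
    return {
        "irsa": not problems,
        "account_id": account_id,       # the account the scanner should report, not the node's instance ID
        "role_name": role_name,
        "namespace": namespace,
        "service_account": service_account,
        "problems": problems,
    }


# --- constructed sample input: placeholder account, role and unsigned token ---
def _make_sample_token(claims: dict) -> str:
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "kid": "sample"}), enc(claims), enc({"sig": "placeholder"})])


SAMPLE_NOW = 1_711_000_000  # fixed clock so the sample is deterministic
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/cloud-scanner-irsa",  # placeholder account ID
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}
SAMPLE_TOKEN = _make_sample_token({
    "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",  # placeholder issuer
    "sub": "system:serviceaccount:cloud-scanner:cloud-scanner",
    "aud": ["sts.amazonaws.com"],
    "exp": SAMPLE_NOW + 3600,
})


def sample_report() -> dict:
    """Run the check against the constructed sample instead of a live pod."""
    return inspect_irsa(SAMPLE_ENV, lambda _path: SAMPLE_TOKEN, SAMPLE_NOW)


def live_report() -> dict:
    """Run inside the cloud-scanner pod: uses the real environment and token file."""
    return inspect_irsa(dict(os.environ), lambda p: open(p).read(), time.time())


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Run `live_report()` from a `kubectl exec` shell in the scanner pod: an `"irsa": false` result with the fallback message means the service account annotation or the webhook injection is missing and every API call is being made with the node's instance profile, which is also the situation in which the node's instance ID, rather than the intended account, is what the scanner ends up labelling.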