alcideio/alcide-advisor@1.0.3
Alcide Advisor is an agentless service for Kubernetes audit and compliance, built to keep the DevSecOps workflow frictionless and secure by layering a hygiene scan of the Kubernetes cluster and its workloads early in the development process, before anything moves to production. With Alcide Advisor you can cover the following security checks:

- Kubernetes infrastructure vulnerability scanning.
- Hunting misplaced secrets, or excessive privileges for secret access.
- Workload hardening, from Pod Security to network policies.
- Istio security configuration and best practices.
- Ingress Controllers for security best practices.
- Kubernetes API server access privileges.
- Kubernetes operators security best practices.
- Deployment conformance to labeling, annotating, resource limits and much more ...

Orb source: https://github.com/alcideio/circleci-alcide-orb

Created: July 20, 2019 | Version Published: July 24, 2019 | Releases: 4
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

version: 2.1

Add the orbs stanza below your version, invoking the orb:

orbs:
  alcide-advisor: alcideio/alcide-advisor@1.0.3

Use alcide-advisor elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

advisor_scan

A Kubernetes Deployment to GKE with Alcide Kubernetes Scan Job

version: 2.1
orbs:
  alcide: alcideio/alcide-advisor@1.0.2
  gcp-cli: circleci/gcp-cli@1.0.6
  gcr: circleci/gcp-gcr@0.0.2
  k8s: circleci/kubernetes@0.3.0
jobs:
  deploy_and_scan_cluster:
    description: Deploy resources into a cluster
    machine: true
    parameters:
      cluster:
        description: The Kubernetes cluster name.
        type: string
    steps:
      - checkout
      - gcr/gcr-auth
      - gcp-cli/install
      - k8s/install
      - run: |
          gcloud container clusters get-credentials <<parameters.cluster>>
      - run: |
          echo "Deploy resources into the cluster"
          kubectl get pods --all-namespaces
      - alcide/alcide_advisor_scan:
          report_format: html
          fail_on_critical: false
          alcide_apiserver: ''
          policy_profile: ''
workflows:
  advisor_scan:
    jobs:
      - deploy_and_scan_cluster:
          cluster: demo-cluster

Commands

alcide_advisor_scan

Alcide Advisor Kubernetes Cluster Scan

PARAMETER        | DESCRIPTION                                                | REQUIRED | DEFAULT       | TYPE
report_format    | Report format - html or excel                              | No       | html          | enum
fail_on_critical | Fail the task if critical findings observed.               | No       | false         | boolean
alcide_apikey    | Alcide API Key (use env var $ALCIDE_APIKEY to populate).   | No       | ALCIDE_APIKEY | env_var_name
alcide_apiserver | Alcide API Server.                                         | Yes      | -             | string
policy_profile   | Alcide policy profile the cluster will be scanned against. | Yes      | -             | string

Orb Source

# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Alcide Advisor is an agentless service for Kubernetes audit and compliance that's built to ensure a frictionless and secured DevSecOps workflow by layering a hygiene scan of Kubernetes cluster & workloads early in the development process and before moving to production.
  With Alcide Advisor, you can cover the following security checks:
  Kubernetes infrastructure vulnerability scanning.
  Hunting misplaced secrets, or excessive privileges for secret access.
  Workload hardening from Pod Security to network policies.
  Istio security configuration and best practices.
  Ingress Controllers for security best practices.
  Kubernetes API server access privileges.
  Kubernetes operators security best practices.
  Deployment conformance to labeling, annotating, resource limits and much more ...
  Orb source | https://github.com/alcideio/circleci-alcide-orb

# Orb Dependencies
orbs:
  k8s: circleci/kubernetes@0.3.0

commands:
  alcide_advisor_scan:
    description: Alcide Advisor Kubernetes Cluster Scan
    parameters:
      # cluster_context:
      #   description: Target Kubernetes cluster context. Use 'kubectl config get-contexts' to list available contexts
      #   type: string
      report_format:
        description: Report format - html or excel
        default: html
        enum:
          - html
          - excel
        type: enum
      fail_on_critical:
        description: Fail the task if critical findings observed.
        type: boolean
        default: False
      alcide_apikey:
        default: ALCIDE_APIKEY
        type: env_var_name
        description: Alcide API Key. (use env var $ALCIDE_APIKEY to populate).
      alcide_apiserver:
        description: Alcide API Server.
        type: string
      policy_profile:
        description: Alcide policy profile the cluster will be scanned against.
        type: string
    steps:
      - k8s/install   # install kubectl
      - run:
          name: Alcide Advisor Cluster Scan
          command: |
            REPORT_FORMAT="<< parameters.report_format >>"
            FAIL_ON_CRITICAL="<< parameters.fail_on_critical >>"
            ALCIDE_APIKEY="<< parameters.alcide_apikey >>"
            ALCIDE_APISERVER="<< parameters.alcide_apiserver >>"
            SCAN_POLICY_PROFILE="<< parameters.policy_profile >>"
            OPT=" "

            #
            # Profile based scans requires an API KEY
            #
            if [ "${SCAN_POLICY_PROFILE}" == "true" ]; then
              OPT="$OPT --policy-profile=$SCAN_POLICY_PROFILE"
              OPT="$OPT --alcide-api-key=$ALCIDE_APIKEY --alcide-api-server=$ALCIDE_APISERVER"
            fi

            if [ "${FAIL_ON_CRITICAL}" == "true" ]; then
              OPT="$OPT --run-mode=pipeline"
            fi

            if [ "${REPORT_FORMAT}" == "excel" ]; then
              OPT="$OPT --output=excel --outfile advisor-report/kube-advisor-report.xlsx"
            else
              OPT="$OPT --output=html --outfile advisor-report/kube-advisor-report.html"
            fi

            curl -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor
            chmod +x kube-advisor

            export CURRENT_CONTEXT=`kubectl config current-context`
            mkdir -p /tmp/advisor-report
            ./kube-advisor --eula-sign validate cluster --cluster-context ${CURRENT_CONTEXT} --namespace-include="*" --outfile /tmp/advisor-report/kube-advisor-report.html
      - store_artifacts:
          path: /tmp/advisor-report

examples:
  advisor_scan:
    description: A Kubernetes Deployment to GKE with Alcide Kubernetes Scan Job
    usage:
      version: 2.1
      orbs:
        alcide: alcideio/alcide-advisor@1.0.2
        gcp-cli: circleci/gcp-cli@1.0.6
        gcr: circleci/gcp-gcr@0.0.2
        k8s: circleci/kubernetes@0.3.0
      jobs:
        deploy_and_scan_cluster:
          description: "Deploy resources into a cluster"
          machine: true
          parameters:
            cluster:
              description: "The Kubernetes cluster name."
              type: string
          steps:
            - checkout
            #
            # make sure you have the following environment variables defined:
            # GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE
            #
            - gcr/gcr-auth
            - gcp-cli/install
            - k8s/install
            - run: |
                gcloud container clusters get-credentials <<parameters.cluster>>
            - run: |
                echo "Deploy resources into the cluster"
                kubectl get pods --all-namespaces
            - alcide/alcide_advisor_scan:
                #cluster_context: 'myclustercontext'
                report_format: 'html'
                fail_on_critical: false
                alcide_apiserver: ''
                policy_profile: ''
      workflows:
        advisor_scan:
          jobs:
            - deploy_and_scan_cluster:
                cluster: demo-cluster
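The scan step in the source above has a few defects a reviewer would flag: it overwrites the shell variable ALCIDE_APIKEY with the literal env var name, it only enters the policy-profile branch when the profile equals the string "true", it never passes the assembled OPT string to kube-advisor, and the outfile paths disagree with the store_artifacts path. The rewrite below is an added example (not the orb's own code) that keeps the orb's parameters and kube-advisor flag names but builds the argument list correctly and validates the env var name before resolving it; CMD, REPORT_DIR and the resolved-key check are assumptions of this example.

```shell
#!/bin/sh
# Hardened rewrite of the orb's "Alcide Advisor Cluster Scan" step (added example).
# Differences from the 1.0.3 source:
#  1. the API key is read from the env var NAMED by the parameter, rather than
#     replacing it with the literal string "ALCIDE_APIKEY";
#  2. the profile branch fires whenever a profile is given, not when it equals "true";
#  3. the assembled options are actually passed to the binary;
#  4. the report is written under REPORT_DIR, the directory store_artifacts collects.
# Flag names come from the orb source; REPORT_DIR and the CMD argument are assumed.

REPORT_DIR="${REPORT_DIR:-/tmp/advisor-report}"

# advisor_scan CMD REPORT_FORMAT FAIL_ON_CRITICAL APIKEY_VAR APISERVER POLICY_PROFILE CONTEXT
# CMD is the kube-advisor binary (or a stand-in that just prints its arguments).
advisor_scan() {
    cmd=$1 fmt=$2 fail_on_critical=$3 apikey_var=$4
    apiserver=$5 profile=$6 ctx=$7

    # Positional parameters double as an argv builder that survives spaces in values.
    set -- --eula-sign validate cluster --cluster-context "$ctx" '--namespace-include=*'

    if [ -n "$profile" ]; then
        # Only a valid shell identifier may be resolved indirectly through eval.
        case $apikey_var in
            ""|[0-9]*|*[!A-Za-z0-9_]*) echo "bad env var name: '$apikey_var'" >&2; return 2 ;;
        esac
        eval "apikey=\${$apikey_var:-}"
        if [ -z "$apikey" ]; then
            echo "policy profile '$profile' needs \$$apikey_var to be set" >&2; return 2
        fi
        # The key still travels on the command line, as in the orb's own interface.
        set -- "$@" "--policy-profile=$profile" \
               "--alcide-api-key=$apikey" "--alcide-api-server=$apiserver"
    fi

    if [ "$fail_on_critical" = true ]; then
        set -- "$@" --run-mode=pipeline   # non-zero exit on critical findings
    fi

    if [ "$fmt" = excel ]; then
        set -- "$@" --output=excel --outfile "$REPORT_DIR/kube-advisor-report.xlsx"
    else
        set -- "$@" --output=html --outfile "$REPORT_DIR/kube-advisor-report.html"
    fi

    mkdir -p "$REPORT_DIR"
    "$cmd" "$@"
}
```

Inside the CircleCI step you would call it as `advisor_scan ./kube-advisor "<< parameters.report_format >>" "<< parameters.fail_on_critical >>" "<< parameters.alcide_apikey >>" "<< parameters.alcide_apiserver >>" "<< parameters.policy_profile >>" "$(kubectl config current-context)"` after the curl/chmod lines.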