Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
# Config schema version used throughout this page; the orbs stanza below depends on it.
version: 2.1
Add the `orbs` stanza below your `version`, invoking the orb:
orbs:
  # Pinned to an exact orb release; bump deliberately when a new version is published.
  alcide-advisor: alcideio/alcide-advisor@1.0.3
Use `alcide-advisor` elements in your existing workflows and jobs.
Opt in to the use of uncertified orbs on your organization’s Security settings page.
A Kubernetes Deployment to GKE with Alcide Kubernetes Scan Job
---
# Example: deploy into a GKE cluster, then run the Alcide Advisor scan against it.
version: 2.1

orbs:
  alcide: alcideio/alcide-advisor@1.0.2
  gcp-cli: circleci/gcp-cli@1.0.6
  gcr: circleci/gcp-gcr@0.0.2
  k8s: circleci/kubernetes@0.3.0

jobs:
  deploy_and_scan_cluster:
    description: 'Deploy resources into a cluster'
    machine: true
    parameters:
      cluster:
        description: 'The Kubernetes cluster name.'
        type: string
    steps:
      - checkout
      # The following environment variables must be defined in the job for the
      # gcloud steps below: GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE.
      - gcr/gcr-auth
      - gcp-cli/install
      - k8s/install
      - run: |
          gcloud container clusters get-credentials <<parameters.cluster>>
      - run: |
          echo "Deploy resources into the cluster"
          kubectl get pods --all-namespaces
      # alcide_apiserver and policy_profile have no default in the orb, so they
      # must be passed; empty values request a scan without a policy profile.
      - alcide/alcide_advisor_scan:
          report_format: 'html'
          fail_on_critical: false
          alcide_apiserver: ''
          policy_profile: ''

workflows:
  advisor_scan:
    jobs:
      - deploy_and_scan_cluster:
          cluster: 'demo-cluster'
Alcide Advisor Kubernetes Cluster Scan
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
report_format | Report format - html or excel | No | html | enum |
fail_on_critical | Fail the task if critical findings observed. | No | false | boolean |
alcide_apikey | Alcide API Key. (use env var $ALCIDE_APIKEY to populate). | No | ALCIDE_APIKEY | env_var_name |
alcide_apiserver | Alcide API Server. | Yes | - | string |
policy_profile | Alcide policy profile the cluster will be scanned against. | Yes | - | string |
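# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Alcide Advisor is an agentless service for Kubernetes audit and compliance
  that’s built to ensure a frictionless and secured DevSecOps workflow by
  layering a hygiene scan of Kubernetes cluster & workloads early in the development process
  and before moving to production.
  With Alcide Advisor, you can cover the following security checks:
  Kubernetes infrastructure vulnerability scanning.
  Hunting misplaced secrets, or excessive priviliges for secret access.
  Workload hardening from Pod Security to network policies.
  Istio security configuration and best practices.
  Ingress Controllers for security best practices.
  Kubernetes API server access privileges.
  Kubernetes operators security best practices.
  Deployment conformance to labeling, annotating, resource limits and much more ...
  Orb source | https://github.com/alcideio/circleci-alcide-orb

# Orb Dependencies
orbs:
  k8s: circleci/kubernetes@0.3.0

commands:
  alcide_advisor_scan:
    description: Alcide Advisor Kubernetes Cluster Scan
    parameters:
      # cluster_context:
      #   description: Target Kubernetes cluster context. Use 'kubectl config get-contexts' to list available contexts
      #   type: string
      report_format:
        description: Report format - html or excel
        default: html
        enum:
          - html
          - excel
        type: enum
      fail_on_critical:
        description: Fail the task if critical findings observed.
        type: boolean
        # Lowercase boolean: `False` is not a YAML 1.2 boolean and is parser-dependent.
        default: false
      alcide_apikey:
        # env_var_name: the parameter carries the NAME of the variable, never the key itself.
        default: ALCIDE_APIKEY
        type: env_var_name
        description: Alcide API Key. (use env var $ALCIDE_APIKEY to populate).
      alcide_apiserver:
        description: Alcide API Server.
        type: string
      policy_profile:
        description: Alcide policy profile the cluster will be scanned against.
        type: string
    steps:
      - k8s/install  # install kubectl
      - run:
          name: Alcide Advisor Cluster Scan
          command: |
            REPORT_FORMAT="<< parameters.report_format >>"
            FAIL_ON_CRITICAL="<< parameters.fail_on_critical >>"
            # The parameter is an env_var_name, so expand the variable it names;
            # passing the literal name would hand the CLI the string "ALCIDE_APIKEY" as the key.
            ALCIDE_APIKEY="${<< parameters.alcide_apikey >>}"
            ALCIDE_APISERVER="<< parameters.alcide_apiserver >>"
            SCAN_POLICY_PROFILE="<< parameters.policy_profile >>"
            # Single report directory, shared with store_artifacts below.
            REPORT_DIR="/tmp/advisor-report"
            OPT=""
            #
            # Profile based scans require an API key and server; add them only when a
            # profile was actually requested (a non-empty profile name), and fail early
            # with a clear message instead of letting the scan fail on a blank credential.
            #
            if [ -n "${SCAN_POLICY_PROFILE}" ]; then
              if [ -z "${ALCIDE_APIKEY}" ] || [ -z "${ALCIDE_APISERVER}" ]; then
                echo "policy_profile requires alcide_apiserver and the << parameters.alcide_apikey >> environment variable to be set" >&2
                exit 1
              fi
              OPT="$OPT --policy-profile=${SCAN_POLICY_PROFILE}"
              # NOTE: the key is passed on the command line and is therefore visible in
              # the runner's process list for the duration of the scan.
              OPT="$OPT --alcide-api-key=${ALCIDE_APIKEY} --alcide-api-server=${ALCIDE_APISERVER}"
            fi
            if [ "${FAIL_ON_CRITICAL}" == "true" ]; then
              OPT="$OPT --run-mode=pipeline"
            fi
            if [ "${REPORT_FORMAT}" == "excel" ]; then
              OPT="$OPT --output=excel --outfile ${REPORT_DIR}/kube-advisor-report.xlsx"
            else
              OPT="$OPT --output=html --outfile ${REPORT_DIR}/kube-advisor-report.html"
            fi
            # -f makes curl exit non-zero on an HTTP error instead of saving the error
            # page as "kube-advisor" and executing it. The URL tracks an unpinned
            # "stable" build: pin a release and verify its published checksum
            # (e.g. sha256sum -c) before running it with cluster credentials.
            curl -fsSL -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor
            chmod +x kube-advisor
            CURRENT_CONTEXT="$(kubectl config current-context)"
            mkdir -p "${REPORT_DIR}"
            # $OPT is intentionally unquoted so it splits into separate arguments;
            # it carries the report format/path, pipeline mode and profile options
            # chosen above, which the previous hard-coded invocation ignored.
            ./kube-advisor --eula-sign validate cluster --cluster-context "${CURRENT_CONTEXT}" --namespace-include="*" ${OPT}
      - store_artifacts:
          path: /tmp/advisor-report

examples:
  advisor_scan:
    description: A Kubernetes Deployment to GKE with Alcide Kubernetes Scan Job
    usage:
      version: 2.1
      orbs:
        alcide: alcideio/alcide-advisor@1.0.2
        gcp-cli: circleci/gcp-cli@1.0.6
        gcr: circleci/gcp-gcr@0.0.2
        k8s: circleci/kubernetes@0.3.0
      jobs:
        deploy_and_scan_cluster:
          description: "Deploy resources into a cluster"
          machine: true
          parameters:
            cluster:
              description: "The Kubernetes cluster name."
              type: string
          steps:
            - checkout
            #
            # make sure you have the following environment variables defined:
            # GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE
            #
            - gcr/gcr-auth
            - gcp-cli/install
            - k8s/install
            - run: |
                gcloud container clusters get-credentials <<parameters.cluster>>
            - run: |
                echo "Deploy resources into the cluster"
                kubectl get pods --all-namespaces
            - alcide/alcide_advisor_scan:
                # cluster_context: 'myclustercontext'
                report_format: 'html'
                fail_on_critical: false
                alcide_apiserver: ''
                policy_profile: ''
      workflows:
        advisor_scan:
          jobs:
            - deploy_and_scan_cluster:
                cluster: demo-cluster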