feat: Add Fluent-bit to K8tls

Signed-off-by: Jones Jefferson <[email protected]>
5GSEC · Aug 6, 2024 · 844868e · 844868e
1 parent 8e63ed3
commit 844868e
Show file tree

Hide file tree

Showing 7 changed files with 134 additions and 8 deletions.
diff --git a/deployments/nimbus-k8tls/Readme.md b/deployments/nimbus-k8tls/Readme.md
@@ -23,6 +23,20 @@ helm upgrade --install nimbus-k8tls . -n nimbus
 | image.pullPolicy | string | Always             | `nimbus-k8tls` adapter image pull policy                               |
 | image.tag        | string | latest             | `nimbus-k8tls` adapter image tag                                       |
 
+Set the following values accordingly to send the k8tls report to elasticsearch (By default we send report to STDOUT)
+
+##
+
+| Key                          | Type   | Default            | Description                                                     |
+|------------------------------|--------|--------------------|-----------------------------------------------------------------|
+| output.elasticsearch.enabled | bool   | false              |  Elasticsearch enabled or not                                   |
+| elasticsearch.host           | string | localhost          |  Elasticsearch host                                             |
+| elasticsearch.user           | string | elastic            |  Elastic user                                                   |
+| elasticsearch.port           | string | 9200               |  Elasticsearch port                                             |
+| elasticsearch.index          | string | findings           |  Elasticsearch index                                            |
+| output.elasticsearch.password| string |                    |  The password in base64 encoded format                          |
+
+
 ## Verify if all the resources are up and running
 
 Once done, the following resources will exist in your cluster:

diff --git a/deployments/nimbus-k8tls/templates/configmap.yaml b/deployments/nimbus-k8tls/templates/configmap.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fluent-bit-config
+  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+data:
+  fluent-bit.conf: |
+     [SERVICE]
+        Flush        1
+        Log_Level    info
+        Parsers_File parsers.conf
+
+     [INPUT]
+        Name           tail
+        Path           /tmp/compact_report.json
+        Parser         JSON
+        Tag            json.data
+        DB             /tmp/compact_report.db
+        Read_from_Head true
+        Exit_On_Eof    true
+    
+     {{- if .Values.output.elasticsearch.enabled }}
+     [OUTPUT]
+        Name  es
+        Match *
+        Host  {{ .Values.output.elasticsearch.host }}
+        Port  {{ .Values.output.elasticsearch.port }}
+        Index {{ .Values.output.elasticsearch.index }}
+        HTTP_User  {{ .Values.output.elasticsearch.user }}
+        HTTP_Passwd ${ES_PASSWORD}
+        tls      On
+        tls.verify Off
+        Suppress_Type_Name On
+        Replace_Dots On
+      {{- end }}
+
+     [OUTPUT]
+        Name stdout
+        Match *
diff --git a/deployments/nimbus-k8tls/templates/daemonset.yaml b/deployments/nimbus-k8tls/templates/daemonset.yaml
@@ -21,4 +21,11 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+          - name: K8TLS_NAMESPACE
+            value: {{ include "nimbus-k8tls.fullname" . }}-env
+          {{- if .Values.output.elasticsearch.enabled }}
+          - name: OUTPUT
+            value: "ELASTICSEARCH"
+          {{- end }}
       terminationGracePeriodSeconds: 10
diff --git a/deployments/nimbus-k8tls/templates/secret.yaml b/deployments/nimbus-k8tls/templates/secret.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.output.elasticsearch.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: elasticsearch-password
+  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+type: Opaque
+data:
+  es_password: {{ .Values.output.elasticsearch.password }} 
+{{- end }}
diff --git a/deployments/nimbus-k8tls/values.yaml b/deployments/nimbus-k8tls/values.yaml
@@ -16,3 +16,12 @@ serviceAccount:
 securityContext:
   runAsNonRoot: true
   runAsUser: 65533
+
+output:
+  elasticsearch:
+    enabled: false  
+    host: "localhost"
+    user: elastic
+    port: 9200
+    index: "findings"
+    password: "" # Password in base64 encoded format
diff --git a/pkg/adapter/nimbus-k8tls/builder/builder.go b/pkg/adapter/nimbus-k8tls/builder/builder.go
@@ -7,7 +7,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
-
+	"os"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,6 +20,7 @@ import (
 var (
 	DefaultSchedule           = "@weekly"
 	backOffLimit              = int32(5)
+	ttlSecondsAfterFinished   = int32(3600)
 	hostPathDirectoryOrCreate = corev1.HostPathDirectoryOrCreate
 )
 
@@ -66,6 +67,7 @@ func ensureTlsCronJob(rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.Conf
 }
 
 func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
+	output := os.Getenv("OUTPUT")
 	cj := &batchv1.CronJob{
 		Spec: batchv1.CronJobSpec{
 			Schedule: schedule,
@@ -75,7 +77,7 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 					Template: corev1.PodTemplateSpec{
 						Spec: corev1.PodSpec{
 							RestartPolicy: corev1.RestartPolicyNever,
-							Containers: []corev1.Container{
+							InitContainers: []corev1.Container{
 								{
 									Name:            "k8tls",
 									Image:           "kubearmor/k8tls:latest",
@@ -94,6 +96,24 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 									},
 								},
 							},
+							Containers: []corev1.Container{
+								{
+									Name:            "fluent-bit",
+									Image:           "fluent/fluent-bit:latest",
+									ImagePullPolicy: corev1.PullAlways,
+									VolumeMounts: []corev1.VolumeMount{
+										{
+											Name:      "fluent-bit-config",
+											MountPath: "/fluent-bit/etc/fluent-bit.conf",
+											SubPath: "fluent-bit.conf",
+										},
+										{
+											Name:      "k8tls-report",
+											MountPath: "/tmp/",
+										},
+									},
+								},
+							},
 							Volumes: []corev1.Volume{
 								{
 									Name: "fips-config",
@@ -106,14 +126,21 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 									},
 								},
 								{
-									Name: "k8tls-report",
+									Name: "fluent-bit-config",
 									VolumeSource: corev1.VolumeSource{
-										HostPath: &corev1.HostPathVolumeSource{
-											Path: "/tmp/",
-											Type: &hostPathDirectoryOrCreate,
+										ConfigMap: &corev1.ConfigMapVolumeSource{
+											LocalObjectReference: corev1.LocalObjectReference{
+												Name: "fluent-bit-config",
+											},
 										},
 									},
 								},
+								{
+									Name: "k8tls-report",
+									VolumeSource: corev1.VolumeSource{
+										EmptyDir: &corev1.EmptyDirVolumeSource{},
+									},
+								},
 							},
 						},
 					},
@@ -122,6 +149,24 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 		},
 	}
 
+	if output == "ELASTICSEARCH" {
+		// If we are sending the report to elasticsearch, then we delete the pod spawned by job after 1 hour. Else we keep the pod 
+		cj.Spec.JobTemplate.Spec.TTLSecondsAfterFinished = &ttlSecondsAfterFinished
+		cj.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env = []corev1.EnvVar{
+			{
+				Name: "ES_PASSWORD",
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: "elasticsearch-password",
+						},
+						Key: "es_password",
+					},
+				},
+			},
+		}
+	}
+
 	if len(externalAddresses) > 0 {
 		cm := buildConfigMap(externalAddresses)
 

diff --git a/pkg/adapter/nimbus-k8tls/manager/manager.go b/pkg/adapter/nimbus-k8tls/manager/manager.go
@@ -5,8 +5,8 @@ package manager
 
 import (
 	"context"
+	"os"
 	"strings"
-
 	"github.com/go-logr/logr"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -31,7 +31,7 @@ import (
 var (
 	scheme        = runtime.NewScheme()
 	k8sClient     client.Client
-	NamespaceName = "nimbus-k8tls-env"
+	NamespaceName string
 )
 
 func init() {
@@ -55,6 +55,8 @@ func Run(ctx context.Context) {
 	deletedCronJobCh := make(chan common.Request)
 	go watcher.WatchCronJobs(ctx, updateCronJobCh, deletedCronJobCh)
 
+	// Get the namespace name within which the k8tls environment needs to be set
+	NamespaceName = os.Getenv("K8TLS_NAMESPACE")
 	for {
 		select {
 		case <-ctx.Done():