feat: Add Fluent-bit to K8tls

Signed-off-by: Jones Jefferson <[email protected]>
5GSEC · Aug 5, 2024 · df2ba29 · df2ba29
1 parent 8e63ed3
commit df2ba29
Show file tree

Hide file tree

Showing 7 changed files with 123 additions and 11 deletions.
diff --git a/deployments/nimbus-k8tls/templates/configmap.yaml b/deployments/nimbus-k8tls/templates/configmap.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fluent-bit-config
+  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+data:
+  fluent-bit.conf: |
+     [SERVICE]
+        Flush        1
+        Log_Level    info
+        Parsers_File parsers.conf
+
+     [INPUT]
+        Name           tail
+        Path           /tmp/compact_report.json
+        Parser         JSON
+        Tag            json.data
+        DB             /tmp/compact_report.db
+        Read_from_Head true
+        Exit_On_Eof    true
+    
+     {{- if .Values.output.elasticsearch.enabled }}
+     [OUTPUT]
+        Name  es
+        Match *
+        Host  {{ .Values.output.elasticsearch.host }}
+        Port  {{ .Values.output.elasticsearch.port }}
+        Index {{ .Values.output.elasticsearch.index }}
+        HTTP_User  {{ .Values.output.elasticsearch.user }}
+        HTTP_Passwd ${ES_PASSWORD}
+        tls      On
+        tls.verify Off
+        Suppress_Type_Name On
+        Replace_Dots On
+      {{- end }}
+
+     [OUTPUT]
+        Name stdout
+        Match *
diff --git a/deployments/nimbus-k8tls/templates/daemonset.yaml b/deployments/nimbus-k8tls/templates/daemonset.yaml
@@ -19,6 +19,13 @@ spec:
         - name: {{ .Values.fullnameOverride }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "jonesjefferson/nimbus-k8tls:latest"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+          - name: K8TLS_NAMESPACE
+            value: {{ include "nimbus-k8tls.fullname" . }}-env
+          {{- if .Values.output.elasticsearch.enabled }}
+          - name: OUTPUT
+            value: "ELASTICSEARCH"
+          {{- end }}
       terminationGracePeriodSeconds: 10
diff --git a/deployments/nimbus-k8tls/templates/secret.yaml b/deployments/nimbus-k8tls/templates/secret.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.output.elasticsearch.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: elasticsearch-password
+  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+type: Opaque
+data:
+  es_password: {{ .Values.output.elasticsearch.password }} 
+{{- end }}
diff --git a/deployments/nimbus-k8tls/values.yaml b/deployments/nimbus-k8tls/values.yaml
@@ -16,3 +16,12 @@ serviceAccount:
 securityContext:
   runAsNonRoot: true
   runAsUser: 65533
+
+output:
+  elasticsearch:
+    enabled: true
+    host: "10.43.98.64"
+    user: elastic
+    port: 9200
+    index: "findings"
+    password: "NlB0OTl1Q2QxbnlJWUJsM0w0czMxNjV4" # Password in base64 encoded format
diff --git a/pkg/adapter/nimbus-k8tls/Makefile b/pkg/adapter/nimbus-k8tls/Makefile
@@ -2,7 +2,7 @@
 # Copyright 2023 Authors of Nimbus
 
 # Image URL to use all building/pushing image targets
-IMG ?= 5gsec/nimbus-k8tls
+IMG ?= jonesjefferson/nimbus-k8tls
 # Image Tag to use all building/pushing image targets
 TAG ?= latest
 

diff --git a/pkg/adapter/nimbus-k8tls/builder/builder.go b/pkg/adapter/nimbus-k8tls/builder/builder.go
@@ -7,7 +7,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
-
+	"os"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,6 +20,7 @@ import (
 var (
 	DefaultSchedule           = "@weekly"
 	backOffLimit              = int32(5)
+	ttlSecondsAfterFinished   = int32(3600)
 	hostPathDirectoryOrCreate = corev1.HostPathDirectoryOrCreate
 )
 
@@ -66,19 +67,37 @@ func ensureTlsCronJob(rule v1alpha1.NimbusRules) (*batchv1.CronJob, *corev1.Conf
 }
 
 func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1.CronJob, *corev1.ConfigMap) {
+	output := os.Getenv("OUTPUT")
+	var fluentBitEnvironmentVariables []corev1.EnvVar
+	if output == "ELASTICSEARCH" {
+		fluentBitEnvironmentVariables = []corev1.EnvVar{
+			{
+				Name: "ES_PASSWORD",
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: "elasticsearch-password",
+						},
+						Key: "es_password",
+					},
+				},
+			},
+		}
+	}
 	cj := &batchv1.CronJob{
 		Spec: batchv1.CronJobSpec{
 			Schedule: schedule,
 			JobTemplate: batchv1.JobTemplateSpec{
 				Spec: batchv1.JobSpec{
 					BackoffLimit: &backOffLimit,
+					TTLSecondsAfterFinished: &ttlSecondsAfterFinished,
 					Template: corev1.PodTemplateSpec{
 						Spec: corev1.PodSpec{
 							RestartPolicy: corev1.RestartPolicyNever,
-							Containers: []corev1.Container{
+							InitContainers: []corev1.Container{
 								{
 									Name:            "k8tls",
-									Image:           "kubearmor/k8tls:latest",
+									Image:           "jonesjefferson/k8tls:latest",
 									Command:         []string{"./k8s_tlsscan"},
 									ImagePullPolicy: corev1.PullAlways,
 									VolumeMounts: []corev1.VolumeMount{
@@ -94,6 +113,25 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 									},
 								},
 							},
+							Containers: []corev1.Container{
+								{
+									Name:            "fluent-bit",
+									Image:           "fluent/fluent-bit:latest",
+									ImagePullPolicy: corev1.PullAlways,
+									Env: fluentBitEnvironmentVariables,
+									VolumeMounts: []corev1.VolumeMount{
+										{
+											Name:      "fluent-bit-config",
+											MountPath: "/fluent-bit/etc/fluent-bit.conf",
+											SubPath: "fluent-bit.conf",
+										},
+										{
+											Name:      "k8tls-report",
+											MountPath: "/tmp/",
+										},
+									},
+								},
+							},
 							Volumes: []corev1.Volume{
 								{
 									Name: "fips-config",
@@ -106,14 +144,21 @@ func cronJobForEnsureTls(schedule string, externalAddresses ...string) (*batchv1
 									},
 								},
 								{
-									Name: "k8tls-report",
+									Name: "fluent-bit-config",
 									VolumeSource: corev1.VolumeSource{
-										HostPath: &corev1.HostPathVolumeSource{
-											Path: "/tmp/",
-											Type: &hostPathDirectoryOrCreate,
+										ConfigMap: &corev1.ConfigMapVolumeSource{
+											LocalObjectReference: corev1.LocalObjectReference{
+												Name: "fluent-bit-config",
+											},
 										},
 									},
 								},
+								{
+									Name: "k8tls-report",
+									VolumeSource: corev1.VolumeSource{
+										EmptyDir: &corev1.EmptyDirVolumeSource{},
+									},
+								},
 							},
 						},
 					},

diff --git a/pkg/adapter/nimbus-k8tls/manager/manager.go b/pkg/adapter/nimbus-k8tls/manager/manager.go
@@ -5,8 +5,8 @@ package manager
 
 import (
 	"context"
+	"os"
 	"strings"
-
 	"github.com/go-logr/logr"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -31,7 +31,7 @@ import (
 var (
 	scheme        = runtime.NewScheme()
 	k8sClient     client.Client
-	NamespaceName = "nimbus-k8tls-env"
+	NamespaceName string
 )
 
 func init() {
@@ -55,6 +55,8 @@ func Run(ctx context.Context) {
 	deletedCronJobCh := make(chan common.Request)
 	go watcher.WatchCronJobs(ctx, updateCronJobCh, deletedCronJobCh)
 
+	// Get the namespace name within which the k8tls environment needs to be set
+	NamespaceName = os.Getenv("K8TLS_NAMESPACE")
 	for {
 		select {
 		case <-ctx.Done():