AutoDiscovery Installation & Configuration
The secureCodeBox (SCB) AutoDiscovery is packaged as a helm chart. As the AutoDiscovery works by creating (Scheduled)Scan custom resources for the discovered resources it requires the operator to be installed first.
helm install --namespace securecodebox-system auto-discovery-kubernetes oci://
The AutoDiscovery chart can be modified by overwriting its default values using helm. See helm install documentation
The values used by the AutoDiscovery chart are documented in the AutoDiscovery Readme, or if you prefer the yaml representation in the default values.
The config values in the config
attribute, e.g. config.serviceAutoDiscovery.enabled
, are used to modify the actual AutoDiscovery behavior.
Gradual AutoDiscovery Rollout
To ease the rollout of the auto-discovery in already existing clusters the auto-discovery by default only works on namespaces specifically enabled by an annotation. This is meant to ensure that the enablement of the auto-discovery can be done in steps, e.g. one team at a time, and to ensure that the initial setup doesn't overwhelm the cluster by creating scans for every resource in it.
This behavior can be configured using one of the following resourceInclusion
- enabled-per-namespace (default) : scans discovered resources in namespaces marked as enabled by an annotation
- enabled-per-resource : only scans resources marked as enabled by an annotation
- all (scans every resource in the whole cluster!)
These modes can be set via the config.resourceInclusion
parameter in the helm chart:
helm upgrade --namespace securecodebox-system --install auto-discovery-kubernetes oci:// --set config.resourceInclusion.mode="enabled-per-resource"
The default mode is enabled-per-namespace
Depending on the resourceInclusionMode one has to annotate each namespace or Kubernetes resource for which the AutoDiscovery should be enabled. If all
is used nothing has to be annotated as everything will be scanned (Which is not recommended unless you know what you're doing). These modes ease the gradual rollout to your cluster.
To enable the AutoDiscovery for a namespace/resource one has to annotate it with "true"
Annotating a namespace can be done as follows. Here the default namespace is annotated:
kubectl annotate namespace default
Annotating a individual resource is done as follows. Here the deployment juice-shop
in the namespace default
is annotated.
It is done by adding the annotation to the chart values, which is then passed to the deployment template. This results into the pod containing the service/deployment always having the annotation. The process may be different in your case:
helm upgrade --install juice-shop oci:// --set-json='annotations={"":"true"}'
You should now see a ZAP-advanced ScheduledScan created for juice-shop or any other service that you have annotated.
$ kubectl get
juice-shop-service-port-3000 zap-advanced-scan 168h0m0s 5