├── .github
└── workflow
│ └── iac_build.yaml
├── .gitignore
├── .trivyignore
├── Jenkinsfile
├── LICENSE
├── README.md
├── cloud_connector
├── README.md
├── ecs
│ └── cloudformation
│ │ └── aqua-ecs-fargate
│ │ ├── CloudConnectorFargate.yaml
│ │ ├── CloudConnectorFargateToken.yaml
│ │ └── README.adoc
└── kubernetes_and_openshift
│ ├── helm
│ └── README.md
│ └── manifests
│ ├── 001_cloud_connector_aqua_sa.yaml
│ ├── 002_cloud_connector_secrets.yaml
│ ├── 003_cloud_connector_configmap.yaml
│ ├── 004_cloud_connector_deployment.yaml
│ └── README.md
├── cyber_center
├── README.md
├── ecs
│ └── cloudformation
│ │ └── aqua-ecs-fargate
│ │ ├── CyberCenterFargate.yaml
│ │ └── README.adoc
└── kubernetes_and_openshift
│ └── manifests
│ ├── 001_cybercenter_serviceAccount.yaml
│ ├── 002_cybercenter_deploy.yaml
│ └── README.md
├── enforcers
├── README.md
├── aqua_enforcer
│ ├── README.md
│ ├── docker
│ │ └── compose
│ │ │ ├── aqua-enforcer.env
│ │ │ └── docker-compose-enforcer.yaml
│ ├── ecs
│ │ └── cloudformation
│ │ │ └── aqua-ecs-ec2
│ │ │ ├── README.adoc
│ │ │ └── aquaEnforcer.yaml
│ └── kubernetes_and_openshift
│ │ ├── helm
│ │ └── README.md
│ │ ├── manifests
│ │ ├── 001_aqua_enforcer_rbac
│ │ │ ├── aks
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── eks
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── gke
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── ibm
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── k3s
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── native_k8s
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── openshift
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── openshift_ocp3x
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── rancher
│ │ │ │ └── aqua_sa.yaml
│ │ │ ├── tkg
│ │ │ │ └── aqua_sa.yaml
│ │ │ └── tkgi
│ │ │ │ └── aqua_sa.yaml
│ │ ├── 002_aqua_enforcer_configMap.yaml
│ │ ├── 003_aqua_enforcer_secrets.yaml
│ │ ├── 004_aqua_enforcer_daemonset.yaml
│ │ └── README.md
│ │ └── operator
│ │ └── README.md
├── kube_enforcer
│ ├── README.md
│ └── kubernetes_and_openshift
│ │ ├── helm
│ │ └── README.md
│ │ ├── manifests
│ │ ├── README.md
│ │ ├── kube_enforcer
│ │ │ ├── 001_kube_enforcer_config.yaml
│ │ │ ├── 002_kube_enforcer_secrets.yaml
│ │ │ ├── 003_kube_enforcer_deploy.yaml
│ │ │ ├── 004_kube_enforcer_scc.yaml
│ │ │ ├── README.md
│ │ │ └── gen_ke_certs.sh
│ │ ├── kube_enforcer_advanced
│ │ │ ├── 001_kube_enforcer_config.yaml
│ │ │ ├── 002_kube_enforcer_secrets.yaml
│ │ │ ├── 003_kube_enforcer_deploy.yaml
│ │ │ ├── 004_kube_enforcer_scc.yaml
│ │ │ ├── README.md
│ │ │ └── gen_ke_certs.sh
│ │ ├── kube_enforcer_advanced_trivy
│ │ │ ├── 001_kube_enforcer_config.yaml
│ │ │ ├── 002_kube_enforcer_secrets.yaml
│ │ │ ├── 003_kube_enforcer_deploy.yaml
│ │ │ ├── 004_kube_enforcer_scc.yaml
│ │ │ ├── README.md
│ │ │ └── gen_ke_certs.sh
│ │ ├── kube_enforcer_ocp3x
│ │ │ ├── 001_kube_enforcer_config.yaml
│ │ │ ├── 002_kube_enforcer_secrets.yaml
│ │ │ ├── 003_kube_enforcer_deploy.yaml
│ │ │ ├── README.md
│ │ │ └── gen_ke_certs.sh
│ │ └── kube_enforcer_trivy
│ │ │ ├── 001_kube_enforcer_config.yaml
│ │ │ ├── 002_kube_enforcer_secrets.yaml
│ │ │ ├── 003_kube_enforcer_deploy.yaml
│ │ │ ├── 004_kube_enforcer_scc.yaml
│ │ │ ├── README.md
│ │ │ └── gen_ke_certs.sh
│ │ └── operator
│ │ └── README.md
├── micro_enforcer
│ └── aws_fargate_sidecar
│ │ ├── README.md
│ │ ├── inject_microenforcer.py
│ │ └── requirements.txt
├── vm_enforcer
│ ├── README.md
│ ├── ansible
│ │ ├── .gitignore
│ │ ├── README.md
│ │ ├── roles
│ │ │ └── vm-enforcer-deploy
│ │ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── vme-install.yml
│ │ │ │ ├── vme-rpm-install.yml
│ │ │ │ ├── vme-rpm-uninstall.yml
│ │ │ │ └── vme-uninstall.yml
│ │ │ │ └── templates
│ │ │ │ └── aquasec.j2
│ │ └── vm-enforcer.yaml
│ ├── deb
│ │ ├── .gitignore
│ │ ├── README.md
│ │ ├── archives
│ │ │ └── README.md
│ │ ├── nfpm.yaml
│ │ ├── scripts
│ │ │ ├── README.md
│ │ │ ├── postinstall.sh
│ │ │ ├── postuninstall.sh
│ │ │ └── preuninstall.sh
│ │ └── selinux
│ │ │ └── aquavme
│ │ │ ├── README.md
│ │ │ ├── aquavme.pp
│ │ │ └── aquavme.te
│ ├── golden_image
│ │ ├── AquaGoldenImagePrep.bat
│ │ ├── AquaGoldenImagePrep.sh
│ │ └── README.md
│ ├── rpm
│ │ ├── .gitignore
│ │ ├── README.md
│ │ ├── archives
│ │ │ └── README.md
│ │ ├── nfpm.yaml
│ │ ├── scripts
│ │ │ ├── README.md
│ │ │ ├── postinstall.sh
│ │ │ ├── postuninstall.sh
│ │ │ └── preuninstall.sh
│ │ └── selinux
│ │ │ └── aquavme
│ │ │ ├── README.md
│ │ │ ├── aquavme.pp
│ │ │ ├── aquavme.te
│ │ │ ├── fcos_aquavme.pp
│ │ │ └── fcos_aquavme.te
│ ├── shell
│ │ ├── README.md
│ │ ├── install_vme.sh
│ │ └── uninstall_vme.sh
│ └── templates
│ │ ├── aqua-enforcer-runc-config.json
│ │ ├── aqua-enforcer-v1.0.0-rc2-runc-config.json
│ │ ├── aqua-enforcer.template.old.service
│ │ ├── aqua-enforcer.template.service
│ │ └── run.template.sh
└── windows_enforcer
│ └── kubernetes
│ ├── 001_aqua_windows_enforcer_rbac
│ └── aks
│ │ └── aqua_sa.yaml
│ ├── 002_aqua_windows_enforcer_configMap.yaml
│ ├── 003_aqua_windows_enforcer_secrets.yaml
│ ├── 004_aqua_windows_enforcer_daemonset.yaml
│ └── README.md
├── quick_start
├── README.md
└── kubernetes_and_openshift
│ ├── Aquactl
│ └── README.md
│ ├── helm
│ └── README.md
│ ├── manifests
│ ├── README.md
│ ├── aqua-csp-quick-DaemonSet-hostPath.yaml
│ ├── aqua-csp-quick-DaemonSet-storage.yaml
│ ├── aqua-csp-quick-default-storage.yaml
│ └── aqua-csp-quick-hostpath.yaml
│ └── operator
│ └── README.md
├── scanner
├── README.md
├── ecs
│ └── cloudformation
│ │ └── aqua-ecs-ec2
│ │ ├── README.adoc
│ │ ├── aquaScanner.yaml
│ │ └── aquaScannerToken.yaml
└── kubernetes_and_openshift
│ ├── helm
│ └── README.md
│ ├── manifests
│ ├── 001_scanner_serviceAccount.yaml
│ ├── 002_scanner_secrets.yaml
│ ├── 003_scanner_configmap.yaml
│ ├── 004_scanner_deploy.yaml
│ └── README.md
│ └── operator
│ └── README.md
├── server
├── README.md
├── docker
│ └── compose
│ │ ├── aqua-db.env
│ │ ├── aqua-docker-compose-server.yaml
│ │ ├── aqua-gateway.env
│ │ └── aqua-web.env
├── ecs
│ └── cloudformation
│ │ ├── aqua-ecs-ec2
│ │ ├── README.adoc
│ │ ├── aquaEcs-external.yaml
│ │ └── aquaEcs.yaml
│ │ └── aqua-ecs-fargate
│ │ ├── AquaFargate-nonSSL-external.yaml
│ │ ├── AquaFargate-nonSSL.yaml
│ │ ├── README.adoc
│ │ ├── aqua-ecs-fargate-envoy-external.yaml
│ │ ├── aqua-ecs-fargate-envoy.yaml
│ │ ├── aquaFargate-external.yaml
│ │ └── aquaFargate.yaml
└── kubernetes_and_openshift
│ ├── helm
│ └── README.md
│ ├── manifests
│ ├── README.md
│ ├── aqua_csp_001_namespace
│ │ └── aqua_namespace.yaml
│ ├── aqua_csp_002_RBAC
│ │ ├── aks
│ │ │ └── aqua_sa.yaml
│ │ ├── eks
│ │ │ └── aqua_sa.yaml
│ │ ├── gke
│ │ │ └── aqua_sa.yaml
│ │ ├── ibm
│ │ │ └── aqua_sa.yaml
│ │ ├── k3s
│ │ │ └── aqua_sa.yaml
│ │ ├── native_k8s
│ │ │ └── aqua_sa.yaml
│ │ ├── openshift
│ │ │ └── aqua_sa.yaml
│ │ ├── openshift_ocp3x
│ │ │ └── aqua_sa.yaml
│ │ ├── rancher
│ │ │ └── aqua_sa.yaml
│ │ ├── tkg
│ │ │ └── aqua_sa.yaml
│ │ └── tkgi
│ │ │ └── aqua_sa.yaml
│ ├── aqua_csp_003_secrets
│ │ └── aqua_secrets.yaml
│ ├── aqua_csp_004_configMaps
│ │ ├── aqua_db.yaml
│ │ └── aqua_server.yaml
│ ├── aqua_csp_005_storage
│ │ └── aqua_db_pvc.yaml
│ ├── aqua_csp_006_server_deployment
│ │ ├── aqua_server_deployment_managed_db.yaml
│ │ └── aqua_server_deployment_packaged_db.yaml
│ └── aqua_csp_007_networking
│ │ ├── envoy
│ │ ├── 001_server_gateway_service-envoy.yaml
│ │ ├── 002_envoy-secrets.yaml
│ │ ├── 003_envoy-configmap.yaml
│ │ └── 004_envoy-deployment.yaml
│ │ ├── loadbalancer
│ │ └── aqua_server_gateway_service-lb.yaml
│ │ └── openshift_route
│ │ ├── aqua-gateway-route.yaml
│ │ └── aqua-web-route.yaml
│ ├── operator
│ └── README.md
│ └── test_upgrade
│ ├── 001_aqua_test_upgrade_configMap.yaml
│ ├── 002_aqua_test_uprade_secrets.yaml
│ ├── 003_aqua_test_upgrade_job.yaml
│ └── README.md
└── tenant_manager
├── README.md
└── kubernetes_and_openshift
├── helm
└── README.md
└── manifests
├── 001_tm_namespace
└── aqua_namespace.yaml
├── 002_tm_RBAC
├── aks
│ └── aqua_sa.yaml
├── eks
│ └── aqua_sa.yaml
├── gke
│ └── aqua_sa.yaml
├── ibm
│ └── aqua_sa.yaml
├── k3s
│ └── aqua_sa.yaml
├── native_k8s
│ └── aqua_sa.yaml
├── openshift
│ └── aqua_sa.yaml
├── rancher
│ └── aqua_sa.yaml
├── tkg
│ └── aqua_sa.yaml
└── tkgi
│ └── aqua_sa.yaml
├── 003_tm_secrets
└── aqua_tm_secret.yaml
├── 004_tm_configMaps
├── aqua_tm_config.yaml
└── aqua_tm_db.yaml
├── 005_tm_storage
└── aqua_tm_db_pvc.yaml
├── 006_tm_deployment
├── aqua_tm_deployment_managed_db.yaml
└── aqua_tm_deployment_packaged_db.yaml
└── README.md
/.github/workflow/iac_build.yaml:
--------------------------------------------------------------------------------
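# Trivy IaC (config) scan of the manifests/templates in this repository.
# NOTE(review): the repository tree places this file under `.github/workflow/`
# (singular). GitHub Actions only discovers workflows under `.github/workflows/`;
# if the directory really is named `workflow`, this job never runs.
name: build
on:
  push:
    branches:
      - 2022.4
  pull_request:

# Least privilege for the job's GITHUB_TOKEN: it only checks out the tree and
# prints a table, so read-only access to repository contents is sufficient.
permissions:
  contents: read

jobs:
  build:
    name: Build
    # NOTE(review): `ubuntu-18.04` has been retired as a GitHub-hosted runner
    # label; move to a supported image (e.g. ubuntu-latest) when next touched.
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          # No later step pushes back to the repo, so do not leave the token
          # in .git/config where a compromised action could read it.
          persist-credentials: false

      - name: Run Trivy vulnerability scanner in IaC mode
        # NOTE(review): `@master` is a mutable ref — every run executes whatever
        # the action's default branch currently contains. Pin to a release tag or,
        # better, a full commit SHA so the scanner itself cannot be swapped out.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'table'
          # Fail the job on any finding not listed in .trivyignore.
          exit-code: '1'
        env:
          # Repository secrets are not exposed to `pull_request` runs from forks,
          # so on such PRs these are empty and the aqua plugin mode will not
          # authenticate; expect those runs to behave differently from pushes.
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          TRIVY_RUN_AS_PLUGIN: 'aqua'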
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .vscode/
2 | .idea/
3 | .DS_Store
4 |
--------------------------------------------------------------------------------
/.trivyignore:
--------------------------------------------------------------------------------
# Trivy misconfiguration checks suppressed for the WHOLE repository (presumably
# triggered by the CloudFormation templates under */ecs/cloudformation/).
# Review note: every ID below silences that check for every scanned file, not just
# the one that first tripped it. Keep a one-line reason next to each entry and,
# where your trivy version supports it, an expiry (`<ID> exp:YYYY-MM-DD`) so the
# suppression is revisited instead of becoming permanent and invisible.
AVD-AWS-0036
AVD-AWS-0035
AVD-AWS-0052
AVD-AWS-0053
AVD-AWS-0057
AVD-AWS-0107
AVD-AWS-0132
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua Enterprise Product Deployment
4 |
5 | ## Overview
6 |
7 | [Aqua Platform](https://www.aquasec.com/aqua-cloud-native-security-platform/) is a layered, full-lifecycle cloud native security platform that secures containerized, serverless, and VM-based applications, from application build, infrastructure through production runtime environments. Aqua Enterprise runs either in SaaS or Self-Hosted edition, at any scale.
8 |
This repository explains different methods to deploy each Aqua component. It also provides a [quick_start](./quick_start) deployment suited for proofs-of-concept (POCs), training, and test environments.
10 |
Aqua components can be deployed on multiple platforms such as Kubernetes, AWS ECS, OpenShift, no-orchestrator, and more, using different deployment methods such as manifests, Helm, Operator, proprietary CLI tools, RPM, and scripts. The deployment resources for each Aqua component are listed in the respective directory.
12 |
13 | ### Aqua Enterprise SaaS edition deployment
14 |
15 | Users working with Aqua Enterprise SaaS edition do not need to deploy Aqua server in their datacenter but only the relevant Enforcers to enable runtime protection. Following are the components that are available for Aqua SaaS users:
16 | * [Enforcers](./enforcers):
17 | * **Aqua Enforcer**: containers and host protection
18 | * **KubeEnforcer**: full stack Kubernetes cluster protection
19 | * **VM Enforcer**: VM workloads protection
20 | * **MicroEnforcer**: runtime security for containers running in Containers-as-a-Service (CaaS) environments
21 | * **NanoEnforcer**: runtime protection of serverless functions
22 | * [Scanner](./scanner): Used to scan images, VMWare Tanzu applications, and serverless functions locally or stored in a registry
23 | * [Cloud Connector](./cloud_connector): the Aqua Cloud Connector establishes a secure connection to the Aqua Platform console, giving Aqua Platform remote access to resources on the local clusters.
24 |
25 |
26 | ### Aqua Enterprise Self-Hosted edition deployment
27 |
28 | Aqua Enterprise Self-Hosted edition requires deploying Aqua server and other components in your datacenter. Following are the server components available for deployment:
29 | * [Server](./server): core server components – Console, Gateway, and Database. This deployment is mandatory for Aqua Self-Hosted edition.
30 | * [Tenant Manager](./tenant_manager) *(Optional)*: manage multiple segregated Aqua deployments from a single console
31 | * [CyberCenter](./cyber_center): required for air-gap environments
32 |
33 | After deploying Server components, you can deploy Enforcers and Scanners similar to SaaS users.
34 |
35 | ### Quick-start deployment
36 |
37 | A quick-start option is available for small non-production deployments and quick evaluations. It deploys Aqua Server and all Enforcers, in a single Kubernetes cluster.
38 |
39 | # Deployment methods
40 |
41 | You can deploy the mentioned Aqua components using one of the following methods:
42 | * Manifests
43 | * Helm
44 | * Operator
45 | * AWS Cloudformation
46 | * Aquactl (Aqua CLI)
47 | * RPM (for no-orchestrator environments)
48 | * Scripts
49 |
Each Aqua component can be deployed through a selection of the methods above, as listed in that component's directory.
51 |
Before you start using the deployment methods in this repository, Aqua strongly recommends that you refer to the [Product documentation on Deployments](https://docs.aquasec.com/docs/deployment-overview).
53 |
--------------------------------------------------------------------------------
/cloud_connector/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua Cloud Connector
4 |
5 | ### Overview
6 |
7 | The Aqua Cloud Connector is used in conjunction with Aqua Platform SaaS Edition (Enterprise Plan) deployments. When deployed on local clusters, i.e., clusters on which Aqua Platform is not deployed, the Aqua Cloud Connector establishes a secure connection to the Aqua Platform console, giving Aqua Platform remote access to resources on the local clusters.
8 |
9 | ### Aqua Cloud Connector Deployment Types
10 | Following are the Deployment types that can be deployed in local cluster:
11 | * [Helm](./kubernetes_and_openshift/helm)
12 | * [Manifests](./kubernetes_and_openshift/manifests)
13 | * [CloudFormation](./ecs/cloudformation/aqua-ecs-fargate)
14 |
15 | ### References
For more information on the Aqua Cloud Connector, refer to the product documentation, [Aqua Cloud Connector Overview](https://docs.aquasec.com/docs/aqua-cloud-connector).
--------------------------------------------------------------------------------
/cloud_connector/ecs/cloudformation/aqua-ecs-fargate/README.adoc:
--------------------------------------------------------------------------------
1 | :version: 2022.4
2 | :imageVersion: 2022.4
3 |
4 | = Deploy Aqua Cloud Connector on AWS ECS Cluster
5 |
6 | image:https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png[Launch Stack,link=https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=aqua-ecs&templateURL=https://s3.amazonaws.com/aqua-security-public/{version}/CloudConnectorFargateToken.yaml]
7 |
8 | == Overview
9 |
The Aqua Server and Gateway are deployed on an ECS Fargate cluster. In multi-cluster environments, you can deploy the Aqua Cloud Connector on other clusters.
11 |
12 | This page contains instructions for deploying Aqua Cloud Connector on any Amazon ECS Fargate cluster.
13 |
14 | For high availability, you must deploy Aqua on 2 availability Zones (AZs).
15 |
16 | Your deployment creates the Aqua Cloud Connector service, on the Fargate ECS instance. A CloudFormation template is used to deploy Aqua Cloud Connector. This can be done either with the AWS CloudFormation Management Console or the AWS Command Line interface (CLI), as explained below.
17 |
*Note:* *CloudConnectorFargateToken.yaml* is mandatory for *SaaS* environments, because they authenticate with a token rather than a username/password; for *On-Prem* (Self-Hosted) environments either template is suitable.
19 |
20 | == Prerequisites
21 |
22 | - One or more ECS clusters
23 | - Aqua Server DNS/IP
24 | - From Aqua Security: your Aqua credentials (username and password) and CSP License Token
25 | - Aqua Gateway URL
26 |
27 | == Pre-deployment
28 |
*Step 1. Login to the Aqua Registry with your credentials.* Supply the password on standard input rather than with `-p`, so it is not written to your shell history or visible to other users in the process list.

[source,options="nowrap",subs="attributes"]
----
docker login registry.aquasec.com -u <aqua-username> --password-stdin
----
35 |
36 | *Step 2. Pull the Aqua Cloud Connector image.*
37 |
38 | [source,options="nowrap",subs="attributes"]
39 | ----
40 | docker pull registry.aquasec.com/aqua-cloud-connector:{imageVersion}.RC1
41 | ----
42 |
43 | *Step 3. Push the Cloud Connector image to ECR.*
44 |
45 | == Deployment method 1: CloudFormation Management Console
46 |
47 | *Step 1. Click the Launch Stack icon at the top of this page.* This will take you to the *Create stack* function of the AWS CloudFormation Management Console.
48 |
49 | *Step 2. Ensure that your AWS region is set to where you want to deploy Aqua Cloud Connector.*
50 |
51 | *Step 3. Click Next.*
52 |
53 | *Step 4. Set or modify any of the parameters as explained below.*
54 |
55 | *Step 5. Click Next to create the stack.*
56 |
57 | == Deployment method 2: CLI
58 |
*Step 1. Copy the following command.* Be aware that a password passed through `--parameters` on the command line is recorded in your shell history and is visible in the process list while the command runs; prefer `--parameters file://params.json` with a restrictively-permissioned file, and confirm the template declares `AquaConsolePassword` with `NoEcho: true` so it is masked in the CloudFormation console. The example uses *CloudConnectorFargate.yaml*; for SaaS environments substitute *CloudConnectorFargateToken.yaml* (see the note above) and its token parameter.
60 |
61 | [source,options="nowrap",subs="attributes"]
62 | ----
aws --region us-east-1 cloudformation create-stack --capabilities CAPABILITY_NAMED_IAM --stack-name aqua-cloud-connector --template-body file://CloudConnectorFargate.yaml \
  --parameters ParameterKey=AquaConsoleUsername,ParameterValue=xxxxx \
  ParameterKey=AquaConsolePassword,ParameterValue=xxxxx \
  ParameterKey=AquaCCImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:cloud-connector-x.x \
  ParameterKey=ClusterName,ParameterValue=xxxxx \
  ParameterKey=AquaGatewayUrl,ParameterValue=xxxxx
69 | ----
70 |
71 | *Step 2. Set the parameters as explained below.*
72 |
73 | [source,options="nowrap",subs="attributes"]
74 | ----
75 | AquaConsoleUsername = The Console user name from Aqua server
76 | AquaConsolePassword = The Console user Password
77 | AquaCCImage = The ECR path for the Aqua Cloud Connector product image
78 | ClusterName = The existing ECS cluster name
AquaGatewayUrl = Aqua Gateway address (the Gateway URL or IP address listed under Prerequisites)
80 | ----
81 |
82 | *Step 3. Run the AWS create-stack CLI command.*
83 |
84 | This procedure will deploy Aqua Cloud Connector in your desired cluster and the newly deployed Cloud Connector will get added to the existing Aqua server.
--------------------------------------------------------------------------------
/cloud_connector/kubernetes_and_openshift/helm/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | # Deploy Aqua Cloud Connector using Helm
4 |
5 | You can deploy Cloud Connector in your Kubernetes cluster, using the Helm charts. For deployment instructions, refer to the [aqua-helm repository](https://github.com/aquasecurity/aqua-helm/tree/2022.4/cloud-connector).
6 |
7 | Ensure that you use the latest branch of the Aqua Security Helm repository.
8 |
9 | # Issues and feedback
10 |
11 | If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.
12 |
--------------------------------------------------------------------------------
/cloud_connector/kubernetes_and_openshift/manifests/001_cloud_connector_aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
# The registry pull secret is attached to the ServiceAccount so every pod that
# uses `aqua-sa` can pull from registry.aquasec.com (the Deployment in this
# directory also lists it explicitly under imagePullSecrets).
imagePullSecrets:
- name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    # NOTE(review): none of the manifests in this directory bind a Role or
    # ClusterRole to this account and the Cloud Connector pod runs as a non-root
    # UID, so "privileged" here is inherited wording rather than a granted right.
    # Do not attach cluster-wide RBAC to it on the strength of this description.
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
--------------------------------------------------------------------------------
/cloud_connector/kubernetes_and_openshift/manifests/002_cloud_connector_secrets.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: user-secret
  namespace: aqua
# Keys `username`/`password` (and `token` for SaaS) are read by the Cloud
# Connector Deployment via secretKeyRef. Values under `data:` MUST be base64
# encoded; a raw password pasted here is not a valid value. Prefer creating the
# Secret out of band (`kubectl create secret generic user-secret --from-literal=...`)
# or a `stringData:` block, and never commit a populated copy of this file.
data:
  username:
  password:
  ## Mandatory for SaaS Environments:
  # token :
--------------------------------------------------------------------------------
/cloud_connector/kubernetes_and_openshift/manifests/003_cloud_connector_configmap.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: aqua-cloud-connector-conf
  namespace: aqua
data:
  # Mounted by the Deployment as /etc/config/connector.yaml. Each `tunnels`
  # entry is presumably a destination the Aqua console is allowed to reach
  # through this cluster (see the README: "remote access to resources on the
  # local clusters"), so list only the registries/services Aqua actually needs;
  # every extra host widens what a compromised console credential can reach.
  # The `#` lines inside the block scalar are part of the file content and are
  # uncommented in place to enable an entry.
  aqua-cloud-connector-config: |
    tunnels:
    # Azure Container Registry
    #- host: .azurecr.io
    # Google Container Registry
    #- host: gke.gcr.io
    # JFrog Container Registry
    #- host: .jfrog.io
    # On-premises private registry with static IP address
    #- host: 20.101.1.253:443
    # Amazon Container Registry
    # This is a special case which creates four different URIs for ECR
    # You should only provide the region
    #- service:
    #    type: ecr
    #    region: eu-west-2
--------------------------------------------------------------------------------
/cloud_connector/kubernetes_and_openshift/manifests/004_cloud_connector_deployment.yaml:
--------------------------------------------------------------------------------
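apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: aqua-cloud-connector
  name: aqua-cloud-connector
  namespace: aqua
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aqua-cloud-connector
  template:
    metadata:
      labels:
        app: aqua-cloud-connector
      name: aqua-cloud-connector
      namespace: aqua
    spec:
      containers:
      - env:
        # Console address the connector dials out to, as host:port. The host
        # is intentionally blank in this template and must be filled in.
        - name: AQUA_SERVER
          value: ":443"
        - name: AQUA_CLOUD_CONNECTOR_CONFIG_FILE_PATH
          value: /etc/config/connector.yaml
        # Credentials are sourced from the `user-secret` Secret (002_*), never
        # inlined in this manifest.
        - name: AQUA_CLOUD_CONNECTOR_USERNAME
          valueFrom:
            secretKeyRef:
              key: username
              name: user-secret
        - name: AQUA_CLOUD_CONNECTOR_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: user-secret
        ## Mandatory for SaaS Environments:
        #- name: AQUA_CLOUD_CONNECTOR_TOKEN
        #  valueFrom:
        #    secretKeyRef:
        #      key: token
        #      name: user-secret

        - name: AQUA_CLOUD_CONNECTOR_HEALTH_PORT # Default port is 8080
          value: ""
        # Keep TLS verification ON. This pod carries console credentials and
        # opens a tunnel into the cluster; with verification off, anyone on the
        # egress path can impersonate the console and harvest both. If the
        # console uses a private CA, mount that CA instead of setting "0".
        - name: AQUA_TLS_VERIFY
          value: "1"
        # NOTE(review): `2022.4` is a mutable tag and is pulled with `Always`,
        # so each restart may run a different build. Pin an image digest
        # (`...@sha256:...`) for a reproducible, tamper-evident deployment.
        image: registry.aquasec.com/aqua-cloud-connector:2022.4
        imagePullPolicy: Always
        name: aqua-cloud-connector
        # Container hardening: the process already runs as UID 11431 (pod
        # securityContext below), so it has no use for setuid binaries or
        # capabilities; deny them explicitly so a future image change cannot
        # silently regain them. A read-only root filesystem would be the next
        # step if the image is confirmed not to write to disk.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        livenessProbe:
          httpGet:
            path: /health
            # Must be kept in step with AQUA_CLOUD_CONNECTOR_HEALTH_PORT if that
            # variable is ever given a non-default value.
            port: 8080
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: aqua-cloud-connector-conf
          items:
          - path: connector.yaml
            key: aqua-cloud-connector-config
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: aqua-registry
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsUser: 11431
        runAsGroup: 11433
        fsGroup: 11433
        # Fail closed if the image is ever rebuilt to start as root.
        runAsNonRoot: true
      serviceAccount: aqua-sa
      serviceAccountName: aqua-sa
      terminationGracePeriodSeconds: 30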
--------------------------------------------------------------------------------
/cloud_connector/kubernetes_and_openshift/manifests/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Deploy Aqua Cloud-Connector using manifests
4 |
5 | ## Overview
6 | When deployed on local clusters, i.e., clusters on which Aqua Platform is not deployed, the Aqua Cloud
7 | Connector establishes a secure connection to the Aqua Platform console, giving Aqua Platform remote
8 | access to resources on the local clusters.
9 |
10 | **Step 1. Create a namespace by name aqua (if not already done).**
11 |
12 | ```SHELL
13 | kubectl create namespace aqua
14 | ```
15 |
16 | **Step 2. Create a docker-registry secret (if not already done).**
17 |
18 | ```SHELL
19 | kubectl create secret docker-registry aqua-registry \
20 | --docker-server=registry.aquasec.com \
21 | --docker-username= \
22 | --docker-password= \
23 | --docker-email= \
24 | -n aqua
25 | ```
26 |
27 | **Step 3. (Optional) Create a service account and RBAC for your deployment platform (if not already done).**
28 |
29 | ```SHELL
30 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/cloud_connector/kubernetes_and_openshift/manifests/001_cloud_connector_aqua_sa.yaml
31 | ```
32 |
33 | ## Deploy Aqua Cloud-Connector using manifests
34 |
**Step 1. Create the secrets manually, or download, edit, and apply the secrets manifest.** If you edit the manifest, the `username` and `password` values (and `token` for SaaS) must be base64 encoded. Creating the Secret directly avoids writing plaintext credentials into a file that could be committed: `kubectl create secret generic user-secret --from-literal=username=<console-user> --from-literal=password=<console-password> -n aqua` (add `--from-literal=token=<token>` for SaaS environments).
36 |
37 | ```SHELL
38 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/cloud_connector/kubernetes_and_openshift/manifests/002_cloud_connector_secrets.yaml
39 | ```
40 |
41 | **Step 2. Deploy directly or download, edit, and run the deployment configMaps**
42 |
43 | ```SHELL
44 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/cloud_connector/kubernetes_and_openshift/manifests/003_cloud_connector_configmap.yaml
45 | ```
46 |
47 | **Step 3. Deploy Cloud-Connector Deployment**
48 |
49 | ```SHELL
50 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/cloud_connector/kubernetes_and_openshift/manifests/004_cloud_connector_deployment.yaml
51 | ```
52 |
--------------------------------------------------------------------------------
/cyber_center/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua CyberCenter
4 |
5 | ## Overview
6 |
7 | Aqua’s CyberCenter is a cloud-based cyber-intelligence knowledge base, maintained and operated by Aqua Security. The CyberCenter can be deployed in your air-gap environments. This offline CyberCenter is used for communication with server and scanner to share data on security issues such as vulnerabilities, sensitive data, malware, etc. This data can be used to identify security issues in the workloads and artifacts.
8 |
9 | ## Deployment methods
10 | * [manifests](./kubernetes_and_openshift/manifests)
11 |
12 | ## Supported platforms
13 | * [Kubernetes and Openshift](./kubernetes_and_openshift)
14 |
15 | ## Suited for
16 | * Aqua Enterprise Self-Hosted edition
17 |
18 | ## References
19 | * [CyberCenter Description](https://docs.aquasec.com/v2022.4/docs/cybercenter-description)
20 | * [Information Sent to CyberCenter](https://docs.aquasec.com/v2022.4/docs/info-sent-to-cybercenter)
--------------------------------------------------------------------------------
/cyber_center/ecs/cloudformation/aqua-ecs-fargate/README.adoc:
--------------------------------------------------------------------------------
1 | :version: 2022.4
2 | :imageVersion: 2022.4
3 |
4 | = Deploy Cyber Center on AWS ECS Fargate Cluster
5 |
6 | image:https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png[Launch Stack,link=https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=aqua-ecs&templateURL=https://s3.amazonaws.com/aqua-security-public/{version}/CyberCenterFargate.yaml]
7 |
8 | == Overview
9 |
This page contains instructions for deploying the Aqua CyberCenter (Self-Hosted edition) on an Amazon ECS Fargate cluster.
11 |
12 | Your deployment creates the following services:
13 |
14 | - Aqua Cyber Center, deployed with an Amazon Network Load Balancer
15 |
In addition, it creates an IAM role that grants access to ECR (Elastic Container Registry) for pulling the CyberCenter image. Review that role's policy before deploying: it should be scoped to the ECR repository holding the CyberCenter image rather than to all repositories.
17 |
18 | A CloudFormation template is used to deploy Cyber Center.
19 |
20 | == Prerequisites
21 |
22 | - A VPC with at least 2 subnets
23 | - From Aqua Security: your Aqua credentials (username and password).
24 |
25 | == Pre-deployment
26 |
*Step 1. Login to the Aqua Registry with your credentials.* Supply the password on standard input rather than with `-p`, so it is not written to your shell history or visible in the process list.

[source,options="nowrap",subs="attributes"]
----
docker login registry.aquasec.com -u <aqua-username> --password-stdin
----
33 |
*Step 2. Pull the Aqua CyberCenter image.* Note that `latest` is a mutable tag; for a reproducible deployment, record the image digest you pulled and reference that digest when you push to ECR and in the stack parameters.
35 |
36 | [source,options="nowrap",subs="attributes"]
37 | ----
38 | docker pull registry.aquasec.com/cc-premium:latest
39 | ----
40 |
*Step 3. Push the CyberCenter image to ECR.*
42 |
43 | == Deployment method: CloudFormation Management Console
44 |
45 | *Step 1. Click the Launch Stack icon at the top of this page.* This will take you to the *Create stack* function of the AWS CloudFormation Management Console.
46 |
47 | *Step 2. Ensure that your AWS region is set to where you want to deploy Aqua Enterprise.*
48 |
49 | *Step 3. Click Next.*
50 |
51 | *Step 4. Set or modify any of the parameters*.
52 |
53 | *Step 5. Click Next to create the stack.*
54 |
55 | It will typically require up to 20 minutes for Aqua Cyber Center to be deployed. When completed, you can obtain the DNS name of the Aqua Cyber Center from the console output, under key name `AquaCyberCenterConnection`.
56 |
57 | == Version upgrade
58 |
To upgrade the CyberCenter version, update the existing stack with the new CyberCenter image reference.
60 |
--------------------------------------------------------------------------------
/cyber_center/kubernetes_and_openshift/manifests/001_cybercenter_serviceAccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
# The registry pull secret is attached to the ServiceAccount so pods using
# `aqua-sa` can pull from registry.aquasec.com.
imagePullSecrets:
- name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    # NOTE(review): the CyberCenter manifests in this directory bind no Role or
    # ClusterRole to this account and the pod runs as a non-root UID; the word
    # "privileged" is inherited wording, not a granted right. Do not attach
    # cluster-wide RBAC to it on the strength of this description.
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
--------------------------------------------------------------------------------
/cyber_center/kubernetes_and_openshift/manifests/002_cybercenter_deploy.yaml:
--------------------------------------------------------------------------------
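apiVersion: v1
kind: Service
metadata:
  labels:
    app: aqua-cc
  name: aqua-cc
  namespace: aqua
spec:
  ports:
  # NOTE(review): the port is named "https", but the Deployment below only
  # serves TLS once its commented-out AQUA_PRIVATE_KEY / AQUA_PUBLIC_KEY /
  # AQUA_ROOT_CA block and the matching Secret are enabled. Until then the
  # Server/Scanner -> CyberCenter traffic on 443 -> 5000 is plaintext inside
  # the cluster. See the mTLS section of the README for the supported setup.
  - name: https
    protocol: TCP
    port: 443
    targetPort: 5000
  selector:
    app: aqua-cc
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: aqua-cc
  name: aqua-cc
  namespace: aqua
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aqua-cc
  template:
    metadata:
      labels:
        app: aqua-cc
      name: aqua-cc
      namespace: aqua
    spec:
      # `serviceAccount` is the deprecated alias; `serviceAccountName` is the
      # field current API servers honour. Both are set to the same value.
      serviceAccount: aqua-sa
      serviceAccountName: aqua-sa
      securityContext:
        runAsUser: 11431
        runAsGroup: 11433
        fsGroup: 11433
        # Fail closed if the image is ever rebuilt to start as root.
        runAsNonRoot: true
      containers:
      - name: aqua-cc
        # NOTE(review): `latest` combined with `Always` means every pod restart
        # may pull a different, unreviewed build of the vulnerability database
        # service. Pin a version tag or image digest for production.
        image: "registry.aquasec.com/cc-premium:latest"
        imagePullPolicy: Always
        args:
        - --address=:5000
        # "pleaseopen" is the fixed offline-mode key shipped with this template.
        # If your installation treats this value as a secret, move it to a Secret
        # and pass it via an env var (valueFrom/secretKeyRef) instead of a pod
        # arg: args are visible to anyone who can `get pods` in the namespace.
        - --offline-key=pleaseopen
        ports:
        - containerPort: 5000
        # Container hardening: the process runs as UID 11431 and binds an
        # unprivileged port, so it needs no capabilities or setuid binaries.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        # Enable the block below (and create the `aqua-grpc-cc` Secret) to serve
        # TLS/mTLS; see the README's mTLS section.
        # env:
        #   - name: AQUA_PRIVATE_KEY
        #     value: "/opt/aquasec/ssl/cc.key"
        #   - name: AQUA_PUBLIC_KEY
        #     value: "/opt/aquasec/ssl/cc.crt"
        #   - name: AQUA_ROOT_CA
        #     value: "/opt/aquasec/ssl/ca.crt"
        # volumeMounts:
        #   - mountPath: /opt/aquasec/ssl
        #     name: aqua-grpc-cc
        #     readOnly: true
      # volumes:
      #   - name: aqua-grpc-cc
      #     secret:
      #       secretName: aqua-grpc-cc
      #       items:
      #         - key: aqua_cc.crt
      #           path: cc.crt
      #         - key: aqua_cc.key
      #           path: cc.key
      #         - key: rootCA.crt
      #           path: ca.crt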
--------------------------------------------------------------------------------
/cyber_center/kubernetes_and_openshift/manifests/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua CyberCenter using manifests
2 |
3 | ## Overview
4 |
5 | This repository shows the manifest yaml files required to deploy the Aqua CyberCenter on the following Kubernetes platforms:
6 | * Kubernetes
7 | * OpenShift
8 | * Kubernetes engines: EKS, GKE, ICP, AKS, TKG, and TKGI
9 |
10 | Before you follow the deployment steps explained below, Aqua strongly recommends you refer to the product documentation, [Deploy Offline CyberCenter](https://docs.aquasec.com/v2022.4/docs/deploy-offline-cybercenter) for detailed information.
11 |
12 | ## Specific OpenShift notes
13 | The deployment commands shown below use the **kubectl** CLI. You can also deploy using the equivalent **oc** CLI commands, which work on all platforms, including OpenShift.
14 |
15 | ## Prerequisites
16 | * Your Aqua credentials: username and password
17 | * Your Aqua Enterprise License Token
18 |
19 | It is recommended that you complete the sizing and capacity assessment for the deployment. Refer to [Sizing Guide](https://docs.aquasec.com/docs/sizing-guide).
20 |
21 | ## Considerations
22 |
23 | ### CyberCenter image for deployment
24 |
25 | The required CyberCenter image is set in the [CyberCenter deploy yaml file](./002_cybercenter_deploy.yaml#L44) at line 44. The deployment uses the following image:
26 |
27 | * **cc-premium:latest**: Provides support for identifying vulnerabilities related to all supported programming languages and operating systems.
28 |
29 | ### mTLS
30 |
31 | * **mTLS with server:** To configure the CyberCenter with mTLS (mutual TLS) to have secure communication with server, refer to the product documentation, [Configure mTLS between the Offline CyberCenter and Server](https://docs.aquasec.com/docs/configure-mtls-between-the-offline-cybercenter-and-server).
32 | * ***(Optional)* mTLS with scanner:** If you deploy additional scanners for the scanning operation, the offline CyberCenter communicates with these scanners. To configure the offline CyberCenter with mTLS to have secure communication with scanner, refer to the product documentation, [Configure mTLS between the Offline CyberCenter and Scanner](https://docs.aquasec.com/docs/configure-mtls-between-the-offline-cybercenter-and-scanner).
33 |
34 | ## Pre-deployment
35 |
36 | You can skip any of these steps that you have already performed.
37 |
38 | **Step 1. Create a namespace (or an OpenShift project) by name aqua (if not already done).**
39 |
40 | ```SHELL
41 | kubectl create namespace aqua
42 | ```
43 |
44 | **Step 2. Create a docker-registry secret (if not already done).**
45 |
46 | ```SHELL
47 | kubectl create secret docker-registry aqua-registry \
48 | --docker-server=registry.aquasec.com \
49 | --docker-username= \
50 | --docker-password= \
51 | --docker-email= \
52 | -n aqua
53 | ```
54 |
55 | **Step 3. Create a service account (if not already done).**
56 |
57 | ```SHELL
58 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/cyber_center/kubernetes_and_openshift/manifests/001_cybercenter_serviceAccount.yaml
59 | ```
60 |
61 | ## Deploy the CyberCenter using manifests
62 |
63 | ```SHELL
64 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/cyber_center/kubernetes_and_openshift/manifests/002_cybercenter_deploy.yaml
65 | ```
66 |
67 | ## Post-deployment
68 | After the offline CyberCenter is deployed successfully, you must disable **Fast Scanning** from Aqua UI to scan artifacts successfully. For more information on disabling this option, refer to [Configure Scan Options](https://docs.aquasec.com/v2022.4/docs/configure-scan-options#section-configure-scan-options).
--------------------------------------------------------------------------------
/enforcers/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua Enforcers
4 |
5 | ### Overview
6 |
7 | Aqua Enforcers secure your workloads and infrastructure during runtime.
8 |
9 | ### Enforcers Types
10 | Following are the enforcers that can be deployed in Aqua:
11 | * [Aqua Enforcer](./aqua_enforcer): full runtime protection for containers, as well as selected host-related functionality.
12 | * [Kube Enforcer](./kube_enforcer): runtime security for your Kubernetes workloads and infrastructure. It can be deployed with advanced configuration and/or co-requisite Starboard.
13 | * [VM Enforcer](./vm_enforcer): enforcement and assurance functionality for hosts (VMs) and Kubernetes nodes.
14 | * [Windows Enforcer](./windows_enforcer): full runtime protection for containers, as well as selected host-related functionality for Windows platforms.
15 |
16 | ### Suited for
17 | * Aqua SaaS edition
18 | * Aqua Self-Hosted Enterprise edition
19 |
20 | ### References
21 | For more information on the Aqua enforcers, refer to the product documentation, [Enforcers Overview](https://docs.aquasec.com/docs/enforcers-overview) and [Assurance and Enforcement Overview](https://docs.aquasec.com/docs/assurance-and-enforcement-overview).
22 |
23 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua Enforcer
4 |
5 | ## Overview
6 |
7 | Aqua Enforcers provide full runtime protection and other functionality for containers and selected host-related functionality.
8 |
9 | In Kubernetes, the enforcer runs as a DaemonSet deployment for workload runtime security, blocking unauthorized deployments, monitoring and restricting runtime activities and generating audit events.
10 |
11 | ## Deployment methods
12 | * [Manifests and Aquactl](./kubernetes_and_openshift/manifests)
13 | * [Helm](./kubernetes_and_openshift/helm)
14 | * [Operator](./kubernetes_and_openshift/operator)
15 | * [AWS CloudFormation ECS-EC2](./ecs/cloudformation/aqua-ecs-ec2)
16 |
17 | ## Suited for
18 | * Aqua Enterprise SaaS
19 | * Aqua Enterprise Self-Hosted
20 |
21 | ## Supported platforms
22 | * Kubernetes and Openshift (SaaS and Self-Hosted)
23 | * AWS ECS (Self-Hosted only)
24 | * Docker (SaaS and Self-Hosted)
25 |
26 | ### Note:
27 | * For OpenShift version 3.x use RBAC definition from ./aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/openshift_ocp3x
28 | * For OpenShift version 4.x use RBAC definition from ./aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/openshift
29 |
30 |
31 | ## References
32 | Before you start using any of the deployment methods documented in this repository, Aqua strongly recommends that you refer to the following product documentation:
33 | * [Deploy Aqua Enforcer(s)](https://docs.aquasec.com/docs/deploy-k8s-aqua-enforcers)
34 | * [Kubernetes with Helm Charts](https://docs.aquasec.com/docs/kubernetes-with-helm#section-step-4-deploy-the-aqua-enforcer)
35 | * [Deploy Aqua on Amazon Elastic Container Service (ECS)](https://docs.aquasec.com/docs/amazon-elastic-container-service-ecs#section-step-2-deploy-aqua-enforcers).
36 | * [Enforcers Overview](https://docs.aquasec.com/docs/enforcers-overview#section-aqua-enforcers) and [Aqua Enforcer](https://docs.aquasec.com/docs/aqua-enforcer).
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/docker/compose/aqua-enforcer.env:
--------------------------------------------------------------------------------
1 | AQUA_TOKEN=token
2 | AQUA_SERVER=gateway ip address:8443
3 | AQUA_LOGICAL_NAME="Default"
4 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/docker/compose/docker-compose-enforcer.yaml:
--------------------------------------------------------------------------------
version: '3.8'
services:
  aqua-enforcer-deployment:
    image: registry.aquasec.com/enforcer:2022.4
    container_name: aqua-enforcer
    # aqua-enforcer.env supplies AQUA_TOKEN, AQUA_SERVER and AQUA_LOGICAL_NAME.
    # It holds the enforcer group token, so keep it out of version control
    # and readable only by the account that runs compose.
    env_file:
      - aqua-enforcer.env
    restart: always
    # Host PID namespace plus privileged mode: the enforcer monitors and
    # restricts other containers (see the Aqua Enforcer README), so it runs
    # with host-level access by design. Treat this service as equivalent to
    # root on the host and restrict who can edit this file.
    pid: "host"
    privileged: true
    volumes:
      # Read-write host mounts: /var/run (on most hosts this is where the
      # container runtime socket lives), /dev, and the enforcer's own
      # tmp/audit directories under /opt/aquasec.
      - /var/run:/var/run
      - /dev:/dev
      - /opt/aquasec:/host/opt/aquasec:ro
      - /opt/aquasec/tmp:/opt/aquasec/tmp
      - /opt/aquasec/audit:/opt/aquasec/audit
      # Host introspection, mounted read-only.
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /etc:/host/etc:ro
20 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/ecs/cloudformation/aqua-ecs-ec2/README.adoc:
--------------------------------------------------------------------------------
1 | :version: 2022.4
2 | :imageVersion: 2022.4
3 |
4 | = Deploy Aqua Enforcer on AWS ECS Cluster
5 |
6 | image:https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png[Launch Stack,link=https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=aqua-ecs&templateURL=https://s3.amazonaws.com/aqua-security-public/{version}/aquaEnforcer.yaml]
7 |
8 | == Overview
9 |
10 | The Aqua Server and Gateway are deployed on an ECS EC2 cluster. In multi-cluster environments, you can deploy Aqua Enforcers on different clusters.
11 |
12 | This page contains instructions for deploying Aqua Enforcer on any Amazon ECS EC2 cluster.
13 |
14 | For high availability, you must deploy Aqua across two Availability Zones (AZs).
15 |
16 | Your deployment creates the Aqua Enforcer service on the specified ECS instance. A CloudFormation template is used to deploy Aqua Enforcer. This can be done either with the AWS CloudFormation Management Console or the AWS Command Line Interface (CLI), as explained below.
17 |
18 | == Prerequisites
19 |
20 | - One or more ECS clusters
21 | - Aqua Gateway (existing) service DNS/IP
22 | - From Aqua Security: your Aqua credentials (username and password) and Aqua Enterprise License Token
23 | - Aqua Enforcer Group Token
24 | - If the default capacity provider strategy is configured as AGS in AWS ECS, use launch type as EC2 in deployment method.
25 | # LaunchType: EC2
26 | - For the Bottlerocket platform, uncomment the following lines:
27 | [source,options="nowrap",subs="attributes"]
28 | ----
29 | # DockerSecurityOptions:
30 | # - 'label:user:system_u'
31 | # - 'label:role:system_r'
32 | # - 'label:type:super_t'
33 | # - 'label:level:s0'
34 | ----
35 |
36 | == Pre-deployment
37 |
38 | *Step 1. Login to the Aqua Registry with your credentials.*
39 |
40 | [source,options="nowrap",subs="attributes"]
41 | ----
42 | docker login registry.aquasec.com -u -p
43 | ----
44 |
45 | *Step 2. Pull the Aqua Enforcer image.*
46 |
47 | [source,options="nowrap",subs="attributes"]
48 | ----
49 | docker pull registry.aquasec.com/enforcer:{imageVersion}
50 | ----
51 |
52 | *Step 3. Push the enforcer image to ECR.*
53 |
54 | == Deployment method 1: CloudFormation Management Console
55 |
56 | *Step 1. Click the Launch Stack icon at the top of this page.* This will take you to the *Create stack* function of the AWS CloudFormation Management Console.
57 |
58 | *Step 2. Ensure that your AWS region is set to where you want to deploy Aqua Enforcer.*
59 |
60 | *Step 3. Click Next.*
61 |
62 | *Step 4. Set or modify any of the parameters as explained below.*
63 |
64 | *Step 5. Click Next to create the stack.*
65 |
66 | == Deployment method 2: CLI
67 |
68 | *Step 1. Copy the following command.*
69 |
70 | [source,options="nowrap",subs="attributes"]
71 | ----
72 | aws --region us-east-1 cloudformation create-stack --capabilities CAPABILITY_NAMED_IAM --stack-name aqua-ec2 --template-body file://aquaEnforcer.yaml \
73 | --parameters ParameterKey=AquaGatewayAddress,ParameterValue=xxxxx \
74 | ParameterKey=AquaToken,ParameterValue=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx \
75 | ParameterKey=AquaEnforcerImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:enforcer-x.x \
76 | ParameterKey=ECSClusterName,ParameterValue=xxxxx \
77 | ParameterKey=TaskPrivileged,ParameterValue=false
78 | ----
79 |
80 | *Step 2. Set the parameters as explained below.*
81 |
82 | [source,options="nowrap",subs="attributes"]
83 | ----
84 | AquaGatewayAddress = The Gateway Service DNS name or IP address (IP address with port number)
85 | AquaToken = Token from existing Aqua Enforcer group of the Aqua Server
86 | TaskPrivileged = Set to true to run the Enforcer in privileged mode or false to run in non-privileged mode
87 | AquaEnforcerImage = The ECR path for the Aqua Enforcer product image
88 | ECSClusterName = The existing ECS cluster name
89 | ----
90 |
91 | *Step 3. Run the AWS create-stack CLI command.*
92 |
93 | This procedure deploys Aqua Enforcer in your chosen cluster; the newly deployed Aqua Enforcer registers with the existing Aqua Server.
94 |
95 | == Special cases
96 | * The ECS cluster with the Bottlerocket OS is currently not supported.
97 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/helm/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Enforcer using Helm
2 |
3 | You can deploy Aqua Enforcer in your Kubernetes cluster, using the Helm charts. Through this method, Aqua Enforcer is deployed on all Kubernetes cluster nodes. This Helm chart deploys a single Aqua Enforcer container automatically on each node in your cluster.
4 |
5 | For deployment instructions, refer to the [aqua-helm repository](https://github.com/aquasecurity/aqua-helm/tree/2022.4/enforcer#installing-the-chart).
6 |
7 | Ensure that you use the latest branch of the Aqua Security Helm repository.
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/aks/aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/eks/aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/gke/aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/ibm/aqua_sa.yaml:
--------------------------------------------------------------------------------
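# Lets aqua workloads use IBM's privileged PodSecurityPolicy.
# NOTE(review): PodSecurityPolicy was removed from Kubernetes in 1.25; on a
# cluster at or beyond that version this role and its binding are inert —
# confirm the target cluster version before relying on it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aqua-psp-cr
rules:
  - apiGroups: ["extensions"]
    resourceNames: ["ibm-privileged-psp"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-psp-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Binds the ClusterRole defined above. The original referenced
  # "aqua-privileged-clusterrole", which this file does not define, leaving
  # aqua-psp-cr unbound. roleRef is immutable: delete an existing
  # aqua-psp-crb before re-applying this manifest.
  name: aqua-psp-cr
subjects:
  # NOTE(review): this group is every service account in the aqua namespace,
  # not only aqua-sa. Narrow it to the specific ServiceAccounts that run
  # privileged pods if the other aqua components do not need this PSP.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:aqua
---
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua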
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/k3s/aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/native_k8s/aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/openshift/aqua_sa.yaml:
--------------------------------------------------------------------------------
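apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aqua-discovery-cr
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # OpenShift 4 serves image streams only from image.openshift.io (the
  # legacy "" API group no longer exists), so the original apiGroups: [""]
  # entry granted nothing on 4.x.
  - apiGroups: ["image.openshift.io"]
    resources: ["imagestreams", "imagestreams/layers"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
roleRef:
  name: aqua-discovery-cr
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
---
# Grants aqua-sa OpenShift's built-in cluster-reader role (read access to
# most objects in the cluster). The binding reuses the role's name; choose
# a distinct name (e.g. aqua-cluster-reader-crb) if a binding called
# cluster-reader already exists, or apply will overwrite it.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-reader
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
---
# SCC for the enforcer DaemonSet. allowPrivilegedContainer is false, but
# hostPID + hostPath together with capabilities such as SYS_ADMIN,
# SYS_MODULE and SYS_PTRACE are effectively host-root-equivalent, so keep
# the users list limited to aqua-sa and leave groups empty.
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - SYS_ADMIN
  - NET_ADMIN
  - NET_RAW
  - SYS_PTRACE
  - KILL
  - MKNOD
  - SETGID
  - SETUID
  - SYS_MODULE
  - AUDIT_CONTROL
  - SYSLOG
  - SYS_CHROOT
  - SYS_RESOURCE
  - IPC_LOCK
  - LINUX_IMMUTABLE
  - CHOWN
  - DAC_OVERRIDE
  - FSETID
  - FOWNER
  - SETFCAP
  - SETPCAP
  - NET_BIND_SERVICE
  - AUDIT_WRITE
  # (a second IPC_LOCK entry that followed AUDIT_WRITE was a duplicate of
  # the one above and has been removed; the effective set is unchanged)
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: aqua scc provides all features of the restricted SCC
      but allows users to run with any non-root UID and access hostPath. The user must
      specify the UID or it must be specified on the by the manifest of the container runtime.
    release.openshift.io/create-only: "true"
  name: aqua-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
# Only the enforcer's service account may be admitted under this SCC.
users:
  - system:serviceaccount:aqua:aqua-sa
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
  - hostPath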
120 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/openshift_ocp3x/aqua_sa.yaml:
--------------------------------------------------------------------------------
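apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aqua-discovery-cr
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # OpenShift 3.x serves image streams from both the legacy "" API group and
  # image.openshift.io; listing both keeps the rule effective whichever API
  # path the client uses (the original listed only "").
  - apiGroups: ["", "image.openshift.io"]
    resources: ["imagestreams", "imagestreams/layers"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
roleRef:
  name: aqua-discovery-cr
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
---
# Grants aqua-sa OpenShift's built-in cluster-reader role (read access to
# most objects in the cluster). The binding reuses the role's name; choose
# a distinct name (e.g. aqua-cluster-reader-crb) if a binding called
# cluster-reader already exists, or apply will overwrite it.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-reader
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
---
# SCC for the enforcer DaemonSet on OpenShift 3.x. allowPrivilegedContainer
# is false, but hostPID + hostPath together with capabilities such as
# SYS_ADMIN, SYS_MODULE and SYS_PTRACE are effectively host-root-equivalent,
# so keep the users list limited to aqua-sa and leave groups empty.
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - SYS_ADMIN
  - NET_ADMIN
  - NET_RAW
  - SYS_PTRACE
  - KILL
  - MKNOD
  - SETGID
  - SETUID
  - SYS_MODULE
  - AUDIT_CONTROL
  - SYSLOG
  - SYS_CHROOT
  - SYS_RESOURCE
  - IPC_LOCK
  - LINUX_IMMUTABLE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: aqua scc provides all features of the restricted SCC
      but allows users to run with any non-root UID and access hostPath. The user must
      specify the UID or it must be specified on the by the manifest of the container runtime.
    release.openshift.io/create-only: "true"
  name: aqua-scc
# A positive priority ranks this SCC ahead of the priority-less default
# SCCs (e.g. restricted) when admission selects an SCC for aqua-sa pods;
# the 4.x variant of this file leaves priority unset — presumably
# intentional, verify.
priority: 2
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
# Unlike the 4.x variant (MustRunAs), no SELinux context is enforced here.
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# Only the enforcer's service account may be admitted under this SCC.
users:
  - system:serviceaccount:aqua:aqua-sa
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
  - hostPath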
111 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/rancher/aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
42 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/tkg/aqua_sa.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Only has effect if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field has no effect.
  namespace: aqua
rules:
  # Read-only discovery of core resources, cluster-wide.
  # NOTE(review): "deployments" are served by the apps API group, not the
  # core ("") group, so that entry grants nothing as written. If read access
  # to deployments is actually needed, add a separate rule with
  # apiGroups: ["apps"].
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read-only view of every RBAC object (roles and bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped binding; the namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
---
# Allows pods in the aqua namespace to use TKG's privileged PodSecurityPolicy.
# NOTE(review): the subject is the system:serviceaccounts group, i.e. every
# service account, not just aqua-sa; because this is a namespaced
# RoleBinding the grant only applies to pods created in the aqua namespace,
# but it should still be narrowed to the ServiceAccount(s) that need it.
# The "ns_default" suffix in the name is misleading — the binding lives in
# and applies to the aqua namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-default-privileged-sa-ns_default
  namespace: aqua
roleRef:
  kind: ClusterRole
  name: psp:vmware-system-privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts
56 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/001_aqua_enforcer_rbac/tkgi/aqua_sa.yaml:
--------------------------------------------------------------------------------
# Aqua Enforcer RBAC for VMware Tanzu Kubernetes Grid Integrated (TKGI):
# the aqua-sa ServiceAccount plus a read-only discovery ClusterRole bound to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aqua-sa
  namespace: aqua
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
imagePullSecrets:
  - name: aqua-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aqua-discovery-cr
  # ClusterRole is cluster-scoped; this namespace field has no effect.
  namespace: aqua
  labels:
    deployedby: aqua-yaml
    # Placeholder label from the upstream RBAC aggregation example. It only does
    # something if a ClusterRole with a matching aggregationRule exists.
    rbac.example.com/aggregate-to-monitoring: "true"
rules:
  # Read-only discovery of core objects. "deployments" is not in the core ("")
  # group but in "apps", so that entry grants nothing as written.
  - apiGroups:
      - ""
    resources:
      - nodes
      - services
      - endpoints
      - pods
      - deployments
      - namespaces
      - componentstatuses
    verbs:
      - get
      - list
      - watch
  # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # ClusterRoleBinding is cluster-scoped; this namespace field has no effect.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
42 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/002_aqua_enforcer_configMap.yaml:
--------------------------------------------------------------------------------
# Environment settings for the Aqua Enforcer workload in the aqua namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aqua-csp-enforcer
  namespace: aqua
data:
  # Gateway the enforcer connects to, as host:port.
  AQUA_SERVER: "aqua-gateway:8443"
  AQUA_HEALTH_MONITOR_ENABLED: "true"
  AQUA_INSTALL_PATH: "/var/lib/aquasec"
  # AQUA_PRODUCT_PATH: "/opt/aquasec"
  RESTART_CONTAINERS: "no"
  AQUA_LOGICAL_NAME: ""
  # Set to "true" to enable express mode deployment of the enforcer.
  AQUA_EXPRESS_MODE: "false"
  # Optional certificate paths (inside the container) for the gateway connection,
  # presumably for mutual TLS -- confirm against the product documentation. Left
  # commented, no certificate paths are configured.
  # AQUA_PUBLIC_KEY: "/opt/aquasec/ssl/aqua_enforcer.crt"
  # AQUA_PRIVATE_KEY: "/opt/aquasec/ssl/aqua_enforcer.key"
  # AQUA_ROOT_CA: "/opt/aquasec/ssl/rootCA.crt"
  # AQUA_OCP_FULL_VERSION: set to the exact OpenShift version so vulnerability scanning matches it.
18 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/manifests/003_aqua_enforcer_secrets.yaml:
--------------------------------------------------------------------------------
# Aqua Enforcer group token, intended for the enforcer workload in the aqua
# namespace. Fill `token` with the base64-encoded group token
# (`echo -n '<token>' | base64`) and never commit a populated copy of this file.
apiVersion: v1
kind: Secret
metadata:
  name: enforcer-token
  namespace: aqua
  annotations:
    description: Aqua Enforcer token secret
  labels:
    deployedby: aqua-yaml
type: Opaque
data:
  token: ""
14 |
--------------------------------------------------------------------------------
/enforcers/aqua_enforcer/kubernetes_and_openshift/operator/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Enforcer using Operator
2 |
3 | You can deploy Aqua Enforcer in your OpenShift cluster using a Kubernetes Operator. Use the following resources from the aqua-operator repository:
4 |
5 | * [Deploy Aqua Operator in your OpenShift cluster](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-the-aqua-operator)
6 | * Deploy Aqua Enforcer using [AquaEnforcer CRD](https://github.com/aquasecurity/aqua-operator/blob/2022.4/deploy/crds/operator_v1alpha1_aquaenforcer_cr.yaml) and by following the [deployment instructions](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-aqua-enterprise-using-custom-resources)
7 | * Refer to the CR usage examples in the [Operator repository](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#cr-examples)
8 |
9 | The links above pin the `2022.4` branch of the aqua-operator repository; use the latest branch (or the one matching your Aqua Enterprise release) when you deploy.
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua KubeEnforcer
4 |
5 | ## Overview
6 |
7 | The KubeEnforcer runs as a Deployment and provides admission-control and runtime security for Kubernetes workloads and infrastructure.
8 |
9 | A single KubeEnforcer can be deployed on each Kubernetes cluster and uses native Kubernetes Admission Controller APIs to perform its functions, without the need for an Aqua Enforcer:
10 |
11 | * [MutatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook): seamlessly applies security controls for deployments
12 | * [ValidatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) enforces Assurance Policies on newly deployed workloads
13 |
14 | ## Deployment methods
15 | * [Manifests and Aquactl](./kubernetes_and_openshift/manifests)
16 | * [Helm](./kubernetes_and_openshift/helm)
17 | * [Operator](./kubernetes_and_openshift/operator)
18 |
19 | ## Supported platforms
20 | * Kubernetes and Openshift
21 |
22 | KubeEnforcers are supported on Linux platforms (with exception of VMware Tanzu TKGI).
23 |
24 | ## Suited for
25 | * Aqua Enterprise SaaS
26 | * Aqua Enterprise Self-Hosted
27 |
28 | ## References
29 |
30 | Before you use any of the deployment methods documented in this repository, Aqua strongly recommends that you read the following product documentation:
31 | * [Deploy Kube Enforcer(s)](https://docs.aquasec.com/docs/deploy-k8s-aqua-kubeenforcers).
32 | * [Enforcers Overview](https://docs.aquasec.com/docs/enforcers-overview#section-kube-enforcers).
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/helm/README.md:
--------------------------------------------------------------------------------
1 | ## Deploy KubeEnforcer using Helm
2 |
3 | You can deploy KubeEnforcer in your Kubernetes cluster, using the Helm charts. KubeEnforcer can be deployed on the same cluster as the Aqua Server or on a different cluster, per your configuration. KubeEnforcer can be deployed with Starboard and/or advanced configuration by passing the required parameters through Helm commands. For deployment instructions, use the following resources:
4 |
5 | * [Install KubeEnforcer using helm charts](https://github.com/aquasecurity/aqua-helm/tree/2022.4/kube-enforcer#deploy-the-helm-chart)
6 | * [Pass the required parameters for KubeEnforcer Advanced configuration](https://github.com/aquasecurity/aqua-helm/tree/2022.4/kube-enforcer#configurable-parameters)
7 |
8 | The links above pin the `2022.4` branch of the aqua-helm repository; use the latest branch (or the one matching your Aqua Enterprise release) when you deploy.
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua KubeEnforcer Types
4 |
5 | The KubeEnforcer runs as a Deployment and provides admission-control and runtime security for Kubernetes workloads and infrastructure.
6 |
7 | KubeEnforcer can optionally be deployed with an advanced configuration, per your requirements. Refer to the following for the deployment steps using manifest YAML files:
8 |
9 | * [KubeEnforcer](./kube_enforcer): provides runtime security for your Kubernetes workloads and infrastructure, should be used for OpenShift 4.x
10 | * [KubeEnforcer_ocp3x](./kube_enforcer_ocp3x): provides runtime security for your Kubernetes workloads and infrastructure, should be used for OpenShift 3.x.
11 | * [KubeEnforcer Advanced](./kube_enforcer_advanced): is a method of deploying Aqua KubeEnforcer in a special advanced configuration for Pod Enforcer injection.
12 |
13 | ## Deployment methods
14 |
15 | * manifests
16 | * Aquactl
17 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/002_kube_enforcer_secrets.yaml:
--------------------------------------------------------------------------------
# ---
# # Optional: TLS key/certificate for the KubeEnforcer (per the description below,
# # used to communicate with the Kubernetes API server). Generate them as described
# # in the product documentation, base64-encode each value, then uncomment this
# # block. Leave it commented out when not needed.
# apiVersion: v1
# kind: Secret
# metadata:
#   name: kube-enforcer-ssl
#   namespace: aqua
#   annotations:
#     description: Kube Enforcer SSL certificates to communicate with Kube API server
#   labels:
#     deployedby: aqua-yaml
# type: Opaque
# data:
#   aqua_ke.key: ""
#   aqua_ke.crt: ""
---
# KubeEnforcer group token. In the Enforcers screen, edit the KubeEnforcer and
# take the token from the default KubeEnforcer group configuration; base64-encode
# it before pasting. Never commit a populated copy of this file.
apiVersion: v1
kind: Secret
metadata:
  name: aqua-kube-enforcer-token
  namespace: aqua
  annotations:
    description: Aqua Enforcer token secret
  labels:
    deployedby: aqua-yaml
type: Opaque
data:
  token: ""
30 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/004_kube_enforcer_scc.yaml:
--------------------------------------------------------------------------------
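# SecurityContextConstraints granted to the KubeEnforcer service account.
#
# WARNING: this SCC is far more permissive than OpenShift's "restricted" SCC. It
# allows privileged containers, host PID/IPC/network namespaces, privilege
# escalation, any UID (including root), any seccomp profile and hostPath
# volumes. It is granted to exactly one service account (see `users`); review
# each `allow*` flag against what the KubeEnforcer pod spec actually requests
# and tighten anything it does not need.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: aqua-kube-enforcer-scc
  annotations:
    # The previous text claimed "all features of the restricted SCC" with only
    # non-root UIDs and hostPath added, which did not match the flags below and
    # would mislead an audit. This description reflects what is actually allowed.
    kubernetes.io/description: >-
      aqua-kube-enforcer-scc is a highly privileged SCC: it allows privileged
      containers, host PID/IPC/network namespaces, privilege escalation, running
      as any UID (including root), any seccomp profile and hostPath volumes.
      It is intended solely for the aqua-kube-enforcer-sa service account.
    release.openshift.io/create-only: "true"
priority: null
allowPrivilegedContainer: true
allowPrivilegeEscalation: true
allowHostPID: true
allowHostIPC: true
allowHostNetwork: true
allowHostPorts: false
allowHostDirVolumePlugin: true
readOnlyRootFilesystem: false
# Container runtimes typically grant a privileged container every capability
# regardless of this drop list, so it only constrains non-privileged pods
# admitted through this SCC -- confirm on your CRI.
requiredDropCapabilities: [ALL]
defaultAddCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
# '*' permits any seccomp profile, including unconfined.
seccompProfiles:
  - '*'
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# Only this service account may use the SCC; keep `groups` empty.
users:
  - system:serviceaccount:aqua:aqua-kube-enforcer-sa
groups: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - persistentVolumeClaim
  - projected
  - secret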
43 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/002_kube_enforcer_secrets.yaml:
--------------------------------------------------------------------------------
# ---
# # Optional: TLS key/certificate for the KubeEnforcer (per the description below,
# # used to communicate with the Kubernetes API server). Generate them as described
# # in the product documentation, base64-encode each value, then uncomment this
# # block. Leave it commented out when not needed.
# apiVersion: v1
# kind: Secret
# metadata:
#   name: aqua-kube-enforcer-certs
#   namespace: aqua
#   annotations:
#     description: Kube Enforcer SSL certificates to communicate with Kube API server
#   labels:
#     deployedby: aqua-yaml
# type: Opaque
# data:
#   server.key: ""
#   server.crt: ""
---
# KubeEnforcer group token. In the Enforcers screen, edit the KubeEnforcer and
# take the token from the default KubeEnforcer group configuration; base64-encode
# it before pasting. Never commit a populated copy of this file.
apiVersion: v1
kind: Secret
metadata:
  name: aqua-kube-enforcer-token
  namespace: aqua
  annotations:
    description: Aqua Enforcer token secret
  labels:
    deployedby: aqua-yaml
type: Opaque
data:
  token: ""
30 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/004_kube_enforcer_scc.yaml:
--------------------------------------------------------------------------------
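# SecurityContextConstraints granted to the KubeEnforcer service account.
#
# WARNING: this SCC is far more permissive than OpenShift's "restricted" SCC. It
# allows privileged containers, host PID/IPC/network namespaces, privilege
# escalation, any UID (including root), any seccomp profile and hostPath
# volumes. It is granted to exactly one service account (see `users`); review
# each `allow*` flag against what the KubeEnforcer pod spec actually requests
# and tighten anything it does not need.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: aqua-kube-enforcer-scc
  annotations:
    # The previous text claimed "all features of the restricted SCC" with only
    # non-root UIDs and hostPath added, which did not match the flags below and
    # would mislead an audit. This description reflects what is actually allowed.
    kubernetes.io/description: >-
      aqua-kube-enforcer-scc is a highly privileged SCC: it allows privileged
      containers, host PID/IPC/network namespaces, privilege escalation, running
      as any UID (including root), any seccomp profile and hostPath volumes.
      It is intended solely for the aqua-kube-enforcer-sa service account.
    release.openshift.io/create-only: "true"
priority: null
allowPrivilegedContainer: true
allowPrivilegeEscalation: true
allowHostPID: true
allowHostIPC: true
allowHostNetwork: true
allowHostPorts: false
allowHostDirVolumePlugin: true
readOnlyRootFilesystem: false
# Container runtimes typically grant a privileged container every capability
# regardless of this drop list, so it only constrains non-privileged pods
# admitted through this SCC -- confirm on your CRI.
requiredDropCapabilities: [ALL]
defaultAddCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
# '*' permits any seccomp profile, including unconfined.
seccompProfiles:
  - '*'
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# Only this service account may use the SCC; keep `groups` empty.
users:
  - system:serviceaccount:aqua:aqua-kube-enforcer-sa
groups: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - persistentVolumeClaim
  - projected
  - secret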
43 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/002_kube_enforcer_secrets.yaml:
--------------------------------------------------------------------------------
# ---
# # Optional: TLS key/certificate for the KubeEnforcer (per the description below,
# # used to communicate with the Kubernetes API server). Generate them as described
# # in the product documentation, base64-encode each value, then uncomment this
# # block. Leave it commented out when not needed.
# apiVersion: v1
# kind: Secret
# metadata:
#   name: aqua-kube-enforcer-certs
#   namespace: aqua
#   annotations:
#     description: Kube Enforcer SSL certificates to communicate with Kube API server
#   labels:
#     deployedby: aqua-yaml
# type: Opaque
# data:
#   server.key: ""
#   server.crt: ""
---
# KubeEnforcer group token. In the Enforcers screen, edit the KubeEnforcer and
# take the token from the default KubeEnforcer group configuration; base64-encode
# it before pasting. Never commit a populated copy of this file.
apiVersion: v1
kind: Secret
metadata:
  name: aqua-kube-enforcer-token
  namespace: aqua
  annotations:
    description: Aqua Enforcer token secret
  labels:
    deployedby: aqua-yaml
type: Opaque
data:
  token: ""
30 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/004_kube_enforcer_scc.yaml:
--------------------------------------------------------------------------------
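# SecurityContextConstraints granted to the KubeEnforcer service account.
#
# WARNING: this SCC is far more permissive than OpenShift's "restricted" SCC. It
# allows privileged containers, host PID/IPC/network namespaces, privilege
# escalation, any UID (including root), any seccomp profile and hostPath
# volumes. It is granted to exactly one service account (see `users`); review
# each `allow*` flag against what the KubeEnforcer pod spec actually requests
# and tighten anything it does not need.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: aqua-kube-enforcer-scc
  annotations:
    # The previous text claimed "all features of the restricted SCC" with only
    # non-root UIDs and hostPath added, which did not match the flags below and
    # would mislead an audit. This description reflects what is actually allowed.
    kubernetes.io/description: >-
      aqua-kube-enforcer-scc is a highly privileged SCC: it allows privileged
      containers, host PID/IPC/network namespaces, privilege escalation, running
      as any UID (including root), any seccomp profile and hostPath volumes.
      It is intended solely for the aqua-kube-enforcer-sa service account.
    release.openshift.io/create-only: "true"
priority: null
allowPrivilegedContainer: true
allowPrivilegeEscalation: true
allowHostPID: true
allowHostIPC: true
allowHostNetwork: true
allowHostPorts: false
allowHostDirVolumePlugin: true
readOnlyRootFilesystem: false
# Container runtimes typically grant a privileged container every capability
# regardless of this drop list, so it only constrains non-privileged pods
# admitted through this SCC -- confirm on your CRI.
requiredDropCapabilities: [ALL]
defaultAddCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
# '*' permits any seccomp profile, including unconfined.
seccompProfiles:
  - '*'
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# Only this service account may use the SCC; keep `groups` empty.
users:
  - system:serviceaccount:aqua:aqua-kube-enforcer-sa
groups: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - persistentVolumeClaim
  - projected
  - secret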
43 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/002_kube_enforcer_secrets.yaml:
--------------------------------------------------------------------------------
# ---
# # Optional: TLS key/certificate for the KubeEnforcer (per the description below,
# # used to communicate with the Kubernetes API server). Generate them as described
# # in the product documentation, base64-encode each value, then uncomment this
# # block. Leave it commented out when not needed.
# apiVersion: v1
# kind: Secret
# metadata:
#   name: kube-enforcer-ssl
#   namespace: aqua
#   annotations:
#     description: Kube Enforcer SSL certificates to communicate with Kube API server
#   labels:
#     deployedby: aqua-yaml
# type: Opaque
# data:
#   aqua_ke.key: ""
#   aqua_ke.crt: ""
---
# KubeEnforcer group token. In the Enforcers screen, edit the KubeEnforcer and
# take the token from the default KubeEnforcer group configuration; base64-encode
# it before pasting. Never commit a populated copy of this file.
apiVersion: v1
kind: Secret
metadata:
  name: aqua-kube-enforcer-token
  namespace: aqua
  annotations:
    description: Aqua Enforcer token secret
  labels:
    deployedby: aqua-yaml
type: Opaque
data:
  token: ""
30 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/002_kube_enforcer_secrets.yaml:
--------------------------------------------------------------------------------
# ---
# # Optional: TLS key/certificate for the KubeEnforcer (per the description below,
# # used to communicate with the Kubernetes API server). Generate them as described
# # in the product documentation, base64-encode each value, then uncomment this
# # block. Leave it commented out when not needed.
# apiVersion: v1
# kind: Secret
# metadata:
#   name: kube-enforcer-ssl
#   namespace: aqua
#   annotations:
#     description: Kube Enforcer SSL certificates to communicate with Kube API server
#   labels:
#     deployedby: aqua-yaml
# type: Opaque
# data:
#   aqua_ke.key: ""
#   aqua_ke.crt: ""
---
# KubeEnforcer group token. In the Enforcers screen, edit the KubeEnforcer and
# take the token from the default KubeEnforcer group configuration; base64-encode
# it before pasting. Never commit a populated copy of this file.
apiVersion: v1
kind: Secret
metadata:
  name: aqua-kube-enforcer-token
  namespace: aqua
  annotations:
    description: Aqua Enforcer token secret
  labels:
    deployedby: aqua-yaml
type: Opaque
data:
  token: ""
30 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/004_kube_enforcer_scc.yaml:
--------------------------------------------------------------------------------
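# SecurityContextConstraints granted to the KubeEnforcer service account.
#
# WARNING: this SCC is far more permissive than OpenShift's "restricted" SCC. It
# allows privileged containers, host PID/IPC/network namespaces, privilege
# escalation, any UID (including root), any seccomp profile and hostPath
# volumes. It is granted to exactly one service account (see `users`); review
# each `allow*` flag against what the KubeEnforcer pod spec actually requests
# and tighten anything it does not need.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: aqua-kube-enforcer-scc
  annotations:
    # The previous text claimed "all features of the restricted SCC" with only
    # non-root UIDs and hostPath added, which did not match the flags below and
    # would mislead an audit. This description reflects what is actually allowed.
    kubernetes.io/description: >-
      aqua-kube-enforcer-scc is a highly privileged SCC: it allows privileged
      containers, host PID/IPC/network namespaces, privilege escalation, running
      as any UID (including root), any seccomp profile and hostPath volumes.
      It is intended solely for the aqua-kube-enforcer-sa service account.
    release.openshift.io/create-only: "true"
priority: null
allowPrivilegedContainer: true
allowPrivilegeEscalation: true
allowHostPID: true
allowHostIPC: true
allowHostNetwork: true
allowHostPorts: false
allowHostDirVolumePlugin: true
readOnlyRootFilesystem: false
# Container runtimes typically grant a privileged container every capability
# regardless of this drop list, so it only constrains non-privileged pods
# admitted through this SCC -- confirm on your CRI.
requiredDropCapabilities: [ALL]
defaultAddCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
# '*' permits any seccomp profile, including unconfined.
seccompProfiles:
  - '*'
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# Only this service account may use the SCC; keep `groups` empty.
users:
  - system:serviceaccount:aqua:aqua-kube-enforcer-sa
groups: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - persistentVolumeClaim
  - projected
  - secret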
43 |
--------------------------------------------------------------------------------
/enforcers/kube_enforcer/kubernetes_and_openshift/operator/README.md:
--------------------------------------------------------------------------------
1 | # Deploy KubeEnforcer using Operator
2 |
3 | You can deploy KubeEnforcer in your OpenShift cluster using a Kubernetes Operator. Use the following resources from the aqua-operator repository:
4 |
5 | * [Deploy Aqua Operator in your OpenShift cluster](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-the-aqua-operator)
6 | * Deploy KubeEnforcer using [AquaKubeEnforcer CRD](https://github.com/aquasecurity/aqua-operator/blob/2022.4/deploy/crds/operator_v1alpha1_aquakubeenforcer_cr.yaml) and by following the [deployment instructions](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-aqua-enterprise-using-custom-resources)
7 | * Refer to the CR usage examples in the [Operator repository](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#cr-examples)
8 |
9 | The links above pin the `2022.4` branch of the aqua-operator repository; use the latest branch (or the one matching your Aqua Enterprise release) when you deploy.
--------------------------------------------------------------------------------
/enforcers/micro_enforcer/aws_fargate_sidecar/requirements.txt:
--------------------------------------------------------------------------------
# Pinned Python dependencies for enforcers/micro_enforcer/aws_fargate_sidecar.
# NOTE(review): versions are pinned but not hash-pinned. To make installs
# reproducible and tamper-evident, regenerate this file with
# `pip-compile --generate-hashes` and install with `pip install --require-hashes`.
certifi==2024.8.30
charset-normalizer==3.4.0
docker==7.1.0
idna==3.10
requests==2.32.3
urllib3==2.2.3
7 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # VM Enforcer
4 |
5 | ## Overview
6 | VM Enforcers provide enforcement and assurance for your hosts (VMs). You must deploy a VM Enforcer on each host that you want to protect.
7 |
8 | ## Prerequisites
9 |
10 | * **Linux:** [runC](https://www.docker.com/blog/runc/) container runtime environment
11 | * **Windows:** No specific prerequisites required. It is available as a Windows service.
12 |
13 | ## Deployment methods
14 |
15 | * [**Ansible Playbook**](./ansible/): for deploying VM Enforcer across many VMs at once, on a wide range of Linux operating systems
16 | * [**Debian Package**](./deb/): for deploying VM Enforcer on one or more VMs using the Debian package
17 | * [**RPM Package**](./rpm/): for deploying VM Enforcer on Red Hat-based operating systems that support `.rpm` packages
18 | * [**Shell Script**](./shell/): for deploying VM Enforcer using a shell script
19 |
20 | ## Suited for
21 |
22 | * Aqua Enterprise SaaS
23 | * Aqua Enterprise Self-Hosted
24 |
25 | ## Resources
26 |
27 | * [VM Enforcer Overview](https://docs.aquasec.com/docs/enforcers-overview#section-vm-enforcers)
28 | * [Create a VM Enforcer Group and VM Enforcer](https://docs.aquasec.com/docs/create-a-vm-enforcer-group-and-vm-enforcer)
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/.gitignore:
--------------------------------------------------------------------------------
1 | hosts*
2 | *.retry
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/README.md:
--------------------------------------------------------------------------------
1 | # Deploy VM Enforcer using Ansible Playbook
2 |
3 | ## Overview
4 |
5 | You can use an Ansible playbook to deploy VM Enforcers on the desired VM Enforcer group. This procedure is supported for Linux platforms only.
6 |
7 | ## Prerequisites
8 |
9 | * VM Enforcer Group token. Refer to [Create a VM Enforcer Group and VM Enforcer](https://docs.aquasec.com/docs/create-a-vm-enforcer-group-and-vm-enforcer) to create this token.
10 | * Aqua username and password, used to download the VM Enforcer package from `download.aquasec.com`
11 | * The following packages:
12 | * runC
13 | * wget
14 |
15 | ## Preparation
16 |
17 | **Step 1. Download the Ansible playbook**
18 |
19 | ```shell
20 | git clone https://github.com/aquasecurity/deployments.git -b 2022.4
21 | cd ./deployments/enforcers/vm_enforcer/ansible/
22 | ```
23 |
24 | **Step 2. Create a `hosts` file with the IP or DNS addresses of the VM(s).** For example:
25 |
26 | ```bash
27 | [all] # list the IP/DNS addresses of the VMs to deploy VM Enforcer
28 | 10.0.0.1 ansible_ssh_private_key_file=~/.ssh/test-key ansible_user=test-user
29 | 10.0.0.x ansible_ssh_private_key_file=~/.ssh/test-key
30 | test.aqua.com ansible_user=test-user
31 | ```
32 |
33 | ## Deploy VM Enforcers on all VMs using ansible-playbook
34 |
35 | Pass the mandatory variables (and any optional ones) listed below with the `--extra-vars` flag of the deployment command shown below, then run the command.
36 |
37 | Mandatory:
38 | * USERNAME
39 | * PASSWORD
40 | * ENFORCER_VERSION
41 | * TOKEN
42 | * GATEWAY_ENDPOINT
43 |
44 | Optional (**MANDATORY** for Aqua **cloud** users, with the value `true`):
45 | * AQUA_TLS_VERIFY — the role variable is named `AQUA_TLS_VERIFY` (not `AQUA_TLS_VERIFY_VALUE`) and defaults to `"false"` in `roles/vm-enforcer-deploy/defaults/main.yml`, so TLS verification of the gateway connection stays off unless you set it. The related `AQUA_ROOT_CA`, `AQUA_PUBLIC_KEY` and `AQUA_PRIVATE_KEY` variables (see the same file) are also optional.
46 |
47 | ```shell
48 | ansible-playbook vm-enforcer.yaml -i ./path/to/hosts -e vme_install=true --extra-vars "USERNAME=<download-user> PASSWORD=<download-password> ENFORCER_VERSION=<version> TOKEN=<enforcer-group-token> GATEWAY_ENDPOINT=<gateway-host:port> AQUA_TLS_VERIFY=true"
49 | ```
50 | 
51 | **Security note:** values given with `--extra-vars` on the command line are recorded in your shell history and are visible to other users of the control node via `ps`. Prefer placing `USERNAME`, `PASSWORD` and `TOKEN` in a separate variables file, ideally encrypted with `ansible-vault`, and passing it with `--extra-vars @vars.yml`.
52 | ## Uninstall VM Enforcer from all VMs using ansible-playbook
53 |
54 | ```shell
55 | ansible-playbook vm-enforcer.yaml -i ./path/to/hosts -e vme_uninstall=true
56 | ```
57 |
58 | ## References
59 | * Getting started with [Ansible](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) and [Run your first Playbook](https://docs.ansible.com/ansible/latest/network/getting_started/first_playbook.html) guides.
60 | * [Aqua VM Enforcer Overview](../README.md) and all other [Aqua Enforcers types](../../README.md) overview
61 | * Aqua VM Enforcers [official documentation](https://docs.aquasec.com/docs/vm-enforcer)
62 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/roles/vm-enforcer-deploy/defaults/main.yml:
--------------------------------------------------------------------------------
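---
# Defaults for the vm-enforcer-deploy role. Every value can be overridden with
# --extra-vars (see the ansible README); the empty strings are placeholders,
# not working values.

# Credentials for download.aquasec.com, used by get_url in vme-rpm-install.yml.
USERNAME: ""
PASSWORD: ""
# Exact enforcer build to download, and the release line it is published under.
ENFORCER_VERSION: ""
ENFORCER_MAJOR_VERSION: "2022.4"
# Enforcer group token and gateway address, rendered into
# /etc/conf/aquavmenforcer.json by templates/aquasec.j2.
TOKEN: ""
GATEWAY_ENDPOINT: ""
# SECURITY: rendered verbatim as AQUA_TLS_VERIFY in the enforcer config. By its
# name, "false" disables verification of the gateway's TLS certificate; set it
# to "true" (the README marks this mandatory for Aqua cloud). TODO confirm the
# exact semantics against the product documentation.
AQUA_TLS_VERIFY: "false"
# Optional TLS material on the control node. Leave empty when unused; a
# non-empty value is copied to /opt/aquasec/ssl on the target and its path is
# written into the config.
AQUA_ROOT_CA: ""
AQUA_PUBLIC_KEY: ""
AQUA_PRIVATE_KEY: ""
INSTALL_PATH: "/opt"
ENFORCER_RUNC_DIRECTORY: "{{ INSTALL_PATH }}/aqua-runc"
ENFORCER_RUNC_FS_DIRECTORY: "{{ ENFORCER_RUNC_DIRECTORY }}/aqua-enforcer"
SYSTEMD_FOLDER: "/etc/systemd/system"
ENFORCER_SERVICE_FILE_NAME: "aqua-enforcer.service"
ENFORCER_SERVICE_TEMPLATE_FILE_NAME: "aqua-enforcer.template.service"
ENFORCER_SERVICE_TEMPLATE_FILE_NAME_OLD: "aqua-enforcer.template.old.service"
RUN_SCRIPT_FILE_NAME: "run.sh"
RUN_SCRIPT_TEMPLATE_FILE_NAME: "run.template.sh"
ENFORCER_SERVICE_SYSTEMD_FILE_PATH: "{{ SYSTEMD_FOLDER }}/{{ ENFORCER_SERVICE_FILE_NAME }}"
ENFORCER_RUNC_CONFIG_FILE_NAME: "config.json"
ENFORCER_RUNC_TAR_FILE_NAME: "aqua-host-enforcer.{{ ENFORCER_VERSION }}.tar"
ENFORCER_RUNC_AMD64_RPM_FILE_NAME: "aqua-vm-enforcer-{{ ENFORCER_VERSION }}.x86_64.rpm"
ENFORCER_RUNC_ARM64_RPM_FILE_NAME: "aqua-vm-enforcer-{{ ENFORCER_VERSION }}.aarch64.rpm"
ENFORCER_SELINUX_POLICY_FILE_NAME: "aquavme"
ENFORCER_DOWNLOAD_BASEURL: "https://download.aquasec.com/host-enforcer"
# Derived file names and on-target paths for the optional TLS material.
# The guards test Jinja truthiness instead of `!= None`: the defaults above are
# "", which is != None, so the former guards rendered a bare directory path such
# as "/opt/aquasec/ssl/" into the config whenever a variable was left unset.
# Note the literal /opt prefix here versus INSTALL_PATH elsewhere in the role;
# the two only agree when INSTALL_PATH is "/opt".
ROOT_CA_FILENAME: "{% if AQUA_ROOT_CA %}{{ AQUA_ROOT_CA | basename }}{% endif %}"
PUBLIC_KEY_FILENAME: "{% if AQUA_PUBLIC_KEY %}{{ AQUA_PUBLIC_KEY | basename }}{% endif %}"
PRIVATE_KEY_FILENAME: "{% if AQUA_PRIVATE_KEY %}{{ AQUA_PRIVATE_KEY | basename }}{% endif %}"
AQUA_ROOT_CA_PATH: "{% if AQUA_ROOT_CA %}/opt/aquasec/ssl/{{ ROOT_CA_FILENAME }}{% endif %}"
AQUA_PUBLIC_KEY_PATH: "{% if AQUA_PUBLIC_KEY %}/opt/aquasec/ssl/{{ PUBLIC_KEY_FILENAME }}{% endif %}"
AQUA_PRIVATE_KEY_PATH: "{% if AQUA_PRIVATE_KEY %}/opt/aquasec/ssl/{{ PRIVATE_KEY_FILENAME }}{% endif %}"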
34 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/roles/vm-enforcer-deploy/tasks/main.yml:
--------------------------------------------------------------------------------
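---
# Entry point of the vm-enforcer-deploy role. The caller selects the action with
# `-e vme_install=true` or `-e vme_uninstall=true`; RedHat-family hosts take the
# RPM path, every other family the tarball/runc path.
#
# Each guard checks the variable's *value* (`| bool`) and not merely that it is
# defined: the former `vme_install is defined | bool` evaluated to
# `(vme_install is defined) | bool`, so `-e vme_install=false` still installed.
- include_tasks: vme-install.yml
  when:
    - vme_install is defined
    - vme_install | bool
    - ansible_os_family != "RedHat"

- include_tasks: vme-uninstall.yml
  when:
    - vme_uninstall is defined
    - vme_uninstall | bool
    - ansible_os_family != "RedHat"

- include_tasks: vme-rpm-install.yml
  when:
    - vme_install is defined
    - vme_install | bool
    - ansible_os_family == "RedHat"

- name: Check whether VM Enforcer was installed from RPM and remove it with the package manager
  block:
    - name: Gather installed package facts
      package_facts:
        manager: auto

    - name: Include RPM uninstall tasks
      include_tasks: vme-rpm-uninstall.yml
      # The former condition compared against the quoted string literal
      # "'aqua-vm-enforcer*' in ansible_facts.packages", which is always truthy;
      # match real package names reported by package_facts instead.
      when: ansible_facts.packages | default({}) | select('match', '^aqua-vm-enforcer') | list | length > 0
  when:
    - vme_uninstall is defined
    - vme_uninstall | bool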
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/roles/vm-enforcer-deploy/tasks/vme-rpm-install.yml:
--------------------------------------------------------------------------------
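---
# RPM install path for RedHat-family hosts (selected by tasks/main.yml):
# stage optional TLS material, render the enforcer config, download the VM
# Enforcer RPM with the supplied credentials and install it.
- name: Create config and download folders
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "/etc/conf"
    - "{{ INSTALL_PATH }}/aquasec/tmp/"

- name: Stage optional TLS material
  block:
    - name: Create ssl directory
      file:
        path: "{{ INSTALL_PATH }}/aquasec/ssl"
        state: directory
    # The copies below target the literal /opt/aquasec/ssl, matching the
    # AQUA_*_PATH values in defaults/main.yml, while the directory above follows
    # INSTALL_PATH; the two only agree when INSTALL_PATH is "/opt".
    # `template` pushes each file through Jinja2. PEM files contain no "{{" or
    # "{%" so they pass through unchanged, but `copy` is the precise module here.
    - name: Copy root CA to /opt/aquasec/ssl
      template:
        src: "{{ AQUA_ROOT_CA }}"
        dest: /opt/aquasec/ssl
        mode: "0644"
      # Truthiness guard: the role default is "", which is != None, so the former
      # `!= None` test ran this task with an empty src.
      when: AQUA_ROOT_CA | default('', true) | length > 0
    - name: Copy client certificate to /opt/aquasec/ssl
      template:
        src: "{{ AQUA_PUBLIC_KEY }}"
        dest: /opt/aquasec/ssl
        mode: "0644"
      when:
        - AQUA_PUBLIC_KEY | default('', true) | length > 0
        - AQUA_PRIVATE_KEY | default('', true) | length > 0
    - name: Copy client private key to /opt/aquasec/ssl (owner-only)
      template:
        src: "{{ AQUA_PRIVATE_KEY }}"
        dest: /opt/aquasec/ssl
        # 0600 assumes the aqua-enforcer service runs as root (runc); relax it if
        # the service runs under a dedicated user.
        mode: "0600"
      when:
        - AQUA_PUBLIC_KEY | default('', true) | length > 0
        - AQUA_PRIVATE_KEY | default('', true) | length > 0

- name: Render enforcer config to /etc/conf/aquavmenforcer.json
  template:
    src: aquasec.j2
    dest: /etc/conf/aquavmenforcer.json
    # The rendered file carries AQUA_TOKEN in clear text (see aquasec.j2); keep
    # it owner-only. Same root assumption as the private key above.
    mode: "0600"

- name: Install dependencies tar and jq
  ansible.builtin.package:
    name:
      - tar
      - jq
    state: present

- name: Download the VM Enforcer RPM
  block:
    # No `checksum:` is given and the RPM is installed below with GPG checks
    # disabled, so the package's integrity rests on the TLS connection to
    # download.aquasec.com alone. Add `checksum: sha256:<digest>` once the
    # published digest for ENFORCER_VERSION is known.
    - name: Download x86_64 package
      get_url:
        url: "{{ ENFORCER_DOWNLOAD_BASEURL }}/{{ ENFORCER_MAJOR_VERSION }}/{{ ENFORCER_RUNC_AMD64_RPM_FILE_NAME }}"
        dest: "{{ INSTALL_PATH }}/aquasec/tmp/"
        username: "{{ USERNAME }}"
        password: "{{ PASSWORD }}"
      when: ansible_architecture == "x86_64"

    - name: Download aarch64 package
      get_url:
        url: "{{ ENFORCER_DOWNLOAD_BASEURL }}/{{ ENFORCER_MAJOR_VERSION }}/{{ ENFORCER_RUNC_ARM64_RPM_FILE_NAME }}"
        dest: "{{ INSTALL_PATH }}/aquasec/tmp/"
        username: "{{ USERNAME }}"
        password: "{{ PASSWORD }}"
      when: ansible_architecture == "aarch64"

- name: Install the VM Enforcer RPM
  block:
    # NOTE(review): disable_gpg_check skips RPM signature verification. If Aqua
    # publishes a signing key, import it with rpm_key and drop this option.
    - name: Install VM-Enforcer rpm x86_64 package
      yum:
        name: "{{ INSTALL_PATH }}/aquasec/tmp/{{ ENFORCER_RUNC_AMD64_RPM_FILE_NAME }}"
        state: latest
        disable_gpg_check: yes
      when: ansible_architecture == "x86_64"

    - name: Install VM-Enforcer rpm aarch64 package
      yum:
        name: "{{ INSTALL_PATH }}/aquasec/tmp/{{ ENFORCER_RUNC_ARM64_RPM_FILE_NAME }}"
        state: latest
        disable_gpg_check: yes
      when: ansible_architecture == "aarch64"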
77 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/roles/vm-enforcer-deploy/tasks/vme-rpm-uninstall.yml:
--------------------------------------------------------------------------------
---
# Reverse of vme-rpm-install.yml: drop the rendered config and the download
# directory, then remove the aqua-vm-enforcer package via the package manager.
- name: Remove enforcer config and temporary download folder
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - "/etc/conf/aquavmenforcer.json"
    - "{{ INSTALL_PATH }}/aquasec/tmp/"

# A single task covers both supported architectures: the package-name glob is
# the same on x86_64 and aarch64, and other architectures are skipped as before.
- name: Uninstall VM-Enforcer rpm package
  ansible.builtin.package:
    name: "aqua-vm-enforcer*"
    state: absent
  when: ansible_architecture in ["x86_64", "aarch64"]
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/roles/vm-enforcer-deploy/tasks/vme-uninstall.yml:
--------------------------------------------------------------------------------
1 | ---
# Stop the enforcer unit. Errors are ignored so an uninstall still proceeds
# on hosts where the unit was never installed or is already gone.
- name: Stop enforcer service
  systemd:
    name: aqua-enforcer
    state: stopped
    daemon_reload: yes
  ignore_errors: yes

# Prevent the unit from starting again on boot; same best-effort semantics.
- name: Disable enforcer service
  systemd:
    name: aqua-enforcer
    enabled: no
  ignore_errors: yes
14 |
# Remove unit files from every location the installer may have used, plus the
# install root and the bundled runc. The log path is hard-coded to /opt rather
# than derived from INSTALL_PATH: redundant when INSTALL_PATH is /opt (already
# covered by "{{ INSTALL_PATH }}/aquasec") and a no-op otherwise.
- name: removing vm-enforcer service and files
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - "{{ ENFORCER_SERVICE_SYSTEMD_FILE_PATH }}"
    - "/usr/lib/systemd/system/{{ ENFORCER_SERVICE_FILE_NAME }}"
    - "/etc/init.d/{{ ENFORCER_SERVICE_FILE_NAME }}"
    - "{{ INSTALL_PATH }}/aquasec"
    - "{{ INSTALL_PATH }}/aqua-runc"
    - "/opt/aquasec/tmp/aquasec.log"
26 |
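# Unload the enforcer's SELinux module when SELinux is enabled on the host.
# `command` in argv form replaces `shell`: the module name no longer passes
# through a shell, so a variable containing shell metacharacters cannot alter
# the command line, and the policy name is always a single argument.
- name: Disabling aquavme policy from selinux if enabled
  command:
    argv:
      - semodule
      - -X
      - "300"
      - -r
      - "{{ ENFORCER_SELINUX_POLICY_FILE_NAME }}"
  when: ansible_selinux.status == "enabled"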
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/roles/vm-enforcer-deploy/templates/aquasec.j2:
--------------------------------------------------------------------------------
{# Rendered by the vm-enforcer-deploy role into the enforcer's JSON config
   (the uninstall tasks remove /etc/conf/aquavmenforcer.json, so that is
   presumably the destination). It carries the group token and the client
   key path, so the rendered file should be root-owned with a restrictive
   mode — confirm in the template task, which is not part of this listing. #}
{
    "AQUA_GATEWAY": "{{ GATEWAY_ENDPOINT }}",
    "AQUA_TOKEN": "{{ TOKEN }}",
    {# NOTE(review): the README examples write AQUA_TLS_VERIFY as a bare JSON
       boolean; here it is rendered as a quoted string. Confirm the enforcer
       treats "true" the same as true, otherwise TLS verification may silently
       stay off. Values are also not JSON-escaped (no `| to_json`). #}
    "AQUA_TLS_VERIFY": "{{ AQUA_TLS_VERIFY }}",
    "AQUA_ROOT_CA": "{{ AQUA_ROOT_CA_PATH }}",
    "AQUA_PUBLIC_KEY": "{{ AQUA_PUBLIC_KEY_PATH }}",
    "AQUA_PRIVATE_KEY": "{{ AQUA_PRIVATE_KEY_PATH }}"
}
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/ansible/vm-enforcer.yaml:
--------------------------------------------------------------------------------
1 | ---
# Entry point: applies the vm-enforcer-deploy role to every host in the inventory.
- hosts: all
  # Facts are required: the role branches on ansible_architecture and ansible_selinux.
  gather_facts: true
  roles:
    - role: "vm-enforcer-deploy"
      # Package installation, systemd and semodule calls in the role need root.
      become: true
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/.gitignore:
--------------------------------------------------------------------------------
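bin
pkg
# Enforcer tarballs dropped into archives/ must never be committed.
# A leading "./" is not pattern syntax in gitignore, so the previous
# "./archives/*.tar" matched nothing and the archives were not ignored.
archives/*.tar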
4 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/README.md:
--------------------------------------------------------------------------------
1 | # Deploy VM Enforcer using DEB Package
2 |
3 | ## Overview
4 | Debian is a popular and freely-available computer operating system that uses the Linux kernel and other program components obtained from the GNU project.
5 |
6 | You can use DEB package to deploy a VM Enforcer on one or more VMs (hosts).
7 |
8 | ## Prerequisites
9 | Following packages are required for installing the VM Enforcer DEB package:
10 | * wget
11 | * tar
12 | * jq
13 | * runc
14 |
15 | ## Deploy VM Enforcer
16 |
17 |
18 | **Step 1. Download the DEB package for your architecture, using an authorized username and password.**
19 |
20 |
21 | * **x86_64/amd64:**
22 |
23 | ```shell
24 | wget -v https://download.aquasec.com/host-enforcer/<MAJOR_VERSION>/aqua-vm-enforcer-<VERSION>.x86_64.deb \
25 | --user=<USERNAME> \
26 | --ask-password
27 | ```
28 | * **arm64:**
29 |
30 | ```shell
31 | wget -v https://download.aquasec.com/host-enforcer/<MAJOR_VERSION>/aqua-vm-enforcer-<VERSION>.aarch64.deb \
32 | --user=<USERNAME> \
33 | --ask-password
34 | ```
35 |
36 | Make sure to replace `<MAJOR_VERSION>` and `<VERSION>` with the relevant versions; see the Aqua release page: [aqua update releases](https://docs.aquasec.com/docs/update-releases).
37 |
38 |
39 | **Step 2. Copy the downloaded DEB package to the target VM(s).**
40 |
41 |
42 | **Step 3. Write the `aquavmenforcer.json` configuration file.**
43 |
44 | ```shell
45 | sudo mkdir -p /etc/conf/
46 | sudo touch /etc/conf/aquavmenforcer.json
47 | ```
48 |
49 | **Step 4. Run the following command with the relevant values for:**
50 |
51 | * `GATEWAY_HOSTNAME` and `PORT`: Aqua Gateway host/IP address and port
52 | * `TOKEN_VALUE`: Enforcer group token
53 | * `AQUA_TLS_VERIFY_VALUE`: *(Optional)* `true` or `false`. Enables TLS verification in the Enforcer. For Aqua **cloud** users this setting is **MANDATORY** and must be `true`.
54 | * If `AQUA_TLS_VERIFY_VALUE` value is `true` below values are **MANDATORY** :
55 | * `ROOT_CA_PATH`: path to the root CA certificate (required for self-signed certificates; otherwise `ROOT_CA_PATH` is **OPTIONAL**)
56 | [NOTE]: the `ROOT_CA_PATH` certificate must be the same CA that was used to generate the Gateway certificates
57 | * `PUBLIC_KEY_PATH`: path to the client public certificate
58 | * `PRIVATE_KEY_PATH`: path to Client private key
59 |
60 | ```shell
61 | sudo tee /etc/conf/aquavmenforcer.json << EOF
62 | {
63 | "AQUA_GATEWAY": "{GATEWAY_HOSTNAME}:{PORT}",
64 | "AQUA_TOKEN": "{TOKEN_VALUE}",
65 | "AQUA_TLS_VERIFY": {AQUA_TLS_VERIFY_VALUE},
66 | "AQUA_ROOT_CA": "{ROOT_CA_PATH}",
67 | "AQUA_PUBLIC_KEY": "{PUBLIC_KEY_PATH}",
68 | "AQUA_PRIVATE_KEY": "{PRIVATE_KEY_PATH}"
69 | }
70 | EOF
71 | ```
72 |
73 | **Step 5. Deploy the DEB package.**
74 |
75 | ```shell
76 | sudo dpkg -i /path/to/aqua-vm-enforcer-{version}.{arch}.deb
77 | ```
78 |
79 | ## Upgrade
80 |
81 | To upgrade VM Enforcer using the DEB package:
82 |
83 | 1. Download the (updated) DEB package. Refer to step 1 in the [Deploy VM Enforcer](#deploy-vm-enforcer) section.
84 | 2. Upgrade VM Enforcer.
85 |
86 | ```shell
87 | sudo dpkg -i /path/to/aqua-vm-enforcer-{version}.{arch}.deb
88 | ```
89 |
90 | ## Troubleshooting
91 |
92 | ### Check the logs
93 |
94 | Check the VM Enforcer application logs.
95 |
96 | ```shell
97 | cat /opt/aquasec/tmp/aquasec.log
98 | ```
99 |
100 | ### Check the Journal
101 |
102 | 1. Check the service status.
103 |
104 | ```shell
105 | sudo systemctl status aqua-enforcer
106 | ```
107 |
108 | 2. Check the journal logs.
109 |
110 | If the service status is inactive or showing any errors, you can check the journalctl logs for more details.
111 |
112 | ```shell
113 | sudo journalctl -u aqua-enforcer.service
114 | ```
115 |
116 | ## Uninstall
117 | Uninstall the VM Enforcer DEB package:
118 |
119 | ```shell
120 | sudo dpkg -r aqua-vm-enforcer
121 | ```
122 |
123 | ## Build a DEB package (optional)
124 |
125 | To Build a DEB package for VM Enforcer:
126 | 1. Update the DEB scripts as required.
127 | 2. Update the DEB version in `nfpm.yaml`.
128 | 3. Upload the VM Enforcer archive to `archives` folder.
129 | 4. Create environment variables, `DEB_ARCH` and `DEB_VERSION`.
130 |
131 | ```shell
132 | export DEB_ARCH=amd64 #change to arm64 for arm based systems
133 | export DEB_VERSION=2.10.0 #mention version for VM Enforcer
134 | ```
135 |
136 | 5. Download NFPM (DEB Package Creator). Note that the repository entry below is marked `[trusted=yes]`, which disables APT's signature verification for that source.
137 |
138 | ```shell
139 | echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
140 | sudo apt update
141 | sudo apt install nfpm
142 | ```
143 |
144 | 6. Build the DEB package.
145 |
146 | ```shell
147 | mkdir -p pkg
148 | nfpm pkg --packager deb --target ./pkg/
149 | ```
150 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/archives/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Aqua VM Enforcer archive directory
4 |
5 | *Place the Aqua Enforcer tar archive here.*
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/nfpm.yaml:
--------------------------------------------------------------------------------
name: aqua-vm-enforcer
# DEB_ARCH / DEB_VERSION come from the environment (README, "Build a DEB package").
arch: $DEB_ARCH
platform: "linux"
version: v${DEB_VERSION}
section: "default"
priority: "extra"
# Runtime requirements of the package scripts; runc is presumably the
# container runtime the enforcer launches (the postinstall script is not in this listing).
depends:
  - bash
  - tar
  - jq
  - runc
replaces:
  - aqua-vm-enforcer
provides:
  - aqua-vm-enforcer
# NOTE(review): the maintainer e-mail appears to be missing; a bare name is not a valid Maintainer field.
maintainer: "Amir Jerbi "
description: |
  Aqua Enterprise is a layered, full-lifecycle cloud native security platform that secures containerized, serverless, and VM-based applications, from CI/CD pipelines through production runtime environments.
vendor: "aqua-enterprise"
homepage: "https://github.com/aquasecurity/deployments"
license: "MIT"
disable_globbing: false
# Payload is staged under /tmp/aqua for postinstall.sh to consume.
# NOTE(review): /tmp is world-writable and subject to tmp cleaners, so package
# content staged there can be altered or removed between install and use;
# /usr/share or /var/lib would be the conventional home. With globbing enabled,
# ./archives/* also ships archives/README.md.
contents:
  - src: ../templates/*
    dst: /tmp/aqua/templates/
  - src: ./archives/*
    dst: /tmp/aqua/
  - src: ./selinux/aquavme/aquavme.pp
    dst: /usr/share/selinux/targeted/aquavme.pp
# Lifecycle hooks; postinstall.sh is referenced but not part of this listing.
scripts:
  postinstall: ./scripts/postinstall.sh
  preremove: ./scripts/preuninstall.sh
  postremove: ./scripts/postuninstall.sh
34 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/scripts/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Aqua VM Enforcer DEB Scripts
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/scripts/postuninstall.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
# systemd unit installed by the package; the same name is used by preuninstall.sh.
ENFORCER_SERVICE_FILE_NAME="aqua-enforcer.service"
# SELinux module shipped as /usr/share/selinux/targeted/aquavme.pp (see nfpm.yaml).
SELINUX_POLICY_MODULE="aquavme"
5 |
6 |
error_message(){
    # Report a fatal scriptlet error and stop the package-manager hook with status 1.
    printf 'Error: %s\n' "${1}"
    exit 1
}
11 |
12 |
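remove_service() {
    # Drop the unit file from every location the installer may have used;
    # rm -f keeps this idempotent when a path does not exist.
    rm -f "/etc/systemd/system/${ENFORCER_SERVICE_FILE_NAME}" \
          "/usr/lib/systemd/system/${ENFORCER_SERVICE_FILE_NAME}" \
          "/etc/init.d/${ENFORCER_SERVICE_FILE_NAME}"
    # All three steps must succeed; previously only `reset-failed` was checked,
    # so a failed rm or daemon-reload was reported as success.
    if systemctl daemon-reload && systemctl reset-failed; then
        echo "Info: VM Enforcer service was successfully removed."
    else
        error_message "Unable to remove the service. please check the logs."
    fi
}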
25 |
remove_policy_module() {
    # Delete the packaged policy file, then unload the module from the targeted store.
    local policy_file="/usr/share/selinux/targeted/${SELINUX_POLICY_MODULE}.pp"
    rm -rf "${policy_file}"
    # Unloading is best-effort: on hosts without SELinux/semodule this fails harmlessly.
    /usr/sbin/semodule -s targeted -X 300 -r "${SELINUX_POLICY_MODULE}" >/dev/null 2>&1 || :
    echo "Info: Removed Selinux Policy module ${SELINUX_POLICY_MODULE}"
}
32 |
remove_dirs() {
    # Install root, bundled runc, and the staging area nfpm.yaml populates under /tmp.
    local dir
    for dir in /opt/aquasec /opt/aqua-runc /tmp/aqua; do
        rm -rf "${dir}"
    done
}
38 |
remove_logs() {
    # The log lives under the install root, so this is a no-op once
    # remove_dirs has run; kept for standalone use of this function.
    local log_file="/opt/aquasec/tmp/aquasec.log"
    rm -f "${log_file}"
}
42 |
remove() {
    # Full uninstall sequence for the "remove" action. Order matters: the
    # unit is dropped first so nothing can restart while files are removed.
    local step
    for step in remove_service remove_policy_module remove_dirs remove_logs; do
        "${step}"
    done
}
49 |
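restart_service() {
    # Upgrade path: reload unit definitions and restart the enforcer only if
    # it is currently running (try-restart). A daemon-reload failure was
    # previously masked because only try-restart's status was inspected.
    if systemctl daemon-reload && systemctl try-restart "${ENFORCER_SERVICE_FILE_NAME}"; then
        echo "Info: VM Enforcer was successfully re-deployed and started."
    else
        error_message "Unable to re-start service. please check the logs."
    fi
}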
59 |
60 |
# Scriptlet argument: rpm passes "0" (last instance removed) or "1"
# (upgrade); dpkg passes the words "remove" / "upgrade". Any other dpkg
# phase ("purge", "failed-upgrade", ...) falls through and does nothing.
action="$1"

case "$action" in
    "0" | "remove")
        remove
        ;;
    "1" | "upgrade")
        restart_service
        ;;
esac
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/scripts/preuninstall.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | ENFORCER_SERVICE_FILE_NAME="aqua-enforcer.service"
4 |
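# Report a fatal scriptlet error and abort with status 1. Defined here because
# the package manager runs this script on its own: the original called
# error_message without defining it, so a failed stop/disable produced
# "command not found" and the uninstall carried on as if it had succeeded.
error_message() {
    echo "Error: ${1}"
    exit 1
}

stop_service() {
    # Stop the running enforcer, then prevent it from starting at boot.
    # Each step is checked directly instead of via a trailing $? test.
    if systemctl stop "${ENFORCER_SERVICE_FILE_NAME}"; then
        echo "Info: VM Enforcer service stopped."
    else
        error_message "Unable to stop the service. please check the logs."
    fi
    if systemctl disable "${ENFORCER_SERVICE_FILE_NAME}"; then
        echo "Info: VM Enforcer service disabled."
    else
        error_message "Unable to disable the service. please check the logs."
    fi
}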
19 |
# Scriptlet argument: rpm passes "0" (removal) or "1" (upgrade); dpkg passes
# "remove" / "upgrade". On upgrade the service is intentionally left running
# so postuninstall.sh can try-restart it.
action="$1"

case "$action" in
    "0" | "remove")
        stop_service
        ;;
    "1" | "upgrade")
        ### pass
        ;;
esac
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/selinux/aquavme/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | # Aqua VM Enforcer Selinux Policy
5 |
6 |
7 | ##### Prerequisites
8 | 1) Selinux
9 | 2) Selinux Policy Devel
10 | `sudo yum install setools-console selinux-policy-devel`
11 |
12 | ##### Build
13 | 1) Update Policy Source File (.te) according to requirements
14 | 2) Compile the policy (in directory with .te file),
15 | `sudo make NAME=targeted -f /usr/share/selinux/devel/Makefile`
16 | `sudo make NAME=targeted -f /usr/share/selinux/devel/Makefile clean`
17 | 3) Use the compiled policy (.pp) file inside the Aqua VM Enforcer DEB package
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/selinux/aquavme/aquavme.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aquasecurity/deployments/524ccd94bfb2c80921d954dd3fbb509cfe4e390d/enforcers/vm_enforcer/deb/selinux/aquavme/aquavme.pp
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/deb/selinux/aquavme/aquavme.te:
--------------------------------------------------------------------------------
1 |
module aquavme 1.0;

# Types and permissions this module references from the base (targeted) policy.
require {
	type init_t;
	type user_tmp_t;
	type usr_t;
	type iptables_t;
	type rpm_script_t;
	type unconfined_service_t;
	type container_runtime_t;
	type container_runtime_tmpfs_t;
	type container_runtime_exec_t;
	class process siginh;
	class file { write entrypoint };
	class chr_file { read write };
	class unix_dgram_socket { read write };
	class unix_stream_socket { read write };
}


#============= init_t ==============
# NOTE(review): these rules read like audit2allow output. Each one widens the
# base policy for a whole system domain (init, iptables, rpm scriptlets) rather
# than for an enforcer-specific domain, so every process in that domain gains
# the permission, not just the enforcer.
allow init_t unconfined_service_t:process siginh;
# PID 1 may write files labelled usr_t / user_tmp_t.
allow init_t usr_t:file write;
allow init_t user_tmp_t:file write;


#============= iptables_t ==============
# iptables talking to the container runtime's sockets and tmpfs device nodes.
allow iptables_t container_runtime_tmpfs_t:chr_file { read write };
allow iptables_t container_runtime_t:unix_dgram_socket { read write };
allow iptables_t container_runtime_t:unix_stream_socket { read write };
allow iptables_t usr_t:file write;


#============= rpm_script_t ==============
# Lets package scriptlets execute a container_runtime_exec_t binary as an
# entrypoint; presumably so the postinstall hook can invoke runc (that script
# is not part of this listing).
allow rpm_script_t container_runtime_exec_t:file entrypoint;
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/golden_image/AquaGoldenImagePrep.bat:
--------------------------------------------------------------------------------
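@echo off
SETLOCAL ENABLEEXTENSIONS

REM Windows counterpart of AquaGoldenImagePrep.sh: stop the enforcer services,
REM wipe the data directory and create the GOLDEN_IMAGE marker file.
set AQUA_ROOT_DIR=C:\Program Files\AquaSec
set AQUA_DATA_DIR=C:\Program Files\AquaSec\data

REM Reset ERRORLEVEL to 0 before the first check.
cmd /c exit /b 0

goto check_Permissions

:check_Permissions
REM "net session" only succeeds in an elevated shell.
net session >nul 2>&1
if %errorLevel% NEQ 0 (
    echo Administrator privilege is required.
    REM "exit /b" returns to the caller; a bare "exit" closed the invoking cmd window.
    exit /b 1
)

:check_commandline
set OPTION=%1
IF "%OPTION%" EQU "--silent" goto stop_service
IF "%OPTION%" EQU "--help" goto display_usage
goto display_prompt

:display_usage
@echo.
@echo Aqua Security Golden Image Preparation script
@echo.
@echo Usage: %0 [--silent ^| --help]
@echo.
goto end

:display_prompt
@echo.
SET /P PROCEED=The Aqua Golden Image preparation script will perform irreversible cleanup actions on the VM Enforcer. Proceed? [Y/N]
REM Anything other than Y/y, including an empty answer, aborts.
IF /I "%PROCEED%" NEQ "Y" goto end

:please_wait
@echo.
@echo Please wait

:stop_service
REM slkd and containermonitor are the enforcer's Windows services (as named by this script).
net stop slkd >nul 2>&1
net stop containermonitor >nul 2>&1
goto delete_database

:delete_database
REM NOTE(review): del does not recurse into subdirectories; confirm no nested data survives.
del /Q /F "%AQUA_DATA_DIR%\*" >nul 2>&1
goto delete_guid

:delete_guid
REM Already covered by the wildcard above; kept so the host identity goes even if that line is edited.
del /Q /F "%AQUA_DATA_DIR%\guid" >nul 2>&1
goto create_golden_image_file

:create_golden_image_file
REM Empty marker file; its presence controls enforcer behaviour on the cloned image (see the .sh header).
copy /y NUL "%AQUA_ROOT_DIR%\GOLDEN_IMAGE" >nul 2>&1
goto print_success

:print_success
@echo.
@echo Operation successful. The VM Enforcer is ready for Golden Image creation.
goto end

:end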
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/golden_image/AquaGoldenImagePrep.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | # Prepares VM golden image for deployment of VM enforcer
4 | # Preparation is done as follows:
5 | # 1. perform cleanup of previously installed VM enforcer (stop and remove data).
6 | # 2. create special GOLDEN_IMAGE file to control VM enforcer to be deployed into image.
7 |
# Install root of the VM enforcer, filled in by detect_install_dir.
AQUA_ROOT_DIR=
# --silent skips the confirmation prompt; --debug enables dbg() output.
SILENT_MODE=0
DEBUG_MODE=0
11 |
display_usage()
{
    # Print the synopsis and stop; reached via --help.
    script_name=$(basename "$0")
    printf '%s\n' "Aqua Security Golden Image Preparation script"
    printf 'Usage: %s [ --silent | --help ]\n' "$script_name"

    exit 0
}
19 |
check_permissions()
{
    # Root is required: the script stops a system service and deletes its data.
    if [ "$(id -u)" != 0 ]; then
        echo "ROOT privileges are required to run this script."
        exit 1
    fi
}
24 |
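parse_command_line()
{
    # Sets the SILENT_MODE / DEBUG_MODE globals; --help prints usage and exits.
    # Unknown arguments used to be ignored silently, so a mistyped --silent
    # turned an unattended run into an interactive one; now warn on stderr.
    while [ $# -gt 0 ]; do
        case "$1" in
            --silent ) SILENT_MODE=1 ;;
            --debug )  DEBUG_MODE=1 ;;
            --help )   display_usage ;;
            * ) echo "Warning: ignoring unknown argument '$1'" >&2 ;;
        esac
        shift
    done
}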
36 |
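display_prompt()
{
    # Ask for confirmation before the destructive steps. The prompt advertises
    # [Y/N], so accept either case of "y" (the old check accepted only "y").
    # printf replaces "echo -n", which is not portable under /bin/sh.
    echo
    printf '%s' "The Aqua Golden Image preparation script will perform irreversible cleanup actions on the VM Enforcer. Proceed? [Y/N]: "
    read user_input
    case "$user_input" in
        y | Y ) ;;
        * ) exit 0 ;;
    esac
}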
44 |
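dbg()
{
    # Emit a debug line only when --debug was given. The argument is quoted so
    # messages such as "[debug]: ..." are not subject to globbing or word splitting.
    [ "$DEBUG_MODE" = 1 ] && printf '%s\n' "$1"
}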
49 |
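detect_install_dir()
{
    # Locate the VM enforcer install root, in order of preference:
    #   1. path recorded in /etc/aquasec, 2. /opt/aquasec, 3. /var/lib/aquasec,
    #   4. the AQUA_INSTALL_DIR environment variable.
    # Every candidate must be an existing directory; otherwise the script aborts
    # rather than cleaning an unintended location.
    dbg "[debug]: detecting VM enforcer installation directory"
    if [ -f /etc/aquasec ]; then
        dbg "[debug]: trying to read installation path from file /etc/aquasec"
        AQUA_ROOT_DIR=$(cat /etc/aquasec)
    fi
    if [ ! -d "$AQUA_ROOT_DIR" ]; then
        dbg "[debug]: trying /opt/aquasec as installation path"
        AQUA_ROOT_DIR=/opt/aquasec
    fi
    if [ ! -d "$AQUA_ROOT_DIR" ]; then
        dbg "[debug]: trying /var/lib/aquasec as installation path"
        AQUA_ROOT_DIR=/var/lib/aquasec
    fi
    if [ ! -d "$AQUA_ROOT_DIR" ]; then
        # The message used to name AQUA_INSTALL_PATH while the code reads
        # AQUA_INSTALL_DIR; the variable actually consulted is kept, the text fixed.
        dbg "[debug]: trying to read installation path from AQUA_INSTALL_DIR environment variable"
        AQUA_ROOT_DIR=$(printenv AQUA_INSTALL_DIR)
    fi
    if [ ! -d "$AQUA_ROOT_DIR" ]; then
        echo "Failed detecting VM enforcer installation directory, exiting."
        exit 1
    fi
}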
76 |
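stop_vm_enforcer()
{
    # Stop the aqua-enforcer unit, retrying up to three times, and abort if it
    # is still active afterwards. "{1..3}" (brace expansion) and "sleep 1s" are
    # bash/GNU-isms: under a POSIX /bin/sh such as dash the old loop ran exactly
    # once with the literal word "{1..3}".
    dbg "[debug]: stopping VM enforcer"
    vm_enforcer_service="aqua-enforcer"
    rc=0
    for attempt in 1 2 3; do
        # "not loaded" means the unit does not exist on this host; not worth showing.
        systemctl stop "$vm_enforcer_service" 2>&1 | grep -iv "not loaded"
        systemctl is-active --quiet "$vm_enforcer_service"
        rc=$?

        [ "$rc" != 0 ] && break

        sleep 1
    done

    if [ "$rc" = 0 ]; then
        # Still active after three attempts.
        echo "Failed stopping vm enforcer, exiting"
        exit 1
    fi
}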
98 |
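delete_vm_enforcer_data()
{
    # Wipe the enforcer's data directory so the image carries no host identity.
    # Refuse to run with an empty root: "$AQUA_ROOT_DIR"/data/* would otherwise
    # expand to /data/* and delete from the filesystem root.
    if [ -z "$AQUA_ROOT_DIR" ]; then
        echo "Installation directory is not set, refusing to delete data."
        exit 1
    fi
    dbg "[debug]: deleting VM enforcer data"
    db_dir="$AQUA_ROOT_DIR"/data
    # The wildcard already covers the guid file; the separate rm was redundant.
    rm -rf "$db_dir"/*
}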
106 |
107 |
create_golden_image_file()
{
    # Empty marker file; per the script header it controls how the enforcer
    # deploys from the cloned image.
    marker="$AQUA_ROOT_DIR"/GOLDEN_IMAGE
    dbg "[debug]: creating golden image file"
    touch "$marker"
}
113 |
# --- main: argument parsing, preflight checks, then the cleanup sequence ---
parse_command_line "$@"
check_permissions
detect_install_dir

# Interactive confirmation unless --silent was given.
[ "$SILENT_MODE" = 0 ] && display_prompt

echo "Please wait."
stop_vm_enforcer
delete_vm_enforcer_data

create_golden_image_file

echo "Operation successful. The VM Enforcer is ready for Golden Image creation."

exit 0
129 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/golden_image/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua VM Enforcer
4 |
5 | ## Golden Image
6 |
7 | ### Overview
8 |
9 | You can prepare a golden image for automated and easy deployment of VMs (hosts) with VM Enforcers. This procedure can be used for Linux and Windows VMs running any of the operating systems supported for VM Enforcer deployment.
10 |
11 | ### Deployment steps
12 |
13 | Refer to the [Product documentation](https://docs.aquasec.com/v2022.4/docs/vm-enforcer-golden-image) for the complete description and instructions.
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/.gitignore:
--------------------------------------------------------------------------------
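bin
pkg
# Enforcer tarballs dropped into archives/ must never be committed.
# A leading "./" is not pattern syntax in gitignore, so the previous
# "./archives/*.tar" matched nothing and the archives were not ignored.
archives/*.tar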
4 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/README.md:
--------------------------------------------------------------------------------
1 | # Deploy VM Enforcer using RPM Package
2 |
3 | ## Overview
4 | Red Hat Linux and its derivatives such as CentOS and Fedora use RPM Package Manager to manage and install software. RPM also refers to the `rpm`, `yum` and `dnf` commands and `.rpm` file format.
5 |
6 | You can use RPM package to deploy a VM Enforcer on one or more VMs (hosts).
7 |
8 | ## Prerequisites
9 | Following packages are required for installing VM Enforcer `.rpm` package:
10 | * wget
11 | * tar
12 | * jq
13 | * runc
14 |
15 | ## Deploy VM Enforcer
16 |
17 | **Step 1. Download the RPM package for your architecture, using an authorized username and password.**
18 |
19 |
20 | * **x86_64/amd64:**
21 |
22 | ```shell
23 | wget -v https://download.aquasec.com/host-enforcer/<MAJOR_VERSION>/aqua-vm-enforcer-<VERSION>.x86_64.rpm \
24 | --user=<USERNAME> \
25 | --ask-password
26 | ```
27 | * **arm64:**
28 |
29 | ```shell
30 | wget -v https://download.aquasec.com/host-enforcer/<MAJOR_VERSION>/aqua-vm-enforcer-<VERSION>.aarch64.rpm \
31 | --user=<USERNAME> \
32 | --ask-password
33 | ```
34 |
35 | Make sure to replace `<MAJOR_VERSION>` and `<VERSION>` with the relevant versions; see the Aqua release page: [aqua update releases](https://docs.aquasec.com/docs/update-releases).
36 |
37 | **Step 2. Copy the downloaded RPM package onto the target VM(s).**
38 |
39 |
40 | **Step 3. Write the `aquavmenforcer.json` configuration file**
41 |
42 | ```shell
43 | sudo mkdir -p /etc/conf/
44 | sudo touch /etc/conf/aquavmenforcer.json
45 | ```
46 |
47 | **Step 4. Run the following command with the relevant values for:**
48 |
49 | * `GATEWAY_HOSTNAME` and `PORT`: Aqua Gateway host/IP address and port
50 | * `TOKEN_VALUE`: Enforcer group token
51 | * `AQUA_TLS_VERIFY_VALUE`: `true` or `false`. Enables TLS verification in the Enforcer. This is optional, but for Aqua **cloud** users it is **MANDATORY** and must be `true`.
52 | * If `AQUA_TLS_VERIFY_VALUE` value is `true` below values are **MANDATORY** :
53 | * `ROOT_CA_PATH`: path to the root CA certificate (required for self-signed certificates; otherwise `ROOT_CA_PATH` is **OPTIONAL**)
54 | [NOTE]: the `ROOT_CA_PATH` certificate must be the same CA that was used to generate the Gateway certificates
55 | * `PUBLIC_KEY_PATH`: path to the client public certificate
56 | * `PRIVATE_KEY_PATH`: path to Client private key
57 |
58 | ```shell
59 | sudo tee /etc/conf/aquavmenforcer.json << EOF
60 | {
61 | "AQUA_GATEWAY": "{GATEWAY_HOSTNAME}:{PORT}",
62 | "AQUA_TOKEN": "{TOKEN_VALUE}",
63 | "AQUA_TLS_VERIFY": {AQUA_TLS_VERIFY_VALUE},
64 | "AQUA_ROOT_CA": "{ROOT_CA_PATH}",
65 | "AQUA_PUBLIC_KEY": "{PUBLIC_KEY_PATH}",
66 | "AQUA_PRIVATE_KEY": "{PRIVATE_KEY_PATH}"
67 | }
68 | EOF
69 | ```
70 |
71 | **Step 5. Deploy the RPM**
72 |
73 | ```shell
74 | sudo rpm -ivh /path/to/aqua-vm-enforcer-{version}.{arch}.rpm
75 | ```
76 |
77 | ## Upgrade
78 |
79 | To upgrade the VM Enforcer using the RPM package:
80 |
81 | 1. Download the (updated) RPM package. Refer to step 1 in the [Deploy VM Enforcer](#deploy-vm-enforcer) section.
82 | 2. Upgrade the VM Enforcer using the following command:
83 |
84 | ```shell
85 | sudo rpm -U /path/to/aqua-vm-enforcer-{version}.{arch}.rpm
86 | ```
87 |
88 | ## Troubleshooting
89 |
90 | ### Check the logs
91 |
92 | Check the VM Enforcer application logs.
93 |
94 | ```shell
95 | cat /opt/aquasec/tmp/aquasec.log
96 | ```
97 |
98 | ### Check the Journal
99 |
100 | 1. Check the service status.
101 |
102 | ```shell
103 | sudo systemctl status aqua-enforcer
104 | ```
105 |
106 | 2. Check the journal logs.
107 |
108 | If the service status is inactive or shows any errors, you can check the journalctl logs for more details:
109 |
110 | ```shell
111 | sudo journalctl -u aqua-enforcer.service
112 | ```
113 |
114 | ## Uninstall
115 | To uninstall the VM Enforcer `rpm` package:
116 |
117 | ```shell
118 | sudo rpm -e aqua-vm-enforcer
119 | ```
120 |
121 | ## Build an RPM package (optional)
122 |
123 | To Build an RPM package for VM-Enforcer:
124 | 1. Update the RPM scripts as required.
125 | 2. Update the RPM version in `nfpm.yaml`.
126 | 3. Upload the VM-Enforcer archive to `archives` folder.
127 | 4. Create environment variables of `RPM_ARCH` and `RPM_VERSION`.
128 |
129 | ```shell
130 | export RPM_ARCH=x86_64 #change to arm64 for arm based systems
131 | export RPM_VERSION=2022.4 #mention version for VM Enforcer
132 | ```
133 |
134 | 5. Download NFPM (RPM Package Creator). Note that the repository definition below sets `gpgcheck=0`, which disables package signature verification for that source.
135 |
136 | ```shell
137 | echo '[goreleaser]
138 | name=GoReleaser
139 | baseurl=https://repo.goreleaser.com/yum/
140 | enabled=1
141 | gpgcheck=0' | sudo tee /etc/yum.repos.d/goreleaser.repo
142 | sudo yum install nfpm
143 |
144 | ```
145 |
146 | 6. Build the RPM.
147 |
148 | ```shell
149 | mkdir -p pkg
150 | nfpm pkg --packager rpm --target ./pkg/
151 | ```
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/archives/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Aqua VM Enforcer archive directory
4 |
5 | *Place the Aqua Enforcer tar archive here.*
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/nfpm.yaml:
--------------------------------------------------------------------------------
name: aqua-vm-enforcer
# RPM_ARCH / RPM_VERSION come from the environment (README, "Build an RPM package").
arch: $RPM_ARCH
platform: "linux"
version: v${RPM_VERSION}
section: "default"
priority: "extra"
# Runtime requirements of the package scripts; runc is presumably the
# container runtime the enforcer launches (the postinstall script is not in this listing).
depends:
  - bash
  - tar
  - jq
  - runc
replaces:
  - aqua-vm-enforcer
provides:
  - aqua-vm-enforcer
# NOTE(review): the maintainer e-mail appears to be missing; a bare name is not a valid Maintainer field.
maintainer: "Amir Jerbi "
description: |
  Aqua Enterprise is a layered, full-lifecycle cloud native security platform that secures containerized, serverless, and VM-based applications, from CI/CD pipelines through production runtime environments.
vendor: "aqua-enterprise"
homepage: "https://github.com/aquasecurity/deployments"
license: "MIT"
disable_globbing: false
# Payload is staged under /tmp/aqua for postinstall.sh to consume.
# NOTE(review): /tmp is world-writable and subject to tmp cleaners, so package
# content staged there can be altered or removed between install and use;
# /usr/share or /var/lib would be the conventional home. With globbing enabled,
# ./archives/* also ships archives/README.md.
contents:
  - src: ../templates/*
    dst: /tmp/aqua/templates/
  - src: ./archives/*
    dst: /tmp/aqua/
  - src: ./selinux/aquavme/aquavme.pp
    dst: /usr/share/selinux/targeted/aquavme.pp
# Lifecycle hooks; postinstall.sh is referenced but not part of this listing.
scripts:
  postinstall: ./scripts/postinstall.sh
  preremove: ./scripts/preuninstall.sh
  postremove: ./scripts/postuninstall.sh
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/scripts/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Aqua VM Enforcer RPM Scripts
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/scripts/postuninstall.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
# systemd unit installed by the package; the same name is used by preuninstall.sh.
ENFORCER_SERVICE_FILE_NAME="aqua-enforcer.service"
# SELinux module shipped as /usr/share/selinux/targeted/aquavme.pp (see nfpm.yaml).
SELINUX_POLICY_MODULE="aquavme"
5 |
6 |
error_message(){
    # Report a fatal scriptlet error and stop the package-manager hook with status 1.
    printf 'Error: %s\n' "${1}"
    exit 1
}
11 |
12 |
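remove_service() {
    # Drop the unit file from every location the installer may have used;
    # rm -f keeps this idempotent when a path does not exist.
    rm -f "/etc/systemd/system/${ENFORCER_SERVICE_FILE_NAME}" \
          "/usr/lib/systemd/system/${ENFORCER_SERVICE_FILE_NAME}" \
          "/etc/init.d/${ENFORCER_SERVICE_FILE_NAME}"
    # All three steps must succeed; previously only `reset-failed` was checked,
    # so a failed rm or daemon-reload was reported as success.
    if systemctl daemon-reload && systemctl reset-failed; then
        echo "Info: VM Enforcer service was successfully removed."
    else
        error_message "Unable to remove the service. please check the logs."
    fi
}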
25 |
remove_policy_module() {
    # Delete the packaged policy file, then unload the module from the targeted store.
    local policy_file="/usr/share/selinux/targeted/${SELINUX_POLICY_MODULE}.pp"
    rm -rf "${policy_file}"
    # Unloading is best-effort: on hosts without SELinux/semodule this fails harmlessly.
    /usr/sbin/semodule -s targeted -X 300 -r "${SELINUX_POLICY_MODULE}" >/dev/null 2>&1 || :
    echo "Info: Removed Selinux Policy module ${SELINUX_POLICY_MODULE}"
}
32 |
remove_dirs() {
    # Install root, bundled runc, and the staging area nfpm.yaml populates under /tmp.
    local dir
    for dir in /opt/aquasec /opt/aqua-runc /tmp/aqua; do
        rm -rf "${dir}"
    done
}
38 |
remove_logs() {
    # The log lives under the install root, so this is a no-op once
    # remove_dirs has run; kept for standalone use of this function.
    local log_file="/opt/aquasec/tmp/aquasec.log"
    rm -f "${log_file}"
}
42 |
remove() {
    # Full uninstall sequence for the "remove" action. Order matters: the
    # unit is dropped first so nothing can restart while files are removed.
    local step
    for step in remove_service remove_policy_module remove_dirs remove_logs; do
        "${step}"
    done
}
49 |
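restart_service() {
    # Upgrade path: reload unit definitions and restart the enforcer only if
    # it is currently running (try-restart). A daemon-reload failure was
    # previously masked because only try-restart's status was inspected.
    if systemctl daemon-reload && systemctl try-restart "${ENFORCER_SERVICE_FILE_NAME}"; then
        echo "Info: VM Enforcer was successfully re-deployed and started."
    else
        error_message "Unable to re-start service. please check the logs."
    fi
}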
59 |
60 |
# Scriptlet argument: rpm passes "0" (last instance removed) or "1"
# (upgrade); dpkg passes the words "remove" / "upgrade". Any other dpkg
# phase ("purge", "failed-upgrade", ...) falls through and does nothing.
action="$1"

case "$action" in
    "0" | "remove")
        remove
        ;;
    "1" | "upgrade")
        restart_service
        ;;
esac
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/scripts/preuninstall.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | ENFORCER_SERVICE_FILE_NAME="aqua-enforcer.service"
4 |
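# Report a fatal scriptlet error and abort with status 1. Defined here because
# the package manager runs this script on its own: the original called
# error_message without defining it, so a failed stop/disable produced
# "command not found" and the uninstall carried on as if it had succeeded.
error_message() {
    echo "Error: ${1}"
    exit 1
}

stop_service() {
    # Stop the running enforcer, then prevent it from starting at boot.
    # Each step is checked directly instead of via a trailing $? test.
    if systemctl stop "${ENFORCER_SERVICE_FILE_NAME}"; then
        echo "Info: VM Enforcer service stopped."
    else
        error_message "Unable to stop the service. please check the logs."
    fi
    if systemctl disable "${ENFORCER_SERVICE_FILE_NAME}"; then
        echo "Info: VM Enforcer service disabled."
    else
        error_message "Unable to disable the service. please check the logs."
    fi
}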
19 |
# Scriptlet argument: rpm passes "0" (removal) or "1" (upgrade); dpkg passes
# "remove" / "upgrade". On upgrade the service is intentionally left running
# so postuninstall.sh can try-restart it.
action="$1"

case "$action" in
    "0" | "remove")
        stop_service
        ;;
    "1" | "upgrade")
        ### pass
        ;;
esac
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/selinux/aquavme/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | # Aqua VM Enforcer Selinux Policy
5 |
6 |
7 | ##### Prerequisites
8 | 1) Selinux
9 | 2) Selinux Policy Devel
10 | `sudo yum install setools-console selinux-policy-devel`
11 |
12 | ##### Build
13 | 1) Update Policy Source File (.te) according to requirements
14 | 2) Compile the policy (in directory with .te file),
15 | `sudo make NAME=targeted -f /usr/share/selinux/devel/Makefile`
16 | `sudo make NAME=targeted -f /usr/share/selinux/devel/Makefile clean`
17 | 3) Use the compiled policy (.pp) file inside Aqua VM Enforcer RPM
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/selinux/aquavme/aquavme.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aquasecurity/deployments/524ccd94bfb2c80921d954dd3fbb509cfe4e390d/enforcers/vm_enforcer/rpm/selinux/aquavme/aquavme.pp
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/selinux/aquavme/aquavme.te:
--------------------------------------------------------------------------------
1 |
module aquavme 1.0;

# Types and permissions this module references from the base (targeted) policy.
require {
	type init_t;
	type user_tmp_t;
	type usr_t;
	type iptables_t;
	type rpm_script_t;
	type unconfined_service_t;
	type container_runtime_t;
	type container_runtime_tmpfs_t;
	type container_runtime_exec_t;
	class process siginh;
	class file { write entrypoint };
	class chr_file { read write };
	class unix_dgram_socket { read write };
	class unix_stream_socket { read write };
}


#============= init_t ==============
# NOTE(review): these rules read like audit2allow output. Each one widens the
# base policy for a whole system domain (init, iptables, rpm scriptlets) rather
# than for an enforcer-specific domain, so every process in that domain gains
# the permission, not just the enforcer.
allow init_t unconfined_service_t:process siginh;
# PID 1 may write files labelled usr_t / user_tmp_t.
allow init_t usr_t:file write;
allow init_t user_tmp_t:file write;


#============= iptables_t ==============
# iptables talking to the container runtime's sockets and tmpfs device nodes.
allow iptables_t container_runtime_tmpfs_t:chr_file { read write };
allow iptables_t container_runtime_t:unix_dgram_socket { read write };
allow iptables_t container_runtime_t:unix_stream_socket { read write };
allow iptables_t usr_t:file write;


#============= rpm_script_t ==============
# Lets package scriptlets execute a container_runtime_exec_t binary as an
# entrypoint; presumably so the postinstall hook can invoke runc (that script
# is not part of this listing).
allow rpm_script_t container_runtime_exec_t:file entrypoint;
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/selinux/aquavme/fcos_aquavme.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aquasecurity/deployments/524ccd94bfb2c80921d954dd3fbb509cfe4e390d/enforcers/vm_enforcer/rpm/selinux/aquavme/fcos_aquavme.pp
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/rpm/selinux/aquavme/fcos_aquavme.te:
--------------------------------------------------------------------------------
1 |
# fcos_aquavme - SELinux policy module for the Fedora (CoreOS) variant of the
# Aqua VM Enforcer RPM; uninstall_vme.sh removes it by this module name.
# As with aquavme.te, the "#=====" banners match audit2allow output, so these
# rules appear to be collected from observed denials; several touch domains
# (sshd, syslogd, systemd-tmpfiles) that are not obviously enforcer-related
# and deserve a second look before they are granted system-wide.
module fcos_aquavme 1.0;

require {
    type systemd_tmpfiles_t;
    type chkpwd_t;
    type init_t;
    type install_t;
    type sshd_t;
    type user_tmp_t;
    type syslogd_t;
    type shadow_t;
    type unconfined_service_t;
    class file { open read write };
    class process { noatsecure rlimitinh siginh };
    class capability net_admin;
    class cap_userns sys_ptrace;
}

#============= init_t ==============
# systemd starting the installer and the unconfined enforcer service while the
# children keep their inherited signal state.
allow init_t install_t:process siginh;
allow init_t unconfined_service_t:process siginh;
allow init_t user_tmp_t:file { open write };

#============= sshd_t ==============
# sshd spawning the password-check helper without clearing rlimits, signal
# state or setting AT_SECURE.
allow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };
# NOTE(review): direct read of shadow_t files (e.g. /etc/shadow) by sshd.
# The stock policy delegates password checks to the chkpwd helper, so this
# looks like an audit2allow artefact rather than something the enforcer
# needs - confirm it is required.
allow sshd_t shadow_t:file { open read };

#============= syslogd_t ==============
# sys_ptrace inside a user namespace for syslogd; the reason is not visible
# here - confirm this is an enforcer requirement.
allow syslogd_t self:cap_userns sys_ptrace;

#============= systemd_tmpfiles_t ==============
# CAP_NET_ADMIN for systemd-tmpfiles; likewise not explained here - confirm.
allow systemd_tmpfiles_t self:capability net_admin;
34 |
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/shell/uninstall_vme.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
# systemd unit name of the VM Enforcer and the file it is installed from.
ENFORCER_SERVICE_NAME="aqua-enforcer"
ENFORCER_SERVICE_FILE_NAME="${ENFORCER_SERVICE_NAME}.service"
5 |
# Print an error and abort the uninstall with status 1.
#   $1 - text printed after the "Error: " prefix.
error_message() {
    printf 'Error: %s\n' "${1}"
    exit 1
}
10 |
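# Stop the enforcer unit. The original always reported success; now the exit
# status of systemctl is checked. A failure (unit missing, already stopped)
# is only a warning so the remaining cleanup steps still run.
stop_service() {
    if sudo systemctl stop "${ENFORCER_SERVICE_NAME}"; then
        echo "Info: VM Enforcer service was successfully stop."
    else
        echo "Warning: Unable to stop the VM Enforcer service; continuing with removal."
    fi
}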
15 |
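# Remove the systemd unit and reload systemd. Aborts via error_message on
# failure. Every step is now checked: the original tested $? of reset-failed
# only, so a failed rm or daemon-reload was reported as success.
remove_service() {
    # Drop the [Install] symlinks while the unit can still be resolved; once
    # the unit file is gone "disable" cannot find it. Best effort, the unit may
    # never have been enabled.
    systemctl disable "${ENFORCER_SERVICE_NAME}" 2>/dev/null || true
    rm -f "/etc/systemd/system/${ENFORCER_SERVICE_FILE_NAME}" \
        || error_message "Unable to remove the service. please check the logs."
    if systemctl daemon-reload && systemctl reset-failed; then
        echo "Info: VM Enforcer service was successfully removed."
    else
        error_message "Unable to remove the service. please check the logs."
    fi
}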
26 |
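# Delete the enforcer's install, runtime and temp directories. The original
# checked only the last rm; now any failed removal is reported.
remove_dirs() {
    local dir
    local failed=0
    for dir in /opt/aquasec /opt/aqua-runc /tmp/aqua; do
        rm -rf "${dir}" || failed=1
    done
    if [ "${failed}" -eq 0 ]; then
        echo "Info: VM Enforcer dirs were successfully removed."
    else
        error_message "Unable to remove folders. please check the logs."
    fi
}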
38 |
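# Remove the "aquavme" SELinux module if it is loaded (RHEL path).
remove_selinux_module() {
    # -w keeps the match exact: a bare "aquavme" pattern also matched the
    # fcos_aquavme module; -q stops the module list from leaking to stdout.
    if semodule -l | grep -qw "aquavme"; then
        echo "Info: Removing SElinux policy module."
        semodule -r aquavme \
            || error_message "Unable to remove the SElinux policy module. please check the logs."
    else
        echo "Info: SElinux policy module not found"
    fi
}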
48 |
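# Remove the "fcos_aquavme" SELinux module if it is loaded (Fedora path).
remove_selinux_module_fedora() {
    # The original grepped for "aquavme" but removed "fcos_aquavme", so a
    # host with only the RHEL module loaded would attempt (and fail) the
    # removal of a module that is not there. Match the exact module name.
    if semodule -l | grep -qw "fcos_aquavme"; then
        echo "Info: Removing SElinux policy module."
        semodule -r fcos_aquavme \
            || error_message "Unable to remove the SElinux policy module. please check the logs."
    else
        echo "Info: SElinux policy module not found"
    fi
}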
58 |
# Detect RHEL 8/9 through the PLATFORM_ID field of the release files and, if
# found, remove the aquavme SELinux module. Other systems are left alone.
is_it_rhel() {
    if cat /etc/*release | grep PLATFORM_ID | grep -q "platform:el[89]"; then
        echo "Info: This is RHEL 8\9 system. Going to disable SELinux policy module if exists"
        remove_selinux_module
    fi
}
67 |
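# Detect Fedora through the PLATFORM_ID field of the release files and, if
# found, remove the fcos_aquavme SELinux module.
is_it_fedora() {
    # Fedora's PLATFORM_ID is "platform:fNN". The previous pattern
    # ("platform:f3") matched Fedora 30-39 only, so later releases skipped
    # the SELinux module cleanup.
    if cat /etc/*release | grep PLATFORM_ID | grep -q "platform:f[0-9]"; then
        echo "Info: This is a Fedora system. Going to disable SELinux policy module if exists"
        remove_selinux_module_fedora
    fi
}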
76 |
77 |
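# Every step below writes under /etc and /opt and drives systemd and
# semodule, which only root can do. Previously an unprivileged run stopped
# the unit through sudo and then failed part-way with a misleading message.
if [ "$(id -u)" -ne 0 ]; then
    error_message "This script must be run as root."
fi

stop_service
remove_service
remove_dirs
is_it_rhel
is_it_fedora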
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/templates/aqua-enforcer.template.old.service:
--------------------------------------------------------------------------------
# Aqua VM Enforcer unit, run.sh variant. The sibling
# aqua-enforcer.template.service calls runc from ExecStart directly; judging
# by the ".old" in its name this file is the earlier form kept for reference.
[Unit]
Description=Aqua Security Enforcer RunC

[Service]
# Forking: ExecStart returns once the container is detached and systemd
# tracks the daemon through PIDFile below.
Type=forking
ExecStart={{ .Values.WorkingDirectory }}/run.sh
# Clean up the container after the service stops (the newer template passes
# -f here to force removal).
ExecStopPost={{ .Values.RuncPath }} delete enforcer
WorkingDirectory={{ .Values.WorkingDirectory }}
PIDFile=/run/aqua-enforcer.pid
Restart=always

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/templates/aqua-enforcer.template.service:
--------------------------------------------------------------------------------
# Aqua VM Enforcer unit. {{ .Values.* }} placeholders are filled in at
# install time.
[Unit]
Description=Aqua Security Enforcer RunC

[Service]
# Forking: runc detaches (-d) and writes the container PID to the file
# systemd tracks through PIDFile below.
Type=forking
ExecStart={{ .Values.RuncPath }} run -d --pid-file /run/aqua-enforcer.pid enforcer
# Force-remove the container after the service stops so a restart can
# recreate it under the same name.
ExecStopPost={{ .Values.RuncPath }} delete -f enforcer
WorkingDirectory={{ .Values.WorkingDirectory }}
PIDFile=/run/aqua-enforcer.pid
Restart=always
# Enforcer output goes to a file under /opt/aquasec rather than the journal;
# the log's permissions are not set here - presumably the installer creates
# the directory, verify.
StandardOutput=file:/opt/aquasec/tmp/aquasec.log
StandardError=file:/opt/aquasec/tmp/aquasec.log

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/enforcers/vm_enforcer/templates/run.template.sh:
--------------------------------------------------------------------------------
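#!/bin/bash

# Start the enforcer container detached; runc writes its PID to the file the
# unit's PIDFile= points at. stdout/stderr are sent to the log file.
# NOTE: ">" truncates the log on every (re)start, so output from a previous
# crash is lost; switch to ">>" if that history is wanted.
{{ .Values.RuncPath }} run -d --pid-file /run/aqua-enforcer.pid enforcer > /opt/aquasec/tmp/aquasec.log 2>&1
status=$?

# Propagate runc's exit status. The unconditional "exit 0" told systemd the
# start succeeded even when the container never came up.
exit "${status}"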
--------------------------------------------------------------------------------
/enforcers/windows_enforcer/kubernetes/001_aqua_windows_enforcer_rbac/aks/aqua_sa.yaml:
--------------------------------------------------------------------------------
# ServiceAccount for the Aqua Windows Enforcer pods plus the read-only
# discovery ClusterRole bound to it. The role grants get/list/watch only,
# no write verbs.
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # NOTE(review): this is the label from the upstream Kubernetes RBAC
    # aggregation example; it does nothing unless an aggregated ClusterRole
    # selects it. Confirm it is intended rather than copied.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; the namespace field is ignored here.
  namespace: aqua
rules:
  # Read-only access to core workload objects. "deployments" is not in the
  # core ("") API group (it lives in apps), so that entry grants nothing as
  # written.
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read access to every RBAC object (roles, bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  # Cluster-scoped as well; namespace is ignored.
  namespace: aqua
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
--------------------------------------------------------------------------------
/enforcers/windows_enforcer/kubernetes/002_aqua_windows_enforcer_configMap.yaml:
--------------------------------------------------------------------------------
# Non-secret settings for the Aqua Windows Enforcer (the token lives in the
# windows-enforcer-token Secret, not here).
apiVersion: v1
kind: ConfigMap
metadata:
  name: aqua-csp-windows-enforcer
  namespace: aqua
data:
  # Gateway endpoint address the enforcer connects to; must be filled in
  # (see "Considerations" in the README alongside).
  AQUA_SERVER: ""
  # Enforcer mode. Only "full" is shown on this page; check the product
  # documentation before changing it.
  AQUA_ENFORCER_TYPE: "full"
9 |
--------------------------------------------------------------------------------
/enforcers/windows_enforcer/kubernetes/003_aqua_windows_enforcer_secrets.yaml:
--------------------------------------------------------------------------------
# Enforcer Group token consumed by the Aqua Windows Enforcer.
apiVersion: v1
data:
  ### Aqua enforcer token input needed - Base64 encoded ###
  # base64 is an encoding, not encryption: once filled in, this file is a
  # credential and should not be committed. The README's
  # "kubectl create secret generic" command is the alternative that avoids
  # editing this file at all.
  token: ""
kind: Secret
metadata:
  annotations:
    description: Aqua Windows Enforcer token secret
  labels:
    deployedby: aqua-yaml
  name: windows-enforcer-token
  namespace: aqua
type: Opaque
14 |
--------------------------------------------------------------------------------
/enforcers/windows_enforcer/kubernetes/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Deploy Aqua Windows Enforcer using manifests
3 | ## Overview
4 |
5 | This repository shows the manifest yaml files required to deploy Aqua Windows Enforcer on the following Kubernetes platforms:
6 | * AKS
7 |
8 | Before you follow the deployment steps explained below, Aqua strongly recommends that you refer to the product documentation, [Deploy Aqua Enforcer(s)](https://docs.aquasec.com/docs/deploy-k8s-aqua-enforcers), for detailed information.
9 |
10 | ## Prerequisites for manifest deployment
11 |
12 | - Your Aqua credentials: username and password
13 | - Access to Aqua registry to pull images
14 | - The target Enforcer Group token
15 | - Access to the target Aqua gateway
16 |
17 | It is recommended that you complete the sizing and capacity assessment for the deployment. Refer to [Sizing Guide](https://docs.aquasec.com/docs/sizing-guide).
18 |
19 | ## Considerations
20 |
21 | You may consider the following options for deploying the Aqua Enforcer:
22 |
23 | - Gateway
24 |
25 | - To connect with an external Gateway, update the **AQUA_SERVER** value with the gateway endpoint address in the *002_aqua_windows_enforcer_configMap.yaml* configMap manifest file.
26 |
27 | ## Supported platforms
28 | | < PLATFORM > | Description |
29 | | ---------------------- | ------------------------------------------------------------ |
30 | | aks | Microsoft Azure Kubernetes Service (AKS) |
31 |
32 |
33 | ## Pre-deployment
34 | You can skip any of the steps that you have already performed.
35 |
36 | **Step 1. Create a namespace (or an OpenShift project) named aqua (if not already done).**
37 |
38 | ```SHELL
39 | kubectl create namespace aqua
40 | ```
41 |
42 | **Step 2. Create a docker-registry secret (if not already done).**
43 |
44 | ```SHELL
45 | kubectl create secret docker-registry aqua-registry \
46 | --docker-server=registry.aquasec.com \
47 | --docker-username= \
48 | --docker-password= \
49 | --docker-email= \
50 | -n aqua
51 | ```
52 |
53 | **Step 3. Create a service account and RBAC for your deployment platform (if not already done).** Replace the platform name from [Supported platforms](#supported-platforms).
54 |
55 | ```SHELL
56 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/windows_enforcer/kubernetes/001_aqua_windows_enforcer_rbac/aks/aqua_sa.yaml
57 | ```
58 |
59 | ## Deploy Aqua Enforcer using manifests
60 |
61 | **Step 1. Create secrets for deployment**
62 |
63 | * Create the token secret that authenticates the Aqua Windows Enforcer over the Aqua Server.
64 |
65 | ```SHELL
66 | kubectl create secret generic windows-enforcer-token --from-literal=token= -n aqua
67 | ```
68 |
69 | (or)
70 |
71 | * Download, edit, and apply the secrets.
72 |
73 | ```SHELL
74 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/windows_enforcer/kubernetes/003_aqua_windows_enforcer_secrets.yaml
75 | ```
76 |
77 | **Step 2. Deploy directly or download, edit, and apply ConfigMap as required.**
78 |
79 | ```SHELL
80 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/windows_enforcer/kubernetes/002_aqua_windows_enforcer_configMap.yaml
81 | ```
82 |
83 | **Step 3. Deploy Aqua Enforcer as daemonset.**
84 |
85 | ```SHELL
86 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/windows_enforcer/kubernetes/004_aqua_windows_enforcer_daemonset.yaml
87 | ```
88 |
--------------------------------------------------------------------------------
/quick_start/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Quick-start deployment
4 |
5 | ## Overview
6 |
7 | Quick-start deployment can be used to deploy Aqua Enterprise in your Kubernetes cluster quickly and easily.
8 |
9 | It is suited for:
10 | - proofs-of-concept (POCs)
11 | - environments intended for instruction, development, and test
12 |
13 | It is **not** suited for:
14 | - production usage
15 | - enterprise-grade deployments
16 | - deployment on other Kubernetes platforms
17 |
18 | ## Deployment methods
19 | - [Manifests](./kubernetes_and_openshift/manifests)
20 | - [Helm](./kubernetes_and_openshift/helm)
21 |
22 | ## Suited for
23 | - Aqua Enterprise Self-Hosted
24 |
25 | ## Resources
26 | - [Quick-Start Guide for Kubernetes](https://docs.aquasec.com/docs/quick-start-guide-for-kubernetes)
--------------------------------------------------------------------------------
/quick_start/kubernetes_and_openshift/Aquactl/README.md:
--------------------------------------------------------------------------------
1 | # Quick-Start Deployment of Aqua Enterprise using Aquactl
2 | Aquactl is the command-line utility that automates the quick-start deployment of Aqua Enterprise. The command shown in this section creates (downloads) the manifests (YAML files) and prepares them for the Aqua Enterprise deployment.
3 |
4 | ## Command Syntax
5 |
6 | ```SHELL
7 | aquactl download all [flags]
8 | ```
9 |
10 | ## Flags
11 | You can pass the following deployment options through flags, as required.
12 |
13 | Pass non-mandatory flags only if that configuration is absolutely required. Without them, Aqua Enterprise is deployed on a single cluster with the default configuration, intended for non-production usage.
14 |
15 | ### Aquactl operation
16 |
17 | | Flag and parameter type | Values |
18 | | ---------------------- | ------------------------------------------------------------ |
19 | | -p or --platform (string) (mandatory flag) | Orchestration platform to deploy Aqua Enterprise on. Pass one of the following, as required: **kubernetes, aks, eks, gke, iks, openshift, tkgi, rancher** |
20 | | -v or --version (string) (mandatory flag) | Major version of Aqua Enterprise to deploy. For example: **2022.4** |
22 | | -r or --registry (string) | Docker registry containing the Aqua Enterprise product images, it defaults to **registry.aquasec.com** |
23 | | --pull-policy (string) | The Docker image pull policy that should be used in deployment for the Aqua product images, it defaults to **IfNotPresent** |
24 | | --service-account (string) | Kubernetes service account name, it defaults to **aqua-sa** |
25 | | -n, --namespace (string) | Kubernetes namespace name, it defaults to **aqua** |
26 | | --output-dir (string) | Output directory for the manifests (YAML files), it defaults to **aqua-deploy**, the directory aquactl was launched in |
27 | | --add-registry-secret (string) | Create Registry secret for *aqua-registry* |
28 | | --tls-verify (common name validation) | Check that the peer's certificate is chained up to a trusted certificate authority and that the peer's host-name matches its certificate |
30 |
31 | ### Aqua database configuration
32 |
33 | | Flag and type | Values |
34 | | ---------------------- | ------------------------------------------------------------ |
35 | | --external-db (Boolean) | Include this flag if you want to use an external managed database instead of the Aqua packaged database; it defaults to **false** |
36 | | --internal-db-size (string) | Size of the Aqua packaged database, it must be **S** (default), **M**, or **L**|
37 | | --external-db-host (string) | External database IP or DNS, it does not have a default value|
38 | | --external-db-port (int) | External database port, it defaults to **5432** |
39 | | --external-db-username (string) | Username of the external database, it does not have a default value |
40 | | --external-db-password (string)| Password for the user of the external database, it does not have a default value |
41 |
42 | ### Aqua Gateway configuration
43 |
44 | | Flag and type | Values |
45 | | ---------------------- | ------------------------------------------------------------ |
46 | | --ingress-gw (string) | Route for Aqua Gateway connectivity, example: **envoy**, it does not have a default value|
47 |
48 | ### Aqua Enforcer and KubeEnforcer configuration
49 |
50 | | Flag and type | Values |
51 | | ---------------------- | ------------------------------------------------------------ |
52 | | --batch-install-ke-token (string) | Aqua KubeEnforcer group token, it defaults to **ke-token** |
53 | | --batch-install-token (string) | Aqua Enforcer group token, it defaults to **enforcer-token** |
54 | | --exclude-daemon-set | Do not download Aqua Enforcer manifest files |
55 | | --exclude-ke | Do not download KubeEnforcer manifest files |
56 | | --ke-advanced-configuration | Set this to use advanced configuration for the KubeEnforcer |
57 | | --ke-no-ssl | Set this to bypass generation of the SSL cert for the KubeEnforcer |
58 |
59 | ### Usage example
60 |
61 | ```SHELL
62 | aquactl download all --platform eks --version 2022.4
63 | ```
64 |
65 | After the manifests are created, follow the instructions that appear on the console to perform the actual deployment.
--------------------------------------------------------------------------------
/quick_start/kubernetes_and_openshift/helm/README.md:
--------------------------------------------------------------------------------
1 | # Quick-start deployment of Aqua Enterprise using Helm
2 |
3 | The quick-start deployment is used to deploy Aqua Enterprise in your Kubernetes cluster quickly and easily. It is suited for proofs-of-concept (POCs) and environments intended for instruction, development, and test but not for production environments. For deployment instructions, refer to the [aqua-helm repository](https://github.com/aquasecurity/aqua-helm/tree/2022.4/quick-start-deployment-not-for-production-purposes).
4 |
5 | Ensure that you use the latest branch of the Aqua Security Helm repository.
6 |
7 | For production usage, enterprise-grade deployments, advanced use cases, and deployment on other Kubernetes platforms, deploy Aqua Enterprise with the required Aqua components (such as Server, Enforcers, Scanner, and so on) on your orchestration platform. For more information, refer to the product documentation, [Deploy Aqua Enterprise](https://docs.aquasec.com/docs/deployment-overview).
--------------------------------------------------------------------------------
/quick_start/kubernetes_and_openshift/operator/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Enterprise using Operator
2 |
3 | You can deploy Aqua Enterprise with all the components in a single cluster using a Kubernetes Operator. Use the following resources from the aqua-operator repository:
4 |
5 | * [Deploy Aqua Operator in your OpenShift cluster](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-the-aqua-operator)
6 | * Deploy Aqua server using [AquaCSP CRD](https://github.com/aquasecurity/aqua-operator/blob/2022.4/deploy/crds/operator_v1alpha1_aquacsp_cr.yaml) and by following the [deployment instructions](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-aqua-enterprise-using-custom-resources)
7 | * You can refer to CR usage examples in the [Operator repository](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#Example-Deploying-the-Aqua-Server-with-an-Aqua-Enforcer-and-KubeEnforcer-all-in-one-CR)
8 |
9 | Ensure that you use the latest branch of the Aqua Security Operator repository.
--------------------------------------------------------------------------------
/scanner/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua Scanner
4 |
5 | ## Overview
6 | Aqua scanner performs scanning of the following objects for security issues:
7 | * Container images
8 | * VMware Tanzu applications
9 | * Serverless Functions
10 |
11 | ## Deployment methods
12 | * [Manifests and Aquactl](./kubernetes_and_openshift/manifests/)
13 | * [Helm](./kubernetes_and_openshift/helm/)
14 | * [Operator](./kubernetes_and_openshift/operator/)
15 | * [AWS CloudFormation on EC2 clusters](./ecs/cloudformation/aqua-ecs-ec2)
16 |
17 | ## Suited for
18 | * Aqua Enterprise SaaS
19 | * Aqua Enterprise Self-Hosted
20 |
21 | ## Supported platforms
22 | * Kubernetes and Openshift (SaaS and Self-Hosted)
23 | * AWS ECS (Self-Hosted only)
24 | * Docker (SaaS and Self-Hosted)
25 |
26 | ## References
27 | Before you start using any method to deploy Aqua Scanner, Aqua strongly recommends that you refer to the product documentation:
28 | * [Deploy Scanner(s)](https://docs.aquasec.com/docs/deploy-k8s-scanners)
29 | * [Kubernetes with Helm Charts](https://docs.aquasec.com/docs/kubernetes-with-helm#section-step-2-deploy-the-aqua-server-database-gateway-and-scanner).
--------------------------------------------------------------------------------
/scanner/ecs/cloudformation/aqua-ecs-ec2/README.adoc:
--------------------------------------------------------------------------------
1 | :version: 2022.4
2 | :imageVersion: 2022.4
3 |
4 | = Deploy Aqua Scanner on AWS ECS Cluster
5 |
6 | image:https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png[Launch Stack,link=https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=aqua-ecs&templateURL=https://s3.amazonaws.com/aqua-security-public/{version}/aquaScannerToken.yaml]
7 |
8 | == Overview
9 |
10 | The Aqua Server and Gateway are deployed on an ECS EC2 cluster. In multi-cluster environments, you can deploy Aqua Scanners on different clusters.
11 |
12 | This page contains instructions for deploying Aqua Scanner on any Amazon ECS EC2 cluster.
13 |
14 | For high availability, you must deploy Aqua on 2 availability Zones (AZs).
15 |
16 | Your deployment creates the Aqua Scanner service, on the specific ECS instance. A CloudFormation template is used to deploy Aqua Scanner. This can be done either with the AWS CloudFormation Management Console or the AWS Command Line interface (CLI), as explained below.
17 |
18 | *Note:* For *SaaS* environments you must use *aquaScannerToken.yaml*, because SaaS uses token-based authentication; for *On-Prem* environments, which do not use token-based authentication, the aquaScanner.yaml option is the suitable one.
19 |
20 |
21 | == Prerequisites
22 |
23 | - One or more ECS clusters
24 | - Aqua Server DNS/IP
25 | - From Aqua Security: your Aqua credentials (username and password) and CSP License Token
26 | - Aqua Scanner Token, or Username and Password (for username/password authentication, use the aquaScanner.yaml manifest)
27 |
28 | == Pre-deployment
29 |
30 | *Step 1. Login to the Aqua Registry with your credentials.*
31 |
32 | [source,options="nowrap",subs="attributes"]
33 | ----
34 | docker login registry.aquasec.com -u -p
35 | ----
36 |
37 | *Step 2. Pull the Aqua Scanner image.*
38 |
39 | [source,options="nowrap",subs="attributes"]
40 | ----
41 | docker pull registry.aquasec.com/scanner:{imageVersion}
42 | ----
43 |
44 | *Step 3. Push the scanner image to ECR.*
45 |
46 | == Deployment method 1: CloudFormation Management Console
47 |
48 | *Step 1. Click the Launch Stack icon at the top of this page.* This will take you to the *Create stack* function of the AWS CloudFormation Management Console.
49 |
50 | *Step 2. Ensure that your AWS region is set to where you want to deploy Aqua Scanner.*
51 |
52 | *Step 3. Click Next.*
53 |
54 | *Step 4. Set or modify any of the parameters as explained below.*
55 |
56 | *Step 5. Click Next to create the stack.*
57 |
58 | == Deployment method 2: CLI
59 |
60 | *Step 1. Copy the following command.*
61 |
62 | [source,options="nowrap",subs="attributes"]
63 | ----
64 | aws --region us-east-1 cloudformation create-stack --capabilities CAPABILITY_NAMED_IAM --stack-name aqua-scanner --template-body file://aquaScanner.yaml \
65 | --parameters ParameterKey=AquaServerAddress,ParameterValue=xxxxx \
66 | ParameterKey=AquaScannerUserName,ParameterValue=xxxxx \
67 | ParameterKey=AquaScannerPassword,ParameterValue=xxxxx \
68 | ParameterKey=AquaScannerImage,ParameterValue=xxxx.dkr.ecr.us-east-1.amazonaws.com/aqua:scanner-x.x \
69 | ParameterKey=ECSClusterName,ParameterValue=xxxxx
70 | ----
71 |
72 | *Step 2. Set the parameters as explained below.*
73 |
74 | [source,options="nowrap",subs="attributes"]
75 | ----
76 | AquaServerAddress = The Server DNS name or IP address (IP address with port number)
77 | AquaScannerUserName = The Scanner user name from Aqua server
78 | AquaScannerPassword = The Scanner user Password
79 | AquaScannerImage = The ECR path for the Aqua Scanner product image
80 | ECSClusterName = The existing ECS cluster name
81 | ----
82 |
83 | *Step 3. Run the AWS create-stack CLI command.*
84 |
85 | This procedure will deploy Aqua Scanner in your desired cluster and the newly deployed scanner will get added to the existing Aqua server.
--------------------------------------------------------------------------------
/scanner/kubernetes_and_openshift/helm/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Scanner using Helm
2 |
3 | You can deploy Scanner in your Kubernetes cluster, using the Helm charts. For deployment instructions, refer to the [aqua-helm repository](https://github.com/aquasecurity/aqua-helm/tree/2022.4/scanner#Installing-the-Chart).
4 |
5 | Ensure that you use the latest branch of the Aqua Security Helm repository.
--------------------------------------------------------------------------------
/scanner/kubernetes_and_openshift/manifests/001_scanner_serviceAccount.yaml:
--------------------------------------------------------------------------------
# ServiceAccount the Scanner Deployment runs as; it only carries the
# registry pull secret - no RBAC is bound to it in this manifest.
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
--------------------------------------------------------------------------------
/scanner/kubernetes_and_openshift/manifests/002_scanner_secrets.yaml:
--------------------------------------------------------------------------------
# Scanner credentials and the Aqua server's root certificate. The Deployment
# consumes the first two through envFrom and projects the cert as a volume.
# Values are base64-encoded, not encrypted: treat the filled-in file as a
# credential and keep it out of version control.
apiVersion: v1
kind: Secret
metadata:
  annotations:
    description: Aqua Scanner username and password
  labels:
    deployedby: aqua-yaml
  name: aqua-scanner
  namespace: aqua
type: Opaque
data:
  # Aqua Scanner Username - Base64 Encoded
  AQUA_SCANNER_USERNAME: ""
  # Aqua Scanner Password - Base64 Encoded
  AQUA_SCANNER_PASSWORD: ""
  # Base64 Encoded - Aqua web root cert (mounted by the Deployment as
  # /etc/ssl/certs/aqua-ssl.crt)
  aqua-web-root-cert: ""
# ---
# Use the following kubectl command to create the registry secret used to authenticate during image pull
## kubectl create secret docker-registry aqua-registry --docker-server= --docker-username= --docker-password= --docker-email= -n aqua
# If you already have the credentials configured in a .docker/config.json file, use the following secret block instead to add the docker pull secret
# apiVersion: v1
# data:
#   .dockerconfigjson: ## Input Needed ##
# kind: Secret
# metadata:
#   annotations:
#     description: Secret for pulling Aqua images
#   labels:
#     deployedby: aqua-yaml
#   name: aqua-registry
#   namespace: aqua
# type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/scanner/kubernetes_and_openshift/manifests/003_scanner_configmap.yaml:
--------------------------------------------------------------------------------
# Non-secret Scanner settings, loaded by the Deployment through envFrom.
# The commented keys are optional mTLS and health-monitor settings.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aqua-scanner-config
  namespace: aqua
data:
  # Aqua Server IP/Domain/Servicename followed by the HTTPS port. The default
  # is the in-cluster aqua-web Service; replace it for an external server.
  AQUA_SERVER: "aqua-web:443"

  # Scanner's private key for HTTPS and Mutual Auth with offline CyberCenter
  #AQUA_PRIVATE_KEY: "/opt/aquasec/ssl/key.pem"

  # Scanner's public key for HTTPS and Mutual Auth with offline CyberCenter
  #AQUA_PUBLIC_KEY: "/opt/aquasec/ssl/cert.pem"

  # Scanner's root CA cert for HTTPS and Mutual Auth. The root CA certificate file should be common to both the CyberCenter and Scanner certificates
  #AQUA_ROOT_CA: "/opt/aquasec/ssl/ca.pem"

  # Set this to 1 to establish an mTLS connection with CyberCenter
  #OFFLINE_CC_MTLS_ENABLE: "1"

  # Health monitor is supported from SaaS scanner version 2407.4.20 and for on-prem 2022.4.613.7.
  # Enable the two values below for the health check monitor (liveness probe);
  # the port must match the probe in the Deployment manifest.
  #AQUA_HEALTH_MONITOR_ENABLED: "true"
  #AQUA_HEALTH_MONITOR_PORT: "8081"
26 |
27 |
28 |
--------------------------------------------------------------------------------
/scanner/kubernetes_and_openshift/manifests/004_scanner_deploy.yaml:
--------------------------------------------------------------------------------
# Aqua Scanner Deployment. Credentials come from the aqua-scanner Secret and
# the server address from the aqua-scanner-config ConfigMap (both via
# envFrom). The commented-out PVC, livenessProbe, resources and mTLS volume
# are optional pieces left in place for operators to enable.
#---
#apiVersion: v1
#kind: PersistentVolumeClaim
#metadata:
#  name: aqua-scanner-pvc
#  namespace: aqua
#spec:
#  accessModes:
#    - ReadWriteOnce
#  resources:
#    requests:
#      storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-scanner
  namespace: aqua
  labels:
    app: aqua-scanner
    aqua.component: scanner
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: aqua-scanner
        aqua.component: scanner
    spec:
      serviceAccountName: aqua-sa
      # Fixed non-root UID/GID; fsGroup applies the group to mounted volumes
      # so the projected secret is readable by the process.
      securityContext:
        runAsUser: 11431
        runAsGroup: 11433
        fsGroup: 11433
      containers:
        - name: kube-scanner
          image: registry.aquasec.com/scanner:2022.4
          imagePullPolicy: Always
          # Optional liveness probe; requires AQUA_HEALTH_MONITOR_ENABLED/PORT
          # to be set in the ConfigMap (8081 matches the port commented there).
#          livenessProbe:
#            httpGet:
#              port: 8081
#              path: /healthz
#              scheme: HTTP
#            initialDelaySeconds: 15
#            periodSeconds: 60
#            successThreshold: 1
#            failureThreshold: 3
#            timeoutSeconds: 1
#          resources:
#            limits:
#              cpu: 2000m
#              memory: 1Gi
#            requests:
#              cpu: 1000m
#              memory: 512Mi
          command: ["/bin/sh"]
          # NOTE(review): --no-verify disables TLS certificate verification of
          # the Aqua server even though aqua-web-root-cert is mounted at
          # /etc/ssl/certs/aqua-ssl.crt below; with a valid cert in place the
          # flag should not be needed. The password is also expanded into the
          # scannercli command line, where it is visible in the container's
          # process list.
          args: ["-c", "/opt/aquasec/scannercli daemon --host https://${AQUA_SERVER} --user ${AQUA_SCANNER_USERNAME} --password ${AQUA_SCANNER_PASSWORD} --no-verify"]
          env:
            # The pod name is used as the scanner's logical name.
            - name: AQUA_SCANNER_LOGICAL_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # Optional environment variable, to set the max amount of consecutive attempts before back off. There will be a random interval between connection attempts.
            # (This and AQUA_CONNECTIVITY_BACKOFF_DURATION should both be set to trigger the backoff mechanism)
            #- name: AQUA_MAX_CONSECUTIVE_CONNECTION_ATTEMPTS
            #  value: "5"
            # Optional environment variable, to set the amount of time (in seconds) in which there is no attempt to connect.
            # Once this duration passes, the reconnect mechanism will be triggered again until max attempts.
            #- name: AQUA_CONNECTIVITY_BACKOFF_DURATION
            #  value: "120"
          envFrom:
            - secretRef:
                name: aqua-scanner
            - configMapRef:
                name: aqua-scanner-config
          volumeMounts:
            #- name: "docker-socket-mount"
            #  mountPath: "/var/run/docker.sock"
            # Root CA for the Aqua server, projected from the aqua-scanner
            # Secret. NOTE(review): without a subPath the whole secret volume
            # is mounted as a directory at this path, so the file ends up at
            # /etc/ssl/certs/aqua-ssl.crt/aqua-ssl.crt; confirm whether
            # "subPath: aqua-ssl.crt" was intended.
            - name: "ssl-certs"
              mountPath: "/etc/ssl/certs/aqua-ssl.crt"
            # - mountPath: /opt/aquascans
            #   name: aquascans
            # - mountPath: /opt/aquasec/ssl
            #   name: aqua-grpc-scanner
            #   readOnly: true
      volumes:
        #- name: "docker-socket-mount"
        #  hostPath:
        #    path: "/var/run/docker.sock"
        - name: "ssl-certs"
          secret:
            secretName: "aqua-scanner"
            items:
              - key: aqua-web-root-cert
                path: aqua-ssl.crt
        # - name: aquascans
        #   persistentVolumeClaim:
        #     claimName: aqua-scanner-pvc
        # - name: aqua-grpc-scanner
        #   secret:
        #     secretName: aqua-grpc-scanner
        #     items:
        #       - key: aqua_scanner.crt
        #         path: cert.pem
        #       - key: aqua_scanner.key
        #         path: key.pem
        #       - key: rootCA.crt
        #         path: ca.pem
      imagePullSecrets:
        - name: aqua-registry
  selector:
    matchLabels:
      app: aqua-scanner
114 |
--------------------------------------------------------------------------------
/scanner/kubernetes_and_openshift/operator/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Scanner using Operator
2 |
3 | You can deploy Scanner in your OpenShift cluster using a Kubernetes Operator. Use the following resources from the aqua-operator repository:
4 |
5 | * [Deploy Aqua Operator in your OpenShift cluster](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-the-aqua-operator)
6 | * Deploy Scanner using [AquaScanner CRD](https://github.com/aquasecurity/aqua-operator/blob/2022.4/deploy/crds/operator_v1alpha1_aquascanner_cr.yaml) and by following the [deployment instructions](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-aqua-enterprise-using-custom-resources)
7 | * You can refer to CR usage examples in the [Operator repository](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#cr-examples)
8 |
9 | Ensure that you use the latest branch of the Aqua Security Operator repository.
--------------------------------------------------------------------------------
/server/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Aqua Server
4 |
5 | ## Overview
6 | Server includes the following components:
7 | * Console (Aqua UI)
8 | * Gateway
9 | * Database (Optional)
10 |
11 | ## Deployment methods
12 | * [Manifests and Aquactl](./kubernetes_and_openshift/manifests)
13 | * [Helm](./kubernetes_and_openshift/helm)
14 | * [Operator](./kubernetes_and_openshift/operator)
15 | * [AWS CloudFormation ECS-EC2](./ecs/cloudformation/aqua-ecs-ec2)
16 | * [AWS CloudFormation ECS-Fargate](./ecs/cloudformation/aqua-ecs-fargate)
17 |
18 | ## Supported platforms
19 | * Kubernetes and OpenShift
20 | * AWS ECS
21 | * Docker
22 |
23 | ### Note:
24 | * For OpenShift version 3.x use RBAC definition from ./kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/openshift_ocp3x
25 | * For OpenShift version 4.x use RBAC definition from ./kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/openshift
26 |
27 | ## Suited for
28 | * Aqua Enterprise Self-Hosted edition
29 |
30 | ## References
31 | Before you start using any of the deployment methods documented in this repository, Aqua strongly recommends that you refer to the following product documentation:
32 | * [Deploy Server Components](https://docs.aquasec.com/docs/deploy-k8s-server-components)
33 | * [Kubernetes with Helm Charts](https://docs.aquasec.com/docs/kubernetes-with-helm)
34 | * [Deploy Aqua on Amazon Elastic Container Service (ECS)](https://docs.aquasec.com/docs/amazon-elastic-container-service-ecs#section-step-1-deploy-the-aqua-server-gateway-and-database).
--------------------------------------------------------------------------------
/server/docker/compose/aqua-db.env:
--------------------------------------------------------------------------------
# POSTGRES_PASSWORD is a placeholder. Set a real value before starting the stack and keep it identical to
# SCALOCK_DBPASSWORD / SCALOCK_AUDIT_DBPASSWORD in aqua-web.env and aqua-gateway.env, which connect to this database.
1 | POSTGRES_PASSWORD=DB_PASSWORD
2 |
--------------------------------------------------------------------------------
/server/docker/compose/aqua-docker-compose-server.yaml:
--------------------------------------------------------------------------------
1 | version: '3.8'
2 | services:
3 | aqua-db:  # Postgres; the other services reach it by the service name "aqua-db" on the default compose network
4 | image: registry.aquasec.com/database:2022.4
5 | ports:
6 | - "5432:5432"  # NOTE(review): publishes Postgres on every host interface; aqua-web and aqua-gateway reach it by service name, so this mapping can be dropped or bound to 127.0.0.1
7 | container_name: aquadb
8 | env_file:
9 | - aqua-db.env  # POSTGRES_PASSWORD placeholder; must match SCALOCK_DBPASSWORD / SCALOCK_AUDIT_DBPASSWORD in aqua-web.env and aqua-gateway.env
10 | volumes:
11 | - /var/lib/aqua-db/data:/var/lib/postgresql/data  # database files persist on the host under /var/lib/aqua-db/data
12 |
13 | aqua-web:  # console (Aqua UI)
14 | image: registry.aquasec.com/console:2022.4
15 | ports:
16 | - "8080:8080"
17 | - "443:8443"  # container port 8443 is published as host port 443; AQUA_CONSOLE_SECURE_ADDRESS in aqua-gateway.env points at that host port
18 | container_name: aquaweb
19 | env_file:
20 | - aqua-web.env
21 | volumes:
22 | - /var/run/docker.sock:/var/run/docker.sock  # host Docker socket: anyone who controls this container controls the host daemon, which is equivalent to root on the host
23 |
24 | aqua-gateway:
25 | image: registry.aquasec.com/gateway:2022.4
26 | ports:
27 | - "3622:3622"
28 | - "8443:8443"
29 | container_name: aqua-gateway
30 | env_file:
31 | - aqua-gateway.env
32 |
--------------------------------------------------------------------------------
/server/docker/compose/aqua-gateway.env:
--------------------------------------------------------------------------------
# Replace "hostaddress" with the host running aqua-web; 443 is the host port mapped to the console's 8443 in aqua-docker-compose-server.yaml.
1 | AQUA_CONSOLE_SECURE_ADDRESS=hostaddress:443
# "aqua-db" is the compose service name of the database container.
2 | SCALOCK_DBHOST=aqua-db
3 | SCALOCK_DBNAME=scalock
4 | SCALOCK_DBUSER=postgres
# DB_PASSWORD is a placeholder; it must equal POSTGRES_PASSWORD in aqua-db.env.
5 | SCALOCK_DBPASSWORD=DB_PASSWORD
6 | SCALOCK_AUDIT_DBHOST=aqua-db
7 | SCALOCK_AUDIT_DBNAME=slk_audit
8 | SCALOCK_AUDIT_DBUSER=postgres
# Same database instance and user as above, so the same placeholder applies.
9 | SCALOCK_AUDIT_DBPASSWORD=DB_PASSWORD
10 |
--------------------------------------------------------------------------------
/server/docker/compose/aqua-web.env:
--------------------------------------------------------------------------------
# "aqua-db" is the compose service name of the database container.
1 | SCALOCK_DBHOST=aqua-db
2 | SCALOCK_DBNAME=scalock
3 | SCALOCK_DBUSER=postgres
# DB_PASSWORD is a placeholder; it must equal POSTGRES_PASSWORD in aqua-db.env (and the value in aqua-gateway.env).
4 | SCALOCK_DBPASSWORD=DB_PASSWORD
5 | SCALOCK_AUDIT_DBHOST=aqua-db
6 | SCALOCK_AUDIT_DBNAME=slk_audit
7 | SCALOCK_AUDIT_DBUSER=postgres
# Same database instance and user as above, so the same placeholder applies.
8 | SCALOCK_AUDIT_DBPASSWORD=DB_PASSWORD
9 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/helm/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Server using Helm
2 |
3 | You can deploy Server in your Kubernetes cluster, using the Helm charts. For deployment instructions, refer to the [aqua-helm repository](https://github.com/aquasecurity/aqua-helm/tree/2022.4/server).
4 |
5 | Ensure that you use the latest branch of the Aqua Security Helm repository.
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_001_namespace/aqua_namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | labels:
5 | deployedby: aqua-deployments
6 | name: aqua  # every Server manifest in this directory sets metadata.namespace: aqua, so this must exist first
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/aks/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/eks/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/gke/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/ibm/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRole  # grants "use" of the IBM-provided privileged PodSecurityPolicy
3 | metadata:
4 | name: aqua-psp-cr
5 | rules:
6 | - apiGroups: ["extensions"]  # NOTE(review): PodSecurityPolicy moved to the "policy" API group and was removed entirely in Kubernetes 1.25; confirm the target cluster version still serves this group
7 | resourceNames: ["ibm-privileged-psp"]
8 | resources: ["podsecuritypolicies"]
9 | verbs: ["use"]
10 | ---
11 | apiVersion: rbac.authorization.k8s.io/v1
12 | kind: ClusterRoleBinding
13 | metadata:
14 | name: aqua-psp-crb
15 | roleRef:
16 | apiGroup: rbac.authorization.k8s.io
17 | kind: ClusterRole
18 | name: aqua-privileged-clusterrole  # NOTE(review): the ClusterRole defined above is named aqua-psp-cr; unless aqua-privileged-clusterrole is created elsewhere, this binding dangles and the PSP grant never takes effect
19 | subjects:
20 | - apiGroup: rbac.authorization.k8s.io
21 | kind: Group
22 | name: system:serviceaccounts:aqua  # every ServiceAccount in the aqua namespace, not only aqua-sa
23 | ---
24 | apiVersion: v1
25 | imagePullSecrets:
26 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
27 | kind: ServiceAccount  # identity the Server workloads run as; the ClusterRole grants below are attached to it
28 | metadata:
29 | annotations:
30 | description: Service account for pulling Aqua images and for Aqua privileged
31 | labels:
32 | deployedby: aqua-yaml
33 | name: aqua-sa
34 | namespace: aqua
35 | ---
36 | apiVersion: rbac.authorization.k8s.io/v1
37 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
38 | metadata:
39 | labels:
40 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
41 | deployedby: aqua-yaml
42 | name: aqua-discovery-cr
43 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
44 | rules:
45 | - apiGroups: [""]
46 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
47 | verbs: ["get", "list", "watch"]
48 | - apiGroups: ["rbac.authorization.k8s.io"]
49 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
50 | verbs: ["get", "list", "watch"]
51 | ---
52 | apiVersion: rbac.authorization.k8s.io/v1
53 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
54 | metadata:
55 | name: aqua-discovery-crb
56 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
57 | roleRef:
58 | apiGroup: rbac.authorization.k8s.io
59 | kind: ClusterRole
60 | name: aqua-discovery-cr
61 | subjects:
62 | - kind: ServiceAccount
63 | name: aqua-sa
64 | namespace: aqua
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/k3s/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/native_k8s/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/openshift/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; the ClusterRole grants and the SCC below are attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | metadata:
16 | name: aqua-discovery-cr
17 | labels:
18 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
19 | rules:
20 | - apiGroups: [""]
21 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
22 | verbs: ["get", "list", "watch"]
23 | - apiGroups: ["rbac.authorization.k8s.io"]
24 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
25 | verbs: ["get", "list", "watch"]
26 | - apiGroups: [""]
27 | resources: ["imagestreams", "imagestreams/layers"]  # NOTE(review): on OpenShift 4 ImageStreams are served from the image.openshift.io API group; confirm a core-group entry still grants anything here
28 | verbs: ["get", "list", "watch"]
29 | ---
30 | apiVersion: rbac.authorization.k8s.io/v1
31 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
32 | metadata:
33 | name: aqua-discovery-crb
34 | roleRef:
35 | name: aqua-discovery-cr
36 | apiGroup: rbac.authorization.k8s.io
37 | kind: ClusterRole
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
42 | ---
43 | kind: ClusterRoleBinding  # grants aqua-sa OpenShift's built-in cluster-reader ClusterRole, i.e. read access to most resources in the cluster
44 | apiVersion: rbac.authorization.k8s.io/v1
45 | metadata:
46 | name: cluster-reader
47 | subjects:
48 | - kind: ServiceAccount
49 | name: aqua-sa
50 | namespace: aqua
51 | roleRef:
52 | apiGroup: rbac.authorization.k8s.io
53 | kind: ClusterRole
54 | name: cluster-reader
55 | ---
56 | allowHostDirVolumePlugin: true  # hostPath volumes permitted (hostPath is also listed under volumes below)
57 | allowHostIPC: false
58 | allowHostNetwork: false
59 | allowHostPID: true  # pods may share the node's PID namespace
60 | allowHostPorts: false
61 | allowPrivilegeEscalation: false
62 | allowPrivilegedContainer: false
63 | allowedCapabilities:  # NOTE(review): goes well beyond the restricted SCC the description below cites (SYS_ADMIN, SYS_MODULE, SYS_PTRACE, ...); trim to the capabilities the Server pods actually request
64 | - SYS_ADMIN
65 | - NET_ADMIN
66 | - NET_RAW
67 | - SYS_PTRACE
68 | - KILL
69 | - MKNOD
70 | - SETGID
71 | - SETUID
72 | - SYS_MODULE
73 | - AUDIT_CONTROL
74 | - SYSLOG
75 | - SYS_CHROOT
76 | - SYS_RESOURCE
77 | - IPC_LOCK
78 | - LINUX_IMMUTABLE
79 | apiVersion: security.openshift.io/v1
80 | defaultAddCapabilities: null  # nothing is added implicitly; a pod only gets the capabilities above if it requests them
81 | fsGroup:
82 | type: RunAsAny
83 | groups: []
84 | kind: SecurityContextConstraints
85 | metadata:
86 | annotations:
87 | kubernetes.io/description: aqua scc provides all features of the restricted SCC
88 | but allows users to run with any non-root UID and access hostPath. The user must
89 | specify the UID or it must be specified on the by the manifest of the container runtime.
90 | release.openshift.io/create-only: "true"
91 | name: aqua-scc
92 | priority: null
93 | readOnlyRootFilesystem: false
94 | requiredDropCapabilities: null
95 | runAsUser:
96 | type: RunAsAny  # NOTE(review): the "non-root UID" in the description is not enforced; RunAsAny also admits UID 0 (MustRunAsNonRoot would enforce it)
97 | seLinuxContext:
98 | type: MustRunAs
99 | supplementalGroups:
100 | type: RunAsAny
101 | users:
102 | - system:serviceaccount:aqua:aqua-sa  # only this ServiceAccount may use the SCC; keep the list this narrow
103 | volumes:
104 | - configMap
105 | - downwardAPI
106 | - emptyDir
107 | - persistentVolumeClaim
108 | - projected
109 | - secret
110 | - hostPath  # node filesystem access; pairs with allowHostDirVolumePlugin above
111 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/openshift_ocp3x/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; the ClusterRole grants and the SCC below are attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | metadata:
16 | name: aqua-discovery-cr
17 | labels:
18 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
19 | rules:
20 | - apiGroups: [""]
21 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them
22 | verbs: ["get", "list", "watch"]
23 | - apiGroups: ["rbac.authorization.k8s.io"]
24 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
25 | verbs: ["get", "list", "watch"]
26 | - apiGroups: [""]
27 | resources: ["imagestreams", "imagestreams/layers"]  # OCP 3.x legacy API; on OpenShift 4 ImageStreams are served from image.openshift.io (see the openshift/ variant)
28 | verbs: ["get", "list", "watch"]
29 | ---
30 | apiVersion: rbac.authorization.k8s.io/v1
31 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
32 | metadata:
33 | name: aqua-discovery-crb
34 | roleRef:
35 | name: aqua-discovery-cr
36 | apiGroup: rbac.authorization.k8s.io
37 | kind: ClusterRole
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
42 | ---
43 | kind: ClusterRoleBinding  # grants aqua-sa OpenShift's built-in cluster-reader ClusterRole, i.e. read access to most resources in the cluster
44 | apiVersion: rbac.authorization.k8s.io/v1
45 | metadata:
46 | name: cluster-reader
47 | subjects:
48 | - kind: ServiceAccount
49 | name: aqua-sa
50 | namespace: aqua
51 | roleRef:
52 | apiGroup: rbac.authorization.k8s.io
53 | kind: ClusterRole
54 | name: cluster-reader
55 | ---
56 | allowHostDirVolumePlugin: true  # hostPath volumes permitted (hostPath is also listed under volumes below)
57 | allowHostIPC: false
58 | allowHostNetwork: false
59 | allowHostPID: true  # pods may share the node's PID namespace
60 | allowHostPorts: false
61 | allowPrivilegeEscalation: false
62 | allowPrivilegedContainer: false
63 | allowedCapabilities:  # NOTE(review): goes well beyond the restricted SCC the description below cites (SYS_ADMIN, SYS_MODULE, SYS_PTRACE, ...); trim to the capabilities the Server pods actually request
64 | - SYS_ADMIN
65 | - NET_ADMIN
66 | - NET_RAW
67 | - SYS_PTRACE
68 | - KILL
69 | - MKNOD
70 | - SETGID
71 | - SETUID
72 | - SYS_MODULE
73 | - AUDIT_CONTROL
74 | - SYSLOG
75 | - SYS_CHROOT
76 | - SYS_RESOURCE
77 | - IPC_LOCK
78 | - LINUX_IMMUTABLE
79 | apiVersion: security.openshift.io/v1
80 | defaultAddCapabilities: []  # nothing is added implicitly; a pod only gets the capabilities above if it requests them
81 | fsGroup:
82 | type: RunAsAny
83 | groups: []
84 | kind: SecurityContextConstraints
85 | metadata:
86 | annotations:
87 | kubernetes.io/description: aqua scc provides all features of the restricted SCC
88 | but allows users to run with any non-root UID and access hostPath. The user must
89 | specify the UID or it must be specified on the by the manifest of the container runtime.
90 | release.openshift.io/create-only: "true"
91 | name: aqua-scc
92 | priority: 2  # a non-null priority sorts this SCC ahead of the unprioritised default SCCs during admission, so aqua-sa pods land on it
93 | readOnlyRootFilesystem: false
94 | requiredDropCapabilities: []
95 | runAsUser:
96 | type: RunAsAny  # NOTE(review): the "non-root UID" in the description is not enforced; RunAsAny also admits UID 0 (MustRunAsNonRoot would enforce it)
97 | seLinuxContext:
98 | type: RunAsAny  # unlike the OpenShift 4 variant (MustRunAs), no SELinux context is enforced here
99 | supplementalGroups:
100 | type: RunAsAny
101 | users:
102 | - system:serviceaccount:aqua:aqua-sa  # only this ServiceAccount may use the SCC; keep the list this narrow
103 | volumes:
104 | - configMap
105 | - downwardAPI
106 | - emptyDir
107 | - persistentVolumeClaim
108 | - projected
109 | - secret
110 | - hostPath  # node filesystem access; pairs with allowHostDirVolumePlugin above
111 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/rancher/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
42 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/tkg/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
42 | ---
43 | kind: RoleBinding  # grants use of the TKG privileged PSP ClusterRole within the aqua namespace only
44 | apiVersion: rbac.authorization.k8s.io/v1
45 | metadata:
46 | name: rolebinding-default-privileged-sa-ns_default  # the name says ns_default, but the binding lives in the aqua namespace
47 | namespace: aqua
48 | roleRef:
49 | kind: ClusterRole
50 | name: psp:vmware-system-privileged
51 | apiGroup: rbac.authorization.k8s.io
52 | subjects:
53 | - kind: Group
54 | apiGroup: rbac.authorization.k8s.io
55 | name: system:serviceaccounts  # NOTE(review): the group of all service accounts cluster-wide; the RoleBinding limits the grant to the aqua namespace, but a ServiceAccount subject naming aqua-sa would be tighter
56 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_002_RBAC/tkgi/aqua_sa.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry  # registry pull secret; created by the kubectl command or the commented-out block in aqua_csp_003_secrets/aqua_secrets.yaml
4 | kind: ServiceAccount  # identity the Server workloads run as; every ClusterRole grant below is attached to it
5 | metadata:
6 | annotations:
7 | description: Service account for pulling Aqua images and for Aqua privileged
8 | labels:
9 | deployedby: aqua-yaml
10 | name: aqua-sa
11 | namespace: aqua
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRole  # read-only (get/list/watch) discovery permissions granted cluster-wide to aqua-sa
15 | metadata:
16 | labels:
17 | rbac.example.com/aggregate-to-monitoring: "true"  # aggregation label taken from the upstream RBAC docs example; it only has an effect if an aggregated ClusterRole selects it
18 | deployedby: aqua-yaml
19 | name: aqua-discovery-cr
20 | namespace: aqua  # ClusterRole is cluster-scoped; this namespace field is ignored
21 | rules:
22 | - apiGroups: [""]
23 | resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]  # NOTE(review): Deployments live in the "apps" API group, not the core group, so this entry grants no access to them; componentstatuses is deprecated upstream
24 | verbs: ["get", "list", "watch"]
25 | - apiGroups: ["rbac.authorization.k8s.io"]
26 | resources: ["*"]  # read-only visibility of every Role, RoleBinding, ClusterRole and ClusterRoleBinding in the cluster
27 | verbs: ["get", "list", "watch"]
28 | ---
29 | apiVersion: rbac.authorization.k8s.io/v1
30 | kind: ClusterRoleBinding  # binds aqua-discovery-cr to aqua-sa across all namespaces
31 | metadata:
32 | name: aqua-discovery-crb
33 | namespace: aqua  # ClusterRoleBinding is cluster-scoped; this namespace field is ignored
34 | roleRef:
35 | apiGroup: rbac.authorization.k8s.io
36 | kind: ClusterRole
37 | name: aqua-discovery-cr
38 | subjects:
39 | - kind: ServiceAccount
40 | name: aqua-sa
41 | namespace: aqua
42 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_003_secrets/aqua_secrets.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 | ### Aqua database password, base64-encoded. NOTE(review): the committed value is a public placeholder shared by everyone who uses this manifest (it is not the encoding of "password"); generate your own value and replace it before deploying.
4 | password: dUd3aFRuaE9LNmhFSWYrUExid2lGOHF6ZjVWWWgrRjA=
5 | kind: Secret
6 | metadata:
7 | annotations:
8 | description: Aqua database password secret
9 | labels:
10 | deployedby: aqua-yaml
11 | name: aqua-db
12 | namespace: aqua
13 | type: Opaque
14 | ---
15 | apiVersion: v1
16 | data:
17 | ### Aqua audit database password, base64-encoded. Same public placeholder as aqua-db above; replace it before deploying (it may be a different value from the aqua-db password).
18 | password: dUd3aFRuaE9LNmhFSWYrUExid2lGOHF6ZjVWWWgrRjA=
19 | kind: Secret
20 | metadata:
21 | annotations:
22 | description: Aqua audit database password secret
23 | labels:
24 | deployedby: aqua-yaml
25 | name: aqua-audit-db
26 | namespace: aqua
27 | type: Opaque
28 | # ---
29 | # The following certificates provide HTTPS between the Aqua components.
30 | # If they are self-signed, the root CA must also be mounted into the scanner container (the scanner deployment reads it from its aqua-scanner Secret as aqua-web-root-cert) so the scanner can verify the Server's certificate rather than running with --no-verify.
31 | # apiVersion: v1
32 | # data:
33 | # aqua_web.key: ## Input Needed - base64 value of the private key ##
34 | # aqua_web.crt: ## Input Needed - base64 value of the public cert ##
35 | # rootCA.crt: ## Input Needed - base64 value of the root CA cert ##
36 | # kind: Secret
37 | # metadata:
38 | # annotations:
39 | # description: Aqua SSL certificates
40 | # labels:
41 | # deployedby: aqua-yaml
42 | # name: aqua-grpc-web
43 | # namespace: aqua
44 | # type: Opaque
45 | # ---
46 | # apiVersion: v1
47 | # data:
48 | # aqua_gateway.key: ## Input Needed - base64 value of the private key ##
49 | # aqua_gateway.crt: ## Input Needed - base64 value of the public cert ##
50 | # rootCA.crt: ## Input Needed - base64 value of the root CA cert ##
51 | # kind: Secret
52 | # metadata:
53 | # annotations:
54 | # description: Aqua SSL certificates
55 | # labels:
56 | # deployedby: aqua-yaml
57 | # name: aqua-grpc-gateway
58 | # namespace: aqua
59 | # type: Opaque
60 | # ---
61 | # Use the following kubectl command to create the registry pull secret (the aqua-sa ServiceAccount references it under imagePullSecrets as aqua-registry)
62 | ## kubectl create secret docker-registry aqua-registry --docker-server= --docker-username= --docker-password= --docker-email= -n aqua
63 | # If the registry credentials are already configured in your .docker/config.json, use the following Secret block instead
64 | # apiVersion: v1
65 | # data:
66 | # .dockerconfigjson: ## Input Needed ##
67 | # kind: Secret
68 | # metadata:
69 | # annotations:
70 | # description: Secret for pulling Aqua images
71 | # labels:
72 | # deployedby: aqua-yaml
73 | # name: aqua-registry
74 | # namespace: aqua
75 | # type: kubernetes.io/dockerconfigjson
76 | # ---
77 | # # Use the following Secret block to supply the admin password and license as environment variables. If not set, the admin is prompted for them upon initial login.
78 | # apiVersion: v1
79 | # data:
80 | # ### Aqua admin password (base64-encoded)
81 | # ADMIN_PASSWORD: ## Input Needed ##
82 | # LICENSE_TOKEN: ## Input Needed ##
83 | # kind: Secret
84 | # metadata:
85 | # annotations:
86 | # description: Aqua administrator password and License tokens
87 | # labels:
88 | # deployedby: aqua-yaml
89 | # name: aqua-csp-server-secret
90 | # namespace: aqua
91 | # type: Opaque
92 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_004_configMaps/aqua_db.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap  # non-secret settings for the Aqua database; the password comes from the aqua-db Secret in aqua_csp_003_secrets/aqua_secrets.yaml
3 | metadata:
4 | name: aqua-csp-db-config
5 | namespace: aqua
6 | data:
7 | AQUA_ENV_SIZE: "S" # Possible values: “S”, “M”, “L”, defaults to “S”.
8 | PGDATA: "/var/lib/postgresql/data/db-files"  # database files go into a subdirectory of /var/lib/postgresql/data — presumably the volume mount point; confirm against the database deployment
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_004_configMaps/aqua_server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: aqua-csp-server-config
5 | namespace: aqua
6 | data:
7 | # The name of the HTTP header used by the Aqua Server for authentication. Defaults to the standard Authorization header. Can be used when running behind reverse proxies that override this header.
8 | #AUTHORIZATION_HEADER: "aqua-auth"
9 |
10 | # DNS name or IP address of the host of the Postgres Audit database.
11 | SCALOCK_AUDIT_DBHOST: "aqua-audit-db"
12 |
13 | # Name of the Postgres Audit database; all letters must be lower-case
14 | SCALOCK_AUDIT_DBNAME: "slk_audit"
15 |
16 | # Port of the Postgres Audit database.
17 | SCALOCK_AUDIT_DBPORT: "5432"
18 |
19 | # Set this variable to "require" to strictly require an SSL-encrypted connection to the Postgres Audit database.
20 | SCALOCK_AUDIT_DBSSL: "require"
21 |
22 | # Username for connection to the Postgres Audit database.
23 | SCALOCK_AUDIT_DBUSER: "postgres"
24 |
25 | # DNS name or IP address of the host of the Postgres configuration database.
26 | SCALOCK_DBHOST: "aqua-db"
27 |
28 | # Name of the Postgres configuration database; all letters must be lower-case.
29 | SCALOCK_DBNAME: "scalock"
30 |
31 | # Port of the Postgres configuration database.
32 | SCALOCK_DBPORT: "5432"
33 |
34 | # Set the value of this variable to require to strictly require an SSL-encrypted connection to the Postgres configuration database.
35 | SCALOCK_DBSSL: "require"
36 |
37 | # Username for connection to the Postgres configuration database
38 | SCALOCK_DBUSER: "postgres"
39 |
40 | # Setting this might be helpful for problem determination. Acceptable values are DEBUG, INFO, WARN, and ERROR
41 | SCALOCK_LOG_LEVEL: "INFO"
42 |
43 | # Configure this variable with the IP address or DNS name of the Aqua Server, including the port number (8443 by default).
44 | AQUA_CONSOLE_SECURE_ADDRESS: "aqua-web:443"
45 |
46 | # Specify the desired public IP address of the Aqua Gateway. Used to make the Enforcer connect to the Gateway through this IP address.
47 | SCALOCK_GATEWAY_PUBLIC_IP: "aqua-gateway"
48 |
49 | # Specify 0.0.0.0:80 to bring up an HTTP responder on port 80, for use with active load balancers. The port can be changed as needed.
50 | HEALTH_MONITOR: "0.0.0.0:8082"
51 |
52 | # Server's private key for HTTPS and Mutual Auth
53 | #AQUA_PRIVATE_KEY: "/opt/aquasec/ssl/key.pem"
54 |
55 | # Server's public key for HTTPS and Mutual Auth
56 | #AQUA_PUBLIC_KEY: "/opt/aquasec/ssl/cert.pem"
57 |
58 | # Server's root CA cert for HTTPS and Mutual Auth. The root CA certificate file should be mutual for both Gateway and Server certificates
59 | #AQUA_ROOT_CA: "/opt/aquasec/ssl/ca.pem"
60 |
61 | # Set this to 1 configures the gateway to verify the certificate sent by the Enforcer. This is required if you configure mutual authentication between the Enforcer and gateway.
62 | #AQUA_VERIFY_ENFORCER: "1"
63 |
64 | #AQUA_CLUSTER_MODE: "active-active"
65 |
66 | # DNS name or IP address of the host of the Postgres pubsub database
67 | #AQUA_PUBSUB_DBHOST: "aqua-db"
68 |
69 | # Database schema name; set this to the name of your choice. All letters must be lower-case.
70 | #AQUA_PUBSUB_DBNAME: "aqua_pubsub"
71 |
72 | # Username for connection to the Postgres pubsub database
73 | #AQUA_PUBSUB_DBUSER: "postgres"
74 | #AQUA_PUBSUB_DBPORT: "5432"
75 |
76 | # DNS name or IP address of an Aqua Gateway that the Aqua Enforcer will first connect to.
77 | #BATCH_INSTALL_GATEWAY: "aqua-gateway"
78 |
79 | # Orchestrator type to be configured on enforcers.
80 | #BATCH_INSTALL_ORCHESTRATOR: "Kubernetes"
81 |
82 | # Name of the Batch Install object used to connect Aqua Enforcers to the environment.
83 | #BATCH_INSTALL_NAME: "aquayaml-default"
84 |
85 | AQUA_GATEWAY_TOKEN: "1234"
86 | AQUA_DEFAULT_GATEWAY_TOKEN: "1234"
87 |
88 | # URL of HTTPS proxy, if used.
89 | #https_proxy: ""
90 |
91 | # URL of HTTP proxy, if used.
92 | #http_proxy: ""
93 |
94 | # List of addresses that bypass the proxy. Specify the URLs of internal private registries, if used.
95 | #no_proxy: ""
96 |
97 | # Batch installation to token to authenticate enforcer with server
98 | #BATCH_INSTALL_TOKEN: ""
99 |
100 | # Batch installation group name for KubeEnforcer
101 | #AQUA_KE_GROUP_NAME: ""
102 |
103 | # Batch installation token to authenticate KubeEnforcer with server
104 | #AQUA_KE_GROUP_TOKEN: ""
105 |
106 | # Set this to 1 to establish mTLS connection with aqua offline cybercenter
107 | #OFFLINE_CC_MTLS_ENABLE: "1"
108 |
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_005_storage/aqua_db_pvc.yaml:
--------------------------------------------------------------------------------
1 | # PVC for the Aqua configuration database (aqua-db). No storageClassName is set, so the cluster's default StorageClass is used; set one explicitly if the cluster has no default or a specific class is required.
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 |   name: aqua-db-pvc
6 |   namespace: aqua
7 | spec:
8 |   accessModes:
9 |   - ReadWriteOnce
10 |   resources:
11 |     requests:
12 |       storage: 50Gi
13 | ---
14 | # PVC for the Aqua audit database (aqua-audit-db); same sizing and StorageClass behaviour as the claim above.
15 | apiVersion: v1
16 | kind: PersistentVolumeClaim
17 | metadata:
18 |   name: aqua-audit-db-pvc
19 |   namespace: aqua
20 | spec:
21 |   accessModes:
22 |   - ReadWriteOnce
23 |   resources:
24 |     requests:
25 |       storage: 50Gi
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_007_networking/envoy/001_server_gateway_service-envoy.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: aqua-web
5 |   namespace: aqua
6 |   labels:
7 |     app: aqua-web
8 | spec:
9 |   ports:
10 |   - port: 443
11 |     protocol: TCP
12 |     targetPort: 8443
13 |     name: aqua-web-ssl # TLS console port.
14 |   - port: 8080 # Plain-HTTP (insecure-mode) console port. Because the Service is type LoadBalancer it is published on the external address as well; remove this entry unless unencrypted console access is intended.
15 |     protocol: TCP
16 |     targetPort: 8080
17 |     name: aqua-web
18 |   selector:
19 |     app: aqua-web
20 |   type: LoadBalancer # Publishes the ports above on an external load-balancer address; restrict access with loadBalancerSourceRanges or a firewall where possible.
21 | ---
22 | # Headless Service for the Aqua Gateway: resolves to the individual Gateway pod IPs instead of a virtual IP. Presumably consumed by the Envoy configuration (envoy-conf ConfigMap, not part of this listing) — verify.
23 | apiVersion: v1
24 | kind: Service
25 | metadata:
26 |   name: aqua-gateway-headless
27 |   namespace: aqua
28 |   labels:
29 |     app: aqua-gateway
30 | spec:
31 |   clusterIP: None
32 |   type: ClusterIP
33 |   ports:
34 |   - name: aqua-gate-ssl # TLS Gateway listener.
35 |     port: 8443
36 |     protocol: TCP
37 |     targetPort: 8443
38 |   - name: aqua-gate # Gateway listener without the -ssl suffix; by its name the non-TLS one.
39 |     port: 3622
40 |     protocol: TCP
41 |     targetPort: 3622
42 |   - name: aqua-health # Plain-HTTP health responder; must match HEALTH_MONITOR in aqua-csp-server-config (0.0.0.0:8082).
43 |     port: 8082
44 |     protocol: TCP
45 |     targetPort: 8082
46 |   selector:
47 |     app: aqua-gateway
48 | 
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_007_networking/envoy/002_envoy-secrets.yaml:
--------------------------------------------------------------------------------
1 | # apiVersion: v1
2 | # data:
3 | # # Base64-encoded PEM private key and certificate for the Envoy load balancer. Generate a dedicated pair as described in the Aqua documentation; the private key is a credential and must not be committed to source control.
4 | # tls.key: ""
5 | # tls.crt: ""
6 | # kind: Secret
7 | # metadata:
8 | # annotations:
9 | # description: Aqua LB SSL certificates to communicate with external enforcers using TLS
10 | # labels:
11 | # deployedby: aqua-yaml
12 | # name: aqua-lb-certs
13 | # namespace: aqua
14 | # type: Opaque
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_007_networking/envoy/004_envoy-deployment.yaml:
--------------------------------------------------------------------------------
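1 | ---
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 |   name: aqua-lb
6 |   namespace: aqua
7 | spec:
8 |   type: LoadBalancer # External entry point for Enforcers; port 443 is forwarded to Envoy's TLS listener on 8443.
9 |   selector:
10 |     app: envoy
11 |   ports:
12 |   - name: https
13 |     port: 443
14 |     protocol: TCP
15 |     targetPort: 8443
16 | ---
17 | apiVersion: apps/v1
18 | kind: Deployment
19 | metadata:
20 |   name: envoy
21 |   namespace: aqua
22 |   labels:
23 |     aqua.component: envoy
24 | spec:
25 |   replicas: 1
26 |   selector:
27 |     matchLabels:
28 |       app: envoy
29 |   template:
30 |     metadata:
31 |       labels:
32 |         aqua.component: envoy
33 |         app: envoy
34 |     spec:
35 |       serviceAccountName: aqua-sa # "serviceAccount" is a deprecated alias of this field; same behaviour.
36 |       containers:
37 |       - name: envoy
38 |         image: registry.aquasec.com/envoy:2022.4 # Mutable tag; pin to a digest (registry.aquasec.com/envoy@sha256:...) for reproducible, tamper-evident deployments.
39 |         env:
40 |         - name: ENVOY_UID
41 |           value: "0" # Runs Envoy as root. The listener is on 8443 (unprivileged), so a non-root UID is worth testing once the config and cert mounts are readable by it.
42 |         imagePullPolicy: IfNotPresent
43 |         ports:
44 |         - name: https
45 |           containerPort: 8443
46 |         volumeMounts:
47 |         - name: config
48 |           mountPath: /etc/envoy
49 |         # Uncomment together with the "certs" volume below once the aqua-lb-certs Secret exists.
50 |         # - name: certs
51 |         #   mountPath: /etc/ssl/envoy
52 |         readinessProbe:
53 |           httpGet:
54 |             scheme: HTTPS
55 |             path: /healthz
56 |             httpHeaders:
57 |             - name: x-envoy-livenessprobe
58 |               value: healthz
59 |             port: 8443
60 |           initialDelaySeconds: 3
61 |           periodSeconds: 10
62 |           successThreshold: 1
63 |           timeoutSeconds: 1
64 |         livenessProbe:
65 |           httpGet:
66 |             scheme: HTTPS
67 |             path: /healthz
68 |             httpHeaders:
69 |             - name: x-envoy-livenessprobe
70 |               value: healthz
71 |             port: 8443
72 |           initialDelaySeconds: 10
73 |           periodSeconds: 10
74 |           successThreshold: 1
75 |           timeoutSeconds: 1
76 |       volumes:
77 |       - name: config
78 |         configMap:
79 |           defaultMode: 420 # 0644
80 |           name: envoy-conf
81 |       # - name: certs
82 |       #   secret:
83 |       #     defaultMode: 420
84 |       #     secretName: aqua-lb-certs
85 | 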
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_007_networking/loadbalancer/aqua_server_gateway_service-lb.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: aqua-gateway
5 |   namespace: aqua
6 |   labels:
7 |     app: aqua-gateway
8 | spec:
9 |   type: LoadBalancer # Publishes both Gateway ports on an external address; restrict access with loadBalancerSourceRanges or a firewall to the networks your Enforcers connect from.
10 |   ports:
11 |   - port: 8443
12 |     protocol: TCP
13 |     targetPort: 8443
14 |     name: aqua-gateway-ssl # TLS Gateway listener.
15 |   - port: 3622
16 |     protocol: TCP
17 |     targetPort: 3622
18 |     name: aqua-gateway # Gateway listener without the -ssl suffix (by its name the non-TLS one); expose it externally only if your Enforcers actually connect on it.
19 |   selector:
20 |     app: aqua-gateway
21 | ---
22 | apiVersion: v1
23 | kind: Service
24 | metadata:
25 |   name: aqua-web
26 |   namespace: aqua
27 |   labels:
28 |     app: aqua-web
29 | spec:
30 |   ports:
31 |   - port: 443
32 |     protocol: TCP
33 |     targetPort: 8443
34 |     name: aqua-web-ssl # TLS console port.
35 |   - port: 8080 # Plain-HTTP (insecure-mode) console port, published externally as well because the Service is type LoadBalancer. Remove it unless unencrypted console access is intended.
36 |     protocol: TCP
37 |     targetPort: 8080
38 |     name: aqua-web
39 |   selector:
40 |     app: aqua-web
41 |   type: LoadBalancer
42 | 
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_007_networking/openshift_route/aqua-gateway-route.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: aqua-gateway
5 |   namespace: aqua
6 |   labels:
7 |     app: aqua-gateway
8 | spec:
9 |   type: LoadBalancer # NOTE(review): with the passthrough Route below, a ClusterIP Service is sufficient; type LoadBalancer additionally publishes 8443 and 3622 directly, bypassing the Route. Keep it only if Enforcers must reach the Gateway without going through the OpenShift router.
10 |   ports:
11 |   - port: 8443
12 |     protocol: TCP
13 |     targetPort: 8443
14 |     name: aqua-gateway-ssl # TLS Gateway listener; the Route below targets this port.
15 |   - port: 3622
16 |     protocol: TCP
17 |     targetPort: 3622
18 |     name: aqua-gateway # Gateway listener without the -ssl suffix (by its name the non-TLS one).
19 |   selector:
20 |     app: aqua-gateway
21 | ---
22 | kind: Route
23 | apiVersion: route.openshift.io/v1
24 | metadata:
25 |   name: aqua-gateway
26 |   namespace: aqua
27 |   labels:
28 |     app: aqua-gateway
29 | spec:
30 |   to:
31 |     kind: Service
32 |     name: aqua-gateway
33 |     weight: 100
34 |   port:
35 |     targetPort: aqua-gateway-ssl
36 |   tls:
37 |     termination: passthrough # TLS is terminated by the Gateway itself, so the router never sees plaintext and the Gateway's own certificate is what Enforcers verify.
38 |     insecureEdgeTerminationPolicy: None # No plain-HTTP entry for the Gateway.
39 |   wildcardPolicy: None
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/manifests/aqua_csp_007_networking/openshift_route/aqua-web-route.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: aqua-web
5 |   namespace: aqua
6 |   labels:
7 |     app: aqua-web
8 | spec:
9 |   ports:
10 |   - port: 443
11 |     protocol: TCP
12 |     targetPort: 8443
13 |     name: aqua-web-ssl # TLS console port; the Route below targets it.
14 |   - port: 8080 # Plain-HTTP (insecure-mode) console port. Note that the Route's Redirect policy below applies only to traffic entering via the router; this LoadBalancer Service still publishes 8080 directly.
15 |     protocol: TCP
16 |     targetPort: 8080
17 |     name: aqua-web
18 |   selector:
19 |     app: aqua-web
20 |   type: LoadBalancer # NOTE(review): with a Route in place, ClusterIP is sufficient unless direct external access to the Service is required.
21 | ---
22 | kind: Route
23 | apiVersion: route.openshift.io/v1
24 | metadata:
25 |   name: aqua-web
26 |   namespace: aqua
27 |   labels:
28 |     app: aqua-web
29 | spec:
30 |   to:
31 |     kind: Service
32 |     name: aqua-web
33 |     weight: 100
34 |   port:
35 |     # To serve the console over plain HTTP (insecure mode, not recommended), change targetPort to aqua-web; the tls block below would then need changing too, since passthrough forwards TLS bytes unchanged to the backend.
36 |     targetPort: aqua-web-ssl
37 |   tls:
38 |     termination: passthrough # TLS is terminated by the Aqua Server; the router forwards the encrypted stream as-is.
39 |     insecureEdgeTerminationPolicy: Redirect # HTTP requests reaching the router are redirected to HTTPS.
40 |   wildcardPolicy: None
41 | 
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/operator/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Server using Operator
2 |
3 | You can deploy Server for the Aqua Enterprise in your OpenShift cluster using a Kubernetes Operator. Use the following resources from the aqua-operator repository:
4 |
5 | * [Deploy Aqua Operator in your OpenShift cluster](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-the-aqua-operator)
6 | * Deploy Aqua server using [AquaCSP CRD](https://github.com/aquasecurity/aqua-operator/blob/2022.4/deploy/crds/operator_v1alpha1_aquacsp_cr.yaml) and by following the [deployment instructions](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#deploying-aqua-enterprise-using-custom-resources)
7 | * CR usage examples are available in the [Operator repository](https://github.com/aquasecurity/aqua-operator/blob/2022.4/docs/DeployOpenShiftOperator.md#Example-Simple-deployment-of-the-Aqua-Server)
8 |
9 | Ensure that you use the latest branch of the Aqua Security Operator repository.
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/test_upgrade/001_aqua_test_upgrade_configMap.yaml:
--------------------------------------------------------------------------------
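1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: aqua-csp-test-upgrade-config
5 |   namespace: aqua
6 | data:
7 |   # Connection settings of the EXISTING Aqua databases; they must match what the running console uses (see aqua-csp-server-config). Passwords come from the aqua-db / aqua-audit-db Secrets, never from here.
8 |   SCALOCK_DBUSER: "postgres"
9 |   SCALOCK_DBNAME: "scalock"
10 |   SCALOCK_DBHOST: "aqua-db"
11 |   SCALOCK_DBPORT: "5432"
12 |   # Listed as a prerequisite in the README and set to "require" in the server ConfigMap; without it the test job would fall back to a non-TLS connection.
13 |   SCALOCK_DBSSL: "require"
14 |   SCALOCK_AUDIT_DBUSER: "postgres"
15 |   SCALOCK_AUDIT_DBNAME: "slk_audit"
16 |   SCALOCK_AUDIT_DBHOST: "aqua-audit-db"
17 |   SCALOCK_AUDIT_DBPORT: "5432"
18 |   SCALOCK_AUDIT_DBSSL: "require"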
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/test_upgrade/002_aqua_test_uprade_secrets.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   ### Base64-encoded password of the existing Aqua configuration database (injected as SCALOCK_DBPASSWORD by the test-upgrade Job). The value below is only a sample and does NOT decode to "password": replace it with the password your running aqua-db uses (e.g. `echo -n '<password>' | base64`) and keep the edited file out of source control.
4 |   password: dUd3aFRuaE9LNmhFSWYrUExid2lGOHF6ZjVWWWgrRjA=
5 | kind: Secret
6 | metadata:
7 |   annotations:
8 |     description: Aqua database password secret
9 |   labels:
10 |     deployedby: aqua-yaml
11 |   name: aqua-db
12 |   namespace: aqua
13 | type: Opaque
14 | ---
15 | apiVersion: v1
16 | data:
17 |   ### Base64-encoded password of the existing Aqua audit database (injected as SCALOCK_AUDIT_DBPASSWORD by the test-upgrade Job). Sample value only; replace it with the real audit-database password, base64-encoded as above.
18 |   password: dUd3aFRuaE9LNmhFSWYrUExid2lGOHF6ZjVWWWgrRjA=
19 | kind: Secret
20 | metadata:
21 |   annotations:
22 |     description: Aqua audit database password secret
23 |   labels:
24 |     deployedby: aqua-yaml
25 |   name: aqua-audit-db
26 |   namespace: aqua
27 | type: Opaque
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/test_upgrade/003_aqua_test_upgrade_job.yaml:
--------------------------------------------------------------------------------
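1 | apiVersion: batch/v1
2 | kind: Job
3 | metadata:
4 |   name: test-upgrade
5 |   namespace: aqua
6 | spec:
7 |   template:
8 |     metadata:
9 |       labels:
10 |         app: test-upgrade
11 |       name: test-upgrade
12 |     spec:
13 |       serviceAccountName: aqua-sa # "serviceAccount" is a deprecated alias of this field; same behaviour.
14 |       imagePullSecrets:
15 |       - name: aqua-registry
16 |       containers:
17 |       - name: test-upgrade
18 |         # Run the NEW console image's dry-run upgrade check against the existing databases. Use the exact version you intend to upgrade to; pinning by digest (console@sha256:...) makes the test reproducible.
19 |         image: registry.aquasec.com/console:2022.4
20 |         command: ["/opt/aquasec/sedockweb"]
21 |         args: ["test-upgrade"]
22 |         envFrom:
23 |         - configMapRef:
24 |             name: aqua-csp-test-upgrade-config # Connection settings (host, name, port, user, SSL mode).
25 |         env:
26 |         # Passwords are read from Secrets so they never appear in the ConfigMap or the pod spec.
27 |         - name: SCALOCK_DBPASSWORD
28 |           valueFrom:
29 |             secretKeyRef:
30 |               key: password
31 |               name: aqua-db
32 |         - name: SCALOCK_AUDIT_DBPASSWORD
33 |           valueFrom:
34 |             secretKeyRef:
35 |               key: password
36 |               name: aqua-audit-db
37 |       restartPolicy: Never # A failed check should stay visible for inspection rather than be retried in place.
38 | 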
--------------------------------------------------------------------------------
/server/kubernetes_and_openshift/test_upgrade/README.md:
--------------------------------------------------------------------------------
1 | ## Aqua test-upgrade
2 |
3 | The test upgrade is a dry run of the upgrade process: it verifies that the databases can be upgraded to the new version before you change the running environment. It runs the new console image with the `test-upgrade` command against the existing databases, and can be done while the current console container is still running, so it requires no downtime.
4 |
5 | ## Prerequisites
6 |
7 | To test the upgrade, the Job needs the database credentials and connection variables of the existing Aqua console deployment. These are configured in the associated ConfigMap and Secret; make sure the SSL settings match the ones the running console uses.
8 | - `SCALOCK_DBUSER`
9 | - `SCALOCK_DBNAME`
10 | - `SCALOCK_DBHOST`
11 | - `SCALOCK_DBPORT`
12 | - `SCALOCK_DBSSL`
13 | - `SCALOCK_AUDIT_DBUSER`
14 | - `SCALOCK_AUDIT_DBNAME`
15 | - `SCALOCK_AUDIT_DBHOST`
16 | - `SCALOCK_AUDIT_DBPORT`
17 | - `SCALOCK_AUDIT_DBSSL`
18 |
19 |
20 | ## Test the Aqua Console upgrade
21 |
22 | 1. **Create test-upgrade configmap**
23 |
24 | As specified in the prerequisites above, download the ConfigMap manifest, update it with the connection settings of your existing databases, and then apply the edited local copy. (Applying the raw URL directly would deploy the sample values unchanged, which is why the file is fetched first.)
25 | 
26 | ```SHELL
27 | $ curl -sSLO https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/server/kubernetes_and_openshift/test_upgrade/001_aqua_test_upgrade_configMap.yaml
28 | $ kubectl apply -f 001_aqua_test_upgrade_configMap.yaml
29 | ```
29 |
30 | 2. **Create test-upgrade secrets**
31 |
32 | As specified in the prerequisites above, download the Secret manifest, replace the sample base64 values with the real database passwords, and apply the edited local copy. Do not commit the edited file to source control.
33 | 
34 | ```shell
35 | $ curl -sSLO https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/server/kubernetes_and_openshift/test_upgrade/002_aqua_test_uprade_secrets.yaml
36 | $ kubectl apply -f 002_aqua_test_uprade_secrets.yaml
37 | ```
37 |
38 | 3. **Deploy the Console test-upgrade Job**
39 |
40 | The Job runs the new console image's `test-upgrade` command and ends with either a success or an error output; check its logs (`kubectl -n aqua logs job/test-upgrade`) to see whether the databases can be upgraded to the new version. Review the manifest before applying it, as with any resource fetched from a remote URL.
41 |
42 | ```shell
43 | $ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/server/kubernetes_and_openshift/test_upgrade/003_aqua_test_upgrade_job.yaml
44 | ```
45 |
46 | ## Upgrade the Aqua installation
47 |
48 | 1. **Deploy the upgraded Console**
49 |
50 | Redeploy the Aqua console and other deployed components with the new release version that was tested.
51 |
52 |
53 |
--------------------------------------------------------------------------------
/tenant_manager/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Deploy Tenant Manager
4 |
5 | ## Overview
6 |
7 | The Aqua Tenant Manager is an optional application that allows you to create security policies and distribute them to multiple domains (groups) of Aqua instances (tenants). This ensures that all security policies, or a selected subset of them, are applied uniformly across the organization.
8 |
9 | The Tenant Manager is a web-based application with a simple, intuitive user interface (UI), which enables a single administrator to maintain the enterprise's security policies with little effort.
10 |
11 | ## Deployment methods
12 | - [manifests](./kubernetes_and_openshift/manifests)
13 | - [Helm](./kubernetes_and_openshift/helm)
14 |
15 | ## Suited for
16 | - Aqua Enterprise Self-Hosted
17 |
18 | ## Resources
19 | - [Deploy the Tenant Manager](https://docs.aquasec.com/docs/tm-deploy)
20 | - [What is the Tenant Manager](https://docs.aquasec.com/docs/tm-what-is)
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/helm/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Aqua Tenant Manager using Helm
2 |
3 | You can deploy Tenant Manager in your Kubernetes cluster, using the Helm charts. For deployment instructions, refer to the [aqua-helm repository](https://github.com/aquasecurity/aqua-helm/tree/2022.4/tenant-manager#aqua-security-tenant-manager-helm-chart).
4 |
5 | Ensure that you use the latest branch of the Aqua Security Helm repository.
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/001_tm_namespace/aqua_namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | labels:
5 | deployedby: aqua-deployments
6 | name: aqua
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/aks/aqua_sa.yaml:
--------------------------------------------------------------------------------
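1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry
4 | kind: ServiceAccount
5 | metadata:
6 |   annotations:
7 |     description: Service account for pulling Aqua images and for Aqua privileged
8 |   labels:
9 |     deployedby: aqua-yaml
10 |   name: aqua-sa
11 |   namespace: aqua
12 | ---
13 | # Read-only discovery role for the Aqua service account. ClusterRoles are cluster-scoped, so no metadata.namespace is set (a value there is ignored by the API server).
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | kind: ClusterRole
16 | metadata:
17 |   labels:
18 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
19 |     rbac.example.com/aggregate-to-monitoring: "true"
20 |     deployedby: aqua-yaml
21 |   name: aqua-discovery-cr
22 | rules:
23 | - apiGroups: [""]
24 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
25 |   verbs: ["get", "list", "watch"]
26 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
27 | - apiGroups: ["apps"]
28 |   resources: ["deployments"]
29 |   verbs: ["get", "list", "watch"]
30 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
31 | - apiGroups: ["rbac.authorization.k8s.io"]
32 |   resources: ["*"]
33 |   verbs: ["get", "list", "watch"]
34 | ---
35 | apiVersion: rbac.authorization.k8s.io/v1
36 | kind: ClusterRoleBinding
37 | metadata:
38 |   name: aqua-discovery-crb
39 | roleRef:
40 |   apiGroup: rbac.authorization.k8s.io
41 |   kind: ClusterRole
42 |   name: aqua-discovery-cr
43 | subjects:
44 | - kind: ServiceAccount
45 |   name: aqua-sa
46 |   namespace: aqua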
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/eks/aqua_sa.yaml:
--------------------------------------------------------------------------------
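1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry
4 | kind: ServiceAccount
5 | metadata:
6 |   annotations:
7 |     description: Service account for pulling Aqua images and for Aqua privileged
8 |   labels:
9 |     deployedby: aqua-yaml
10 |   name: aqua-sa
11 |   namespace: aqua
12 | ---
13 | # Read-only discovery role for the Aqua service account. ClusterRoles are cluster-scoped, so no metadata.namespace is set (a value there is ignored by the API server).
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | kind: ClusterRole
16 | metadata:
17 |   labels:
18 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
19 |     rbac.example.com/aggregate-to-monitoring: "true"
20 |     deployedby: aqua-yaml
21 |   name: aqua-discovery-cr
22 | rules:
23 | - apiGroups: [""]
24 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
25 |   verbs: ["get", "list", "watch"]
26 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
27 | - apiGroups: ["apps"]
28 |   resources: ["deployments"]
29 |   verbs: ["get", "list", "watch"]
30 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
31 | - apiGroups: ["rbac.authorization.k8s.io"]
32 |   resources: ["*"]
33 |   verbs: ["get", "list", "watch"]
34 | ---
35 | apiVersion: rbac.authorization.k8s.io/v1
36 | kind: ClusterRoleBinding
37 | metadata:
38 |   name: aqua-discovery-crb
39 | roleRef:
40 |   apiGroup: rbac.authorization.k8s.io
41 |   kind: ClusterRole
42 |   name: aqua-discovery-cr
43 | subjects:
44 | - kind: ServiceAccount
45 |   name: aqua-sa
46 |   namespace: aqua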
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/gke/aqua_sa.yaml:
--------------------------------------------------------------------------------
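1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry
4 | kind: ServiceAccount
5 | metadata:
6 |   annotations:
7 |     description: Service account for pulling Aqua images and for Aqua privileged
8 |   labels:
9 |     deployedby: aqua-yaml
10 |   name: aqua-sa
11 |   namespace: aqua
12 | ---
13 | # Read-only discovery role for the Aqua service account. ClusterRoles are cluster-scoped, so no metadata.namespace is set (a value there is ignored by the API server).
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | kind: ClusterRole
16 | metadata:
17 |   labels:
18 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
19 |     rbac.example.com/aggregate-to-monitoring: "true"
20 |     deployedby: aqua-yaml
21 |   name: aqua-discovery-cr
22 | rules:
23 | - apiGroups: [""]
24 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
25 |   verbs: ["get", "list", "watch"]
26 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
27 | - apiGroups: ["apps"]
28 |   resources: ["deployments"]
29 |   verbs: ["get", "list", "watch"]
30 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
31 | - apiGroups: ["rbac.authorization.k8s.io"]
32 |   resources: ["*"]
33 |   verbs: ["get", "list", "watch"]
34 | ---
35 | apiVersion: rbac.authorization.k8s.io/v1
36 | kind: ClusterRoleBinding
37 | metadata:
38 |   name: aqua-discovery-crb
39 | roleRef:
40 |   apiGroup: rbac.authorization.k8s.io
41 |   kind: ClusterRole
42 |   name: aqua-discovery-cr
43 | subjects:
44 | - kind: ServiceAccount
45 |   name: aqua-sa
46 |   namespace: aqua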
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/ibm/aqua_sa.yaml:
--------------------------------------------------------------------------------
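1 | # PodSecurityPolicy grant for IBM Cloud clusters. PSP was removed from Kubernetes in v1.25; on clusters that still have it, verify the API group the PSP is served from ("policy" on newer PSP-era clusters) and adjust apiGroups below if "extensions" no longer matches.
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 |   name: aqua-psp-cr
6 | rules:
7 | - apiGroups: ["extensions"]
8 |   resourceNames: ["ibm-privileged-psp"]
9 |   resources: ["podsecuritypolicies"]
10 |   verbs: ["use"]
11 | ---
12 | apiVersion: rbac.authorization.k8s.io/v1
13 | kind: ClusterRoleBinding
14 | metadata:
15 |   name: aqua-psp-crb
16 | roleRef:
17 |   apiGroup: rbac.authorization.k8s.io
18 |   kind: ClusterRole
19 |   name: aqua-psp-cr # Must reference the ClusterRole defined above; nothing in this file creates a role by any other name.
20 | subjects:
21 | # NOTE(review): this grants use of the privileged PSP to EVERY service account in the "aqua" namespace, including "default". Narrow it to `kind: ServiceAccount, name: aqua-sa, namespace: aqua` if no other workload in the namespace needs it.
22 | - apiGroup: rbac.authorization.k8s.io
23 |   kind: Group
24 |   name: system:serviceaccounts:aqua
25 | ---
26 | apiVersion: v1
27 | imagePullSecrets:
28 | - name: aqua-registry
29 | kind: ServiceAccount
30 | metadata:
31 |   annotations:
32 |     description: Service account for pulling Aqua images and for Aqua privileged
33 |   labels:
34 |     deployedby: aqua-yaml
35 |   name: aqua-sa
36 |   namespace: aqua
37 | ---
38 | # Read-only discovery role for the Aqua service account. ClusterRoles are cluster-scoped, so no metadata.namespace is set (a value there is ignored by the API server).
39 | apiVersion: rbac.authorization.k8s.io/v1
40 | kind: ClusterRole
41 | metadata:
42 |   labels:
43 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
44 |     rbac.example.com/aggregate-to-monitoring: "true"
45 |     deployedby: aqua-yaml
46 |   name: aqua-discovery-cr
47 | rules:
48 | - apiGroups: [""]
49 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
50 |   verbs: ["get", "list", "watch"]
51 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
52 | - apiGroups: ["apps"]
53 |   resources: ["deployments"]
54 |   verbs: ["get", "list", "watch"]
55 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
56 | - apiGroups: ["rbac.authorization.k8s.io"]
57 |   resources: ["*"]
58 |   verbs: ["get", "list", "watch"]
59 | ---
60 | apiVersion: rbac.authorization.k8s.io/v1
61 | kind: ClusterRoleBinding
62 | metadata:
63 |   name: aqua-discovery-crb
64 | roleRef:
65 |   apiGroup: rbac.authorization.k8s.io
66 |   kind: ClusterRole
67 |   name: aqua-discovery-cr
68 | subjects:
69 | - kind: ServiceAccount
70 |   name: aqua-sa
71 |   namespace: aqua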
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/k3s/aqua_sa.yaml:
--------------------------------------------------------------------------------
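1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry
4 | kind: ServiceAccount
5 | metadata:
6 |   annotations:
7 |     description: Service account for pulling Aqua images and for Aqua privileged
8 |   labels:
9 |     deployedby: aqua-yaml
10 |   name: aqua-sa
11 |   namespace: aqua
12 | ---
13 | # Read-only discovery role for the Aqua service account. ClusterRoles are cluster-scoped, so no metadata.namespace is set (a value there is ignored by the API server).
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | kind: ClusterRole
16 | metadata:
17 |   labels:
18 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
19 |     rbac.example.com/aggregate-to-monitoring: "true"
20 |     deployedby: aqua-yaml
21 |   name: aqua-discovery-cr
22 | rules:
23 | - apiGroups: [""]
24 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
25 |   verbs: ["get", "list", "watch"]
26 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
27 | - apiGroups: ["apps"]
28 |   resources: ["deployments"]
29 |   verbs: ["get", "list", "watch"]
30 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
31 | - apiGroups: ["rbac.authorization.k8s.io"]
32 |   resources: ["*"]
33 |   verbs: ["get", "list", "watch"]
34 | ---
35 | apiVersion: rbac.authorization.k8s.io/v1
36 | kind: ClusterRoleBinding
37 | metadata:
38 |   name: aqua-discovery-crb
39 | roleRef:
40 |   apiGroup: rbac.authorization.k8s.io
41 |   kind: ClusterRole
42 |   name: aqua-discovery-cr
43 | subjects:
44 | - kind: ServiceAccount
45 |   name: aqua-sa
46 |   namespace: aqua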
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/native_k8s/aqua_sa.yaml:
--------------------------------------------------------------------------------
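1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry
4 | kind: ServiceAccount
5 | metadata:
6 |   annotations:
7 |     description: Service account for pulling Aqua images and for Aqua privileged
8 |   labels:
9 |     deployedby: aqua-yaml
10 |   name: aqua-sa
11 |   namespace: aqua
12 | ---
13 | # Read-only discovery role for the Aqua service account. ClusterRoles are cluster-scoped, so no metadata.namespace is set (a value there is ignored by the API server).
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | kind: ClusterRole
16 | metadata:
17 |   labels:
18 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
19 |     rbac.example.com/aggregate-to-monitoring: "true"
20 |     deployedby: aqua-yaml
21 |   name: aqua-discovery-cr
22 | rules:
23 | - apiGroups: [""]
24 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
25 |   verbs: ["get", "list", "watch"]
26 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
27 | - apiGroups: ["apps"]
28 |   resources: ["deployments"]
29 |   verbs: ["get", "list", "watch"]
30 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
31 | - apiGroups: ["rbac.authorization.k8s.io"]
32 |   resources: ["*"]
33 |   verbs: ["get", "list", "watch"]
34 | ---
35 | apiVersion: rbac.authorization.k8s.io/v1
36 | kind: ClusterRoleBinding
37 | metadata:
38 |   name: aqua-discovery-crb
39 | roleRef:
40 |   apiGroup: rbac.authorization.k8s.io
41 |   kind: ClusterRole
42 |   name: aqua-discovery-cr
43 | subjects:
44 | - kind: ServiceAccount
45 |   name: aqua-sa
46 |   namespace: aqua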
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/openshift/aqua_sa.yaml:
--------------------------------------------------------------------------------
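1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry
4 | kind: ServiceAccount
5 | metadata:
6 |   annotations:
7 |     description: Service account for pulling Aqua images and for Aqua privileged
8 |   labels:
9 |     deployedby: aqua-yaml
10 |   name: aqua-sa
11 |   namespace: aqua
12 | ---
13 | # Read-only discovery role for the Aqua service account.
14 | kind: ClusterRole
15 | apiVersion: rbac.authorization.k8s.io/v1
16 | metadata:
17 |   name: aqua-discovery-cr
18 |   labels:
19 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
20 |     rbac.example.com/aggregate-to-monitoring: "true"
21 | rules:
22 | - apiGroups: [""]
23 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
24 |   verbs: ["get", "list", "watch"]
25 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
26 | - apiGroups: ["apps"]
27 |   resources: ["deployments"]
28 |   verbs: ["get", "list", "watch"]
29 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
30 | - apiGroups: ["rbac.authorization.k8s.io"]
31 |   resources: ["*"]
32 |   verbs: ["get", "list", "watch"]
33 | # ImageStreams belong to the image.openshift.io API group; a core-group rule does not match them.
34 | - apiGroups: ["image.openshift.io"]
35 |   resources: ["imagestreams", "imagestreams/layers"]
36 |   verbs: ["get", "list", "watch"]
37 | ---
38 | apiVersion: rbac.authorization.k8s.io/v1
39 | kind: ClusterRoleBinding
40 | metadata:
41 |   name: aqua-discovery-crb
42 | roleRef:
43 |   name: aqua-discovery-cr
44 |   apiGroup: rbac.authorization.k8s.io
45 |   kind: ClusterRole
46 | subjects:
47 | - kind: ServiceAccount
48 |   name: aqua-sa
49 |   namespace: aqua
50 | ---
51 | # NOTE(review): cluster-reader is OpenShift's built-in broad read role and covers far more than aqua-discovery-cr above. Keep this binding only if the Tenant Manager needs more than the discovery role grants.
52 | kind: ClusterRoleBinding
53 | apiVersion: rbac.authorization.k8s.io/v1
54 | metadata:
55 |   name: cluster-reader
56 | subjects:
57 | - kind: ServiceAccount
58 |   name: aqua-sa
59 |   namespace: aqua
60 | roleRef:
61 |   apiGroup: rbac.authorization.k8s.io
62 |   kind: ClusterRole
63 |   name: cluster-reader
64 | ---
65 | # Custom SCC bound to aqua-sa. NOTE(review): it permits hostPath volumes, the host PID namespace and a wide capability set (SYS_ADMIN, SYS_MODULE, ...), which is far beyond what a web application normally needs. Confirm which of these the Tenant Manager pods actually request and remove the rest.
66 | allowHostDirVolumePlugin: true
67 | allowHostIPC: false
68 | allowHostNetwork: false
69 | allowHostPID: true
70 | allowHostPorts: false
71 | allowPrivilegeEscalation: false
72 | allowPrivilegedContainer: false
73 | allowedCapabilities:
74 | - SYS_ADMIN
75 | - NET_ADMIN
76 | - NET_RAW
77 | - SYS_PTRACE
78 | - KILL
79 | - MKNOD
80 | - SETGID
81 | - SETUID
82 | - SYS_MODULE
83 | - AUDIT_CONTROL
84 | - SYSLOG
85 | - SYS_CHROOT
86 | apiVersion: security.openshift.io/v1
87 | defaultAddCapabilities: null
88 | fsGroup:
89 |   type: RunAsAny
90 | groups: []
91 | kind: SecurityContextConstraints
92 | metadata:
93 |   annotations:
94 |     kubernetes.io/description: aqua scc provides all features of the restricted SCC
95 |       but allows users to run with any non-root UID and access hostPath. The user must
96 |       specify the UID or it must be specified by the manifest of the container runtime.
97 |     release.openshift.io/create-only: "true"
98 |   name: aqua-scc
99 | priority: null
100 | readOnlyRootFilesystem: false
101 | requiredDropCapabilities: null
102 | runAsUser:
103 |   type: RunAsAny # Contrary to the description above, RunAsAny also permits UID 0; use MustRunAsNonRoot if root is not required.
104 | seLinuxContext:
105 |   type: MustRunAs
106 | supplementalGroups:
107 |   type: RunAsAny
108 | users:
109 | - system:serviceaccount:aqua:aqua-sa
110 | volumes:
111 | - configMap
112 | - downwardAPI
113 | - emptyDir
114 | - persistentVolumeClaim
115 | - projected
116 | - secret
117 | - hostPath # Allows mounting arbitrary host directories; drop it if the Tenant Manager pods do not declare a hostPath volume.
118 | 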
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/rancher/aqua_sa.yaml:
--------------------------------------------------------------------------------
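1 | apiVersion: v1
2 | imagePullSecrets:
3 | - name: aqua-registry
4 | kind: ServiceAccount
5 | metadata:
6 |   annotations:
7 |     description: Service account for pulling Aqua images and for Aqua privileged
8 |   labels:
9 |     deployedby: aqua-yaml
10 |   name: aqua-sa
11 |   namespace: aqua
12 | ---
13 | # Read-only discovery role for the Aqua service account. ClusterRoles are cluster-scoped, so no metadata.namespace is set (a value there is ignored by the API server).
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | kind: ClusterRole
16 | metadata:
17 |   labels:
18 |     # Aggregation label; it only has an effect if some ClusterRole carries an aggregationRule selecting it.
19 |     rbac.example.com/aggregate-to-monitoring: "true"
20 |     deployedby: aqua-yaml
21 |   name: aqua-discovery-cr
22 | rules:
23 | - apiGroups: [""]
24 |   resources: ["nodes", "services", "endpoints", "pods", "namespaces", "componentstatuses"]
25 |   verbs: ["get", "list", "watch"]
26 | # Deployments are in the "apps" API group, not the core group, so they need their own rule.
27 | - apiGroups: ["apps"]
28 |   resources: ["deployments"]
29 |   verbs: ["get", "list", "watch"]
30 | # Read-only view of every RBAC object (roles, bindings, ...) cluster-wide.
31 | - apiGroups: ["rbac.authorization.k8s.io"]
32 |   resources: ["*"]
33 |   verbs: ["get", "list", "watch"]
34 | ---
35 | apiVersion: rbac.authorization.k8s.io/v1
36 | kind: ClusterRoleBinding
37 | metadata:
38 |   name: aqua-discovery-crb
39 | roleRef:
40 |   apiGroup: rbac.authorization.k8s.io
41 |   kind: ClusterRole
42 |   name: aqua-discovery-cr
43 | subjects:
44 | - kind: ServiceAccount
45 |   name: aqua-sa
46 |   namespace: aqua
47 | 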
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/tkg/aqua_sa.yaml:
--------------------------------------------------------------------------------
# ServiceAccount used by the Tenant Manager pods plus the RBAC it needs (TKG variant).
# imagePullSecrets references the docker-registry secret created in the README
# (pre-deployment step 2).
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    # NOTE: the description is a truncated sentence ("...and for Aqua privileged");
    # it is only an annotation and does not affect behaviour.
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
# Cluster-wide read-only discovery role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Placeholder label from the Kubernetes RBAC aggregation example; no aggregating
    # ClusterRole selecting it appears on this page, so it presumably does nothing here.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field is ignored by the API server.
  namespace: aqua
rules:
  # NOTE(review): "deployments" is listed under the core ("") API group, but Deployments
  # live in the "apps" group, so that entry grants nothing. If the Tenant Manager needs
  # to read Deployments, add a rule for apiGroups: ["apps"]; otherwise drop the entry.
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read access to every RBAC object (Roles, ClusterRoles and their bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  namespace: aqua               # ignored: ClusterRoleBindings are cluster-scoped
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
---
# TKG-specific: allows pods in namespace aqua to use the vmware-system-privileged
# PodSecurityPolicy (only relevant on clusters where PSP admission is still enabled).
#
# NOTE(review): the subject is the Group `system:serviceaccounts`, i.e. EVERY
# ServiceAccount in the aqua namespace (including `default`) is granted the privileged
# PSP, not just aqua-sa. The least-privilege form is a single subject of
# `kind: ServiceAccount, name: aqua-sa, namespace: aqua` — confirm no other SA in the
# namespace relies on this binding before narrowing it.
# The name still says "ns_default" although the binding lives in namespace aqua;
# it looks copied from a template and could be renamed for clarity.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-default-privileged-sa-ns_default
  namespace: aqua
roleRef:
  kind: ClusterRole
  name: psp:vmware-system-privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts
56 |
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/tkgi/aqua_sa.yaml:
--------------------------------------------------------------------------------
# ServiceAccount used by the Tenant Manager pods plus the RBAC it needs (TKGI variant).
# imagePullSecrets references the docker-registry secret created in the README
# (pre-deployment step 2).
apiVersion: v1
imagePullSecrets:
  - name: aqua-registry
kind: ServiceAccount
metadata:
  annotations:
    # NOTE: the description is a truncated sentence ("...and for Aqua privileged");
    # it is only an annotation and does not affect behaviour.
    description: Service account for pulling Aqua images and for Aqua privileged
  labels:
    deployedby: aqua-yaml
  name: aqua-sa
  namespace: aqua
---
# Cluster-wide read-only discovery role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # Placeholder label from the Kubernetes RBAC aggregation example; no aggregating
    # ClusterRole selecting it appears on this page, so it presumably does nothing here.
    rbac.example.com/aggregate-to-monitoring: "true"
    deployedby: aqua-yaml
  name: aqua-discovery-cr
  # ClusterRoles are cluster-scoped; this namespace field is ignored by the API server.
  namespace: aqua
rules:
  # NOTE(review): "deployments" is listed under the core ("") API group, but Deployments
  # live in the "apps" group, so that entry grants nothing. If the Tenant Manager needs
  # to read Deployments, add a rule for apiGroups: ["apps"]; otherwise drop the entry.
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods", "deployments", "namespaces","componentstatuses"]
    verbs: ["get", "list", "watch"]
  # Read access to every RBAC object (Roles, ClusterRoles and their bindings) cluster-wide.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aqua-discovery-crb
  namespace: aqua               # ignored: ClusterRoleBindings are cluster-scoped
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aqua-discovery-cr
subjects:
  - kind: ServiceAccount
    name: aqua-sa
    namespace: aqua
42 |
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/003_tm_secrets/aqua_tm_secret.yaml:
--------------------------------------------------------------------------------
# Secret holding the Tenant Manager database password. The Deployment on this page
# reads key `password` into both AQUA_TM_DBPASSWORD and AQUA_TM_AUDIT_DBPASSWORD, so
# the main and audit databases are expected to share this credential.
#
# NOTE(review): the value below is a fixed, base64-encoded literal committed to the
# repository, and the README applies this file straight from the raw GitHub URL.
# Every installation that applies it unchanged ends up with the same, repository-visible
# DB password. Replace the value before applying, or create the Secret out of band
# (e.g. `kubectl create secret generic aqua-tm-db --from-literal=password=<generated> -n aqua`)
# and keep the real value out of version control.
apiVersion: v1
data:
  password: dUd3aFRuaE9LNmhFSWYrUExid2lGOHF6ZjVWWWgrRjA=
kind: Secret
metadata:
  annotations:
    description: Aqua Tenant Manager database password secret
  creationTimestamp: null       # export artifact; harmless
  labels:
    deployedby: aqua-yaml
  name: aqua-tm-db
  namespace: aqua
type: Opaque
14 |
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/004_tm_configMaps/aqua_tm_config.yaml:
--------------------------------------------------------------------------------
# Non-secret Tenant Manager configuration, injected whole via `envFrom` in the Deployment.
# The DB passwords are deliberately NOT here: the Deployment reads AQUA_TM_DBPASSWORD
# and AQUA_TM_AUDIT_DBPASSWORD from the `aqua-tm-db` Secret. For an external database,
# edit the host/name/port/user values below and create that Secret with the matching
# password.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aqua-tenant-manager-config
  namespace: aqua
data:
  # DNS name or IP address of the host of the Postgres database.
  AQUA_TM_DBHOST: "aqua-tm-db"

  # Name of the Postgres database; all letters must be lower-case
  AQUA_TM_DBNAME: "tenantmanager"

  # Port of the Postgres database.
  AQUA_TM_DBPORT: "5432"

  # Username for connection to the Postgres database.
  # NOTE(review): "postgres" is the Postgres superuser; a dedicated, least-privilege
  # role for the Tenant Manager is preferable when the database is external.
  AQUA_TM_DBUSER: "postgres"

  # DNS name or IP address of the host of the Postgres Audit database.
  # Defaults to the same host/user as the main database.
  AQUA_TM_AUDIT_DBHOST: "aqua-tm-db"

  # Name of the Postgres Audit database; all letters must be lower-case
  AQUA_TM_AUDIT_DBNAME: "tm_audit"

  # Port of the Postgres Audit database.
  AQUA_TM_AUDIT_DBPORT: "5432"

  # Username for connection to the Postgres Audit database.
  AQUA_TM_AUDIT_DBUSER: "postgres"

  # Log verbosity of the Tenant Manager, presumably; the accepted values are not
  # documented on this page — confirm against the product documentation.
  SCALOCK_LOG_LEVEL: "INFO"
32 |
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/004_tm_configMaps/aqua_tm_db.yaml:
--------------------------------------------------------------------------------
# Configuration for the Aqua-packaged Tenant Manager Postgres database.
# Consumed by the packaged-DB deployment (aqua_tm_deployment_packaged_db.yaml),
# which is referenced by the README but not shown on this page.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aqua-csp-tm-db-config
  namespace: aqua
data:
  # Sizing profile of the packaged database; meaning of the values is not documented
  # here — presumably S/M/L, confirm against the product documentation.
  AQUA_ENV_SIZE: "S"
  # Postgres data directory; placed in a sub-directory of the volume mount so that
  # Postgres does not object to a non-empty (lost+found) top-level directory.
  PGDATA: "/var/lib/postgresql/data/db-files"
9 |
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/005_tm_storage/aqua_tm_db_pvc.yaml:
--------------------------------------------------------------------------------
# Persistent storage for the Aqua-packaged Tenant Manager database.
# No storageClassName is set, so the cluster's default StorageClass is used;
# set one explicitly if the default class is not suitable for a database.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  creationTimestamp: null       # export artifact; harmless
  name: aqua-tm-db-pvc
  namespace: aqua
spec:
  accessModes:
    - ReadWriteOnce             # single-node attach; matches a single Postgres pod
  resources:
    requests:
      storage: 50Gi
status: {}                      # export artifact; ignored on apply
14 |
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/006_tm_deployment/aqua_tm_deployment_managed_db.yaml:
--------------------------------------------------------------------------------
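# Tenant Manager Service and Deployment for the external ("managed") database case.
# Changes from the previous revision:
#   - `serviceAccount` (deprecated alias) replaced by `serviceAccountName`; same effect.
#   - `runAsNonRoot: true` made explicit and `allowPrivilegeEscalation: false` set on the
#     container, matching the non-root UID the pod already runs with and the
#     aqua-scc constraints on OpenShift.
apiVersion: v1
kind: Service
metadata:
  name: aqua-tenantmanager
  namespace: aqua
  labels:
    app: aqua-tenantmanager
spec:
  ports:
    # Plain-HTTP port (the probes below use httpGet on it, default scheme HTTP).
    # NOTE(review): with type LoadBalancer this is reachable from outside the cluster
    # unencrypted; consider exposing only 443 externally or fronting it with an ingress.
    - port: 8081
      name: aqua-tenantmanager
      protocol: TCP
      targetPort: 8081
    # TLS endpoint, served by the container on 8444.
    - port: 443
      name: aqua-tenantmanager-ssl
      protocol: TCP
      targetPort: 8444
  selector:
    app: aqua-tenantmanager
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-tenantmanager
  namespace: aqua
spec:
  selector:
    matchLabels:
      app: aqua-tenantmanager
  template:
    metadata:
      labels:
        app: aqua-tenantmanager
      name: aqua-tenantmanager
    spec:
      # Current field name; `serviceAccount` is the deprecated alias for it.
      serviceAccountName: aqua-sa
      securityContext:
        runAsNonRoot: true
        runAsUser: 11431
        runAsGroup: 11433
        fsGroup: 11433
      containers:
        - name: aqua-tenantmanager
          # NOTE(review): pinned by tag only; pin by digest for a reproducible,
          # tamper-evident deployment.
          image: registry.aquasec.com/tenantmanager:2022.4
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
          # NOTE(review): no resource requests/limits are set; add values appropriate
          # for your environment so a misbehaving pod cannot starve the node.
          livenessProbe:
            httpGet:
              path: /
              port: 8081
            initialDelaySeconds: 60
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /
              port: 8081
            initialDelaySeconds: 60
            periodSeconds: 30
          env:
            # Both DB passwords come from the same Secret key, i.e. the main and audit
            # databases are expected to share one credential (consistent with the
            # ConfigMap pointing both at the same host and user).
            - name: AQUA_TM_DBPASSWORD
              valueFrom:
                secretKeyRef:
                  name: aqua-tm-db
                  key: password
            - name: AQUA_TM_AUDIT_DBPASSWORD
              valueFrom:
                secretKeyRef:
                  name: aqua-tm-db
                  key: password
          # Non-secret settings (DB host/name/port/user, log level).
          envFrom:
            - configMapRef:
                name: aqua-tenant-manager-config
          ports:
            - containerPort: 8081
              protocol: TCP
            - containerPort: 8444
              protocol: TCP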
77 |
--------------------------------------------------------------------------------
/tenant_manager/kubernetes_and_openshift/manifests/README.md:
--------------------------------------------------------------------------------
1 | # Deploy Tenant Manager using manifests
2 |
3 | ## Overview
4 |
5 | The Aqua Tenant Manager is an optional application that allows you to create security policies and distribute them to multiple domains (groups) of Aqua instances (tenants). This ensures that all security policies, or a selected subset of them, are applied uniformly across the organization.
6 |
7 | The Tenant Manager is a web-based application with a simple, intuitive user interface (UI). This enables a single administrator to maintain the enterprise's security policies with ease.
8 |
9 | ## Supported platforms
10 | | < PLATFORM > | Description |
11 | | ---------------------- | ------------------------------------------------------------ |
12 | | aks | Microsoft Azure Kubernetes Service (AKS) |
13 | | eks | Amazon Elastic Kubernetes Service (EKS) |
14 | | gke | Google Kubernetes Engine (GKE) |
15 | | ibm | IBM Cloud Private (ICP) |
16 | | k3s | fully CNCF certified Kubernetes |
17 | | native_k8s | Kubernetes |
18 | | openshift | OpenShift (Red Hat) |
19 | | rancher | Rancher / Kubernetes |
20 | | tkg | VMware Tanzu Kubernetes Grid (TKG) |
21 | | tkgi | VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) |
22 |
23 | ## Pre-deployment
24 |
25 | You can skip any of the steps that you have already performed.
26 |
27 | **Step 1. Create the aqua namespace (if not already done)**
28 |
29 | ```SHELL
30 | kubectl create namespace aqua
31 | ```
32 |
33 | **Step 2. Create the docker-registry secret (if not already done)**
34 |
35 | ```SHELL
36 | kubectl create secret docker-registry aqua-registry \
37 | --docker-server=registry.aquasec.com \
38 | --docker-username= \
39 | --docker-password= \
40 | --docker-email= \
41 | -n aqua
42 | ```
43 |
44 | **Step 3. Create a service account and RBAC for your deployment platform (if not already done).** Replace `< PLATFORM >` in the URL below with the platform name from [Supported platforms](#supported-platforms).
45 |
46 | ```SHELL
47 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/tenant_manager/kubernetes_and_openshift/manifests/002_tm_RBAC/< PLATFORM >/aqua_sa.yaml
48 | ```
49 |
50 | ## Deployment
51 |
52 | The Tenant Manager supports both the Aqua packaged DB and an external DB installation. Follow the appropriate set of instructions:
53 | - [Deploy the Tenant Manager with the Aqua packaged DB](#Deploy-the-Tenant-Manager-with-the-Aqua-packaged-DB)
54 | - [Deploy the Tenant Manager with an external DB](#Deploy-the-Tenant-Manager-with-an-external-DB)
55 |
56 | ### Deploy the Tenant Manager with the Aqua packaged DB
57 |
58 | **Step 1. Create the Tenant Manager database password secret**
59 |
The referenced manifest ships with a fixed `password` value that is readable by anyone with access to this repository. Download it and replace the value with one generated for your installation before applying it, so that the Tenant Manager database does not run with a shared, publicly visible password.

60 | ```shell
61 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/tenant_manager/kubernetes_and_openshift/manifests/003_tm_secrets/aqua_tm_secret.yaml
62 | ```
63 |
64 | **Step 2. Deploy the Tenant Manager database ConfigMap and the Tenant Manager ConfigMap**
65 |
66 | ```shell
67 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/tenant_manager/kubernetes_and_openshift/manifests/004_tm_configMaps/aqua_tm_db.yaml
68 | ```
69 | ```shell
70 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/tenant_manager/kubernetes_and_openshift/manifests/004_tm_configMaps/aqua_tm_config.yaml
71 | ```
72 |
73 | **Step 3. Deploy the Tenant Manager database PVC**
74 |
75 | ```shell
76 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/tenant_manager/kubernetes_and_openshift/manifests/005_tm_storage/aqua_tm_db_pvc.yaml
77 | ```
78 |
79 | **Step 4. Deploy the Tenant Manager with packaged DB**
80 |
81 | ```shell
82 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/tenant_manager/kubernetes_and_openshift/manifests/006_tm_deployment/aqua_tm_deployment_packaged_db.yaml
83 | ```
84 |
85 | ### Deploy the Tenant Manager with an external DB
86 |
87 | **Step 1. Configure and deploy the Tenant Manager ConfigMap**
88 |
89 | Download and update the ConfigMap [aqua_tm_config.yaml](./004_tm_configMaps/aqua_tm_config.yaml) with the relevant DB host and username. The DB password is not part of the ConfigMap: the Deployment reads it from the `aqua-tm-db` Secret, so create that Secret with your external database's password as well (see Step 1 of the packaged-DB section).
90 | Then apply the ConfigMap:
91 |
92 | ```shell
93 | kubectl apply -f aqua_tm_config.yaml
94 | ```
95 |
96 | **Step 2. Deploy the Tenant Manager service**
97 |
98 | ```shell
99 | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/tenant_manager/kubernetes_and_openshift/manifests/006_tm_deployment/aqua_tm_deployment_managed_db.yaml
100 | ```
--------------------------------------------------------------------------------