jetstack-secure/examples/machinehub.yaml at 137686f4e428ec2f06ec9149950de3c6e99ad7bf · jetstack/jetstack-secure · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# An example agent config for MachineHub output mode.
#
# For example:
#
#  export ARK_SUBDOMAIN=      # your CyberArk tenant subdomain
#  export ARK_USERNAME=       # your CyberArk username
#  export ARK_SECRET=         # your CyberArk password
#
#  OPTIONAL: the URL for the CyberArk Discovery API if not using the production environment
#  # export ARK_DISCOVERY_API=https://platform-discovery.integration-cyberark.cloud/api/v2
#
#  go run . agent --one-shot --machine-hub -v 6 --agent-config-file ./examples/machinehub.yaml

data-gatherers:
# Gather Kubernetes API server version information
- name: ark/discovery
  kind: k8s-discovery

# Gather Kubernetes secrets, excluding specific types
- name: ark/secrets
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      resource: secrets
    field-selectors:
    - type!=kubernetes.io/dockercfg
    - type!=kubernetes.io/dockerconfigjson
    - type!=bootstrap.kubernetes.io/token
    - type!=helm.sh/release.v1
    filters:
    - ExcludeTLSSecretsWithoutClientCert

# Gather Kubernetes service accounts
- name: ark/serviceaccounts
  kind: k8s-dynamic
  config:
    resource-type:
      resource: serviceaccounts
      version: v1

# Gather Kubernetes roles
- name: ark/roles
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: rbac.authorization.k8s.io
      resource: roles

# Gather Kubernetes cluster roles
- name: ark/clusterroles
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: rbac.authorization.k8s.io
      resource: clusterroles

# Gather Kubernetes role bindings
- name: ark/rolebindings
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: rbac.authorization.k8s.io
      resource: rolebindings

# Gather Kubernetes cluster role bindings
- name: ark/clusterrolebindings
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: rbac.authorization.k8s.io
      resource: clusterrolebindings

# Gather Kubernetes jobs
- name: ark/jobs
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: batch
      resource: jobs

# Gather Kubernetes cron jobs
- name: ark/cronjobs
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: batch
      resource: cronjobs

# Gather Kubernetes deployments
- name: ark/deployments
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: apps
      resource: deployments

# Gather Kubernetes stateful sets
- name: ark/statefulsets
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: apps
      resource: statefulsets

# Gather Kubernetes daemon sets
- name: ark/daemonsets
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      group: apps
      resource: daemonsets

# Gather Kubernetes pods
- name: ark/pods
  kind: k8s-dynamic
  config:
    resource-type:
      version: v1
      resource: pods