README
¶
Jetstack Secure manages your machine identities across Cloud Native Kubernetes and OpenShift environments and builds a detailed view of the enterprise security posture.
This repo contains the open source in-cluster agent of Jetstack Secure, that sends data to the Jetstack Secure SaaS.
Wondering about Preflight? Preflight was the name for the project that was the foundation for the Jetstack Secure platform. It was a tool to perform configuration checks on a Kubernetes cluster using OPA's REGO policy. We decided to incorporate that functionality as part of the Jetstack Secure SaaS service, making this component a basic agent. You can find the old Preflight Check functionality in the git history ( tagged as
preflight-local-checkand you also check this documentation.
Installation
Please review the documentation for the agent before getting started.
The released container images are cryptographically signed by
cosign, with
SLSA provenance and a
CycloneDX SBOM attached. For instructions on how to
verify those signatures and attachments, refer to
this guide.
Local Execution
To build and run a version from master:
go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1m0s
You can find the example agent file here.
You might also want to run a local echo server to monitor requests the agent sends:
go run main.go echo
Metrics
The Jetstack-Secure agent exposes its metrics through a Prometheus server, on port 8081.
The Prometheus server is disabled by default but can be enabled by passing the --enable-metrics flag to the agent binary.
Release Process
The release process is semi-automated. It starts with the following manual steps:
- Choose the next semver version number. This project has only ever incremented the "patch" number (never the "minor" number) regardless of the scope of the changes.
- Create a branch.
- Increment version numbers in the
venafi-kubernetes-agentHelm chart. (thejetstack-secureHelm chart uses a different version scheme and is updated and released separately):- Increment the
versionvalue in Chart.yaml. DO NOT use avprefix. Thevprefix breaks Helm OCI operations. - Increment
appVersionvalue in Chart.yaml. Use avprefix, to match the Docker image tag. - Increment the
image.tagvalue in values.yaml. Use avprefix. - Commit the changes.
- Increment the
- Create a pull request and wait for it to be approved.
- Merge the branch.
- Push a semver tag with a
vprefix:vX.Y.Z.
This will trigger the following automated processes:
-
Two Docker images are built and pushed to a public
quay.ioregistry, by the release-master workflow:quay.io/jetstack/preflight: is pulled directly by tier 1 Jetstack Secure users, who do not have access to the Jetstack Enterprise Registry.quay.io/jetstack/venafi-agent: is mirrored to a public Venafi OCI registry for Venafi TLS Protect for Kubernetes users.
-
The Docker images are mirrored by private Venafi CI pipelines, to:
- Jetstack Enterprise Registry: for Tier 2 Jetstack Secure users. Tier 2 grants users access to this registry.
- Venafi private Registry: for Tier 2 Venafi TLS Protect for Kubernetes users. Tier 2 grants users access to this registry.
- Venafi public Registry: for Tier 1 Venafi TLS Protect for Kubernetes users. Tier 1 users do not have access to the private registry. (TODO)
Helm Chart: venafi-kubernetes-agent
The venafi-kubernetes-agent chart is released manually, as follows:
export VERSION=0.1.43
helm package deploy/charts/venafi-kubernetes-agent --version "${VERSION}"
helm push venafi-kubernetes-agent-${VERSION}.tgz oci://eu.gcr.io/jetstack-secure-enterprise/charts
ℹ️ To test the Helm chart before releasing it, use a pre-release suffix. E.g.
export VERSION=0.1.43-alpha.0.
The chart will be mirrored to:
registry.venafi.cloud/charts/venafi-kubernetes-agent(Public)private-registry.venafi.cloud/charts/venafi-kubernetes-agent(Private, US)private-registry.venafi.eu/charts/venafi-kubernetes-agent(Private, EU)
Helm Chart: jetstack-agent
The jetstack-agent chart has a different version number to the agent.
This is because the first version of this chart was given version 0.1.0,
while the app version at the time was 0.1.38.
And this allows the chart to be updated and released more frequently than the Docker image if necessary.
This chart is for Jetstack Secure.
- Create a branch
- Increment version numbers.
- Increment the
versionvalue in Chart.yaml. DO NOT use avprefix. Thevprefix breaks Helm OCI operations. - Increment the
appVersionvalue in Chart.yaml. Use avprefix, to match the Docker image tag. - Increment the
image.tagvalue in values.yaml. Use avprefix, to match the Docker image tag.
- Increment the
- Create a pull request and wait for it to be approved.
- Merge the branch
- Push a tag, using the format:
chart-vX.Y.Z. This unique tag format is recognized by the private CI pipeline that builds and publishes the chart.
The chart will be published to the Jetstack Enterprise Registry by a private CI pipeline managed by Venafi.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package api provides types for Preflight reports and some common helpers.
|
Package api provides types for Preflight reports and some common helpers. |
|
pkg
|
|
|
datagatherer
Package datagatherer provides the DataGatherer interface.
|
Package datagatherer provides the DataGatherer interface. |
|
datagatherer/k8s
Package k8s provides datagatherers for different parts of the Kubernetes API.
|
Package k8s provides datagatherers for different parts of the Kubernetes API. |