Reorganized and Updated docs (#655)
* Reorganized and Updated docs

* adds redirects for old pages

Co-authored-by: Cesar Rodriguez <cesar@accurics.com>
amirbenv and Cesar Rodriguez authored Apr 13, 2021
1 parent 9baf154 commit 8625834
Showing 7 changed files with 22 additions and 12 deletions.
File renamed without changes.
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@

## Overview
Terrascan can be integrated with K8s [admissions webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).
It can be used as one of the validating webhooks to be used and scan new configurations.

In this guide, we'll demonstrate how Terrascan can be configured to:
* Scan configuration changes policies when an object is being created or updated
* Allow / reject the request in case a violation is detected
Admission controllers help you control what resources are created on a kubernetes cluster. By using terrascan as an admission controller, resources violating security policies can be blocked from getting created in a kubernetes cluster.

Steps to configure terrascan as an admission controller:
- SSL certificates: You can use valid SSL certificates or create self signed certificates and have your kubernetes cluster trust it.
- Create terrascan config file
- Run terrascan in server mode
- Make sure terrascan is accessible via HTTPS from the kubernetes API server.
- Configure a ValidatingWebhookConfiguration resource in kubernetes cluster pointing to the terrascan server

## Installation Guide

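Review bot: the added paragraph ("Admission controllers help you control what resources are created...") and the new "Steps to configure terrascan as an admission controller" list overlap with the existing "In this guide, we'll demonstrate how Terrascan can be configured to:" bullets just above, so the Overview now introduces the same flow twice; fold the two bullets into the new list or drop them. In the steps list, "SSL certificates" would be better as "TLS certificates", "self signed" should be "self-signed", and "have your kubernetes cluster trust it" should agree with the plural ("trust them"); capitalize Kubernetes and Terrascan consistently with the rest of the page.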
Expand All @@ -21,7 +23,7 @@ Your Terrascan instance has the following requirements for being able to scan K8
- Generate a self-signed certificate and have your K8s cluster trust it. To add a trusted CA to ca-pemstore, as demonstrated in [paraspatidar's blog post](https://medium.com/@paraspatidar/add-ssl-tls-certificate-or-pem-file-to-kubernetes-pod-s-trusted-root-ca-store-7bed5cd683d).
3. Use the Terrascan docker as demonstrated in this document, or run it from the sources.

### Run Terrascan webhook service
### Run Terrascan in Server Mode
Run Terrascan docker image in your server using the following command:
```bash
sudo docker run -p 443:9443 -v <DATA_PATH>:/data -u root -e K8S_WEBHOOK_API_KEY=<API_KEY> accurics/terrascan server --cert-path /data/cert.pem --key-path /data/key.pem -c /data/config.toml
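Review bot: the heading rename now matches the "Run terrascan in server mode" step in the Overview, but the docker command it introduces passes the webhook secret on the command line (`-e K8S_WEBHOOK_API_KEY=<API_KEY>`), which leaves the key in shell history and in `docker inspect` output; since this is the copy-paste command most readers will use, add a sentence recommending `--env-file` or another secret source for the key. Also say why `-u root` is required, or drop it if it is only there to read the mounted .pem files, which file permissions on `<DATA_PATH>` can handle for an unprivileged user.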
Expand All @@ -31,7 +33,7 @@ Run Terrascan docker image in your server using the following command:
`<DATA_PATH>` is a directory path in your server where both the certificate and the private key .pem files are stored.
In addition, this directory is used to save the webhook logs. (An SQLite file)

You can specify a config file that specifies which policies to use in the scan and which violations should lead to rejection.
You can specify a config file that specifies which policies to use in the scan and which violations should lead to rejection. Policies below the [severity] level will be ignored. Policies below the [k8s-deny-rules] denied-severity will be logged and displayed by terrascan, but will not lead to a rejected admission response to the k8s API server.

A config file example: ```config.toml```
```bash
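Review bot: the sentence added to "You can specify a config file..." refers to two different thresholds by section name (`[severity]` and `[k8s-deny-rules]`) without naming the keys or saying how they interact; spell out that the `[severity]` level filters which violations are reported at all, while `denied-severity` under `[k8s-deny-rules]` only decides whether the admission response is rejected, so a `[severity]` level set higher than `denied-severity` silently narrows what can ever be denied. Split the run-on into two sentences while at it, and the fence for the `config.toml` example should be tagged `toml`, not `bash`.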
Expand Down Expand Up @@ -60,7 +62,7 @@ You can specify the following configurations:
* **denied-categories** - one or more policy categories that are not allowed in the detected violations
* **denied-severity** - the minimal level of severity that should cause a rejection

### Configure K8s to send webhooks
### Configure a ValidatingWebhookConfiguration Resource in Kubernetes Cluster
Configure a new ```ValidatingWebhookConfiguration``` in your Kubernetes environment and specify your Terrascan server endpoint.

Example:
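Review bot: the renamed heading reads "in Kubernetes Cluster" without an article; use "in the Kubernetes Cluster" or match the Overview step wording. In the body, ```ValidatingWebhookConfiguration``` wraps inline code in triple backticks, which some markdown renderers turn into a block; use single backticks. The "Example:" that follows is cut off in this view, but the doc should state how the example sets `failurePolicy`, since that field decides whether a request is admitted when the Terrascan server is unreachable.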
File renamed without changes.
File renamed without changes.
1 change: 1 addition & 0 deletions docs/requirements.txt
@@ -1,3 +1,4 @@
mkdocs==1.1.2
mkdocs-material==7.1.0
mkdocs-diagrams==1.0.0
mkdocs-redirects==1.0.1
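Review bot: `mkdocs-redirects==1.0.1` follows the exact-version pinning of the other entries, which is good; since these pins drive the published docs build, consider also pinning by hash (`--require-hashes` with `--hash=sha256:...` entries) so a republished package version cannot change the build.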
File renamed without changes.
15 changes: 11 additions & 4 deletions mkdocs.yml
Expand Up @@ -38,9 +38,12 @@ extra:
# Navigation
nav:
- Home: index.md
- Getting Started:
- Quickstart: getting-started/quickstart.md
- Usage: getting-started/usage.md
- Getting Started: getting-started.md
- Usage: usage.md
- Integrations:
- K8s Admission Controller: integrations/admission-controller-webhooks-usage.md
- Atlantis: integrations/atalantis-integration.md
- Github, Argo, and More: integrations/cicd.md
- Architecture: architecture.md
- Policies:
- Policy Reference: policies.md
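Review bot: the new nav entry `Atlantis: integrations/atalantis-integration.md` spells the filename "atalantis"; this commit only renames files ("File renamed without changes."), so either the renamed file really carries that misspelling or the nav points at a missing page and mkdocs will warn and serve a 404. Verify the path and, if the file is named correctly, fix the nav (or rename the file to `atlantis-integration.md` and add a redirect). Also "Github" should be "GitHub" to match the `GitHub: policies/github.md` entry below.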
Expand All @@ -50,7 +53,6 @@ nav:
- GitHub: policies/github.md
- Kubernetes: policies/k8s.md
# - Educational Resources: learning.md
- CI/CD Integration: cicd.md
- Contributing: contributing.md
- Changelog: changelog.md
- About: about.md
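Review bot: the commented-out `# - Educational Resources: learning.md` entry left in the nav is dead config; either drop it or track it in an issue. The removal of `- CI/CD Integration: cicd.md` itself is covered by the new `integrations/cicd.md` entry and the `'cicd.md'` redirect added further down.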
Expand All @@ -72,6 +74,11 @@ google_analytics:
plugins:
- diagrams
- search
- redirects:
redirect_maps:
'getting-started/quickstart.md': 'getting-started.md'
'getting-started/usage.md': 'usage.md'
'cicd.md': 'integrations/cicd.md'

extra_javascript:
- https://cdnjs.cloudflare.com/ajax/libs/tablesort/5.2.1/tablesort.min.js
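Review bot: `redirect_maps` covers only three old paths, but the commit reports 7 changed files with several "File renamed without changes." entries, and the nav now places the admission-controller and Atlantis docs under `integrations/`; their previous paths are not visible in this view, but each renamed page needs its own entry here or existing links to it will 404. Separately, the unchanged `extra_javascript` line loads tablesort from a CDN with no integrity check; vendoring the script into the docs repo would keep the published site from executing whatever the CDN happens to serve.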
