{"id":13533246,"url":"https://github.com/appvia/krane","last_synced_at":"2025-04-04T08:09:19.972Z","repository":{"id":37076697,"uuid":"163434843","full_name":"appvia/krane","owner":"appvia","description":"Kubernetes RBAC static analysis \u0026 visualisation tool","archived":false,"fork":false,"pushed_at":"2024-03-26T19:55:09.000Z","size":1081,"stargazers_count":660,"open_issues_count":49,"forks_count":34,"subscribers_count":18,"default_branch":"master","last_synced_at":"2024-04-18T02:05:08.210Z","etag":null,"topics":["analysis","k8s","kubernetes","rbac","rbac-configuration","rbac-management","rbac-roles","redisgraph","role-based-access-control","security","security-hardening","security-scanner","security-tools","static-analysis","visualisation"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/appvia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-28T17:35:01.000Z","updated_at":"2024-06-19T03:02:39.867Z","dependencies_parsed_at":"2023-11-18T21:33:28.719Z","dependency_job_id":"5ed8ddcc-c995-4ee6-aac6-c041abd206fc","html_url":"https://github.com/appvia/krane","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fkrane","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fkrane/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fkrane/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/appvia%2Fkrane/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/appvia","download_url":"https://codeload.github.com/appvia/krane/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247142074,"owners_count":20890653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","k8s","kubernetes","rbac","rbac-configuration","rbac-management","rbac-roles","redisgraph","role-based-access-control","security","security-hardening","security-scanner","security-tools","static-analysis","visualisation"],"created_at":"2024-08-01T07:01:17.985Z","updated_at":"2025-04-04T08:09:19.946Z","avatar_url":"https://github.com/appvia.png","language":"Ruby","funding_links":[],"categories":["Kubernetes","Ruby","Repositories / Tools","Ruby (88)","Инструменты","Other"],"sub_categories":["Defending","Безопасность Kubernetes"],"readme":"# Krane\n\n\u003e Kubernetes RBAC Analysis made Easy\n\n![Stability:Beta](https://img.shields.io/badge/stability-beta-orange)\n![CircleCI](https://img.shields.io/circleci/build/github/appvia/krane/master)\n[![GitHub tag (latest SemVer)](https://img.shields.io/github/v/release/appvia/krane)](https://github.com/appvia/krane/releases/latest)\n![License: Apache-2.0](https://img.shields.io/github/license/appvia/krane)\n![Docker Repository on Quay.io](https://img.shields.io/badge/container-ready-brightgreen)\n\n_Krane_ is a simple Kubernetes RBAC static analysis tool. 
It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. The _Krane_ dashboard presents the current RBAC security posture and lets you navigate through its definition.\n\n## Features\n\n- **RBAC Risk rules** - _Krane_ evaluates a set of built-in RBAC risk rules. These can be modified or extended with a set of custom rules.\n- **Portability** - _Krane_ can run in one of the following modes:\n  * Locally as a CLI or [docker container](https://quay.io/repository/appvia/krane?tab=tags).\n  * In CI/CD pipelines as a step action detecting potential RBAC flaws before they get applied to the cluster.\n  * As a standalone service continuously analysing the state of RBAC within a Kubernetes cluster.\n- **Reporting** - _Krane_ produces an easy to understand RBAC risk report in a machine-readable format.\n- **Dashboard** - _Krane_ comes with a simple Dashboard UI helping you understand in-cluster RBAC design. The dashboard presents a high-level overview of RBAC security posture and highlights detected risks. 
It also allows for further RBAC controls inspection via faceted tree and graph network views.\n- **Alerting** - It will alert on detected medium and high severity risks via its Slack integration.\n- **RBAC in the Graph** - _Krane_ indexes the entirety of Kubernetes RBAC in a local Graph database, which makes any further ad-hoc interrogation of RBAC data easy, with arbitrary CypherQL queries.\n\n## Contents\n\n- [Quick Start](#quick-start)\n- [Usage Guide](#usage-guide)\n- [Architecture](#architecture)\n- [Kubernetes Deployment](#kubernetes-deployment)\n- [Notifications](#notifications)\n- [Local Development](#local-development)\n- [Contributing to Krane](#contributing-to-krane)\n- [Community](#community)\n- [Roadmap](#roadmap)\n- [License](#license)\n\n## Quick Start\n\nYou can get started with Krane by installing it via Helm chart in your target Kubernetes cluster or running it locally with Docker.\n\n### Install Helm chart\n\nIt is assumed that you have [Helm CLI](https://helm.sh/docs/intro/install/) installed on your machine.\n\n```sh\n$ helm repo add appvia https://appvia.github.io/krane\n$ helm repo update\n$ helm install krane appvia/krane --namespace krane --create-namespace\n```\n\nFollow the Helm chart installation output on how to port-forward the Krane dashboard.\n\n### Run with Docker\n\nIt is assumed that you have [docker](https://docs.docker.com/get-docker/) running on your local machine. Install [docker-compose](https://docs.docker.com/compose/install/#install-compose) if you haven't already.\n\nKrane depends on RedisGraph. The `docker-compose` stack defines everything required to build and run the _Krane_ service locally. It'll also take care of its [RedisGraph](https://oss.redislabs.com/redisgraph/) dependency.\n\n```\ndocker-compose up -d\n```\n\nThe _Krane_ docker image will be pre-built automatically if not already present on the local machine.\n\nNote that when running `docker-compose` locally, _Krane_ won't start the RBAC _report_ and _dashboard_ automatically. 
Instead, the container will sleep for 24h by default - this value can be adjusted in `docker-compose.override.yml`. Exec into a running _Krane_ container to run commands. Local `docker-compose` will also mount your kube config (`~/.kube/config`) inside the container, enabling you to run reports against any Kubernetes clusters to which you already have access.\n\nExec into a running Krane container.\n```sh\ndocker-compose exec krane bash\n```\n\nOnce in the container you can start using `krane` commands. Try `krane -h`.\n```sh\nkrane -h\n```\n\nTo inspect what services are running and the associated ports:\n```\ndocker-compose ps\n```\n\nTo stop _Krane_ and its dependency services:\n```\ndocker-compose down\n```\n\n## Usage Guide\n\n### Commands\n\n```\n$ krane --help\n\n  NAME:\n\n    krane\n\n  DESCRIPTION:\n\n    Kubernetes RBAC static analysis \u0026 visualisation tool\n\n  COMMANDS:\n\n    dashboard Start K8s RBAC dashboard server\n    help      Display global or [command] help documentation\n    report    Run K8s RBAC report\n\n  GLOBAL OPTIONS:\n\n    -h, --help\n        Display help documentation\n\n    -v, --version\n        Display version information\n\n    -t, --trace\n        Display backtrace when an error occurs\n\n  AUTHOR:\n\n    Marcin Ciszak \u003cmarcin.ciszak@appvia.io\u003e - Appvia Ltd \u003cappvia.io\u003e\n```\n\n### Generate RBAC report\n\n#### With local `kubectl` context\n\nTo run a report against a running cluster you must provide a _kubectl_ context\n```\nkrane report -k \u003ccontext\u003e\n```\n\nYou may also pass the `-c \u003ccluster-name\u003e` flag if you plan to run the tool against multiple clusters and index the RBAC graph separately for each cluster name.\n\n#### From RBAC files stored in directory\n\nTo run a report against local RBAC yaml/json files, provide a directory path\n```\nkrane report -d \u003c/path/to/rbac-directory\u003e\n```\nNOTE: _Krane_ expects the following files (in either YAML or JSON format) to be present in the 
specified directory path:\n  - psp\n  - roles\n  - clusterroles\n  - rolebindings\n  - clusterrolebindings\n\nIf Pod Security Policies are not in use you may bypass the expectation above by creating a `psp` file manually with the following content:\n```json\n{\n  \"items\": []\n}\n```\n\nNote, `PodSecurityPolicy` was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.\n\n#### Inside a Kubernetes cluster\n\nTo run a report from a container running in a Kubernetes cluster\n```\nkrane report --incluster\n```\nNOTE: The service account used by _Krane_ will require read access to RBAC resources. See [Prerequisites](k8s/one-time/prerequisites.yaml) for details.\n\n#### In CI/CD pipeline\n\nTo validate an RBAC definition as a step in a CI/CD pipeline\n```\nkrane report --ci -d \u003c/path/to/rbac-directory\u003e\n```\nNOTE: _Krane_ expects a certain naming convention to be followed for locally stored RBAC resource files. See the [section](#from-rbac-files-stored-in-directory) above. In order to run `krane` commands it's recommended that the CI executor references the [quay.io/appvia/krane:latest](https://quay.io/repository/appvia/krane?tab=tags) docker image.\n\nCI mode is enabled by the `--ci` flag. _Krane_ will return a non-zero status code along with details of the breaking risk rules when one or more dangers have been detected.\n\n### Visualisation Dashboard\n\nTo view the RBAC facets tree, network graph and latest report findings you need to start the dashboard server first.\n```\nkrane dashboard\n```\n\nThe cluster flag `-c \u003ccluster-name\u003e` may be passed if you want to run the dashboard against a specific cluster name. The dashboard will look for data related to the specified cluster name which is cached on the file system.\n\nThe command above will start a local web server on the default port `8000`, and display the dashboard link.\n\n## Architecture\n\n### RBAC Data indexed in a local Graph database\n\n_Krane_ indexes RBAC entities in RedisGraph. 
This allows the network of dependencies to be queried efficiently and simply using the subset of [CypherQL](https://oss.redislabs.com/redisgraph/cypher_support/) supported by [RedisGraph](https://oss.redislabs.com/redisgraph/).\n\n#### Schema\n\n![Krane Entity Graph](doc/images/krane-graph-diagram.svg \"Krane Entity Graph\")\n\n#### Nodes\n\nThe following nodes are created in the Graph for the relevant RBAC objects:\n\n* `Psp`       - A PSP node containing attributes around the pod security policy. Only applicable when working with K8s \u003c 1.25.\n* `Rule`      - A Rule node represents an access control rule around Kubernetes resources.\n* `Role`      - A Role node represents a given Role or ClusterRole. The `kind` attribute defines the type of role.\n* `Subject`   - A Subject represents any possible actor in the cluster (`kind`: User, Group and ServiceAccount).\n* `Namespace` - Kubernetes Namespace node.\n\n#### Edges\n\n* `:SECURITY`  - Defines a link between Rule and Psp nodes. Only applicable when working with K8s \u003c 1.25.\n* `:GRANT`     - Defines a link between a Role and a Rule associated with that role.\n* `:ASSIGN`    - Defines a link between an Actor (Subject) and a given Role/ClusterRole (Role node).\n* `:RELATION`  - Defines a link between two different Actor (Subject) nodes.\n* `:SCOPE`     - Defines a link between Role and Namespace nodes.\n* `:ACCESS`    - Defines a link between Subject and Namespace nodes.\n* `:AGGREGATE` - Defines a link between ClusterRoles (one ClusterRole aggregates another) `A-(aggregates)-\u003eB`\n* `:COMPOSITE` - Defines a link between ClusterRoles (one ClusterRole can be aggregated in another) `A\u003c-(is a composite of)-B`\n\nAll edges are bidirectional, which means the graph can be queried in either direction.\nThe only exceptions are the `:AGGREGATE` and `:COMPOSITE` relations, which are uni-directional, though they connect the same pair of nodes.\n\n#### Querying the Graph\n\nIn order to query the graph directly you can exec into a running `redisgraph` 
container, start `redis-cli` and run your arbitrary queries. Follow official [instructions](https://oss.redislabs.com/redisgraph/) for examples of [commands](https://oss.redislabs.com/redisgraph/commands/).\n\nYou can also query the Graph from _Krane_ console. First exec into running _Krane_ container, then\n\n```ruby\n# Start Krane console - this will open interactive ruby shell with Krane code preloaded\n\nconsole\n\n# Instantiate Graph client\n\ngraph = Krane::Clients::RedisGraph.client cluster: 'default'\n\n# Run arbitrary CypherQL query against indexed RBAC Graph\n\nres = graph.query(%Q(\n  MATCH (r:Rule {resource: \"configmaps\", verb: \"update\"})\u003c-[:GRANT]-(ro:Role)\u003c-[:ASSIGN]-(s:Subject)\n  RETURN s.kind as subject_kind, s.name as subject_name, ro.kind as role_kind, ro.name as role_name))\n\n# Print the results\n\nres.print_resultset\n```\n\n```\n# Results...\n+----------------+--------------------------------+-----------+------------------------------------------------+\n| subject_kind   | subject_name                   | role_kind | role_name                                      |\n+----------------+--------------------------------+-----------+------------------------------------------------+\n| ServiceAccount | bootstrap-signer               | Role      | system:controller:bootstrap-signer             |\n| User           | system:kube-controller-manager | Role      | system::leader-locking-kube-controller-manager |\n| ServiceAccount | kube-controller-manager        | Role      | system::leader-locking-kube-controller-manager |\n| User           | system:kube-scheduler          | Role      | system::leader-locking-kube-scheduler          |\n| ServiceAccount | kube-scheduler                 | Role      | system::leader-locking-kube-scheduler          |\n+----------------+--------------------------------+-----------+------------------------------------------------+\n```\n\nNote: Example query above will select all Subjects with assigned 
Roles/ClusterRoles granting access to `update configmaps`.\n\n## Configuration\n\n### RBAC Risk Rules\n\nRBAC risk rules are defined in the [Rules](config/rules.yaml) file. The structure of each rule is largely self-explanatory.\nThe built-in set can be expanded or overridden by adding extra custom rules to the [Custom Rules](config/custom-rules.yaml) file.\n\n#### Risk Rule Macros\n\nMacros are \"containers\" for a set of common/shared attributes, and are referenced by one or more risk rules. If you choose to use a macro in a given risk rule you need to reference it by name, e.g. `macro: \u003cmacro-name\u003e`. Note that attributes defined in the referenced `macro` will take precedence over the same attributes defined at the rule level.\n\nA macro can contain any of the following attributes:\n\n- `query`   - [RedisGraph query](#querying-the-graph). Has precedence over `template`. Requires `writer` to be defined.\n- `writer`  - Writer is a Ruby expression used to format the `query` result set. Writer has precedence over `template`.\n- `template` - Built-in query/writer template name. If `query` \u0026 `writer` are not specified then the chosen query generator will be used along with its matching writer.\n\n#### Risk Rule attributes\n\nA rule can contain any of the following attributes:\n\n- `id`           [Required] Rule id is a unique rule identifier.\n- `group_title`  [Required] Title applying to all items falling under this risk check.\n- `severity`     [Required] Severity, as one of :danger, :warning, :info.\n- `info`         [Required] Textual information about the check and suggestions on how to mitigate the risk.\n- `query`        [Conditional] [RedisGraph query](#querying-the-graph).\n  - Has precedence over `template`. Requires `writer` to be defined.\n- `writer`       [Conditional] Writer is a Ruby expression used to format the query result set.\n  - Writer has precedence over `template`. 
Requires `query` to be defined.\n- `template`     [Conditional] Built-in query/writer template name. If `query` \u0026 `writer` are not specified then the chosen query generator will be used along with its matching writer.\n  - Some built-in templates require the `match_rules` attribute to be specified at the individual rule level in order to build a correct query. Templates currently requiring it:\n\n    - **_risky-role_** - Builds a multi-match graph query based on the access rules specified by `match_rules`. The generated graph query returns the following columns:\n      - role_name\n      - role_kind\n      - namespace_name (an _array_ is returned if multiple items are returned)\n\n- `match_rules`  [Conditional] Required when `template` relies on match rules in order to build a query.\n  - Example:\n    ```yaml\n    match_rules:\n    - resources: ['cronjobs']\n      verbs: ['update']\n    ```\n    Attributes and values follow the [Kubernetes RBAC role specification](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-examples).\n\n- `custom_params` [Optional] List of custom key-value pairs to be evaluated and replaced in a rule's `query` and `writer` representation.\n  - Example:\n    ```yaml\n    custom_params:\n    - attrA: valueA\n    - attrB: valueB\n    ```\n    Template placeholders for the keys above, `{{attrA}}` and `{{attrB}}`, will be replaced with `valueA` and `valueB` respectively.\n\n- `threshold`  [Optional] Numeric value. 
When defined this will become available as the template placeholder `{{threshold}}` in the `writer` expression.\n- `macro`      [Optional] Reference to common parameters defined in a named macro.\n- `disabled`   [Optional] When set to `true` it'll disable the given rule and exclude it from evaluation.\n                By default all rules are enabled.\n\n#### Risk Rule examples\n\n##### Explicit query \u0026 writer expression\n```yaml\n- id: verbose-rule-example\n  group_title: Example rule\n  severity:    :danger\n  info:        Risk description and instructions on how to mitigate it goes here\n  query: |\n    MATCH\n      (s:Subject)-[:ACCESS]-\u003e(ns:Namespace)\n    WHERE\n      NOT s.name IN {{whitelist_subject_names}}\n    RETURN\n      s.kind as subject_kind,\n      s.name as subject_name,\n      COLLECT(ns.name) as namespace_names\n    ORDER BY\n      subject_kind,\n      subject_name,\n      namespace_names DESC\n  threshold: 2\n  writer: |\n    if result.namespace_names.count \u003e {{threshold}}\n      \"#{result.subject_kind} #{result.subject_name} can access namespaces: #{result.namespace_names.join(', ')}\"\n    end\n  disabled: true\n```\n\nThe example above explicitly defines a graph `query` which is used to evaluate RBAC risk, and a `writer` expression used to format the query result set. The query simply selects all `Subjects` (excluding whitelisted ones) and the `Namespaces` to which they have access. Note that the result set will only include `Subjects` having access to more than `2` Namespaces (noticed the `threshold` value there?). The last expression in the `writer` will be captured as the formatted result item output.\n\n`writer` can access the result set item via the `result` object, with methods matching the elements returned by the query, e.g. 
`result.subject_kind`, `result.subject_name` etc.\n\nNote:\n- The `{{threshold}}` placeholder in the `writer` expression will be replaced by the rule's `threshold` keyword value.\n- `{{whitelist_subject_names}}` represents a custom field which will be interpolated with [Whitelist](#rbac-risk-whitelist) values defined for a given rule `id`. If a placeholder field name is not defined in the whitelist it'll be substituted with an empty array `['']` by default. Read more on whitelisting below.\n\n##### Templated Risk Rule\n\nBuilt-in templates simplify risk rule definition significantly; however, they are designed to extract a specific kind of information and may not be a good fit for your custom rules. If you find yourself reusing the same `query` or `writer` expressions across multiple rules, you should consider extracting those to a `macro` and referencing it in your custom rules to DRY them up.\n\n```yaml\n- id: risky-any-verb-secrets\n  group_title: Risky Roles/ClustersRoles allowing all actions on secrets\n  severity: :danger\n  info: Roles/ClusterRoles allowing all actions on secrets. This might be dangerous. Review listed Roles!\n  template: risky-role\n  match_rules:\n  - resources: ['secrets']\n    verbs: ['*']\n```\n\nThe example above shows one of the built-in rules. It references the `risky-role` template, which upon processing will expand the rule by injecting `query` and `writer` expressions before rule evaluation triggers. `match_rules` will be used to build the appropriate match query.\n\n\n### RBAC Risk Whitelist\n\nThe optional whitelist contains a set of custom defined attribute names and their respective (whitelisted) values.\n\n#### Whitelist attributes\n\nAttribute names and their values are arbitrary. They are defined in the [Whitelist](config/whitelist.yaml) file and divided into three separate sections:\n  - `global` - Top level scope. 
Custom attributes defined here will apply to all Risk Rules regardless of the cluster name.\n  - `common` - Custom attributes will be scoped to a specific Risk Rule `id` regardless of the cluster name.\n  - `cluster` (with a nested list of cluster names) - Custom attributes will apply to a specific Risk Rule `id` for a given cluster name.\n\n\nEach [Risk Rule](#rbac-risk-rules), upon evaluation, will attempt to interpolate all parameter placeholders used in the `query`, e.g. `{{your_whitelist_attribute_name}}`. If a placeholder parameter name (i.e. a name between the double curly brackets) matches any of the whitelisted attribute names for that Risk Rule `id`, it will be replaced with its calculated value.\nIf no values are found for a given placeholder, it'll be substituted with `['']`.\n\n#### Whitelist examples\n\nThe example whitelist below produces the following `placeholder-key =\u003e value` mapping for a [Risk Rule](#rbac-risk-rules) with an `id` attribute value matching _\"some-risk-rule-id\"_\n```\n{{whitelist_role_names}}    =\u003e ['acp:prometheus:operator']\n{{whitelist_subject_names}} =\u003e ['privileged-psp-user', 'another-user']\n```\n\nThe placeholder keys above, when used in custom graph queries, will be replaced by their respective values upon Risk Rule evaluation.\n\nExample:\n```yaml\n---\nrules:\n  global:                        # global scope - applies to all risk rules and cluster names\n    whitelist_role_names:        # custom attribute name\n      - acp:prometheus:operator  # custom attribute values\n\n  common:                        # common scope - applies to specific risk rule id regardless of cluster name\n    some-risk-rule-id:           # this corresponds to risk rule id defined in config/rules.yaml\n      whitelist_subject_names:   # custom attribute name\n        - privileged-psp-user    # custom attribute values\n\n  cluster:                       # cluster scope - applies to specific risk rule id and cluster name\n    default:                     # example cluster name\n      some-risk-rule-id:         # risk rule id\n        whitelist_subject_names: # custom attribute name\n          - another-user         # custom attribute values\n```\n\n## Kubernetes Deployment\n\n_Krane_ can be deployed to a local or remote Kubernetes cluster easily.\n\n### K8s Prerequisites\n\nA Kubernetes namespace and service account, along with appropriate RBAC, must be present in the cluster. See the [Prerequisites](k8s/one-time/prerequisites.yaml) for reference.\n\nThe default _Krane_ entrypoint executes [bin/in-cluster-run](bin/in-cluster-run), which waits for the RedisGraph instance to become available before starting the RBAC _report_ loop and _dashboard_ web server.\n\nYou may control certain aspects of in-cluster execution with the following environment variables:\n\n* `KRANE_REPORT_INTERVAL` - Defines the interval in seconds between RBAC static analysis report runs. Default: `300` (in seconds, i.e. 5 minutes).\n* `KRANE_REPORT_OUTPUT` - Defines the RBAC risk report output format. Possible values `:json`, `:yaml`, `:none`. 
Default: `:json`.\n\n### Local or Remote K8s Cluster\n\n#### Helm Chart\n\nBefore we begin, you'll need the following tools:\n* [Helm CLI](https://helm.sh/docs/intro/install/)\n\nInstall helm chart:\n```sh\n$ helm repo add appvia https://appvia.github.io/krane\n$ helm repo update\n$ helm install krane appvia/krane --namespace krane --create-namespace\n```\n\nSee [values.yaml](charts/krane/values.yaml) file for details of other settable options and parameters.\n\n#### K8s manifests\n\n```sh\nkubectl create \\\n  --context \u003cdocker-desktop\u003e \\\n  --namespace krane \\\n  -f k8s/redisgraph-service.yaml \\\n  -f k8s/redisgraph-deployment.yaml \\\n  -f k8s/krane-service.yaml \\\n  -f k8s/krane-deployment.yaml\n```\n\nNote that _Krane_ dashboard service is not exposed by default!\n```sh\nkubectl port-forward svc/krane 8000 \\\n  --context=\u003cdocker-desktop\u003e \\\n  --namespace=krane\n\n# Open Krane dashboard at http://localhost:8000\n```\n\nYou can find the example deployment manifests in [k8s](k8s/) directory.\n\nModify manifests as required for your deployments making sure you reference the correct version of _Krane_ docker image in its [deployment file](k8s/krane-deployment.yml). 
See [Krane Docker Registry](https://quay.io/repository/appvia/krane?tab=tags) for available tags, or just use `latest`.\n\n#### Compose-on-Kubernetes\n\nIf your K8s cluster comes with built-in [Compose-on-Kubernetes](https://github.com/docker/compose-on-kubernetes) controller support (`docker-desktop` supports it by default), then you can deploy _Krane_ and its dependencies with a single [docker stack](https://docs.docker.com/engine/reference/commandline/stack_deploy/) command:\n\n```sh\ndocker stack deploy \\\n  --orchestrator kubernetes \\\n  --namespace krane \\\n  --compose-file docker-compose.yml \\\n  --compose-file docker-compose.k8s.yml krane\n```\n\nNote: Make sure your current kube context is set correctly prior to running the command above!\n\nThe application Stack should be now deployed to a Kubernetes cluster and all services ready and exposed. Note that _Krane_ will automatically start its report loop and dashboard server.\n\n```sh\ndocker stack services --orchestrator kubernetes --namespace krane krane\n```\n\nCommand above will produce the following output:\n```\nID                  NAME                MODE                REPLICAS            IMAGE                         PORTS\n0de30651-dd5        krane_redisgraph    replicated          1/1                 redislabs/redisgraph:1.99.7   *:6379-\u003e6379/tcp\naa377a5f-62b        krane_krane         replicated          1/1                 quay.io/appvia/krane:latest   *:8000-\u003e8000/tcp\n```\n\nCheck your Kubernetes cluster RBAC security posture by visiting http://localhost:8000.\n\nNote that for remote cluster deployments you'll likely need to port-forward _Krane_ service first\n```sh\nkubectl --context=my-remote-cluster --namespace=krane port-forward svc/krane 8000\n```\n\nTo delete the Stack\n```sh\ndocker stack rm krane \\\n  --orchestrator kubernetes \\\n  --namespace krane\n```\n## Notifications\n\nKrane will notify you about detected anomalies of medium and high severity via its Slack 
integration.\n\nTo enable notifications, specify the Slack `webhook_url` \u0026 `channel` in the [config/config.yaml](config/config.yaml) file, or alternatively set both the `SLACK_WEBHOOK_URL` and `SLACK_CHANNEL` environment variables. Environment variables will take precedence over config file values.\n\n## Local Development\n\nThis section describes the steps to enable local development.\n\n### Setup\n\nInstall _Krane_ code dependencies with\n```sh\n./bin/setup\n```\n\n### Dependencies\n\n_Krane_ depends on [RedisGraph](https://oss.redislabs.com/redisgraph/). `docker-compose` is the quickest way to get _Krane_'s dependencies running locally.\n\n```sh\ndocker-compose up -d redisgraph\n```\n\nTo check that the RedisGraph service is up:\n```sh\ndocker-compose ps\n```\n\nTo stop services:\n```sh\ndocker-compose down\n```\n\n### Development\n\nAt this point you should be able to modify the _Krane_ codebase and test the results by invoking commands in a local shell.\n\n```sh\n$ ./bin/krane --help                    # to get help\n$ ./bin/krane report -k docker-desktop  # to generate your first report for\n                                        # local docker-desktop k8s cluster\n...\n```\n\nTo enable Dashboard UI local development mode\n```sh\n$ cd dashboard\n$ npm install\n$ npm start\n```\n\nThis will automatically start the Dashboard server, open the default browser and watch for source file changes.\n\n_Krane_ comes preconfigured for an improved developer experience with [Skaffold](https://skaffold.dev/). 
Iterating on the project and validating the application by running the entire stack in local or remote Kubernetes cluster just got easier.\nCode hot-reload enables local changes to be automatically propagated to the running container for faster development lifecycle.\n\n```sh\nskaffold dev --kube-context docker-desktop --namespace krane --port-forward\n```\n\n### Tests\n\nRun tests locally with\n```sh\nbundle exec rspec\n```\n\n## Contributing to Krane\n\nWe welcome any contributions from the community! Have a look at our [contribution](CONTRIBUTING.md) guide for more information on how to get started. If you use _Krane_, find it useful, or are generally interested in Kubernetes security then please let us know by **Starring** and **Watching** this repo. Thanks!\n\n## Get Involved\n\nJoin discussion on our [Community channel](https://www.appvia.io/join-the-appvia-community).\n\nKrane is a community project and we welcome your contributions. To report a bug, suggest an improvement, or request a new feature please open a Github issue. Refer to our [contributing](CONTRIBUTING.md) guide for more information on how you can help.\n\n## Roadmap\n\nSee our [Roadmap](https://github.com/appvia/krane/projects/1) for details about our plans for the project.\n\n\n## License\n\nAuthor:  Marcin Ciszak \u003cmarcin.ciszak@appvia.io\u003e\n\nCopyright (c) 2019-2020 [Appvia Ltd](https://appvia.io)\n\nThis project is distributed under the [Apache License, Version 2.0](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fappvia%2Fkrane","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fappvia%2Fkrane","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fappvia%2Fkrane/lists"}