Jenkins Integration with AccuKnox Policy Tool Plugin

AccuKnox, Open Source

Jenkins integration with the AccuKnox Policy Tool plugin allows pushing AccuKnox auto-discovered and template policies to a Kubernetes cluster or GitHub repository.


Introduction

Jenkins has been the leading CI/CD tool over the years, since it is open source, easy to install and manage, and supports multiple customised plugins. In this blog, we will take a look at how to integrate the AccuKnox Policy Tool through Jenkins.

This plugin allows you to apply or push AccuKnox Auto-discovered and Policy-Template policies to the Kubernetes cluster or GitHub repository of your choosing. Without any further ado, let’s configure the plugin and experience it in action.

Prerequisite

  • A Jenkins installation running version 2.164.1 or higher (with jdk8 or jdk11)
  • A node with kubectl configured
  • A Kubernetes cluster (optional)
  • A GitHub token with read/write permission
  • A GitHub repository to update the policies

Since the Quick Usage Guide is provided in the GitHub README, we’ll skip over those details and get started directly with the configuration.

The Lab Setup

As with any other plugin, we first install it and then describe how to configure it. Let's install the plugin by cloning the Jenkins plugin repository from the AccuKnox GitHub.

git clone https://github.com/accuknox/jenkins-integration

Once we clone the repository we’ll go inside the jenkins-integration folder and create a clean build.

cd jenkins-integration
mvn clean package

This will create the knoxautopol.hpi file under the target folder.

[INFO] --- maven-jar-plugin:3.1.1:test-jar (maybe-test-jar) @ knoxautopol ---
[INFO] Skipping packaging of the test-jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 05:09 min
[INFO] Finished at: 2022-05-30T16:55:14+05:30
[INFO] ------------------------------------------------------------------------
➜ jenkins-integration git:(main) ✗ ls target
classes generated-test-sources knoxautopol knoxautopol.jar surefire-reports tmp
generated-sources jenkins-for-test knoxautopol.hpi maven-status test-classes
➜ jenkins-integration git:(main) ✗

We will upload this file to the Jenkins Plugin Manager by navigating to Manage Jenkins >> Manage Plugins >> Advanced >> Deploy Plugin.

Once the plugin is deployed we will configure it using the following:

  1. Web Interface
  2. Pipeline Script

I. Web Interface

  • Within the Jenkins dashboard, select a Job and then select "Configure"
  • Scroll down to the "Build" section and select "AccuKnox CLI"
  • Tick the checkbox that applies (e.g. Push to GitHub)
  • Open the Advanced tab
  • Fill in the necessary details such as GitHub username, token, etc.
  • Save

II. Pipeline Script

The AccuKnox-CLI plugin provides the function KnoxAutoPol() for Jenkins Pipeline support, which needs the same variables we configured via the web interface. Let's take a look at a sample script that can be used in a pipeline.

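node {
  stage('AccuKnox Policy push to GitHub') {
    // Scripted pipelines (node { ... }) call steps directly inside a stage;
    // the steps { } wrapper belongs to declarative syntax only.
    // All values are demo placeholders and must be quoted Groovy strings.
    KnoxAutoPol(useAutoApply: false,
      pushToGit: true,
      gitBaseBranchName: 'deploy-demo',
      gitBranchName: 'demobranch',
      gitToken: 'gh_demotoken',
      gitRepoUrl: 'https://github.com/demouser/demorepo.git',
      gitUserName: 'demouser')
  }
}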
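
The sample script carries the GitHub token as a literal in the pipeline definition. The following is an added example, not code from the original post or the AccuKnox project: it passes the same KnoxAutoPol() parameters but reads the token from the Jenkins credentials store through the Credentials Binding plugin's withCredentials step. The credential ID accuknox-github-token and the variable name GH_TOKEN are assumptions.

```groovy
// Added example: scripted pipeline that keeps the GitHub token out of the
// pipeline definition.
// Assumptions: a "Secret text" credential with the hypothetical ID
// 'accuknox-github-token' exists in Jenkins and the Credentials Binding
// plugin is installed. Repository, branch and user names are the demo
// placeholders used in the sample script.
node {
  stage('AccuKnox Policy push to GitHub') {
    // Bind the secret to GH_TOKEN only for the duration of this block.
    // Jenkins masks the bound value if it shows up in the console log.
    withCredentials([string(credentialsId: 'accuknox-github-token',
                            variable: 'GH_TOKEN')]) {
      KnoxAutoPol(
        useAutoApply: false,
        pushToGit: true,
        gitBaseBranchName: 'deploy-demo',
        gitBranchName: 'demobranch',
        // Read from the binding instead of a string literal, and pass the
        // value directly rather than interpolating it into another string.
        gitToken: env.GH_TOKEN,
        gitRepoUrl: 'https://github.com/demouser/demorepo.git',
        gitUserName: 'demouser'
      )
    }
  }
}
```

Because the prerequisite token has read/write permission, scoping it to the single policy repository limits what a leaked build log or job configuration can expose.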


Once either one of the configurations is done we can hit Build Now and check out the output.

As we can see, the plugin was able to discover and create a staggering 1100+ policies based on the workloads present in the Kubernetes cluster and push them to a new branch. It was also able to create a PR to the branch, which was pre-configured with Continuous Deployment.

Conclusion

With the use of the AccuKnox Policy Tool Plugin, the generation of policies for all the workloads becomes very easy. The plugin autogenerates policies that are relevant to the workloads deployed to the Kubernetes cluster, allowing the user either to apply them directly to the cluster or to push them to a repository for further evaluation.

Now you can protect your workloads in minutes using AccuKnox. It is available to protect your Kubernetes and other cloud workloads using Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Reach out to us if you are seeking additional guidance in planning your cloud security program.