Discovery Engine

AccuKnox's Discovery Engine plays a crucial role in securing and observing workloads by generating policies and telemetry information. It works in conjunction with knoxctl, a tool that fetches information from the Discovery Engine running in the accuknox-agents namespace. For all of the commands, append any standalone flags (flags that take no value) at the end of the command.


Key Features

  • Policy Generation: The Discovery Engine creates discovered policies and recommended hardening policies, aiding in the effective management and security of workloads.

  • Telemetry Data Summarization: It provides summaries of telemetry data collected by Kubearmor, focusing on specific network, file, and process events occurring within the cluster. This data is instrumental in understanding and monitoring the operational aspects of the workloads.

By leveraging the Discovery Engine, users can gain valuable insights and maintain robust security standards for their cluster environments.


Summary Command

The knoxctl summary command offers a detailed overview of observability data by connecting to the Discovery Engine. It leverages telemetry insights from KubeArmor to enhance the visibility of Kubernetes workloads.

Summary Usage

knoxctl summary [flag] [option]

Summary Flags

Flag                           Description
--dump                         Dump JSON and text data to the knoxctl_out directory and skip the TUI.
--glance                       Take a quick glance at summary data.
--gRPC <string>                Connect to a gRPC endpoint.
-n, --namespace <stringArray>  Specify the namespace(s) for which you need the summary information.
-o, --operation <string>       Filter summary by type: process, file, or network.
-v, --view <string>            Output format in the terminal: json or table.


Discover Command

The discover command in knoxctl is designed to retrieve specific workload-targeted policies from the Discovery Engine. It provides an efficient way to fetch dynamically generated policies for enhanced security measures.

Discover Usage

knoxctl discover [flag] [options]

Discovery Flags

Flag                       Description
--dump                     Dump policies to the knoxctl_out directory and skip the TUI.
--gRPC <string>            Provide gRPC server information.
-l, --labels <strings>     Filter by policy label.
-n, --namespace <strings>  Filter by namespace.
-p, --policy <strings>     Specify the type of policies to be discovered (defaults to [KubeArmorPolicy]).
-v, --view <string>        View policies as table, yaml, or json.

Network Policies

The Discovery Engine also generates network policies. To fetch those, run:

knoxctl discover -p NetworkPolicy

To get both network and KubeArmor policies, pass both types as a comma-separated list:

knoxctl discover -p NetworkPolicy,KubeArmorPolicy


Recommend Command

The recommend command helps harden workloads with industry-standard hardening policies generated by the Discovery Engine. These policies carry multiple tags, such as MITRE and PCI-DSS. Applying these policies sets a strong, secure baseline for the workloads.

Recommend Usage

knoxctl recommend [flag] [option]

Recommend Flags

Flag                       Description
--dump                     Dump policies to the knoxctl_out directory and skip the TUI.
--gRPC <string>            gRPC address of the Discovery Engine.
-h, --help                 Display help information for the recommend command.
-n, --namespace <strings>  Filter by namespace.
-p, --policy <strings>     Types of policy that can be recommended: KubeArmorPolicy, KyvernoPolicy (default: [KubeArmorPolicy]).
-v, --view <string>        View policies as table, yaml, or json.


Regex Support

We support RE2 regex syntax, which you can use to filter namespaces. To filter namespaces using a regex, pass the pattern to the namespace flag (this example uses the summary command):

knoxctl summary -n '<regex-pattern>'
knoxctl summary --namespace '<regex-pattern>'

knoxctl summary -n 'kube-*'

In general, to filter using a regex, the form is:

knoxctl [command] [flag] '<regex-pattern>'

We are expanding regex support to more subcommands. Currently, regex is supported only for Discovery Engine subcommands, and only on specific flags.
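One detail worth checking before relying on a pattern: in RE2, 'kube-*' means "kube" followed by zero or more hyphens, and RE2 matching is unanchored unless you add ^ and $, so the pattern above also matches any namespace whose name merely contains "kube". The following Go program, which is an added example and not part of knoxctl or the Discovery Engine, runs a few patterns through Go's regexp package (Go's regexp implements RE2 syntax) against a constructed list of namespace names so you can see which names each pattern selects and how an invalid pattern is rejected. Whether knoxctl anchors the pattern itself is not stated on this page; the example assumes plain unanchored RE2 matching, which is what regexp.MatchString does.

```go
package main

import (
	"fmt"
	"regexp"
)

// FilterNamespaces returns the namespaces whose names match pattern.
// Go's regexp package implements RE2 syntax. Matching is unanchored
// (regexp.MatchString semantics): the pattern matches if it occurs
// anywhere in the name. Whether knoxctl anchors the pattern is an
// assumption of this example, not something the documentation states.
func FilterNamespaces(pattern string, names []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		// An invalid RE2 pattern is a hard error, not an empty result.
		return nil, fmt.Errorf("invalid RE2 pattern %q: %w", pattern, err)
	}
	var out []string
	for _, n := range names {
		if re.MatchString(n) {
			out = append(out, n)
		}
	}
	return out, nil
}

// Constructed sample of namespace names; not taken from a real cluster.
var sampleNamespaces = []string{
	"kube-system",
	"kube-public",
	"kubernetes-dashboard",
	"accuknox-agents",
	"default",
	"prod-web",
	"prod-api",
}

func main() {
	patterns := []string{
		"kube-*",    // "kube" + zero or more "-": also matches kubernetes-dashboard
		"^kube-",    // anchored at the start: only names beginning with "kube-"
		"^prod-.*$", // fully anchored: names that start with "prod-"
		"kube-(",    // unbalanced parenthesis: rejected by regexp.Compile
	}
	for _, p := range patterns {
		matched, err := FilterNamespaces(p, sampleNamespaces)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-12s -> %v\n", p, matched)
	}
}
```

The practical takeaway is to anchor the pattern (for example '^kube-') when you mean "namespaces that start with kube-", and to quote it in single quotes so the shell does not expand the * before knoxctl sees it.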