Enhance report details and visibility, add PV dynamic provisioning ch…

…eck, and refactor code structure

Enhancements and Refactoring:
- Fetch additional information for the report
- Improve report visibility
- Add PV dynamic provisioning check
- Refactor code structure for better maintainability

---------

Signed-off-by: David Alima <davida@armosec.io>

.github/workflows/docker-build-scan.yml

@@ -2,12 +2,14 @@ name: Build, push and scan Docker image
 
 on:
   push:
+    branches:
+      - main
     paths:
-      - "poc-prerequisite/kubescape-sizing-checker/Dockerfile"
-      - "poc-prerequisite/kubescape-sizing-checker/cmd"
-      - "poc-prerequisite/kubescape-sizing-checker/pkg"
-      - "poc-prerequisite/kubescape-sizing-checker/go.mod"
-      - "poc-prerequisite/kubescape-sizing-checker/go.sum"
+      - "poc-prerequisite/Dockerfile"
+      - "poc-prerequisite/cmd"
+      - "poc-prerequisite/pkg"
+      - "poc-prerequisite/go.mod"
+      - "poc-prerequisite/go.sum"
   workflow_dispatch:
 
 jobs:
@@ -22,8 +24,8 @@ jobs:
       - name: Build local image for scanning
         run: |
           docker build \
-            -t local/kubescape-sizing-checker:latest \
-            ./poc-prerequisite/kubescape-sizing-checker
+            -t local/kubescape-prerequisite:latest \
+            ./poc-prerequisite
 
       # 2) Run Kubescape scan on local image
 
@@ -33,7 +35,7 @@ jobs:
 
       - name: Run Kubescape to scan local image
         run: |
-          $HOME/.kubescape/bin/kubescape scan image local/kubescape-sizing-checker:latest \
+          $HOME/.kubescape/bin/kubescape scan image local/kubescape-prerequisite:latest \
             --severity-threshold high \
             --format sarif \
             --output results-image.sarif
@@ -63,10 +65,10 @@ jobs:
           # Build and push multi-architecture images
           docker buildx build \
             --platform linux/amd64,linux/arm64 \
-            -t quay.io/danvid/kubescape-sizing-checker:latest \
-            -t quay.io/danvid/kubescape-sizing-checker:${SHORT_SHA} \
+            -t quay.io/danvid/kubescape-prerequisite:latest \
+            -t quay.io/danvid/kubescape-prerequisite:${SHORT_SHA} \
             --push \
-            ./poc-prerequisite/kubescape-sizing-checker
+            ./poc-prerequisite
 
       # 4) upload results GitHub Code Scanning
       - name: Upload image scan results to GitHub Code Scanning

.github/workflows/k8s-manifest-scan.yml

@@ -2,8 +2,10 @@ name: NSA Compliance Scan
 
 on:
   push:
+    branches:
+      - main
     paths:
-      - "poc-prerequisite/kubescape-sizing-checker/k8s-manifest.yaml"
+      - "poc-prerequisite/k8s-manifest.yaml"
   workflow_dispatch:
 
 jobs:
@@ -20,7 +22,7 @@ jobs:
       - name: Run NSA Compliance scan
         run: |
           $HOME/.kubescape/bin/kubescape scan framework nsa \
-            ./poc-prerequisite/kubescape-sizing-checker/k8s-manifest.yaml \
+            ./poc-prerequisite/k8s-manifest.yaml \
             --severity-threshold high \
             --format sarif \
             --output results-nsa.sarif

poc-prerequisite/kubescape-sizing-checker/Dockerfile → poc-prerequisite/Dockerfile

@@ -17,15 +17,15 @@
 
     # 3. Build the binary with the correct OS/ARCH
     RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
-        go build -o sizing-checker ./cmd
+        go build -o kubescape-prerequisite ./cmd/checker
 
     # ---------------------------------------
     # 2) Final minimal image
     # ---------------------------------------
     FROM scratch
 
-    COPY --from=builder /app/sizing-checker /sizing-checker
+    COPY --from=builder /app/kubescape-prerequisite /kubescape-prerequisite
     USER 1000:1000
     WORKDIR /
 
-    ENTRYPOINT ["/sizing-checker"]
+    ENTRYPOINT ["/kubescape-prerequisite"]

poc-prerequisite/README.md

@@ -1,100 +1,120 @@
-# ARMO POC Prerequisite Validation Script
+# Kubescape Prerequisites Checker
 
-This script is designed to validate the prerequisites for the ARMO Security Proof of Concept (POC). It performs the following checks:
+## Overview
 
-1. Network accessibility
-2. Helm chart installation permissions
-3. eBPF support on all nodes
-4. Persistent Volume (PV) support
+Kubescape Prerequisites Checker analyzes your Kubernetes cluster and generates recommended Helm values to ensure Kubescape runs smoothly and efficiently.
 
 ## Prerequisites
 
-- A Kubernetes cluster
-- kubectl configured to access the cluster
-- Helm installed and configured
-- A file named `ip_list.txt` containing a list of IP addresses to check for network accessibility
+- **Kubeconfig** configured for access to the Kubernetes cluster where you plan to deploy Armo.
 
-## Usage
+## Run the Check
+
+There are two ways to run the check:
+
+### Option 1 - Local Run
 
-1. Clone this repository and navigate to the directory:
-   ```bash
+1. Navigate to the command directory and Execute the program:
+   ```sh
    git clone https://github.com/armosec/armo-platform-tools.git
    cd armo-platform-tools/poc-prerequisite/
-   chmod +x armo-poc-prerequisite.sh
-   ```
-
-2. Run the script:
-   ```bash
-   ./armo-poc-prerequisite.sh
+   go run ./cmd/checker
    ```
 
-## Script Details
+### Option 2 - In-cluster Run
 
-### check_network_accessibility
+#### Prerequisites
 
-This function checks if the network is accessible by trying to connect to each IP address listed in `ip_list.txt` on port 443 using `nc` (netcat).
+- **Permissions** to create ServiceAccounts, ClusterRoles, ClusterRoleBindings, and Jobs.
 
-### verify_helm_permissions
+1. **Deploy the Kubernetes manifest:**
 
-This function verifies that you have the necessary permissions to install Helm charts by performing a dry-run installation of the `kubescape` chart.
+   Apply the Kubernetes manifest to set up the necessary resources:
 
-### check_ebpf_support
-
-This function checks if eBPF is supported on all nodes in the cluster by creating a DaemonSet that attempts to access `/sys/fs/bpf`.
-
-### check_pv_support
+   ```sh
+   kubectl apply -f k8s-manifest.yaml
+   ```
 
-This function checks if Persistent Volume Claims (PVCs) can be successfully bound by creating a test PVC.
+2. **Verify Job Completion:**
 
-## Output
+   Check the status and logs of the Job:
 
-The script will output the status of each check:
+   ```sh
+   kubectl wait --for=condition=complete job/kubescape-prerequisite --timeout=60s
+   kubectl logs job/kubescape-prerequisite
+   ```
 
-- ✅ for a successful check
-- ❌ for a failed check
+3. **Export the Files:**
 
-If any checks fail, detailed failure messages will be printed.
+   Retrieve the `recommended-values.yaml` and `prerequisites-report.html` from the ConfigMap:
 
-## Example `ip_list.txt`
+   ```sh
+   kubectl get configmap kubescape-prerequisites-report -n default -o go-template='{{ index .data "recommended-values.yaml" }}' > recommended-values.yaml
+   kubectl get configmap kubescape-prerequisites-report -n default -o go-template='{{ index .data "prerequisites-report.html" }}' > prerequisites-report.html
+   ```
 
-```
-192.168.1.1
-10.0.0.1
-172.16.0.1
-```
+## Usage
 
-## Example Output
+### Deploy Kubescape with Recommended Resources
 
-```plaintext
-✅ Network accessibility check passed.
-✅ Helm chart installation permissions check passed.
-✅ eBPF support check passed.
-✅ PV support check passed.
+Use Helm to deploy Kubescape using the recommended values:
 
-🎉🐼 Your cluster is ready for the ARMO Security POC.
+```sh
+helm upgrade --install kubescape kubescape/kubescape-operator \
+  --namespace kubescape --create-namespace \
+  --values recommended-values.yaml [other parameters]
 ```
 
-If any checks fail, the output will look like this:
+### View the Prerequisites Report
 
-```plaintext
-❌ Network accessibility check failed.
-###    Details    ###
-failed to access: 192.168.1.1 10.0.0.1
+If you want to review the prerequisites report, open the HTML file:
 
-✅ Helm chart installation permissions check passed.
-❌ eBPF support check failed.
-###    Details    ###
-failed on nodes: node1 node2
+**Open in Browser:**
 
-✅ PV support check passed.
+- **macOS:**
+    ```sh
+    open prerequisites-report.html
+    ```
+- **Linux:**
+    ```sh
+    xdg-open prerequisites-report.html
+    ```
+- **Windows (Git Bash):**
+    ```sh
+    start prerequisites-report.html
+    ```
 
-🚨 Your cluster is not ready for the ARMO Security POC. Failures: 2
+## Output
+### Local Run
+```------------------------------------------------------------
+✅ Prerequisites report generated locally!
+• /tmp/prerequisites-report.html (HTML report)
+• /tmp/recommended-values.yaml (Helm values file)
+
+📋 Open /tmp/prerequisites-report.html in your browser for details.
+🚀 Use the generated recommended-values.yaml to optimize Kubescape for your cluster.
+------------------------------------------------------------
 ```
 
-## Troubleshooting
 
-- Ensure `kubectl` is configured to access your cluster.
-- Verify Helm is installed and configured correctly.
-- Check the `ip_list.txt` file for correct IP addresses.
+### In-cluster Run
+```sh
+kubectl logs job/kubescape-prerequisite
+```
+```------------------------------------------------------------
+✅ Prerequisites report stored in Kubernetes ConfigMap!
+• ConfigMap Name: prerequisites-report
+• Namespace: default
+------------------------------------------------------------
+
+⬇️ To export the report and recommended values to local files, run the following commands:
+    kubectl get configmap kubescape-prerequisites-report -n default -o go-template='{{ index .data "prerequisites-report.html" }}' > prerequisites-report.html
+    kubectl get configmap kubescape-prerequisites-report -n default -o go-template='{{ index .data "recommended-values.yaml" }}' > recommended-values.yaml
+
+📋 Open prerequisites-report.html in your browser for details.
+🚀 Use the generated recommended-values.yaml to optimize Kubescape for your cluster.
+------------------------------------------------------------
+```
 
-For further assistance, please contact support.
+### Report example
+![alt text](Report-example.png)

poc-prerequisite/bash-script/README.md

@@ -0,0 +1,100 @@
+# ARMO POC Prerequisite Validation Script
+
+This script is designed to validate the prerequisites for the ARMO Security Proof of Concept (POC). It performs the following checks:
+
+1. Network accessibility
+2. Helm chart installation permissions
+3. eBPF support on all nodes
+4. Persistent Volume (PV) support
+
+## Prerequisites
+
+- A Kubernetes cluster
+- kubectl configured to access the cluster
+- Helm installed and configured
+- A file named `ip_list.txt` containing a list of IP addresses to check for network accessibility
+
+## Usage
+
+1. Clone this repository and navigate to the directory:
+   ```bash
+   git clone https://github.com/armosec/armo-platform-tools.git
+   cd armo-platform-tools/poc-prerequisite/bash-script/
+   chmod +x armo-poc-prerequisite.sh
+   ```
+
+2. Run the script:
+   ```bash
+   ./armo-poc-prerequisite.sh
+   ```
+
+## Script Details
+
+### check_network_accessibility
+
+This function checks if the network is accessible by trying to connect to each IP address listed in `ip_list.txt` on port 443 using `nc` (netcat).
+
+### verify_helm_permissions
+
+This function verifies that you have the necessary permissions to install Helm charts by performing a dry-run installation of the `kubescape` chart.
+
+### check_ebpf_support
+
+This function checks if eBPF is supported on all nodes in the cluster by creating a DaemonSet that attempts to access `/sys/fs/bpf`.
+
+### check_pv_support
+
+This function checks if Persistent Volume Claims (PVCs) can be successfully bound by creating a test PVC.
+
+## Output
+
+The script will output the status of each check:
+
+- ✅ for a successful check
+- ❌ for a failed check
+
+If any checks fail, detailed failure messages will be printed.
+
+## Example `ip_list.txt`
+
+```
+192.168.1.1
+10.0.0.1
+172.16.0.1
+```
+
+## Example Output
+
+```plaintext
+✅ Network accessibility check passed.
+✅ Helm chart installation permissions check passed.
+✅ eBPF support check passed.
+✅ PV support check passed.
+
+🎉🐼 Your cluster is ready for the ARMO Security POC.
+```
+
+If any checks fail, the output will look like this:
+
+```plaintext
+❌ Network accessibility check failed.
+###    Details    ###
+failed to access: 192.168.1.1 10.0.0.1
+
+✅ Helm chart installation permissions check passed.
+❌ eBPF support check failed.
+###    Details    ###
+failed on nodes: node1 node2
+
+✅ PV support check passed.
+
+🚨 Your cluster is not ready for the ARMO Security POC. Failures: 2
+```
+
+## Troubleshooting
+
+- Ensure `kubectl` is configured to access your cluster.
+- Verify Helm is installed and configured correctly.
+- Check the `ip_list.txt` file for correct IP addresses.
+
+For further assistance, please contact support.