secureCodeBox Uninstallation

Uninstall Scanner / Hook

If you want to uninstall every scanner and every hook, you can simply delete the namespace in which they were installed, provided that namespace does not contain any other resources you still need.

If you want to uninstall specific scanners or hooks, you can delete them via Helm. For example, if you installed nmap using helm install nmap secureCodeBox/nmap --version v2.0.0-rc.11, you can delete nmap like this:

helm delete nmap

Uninstall CascadingRules

If you want to delete some CascadingRules, you can do so using kubectl. For example, to uninstall a CascadingRule for nmap:

kubectl delete cascadingrules.cascading.securecodebox.io nmap-hostscan

Uninstall the Operator and Its Roles, ServiceAccounts and RoleBindings

To uninstall the operator it is not enough to delete the operator via helm because the operator creates Roles, ServiceAccounts and RoleBindings used by parsers, lurchers and hooks in every namespace where scanners and hooks are executed. These cannot be uninstalled via helm because they cannot be referenced via Kubernetes OwnerReferences.

Make sure you delete all scans and uninstall all scanners/hooks before uninstalling the operator to avoid problems. First delete the namespace for the operator:

kubectl delete namespace securecodebox-system

Delete Roles, RoleBindings and ServiceAccounts

The operator creates ServiceAccounts, Roles and RoleBindings in every namespace where scans / hooks are executed. You will have to delete these manually for each namespace where scans were scheduled. The given examples are valid only for scanners that were executed in the default namespace.

To list the ServiceAccounts, Roles and RoleBindings that were created by the operator, you can execute the following command:

kubectl get roles,rolebindings,serviceaccounts lurcher parser
NAME CREATED AT
role.rbac.authorization.k8s.io/lurcher 2020-10-14T11:15:38Z
role.rbac.authorization.k8s.io/parser 2020-10-14T11:17:54Z
NAME ROLE AGE
rolebinding.rbac.authorization.k8s.io/lurcher Role/lurcher 85m
rolebinding.rbac.authorization.k8s.io/parser Role/parser 83m
NAME SECRETS AGE
serviceaccount/lurcher 1 85m
serviceaccount/parser 1 83m

To delete the Roles for lurcher and parser you can execute the following command:

kubectl delete roles lurcher parser

To delete the RoleBindings for lurcher and parser you can execute:

kubectl delete rolebindings lurcher parser

To delete the ServiceAccounts for lurcher and parser you can execute:

kubectl delete serviceaccounts lurcher parser
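
The per-namespace cleanup described in this section, as an added example that is not part of the secureCodeBox documentation: it finds the operator-created objects in every namespace instead of only in default, and deletes them only when asked to. It assumes the leftovers are exactly the Roles, RoleBindings and ServiceAccounts named lurcher and parser shown in the listing above; the function names and the KUBECTL variable are hypothetical.

```shell
#!/bin/sh
# Added example, not secureCodeBox project code.
# Assumption: the operator-created objects are the Roles, RoleBindings and
# ServiceAccounts named "lurcher" and "parser", as in the listing above.
# Matching is by name only, so review the output before deleting: another
# workload could own an unrelated object called "parser".

KUBECTL="${KUBECTL:-kubectl}"   # overridable so the logic can be exercised offline

# Print one "namespace kind name" line per matching object in any namespace.
scb_rbac_leftovers() {
  $KUBECTL get roles,rolebindings,serviceaccounts --all-namespaces --no-headers \
    -o custom-columns=NS:.metadata.namespace,KIND:.kind,NAME:.metadata.name |
    awk '$3 == "lurcher" || $3 == "parser" { print $1, tolower($2), $3 }'
}

# Review mode by default; pass --delete to remove what was found.
scb_rbac_cleanup() {
  mode="${1:-}"
  scb_rbac_leftovers | while read -r ns kind name; do
    if [ "$mode" = "--delete" ]; then
      # </dev/null keeps the command from consuming the loop's input
      $KUBECTL delete "$kind" "$name" --namespace "$ns" </dev/null
    else
      echo "leftover: $kind/$name in namespace $ns"
    fi
  done
}

# Usage:
#   scb_rbac_cleanup            # list leftovers in all namespaces
#   scb_rbac_cleanup --delete   # delete them
```

Run the review mode again after deleting; an empty result means no ServiceAccount from the uninstalled operator still holds a Role in any namespace.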

Delete CRDs

Deleting the namespace of the operator will not delete the Custom Resource Definitions (CRDs) that were defined. To list all CRDs you can execute the following command:

kubectl get crds
NAME CREATED AT
cascadingrules.cascading.securecodebox.io 2020-10-14T09:32:19Z
parsedefinitions.execution.securecodebox.io 2020-10-14T09:32:19Z
scancompletionhooks.execution.securecodebox.io 2020-10-14T09:32:19Z
scans.execution.securecodebox.io 2020-10-14T09:32:19Z
scantypes.execution.securecodebox.io 2020-10-14T09:32:19Z
scheduledscans.execution.securecodebox.io 2020-10-14T09:32:19Z

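Deleting a CRD also removes every remaining resource of that type (for example any Scans or ScheduledScans) in all namespaces. To delete these CRDs you can execute the following command: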

kubectl delete crd cascadingrules.cascading.securecodebox.io \
parsedefinitions.execution.securecodebox.io \
scancompletionhooks.execution.securecodebox.io \
scans.execution.securecodebox.io \
scantypes.execution.securecodebox.io \
scheduledscans.execution.securecodebox.io

Delete Volumes

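Some resources, like the Elastic Stack, require a persistent volume. Persistent volumes are cluster-scoped; the CLAIM column shows the namespace and claim each volume is bound to (here a claim in the default namespace). To list all persistent volumes you can execute:

kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-6002bffb-51ac-4767-a5a8-9f8834ffa7ec 30Gi RWO Delete Bound default/elasticsearch-master-elasticsearch-master-0 standard 3h30m

To delete a persistent volume you can execute the following command. As long as the claim shown in the CLAIM column still exists, the volume stays in the Terminating state and is only removed once that claim has been deleted:

kubectl delete pv pvc-6002bffb-51ac-4767-a5a8-9f8834ffa7ec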