Accurics Kubernetes support is made up of two parts: the scanning of Kubernetes-specific IaC such as Helm or Kustomize, and the scanning of the running Kubernetes cluster. This allows ensuring policy compliance on both the IaC and cloud sides, as well as detecting drift between the definitions in IaC and what is actually running in the Kubernetes cluster.
We currently support Helm and Kustomize as Kubernetes IaC languages. For scanning Kubernetes clusters, we support managed Kubernetes instances from AWS Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Cloud's Google Kubernetes Engine (GKE).
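The drift detection described above, reduced to its core idea, as an added illustrative example written for this page (it is not Accurics' scanner): objects rendered from IaC are matched to live cluster objects by kind, namespace and name, and a chosen set of security-relevant fields is compared. The declared and live objects are constructed inline; the field list, the `deployment()` helper and the report layout are assumptions for this example only.

```python
"""Simplified IaC-vs-cluster drift check (illustrative example, not Accurics' engine).

Two constructed inputs stand in for what a real scanner would gather:
  * DECLARED: objects rendered from IaC (e.g. `helm template` / `kustomize build`)
  * LIVE:     objects read back from the cluster API server
Both are plain dicts in Kubernetes manifest shape.
"""
from typing import Any, Dict, List, Optional, Tuple

# Fields whose divergence a reviewer would most want flagged (assumed list for this example).
DRIFT_FIELDS = [
    "spec.replicas",
    "spec.template.spec.containers.0.image",
    "spec.template.spec.containers.0.securityContext.runAsNonRoot",
    "spec.template.spec.containers.0.securityContext.privileged",
]


def get_path(obj: Any, dotted: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts/lists; None if any segment is missing."""
    cur = obj
    for seg in dotted.split("."):
        if isinstance(cur, dict):
            if seg not in cur:
                return None
            cur = cur[seg]
        elif isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        else:
            return None
    return cur


def object_key(obj: Dict[str, Any]) -> Tuple[str, str, str]:
    """Identity of a cluster object: (kind, namespace, name); namespace defaults to 'default'."""
    md = obj.get("metadata", {})
    return (obj.get("kind", ""), md.get("namespace", "default"), md.get("name", ""))


def detect_drift(declared: List[Dict[str, Any]], live: List[Dict[str, Any]],
                 fields: List[str] = DRIFT_FIELDS) -> Dict[str, list]:
    """Report objects missing from the cluster, objects not managed by IaC, and field drift."""
    declared_by_key = {object_key(o): o for o in declared}
    live_by_key = {object_key(o): o for o in live}
    report: Dict[str, list] = {"missing_in_cluster": [], "not_in_iac": [], "field_drift": []}
    for key, want in declared_by_key.items():
        have = live_by_key.get(key)
        if have is None:
            report["missing_in_cluster"].append(key)
            continue
        for f in fields:
            dv, lv = get_path(want, f), get_path(have, f)
            if dv != lv:  # a field set in IaC but absent live (None) is also drift
                report["field_drift"].append((key, f, dv, lv))
    for key in live_by_key:
        if key not in declared_by_key:
            report["not_in_iac"].append(key)
    return report


def deployment(name: str, ns: str, replicas: int, image: str,
               security_context: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build a minimal apps/v1 Deployment dict (helper for the constructed sample data)."""
    container: Dict[str, Any] = {"name": name, "image": image}
    if security_context is not None:
        container["securityContext"] = security_context
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"replicas": replicas,
                     "template": {"spec": {"containers": [container]}}}}


# Constructed sample: what the IaC declares ...
DECLARED = [
    deployment("web", "shop", 2, "nginx:1.25.3",
               {"runAsNonRoot": True, "privileged": False}),
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "web", "namespace": "shop"}, "spec": {"type": "ClusterIP"}},
]
# ... and what the cluster actually runs: scaled up, image retagged, security context
# dropped, Service gone, and an extra Deployment nobody committed to the repo.
LIVE = [
    deployment("web", "shop", 3, "nginx:latest"),
    deployment("debug-shell", "shop", 1, "busybox:1.36"),
]


def run_example() -> Dict[str, list]:
    """Drift report for the constructed sample above."""
    return detect_drift(DECLARED, LIVE)


if __name__ == "__main__":
    for section, items in run_example().items():
        print(section)
        for item in items:
            print("  ", item)
```

Each entry in `field_drift` carries the object key, the field path, the declared value and the live value, so a report line such as `spec.template.spec.containers.0.securityContext.runAsNonRoot: True -> None` tells a reviewer exactly which hardening setting the running workload lost.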
| Requirement | Details |
|---|---|
| Authentication and Authorization | For IaC scanning you will have to configure integration with your source code repository such as Bitbucket, GitHub, or AWS CodeCommit. For scanning Kubernetes clusters, you will need to set up an Accurics environment with authentication to the appropriate cloud provider, with the appropriate details such as the VPC or region where the cluster is located. |
| Networking | To perform a scan of the Kubernetes cluster(s), TCP connectivity is required between the Accurics platform and the Kubernetes cluster API server. This is usually over TCP port 443. We understand that for production instances, exposing them to the internet for a public scan is often not allowed. In these cases, an on-premises "bot" can be configured to perform the scan on behalf of the Accurics platform. In this situation, the bot will need to run on a network with TCP access to the Kubernetes cluster. Details about setting up and using the on-premises bot can be found in the "Using the On-Premises Bot with Kubernetes" section, below. |
| Licensing | Depending on your Accurics license, there may be limitations on the number or types of environments which you may scan. |
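A pre-flight check for the networking requirement above, as an added example written for this page (it is not part of Accurics or its bot): it pulls the `server:` URLs out of a kubeconfig file and confirms that the host which will run the scan, whether the platform or an on-premises bot, can open a TCP connection to each API server, defaulting to port 443 when the URL carries none. The kubeconfig snippet is constructed; the function names are assumptions for this example.

```python
"""Pre-flight connectivity check for a Kubernetes cluster scan (added example, not Accurics tooling).

Run this on the host that will perform the scan, before associating an environment or an
on-premises bot with the cluster, to confirm the API server is reachable over TCP.
"""
import re
import socket
import sys
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed kubeconfig fragment with two clusters; one states a port, one does not.
SAMPLE_KUBECONFIG = """apiVersion: v1
clusters:
- cluster:
    server: https://10.0.0.1:6443
  name: dev
- cluster:
    server: https://abcdef0123.gr7.us-east-1.eks.amazonaws.com
  name: prod-eks
"""


def servers_from_kubeconfig(text: str) -> List[str]:
    """Return every `server:` URL in a kubeconfig, in file order (no YAML library needed)."""
    return re.findall(r"^\s*server:\s*(\S+)", text, re.MULTILINE)


def api_host_port(server_url: str) -> Tuple[str, int]:
    """Split a kubeconfig `server` URL into (host, port); https without a port means 443."""
    u = urlparse(server_url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError(f"unexpected API server URL: {server_url!r}")
    return u.hostname, u.port or 443


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, no route
        return False


def check_scan_connectivity(server_url: str, timeout: float = 5.0) -> Dict[str, object]:
    """One result row per API server: where we tried to connect and whether it answered."""
    host, port = api_host_port(server_url)
    return {"server": server_url, "host": host, "port": port,
            "reachable": tcp_reachable(host, port, timeout)}


def check_kubeconfig(text: str, timeout: float = 5.0) -> List[Dict[str, object]]:
    """Check every cluster listed in a kubeconfig document."""
    return [check_scan_connectivity(url, timeout) for url in servers_from_kubeconfig(text)]


if __name__ == "__main__":
    # Usage: python check_api_reachability.py ~/.kube/config  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KUBECONFIG
    for row in check_kubeconfig(text):
        status = "OK " if row["reachable"] else "NO "
        print(f"{status} {row['host']}:{row['port']}  ({row['server']})")
```

A `NO` result from the bot host means the bot is not on a network with TCP access to that cluster, which is the situation the Networking row above describes; resolve that (or choose a different bot) before expecting cluster scans to succeed.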
Setting up a new Accurics Environment for Kubernetes
While the steps below could be used to add an IaC repo and Kubernetes scan to an existing environment, for the sake of simplicity we will describe starting with a fresh environment. For other use cases, please contact Accurics Support.
To start, click the “New” button at the top right corner of the Dashboard in the Accurics Web UI to create a new environment. Then…
- Give the new environment a name, and select “Enterprise mode,” then click Next
- Select the appropriate cloud provider, and configure the cloud scan with the appropriate details for that provider. For AWS, select the VPC where the EKS clusters are running; for AKS, select the Resource Group where the AKS clusters are running. When finished, click Next
- On the IaC Setup page:
  - Select the integration for the repo where your Kubernetes IaC is stored.
  - Further down the page, in the “Select IaC Type” dropdown, specify “Kubernetes”
  - Click the Select button to the right of the “Select Repository and folder” field. In the dialog that appears, select the repository containing the IaC to scan. If the code is not at the top level of the repository, use the Select Folder dialog to select the appropriate directory. For Kustomize code bases, select either the base directory or the overlay directory you wish to scan. When ready, click Submit
  - For Kustomize IaC projects, click the gear icon to the right of the IaC Repository Select button. In the dialog that appears, ensure the “Use Kustomize” checkbox is selected, and then click Submit
- When everything is configured on the IaC Setup page, click the Next button in the lower right corner
- On the Policies page, select at least one Kubernetes policy. This will apply to both the IaC and any Kubernetes clusters discovered during cloud scans. When ready, click Next
- Finally, on the Finish page review your selections. If you need to make changes, you can navigate back through the settings pages by clicking the Previous button. Once everything looks good, click the Finish button
At this point, the Accurics platform will automatically fetch the IaC code and perform an IaC scan on it. In a short amount of time, the IaC scan results will be displayed in the dashboard (the browser refresh button may have to be clicked to show the results).
Perform a Cloud Scan
As with other Accurics cloud scans, click the dropdown beside “Quick Scan” on the dashboard and select “Configure Scan.” In the Scan Options dialog, select the resources you wish to scan, making sure to include your cloud provider's Kubernetes service type (AKS, EKS, or GKE). When happy with the selections, click the “Run Scan” button to initiate the cloud scan. As the scan runs, the scan status and completion bar will show to the left of the “Cancel Scan” button at the top of the Dashboard page. Depending on the number of resource types selected, as well as the size of your Kubernetes clusters, the scan may take from one minute to around 10 minutes to gather all the data from a larger cluster. Once complete, the status bar will display “Cloud Scan Done,” and the scan results will appear in the tables below.
Using the On-Premises Bot with Kubernetes
For detailed information on deploying an on-premises Bot, see On-premises Bot.
The on-premises bot is associated with an Accurics Environment at setup (or can be added later through Environments -> Edit).
- After defining and installing an on-premises bot, create or edit an Accurics Environment.
- On the IaC Setup page, expand the “Integrate with On-premises Bot” section
- Select the bot which has appropriate network access to your cluster
- Continue configuring the rest of the IaC Setup page, and the rest of the environment.
Once an on-premises bot is associated with the environment, attempts to scan Kubernetes clusters will be run by the bot, not by the core Accurics platform.