In this codelab we will create a script that given an Azure subscription, we will scan the entire AKS clusters in the subscription, using Alcide Kubernetes Advisor.
Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner that's built to ensure a friction free DevSecOps workflows. Alcide Advisor can be plugged in early in the development process and before moving to production.
With Alcide Advisor, the security checks you can cover includes:
- Kubernetes infrastructure vulnerability scanning.
- Hunting misplaced secrets, or excessive privileges for secret access.
- Workload hardening from Pod Security to network policies.
- Istio security configuration and best practices.
- Ingress Controllers for security best practices.
- Kubernetes API server access privileges.
- Kubernetes operators security best practices.
- Deployment conformance to labeling, annotating, resource limits and much more ...
In this codelab we will use an Azure Subscription, and scan the various AKS deployed in this subscription using Alcide Kubernetes Advisor.
Make sure your Azure AKS clusters running as part of your Azure Subscription
Azure offers multiple sign-in options, if you do not already have your Azure CLI working against your Azure Subscription, refer to ‘Sign in with Azure CLI' guide.
Let's initially list our AKS clusters.
az aks list | \
jq -r '.[] | "Cluster Name: \(.name) ,Resource Group: \(.resourceGroup)"'
Getting a specific cluster credentials should be straight forward once you have the list of clusters and their resource groups.
cluster_name=mycluster && \
cluster_rg=mycluster_rg && \
az aks get-credentials --overwrite-existing --name $cluster_name --resource-group $cluster_rg
For Linux
cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor &&\
chmod +x advisor
For Mac
cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/darwin/advisor &&\
chmod +x advisor
Make sure you have Alcide Kubernetes Advisor in your PATH environment variable.
We are going to start with an initial cluster scan using the buitin scan profile.
cluster_name=mycluster && \
./advisor validate cluster --cluster-context $cluster_name \
--namespace-include=* --namespace-exclude=- --outfile scan.html
Open in your browser the generated report scan.html and review the result across the various categories.
Now that we know how to list our clusters, get its credntials and scan it with Alcide Advisor,
Lets put everything toghether into a script that we can run.
#!/usr/bin/env bash
alcide_download_advisor(){
echo "Downloading Alcide Advisor"
curl -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor
chmod +x kube-advisor
}
alcide_scan_current_cluster(){
local outdir=$1
CURRENT_CONTEXT=`kubectl config current-context`
alcide_scan_cluster $outdir ${CURRENT_CONTEXT}
}
alcide_scan_cluster(){
local outdir=$1
local context=$2
echo "Running: './kube-advisor --eula-sign validate cluster --cluster-context $context --namespace-include=\"*\" --outfile $outdir/$context.html'"
./kube-advisor --eula-sign validate cluster --cluster-context $context --namespace-include="*" --outfile $outdir/$context.html
}
scan_aks_clusters(){
local outdir=$1
local CLUSTERS=`az aks list | jq -r '.[] | "\(.name):\(.resourceGroup)" '`
for cluster in ${CLUSTERS}
do
local cluster_name=`echo $cluster | tr ':' ' ' | awk '{ print $1}'`
local cluster_rg=`echo $cluster | tr ':' ' ' | awk '{ print $2}'`
echo Scanning $cluster_name $cluster_rg
az aks get-credentials --overwrite-existing --name $cluster_name --resource-group $cluster_rg
alcide_scan_current_cluster $outdir $cluster_name
done
}
outdir=$(mktemp -d -t alcide-advisor-XXXXXXXXXX)
pushd $outdir
alcide_download_advisor
scan_aks_clusters $outdir
popd
The script can be found https://github.com/alcideio/pipeline/blob/master/scripts/aks-advisor-scan.sh
In this codelab we learned how to:
- List AKS Clusters
- Get AKS cluster credentials
- Scan with Alcide Advisor a cluster
- Automate the scan of AKS clusters in an Azure Subscription
