In this codelab we will create a script that given an Azure subscription, we will scan the entire AKS clusters in the subscription, using Alcide Kubernetes Advisor.

Alcide Code-to-production secutiry

Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner that's built to ensure a friciton free DevSecOps workflows. Alcide Advisor can be plugged early in the development process and before moving to production.

With Alcide Advisor, the security checks you can cover includes:

In this codelab we will use an Azure Subscription, and scan the various AKS deployed in this subscription using Alcide Kubernetes Advisor.

Make sure your Azure AKS clusters running as part of your Azure Subscription

Alcide Code-to-production secutiry

Azure offers multiple sign-in options, if you do not already have your Azure CLI working against your Azure Subscription, refer to ‘Sign in with Azure CLI' guide.

Alcide Code-to-production secutiry

Let's initially list our AKS clusters.

az aks list | \
jq -r '.[] | "Cluster Name: \(.name) ,Resource Group: \(.resourceGroup)"'

Alcide Code-to-production secutiry

Getting a specific cluster credentials should be straight forward once you have the list of clusters and their resource groups.

cluster_name=mycluster && \
cluster_rg=mycluster_rg && \
az aks get-credentials --overwrite-existing --name $cluster_name  --resource-group $cluster_rg

Alcide Code-to-production secutiry

For Linux

cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor &&\
chmod +x advisor

For Mac

cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/darwin/advisor &&\
chmod +x advisor

Make sure you have Alcide Kubernetes Advisor in your PATH environment variable.
We are going to start with an initial cluster scan using the buitin scan profile.

cluster_name=mycluster && \
./advisor validate cluster --cluster-context $cluster_name \
--namespace-include=* --namespace-exclude=-  --outfile scan.html

Open in your browser the generated report scan.html and review the result across the various categories.

Alcide Code-to-production secutiry

Now that we know how to list our clusters, get its credntials and scan it with Alcide Advisor,
Lets put everything toghether into a script that we can run.

#!/usr/bin/env bash

alcide_download_advisor(){
    echo "Downloading Alcide Advisor"
    curl -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor
    chmod +x kube-advisor  
}

alcide_scan_current_cluster(){
    local outdir=$1

    CURRENT_CONTEXT=`kubectl config current-context`
    alcide_scan_cluster $outdir ${CURRENT_CONTEXT}
}

alcide_scan_cluster(){
    local outdir=$1
    local context=$2
    
    echo "Running: './kube-advisor --eula-sign validate cluster --cluster-context $context --namespace-include=\"*\" --outfile $outdir/$context.html'"
    ./kube-advisor --eula-sign validate cluster --cluster-context $context --namespace-include="*" --outfile $outdir/$context.html
}

scan_aks_clusters(){
    local outdir=$1
    local CLUSTERS=`az aks list | jq -r '.[] | "\(.name):\(.resourceGroup)" '`

    for cluster in ${CLUSTERS}
    do
        local cluster_name=`echo $cluster | tr ':' ' ' | awk '{ print $1}'`
        local cluster_rg=`echo $cluster | tr ':' ' '  | awk '{ print $2}'`

        echo Scanning $cluster_name $cluster_rg 
        az aks get-credentials --overwrite-existing --name $cluster_name  --resource-group $cluster_rg
        alcide_scan_current_cluster $outdir $cluster_name
    done  
}



outdir=$(mktemp -d -t alcide-advisor-XXXXXXXXXX)


pushd $outdir
alcide_download_advisor
scan_aks_clusters $outdir
popd

The script can be found https://github.com/alcideio/pipeline/blob/master/scripts/aks-advisor-scan.sh

In this codelab we learned how to:

Alcide Code-to-production secutiry