In this codelab we will create a script that, given a GCP project, scans every GKE cluster in that project using Alcide Kubernetes Advisor.
Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner built to enable friction-free DevSecOps workflows. Alcide Advisor can be plugged in early in the development process, before moving to production.
In this codelab we will use a GCP project and scan the various GKE clusters deployed in it using Alcide Kubernetes Advisor.
Make sure your GKE clusters are running as part of your GCP project.
GCP offers multiple sign-in options; if you do not already have the gcloud CLI working against your GCP project, refer to the 'Initializing Cloud SDK' guide.
Let's initially list our GKE clusters.
gcloud container clusters list --sort-by=NUM_NODES 2> /dev/null | \
awk '{ print $1 }' | grep -v NAME
Getting the credentials for a specific cluster is straightforward once you have the list of clusters and their locations (the LOCATION column of the listing).
cluster=mycluster && \
region=mycluster_rg && \
gcloud --quiet container clusters get-credentials --region "$region" "$cluster"
On Linux:
mkdir -p /tmp/training/advisor && cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor &&\
chmod +x advisor
On macOS:
mkdir -p /tmp/training/advisor && cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/darwin/advisor &&\
chmod +x advisor
Make sure you have Alcide Kubernetes Advisor in your PATH environment variable.
We are going to start with an initial cluster scan using the built-in scan profile.
cluster_name=mycluster && \
./advisor validate cluster --cluster-context "$cluster_name" \
--namespace-include="*" --namespace-exclude=- --outfile scan.html
Open the generated report scan.html in your browser and review the results across the various categories.
Now that we know how to list our clusters, get their credentials and scan them with Alcide Advisor,
let's put everything together into a script that we can run.
#!/usr/bin/env bash

# Fetch the Linux build of Alcide Advisor into the current directory.
alcide_download_advisor(){
    curl -sSfL -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor
    chmod +x kube-advisor
}

# Scan whichever cluster kubectl currently points at.
alcide_scan_current_cluster(){
    local outdir=$1
    local current_context
    current_context=$(kubectl config current-context)
    alcide_scan_cluster "$outdir" "$current_context"
}

# Run the built-in scan profile against one kubeconfig context; one HTML report per cluster.
alcide_scan_cluster(){
    local outdir=$1
    local context=$2
    ./kube-advisor --eula-sign validate cluster --cluster-context "$context" \
        --namespace-include="*" --outfile "$outdir/$context.html"
}

# List every GKE cluster in the active GCP project, fetch its credentials and scan it.
scan_gke_clusters(){
    local outdir=$1
    local cluster_names
    cluster_names=$(gcloud container clusters list --sort-by=NUM_NODES 2> /dev/null | awk '{ print $1 }' | grep -v NAME)
    for cluster in ${cluster_names}; do
        # The second column of the listing is the cluster's location (region or zone).
        local region
        region=$(gcloud container clusters list --filter="name:$cluster" | awk '{ print $2 }' | grep -v LOCATION)
        echo "Scanning $cluster"
        # --region suits regional clusters; a zonal cluster (location like us-central1-a) needs --zone instead.
        gcloud --quiet container clusters get-credentials --region "$region" "$cluster"
        alcide_scan_current_cluster "$outdir"
    done
}

outdir=$(mktemp -d -t alcide-advisor-XXXXXXXXXX)
pushd "$outdir"
alcide_download_advisor
scan_gke_clusters "$outdir"
popd
The script can be found at https://github.com/alcideio/pipeline/blob/master/scripts/gke-advisor-scan.sh
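The script above always passes --region to get-credentials, which only works for regional clusters; a zonal cluster needs --zone. The helper below is an added example (not part of the codelab or the Alcide script) that picks the right flag from the location string. It assumes the cluster list is produced with gcloud container clusters list --format='value(name,location)' and uses a constructed sample of that output so it runs offline.

```shell
#!/usr/bin/env sh
# Constructed sample of `gcloud container clusters list --format='value(name,location)'`
# output (tab-separated name and location); these are not real clusters.
SAMPLE_CLUSTERS=$(printf 'prod-cluster\teurope-west1\ndev-cluster\tus-central1-a\n')

# A GKE location is either a region (one dash, e.g. us-central1) or a zone
# (two dashes, e.g. us-central1-a). get-credentials needs the matching flag.
gke_location_flag() {
    case "$1" in
        *-*-*) echo "--zone" ;;
        *-*)   echo "--region" ;;
        *)     echo "unrecognised location: $1" >&2; return 1 ;;
    esac
}

# Emit one get-credentials command per "name location" line of the listing.
gke_credential_commands() {
    while read -r name location; do
        [ -n "$name" ] || continue
        flag=$(gke_location_flag "$location") || return 1
        printf 'gcloud --quiet container clusters get-credentials %s %s %s\n' \
            "$flag" "$location" "$name"
    done <<EOF
$1
EOF
}

# Print the commands the scan loop would run for the sample listing.
gke_credential_commands "$SAMPLE_CLUSTERS"
```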
In this codelab we learned how to: