In this codelab we will create a script that given a GCP Project, we will scan the entire GKE clusters in the project, using Alcide Kubernetes Advisor.

Alcide Code-to-production secutiry

Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner that's built to ensure a friciton free DevSecOps workflows. Alcide Advisor can be plugged early in the development process and before moving to production.

With Alcide Advisor, the security checks you can cover includes:

In this codelab we will use a GCP Project, to scan the various GKE clusters deployed in this project by using Alcide Kubernetes Advisor.

Make sure your Google GKE clusters running as part of your GCP Project

Alcide Code-to-production secutiry

GCP offers multiple sign-in options, if you do not already have your gcloud cli working against your GCP Project, refer to ‘Initializing Cloud SDK' guide.

Alcide Code-to-production secutiry

Let's initially list our GKE clusters.

gcloud container clusters list --sort-by=NUM_NODES 2> /dev/null  | \
awk '{ print $1 }' | grep -v NAME

Alcide Code-to-production secutiry

Getting a specific cluster credentials should be straight forward once you have the list of clusters and their resource groups.

cluster=mycluster && \
region=mycluster_rg && \
gcloud --quiet container clusters get-credentials --region $region $cluster

Alcide Code-to-production secutiry

For Linux

cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor &&\
chmod +x advisor

For Mac

cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/darwin/advisor &&\
chmod +x advisor

Make sure you have Alcide Kubernetes Advisor in your PATH environment variable.
We are going to start with an initial cluster scan using the buitin scan profile.

cluster_name=mycluster && \
./advisor validate cluster --cluster-context $cluster_name \
--namespace-include=* --namespace-exclude=-  --outfile scan.html

Open in your browser the generated report scan.html and review the result across the various categories.

Alcide Code-to-production secutiry

Now that we know how to list our clusters, get its credntials and scan it with Alcide Advisor,
Lets put everything toghether into a script that we can run.

#!/usr/bin/env bash

alcide_download_advisor(){
    curl -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor
    chmod +x kube-advisor  
}

alcide_scan_current_cluster(){
    local outdir=$1

    CURRENT_CONTEXT=`kubectl config current-context`
    alcide_scan_cluster $outdir ${CURRENT_CONTEXT}
}

alcide_scan_cluster(){
    local outdir=$1
    local context=$2
    
    ./kube-advisor --eula-sign validate cluster --cluster-context $context --namespace-include="*" --outfile $outdir/$context.html
}

scan_gke_clusters(){
    local outdir=$1
    local CLUSTER_NAMES=`gcloud container clusters list --sort-by=NUM_NODES 2> /dev/null  | awk '{ print $1 }' | grep -v NAME`

    #echo ${CLUSTER_NAMES}
    for cluster in ${CLUSTER_NAMES}
    do
        local region=`gcloud container clusters list --filter=name:$cluster | awk '{ print $2}' | grep -v LOCATION`
        echo Scanning $cluster
        gcloud --quiet container clusters get-credentials --region $region $cluster
        alcide_scan_current_cluster $outdir
    done  
}



outdir=$(mktemp -d -t alcide-advisor-XXXXXXXXXX)


pushd $outdir
alcide_download_advisor
scan_gke_clusters $outdir
popd

The script can be found https://github.com/alcideio/pipeline/blob/master/scripts/gke-advisor-scan.sh

In this codelab we learned how to:

Alcide Code-to-production secutiry