In this tutorial we will learn about Alcide Kubernetes Advisor and how to integrate it with CircleCI to implement continuous security and cluster hygiene checks for one or more Kubernetes clusters.
Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner built for friction-free DevSecOps workflows. Because it needs nothing installed in the cluster, it can be plugged in early in the development process, well before anything moves to production.
We will need a GCP service account that allows the pipeline to pull GKE cluster credentials. Since the scan only reads cluster state, keep the account's IAM role to the minimum that grants read access to the cluster rather than reusing a broadly privileged deploy account.
There is a good blog post that explains how GCP Kubernetes Engine IAM roles map to Kubernetes RBAC.
If you do not already have such a service account, follow the instructions here: GKE IAM Service Account to configure one.
Alcide Kubernetes Advisor runs against a Kubernetes cluster and needs a kubeconfig to authenticate to the API server and be authorized by it.
If your pipeline can run kubectl commands against the cluster successfully, you are ready to initiate a scan.
Under Project Settings –> Build Settings –> Environment Variables, make sure you have defined GCLOUD_SERVICE_KEY (the service account key JSON), GOOGLE_PROJECT_ID and GOOGLE_COMPUTE_ZONE; the GCP orbs used in the configuration below read these to authenticate and select the project and zone.
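A preflight step that checks these prerequisites before the scan runs is worth adding to the job, because a missing variable or a wrong kind of credential otherwise surfaces only as a confusing orb failure. The script below is an added example, not code from the Alcide or CircleCI projects: it verifies that the three variables are set, that GCLOUD_SERVICE_KEY looks like a GCP service account key rather than a user credential or a base64-wrapped blob, and, when kubectl is on PATH, that the pipeline can reach the cluster (the same readiness bar the text uses). The SAMPLE_KEY value is constructed for local runs and is not a real key.

```shell
#!/bin/sh
# Added example: preflight checks for the Alcide scan job. Assumes the CircleCI
# project variables GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID and GOOGLE_COMPUTE_ZONE
# are used, as in the config below; the function names are our own.

# Return 0 if every named variable is set and non-empty; report the missing ones.
check_env_vars() {
  missing=""
  for name in "$@"; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Return 0 if the argument looks like a GCP service account key: JSON with
# "type": "service_account", a private_key and a client_email. A user credential
# ("type": "authorized_user") or a base64 blob that was pasted without decoding
# is rejected, since neither will activate with gcloud in the orb.
check_service_key() {
  key="$1"
  printf '%s' "$key" | grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' || return 1
  printf '%s' "$key" | grep -q '"private_key"[[:space:]]*:' || return 1
  printf '%s' "$key" | grep -q '"client_email"[[:space:]]*:' || return 1
  return 0
}

# Return 0 if kubectl can list namespaces with the current context.
check_cluster_access() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not installed" >&2; return 1; }
  kubectl get namespaces >/dev/null 2>&1
}

# Entry point for the CI job: run the checks in order and stop at the first failure.
preflight() {
  check_env_vars GCLOUD_SERVICE_KEY GOOGLE_PROJECT_ID GOOGLE_COMPUTE_ZONE || return 1
  check_service_key "$GCLOUD_SERVICE_KEY" || {
    echo "GCLOUD_SERVICE_KEY is not a service account key JSON" >&2; return 1; }
  check_cluster_access || { echo "kubectl cannot reach the cluster" >&2; return 1; }
  echo "preflight ok"
}

# Constructed sample key for local experiments only (not a real credential).
SAMPLE_KEY='{"type": "service_account", "project_id": "demo-project", "private_key": "-----BEGIN PRIVATE KEY-----\nexample\n-----END PRIVATE KEY-----\n", "client_email": "ci-scanner@demo-project.iam.gserviceaccount.com"}'

# Run the real checks only when invoked as `sh preflight.sh run`, so the file
# can also be sourced without needing cluster access.
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

In the job, place `sh preflight.sh run` as a `run` step after `get-credentials` and before the `alcide/alcide_advisor_scan` step; a non-zero exit fails the job before the scan is attempted.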
With CircleCI the pipeline is defined by .circleci/config.yml in the repository, and it normally fires when changes are pushed to the hosting git repository.
version: 2.1
orbs:
  alcide: alcideio/alcide-advisor@1.0.3
  gcp-cli: circleci/gcp-cli@1.0.6
  gcr: circleci/gcp-gcr@0.0.2
  k8s: circleci/kubernetes@0.3.0
jobs:
  deploy_and_scan_cluster:
    description: "Deploy resources into a cluster"
    machine: true
    parameters:
      cluster:
        description: "The Kubernetes cluster name."
        type: string
    steps:
      - checkout
      #
      # make sure you have the following environment variables defined:
      # GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE
      #
      - gcr/gcr-auth
      - gcp-cli/install
      - k8s/install
      - run: |
          gcloud container clusters get-credentials <<parameters.cluster>>
      - run: |
          echo "Deploy resources into the cluster"
          kubectl get pods --all-namespaces
      - alcide/alcide_advisor_scan:
          #cluster_context: 'myclustercontext'
          report_format: 'html'
          # false: the job succeeds even if critical findings are reported;
          # set to true to fail the pipeline on critical findings
          fail_on_critical: false
          alcide_apiserver: ''
          policy_profile: ''
workflows:
  advisor_scan:
    jobs:
      - deploy_and_scan_cluster:
          cluster: demo-cluster
The pipeline publishes the scan results as Pipeline Artifacts under the advisor-report directory. Note that with fail_on_critical set to false, as in the example above, the job succeeds regardless of what the scan finds; once the cluster is clean, set it to true so that new critical findings break the build.
In this codelab we covered: