In this tutorial we will learn about Alcide Kubernetes Advisor and how to integrate it with CircleCI to implement continuous security and cluster hygiene checks for one or more Kubernetes clusters.

Alcide Code-to-production security

Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner built to support a friction-free DevSecOps workflow. Because it needs nothing installed in the cluster, Alcide Advisor can be plugged in early in the development process, before anything moves to production.

With Alcide Advisor, the security checks you can cover include:


We will need to create a service account that allows us to pull GKE cluster credentials into the pipeline.

There is a nice blog post that explains how GCP IAM roles for GKE map to Kubernetes RBAC.

If you do not already have such a service account, follow the GKE IAM Service Account instructions to configure one.


Alcide Kubernetes Advisor runs against a Kubernetes cluster and requires access to a kubeconfig in order to authenticate and authorize itself to the cluster.

If your pipeline can run kubectl commands against the cluster successfully, you are ready to initiate a scan.


Under Project Settings –> Build Settings –> Environment Variables, make sure you have GCLOUD_SERVICE_KEY (the contents of the service account's JSON key), GOOGLE_PROJECT_ID and GOOGLE_COMPUTE_ZONE defined. These are the three variables the GCP orbs used in the config below read when authenticating to GCP.


With CircleCI, the pipeline is defined by the .circleci/config.yml file in the repository,
and a pipeline will normally fire when changes are pushed to the hosting git repository.

Your .circleci/config.yml

version: 2.1
orbs:
  alcide: alcideio/alcide-advisor@1.0.3
  gcp-cli: circleci/gcp-cli@1.0.6
  gcr: circleci/gcp-gcr@0.0.2
  k8s: circleci/kubernetes@0.3.0

jobs:
  deploy_and_scan_cluster:
    description: "Deploy resources into a cluster"
    machine: true
    parameters:
      cluster:
        description: "The Kubernetes cluster name."
        type: string
    steps:
      - checkout
      #
      # make sure you have the following environment variables defined:
      # GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE
      #
      - gcr/gcr-auth
      - gcp-cli/install
      - k8s/install
      # write the cluster's kubeconfig entry so kubectl (and the scan) can reach it
      - run: |
          gcloud container clusters get-credentials <<parameters.cluster>>
      - run: |
          echo "Deploy resources into the cluster"
          kubectl get pods --all-namespaces
      - alcide/alcide_advisor_scan:
          #cluster_context: 'myclustercontext'
          report_format: 'html'
          # false = report only; set to true to fail the job on critical findings
          fail_on_critical: false
          alcide_apiserver: ''
          policy_profile: ''

workflows:
  advisor_scan:
    jobs:
      - deploy_and_scan_cluster:
          cluster: demo-cluster
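The config above reports findings but never blocks anything (fail_on_critical is false), and it only runs when someone pushes. The variant below is an added example, not the page's or Alcide's own config: it turns the scan into a gate with fail_on_critical: true, adds a pre-flight step that confirms the service account can actually list the resources the scanner audits before the scan is attempted (the "can your pipeline run kubectl" check described earlier), and adds a scheduled workflow so drift in a cluster nobody pushed to is still caught. The job name scan_cluster, the nightly cron schedule, the master branch filter and the resource list in the pre-flight loop are assumptions; the orb names, versions and scan parameters are the ones used above.

```yaml
version: 2.1
orbs:
  alcide: alcideio/alcide-advisor@1.0.3
  gcp-cli: circleci/gcp-cli@1.0.6
  gcr: circleci/gcp-gcr@0.0.2
  k8s: circleci/kubernetes@0.3.0

jobs:
  # Added example: audit an existing cluster and fail the pipeline on critical findings.
  scan_cluster:
    description: "Scan a cluster and fail on critical findings"
    machine: true
    parameters:
      cluster:
        description: "The Kubernetes cluster name."
        type: string
    steps:
      # same three environment variables as the page's config:
      # GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE
      - gcr/gcr-auth
      - gcp-cli/install
      - k8s/install
      - run:
          name: Fetch cluster credentials
          command: gcloud container clusters get-credentials <<parameters.cluster>>
      - run:
          name: Pre-flight - confirm the service account can read what the scanner audits
          # `kubectl auth can-i` exits non-zero when the answer is "no", so a missing
          # permission fails here with a clear message instead of as a half-empty report.
          # The resource list is an assumption; extend it to whatever your policy covers.
          command: |
            for r in pods deployments networkpolicies clusterrolebindings; do
              kubectl auth can-i list "$r" --all-namespaces >/dev/null \
                || { echo "service account cannot list $r cluster-wide"; exit 1; }
            done
      - alcide/alcide_advisor_scan:
          report_format: 'html'
          fail_on_critical: true      # the page's example uses false; true makes the scan a gate
          alcide_apiserver: ''
          policy_profile: ''

workflows:
  # scan on every push, as in the page's config
  scan_on_push:
    jobs:
      - scan_cluster:
          cluster: demo-cluster
  # also scan nightly so hygiene regressions made outside the pipeline are caught
  nightly_hygiene_scan:
    triggers:
      - schedule:
          cron: "0 2 * * *"          # assumption: 02:00 UTC daily
          filters:
            branches:
              only: master           # assumption: the branch whose config should run
    jobs:
      - scan_cluster:
          cluster: demo-cluster
```

With fail_on_critical set to true the job's exit status carries the verdict, so a critical finding stops the workflow the same way a failing test would; the HTML report is still published to the job's artifacts for review.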

Review the scan report in your pipeline artifact

The pipeline will publish the scan results into your Pipeline Artifacts under the advisor-report directory.


In this codelab we covered:
