In this tutorial we will learn about Alcide Kubernetes Advisor and how to integrate it with CircleCI to implement continuous security and cluster hygiene checks for one or more Kubernetes clusters.
Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner built to support friction-free DevSecOps workflows. Alcide Advisor can be plugged in early in the development process, before anything moves to production.
We will need to create a service account that allows the pipeline to pull GKE cluster credentials.
There is a nice blog post that explains how GCP Kubernetes IAM roles map to Kubernetes RBAC.
If you do not already have such a service account, follow the instructions here to configure one: GKE IAM Service Account
Alcide Kubernetes Advisor runs against a Kubernetes cluster and requires access to a kubeconfig to authenticate and authorize itself to the cluster.
If your pipeline can successfully run kubectl commands against the cluster, you are ready to initiate a scan.
Under Project Settings -> Build Settings -> Environment Variables, make sure you have the following variables defined (the GCP orbs used by the pipeline read them):
- GCLOUD_SERVICE_KEY
- GOOGLE_PROJECT_ID
- GOOGLE_COMPUTE_ZONE
With CircleCI, the pipeline trigger relies on a .circleci/config.yaml file and normally fires a pipeline when changes are pushed to the hosting git repository.
```yaml
version: 2.1

orbs:
  alcide: email@example.com
  gcp-cli: firstname.lastname@example.org
  gcr: email@example.com
  k8s: firstname.lastname@example.org

jobs:
  deploy_and_scan_cluster:
    description: "Deploy resources into a cluster"
    machine: true
    parameters:
      cluster:
        description: "The Kubernetes cluster name."
        type: string
    steps:
      - checkout
      #
      # make sure you have the following environment variables defined:
      # GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE
      #
      - gcr/gcr-auth
      - gcp-cli/install
      - k8s/install
      - run: |
          gcloud container clusters get-credentials <<parameters.cluster>>
      - run: |
          echo "Deploy resources into the cluster"
          kubectl get pods --all-namespaces
      - alcide/alcide_advisor_scan:
          #cluster_context: 'myclustercontext'
          report_format: 'html'
          # false: the job still succeeds when critical findings are reported
          fail_on_critical: false
          alcide_apiserver: ''
          policy_profile: ''

workflows:
  advisor_scan:
    jobs:
      - deploy_and_scan_cluster:
          cluster: demo-cluster
```
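The job above only works if the three environment variables are present and kubectl can already talk to the cluster, but the pipeline as written discovers a missing prerequisite half-way through, with a gcloud or kubectl error. The script below is an added pre-flight check for that setup; it is example code written for this page, not part of the Alcide orb or the original codelab. It verifies the variables named in the config comment, sanity-checks that GCLOUD_SERVICE_KEY holds a service-account JSON key, and performs the kubectl reachability test the text describes before the scan step runs. The variable names come from the config; the function names and the constructed sample key used in testing are this example's own.

```shell
#!/usr/bin/env sh
# Pre-flight checks for the deploy_and_scan_cluster job.
# Added example, not part of the Alcide orb or the codelab.

# Variables the GCP orbs in the config expect (names from the config comment).
REQUIRED_VARS="GCLOUD_SERVICE_KEY GOOGLE_PROJECT_ID GOOGLE_COMPUTE_ZONE"

# check_required_vars: returns 0 when every variable in REQUIRED_VARS is set
# and non-empty; otherwise prints each missing name to stderr and returns 1.
check_required_vars() {
  missing=0
  for name in $REQUIRED_VARS; do
    # Indirect expansion via eval is the portable POSIX sh idiom.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required environment variable: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# service_key_looks_valid: checks that the key (argument, or
# GCLOUD_SERVICE_KEY when no argument is given) is a service-account JSON
# document rather than, say, a file path or a base64 blob pasted by mistake.
# Uses grep only, so it needs no jq on the CI image. Returns 0/1.
service_key_looks_valid() {
  printf '%s' "${1:-$GCLOUD_SERVICE_KEY}" \
    | grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"'
}

# cluster_reachable: the readiness test the codelab describes. If kubectl
# can reach the API server, the scanner (which reads the same kubeconfig)
# can too. /healthz is a real kube-apiserver endpoint.
cluster_reachable() {
  kubectl get --raw=/healthz >/dev/null 2>&1
}

# preflight: runs all checks in order; exit status 0 means the scan step
# may start. Each failure names the thing to fix.
preflight() {
  check_required_vars || return 1
  service_key_looks_valid || {
    echo "GCLOUD_SERVICE_KEY is not a service-account JSON key" >&2
    return 1
  }
  cluster_reachable || {
    echo "kubectl cannot reach the cluster; check gcloud get-credentials" >&2
    return 1
  }
  echo "preflight OK: ready to run alcide/alcide_advisor_scan"
}

# Run the checks only when invoked as:  sh preflight.sh run
# (so the file can also be sourced to reuse the functions).
if [ "${1:-}" = run ]; then
  preflight
fi
```

In the pipeline this would sit as a `run` step between `gcloud container clusters get-credentials` and the `alcide/alcide_advisor_scan` step, so a misconfigured job stops before the scanner is invoked rather than producing an empty or failed report.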
The pipeline publishes the scan results into your Pipeline Artifacts under the advisor-report directory.
In this codelab we covered:
- Creating a GCP service account that lets the pipeline pull GKE cluster credentials
- Defining the GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID and GOOGLE_COMPUTE_ZONE environment variables in CircleCI
- Running Alcide Kubernetes Advisor against the cluster from a CircleCI job and publishing the report as a pipeline artifact