In this codelab we will create a script that, given an AWS Region, scans every EKS cluster running in that region using Alcide Kubernetes Advisor.

Alcide Code-to-production security

Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner built to ensure friction-free DevSecOps workflows. Alcide Advisor can be plugged in early in the development process, before moving to production.

With Alcide Advisor, the security checks you can cover include:

In this codelab we will use AWS and scan the various EKS clusters deployed in the configured region with Alcide Kubernetes Advisor.

Make sure your Amazon EKS clusters are running as part of your AWS Region

AWS offers multiple sign-in options. If you do not already have the aws CLI working against your AWS account, refer to ‘AWS Command Line Interface'.
Make sure you're using an IAM user with permissions to your Amazon EKS clusters, and that the default region is the one where your clusters are running.

Use ‘aws configure get region' to see the configured region

Let's initially list our EKS clusters.

aws eks list-clusters --output text | cut -c10-


aws eks list-clusters | jq -c '.[][]' | tr -d '"'

Getting a specific cluster's credentials should be straightforward once you have the list of clusters and the region they run in.

# KUBECONFIG is exported (not declared with `local`, which only works inside a function) so that aws and kubectl write to the scratch kubeconfig
export KUBECONFIG=/tmp/advisor-config && \
cluster=<mycluster> && \
region=<mycluster_region> && \
aws eks update-kubeconfig --name $cluster --alias $cluster --region $region

For Linux

# <advisor-download-url-for-linux> is a placeholder: the download URL is not on this page, substitute the Alcide Advisor Linux download link
mkdir -p /tmp/training/advisor && cd /tmp/training/advisor && \
curl -o advisor <advisor-download-url-for-linux> && \
chmod +x advisor

For Mac

# <advisor-download-url-for-mac> is a placeholder: the download URL is not on this page, substitute the Alcide Advisor macOS download link
mkdir -p /tmp/training/advisor && cd /tmp/training/advisor && \
curl -o advisor <advisor-download-url-for-mac> && \
chmod +x advisor

Make sure you have Alcide Kubernetes Advisor in your PATH environment variable.
We are going to start with an initial cluster scan using the built-in scan profile.

# "*" is quoted so the shell does not expand it as a glob before Advisor sees it
cluster_name=<mycluster> && \
./advisor validate cluster --cluster-context $cluster_name \
  --namespace-include="*" --namespace-exclude=- --outfile scan.html

Open the generated report scan.html in your browser and review the results across the various categories.

Now that we know how to list our clusters, get their credentials and scan them with Alcide Advisor,
let's put everything together into a script that we can run.

#!/usr/bin/env bash

# Download the Alcide Advisor binary for the current OS.
# The download base URL is not on this page; ALCIDE_ADVISOR_URL_BASE is an assumed
# variable name and must be set to the Alcide Advisor download location before running.
alcide_download_advisor() {
    echo "Downloading Alcide Advisor"
    local os
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
        # Linux
        os="linux"
    elif [[ "$OSTYPE" == "darwin"* ]]; then
        # Mac OSX
        os="darwin"
    else
        echo "Unsupported OS, Currently Alcide Advisor is supported on Linux or MacOS only"
        return 1
    fi

    curl -o kube-advisor "${ALCIDE_ADVISOR_URL_BASE:?set to the Alcide Advisor download base URL}/$os/advisor"
    chmod +x kube-advisor
}

# Scan the cluster kubectl is currently pointed at, but only if the caller can read it.
alcide_scan_current_cluster() {
    local outdir=$1
    local CURRENT_CONTEXT
    CURRENT_CONTEXT=$(kubectl config current-context)

    if [[ $(kubectl auth can-i get po 2> /dev/null) == "yes" ]]; then
        echo "Scanning ${CURRENT_CONTEXT}"
        alcide_scan_cluster "$outdir" "${CURRENT_CONTEXT}"
    else
        echo "The current user doesn't have read permissions to the cluster: ${CURRENT_CONTEXT}"
    fi
}

# Run Advisor against one kubeconfig context and write an HTML report named after it.
alcide_scan_cluster() {
    local outdir=$1
    local context=$2
    ./kube-advisor --eula-sign validate cluster --cluster-context "$context" --namespace-include="*" --outfile "$outdir/$context.html"
}

# List the EKS clusters in the configured region, fetch credentials for each one and scan it.
scan_eks_clusters() {
    local outdir=$1
    local CLUSTER_NAMES
    CLUSTER_NAMES=$(aws eks list-clusters | jq -c '.[][]' | tr -d '"')
    # Exported (not `local`) so aws and kubectl use the scratch kubeconfig instead of ~/.kube/config
    export KUBECONFIG=$outdir/advisor-config

    #echo ${CLUSTER_NAMES}
    for cluster in ${CLUSTER_NAMES}; do
        aws eks update-kubeconfig --name "$cluster" --alias "$cluster"
        alcide_scan_current_cluster "$outdir"
    done
}

outdir=$(mktemp -d -t alcide-advisor-XXXXXXXXXX)

pushd "$outdir"
alcide_download_advisor
scan_eks_clusters "$outdir"
popd

The script can be found

In this codelab we learned how to: