In this codelab we will create a script that, given an AWS Region, scans all the EKS clusters in that region using Alcide Kubernetes Advisor.

Alcide Code-to-production security

Alcide Advisor is an agentless Kubernetes audit, compliance and hygiene scanner built to ensure friction-free DevSecOps workflows. Alcide Advisor can be plugged in early in the development process, before moving to production.

With Alcide Advisor, the security checks you can cover include:

In this codelab we will use an AWS account and scan the EKS clusters deployed in it using Alcide Kubernetes Advisor.

Make sure your Amazon EKS clusters are running as part of your AWS Region

AWS offers multiple sign-in options. If you do not already have the aws CLI working against your AWS account, refer to 'AWS Command Line Interface'.
Make sure you're using an IAM user with permissions to your Amazon EKS clusters, and that the default region is the one where your clusters are running.

Use 'aws configure get region' to see the configured region.

Let's initially list our EKS clusters.

aws eks list-clusters --output text | cut -c10-

or

aws eks list-clusters | jq -r '.clusters[]'

Getting credentials for a specific cluster should be straightforward once you have the list of clusters and the region they run in. KUBECONFIG is exported so that aws eks update-kubeconfig writes to a dedicated file instead of ~/.kube/config (local is only valid inside a function).

export KUBECONFIG=/tmp/advisor-config && \
cluster=<mycluster> && \
region=<mycluster_region> && \
aws eks update-kubeconfig --name $cluster --alias $cluster --region $region

For Linux

mkdir -p /tmp/training/advisor && cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor &&\
chmod +x advisor

For Mac

mkdir -p /tmp/training/advisor && cd /tmp/training/advisor &&\
curl -o advisor https://alcide.blob.core.windows.net/generic/stable/darwin/advisor &&\
chmod +x advisor

Make sure you have Alcide Kubernetes Advisor in your PATH environment variable.
We are going to start with an initial cluster scan using the builtin scan profile. The namespace filters are quoted so the shell does not expand the * as a glob.

cluster_name=<mycluster> && \
./advisor validate cluster --cluster-context $cluster_name \
--namespace-include="*" --namespace-exclude="-" --outfile scan.html

Open the generated report scan.html in your browser and review the results across the various categories.

Now that we know how to list our clusters, get their credentials and scan them with Alcide Advisor,
let's put everything together into a script that we can run.

#!/usr/bin/env bash

# Download the Alcide Advisor binary matching the local OS into the current directory.
alcide_download_advisor(){
    echo "Downloading Alcide Advisor"
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
        # Linux
        local os="linux"
    elif [[ "$OSTYPE" == "darwin"* ]]; then
        # Mac OSX
        local os="darwin"
    else
        echo "Unsupported OS, Currently Alcide Advisor is supported on Linux or MacOS only"
        exit 1
    fi

    curl -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/$os/advisor
    chmod +x kube-advisor
}

# Scan the cluster kubectl currently points at, but only if the current user can read it.
alcide_scan_current_cluster(){
    local outdir=$1
    local CURRENT_CONTEXT=$(kubectl config current-context)

    if [[ $(kubectl auth can-i get po 2> /dev/null) == "yes" ]]; then
        echo "Scanning ${CURRENT_CONTEXT}"
        alcide_scan_cluster "$outdir" "${CURRENT_CONTEXT}"
    else
        echo "The current user doesn't have read permissions to the cluster: ${CURRENT_CONTEXT}"
    fi
}

# Run Alcide Advisor against one kubeconfig context and write an HTML report named after it.
alcide_scan_cluster(){
    local outdir=$1
    local context=$2

    ./kube-advisor --eula-sign validate cluster --cluster-context "$context" --namespace-include="*" --outfile "$outdir/$context.html"
}

# List every EKS cluster in the configured region, fetch its credentials and scan it.
scan_eks_clusters(){
    local outdir=$1
    local CLUSTER_NAMES=$(aws eks list-clusters | jq -r '.clusters[]')
    # Exported so that both aws eks update-kubeconfig and kubectl use this kubeconfig
    # instead of ~/.kube/config.
    export KUBECONFIG=$outdir/advisor-config

    for cluster in ${CLUSTER_NAMES}
    do
        aws eks update-kubeconfig --name "$cluster" --alias "$cluster"
        alcide_scan_current_cluster "$outdir"
    done
}

outdir=$(mktemp -d -t alcide-advisor-XXXXXXXXXX)

pushd "$outdir"
alcide_download_advisor
scan_eks_clusters "$outdir"
popd

The script can be found at https://github.com/alcideio/pipeline/blob/master/scripts/eks-advisor-scan.sh
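The codelab's stated goal is a scan "given an AWS Region", while the script above relies on the default region and shares one kubeconfig across clusters. The following functions are an added example (not the codelab's or Alcide's code) that take the region as a parameter, give each cluster its own kubeconfig so contexts never collide, check read access to both pods and nodes before scanning, and record which clusters were skipped. ADVISOR_BIN is an assumed variable pointing at the downloaded binary; aws, kubectl and the advisor are assumed to be available.

```shell
#!/usr/bin/env bash
# Added example, not the codelab's script. ADVISOR_BIN is a hypothetical
# variable naming the downloaded advisor binary.
ADVISOR_BIN="${ADVISOR_BIN:-./kube-advisor}"

# Print the EKS cluster names in region $1, one per line.
# --query/--output text give a tab-separated list; tr puts one name per line.
eks_cluster_names() {
    aws eks list-clusters --region "$1" --query 'clusters[]' --output text | tr '\t' '\n'
}

# Return 0 if the caller can read pods (all namespaces) and nodes in context $1.
# The advisor needs cluster-wide read access, so a single namespace check is not enough.
advisor_can_read() {
    [ "$(kubectl --context "$1" auth can-i get pods --all-namespaces 2>/dev/null)" = "yes" ] &&
    [ "$(kubectl --context "$1" auth can-i get nodes 2>/dev/null)" = "yes" ]
}

# Scan every cluster in region $1, writing one HTML report per cluster into $2
# plus skipped.txt listing clusters the current IAM user cannot read.
# Prints "scanned <n> skipped <m>" so callers can check the outcome.
scan_eks_clusters_in_region() {
    local region=$1 outdir=$2 scanned=0 skipped=0 cluster
    mkdir -p "$outdir"
    : > "$outdir/skipped.txt"
    for cluster in $(eks_cluster_names "$region"); do
        # One kubeconfig per cluster: credentials for one cluster never leak into another.
        export KUBECONFIG="$outdir/$cluster.kubeconfig"
        aws eks update-kubeconfig --region "$region" --name "$cluster" --alias "$cluster" >/dev/null
        if advisor_can_read "$cluster"; then
            "$ADVISOR_BIN" --eula-sign validate cluster --cluster-context "$cluster" \
                --namespace-include="*" --outfile "$outdir/$cluster.html"
            scanned=$((scanned + 1))
        else
            echo "$cluster" >> "$outdir/skipped.txt"
            skipped=$((skipped + 1))
        fi
    done
    unset KUBECONFIG
    echo "scanned $scanned skipped $skipped"
}
```

Source the file and run, for example, `scan_eks_clusters_in_region us-east-1 /tmp/advisor-reports`; a non-empty skipped.txt tells you which clusters need RBAC attention before they can be audited.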

In this codelab we learned how to: