Difference between revisions of "K8s security scanner"
Line 15 (old revision vs. this revision; lines marked with + were added in this revision):

```
kubectl get vulnerabilityreports --all-namespaces -o wide
+```
+
+```
+kubectl -n test describe vulnerabilityreports replicaset-foo
+```
+
+
+```
kubectl delete replicaset $(kubectl get replicaset -o jsonpath='{ .items[?(@.spec.replicas==0)].metadata.name }')
```
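Review bot: the added `kubectl -n test describe vulnerabilityreports replicaset-foo` uses a placeholder report name and namespace without saying so; a sentence telling the reader to take the real name and namespace from the `kubectl get vulnerabilityreports --all-namespaces -o wide` listing just above it would avoid a copy-paste that fails with "not found".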
Revision as of 19:00, 4 April 2023
https://github.com/aquasecurity/trivy
https://blog.aquasec.com/kubernetes-cluster-security-with-trivy
https://aquasecurity.github.io/trivy/v0.33/tutorials/kubernetes/cluster-scanning/
Trivy on MicroK8s
microk8s enable community
microk8s enable trivy
kubectl get pod -n trivy-system
It might take a while for Trivy to scale its pods to the size of your cluster, but once all pods in trivy-system are in a healthy state, run:
kubectl get vulnerabilityreports --all-namespaces -o wide
kubectl -n test describe vulnerabilityreports replicaset-foo
kubectl delete replicaset $(kubectl get replicaset -o jsonpath='{ .items[?(@.spec.replicas==0)].metadata.name }')
To wipe out everything in the test namespace (note that `kubectl delete all` only covers the core workload types such as pods, deployments, replicasets and services, not ConfigMaps, Secrets or PersistentVolumeClaims):
kubectl delete all --all -n test
Get reports
Inspect the created VulnerabilityReports with:
kubectl get vulnerabilityreports --all-namespaces -o wide
Inspect the created ConfigAuditReports with:
kubectl get configauditreports --all-namespaces -o wide
Inspect the work log of trivy-operator with:
kubectl logs -n trivy-system deployment/trivy-operator
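The `-o wide` listing above only shows per-report severity counts. The script below is an added example (not from this wiki page or from trivy-operator) that triages the JSON form of the same reports, `kubectl get vulnerabilityreports --all-namespaces -o json` saved to a file, and lists only the CRITICAL/HIGH findings that already have a fixed version, i.e. the ones an image bump would close; field names assume the aquasecurity.github.io/v1alpha1 VulnerabilityReport schema, and the embedded sample is constructed with placeholder IDs.

```python
#!/usr/bin/env python3
# Added example (not from the wiki page or trivy-operator): triage the JSON
# that `kubectl get vulnerabilityreports --all-namespaces -o json` prints.
# Field names assume the aquasecurity.github.io/v1alpha1 VulnerabilityReport
# schema (metadata.labels trivy-operator.*, report.artifact, report.vulnerabilities).
import json
import sys

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def fixable_findings(report_list, worst_allowed="HIGH"):
    """Rows (namespace, workload, container, image, vuln_id, severity, fixed)
    for findings at or above worst_allowed that carry a fixedVersion."""
    cutoff = SEVERITY_RANK[worst_allowed]
    rows = []
    for item in report_list.get("items", []):
        meta, rep = item["metadata"], item["report"]
        labels = meta.get("labels", {})
        workload = "%s/%s" % (labels.get("trivy-operator.resource.kind", "?"),
                              labels.get("trivy-operator.resource.name", meta["name"]))
        art = rep.get("artifact", {})
        image = "%s/%s:%s" % (rep.get("registry", {}).get("server", "?"),
                              art.get("repository", "?"), art.get("tag", "?"))
        for v in rep.get("vulnerabilities", []):
            sev = v.get("severity", "UNKNOWN")
            # Skip findings below the cutoff and those with no upstream fix yet.
            if SEVERITY_RANK.get(sev, 4) <= cutoff and v.get("fixedVersion"):
                rows.append((meta["namespace"], workload,
                             labels.get("trivy-operator.container.name", "?"),
                             image, v["vulnerabilityID"], sev, v["fixedVersion"]))
    # Worst severity first, then namespace/workload/ID for stable output.
    rows.sort(key=lambda r: (SEVERITY_RANK[r[5]], r[0], r[1], r[4]))
    return rows


# Constructed sample shaped like one report (placeholder IDs, not real CVEs).
SAMPLE = {"items": [{
    "metadata": {"name": "replicaset-foo-app", "namespace": "test",
                 "labels": {"trivy-operator.resource.kind": "ReplicaSet",
                            "trivy-operator.resource.name": "replicaset-foo",
                            "trivy-operator.container.name": "app"}},
    "report": {"registry": {"server": "docker.io"},
               "artifact": {"repository": "library/example", "tag": "1.0"},
               "vulnerabilities": [
                   {"vulnerabilityID": "CVE-0000-PLACEHOLDER1", "severity": "CRITICAL", "fixedVersion": "1.1"},
                   {"vulnerabilityID": "CVE-0000-PLACEHOLDER2", "severity": "HIGH", "fixedVersion": ""},
                   {"vulnerabilityID": "CVE-0000-PLACEHOLDER3", "severity": "LOW", "fixedVersion": "3.1"}]}}]}

if __name__ == "__main__":
    # Usage: python3 triage.py reports.json   (falls back to SAMPLE without a file)
    data = SAMPLE if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    for row in fixable_findings(data):
        print("\t".join(row))
```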