Difference between revisions of "K8s security scanner"
Latest revision as of 19:50, 4 April 2023
https://github.com/aquasecurity/trivy

https://blog.aquasec.com/kubernetes-cluster-security-with-trivy

https://aquasecurity.github.io/trivy/v0.33/tutorials/kubernetes/cluster-scanning/

# Trivy on Microk8s
```
microk8s enable community
microk8s enable trivy
kubectl get pod -n trivy-system
```

It might take a while for Trivy to size its pods to your cluster, but once all pods in trivy-system are healthy, run:
```
kubectl get vulnerabilityreports --all-namespaces -o wide
```

To see the individual findings behind one report (replace `replicaset-foo` with a report name from the listing above):
```
kubectl -n test describe vulnerabilityreports replicaset-foo
```

To remove ReplicaSets that are scaled to zero replicas (for example, old revisions left behind by a rollout):
```
ns=test; kubectl -n $ns delete replicaset $(kubectl -n $ns get replicaset -o jsonpath='{ .items[?(@.spec.replicas==0)].metadata.name }')
# or
kubectl config set-context --current --namespace=test
kubectl delete replicaset $(kubectl get replicaset -o jsonpath='{ .items[?(@.spec.replicas==0)].metadata.name }')
```
To wipe the namespace (`all` covers the core workload resource types, not Secrets, ConfigMaps or custom resources):
```
kubectl delete all --all -n test
```

# Get reports
Inspect created VulnerabilityReports by:
```
kubectl get vulnerabilityreports --all-namespaces -o wide
```

Inspect created ConfigAuditReports by:
```
kubectl get configauditreports --all-namespaces -o wide
```

Inspect the work log of trivy-operator by:
```
kubectl logs -n trivy-system deployment/trivy-operator
```
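Once reports exist, the natural next step is to turn them into a pass/fail check. The script below is an added example, not part of this wiki page or of Trivy: it reads the JSON from `kubectl get vulnerabilityreports --all-namespaces -o json`, and the label and summary field names it relies on (`trivy-operator.resource.kind`, `report.summary.criticalCount`, `report.vulnerabilities[].fixedVersion`) are assumed from the trivy-operator v1alpha1 VulnerabilityReport schema, so check them against your cluster.

```python
"""Gate on trivy-operator VulnerabilityReports: exits 1 when a workload breaks the thresholds.
Usage: kubectl get vulnerabilityreports --all-namespaces -o json | python3 vuln_gate.py
"""
import json
import sys

# Constructed sample shaped like trivy-operator's v1alpha1 VulnerabilityReport list; the label
# and summary field names are assumed from the operator's CRD and the CVE ids are placeholders.
SAMPLE = {"items": [
    {"metadata": {"namespace": "test", "name": "replicaset-foo-app",
                  "labels": {"trivy-operator.resource.kind": "ReplicaSet",
                             "trivy-operator.resource.name": "foo"}},
     "report": {"artifact": {"repository": "library/nginx", "tag": "1.19"},
                "summary": {"criticalCount": 1, "highCount": 2},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-PLACEHOLDER-1", "severity": "CRITICAL", "fixedVersion": "1.20"},
                    {"vulnerabilityID": "CVE-PLACEHOLDER-2", "severity": "HIGH", "fixedVersion": ""},
                    {"vulnerabilityID": "CVE-PLACEHOLDER-3", "severity": "HIGH", "fixedVersion": "1.20"}]}},
    {"metadata": {"namespace": "default", "name": "replicaset-bar-web",
                  "labels": {"trivy-operator.resource.kind": "ReplicaSet",
                             "trivy-operator.resource.name": "bar"}},
     "report": {"artifact": {"repository": "library/redis", "tag": "7"},
                "summary": {"criticalCount": 0, "highCount": 1},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-PLACEHOLDER-4", "severity": "HIGH", "fixedVersion": ""}]}}]}

def summarize(report_list):
    """Flatten each report to the workload it covers plus the counts a gate cares about."""
    rows = []
    for item in report_list["items"]:
        labels, rep = item["metadata"].get("labels", {}), item["report"]
        # A HIGH with a fixedVersion disappears by bumping the image; those are the cheap wins.
        fixable_high = sum(1 for v in rep.get("vulnerabilities", [])
                           if v.get("severity") == "HIGH" and v.get("fixedVersion"))
        rows.append({"namespace": item["metadata"]["namespace"],
                     "workload": f"{labels.get('trivy-operator.resource.kind')}/{labels.get('trivy-operator.resource.name')}",
                     "image": f"{rep['artifact']['repository']}:{rep['artifact']['tag']}",
                     "critical": rep["summary"].get("criticalCount", 0),
                     "fixable_high": fixable_high})
    return rows

def failing(rows, max_critical=0, max_fixable_high=0):
    """Workloads that break policy: any CRITICAL, or a fixable HIGH left unpatched."""
    return [r for r in rows if r["critical"] > max_critical or r["fixable_high"] > max_fixable_high]

if __name__ == "__main__":
    bad = failing(summarize(SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)))
    for r in bad:
        print(f"{r['namespace']} {r['workload']} {r['image']}: critical={r['critical']} fixable_high={r['fixable_high']}")
    sys.exit(1 if bad else 0)
```

Run without a pipe it evaluates the embedded sample; piped from kubectl it evaluates the live cluster and the non-zero exit makes it usable as a CI or cron gate.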
# Upgrade Microk8s add-ons
```
microk8s disable ingress && sleep 30 && microk8s enable ingress
microk8s disable registry && sleep 30 && microk8s enable registry
```