K8s security scanner

From UVOO Tech Wiki
Latest revision as of 19:50, 4 April 2023

https://github.com/aquasecurity/trivy

https://blog.aquasec.com/kubernetes-cluster-security-with-trivy

https://aquasecurity.github.io/trivy/v0.33/tutorials/kubernetes/cluster-scanning/

# Trivy on Microk8s

```
microk8s enable community
microk8s enable trivy
kubectl get pod -n trivy-system
```

It might take a while for Trivy to size its pods to your k8s cluster, but when all pods are in a healthy state run:

```
kubectl get vulnerabilityreports --all-namespaces -o wide
kubectl -n test describe vulnerabilityreports replicaset-foo
```

Delete ReplicaSets that are scaled to zero replicas (the jsonpath selects `.spec.replicas==0`, i.e. leftovers from earlier rollouts):

```
# delete every ReplicaSet in namespace $ns whose .spec.replicas is 0
ns=test; kubectl -n $ns delete replicaset $(kubectl -n $ns get replicaset -o jsonpath='{ .items[?(@.spec.replicas==0)].metadata.name }')
# or: switch the current context to the namespace first, then do the same without -n
kubectl config set-context --current --namespace=test
kubectl delete replicaset $(kubectl get replicaset -o jsonpath='{ .items[?(@.spec.replicas==0)].metadata.name }')
```

To blow out the namespace (deletes every resource in the `all` category in `test`):

```
kubectl delete all --all -n test
```

# Get reports

Inspect created VulnerabilityReports by:

```
kubectl get vulnerabilityreports --all-namespaces -o wide
```

Inspect created ConfigAuditReports by:

```
kubectl get configauditreports --all-namespaces -o wide
```

Inspect the work log of trivy-operator by:

```
kubectl logs -n trivy-system deployment/trivy-operator
```
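The `-o wide` listing above only shows per-report severity counts. To see which findings actually have a fix available per workload, the JSON form of the same reports can be post-processed. The script below is an added example, not code from the wiki page or from the Trivy project; it assumes the trivy-operator VulnerabilityReport layout (workload identity in the `trivy-operator.resource.*` and `trivy-operator.container.name` labels, findings under `.report.vulnerabilities` with `vulnerabilityID`, `severity`, `resource`, `installedVersion` and `fixedVersion`) and ships with a constructed sample report list so it runs offline.

```python
"""Summarize trivy-operator VulnerabilityReports from `kubectl ... -o json` output.

Added example (not from the wiki page or the Trivy project). Assumes the
trivy-operator VulnerabilityReport layout described in the lead-in.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample in the shape of `kubectl get vulnerabilityreports -A -o json`.
# CVE ids, package names and image names are placeholders, not real findings.
SAMPLE_REPORT_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "replicaset-foo-abc123-app", "namespace": "test",
                      "labels": {"trivy-operator.resource.kind": "ReplicaSet",
                                 "trivy-operator.resource.name": "foo-abc123",
                                 "trivy-operator.resource.namespace": "test",
                                 "trivy-operator.container.name": "app"}},
         "report": {"artifact": {"repository": "example/app", "tag": "1.0"},
                    "vulnerabilities": [
                        {"vulnerabilityID": "CVE-0000-00001", "severity": "CRITICAL",
                         "resource": "libexample", "installedVersion": "1.0", "fixedVersion": "1.1"},
                        {"vulnerabilityID": "CVE-0000-00002", "severity": "HIGH",
                         "resource": "libother", "installedVersion": "2.0", "fixedVersion": ""},
                        {"vulnerabilityID": "CVE-0000-00003", "severity": "LOW",
                         "resource": "libother", "installedVersion": "2.0", "fixedVersion": "2.1"}]}},
        {"metadata": {"name": "daemonset-agent-agent", "namespace": "kube-system",
                      "labels": {"trivy-operator.resource.kind": "DaemonSet",
                                 "trivy-operator.resource.name": "agent",
                                 "trivy-operator.resource.namespace": "kube-system",
                                 "trivy-operator.container.name": "agent"}},
         "report": {"artifact": {"repository": "example/agent", "tag": "3.2"},
                    "vulnerabilities": [
                        {"vulnerabilityID": "CVE-0000-00004", "severity": "MEDIUM",
                         "resource": "libz", "installedVersion": "1.0", "fixedVersion": "1.0.1"}]}},
    ],
})


def workload_of(item):
    """Return (namespace, 'Kind/name', container) for one VulnerabilityReport item."""
    meta = item["metadata"]
    labels = meta.get("labels", {})
    ns = labels.get("trivy-operator.resource.namespace", meta.get("namespace", ""))
    kind = labels.get("trivy-operator.resource.kind", "?")
    name = labels.get("trivy-operator.resource.name", meta.get("name", "?"))
    return ns, f"{kind}/{name}", labels.get("trivy-operator.container.name", "?")


def summarize(report_list_json, min_severity="HIGH"):
    """Return one row per scanned container: severity counts plus the findings at or
    above min_severity that already have a fixed version (an image rebuild closes them)."""
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for item in json.loads(report_list_json).get("items", []):
        ns, workload, container = workload_of(item)
        report = item.get("report", {})
        artifact = report.get("artifact", {})
        counts = Counter()
        fixable = []
        for v in report.get("vulnerabilities", []):
            sev = str(v.get("severity", "UNKNOWN")).upper()
            counts[sev] += 1
            if SEVERITY_RANK.get(sev, 4) <= threshold and v.get("fixedVersion"):
                fixable.append((v.get("vulnerabilityID", ""), v.get("resource", ""),
                                v.get("installedVersion", ""), v["fixedVersion"]))
        rows.append({"namespace": ns, "workload": workload, "container": container,
                     "image": f"{artifact.get('repository', '?')}:{artifact.get('tag', '?')}",
                     "counts": dict(counts), "fixable": sorted(fixable)})
    # Stable namespace-first ordering so output is easy to diff between runs.
    rows.sort(key=lambda r: (r["namespace"], r["workload"], r["container"]))
    return rows


def main():
    # Usage: kubectl get vulnerabilityreports -A -o json | python3 trivy_summary.py
    # Without piped input the constructed sample above is summarized instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for r in summarize(raw or SAMPLE_REPORT_LIST):
        c = r["counts"]
        print(f"{r['namespace']}/{r['workload']} [{r['container']}] {r['image']}: "
              f"C={c.get('CRITICAL', 0)} H={c.get('HIGH', 0)} "
              f"M={c.get('MEDIUM', 0)} L={c.get('LOW', 0)}")
        for vid, pkg, cur, fixed in r["fixable"]:
            print(f"    fixable: {vid} {pkg} {cur} -> {fixed}")


if __name__ == "__main__":
    main()
```

Reports for ReplicaSets that were scaled to zero during a rollout show up in this list exactly like live workloads, which is one reason to prune those ReplicaSets as shown in the section above before triaging.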

# Upgrade Microk8s add-ons

```
microk8s disable ingress && sleep 30 && microk8s enable ingress
microk8s disable registry && sleep 30 && microk8s enable registry
```