Kubei is a vulnerabilities scanning tool that allows users to get an accurate and immediate risk assessment of their kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. It doesn’t scan the entire image registries and doesn’t require preliminary integration with CI/CD pipelines.
It is a configurable tool which allows users to define the scope of the scan (target namespaces), the speed, and the vulnerabilities level of interest.
It provides a graphical UI which allows the viewer to identify where and what should be replaced, in order to mitigate the discovered vulnerabilities.
Prerequisites
~/.kube/config) is properly configured for the target cluster.Required Permissions
Configurations
The file deploy/kubei.yaml is used to deploy and configure Kubei on your cluster.
IGNORE_NAMESPACES env variable to ignore specific namespaces. Set TARGET_NAMESPACE to scan a specific namespace, or leave empty to scan all namespaces.MAX_PARALLELISM env variable for the maximum number of simultaneous scanners.SEVERITY_THRESHOLD threshold will be reported. Supported levels are Unknown, Negligible, Low, Medium, High, Critical, Defcon1. Default is Medium.DELETE_JOB_POLICY env variable to define whether or not to delete completed scanner jobs. Supported values are:All – All jobs will be deleted.Successful – Only successful jobs will be deleted (default).Never – Jobs will never be deleted.Usage
kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yamlkubectl -n kubei get pod -lapp=kubei kubectl -n kubei port-forward $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}') 8080kubectl -n kubei logs $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}')Running Kubei with an external HTTP/HTTPS proxy
Uncomment and configure the proxy env variables for the Clair and Kubei deployments in deploy/kubei.yaml.
Amazon ECR support
Create an AWS IAM user with AmazonEC2ContainerRegistryFullAccess permissions.
Use the user credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION) to create the following secret:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: ecr-sa
namespace: kubei
type: Opaque
data:
AWS_ACCESS_KEY_ID: $(echo -n 'XXXX'| base64 -w0)
AWS_SECRET_ACCESS_KEY: $(echo -n 'XXXX'| base64 -w0)
AWS_DEFAULT_REGION: $(echo -n 'XXXX'| base64 -w0)
EOF
Note:
ecr-saAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGIONGoogle GCR Support
Create a Google service account with Artifact Registry Reader permissions.
Use the service account json file to create the following secret
kubectl -n kubei create secret generic –from-file=sa.json gcr-sa
Note:
gcr-sasa.json must be the name of the service account json file when generating the secretLimitations
Nginx server blocks let you run more than one website on a single server. Each block…
Tor Browser is a modified version of Firefox that routes all your web traffic through the Tor…
Vagrant is a command-line tool that makes it easy to build and manage virtual machine environments.…
VMware Tools is a set of drivers and services that improves the performance of an Ubuntu…
Java developers use project management tools to automate building their applications. Apache Maven is an open source…
Running programs built for Microsoft's framework on a Linux system is easier than you think. Mono is…