The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster.
For each pod, the project creates a vulnerability scanner container based on the open-source project Trivy.
The vulnerability scanner is a sidecar container injected into the pod using the open-source project k8s-sidecar-injector.
The vulnerability scanner sidecar container is kubevscan-agent.
Set the environment variables defined in the setup.sh script. The variables ORG and DOMAIN are used to generate certs for the sidecar injector. The variables DEPLOYMENT and CLUSTER are used to create the certs directories (for example DEPLOYMENT=us-east-1 and CLUSTER=PRODUCTION).
ORG=
DOMAIN=
DEPLOYMENT=
CLUSTER=
Run the setup script, which installs and configures the sidecar injector in the Kubernetes cluster.
$ ./setup.sh
Starting to deploy components...
Set required variables in ca.conf csr-prod.conf..
Generating certs..
...
Check the sidecar injector logs.
$ kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124 1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.504153 1 watcher.go:151] Fetching ConfigMaps...
I1015 14:36:37.508225 1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488 1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508515 1 watcher.go:164] Found 1 InjectionConfigs in sidecar-test
I1015 14:36:37.508521 1 main.go:137] got 1 updated InjectionConfigs from reconciliation
I1015 14:36:37.508525 1 main.go:151] updating server with newly loaded configurations (1 loaded from disk, 1 loaded from k8s api)
I1015 14:36:37.508531 1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
...
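The log lines above are the signal that the injector has picked up the kubevscan InjectionConfig and that its webhook is answering health probes; if either is missing, pods created afterwards will simply start without the scanner sidecar and nothing else fails loudly. The following added example (not part of the kubevscan project or of k8s-sidecar-injector) parses that log output and turns it into a pass/fail check. The sample log text is copied from the kubectl logs output shown above; the regular expressions and function names are this example's own assumptions about the injector's log format.

```python
import re

# Sample log text copied from the `kubectl logs` output shown above.
SAMPLE_INJECTOR_LOG = """\
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124 1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.504153 1 watcher.go:151] Fetching ConfigMaps...
I1015 14:36:37.508225 1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488 1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508515 1 watcher.go:164] Found 1 InjectionConfigs in sidecar-test
I1015 14:36:37.508521 1 main.go:137] got 1 updated InjectionConfigs from reconciliation
I1015 14:36:37.508525 1 main.go:151] updating server with newly loaded configurations (1 loaded from disk, 1 loaded from k8s api)
I1015 14:36:37.508531 1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
"""

# Assumed log shapes, derived from the sample lines above (this example's own patterns).
LOADED_RE = re.compile(
    r"Loaded InjectionConfig (?P<name>\S+) from ConfigMap (?P<ns>[^:\s]+):(?P<cm>\S+)")
HEALTH_RE = re.compile(r'"GET /health HTTP/[\d.]+" (?P<status>\d{3}) ')


def loaded_injection_configs(log_text):
    """Map each InjectionConfig name the injector reports loading to its (namespace, ConfigMap)."""
    configs = {}
    for line in log_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            configs[m.group("name")] = (m.group("ns"), m.group("cm"))
    return configs


def health_probe_failures(log_text):
    """Count /health probe responses that were not 2xx; a failing webhook stops injection silently."""
    failures = 0
    for line in log_text.splitlines():
        m = HEALTH_RE.search(line)
        if m and not m.group("status").startswith("2"):
            failures += 1
    return failures


def injection_ready(log_text, requested):
    """True when the InjectionConfig named in the pod annotation is loaded, the injector has
    swapped it into its live configuration, and no health probe has failed."""
    return (
        requested in loaded_injection_configs(log_text)
        and "configuration replaced" in log_text
        and health_probe_failures(log_text) == 0
    )


if __name__ == "__main__":
    # Usage: kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector | python3 check_injector.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INJECTOR_LOG
    print("loaded configs:", loaded_injection_configs(text))
    print("ready for kubevscan:", injection_ready(text, "kubevscan"))
```

Running the check once after setup.sh and again whenever the ConfigMap is edited catches the common failure where the InjectionConfig name in the pod annotation and the name loaded by the injector drift apart.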
Deploy the test pod, which carries the sidecar injector annotation injector.tumblr.com/request=kubescan.
$ kubectl create -f kubernetes/debug-pod.yaml
pod/debian-debug created
Check the logs generated by the Trivy sidecar in the /var/log/kubevscan directory.
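Finding scan logs in /var/log/kubevscan confirms the sidecar works for this one pod; across a cluster the question is which annotated pods did not receive a kubevscan-agent container (for example pods admitted before the webhook was healthy), because those are the workloads that are not being scanned at all. The following added example (not part of the kubevscan project) answers that from the JSON that kubectl get pods -o json returns. The pod list embedded here is constructed for the example, the annotation key comes from the deploy step above, and the function names are this example's own.

```python
import json

SIDECAR_NAME = "kubevscan-agent"
REQUEST_ANNOTATION = "injector.tumblr.com/request"

# Constructed sample in the shape of `kubectl get pods -o json`, trimmed to the fields used here:
# one pod was injected, one requested injection but never got the sidecar, one never asked for it.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "debian-debug", "namespace": "default",
                  "annotations": {REQUEST_ANNOTATION: "kubescan"}},
     "spec": {"containers": [{"name": "debian"}, {"name": SIDECAR_NAME}]},
     "status": {"containerStatuses": [{"name": "debian", "ready": True, "restartCount": 0},
                                      {"name": SIDECAR_NAME, "ready": True, "restartCount": 0}]}},
    {"metadata": {"name": "web-1", "namespace": "default",
                  "annotations": {REQUEST_ANNOTATION: "kubescan"}},
     "spec": {"containers": [{"name": "web"}]},
     "status": {"containerStatuses": [{"name": "web", "ready": True, "restartCount": 0}]}},
    {"metadata": {"name": "batch-1", "namespace": "default", "annotations": {}},
     "spec": {"containers": [{"name": "batch"}]},
     "status": {"containerStatuses": [{"name": "batch", "ready": False, "restartCount": 3}]}},
]})


def sidecar_state(pod, sidecar=SIDECAR_NAME):
    """Summarise whether one pod object asked for, received, and is running the scanner sidecar."""
    meta = pod.get("metadata", {})
    annotations = meta.get("annotations") or {}
    containers = [c["name"] for c in pod.get("spec", {}).get("containers", [])]
    statuses = {s["name"]: s for s in pod.get("status", {}).get("containerStatuses", [])}
    st = statuses.get(sidecar)
    return {
        "pod": meta.get("name"),
        "namespace": meta.get("namespace"),
        "requested": REQUEST_ANNOTATION in annotations,
        "injected": sidecar in containers,
        "ready": bool(st and st.get("ready")),
        "restarts": st.get("restartCount", 0) if st else 0,
    }


def sidecar_states(pod_list_text, sidecar=SIDECAR_NAME):
    """Map pod name -> sidecar_state for every pod in a `kubectl get pods -o json` document."""
    items = json.loads(pod_list_text).get("items", [])
    return {s["pod"]: s for s in (sidecar_state(p, sidecar) for p in items)}


def unscanned_pods(pod_list_text, sidecar=SIDECAR_NAME):
    """Names of pods that carry the injection annotation but have no ready scanner sidecar."""
    return sorted(name for name, s in sidecar_states(pod_list_text, sidecar).items()
                  if s["requested"] and not (s["injected"] and s["ready"]))


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 check_sidecars.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for name in unscanned_pods(text):
        print(f"{name}: injection requested but {SIDECAR_NAME} is missing or not ready")
```

A pod that shows up as injected but with a climbing restart count is worth the same attention as a missing sidecar: Trivy needs to reach its vulnerability database, and a crash-looping agent scans nothing.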