Kubernetes security scanner based on the open-source container vulnerability scanner Trivy.

nonstandardlogic/kubevscan

Kubevscan

What is this?

The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster.

The project creates for each pod a vulnerability scanner container based on the open-source project Trivy.

The vulnerability scanner is a sidecar container injected into the pod using the open-source project k8s-sidecar-injector.

The vulnerability scanner sidecar container is kubevscan-agent.

Installation

Set the environment variables defined in the setup.sh script. The variables ORG and DOMAIN are used to generate certs for the sidecar injector. The variables DEPLOYMENT and CLUSTER are used to create the certs directories (for example, DEPLOYMENT=us-east-1 and CLUSTER=PRODUCTION).

ORG=
DOMAIN=
DEPLOYMENT=
CLUSTER=

Run the setup script which installs and configures the sidecar injector into the Kubernetes cluster.

$ ./setup.sh 
Starting to deploy components...

Set required variables in ca.conf csr-prod.conf..
Generating certs..
...

Check the sidecar injector logs.

$ kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124       1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.504153       1 watcher.go:151] Fetching ConfigMaps...
I1015 14:36:37.508225       1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488       1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508515       1 watcher.go:164] Found 1 InjectionConfigs in sidecar-test
I1015 14:36:37.508521       1 main.go:137] got 1 updated InjectionConfigs from reconciliation
I1015 14:36:37.508525       1 main.go:151] updating server with newly loaded configurations (1 loaded from disk, 1 loaded from k8s api)
I1015 14:36:37.508531       1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
...

Quick Start

Deploy the test pod with the sidecar injector annotation injector.tumblr.com/request=kubescan.

$ kubectl create -f kubernetes/debug-pod.yaml
pod/debian-debug created

Check the logs generated by the Trivy sidecar in the /var/log/kubevscan directory.
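The two checks above (that the injector actually loaded the kubevscan InjectionConfig, and that the test pod really received the kubevscan-agent sidecar) are easy to skip and are where a silent failure leaves a pod unscanned. The following script is an added example, not part of the kubevscan or k8s-sidecar-injector projects. It parses injector log lines in the klog format shown in the excerpt above, and inspects a pod object of the shape returned by `kubectl get pod -o json`. The annotation key and the container name kubevscan-agent come from this README; that the agent mounts /var/log/kubevscan as a volumeMount is an assumption, as are the constructed sample pod objects used to exercise the checks.

```python
"""Post-install checks for kubevscan (added example; not project code).

Assumptions not stated in the README: the agent container exposes the Trivy
log directory as a volumeMount at /var/log/kubevscan, and the sample pod
objects below are constructed for illustration.
"""
import json
import re

SIDECAR_NAME = "kubevscan-agent"               # from the README
LOG_DIR = "/var/log/kubevscan"                 # from the README (mount is assumed)
ANNOTATION = "injector.tumblr.com/request"     # annotation key from the README

# klog line shape, e.g.:
# I1015 14:36:37.508488       1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
KLOG_RE = re.compile(r"^([IWEF])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ (\S+:\d+)\] (.*)$")
LOADED_RE = re.compile(r"Loaded InjectionConfig (\S+) from ConfigMap (\S+):(\S+)")


def parse_klog(text):
    """Yield (severity, source, message) for klog lines; access-log lines are skipped."""
    for line in text.splitlines():
        m = KLOG_RE.match(line)
        if m:
            yield m.group(1), m.group(4), m.group(5)


def injection_configs(log_text):
    """Map InjectionConfig name -> (namespace, configmap) for every config the injector loaded."""
    found = {}
    for _sev, _src, msg in parse_klog(log_text):
        m = LOADED_RE.search(msg)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found


def configuration_applied(log_text):
    """True once the injector reports that it swapped in the loaded configuration."""
    return any(msg == "configuration replaced" for _, _, msg in parse_klog(log_text))


def sidecar_problems(pod):
    """Return a list of problems for a pod dict (kubectl get pod -o json); [] means injected as expected."""
    problems = []
    annotations = pod.get("metadata", {}).get("annotations") or {}
    if ANNOTATION not in annotations:
        problems.append(f"missing annotation {ANNOTATION}")
    containers = pod.get("spec", {}).get("containers", [])
    agent = next((c for c in containers if c.get("name") == SIDECAR_NAME), None)
    if agent is None:
        problems.append(f"no {SIDECAR_NAME} container")   # annotation present but injector did not act
        return problems
    mounts = agent.get("volumeMounts") or []
    if not any(m.get("mountPath") == LOG_DIR for m in mounts):
        problems.append(f"{SIDECAR_NAME} does not mount {LOG_DIR}")
    statuses = pod.get("status", {}).get("containerStatuses", [])
    st = next((s for s in statuses if s.get("name") == SIDECAR_NAME), None)
    if st is not None and not st.get("ready"):
        problems.append(f"{SIDECAR_NAME} not ready")
    return problems


def load_pod(text):
    """Parse the JSON printed by `kubectl get pod <name> -o json`."""
    return json.loads(text)


# Log lines as printed by the injector (taken from the excerpt in this README).
INJECTOR_LOG = """\
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.508225       1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488       1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508531       1 main.go:153] configuration replaced
"""

# Constructed sample: pod after a successful injection.
INJECTED_POD = {
    "metadata": {"name": "debian-debug", "annotations": {ANNOTATION: "kubevscan"}},
    "spec": {"containers": [
        {"name": "debian-debug", "image": "debian"},
        {"name": SIDECAR_NAME, "volumeMounts": [{"name": "kubevscan-logs", "mountPath": LOG_DIR}]},
    ]},
    "status": {"containerStatuses": [{"name": SIDECAR_NAME, "ready": True}]},
}

# Constructed sample: annotation present, but the injector never added the sidecar.
PLAIN_POD = {
    "metadata": {"name": "debian-debug", "annotations": {ANNOTATION: "kubevscan"}},
    "spec": {"containers": [{"name": "debian-debug", "image": "debian"}]},
    "status": {"containerStatuses": [{"name": "debian-debug", "ready": True}]},
}

if __name__ == "__main__":
    print("loaded configs:", injection_configs(INJECTOR_LOG))
    print("configuration applied:", configuration_applied(INJECTOR_LOG))
    for label, pod in (("injected", INJECTED_POD), ("plain", PLAIN_POD)):
        print(label, "->", sidecar_problems(pod) or "ok")
```

To run it against a live cluster, pipe `kubectl logs -n kube-system -l k8s-app=k8s-sidecar-injector` into `injection_configs` and `kubectl get pod debian-debug -o json` into `load_pod` followed by `sidecar_problems`; an empty problem list means the pod is being scanned.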
