Kuberneter¶
From version 1.6, KICS calls the Kubernetes API to scan resources deployed in the runtime K8s cluster. The runtime information of the resources is obtained by providing the K8s credentials as environment variables and a kuberneter path to KICS, via -p
flag. The scan happens immediately after this information is obtained. In the end, results are shown as for any other KICS scan.
Configure K8s Credentials¶
For KICS to get the runtime information of your resources, you need to provide your K8s Credentials as environment variables.
Using Config File¶
MacOS and Linux:
export K8S_CONFIG_FILE="<K8S_CONFIG_FILE>"
Windows:
SET K8S_CONFIG_FILE=<K8S_CONFIG_FILE>
Powershell:
$Env:K8S_CONFIG_FILE="<K8S_CONFIG_FILE>"
Using Service Account Token¶
Note that your Service Account Token should have list permissions for the chosen resources. Additionally to that, note that K8S_CA_DATA
and K8S_SA_TOKEN_DATA
should be base64 encoded.
MacOS and Linux:
export K8S_HOST="<K8S_HOST>"
export K8S_CA_FILE="<K8S_CA_FILE>" or export K8S_CA_DATA="K8S_CA_DATA"
export K8S_SA_TOKEN_FILE="K8S_SA_TOKEN_FILE>" or export K8S_SA_TOKEN_DATA="K8S_SA_TOKEN_DATA"
Windows:
SET K8S_HOST=<K8S_HOST>
SET K8S_CA_FILE=<K8S_CA_FILE> or SET K8S_CA_DATA=<K8S_CA_DATA>
SET K8S_SA_TOKEN_FILE=<K8S_SA_TOKEN_FILE> or SET K8S_SA_TOKEN_DATA=<K8S_SA_TOKEN_DATA>
Powershell:
$Env:K8S_HOST="<K8S_HOST>"
$Env:K8S_CA_FILE="<K8S_CA_FILE>" or $Env:K8S_CA_DATA="<K8S_CA_DATA>"
$Env:K8S_CA_FILE="<K8S_SA_TOKEN_FILE>" or $Env:K8S_CA_DATA="<K8S_SA_TOKEN_DATA>"
Using Certificate¶
Note that your "certificate user" should have list permissions for the chosen resources. Additionally to that, note that K8S_CA_DATA
, K8S_CERT_DATA
, and K8S_KEY_DATA
should be base64 encoded.
MacOS and Linux:
export K8S_HOST="<K8S_HOST>"
export K8S_CA_FILE="<K8S_CA_FILE>" or export K8S_CA_DATA="K8S_CA_DATA"
export K8S_CERT_FILE="<K8S_CERT_FILE>" or export K8S_CERT_DATA="K8S_CERT_DATA"
export K8S_KEY_FILE="<K8S_KEY_FILE>" or export K8S_KEY_DATA="K8S_KEY_DATA"
Windows:
SET K8S_HOST=<K8S_HOST>
SET K8S_CA_FILE=<K8S_CA_FILE> or SET K8S_CA_DATA=<K8S_CA_DATA>
SET K8S_CERT_FILE=<K8S_CERT_FILE> or SET K8S_CERT_DATA=<K8S_CERT_DATA>
SET K8S_KEY_FILE=<K8S_KEY_FILE> or SET K8S_KEY_DATA=<K8S_KEY_DATA>
Powershell:
$Env:K8S_HOST="<K8S_HOST>"
$Env:K8S_CA_FILE="<K8S_CA_FILE>" or $Env:K8S_CA_DATA="<K8S_CA_DATA>"
$Env:K8S_CERT_FILE="<K8S_CERT_FILE>" or $Env:K8S_CERT_DATA="<K8S_CERT_DATA>"
$Env:K8S_KEY_FILE="<K8S_KEY_FILE>" or $Env:K8S_KEY_DATA="<K8S_KEY_DATA>"
KICS Kuberneter Path Syntax¶
kuberneter::{namespaces}:{apiVersions}:{kinds}
To import all the namespaces, apiVersions, or kinds, please use: *
. For example, kuberneter::*:*:*
.
To specify the namespaces, apiVersions, or kinds, please use: separator +
. For example,kuberneter::*:apps/v1+v1:ServiceAccount
.
The API Versions and their respective kinds (both case sensitive) are listed below:
API Versions | Kinds |
---|---|
apps/v1 | DaemonSet Deployment ReplicaSet StatefulSet |
core/v1 | LimitRange Pod PersistentVolume PersistentVolumeClaim ReplicationController ResourceQuota Secret ServiceAccount Service |
batch/v1 | CronJob Job |
networking.k8s.io/v1 | IngressClass Ingress NetworkPolicy |
policy/v1 | PodDisruptionBudget |
rbac.authorization.k8s.io/v1 | ClusterRoleBinding ClusterRole RoleBinding Role |
apps/v1beta1 | Deployment StatefulSet |
apps/v1beta2 | DaemonSet Deployment ReplicaSet S tatefulSet |
batch/v1beta1 | CronJob |
networking.k8s.io/v1beta1 | IngressClass Ingress |
policy/v1beta1 | PodDisruptionBudget PodSecurityPolicy |
rbac.authorization.k8s.io/v1alpha1 | ClusterRoleBinding ClusterRole RoleBinding Role |
rbac.authorization.k8s.io/v1beta1 | ClusterRoleBinding ClusterRole RoleBinding Role |
Running KICS to scan runtime K8s cluster¶
When running KICS using a kuberneter path, the resources are imported using the credentials set as environment variables in Kubernetes format to the current working directory in a new folder named kics-extract-kuberneter
following the above-described structure.
KICS will then run a scan on these local files.
If the flag -o, --output-path
is passed, the folder kics-extract-kuberneter
will be generated in the reports directory instead.
Imported Resources tree structure:¶
▾ kics-extract-kuberneter/
▾ {apiGroup}/
▾ {apiVersion}/
▾ {kind}.yaml
Run KICS to scan runtime K8s cluster with Docker¶
To run KICS Kuberneter with Docker, you can simply pass the K8s Credentials that were set as environment variables to the docker run command and use the kuberneter path syntax
Examples:
Using Config File¶
docker run -v <credentials_path>:/credentials -v ${PWD}:/path/ -e K8S_CONFIG_FILE=/credentials/<config-file-name> checkmarx/kics:latest scan -p "kuberneter::*:*:*" -v --no-progress -o /path/results
Using Service Account Token¶
docker run -v ${PWD}:/path/ -e K8S_HOST -e K8S_CA_DATA -e K8S_SA_TOKEN_DATA kuberneter scan -p "kuberneter::*:*:*" -v --no-progress -o /path/results
Using Certificate¶
docker run -v ${PWD}:/path/ -e K8S_HOST -e K8S_CA_DATA -e K8S_SA_TOKEN_DATA kuberneter scan -p "kuberneter::*:*:*" -v --no-progress -o /path/results
Using Certificate¶
docker run -v ${PWD}:/path/ -e K8S_HOST -e K8S_CA_DATA -e K8S_CERT_DATA -e K8S_KEY_DATA checkmarx/kics:latest scan -p "kuberneter::*:*:*" -v --no-progress -o /path/results