https://github.com/nonstandardlogic/kubevscan

Kubernetes security scanner based on the open-source container vulnerability scanner Trivy.

README

# Kubevscan

## What is this?

The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster.

For each pod, the project creates a vulnerability scanner container based on the open-source project [Trivy](https://github.com/aquasecurity/trivy).

The vulnerability scanner is a sidecar container injected into the pod using the open-source project [k8s-sidecar-injector](https://github.com/tumblr/k8s-sidecar-injector).

The vulnerability scanner sidecar container is [kubevscan-agent](https://github.com/nonstandardlogic/kubevscan-agent).

## Installation

Set the environment variables defined in the *setup.sh* script.
The variables *ORG* and *DOMAIN* are used to generate [certs](https://github.com/tumblr/k8s-sidecar-injector/blob/master/docs/tls.md) for the sidecar injector.
The variables *DEPLOYMENT* and *CLUSTER* are used to create the certs directories (for example DEPLOYMENT=us-east-1 and CLUSTER=PRODUCTION).

```sh
ORG=
DOMAIN=
DEPLOYMENT=
CLUSTER=
```

Run the setup script which installs and configures the sidecar injector into the Kubernetes cluster.

```console
$ ./setup.sh
Starting to deploy components...

Set required variables in ca.conf csr-prod.conf..
Generating certs..
...
```

Check the sidecar injector logs.

```console
$ kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124 1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.504153 1 watcher.go:151] Fetching ConfigMaps...
I1015 14:36:37.508225 1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488 1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508515 1 watcher.go:164] Found 1 InjectionConfigs in sidecar-test
I1015 14:36:37.508521 1 main.go:137] got 1 updated InjectionConfigs from reconciliation
I1015 14:36:37.508525 1 main.go:151] updating server with newly loaded configurations (1 loaded from disk, 1 loaded from k8s api)
I1015 14:36:37.508531 1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
...
```

## Quick Start

Deploy the test pod, which carries the sidecar injector annotation *injector.tumblr.com/request=kubescan*.

```console
$ kubectl create -f kubernetes/debug-pod.yaml
pod/debian-debug created
```

Check the logs generated by the Trivy sidecar in the */var/log/kubevscan* directory.
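As an added example (not part of the kubevscan project), a small Python parser for the injector log shown in the Installation section turns the `kubectl logs` output into a readiness check before a pod is deployed: it confirms that the InjectionConfig named by a pod's `injector.tumblr.com/request` annotation was loaded from its ConfigMap, that the server applied it, and that no errors or failed health probes were logged. The klog and access-log line formats are assumed from the sample above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the injector log lines quoted above (klog "I<MMDD> <time> <pid> <file>:<line>]" plus /health access-log lines).
SAMPLE_LOG = """\
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124 1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.508488 1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508531 1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
"""

KLOG_RE = re.compile(r"^(?P<level>[IWEF])\d{4} \d{2}:\d{2}:\d{2}\.\d+ +\d+ [\w./-]+:\d+\] (?P<msg>.*)$")
ACCESS_RE = re.compile(r'^\S+ - - \[[^\]]+\] "\w+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOADED_RE = re.compile(r"^Loaded InjectionConfig (?P<name>\S+) from ConfigMap (?P<ns>[^:]+):(?P<cm>\S+)$")

@dataclass
class InjectorStatus:
    loaded: dict = field(default_factory=dict)  # InjectionConfig name -> (namespace, ConfigMap)
    configuration_replaced: bool = False        # server swapped in the reconciled configs
    health_failures: int = 0                    # /health probes that did not return 200
    errors: list = field(default_factory=list)  # messages logged at klog level E or F

def parse_injector_log(text: str) -> InjectorStatus:
    st = InjectorStatus()
    for line in text.splitlines():
        line = line.strip()
        m = ACCESS_RE.match(line)
        if m:  # kube-probe access-log line
            if m.group("path") == "/health" and m.group("status") != "200":
                st.health_failures += 1
            continue
        m = KLOG_RE.match(line)
        if not m:
            continue  # blank lines, "..." and anything not in klog format
        msg = m.group("msg")
        if m.group("level") in "EF":
            st.errors.append(msg)
        lm = LOADED_RE.match(msg)
        if lm:
            st.loaded[lm.group("name")] = (lm.group("ns"), lm.group("cm"))
        elif msg == "configuration replaced":
            st.configuration_replaced = True
    return st

def injection_ready(st: InjectorStatus, request: str) -> bool:
    """True only if the config a pod's injector.tumblr.com/request annotation names was
    loaded and applied, and the injector logged no errors or failed health probes."""
    return (request in st.loaded and st.configuration_replaced
            and st.health_failures == 0 and not st.errors)
```

Pipe the real `kubectl logs` output into `parse_injector_log` and call `injection_ready` with the value of the pod's annotation; a mismatch between the annotation value and the loaded InjectionConfig name means the sidecar will not be injected.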