Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nonstandardlogic/kubevscan
Kubernetes security scanner based on the open-source container vulnerability scanner Trivy.
- Host: GitHub
- URL: https://github.com/nonstandardlogic/kubevscan
- Owner: nonstandardlogic
- License: apache-2.0
- Created: 2020-10-15T10:06:17.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2020-11-04T13:21:19.000Z (almost 4 years ago)
- Last Synced: 2024-07-04T09:25:16.844Z (2 months ago)
- Language: Ruby
- Homepage:
- Size: 68.4 KB
- Stars: 23
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Kubevscan
## What is this?
The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster.
For each pod, the project creates a vulnerability scanner container based on the open-source project [Trivy](https://github.com/aquasecurity/trivy).
The vulnerability scanner is a sidecar container injected into the pod using the open-source project [k8s-sidecar-injector](https://github.com/tumblr/k8s-sidecar-injector).
The vulnerability scanner sidecar container is [kubevscan-agent](https://github.com/nonstandardlogic/kubevscan-agent).
## Installation
Set the environment variables defined in the *setup.sh* script.
The variables *ORG* and *DOMAIN* are used to generate [certs](https://github.com/tumblr/k8s-sidecar-injector/blob/master/docs/tls.md) for the sidecar injector.
The variables *DEPLOYMENT* and *CLUSTER* are used to create the certs directories (for example, DEPLOYMENT=us-east-1 and CLUSTER=PRODUCTION).

```
ORG=
DOMAIN=
DEPLOYMENT=
CLUSTER=
```

Run the setup script, which installs and configures the sidecar injector in the Kubernetes cluster.

```
$ ./setup.sh
Starting to deploy components...
Set required variables in ca.conf csr-prod.conf..
Generating certs..
...
```

Check the sidecar injector logs.
```
$ kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124 1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.504153 1 watcher.go:151] Fetching ConfigMaps...
I1015 14:36:37.508225 1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488 1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508515 1 watcher.go:164] Found 1 InjectionConfigs in sidecar-test
I1015 14:36:37.508521 1 main.go:137] got 1 updated InjectionConfigs from reconciliation
I1015 14:36:37.508525 1 main.go:151] updating server with newly loaded configurations (1 loaded from disk, 1 loaded from k8s api)
I1015 14:36:37.508531 1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
...
```

## Quick Start
Deploy the test pod with the sidecar injector annotation *injector.tumblr.com/request=kubescan*.

```
$ kubectl create -f kubernetes/debug-pod.yaml
pod/debian-debug created
```

Check the logs generated by the Trivy sidecar in the */var/log/kubevscan* directory.
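Added example, not part of kubevscan or its setup script: a pre-flight check an operator could run around the installation steps above, confirming that the four variables setup.sh needs are set and that the injector log shows the kubevscan InjectionConfig loaded and the configuration replaced. The function names are this example's own, and the sample log lines are constructed from the injector output shown above.

```shell
#!/bin/sh
# Example helper (not shipped with kubevscan): checks around setup.sh and the
# k8s-sidecar-injector log output described in the README.

# Return 0 if ORG, DOMAIN, DEPLOYMENT and CLUSTER are all non-empty;
# otherwise list the missing names on stderr and return 1.
check_setup_vars() {
  missing=""
  for name in ORG DOMAIN DEPLOYMENT CLUSTER; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "setup.sh: unset variables:$missing" >&2
    return 1
  fi
  return 0
}

# Read injector log text from stdin. Return 0 only when the named
# InjectionConfig was loaded from a ConfigMap AND the server then reported
# "configuration replaced". A loaded config without the replacement line
# means the webhook may still be serving its previous config (return 2);
# no matching config at all returns 1.
injector_ready() {
  config="${1:-kubevscan}"
  log=$(cat)
  printf '%s\n' "$log" | grep -q "Loaded InjectionConfig $config from ConfigMap" || return 1
  printf '%s\n' "$log" | grep -q "configuration replaced" || return 2
  return 0
}

# Constructed sample, copied from the injector log lines in the README.
SAMPLE_LOG='I1015 14:36:37.508488 1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508531 1 main.go:153] configuration replaced'

# Typical use against a live cluster (commented out so the script runs offline):
# kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector | injector_ready kubevscan
```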