Kubevscan

What is this?

The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster.

For each pod, the project creates a vulnerability scanner container based on the open-source project Trivy.

The vulnerability scanner is a sidecar container injected into the pod using the open-source project k8s-sidecar-injector.

The vulnerability scanner sidecar container is kubevscan-agent.

Installation

Set the environment variables defined in the setup.sh script. The variables ORG and DOMAIN are used to generate certs for the sidecar injector. The variables DEPLOYMENT and CLUSTER are used to create the certs directories (for example DEPLOYMENT=us-east-1 and CLUSTER=PRODUCTION).

ORG=
DOMAIN=
DEPLOYMENT=
CLUSTER=

Run the setup script which installs and configures the sidecar injector into the Kubernetes cluster.

$ ./setup.sh
Starting to deploy components...

Set required variables in ca.conf csr-prod.conf..
Generating certs..
...

Check the sidecar injector logs.

$ kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124       1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.504153       1 watcher.go:151] Fetching ConfigMaps...
I1015 14:36:37.508225       1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488       1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508515       1 watcher.go:164] Found 1 InjectionConfigs in sidecar-test
I1015 14:36:37.508521       1 main.go:137] got 1 updated InjectionConfigs from reconciliation
I1015 14:36:37.508525       1 main.go:151] updating server with newly loaded configurations (1 loaded from disk, 1 loaded from k8s api)
I1015 14:36:37.508531       1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
...

Quick Start

Deploy the test pod, which carries the sidecar injector annotation injector.tumblr.com/request=kubescan.

$ kubectl create -f kubernetes/debug-pod.yaml
pod/debian-debug created

Check the logs generated by the Trivy sidecar in the /var/log/kubevscan directory.
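After the Quick Start, a practitioner will want to confirm that the injector actually added the scanner sidecar to every pod that requested it, since a pod whose webhook call failed silently stays unscanned. The script below is an added example, not part of the Kubevscan project: it reads pod JSON in the shape `kubectl get pods -A -o json` produces (a constructed sample is embedded so it runs offline) and reports pods that carry the injector.tumblr.com/request annotation but have no container named kubevscan-agent (that container name is an assumption).

```python
import json
import sys

ANNOTATION = "injector.tumblr.com/request"  # annotation key used by the sidecar injector
SIDECAR_NAME = "kubevscan-agent"            # assumed name of the injected scanner container

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {   # requested injection and received the sidecar: no finding
            "metadata": {"name": "debian-debug", "namespace": "default",
                         "annotations": {ANNOTATION: "kubescan"}},
            "spec": {"containers": [{"name": "debian", "image": "debian:11"},
                                    {"name": SIDECAR_NAME, "image": "kubevscan-agent:latest"}]},
        },
        {   # requested injection but the sidecar never arrived: finding
            "metadata": {"name": "web", "namespace": "shop",
                         "annotations": {ANNOTATION: "kubescan"}},
            "spec": {"containers": [{"name": "web", "image": "nginx:1.19"}]},
        },
        {   # never opted in (no annotation at all): not a finding
            "metadata": {"name": "coredns", "namespace": "kube-system"},
            "spec": {"containers": [{"name": "coredns", "image": "coredns:1.7"}]},
        },
    ]
})


def unscanned_pods(pod_list_json: str) -> list:
    """Return 'namespace/name' for every pod that requested injection but lacks the sidecar."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}   # kubectl emits null when there are none
        if ANNOTATION not in annotations:
            continue  # pod never asked to be scanned
        names = {c.get("name") for c in pod.get("spec", {}).get("containers", [])}
        if SIDECAR_NAME not in names:
            findings.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return findings


if __name__ == "__main__":
    # `kubectl get pods -A -o json | python3 check_sidecars.py --stdin`; otherwise use the sample.
    data = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_POD_LIST
    for pod in unscanned_pods(data):
        print(f"missing {SIDECAR_NAME} sidecar: {pod}")
```

A non-empty result after the injector reports "configuration replaced" usually means the pod was created before the webhook was ready or in a namespace the InjectionConfig does not cover.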

About

Kubernetes security scanner based on the open-source container vulnerability scanner Trivy.
