docs(kubernetes): add Kubernetes documentation (#3482)
sergargar authored Mar 13, 2024
1 parent 58ee45b commit d6b2b0c
Showing 6 changed files with 163 additions and 18 deletions.
23 changes: 21 additions & 2 deletions README.md
Expand Up @@ -50,7 +50,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
| AWS | 302 | 61 -> `prowler aws --list-services` | 27 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` |
| GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
| Azure | 91 | 14 -> `prowler azure --list-services` | CIS soon | 2 -> `prowler azure --list-categories` |
| Kubernetes | Work In Progress | - | CIS soon | - |
| Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | CIS soon | 7 -> `prowler kubernetes --list-categories` |

# 📖 Documentation

Expand Down Expand Up @@ -99,7 +99,7 @@ python prowler.py -v

You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.

![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/080261d9-773d-4af1-af79-217a273e3176)
![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/710f0def-6e3e-4b3e-b8fa-4b3e7db1ed9f)

# 📝 Requirements

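Review bot: the context sentence "You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9" still lists only AWS execution environments while the architecture image is being swapped for the Kubernetes release; add the in-cluster Job (the `job.yaml` in this commit) to that list so the prose matches the new diagram.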
Expand Down Expand Up @@ -273,6 +273,25 @@ prowler gcp --credentials-file path
```
> By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.
## Kubernetes

For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument:

```console
prowler kubernetes --kubeconfig-file path
```

For in-cluster execution, you can use the supplied yaml to run Prowler as a job:
```console
kubectl apply -f job.yaml
kubectl apply -f prowler-role.yaml
kubectl apply -f prowler-rolebinding.yaml
kubectl get pods --> prowler-XXXXX
kubectl logs prowler-XXXXX
```

> By default, `prowler` will scan all namespaces in your active Kubernetes context, use flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned.
# 📃 License

Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at
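Review bot: the in-cluster example applies `job.yaml` before `prowler-role.yaml` and `prowler-rolebinding.yaml`; since the Job's pod uses `restartPolicy: Never` (see `job.yaml` in this commit), a pod that starts before the RoleBinding exists will have its API calls rejected and will not be retried, so apply the Role and RoleBinding first and the Job last. In the same block, `kubectl get pods --> prowler-XXXXX` is not a runnable command; the Job template carries the label `app: prowler`, so the last two lines can be `kubectl get pods -l app=prowler` and `kubectl logs job/prowler`. Also, `prowler-role.yaml` and `prowler-rolebinding.yaml` are referenced but are not among the 6 files changed in this commit; either add them here or link to where they live. Minor: add a blank line before the ```console fence after "as a job:" and before the "# 📃 License" heading so the fence and heading render correctly, and "non in-cluster" reads better as "out-of-cluster".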
37 changes: 30 additions & 7 deletions docs/index.md
Expand Up @@ -15,7 +15,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

* `Python >= 3.9`
* `Python pip >= 3.9`
* AWS, GCP and/or Azure credentials
* AWS, GCP, Azure and/or Kubernetes credentials

_Commands_:

Expand All @@ -29,7 +29,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
_Requirements_:

* Have `docker` installed: https://docs.docker.com/get-docker/.
* AWS, GCP and/or Azure credentials
* AWS, GCP, Azure and/or Kubernetes credentials
* In the command below, change `-v` to your local directory path in order to access the reports.

_Commands_:
Expand All @@ -46,7 +46,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

_Requirements for Ubuntu 20.04.3 LTS_:

* AWS, GCP and/or Azure credentials
* AWS, GCP, Azure and/or Kubernetes credentials
* Install python 3.9 with: `sudo apt-get install python3.9`
* Remove python 3.8 to avoid conflicts if you can: `sudo apt-get remove python3.8`
* Make sure you have the python3 distutils package installed: `sudo apt-get install python3-distutils`
Expand All @@ -66,7 +66,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

_Requirements for Developers_:

* AWS, GCP and/or Azure credentials
* AWS, GCP, Azure and/or Kubernetes credentials
* `git`, `Python >= 3.9`, `pip` and `poetry` installed (`pip install poetry`)

_Commands_:
Expand All @@ -83,7 +83,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),

_Requirements_:

* AWS, GCP and/or Azure credentials
* AWS, GCP, Azure and/or Kubernetes credentials
* Latest Amazon Linux 2 should come with Python 3.9 already installed however it may need pip. Install Python pip 3.9 with: `sudo yum install -y python3-pip`.
* Make sure setuptools for python is already installed with: `pip3 install setuptools`

Expand All @@ -100,7 +100,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
_Requirements_:

* `Brew` installed in your Mac or Linux
* AWS, GCP and/or Azure credentials
* AWS, GCP, Azure and/or Kubernetes credentials

_Commands_:

Expand Down Expand Up @@ -160,7 +160,7 @@ You can run Prowler from your workstation, an EC2 instance, Fargate or any other
![Architecture](img/architecture.png)
## Basic Usage

To run Prowler, you will need to specify the provider (e.g `aws`, `gcp` or `azure`):
To run Prowler, you will need to specify the provider (e.g `aws`, `gcp`, `azure` or `kubernetes`):

???+ note
If no provider specified, AWS will be used for backward compatibility with most of v2 options.
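Review bot: "e.g `aws`, `gcp`, `azure` or `kubernetes`" is missing the period after "e.g."; the provider list itself is correct. The context line "If no provider specified" would also read better as "If no provider is specified" if this note is being touched anyway.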
Expand Down Expand Up @@ -197,6 +197,7 @@ For executing specific checks or services you can use options `-c`/`checks` or `
prowler azure --checks storage_blob_public_access_level_is_disabled
prowler aws --services s3 ec2
prowler gcp --services iam compute
prowler kubernetes --services etcd apiserver
```

Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
Expand All @@ -205,6 +206,7 @@ Also, checks and services can be excluded with options `-e`/`--excluded-checks`
prowler aws --excluded-checks s3_bucket_public_access
prowler azure --excluded-services defender iam
prowler gcp --excluded-services kms
prowler kubernetes --excluded-services controllermanager
```

More options and executions methods that will save your time in [Miscellaneous](tutorials/misc.md).
Expand Down Expand Up @@ -275,5 +277,26 @@ prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>

See more details about GCP Authentication in [Requirements](getting-started/requirements.md)

## Kubernetes

Prowler allows you to scan your Kubernetes Cluster either from within the cluster or from outside the cluster.

For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument:

```console
prowler kubernetes --kubeconfig-file path
```

For in-cluster execution, you can use the supplied yaml to run Prowler as a job:
```console
kubectl apply -f job.yaml
kubectl apply -f prowler-role.yaml
kubectl apply -f prowler-rolebinding.yaml
kubectl get pods --> prowler-XXXXX
kubectl logs prowler-XXXXX
```

> By default, `prowler` will scan all namespaces in your active Kubernetes context, use flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned.
## Prowler v2 Documentation
For **Prowler v2 Documentation**, please check it out [here](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md).
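Review bot: this section repeats the README Kubernetes text verbatim, including the same ordering problem (Job applied before Role and RoleBinding) and the non-runnable `kubectl get pods --> prowler-XXXXX` line; apply the same fixes here, or keep the detailed instructions in one place and link to it. In addition, the blockquote starting "> By default, `prowler` will scan all namespaces" runs straight into "## Prowler v2 Documentation" with no blank line between them, so the heading may be folded into the quote. Consider showing an example invocation with `--context` and `--namespaces`, the way the GCP section above shows `--project-ids`, rather than only describing the flags in prose.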
15 changes: 14 additions & 1 deletion docs/tutorials/configuration_file.md
Expand Up @@ -41,7 +41,7 @@ The following list includes all the Azure checks with configurable variables tha

| Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `network_public_ip_shodan` | `shodan_api_key` | String |
| `network_public_ip_shodan` | `shodan_api_key` | String |
| `app_ensure_php_version_is_latest` | `php_latest_version` | String |
| `app_ensure_python_version_is_latest` | `python_latest_version` | String |
| `app_ensure_java_version_is_latest` | `java_latest_version` | String |
Expand All @@ -51,6 +51,19 @@ The following list includes all the Azure checks with configurable variables tha

### Configurable Checks

## Kubernetes

### Configurable Checks
The following list includes all the Azure checks with configurable variables that can be changed in the configuration yaml file:

| Check Name | Value | Type |
|---------------------------------------------------------------|--------------------------------------------------|-----------------|
| `audit_log_maxbackup` | `audit_log_maxbackup` | String |
| `audit_log_maxsize` | `audit_log_maxsize` | String |
| `audit_log_maxage` | `audit_log_maxage` | String |
| `apiserver_strong_ciphers` | `apiserver_strong_ciphers` | String |
| `kubelet_strong_ciphers_only` | `kubelet_strong_ciphers` | String |

## Config YAML File Structure

???+ note
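Review bot: the intro sentence under "## Kubernetes" / "### Configurable Checks" says "all the Azure checks" but the table lists Kubernetes checks; change "Azure" to "Kubernetes". Every other row uses the same name for the check and its value, while `kubelet_strong_ciphers_only` maps to `kubelet_strong_ciphers`; confirm that is the key the check actually reads so the docs do not point users at a key that is ignored. The Type column says "String" for all five rows; if the cipher settings accept several ciphers or the audit log thresholds are numeric, state the expected YAML format. Also check that the Azure "### Configurable Checks" heading immediately above the new "## Kubernetes" heading is not left with no content under it.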
4 changes: 4 additions & 0 deletions docs/tutorials/custom-checks-metadata.md
Expand Up @@ -31,6 +31,10 @@ CustomChecksMetadata:
Checks:
compute_instance_public_ip:
Severity: critical
kubernetes:
Checks:
apiserver_anonymous_requests:
Severity: low
```
## Usage
5 changes: 5 additions & 0 deletions docs/tutorials/reporting.md
Expand Up @@ -106,6 +106,11 @@ And then by the provider specific columns:
- RESOURCE_ID
- RESOURCE_NAME

#### KUBERNETES

- NAMESPACE
- RESOURCE_ID
- RESOURCE_NAME

???+ note
Since Prowler v3 the CSV column delimiter is the semicolon (`;`)
97 changes: 89 additions & 8 deletions job.yaml
@@ -1,11 +1,92 @@
apiVersion: v1
kind: Pod
apiVersion: batch/v1
kind: Job
metadata:
name: prowler
spec:
containers:
- name: prowler
image: docker.io/prowler/kubernetes
command: ["prowler"]
args: ["kubernetes"]
imagePullPolicy: Never
template:
metadata:
labels:
app: prowler
spec:
containers:
- name: prowler
image: docker.io/prowler/kubernetes
command: ["prowler"]
args: ["kubernetes", "-z"]
imagePullPolicy: Never
volumeMounts:
- name: var-lib-cni
mountPath: /var/lib/cni
readOnly: true
- mountPath: /var/lib/etcd
name: var-lib-etcd
readOnly: true
- mountPath: /var/lib/kubelet
name: var-lib-kubelet
readOnly: true
- mountPath: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
readOnly: true
- mountPath: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
readOnly: true
- mountPath: /etc/systemd
name: etc-systemd
readOnly: true
- mountPath: /lib/systemd/
name: lib-systemd
readOnly: true
- mountPath: /srv/kubernetes/
name: srv-kubernetes
readOnly: true
- mountPath: /etc/kubernetes
name: etc-kubernetes
readOnly: true
- mountPath: /usr/local/mount-from-host/bin
name: usr-bin
readOnly: true
- mountPath: /etc/cni/net.d/
name: etc-cni-netd
readOnly: true
- mountPath: /opt/cni/bin/
name: opt-cni-bin
readOnly: true
hostPID: true
restartPolicy: Never
volumes:
- name: var-lib-cni
hostPath:
path: /var/lib/cni
- hostPath:
path: /var/lib/etcd
name: var-lib-etcd
- hostPath:
path: /var/lib/kubelet
name: var-lib-kubelet
- hostPath:
path: /var/lib/kube-scheduler
name: var-lib-kube-scheduler
- hostPath:
path: /var/lib/kube-controller-manager
name: var-lib-kube-controller-manager
- hostPath:
path: /etc/systemd
name: etc-systemd
- hostPath:
path: /lib/systemd
name: lib-systemd
- hostPath:
path: /srv/kubernetes
name: srv-kubernetes
- hostPath:
path: /etc/kubernetes
name: etc-kubernetes
- hostPath:
path: /usr/bin
name: usr-bin
- hostPath:
path: /etc/cni/net.d/
name: etc-cni-netd
- hostPath:
path: /opt/cni/bin/
name: opt-cni-bin
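Review bot: the Job sets `hostPID: true` and mounts `/var/lib/etcd`, `/var/lib/kubelet`, `/etc/kubernetes`, `/srv/kubernetes` and the host `/usr/bin` from the node with no comment saying why; that combination exposes etcd data, kubelet configuration and static-pod manifests to the pod, so add a YAML comment stating these mounts exist for the file-based CIS node and control-plane checks, and pin the Job to the nodes that have those paths with a `nodeSelector` and matching `tolerations` instead of leaving scheduling unconstrained. Related points in this hunk: no `serviceAccountName` is set, so the RoleBinding the README tells users to apply must target the namespace's `default` service account or the API-based checks will be unauthorized; `imagePullPolicy: Never` yields `ErrImageNeverPull` on any node that does not already have `docker.io/prowler/kubernetes` loaded, so `IfNotPresent` is the safer default for a documented manifest; no `backoffLimit` is set, and the default of 6 combined with `restartPolicy: Never` can leave several failed pods behind on a misconfiguration; and since every mount is already `readOnly: true`, declare the remaining hardening explicitly with a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`, drop all capabilities).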
