From d6b2b0ca1369a2dd50f4822fea31344a082ab854 Mon Sep 17 00:00:00 2001 From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Wed, 13 Mar 2024 15:37:49 +0100 Subject: [PATCH] docs(kubernetes): add Kubernetes documentation (#3482) --- README.md | 23 +++++- docs/index.md | 37 +++++++-- docs/tutorials/configuration_file.md | 15 +++- docs/tutorials/custom-checks-metadata.md | 4 + docs/tutorials/reporting.md | 5 ++ job.yaml | 97 ++++++++++++++++++++++-- 6 files changed, 163 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index a4cb0a8fa7..678314d97b 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe | AWS | 302 | 61 -> `prowler aws --list-services` | 27 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` | | GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`| | Azure | 91 | 14 -> `prowler azure --list-services` | CIS soon | 2 -> `prowler azure --list-categories` | -| Kubernetes | Work In Progress | - | CIS soon | - | +| Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | CIS soon | 7 -> `prowler kubernetes --list-categories` | # 📖 Documentation @@ -99,7 +99,7 @@ python prowler.py -v You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9. -![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/080261d9-773d-4af1-af79-217a273e3176) +![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/710f0def-6e3e-4b3e-b8fa-4b3e7db1ed9f) # 📝 Requirements 
@@ -273,6 +273,25 @@ prowler gcp --credentials-file path ``` > By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned. +## Kubernetes + +For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument: + +```console +prowler kubernetes --kubeconfig-file path +``` + +For in-cluster execution, you can use the supplied yaml to run Prowler as a job: +```console +kubectl apply -f job.yaml +kubectl apply -f prowler-role.yaml +kubectl apply -f prowler-rolebinding.yaml +kubectl get pods --> prowler-XXXXX +kubectl logs prowler-XXXXX +``` + +> By default, `prowler` will scan all namespaces in your active Kubernetes context, use flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned. + # 📃 License Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at diff --git a/docs/index.md b/docs/index.md index 9ee78d1030..6af61d7e6b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -15,7 +15,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), * `Python >= 3.9` * `Python pip >= 3.9` - * AWS, GCP and/or Azure credentials + * AWS, GCP, Azure and/or Kubernetes credentials _Commands_: @@ -29,7 +29,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), _Requirements_: * Have `docker` installed: https://docs.docker.com/get-docker/. - * AWS, GCP and/or Azure credentials + * AWS, GCP, Azure and/or Kubernetes credentials * In the command below, change `-v` to your local directory path in order to access the reports. _Commands_: 
@@ -46,7 +46,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), _Requirements for Ubuntu 20.04.3 LTS_: - * AWS, GCP and/or Azure credentials + * AWS, GCP, Azure and/or Kubernetes credentials * Install python 3.9 with: `sudo apt-get install python3.9` * Remove python 3.8 to avoid conflicts if you can: `sudo apt-get remove python3.8` * Make sure you have the python3 distutils package installed: `sudo apt-get install python3-distutils` @@ -66,7 +66,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), _Requirements for Developers_: - * AWS, GCP and/or Azure credentials + * AWS, GCP, Azure and/or Kubernetes credentials * `git`, `Python >= 3.9`, `pip` and `poetry` installed (`pip install poetry`) _Commands_: @@ -83,7 +83,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), _Requirements_: - * AWS, GCP and/or Azure credentials + * AWS, GCP, Azure and/or Kubernetes credentials * Latest Amazon Linux 2 should come with Python 3.9 already installed however it may need pip. Install Python pip 3.9 with: `sudo yum install -y python3-pip`. * Make sure setuptools for python is already installed with: `pip3 install setuptools` @@ -100,7 +100,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/), _Requirements_: * `Brew` installed in your Mac or Linux - * AWS, GCP and/or Azure credentials + * AWS, GCP, Azure and/or Kubernetes credentials _Commands_: @@ -160,7 +160,7 @@ You can run Prowler from your workstation, an EC2 instance, Fargate or any other ![Architecture](img/architecture.png) ## Basic Usage -To run Prowler, you will need to specify the provider (e.g `aws`, `gcp` or `azure`): +To run Prowler, you will need to specify the provider (e.g `aws`, `gcp`, `azure` or `kubernetes`): ???+ note If no provider specified, AWS will be used for backward compatibility with most of v2 options. 
@@ -197,6 +197,7 @@ For executing specific checks or services you can use options `-c`/`checks` or ` prowler azure --checks storage_blob_public_access_level_is_disabled prowler aws --services s3 ec2 prowler gcp --services iam compute +prowler kubernetes --services etcd apiserver ``` Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`: @@ -205,6 +206,7 @@ Also, checks and services can be excluded with options `-e`/`--excluded-checks` prowler aws --excluded-checks s3_bucket_public_access prowler azure --excluded-services defender iam prowler gcp --excluded-services kms +prowler kubernetes --excluded-services controllermanager ``` More options and executions methods that will save your time in [Miscellaneous](tutorials/misc.md). @@ -275,5 +277,26 @@ prowler gcp --project-ids ... See more details about GCP Authentication in [Requirements](getting-started/requirements.md) +## Kubernetes + +Prowler allows you to scan your Kubernetes Cluster either from within the cluster or from outside the cluster. + +For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument: + +```console +prowler kubernetes --kubeconfig-file path +``` + +For in-cluster execution, you can use the supplied yaml to run Prowler as a job: +```console +kubectl apply -f job.yaml +kubectl apply -f prowler-role.yaml +kubectl apply -f prowler-rolebinding.yaml +kubectl get pods --> prowler-XXXXX +kubectl logs prowler-XXXXX +``` + +> By default, `prowler` will scan all namespaces in your active Kubernetes context, use flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned. + ## Prowler v2 Documentation For **Prowler v2 Documentation**, please check it out [here](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md). 
diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md index 3c7dac1c07..478675345b 100644 --- a/docs/tutorials/configuration_file.md +++ b/docs/tutorials/configuration_file.md @@ -41,7 +41,7 @@ The following list includes all the Azure checks with configurable variables tha | Check Name | Value | Type | |---------------------------------------------------------------|--------------------------------------------------|-----------------| -| `network_public_ip_shodan` | `shodan_api_key` | String | +| `network_public_ip_shodan` | `shodan_api_key` | String | | `app_ensure_php_version_is_latest` | `php_latest_version` | String | | `app_ensure_python_version_is_latest` | `python_latest_version` | String | | `app_ensure_java_version_is_latest` | `java_latest_version` | String | @@ -51,6 +51,19 @@ The following list includes all the Azure checks with configurable variables tha ### Configurable Checks +## Kubernetes + +### Configurable Checks +The following list includes all the Azure checks with configurable variables that can be changed in the configuration yaml file: + +| Check Name | Value | Type | +|---------------------------------------------------------------|--------------------------------------------------|-----------------| +| `audit_log_maxbackup` | `audit_log_maxbackup` | String | +| `audit_log_maxsize` | `audit_log_maxsize` | String | +| `audit_log_maxage` | `audit_log_maxage` | String | +| `apiserver_strong_ciphers` | `apiserver_strong_ciphers` | String | +| `kubelet_strong_ciphers_only` | `kubelet_strong_ciphers` | String | + ## Config YAML File Structure ???+ note diff --git a/docs/tutorials/custom-checks-metadata.md b/docs/tutorials/custom-checks-metadata.md index 6a32238d06..2a7f0e6ad6 100644 --- a/docs/tutorials/custom-checks-metadata.md +++ b/docs/tutorials/custom-checks-metadata.md 
@@ -31,6 +31,10 @@ CustomChecksMetadata: Checks: compute_instance_public_ip: Severity: critical + kubernetes: + Checks: + apiserver_anonymous_requests: + Severity: low ``` ## Usage diff --git a/docs/tutorials/reporting.md b/docs/tutorials/reporting.md index 5ce5024312..64a41d6b0b 100644 --- a/docs/tutorials/reporting.md +++ b/docs/tutorials/reporting.md @@ -106,6 +106,11 @@ And then by the provider specific columns: - RESOURCE_ID - RESOURCE_NAME +#### KUBERNETES + +- NAMESPACE +- RESOURCE_ID +- RESOURCE_NAME ???+ note Since Prowler v3 the CSV column delimiter is the semicolon (`;`) diff --git a/job.yaml b/job.yaml index 528e299e6a..77fe47a1aa 100644 --- a/job.yaml +++ b/job.yaml 
@@ -1,11 +1,92 @@ -apiVersion: v1 -kind: Pod +apiVersion: batch/v1 +kind: Job metadata: name: prowler spec: - containers: - - name: prowler - image: docker.io/prowler/kubernetes - command: ["prowler"] - args: ["kubernetes"] - imagePullPolicy: Never + template: + metadata: + labels: + app: prowler + spec: + containers: + - name: prowler + image: docker.io/prowler/kubernetes + command: ["prowler"] + args: ["kubernetes", "-z"] + imagePullPolicy: Never + volumeMounts: + - name: var-lib-cni + mountPath: /var/lib/cni + readOnly: true + - mountPath: /var/lib/etcd + name: var-lib-etcd + readOnly: true + - mountPath: /var/lib/kubelet + name: var-lib-kubelet + readOnly: true + - mountPath: /var/lib/kube-scheduler + name: var-lib-kube-scheduler + readOnly: true + - mountPath: /var/lib/kube-controller-manager + name: var-lib-kube-controller-manager + readOnly: true + - mountPath: /etc/systemd + name: etc-systemd + readOnly: true + - mountPath: /lib/systemd/ + name: lib-systemd + readOnly: true + - mountPath: /srv/kubernetes/ + name: srv-kubernetes + readOnly: true + - mountPath: /etc/kubernetes + name: etc-kubernetes + readOnly: true + - mountPath: /usr/local/mount-from-host/bin + name: usr-bin + readOnly: true + - mountPath: /etc/cni/net.d/ + name: etc-cni-netd + readOnly: true + - mountPath: /opt/cni/bin/ + name: opt-cni-bin + readOnly: true + hostPID: true + restartPolicy: Never + volumes: + - name: var-lib-cni + hostPath: + path: /var/lib/cni + - hostPath: + path: /var/lib/etcd + name: var-lib-etcd + - hostPath: + path: /var/lib/kubelet + name: var-lib-kubelet + - hostPath: + path: /var/lib/kube-scheduler + name: var-lib-kube-scheduler + - hostPath: + path: /var/lib/kube-controller-manager + name: var-lib-kube-controller-manager + - hostPath: + path: /etc/systemd + name: etc-systemd + - hostPath: + path: /lib/systemd + name: lib-systemd + - hostPath: + path: /srv/kubernetes + name: srv-kubernetes + - hostPath: + path: /etc/kubernetes + name: etc-kubernetes + - hostPath: + 
path: /usr/bin + name: usr-bin + - hostPath: + path: /etc/cni/net.d/ + name: etc-cni-netd + - hostPath: + path: /opt/cni/bin/ + name: opt-cni-bin
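Review bot: The new Job template (`spec.template.spec` in this hunk) sets `hostPID: true` and mounts `/etc/kubernetes`, `/var/lib/etcd`, `/var/lib/kubelet` and the other control-plane directories from the host, which amounts to read access to the node's kubeconfigs, certificates and etcd data, yet the `prowler` container declares no `securityContext`, so it keeps the image's default user and full default capability set; add at least `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` (a uid 0 process still reads root-owned files without any capability) and a comment naming which checks need `hostPID`, presumably reading control-plane process arguments via `/proc`. `image: docker.io/prowler/kubernetes` stays untagged while `imagePullPolicy: Never` is kept, so the README's `kubectl apply -f job.yaml` only works where some `latest` build was pre-loaded on the node and whichever build is cached is what runs; pin a tag or digest (e.g. `docker.io/prowler/kubernetes@sha256:<digest-placeholder>`) and drop `Never` unless the docs tell users to pre-load the image. Every `hostPath` volume omits `type`, and nothing pins the pod to a control-plane node: if the intent is to inspect control-plane files, add `type: Directory` so a pod scheduled on a node without `/var/lib/etcd` fails explicitly instead of mounting nothing useful, plus a `nodeSelector`/toleration for the control-plane role. Stylistically, the first `volumeMounts` and `volumes` entries put `name` first while the rest put `mountPath`/`hostPath` first, and `/lib/systemd/`, `/srv/kubernetes/`, `/etc/cni/net.d/` and `/opt/cni/bin/` carry trailing slashes their siblings lack; make the key order and paths uniform. The hunk replaces the whole file, so nothing here is outside it.
```yaml
      containers:
        - name: prowler
          # … unchanged: image, command, args, imagePullPolicy, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      # Host PID namespace: TODO document the checks that read control-plane process args from /proc
      hostPID: true
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      restartPolicy: Never
      volumes:
        - name: var-lib-cni
          hostPath:
            path: /var/lib/cni
            type: Directory
        # … unchanged: remaining hostPath volumes, each given `type: Directory` …
```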