prowler-cloud · jfagoagas · Mar 13, 2024 · Mar 4, 2024 · Mar 4, 2024 · Mar 4, 2024
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 | AWS | 302 | 61 -> `prowler aws --list-services` | 27 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` |
 | GCP | 73 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
 | Azure | 91 | 14 -> `prowler azure --list-services` | CIS soon | 2 -> `prowler azure --list-categories` |
-| Kubernetes | Work In Progress | - | CIS soon | - |
+| Kubernetes | 83 | 7 -> `prowler kubernetes --list-services` | CIS soon | 7 -> `prowler kubernetes --list-categories` |
 
 # 📖 Documentation
 
@@ -99,7 +99,7 @@ python prowler.py -v
 
 You can run Prowler from your workstation, an EC2 instance, Fargate or any other container, Codebuild, CloudShell and Cloud9.
 
-![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/080261d9-773d-4af1-af79-217a273e3176)
+![Architecture](https://github.com/prowler-cloud/prowler/assets/38561120/710f0def-6e3e-4b3e-b8fa-4b3e7db1ed9f)
 
 # 📝 Requirements
 
@@ -273,6 +273,25 @@ prowler gcp --credentials-file path
 ```
 > By default, `prowler` will scan all accessible GCP Projects, use flag `--project-ids` to specify the projects to be scanned.
 
+## Kubernetes
+
+For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument:
+
+```console
+prowler kubernetes --kubeconfig-file path
+```
+
+For in-cluster execution, you can use the supplied yaml to run Prowler as a job:
+```console
+kubectl apply -f job.yaml
+kubectl apply -f prowler-role.yaml
+kubectl apply -f prowler-rolebinding.yaml
+kubectl get pods --> prowler-XXXXX
+kubectl logs prowler-XXXXX
+```
+
+> By default, `prowler` will scan all namespaces in your active Kubernetes context, use flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned.
+
 # 📃 License
 
 Prowler is licensed as Apache License 2.0 as specified in each file. You may obtain a copy of the License at

diff --git a/docs/index.md b/docs/index.md
@@ -15,7 +15,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     * `Python >= 3.9`
     * `Python pip >= 3.9`
-    * AWS, GCP and/or Azure credentials
+    * AWS, GCP, Azure and/or Kubernetes credentials
 
     _Commands_:
 
@@ -29,7 +29,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
     _Requirements_:
 
     * Have `docker` installed: https://docs.docker.com/get-docker/.
-    * AWS, GCP and/or Azure credentials
+    * AWS, GCP, Azure and/or Kubernetes credentials
     * In the command below, change `-v` to your local directory path in order to access the reports.
 
     _Commands_:
@@ -46,7 +46,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     _Requirements for Ubuntu 20.04.3 LTS_:
 
-    * AWS, GCP and/or Azure credentials
+    * AWS, GCP, Azure and/or Kubernetes credentials
     * Install python 3.9 with: `sudo apt-get install python3.9`
     * Remove python 3.8 to avoid conflicts if you can: `sudo apt-get remove python3.8`
     * Make sure you have the python3 distutils package installed: `sudo apt-get install python3-distutils`
@@ -66,7 +66,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     _Requirements for Developers_:
 
-    * AWS, GCP and/or Azure credentials
+    * AWS, GCP, Azure and/or Kubernetes credentials
     * `git`, `Python >= 3.9`, `pip` and `poetry` installed (`pip install poetry`)
 
     _Commands_:
@@ -83,7 +83,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
 
     _Requirements_:
 
-    * AWS, GCP and/or Azure credentials
+    * AWS, GCP, Azure and/or Kubernetes credentials
     * Latest Amazon Linux 2 should come with Python 3.9 already installed however it may need pip. Install Python pip 3.9 with: `sudo yum install -y python3-pip`.
     * Make sure setuptools for python is already installed with: `pip3 install setuptools`
 
@@ -100,7 +100,7 @@ Prowler is available as a project in [PyPI](https://pypi.org/project/prowler/),
     _Requirements_:
 
     * `Brew` installed in your Mac or Linux
-    * AWS, GCP and/or Azure credentials
+    * AWS, GCP, Azure and/or Kubernetes credentials
 
     _Commands_:
 
@@ -160,7 +160,7 @@ You can run Prowler from your workstation, an EC2 instance, Fargate or any other
 ![Architecture](img/architecture.png)
 ## Basic Usage
 
-To run Prowler, you will need to specify the provider (e.g `aws`, `gcp` or `azure`):
+To run Prowler, you will need to specify the provider (e.g `aws`, `gcp`, `azure` or `kubernetes`):
 
 ???+ note
     If no provider specified, AWS will be used for backward compatibility with most of v2 options.
@@ -197,6 +197,7 @@ For executing specific checks or services you can use options `-c`/`checks` or `
 prowler azure --checks storage_blob_public_access_level_is_disabled
 prowler aws --services s3 ec2
 prowler gcp --services iam compute
+prowler kubernetes --services etcd apiserver
 ```
 
 Also, checks and services can be excluded with options `-e`/`--excluded-checks` or `--excluded-services`:
@@ -205,6 +206,7 @@ Also, checks and services can be excluded with options `-e`/`--excluded-checks`
 prowler aws --excluded-checks s3_bucket_public_access
 prowler azure --excluded-services defender iam
 prowler gcp --excluded-services kms
+prowler kubernetes --excluded-services controllermanager
 ```
 
 More options and executions methods that will save your time in [Miscellaneous](tutorials/misc.md).
@@ -275,5 +277,26 @@ prowler gcp --project-ids <Project ID 1> <Project ID 2> ... <Project ID N>
 
 See more details about GCP Authentication in [Requirements](getting-started/requirements.md)
 
+## Kubernetes
+
+Prowler allows you to scan your Kubernetes Cluster either from within the cluster or from outside the cluster.
+
+For non in-cluster execution, you can provide the location of the KubeConfig file with the following argument:
+
+```console
+prowler kubernetes --kubeconfig-file path
+```
+
+For in-cluster execution, you can use the supplied yaml to run Prowler as a job:
+```console
+kubectl apply -f job.yaml
+kubectl apply -f prowler-role.yaml
+kubectl apply -f prowler-rolebinding.yaml
+kubectl get pods --> prowler-XXXXX
+kubectl logs prowler-XXXXX
+```
+
+> By default, `prowler` will scan all namespaces in your active Kubernetes context, use flag `--context` to specify the context to be scanned and `--namespaces` to specify the namespaces to be scanned.
+
 ## Prowler v2 Documentation
 For **Prowler v2 Documentation**, please check it out [here](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md).
diff --git a/docs/tutorials/configuration_file.md b/docs/tutorials/configuration_file.md
@@ -41,7 +41,7 @@ The following list includes all the Azure checks with configurable variables tha
 
 | Check Name                                                    | Value                                            | Type            |
 |---------------------------------------------------------------|--------------------------------------------------|-----------------|
-| `network_public_ip_shodan`                                   | `shodan_api_key`                    | String         |
+| `network_public_ip_shodan`                                    | `shodan_api_key`                                 | String          |
 | `app_ensure_php_version_is_latest`                            | `php_latest_version`                             | String          |
 | `app_ensure_python_version_is_latest`                         | `python_latest_version`                          | String          |
 | `app_ensure_java_version_is_latest`                           | `java_latest_version`                            | String          |
@@ -51,6 +51,19 @@ The following list includes all the Azure checks with configurable variables tha
 
 ### Configurable Checks
 
+## Kubernetes
+
+### Configurable Checks
+The following list includes all the Azure checks with configurable variables that can be changed in the configuration yaml file:
+
+| Check Name                                                    | Value                                            | Type            |
+|---------------------------------------------------------------|--------------------------------------------------|-----------------|
+| `audit_log_maxbackup`                                         | `audit_log_maxbackup`                            | String          |
+| `audit_log_maxsize`                                           | `audit_log_maxsize`                              | String          |
+| `audit_log_maxage`                                            | `audit_log_maxage`                               | String          |
+| `apiserver_strong_ciphers`                                    | `apiserver_strong_ciphers`                       | String          |
+| `kubelet_strong_ciphers_only`                                 | `kubelet_strong_ciphers`                         | String          |
+
 ## Config YAML File Structure
 
 ???+ note

diff --git a/docs/tutorials/custom-checks-metadata.md b/docs/tutorials/custom-checks-metadata.md
@@ -31,6 +31,10 @@ CustomChecksMetadata:
     Checks:
       compute_instance_public_ip:
         Severity: critical
+  kubernetes:
+    Checks:
+      apiserver_anonymous_requests:
+        Severity: low
 ```
 
 ## Usage

diff --git a/docs/tutorials/reporting.md b/docs/tutorials/reporting.md
@@ -106,6 +106,11 @@ And then by the provider specific columns:
 - RESOURCE_ID
 - RESOURCE_NAME
 
+#### KUBERNETES
+
+- NAMESPACE
+- RESOURCE_ID
+- RESOURCE_NAME
 
 ???+ note
     Since Prowler v3 the CSV column delimiter is the semicolon (`;`)

diff --git a/job.yaml b/job.yaml
@@ -1,11 +1,92 @@
-apiVersion: v1
-kind: Pod
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: prowler
 spec:
-  containers:
-  - name: prowler
-    image: docker.io/prowler/kubernetes
-    command: ["prowler"]
-    args: ["kubernetes"]
-    imagePullPolicy: Never
+  template:
+    metadata:
+      labels:
+        app: prowler
+    spec:
+      containers:
+      - name: prowler
+        image: docker.io/prowler/kubernetes
+        command: ["prowler"]
+        args: ["kubernetes", "-z"]
+        imagePullPolicy: Never
+        volumeMounts:
+            - name: var-lib-cni
+              mountPath: /var/lib/cni
+              readOnly: true
+            - mountPath: /var/lib/etcd
+              name: var-lib-etcd
+              readOnly: true
+            - mountPath: /var/lib/kubelet
+              name: var-lib-kubelet
+              readOnly: true
+            - mountPath: /var/lib/kube-scheduler
+              name: var-lib-kube-scheduler
+              readOnly: true
+            - mountPath: /var/lib/kube-controller-manager
+              name: var-lib-kube-controller-manager
+              readOnly: true
+            - mountPath: /etc/systemd
+              name: etc-systemd
+              readOnly: true
+            - mountPath: /lib/systemd/
+              name: lib-systemd
+              readOnly: true
+            - mountPath: /srv/kubernetes/
+              name: srv-kubernetes
+              readOnly: true
+            - mountPath: /etc/kubernetes
+              name: etc-kubernetes
+              readOnly: true
+            - mountPath: /usr/local/mount-from-host/bin
+              name: usr-bin
+              readOnly: true
+            - mountPath: /etc/cni/net.d/
+              name: etc-cni-netd
+              readOnly: true
+            - mountPath: /opt/cni/bin/
+              name: opt-cni-bin
+              readOnly: true
+      hostPID: true
+      restartPolicy: Never
+      volumes:
+        - name: var-lib-cni
+          hostPath:
+            path: /var/lib/cni
+        - hostPath:
+            path: /var/lib/etcd
+          name: var-lib-etcd
+        - hostPath:
+            path: /var/lib/kubelet
+          name: var-lib-kubelet
+        - hostPath:
+            path: /var/lib/kube-scheduler
+          name: var-lib-kube-scheduler
+        - hostPath:
+            path: /var/lib/kube-controller-manager
+          name: var-lib-kube-controller-manager
+        - hostPath:
+            path: /etc/systemd
+          name: etc-systemd
+        - hostPath:
+            path: /lib/systemd
+          name: lib-systemd
+        - hostPath:
+            path: /srv/kubernetes
+          name: srv-kubernetes
+        - hostPath:
+            path: /etc/kubernetes
+          name: etc-kubernetes
+        - hostPath:
+            path: /usr/bin
+          name: usr-bin
+        - hostPath:
+            path: /etc/cni/net.d/
+          name: etc-cni-netd
+        - hostPath:
+            path: /opt/cni/bin/
+          name: opt-cni-bin