Kubei是一个漏洞扫描和CIS Docker基准测试工具,它能够对kubernetes集群进行准确,即时的风险评估。Kubei扫描Kubernetes集群中正在使用的所有图像,包括应用程序Pod和系统Pod的镜像。它不会扫描整个镜像注册表,也不需要与CI / CD进行初步集成。
它是一种可配置的工具,可以定义扫描范围(目标名称空间),速度和关注的漏洞级别,还提供了图形用户界面。
安装要求:
Kubernetes集群已准备就绪,并且已~/.kube/config
为目标集群正确配置了kubeconfig
需要的权限
- 在集群范围内读取secret。这是用于获取私有镜像仓库的镜像的拉取凭据。
- 列出集群范围内的Pod。
- 在集群范围内创建job。创建job将扫描其名称空间中的目标容器
部署
---
apiVersion: v1
kind: Namespace
metadata:
name: kubei
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubei
namespace: kubei
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubei
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create","delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubei
subjects:
- kind: ServiceAccount
name: kubei
namespace: kubei
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubei
---
apiVersion: v1
kind: Service
metadata:
name: clair
namespace: kubei
labels:
app: clair
spec:
type: ClusterIP
ports:
- port: 6060
protocol: TCP
name: apiserver
- port: 6061
protocol: TCP
name: health
selector:
app: clair
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: clair
namespace: kubei
labels:
app: clair
spec:
replicas: 1
selector:
matchLabels:
app: clair
template:
metadata:
labels:
app: clair
kubeiShouldScan: "false"
spec:
initContainers:
- name: check-db-ready
image: postgres:12-alpine
command: ['sh', '-c', 'until pg_isready -h postgres -p 5432; do echo waiting for