Kubei: A Flexible Kubernetes Runtime Scanner
Kubei is a vulnerability scanning tool that allows users to get an accurate and immediate risk assessment of their Kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. It doesn’t scan the entire image registry and doesn’t require preliminary integration with CI/CD pipelines.
It is a configurable tool that allows users to define the scope of the scan (target namespaces), the speed, and the vulnerability level of interest.
It provides a graphical UI that shows where (which pods and namespaces) and what (which images) should be replaced in order to mitigate the discovered vulnerabilities.
Prerequisites
- A Kubernetes cluster is ready, and Kubeconfig (`~/.kube/config`) is properly configured for the target cluster.
Required permissions
- Read secrets in cluster scope. This is required for getting the image pull secrets needed to scan private image repositories.
- List pods in cluster scope. This is required for calculating the target pods that need to be scanned.
- Create jobs in cluster scope. This is required for creating the jobs that will scan the target pods in their namespaces.
Configurations
The file `deploy/kubei.yaml` is used to deploy and configure Kubei on your cluster.
- Set the scan scope. Set the `IGNORE_NAMESPACES` env variable to ignore specific namespaces. Set `TARGET_NAMESPACE` to scan a specific namespace, or leave it empty to scan all namespaces.
- Set the scan speed. Expedite scanning by running parallel scanners. Set the `MAX_PARALLELISM` env variable to the maximum number of simultaneous scanners.
- Set the severity level threshold. Vulnerabilities with a severity level higher than or equal to the `SEVERITY_THRESHOLD` threshold will be reported. Supported levels are `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1`. Default is `Medium`.
- Set the delete job policy. Set the `DELETE_JOB_POLICY` env variable to define whether or not to delete completed scanner jobs. Supported values are:
  - `All` – All jobs will be deleted.
  - `Successful` – Only successful jobs will be deleted (default).
  - `Never` – Jobs will never be deleted.
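As an added example of how those settings fit together (a fragment written for this README, not a copy of `deploy/kubei.yaml`), the env block below scopes the scan to every namespace except `kube-system`, caps concurrency at four scanners, raises the reporting threshold to `High`, and cleans up all scanner jobs. The container name, image placeholder and `serviceAccountName` are assumptions; the `app: kubei` label matches the `kubectl` selectors used in Usage.

```yaml
# Added example configuration fragment for the Kubei Deployment; not the
# project's own manifest. Container name, image and serviceAccountName are
# assumptions; env variable names and values are those documented above.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubei
  namespace: kubei
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubei
  template:
    metadata:
      labels:
        app: kubei
    spec:
      serviceAccountName: kubei        # assumption
      containers:
        - name: kubei
          image: kubei-image:tag       # placeholder; use the image from deploy/kubei.yaml
          env:
            # Scope: empty TARGET_NAMESPACE means all namespaces,
            # minus those listed in IGNORE_NAMESPACES.
            - name: TARGET_NAMESPACE
              value: ""
            - name: IGNORE_NAMESPACES
              value: "kube-system"
            # Speed: at most four scanner jobs run at the same time.
            - name: MAX_PARALLELISM
              value: "4"
            # Report only High, Critical and Defcon1 (default would be Medium).
            - name: SEVERITY_THRESHOLD
              value: "High"
            # Delete every scanner job when it finishes, failed ones included;
            # use "Never" while debugging so failed jobs keep their logs.
            - name: DELETE_JOB_POLICY
              value: "All"
```

Re-applying the edited manifest with `kubectl apply -f deploy/kubei.yaml` changes the pod template, so the Deployment rolls out a new Kubei pod with the new settings; no manual restart is needed.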
Usage
- Run the following command to deploy Kubei on the cluster:
kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yaml
- Run the following command to verify that Kubei is up and running:
kubectl -n kubei get pod -lapp=kubei
- Then, port-forward to the Kubei webapp with the following command:
kubectl -n kubei port-forward $(kubectl -n kubei get pods -lapp=kubei -o jsonpath="{.items[0].metadata.name}") 8080
- In your browser, navigate to http://localhost:8080/view/ (the forwarded port serves plain HTTP), and then click ‘GO’ to run a scan.
- To check the state of Kubei, and the progress of ongoing scans, run the following command:
kubectl -n kubei logs $(kubectl -n kubei get pods -lapp=kubei -o jsonpath="{.items[0].metadata.name}")
- Refresh the page (http://localhost:8080/view/) to update the results.
Running Kubei with an external HTTP/HTTPS proxy
Uncomment and configure the proxy env variables for the Clair and Kubei deployments in `deploy/kubei.yaml`.
Limitations
- Supports Image Manifest V2, Schema 2 (https://docs.docker.com/registry/spec/manifest-v2-2/). Scans of images served with earlier manifest versions will fail.
- The CVE database will update once a day.