Integrate with Kubernetes

Overview

Integrating with the Kubernetes platform allows Bridgecrew to scan and fix misconfigurations in your Kubernetes clusters.

How to Integrate

Part 1 - In Bridgecrew

  1. From the Integrations Catalog, under Cloud Providers, select Kubernetes.
  2. Enter a name for your token and add a description (optional), then select Create.
     Note: Tokens are specific per user and enforce the role and permissions assigned to that user within the organization.
  3. Save the API Token, then select Next. (The token will not be available later.)
  4. Create a name for your cluster, then select Next.
  5. Select the relevant Kubernetes version and copy the module code.

Part 2 - In Kubernetes

Paste the module and run the commands in your Kubernetes CLI.

Namespace filtering

To exclude a namespace from scans, add a skip value to the secret created by the CLI commands above. The following example skips the kube-system namespace:

kubectl create ns bridgecrew
kubectl create secret generic bridgecrew-rt-secret \
    --from-literal=apikey=<my_api_key> \
    --from-literal=repoid='runtime/<my_cluster_name>' \
    --from-literal=skip='kube-system' -n bridgecrew

If you have already deployed the integration, you can update the skipped namespaces as shown below (the skip value is a comma-separated list of namespaces):

kubectl patch secret bridgecrew-rt-secret -n bridgecrew -p='{"stringData":{"skip": "kube-system,default"}}'

Kubernetes Versioning

Use this command for Kubernetes versions earlier than 1.19:

kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/bridgecrew-kubernetes/master/bridgecrew-cronjob-pre-1.19.yaml

Use this command for versions 1.19 and higher:

kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/bridgecrew-kubernetes/master/bridgecrew-cronjob.yaml

Resource Requests and Limits

By default, the manifest specifies the following resource requests and limits:

  • CPU: 0.5
  • Memory: 512 Mi

We recommend allocating 1 vCPU and 1 Gi for every 1000 resources in the cluster. The following table shows sample values that work as a starting point. You may need to modify these numbers based on the details of your cluster, and in many cases you may be able to use smaller values.

If the scanning job does not complete within an hour, we recommend increasing these limits and/or decreasing the cron job frequency.

# Resources    vCPU Request   vCPU Limit   Mem Request   Mem Limit
< 1000         0.5            0.5          512 Mi        512 Mi
1000 - 1500    0.5            1            512 Mi        1 Gi
1500 - 2500    1              2            1 Gi          2 Gi
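The following helper script is an added example (not part of the Bridgecrew documentation or project) that ties together the namespace-filtering section and the sizing table above: it validates the namespace names before they are written into the skip key, builds the exact patch body used by the kubectl patch command, and returns the request/limit values from the table for a given resource count. It assumes the secret and namespace names from the docs (bridgecrew-rt-secret, bridgecrew); the extrapolation beyond 2500 resources applies the stated 1 vCPU / 1 Gi per 1000 rule and is an assumption, not a documented value.

```shell
#!/bin/sh
# Added example; not the Bridgecrew project's own tooling.

# Validate each namespace as a DNS label (lowercase alphanumerics and '-',
# not starting or ending with '-') and join them with commas, the format the
# skip key expects. A typo would otherwise silently skip nothing or the wrong
# namespace, so an invalid name fails the call instead.
build_skip_list() {
  out=""
  for ns in "$@"; do
    case "$ns" in
      *[!a-z0-9-]*|-*|*-|"") echo "invalid namespace: '$ns'" >&2; return 1 ;;
    esac
    out="${out:+$out,}$ns"
  done
  printf '%s' "$out"
}

# JSON merge-patch body for `kubectl patch secret`, matching the docs.
build_skip_patch() {
  skip=$(build_skip_list "$@") || return 1
  printf '{"stringData":{"skip":"%s"}}' "$skip"
}

# Apply the patch to the already-deployed secret (names assumed from the docs).
set_skip() {
  kubectl patch secret bridgecrew-rt-secret -n bridgecrew -p="$(build_skip_patch "$@")"
}

# Recommended "cpuRequest cpuLimit memRequest memLimit" for a cluster with N
# resources, following the sizing table (values in Kubernetes quantity syntax).
recommend_resources() {
  n=$1
  if [ "$n" -lt 1000 ]; then echo "0.5 0.5 512Mi 512Mi"
  elif [ "$n" -le 1500 ]; then echo "0.5 1 512Mi 1Gi"
  elif [ "$n" -le 2500 ]; then echo "1 2 1Gi 2Gi"
  else
    # Assumption: beyond the table, limit = ceil(N/1000) vCPU and Gi, with the
    # request at half the limit, as in the table's last two rows.
    k=$(( (n + 999) / 1000 ))
    echo "$((k * 500))m $k $((k * 512))Mi ${k}Gi"
  fi
}
```

Run `set_skip kube-system default` against a live cluster to apply the validated skip list; the other functions are pure and can be checked offline.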