Integrate with Kubernetes
Overview
Integrating with Kubernetes Platform allows Bridgecrew to scan and fix misconfigurations in your Kubernetes clusters.
How to Integrate
Part 1 - In Bridgecrew
- From the Integrations Catalog, under Cloud Providers, select Kubernetes.

- Enter a name for your token and add a description (optional), then select Create.
Note: Tokens are specific to each user and enforce the role and permissions assigned to that user within the organization.
- Save the API Token, then select Next. (The Token will not be available later.)
- Create a name for your Cluster, then select Next.
- Select the relevant Kubernetes version and copy the module code.
Part 2 - In Kubernetes
Paste the module and run the commands in your Kubernetes CLI.
Namespace filtering
If you want to suppress a namespace from scans, update the above CLI commands to add a skip section. The example below skips the kube-system namespace:
```
kubectl create ns bridgecrew
kubectl create secret generic bridgecrew-rt-secret \
  --from-literal=apikey=<my_api_key> \
  --from-literal=repoid='runtime/<my_cluster_name>' \
  --from-literal=skip='kube-system' -n bridgecrew
```
If you have already deployed the integration, you can update the skipped namespaces as shown below:
```
kubectl patch secret bridgecrew-rt-secret -n bridgecrew -p='{"stringData":{"skip": "kube-system,default"}}'
```
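The patch above overwrites the whole `skip` value, so every namespace that should stay skipped has to be listed each time. The following is an added example, not Bridgecrew's own code: it builds that patch body from a list of namespaces and rejects names that are not valid Kubernetes namespace names before anything reaches `kubectl`. The function names are hypothetical; the secret name, namespace and `skip` key are taken from the commands above.

```shell
#!/bin/sh
# Added example: build and apply the "skip" patch for bridgecrew-rt-secret.
# Function names are hypothetical; secret, namespace and key come from the page.

# Succeeds if $1 is a valid namespace name (RFC 1123 label: 1-63 characters,
# lowercase alphanumerics or '-', starting and ending with an alphanumeric).
valid_namespace() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] || return 1
  case $1 in
    # Characters are listed explicitly so the check does not depend on locale.
    *[!abcdefghijklmnopqrstuvwxyz0123456789-]*|-*|*-) return 1 ;;
  esac
  return 0
}

# Prints the JSON patch body for the given namespaces.
# Fails (and prints nothing on stdout) if the list is empty or a name is invalid.
build_skip_patch() {
  skip_list=""
  [ "$#" -gt 0 ] || { echo "no namespaces given" >&2; return 1; }
  for ns in "$@"; do
    valid_namespace "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
    case ",$skip_list," in
      *",$ns,"*) continue ;;          # already listed, drop the duplicate
    esac
    skip_list="${skip_list:+$skip_list,}$ns"
  done
  printf '{"stringData":{"skip":"%s"}}\n' "$skip_list"
}

# Replaces the skip list in the deployed secret (needs kubectl access).
apply_skip_patch() {
  patch_body=$(build_skip_patch "$@") || return 1
  kubectl patch secret bridgecrew-rt-secret -n bridgecrew -p="$patch_body"
}
```

Calling `apply_skip_patch kube-system default` sends the same patch as the command above.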
Kubernetes Versioning
Use this command for pre-1.19 versions:
```
kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/bridgecrew-kubernetes/master/bridgecrew-cronjob-pre-1.19.yaml
```
Use this command for versions 1.19 and higher:
```
kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/bridgecrew-kubernetes/master/bridgecrew-cronjob.yaml
```
Resource Requests and Limits
By default, the manifest specifies the following resource requests and limits:
- CPU: 0.5
- Memory: 512 Mi
We recommend allocating 1 vCPU and 1 Gi for every 1000 resources in the cluster. The following table shows sample values that work as a starting point. You may need to modify these numbers based on the details of your cluster, and in many cases you may be able to use smaller values.
If the scanning job does not complete within an hour, we recommend increasing these limits and/or decreasing the cron job frequency.

| Number of resources | vCPU Request | vCPU Limit | Mem Request | Mem Limit |
|---|---|---|---|---|
| < 1000 | 0.5 | 0.5 | 512 Mi | 512 Mi |
| 1000 - 1500 | 0.5 | 1 | 512 Mi | 1 Gi |
| 1500 - 2500 | 1 | 2 | 1 Gi | 2 Gi |