Kubernetes Clusters
Overview
Executing Bridgecrew scans within a Kubernetes environment provides insight into violations of running resources. The Bridgecrew CLI is deployed with a CronJob and runs hourly by default to scan Kubernetes resources. Scan results can be reviewed from Kubernetes or within the Bridgecrew Console.
Deploying the Bridgecrew Scanner
After you get a Bridgecrew API Token, create your namespace, secret, and cronjob.
Replace <my_api_key> below with your API Token.
Replace <my_cluster_name> with the name of your Kubernetes cluster.
kubectl create ns bridgecrew
kubectl create secret generic bridgecrew-rt-secret \
--from-literal=apikey=<my_api_key> \
--from-literal=repoid='runtime/<my_cluster_name>' -n bridgecrew
kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/bridgecrew-kubernetes/master/bridgecrew-cronjob.yaml
Executing a scan immediately
If you want to execute a one-time scan immediately, you can trigger a job from the CronJob as follows:
kubectl create job bridgecrew-scan --from=cronjob/bridgecrew -n bridgecrew
Reviewing output using the Kubernetes CLI
kubectl get jobs -n bridgecrew
kubectl logs job/<job-name> -n bridgecrew
Note that the job will take at least 30 seconds to run. You can monitor the status of the pod to confirm it completes before reviewing logs.
kubectl get pods -n bridgecrew
Reviewing checks in Bridgecrew
On the Incidents tab you can see the checks by searching for K8S. You can also filter by the cluster name you specified above, for example runtime/<my_cluster_name>.
Skipping Check per Kubernetes resource
To skip a check on a given Kubernetes resource, add the following annotation pattern to the resource.
annotations:
  bridgecrew.io/skip#: <check_id>=<suppression_comment>
# is any number (to allow for more than one skip annotation).
<check_id> is one of the available check scanners.
<suppression_comment> is an optional suppression reason to be included in the output.
You can also annotate an already deployed resource from the command line.
kubectl annotate <resource> <resource_name> bridgecrew.io/skip#="<check_id>=<suppression_comment>"
Suppression Examples
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  annotations:
    bridgecrew.io/skip1: CKV_K8S_11=Ignore CPU limits. Using BestEffort scheduling.
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: Always
kubectl annotate pod nginx bridgecrew.io/skip1="CKV_K8S_11=Ignore CPU limits. Using BestEffort scheduling."
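Because every skip annotation silences a finding, it is worth auditing what a manifest suppresses before it is applied. The following is an added example, not Bridgecrew's own code: it parses the bridgecrew.io/skip# pattern described above from a resource dict and flags keys without a number, values without a check ID, and suppressions with no reason. The CHECK_ID regex and the CKV_K8S_8 value in the sample are assumptions.

```python
import re

# Key pattern from the docs above: bridgecrew.io/skip# where # is any number.
SKIP_KEY = re.compile(r"^bridgecrew\.io/skip(\d+)$")
# Shape of a check ID such as CKV_K8S_11 (assumed pattern, not from the docs).
CHECK_ID = re.compile(r"^CKV2?_[A-Z0-9]+_\d+$")


def parse_skips(resource):
    """Return (suppressions, problems) for one Kubernetes resource dict.

    suppressions: list of (check_id, reason) in skip-number order.
    problems: strings describing annotations a reviewer should question.
    """
    meta = resource.get("metadata") or {}
    name = f'{resource.get("kind", "?")}/{meta.get("name", "?")}'
    found, problems = [], []
    for key, value in (meta.get("annotations") or {}).items():
        if not key.startswith("bridgecrew.io/skip"):
            continue
        m = SKIP_KEY.match(key)
        if not m:
            problems.append(f"{name}: '{key}' must be bridgecrew.io/skip<number>")
            continue
        check_id, _, reason = str(value).partition("=")
        if not CHECK_ID.match(check_id):
            problems.append(f"{name}: '{key}' has no valid check id ('{check_id}')")
            continue
        if not reason.strip():
            problems.append(f"{name}: {check_id} is suppressed with no reason given")
        found.append((int(m.group(1)), check_id, reason.strip()))
    found.sort()
    return [(c, r) for _, c, r in found], problems


# Constructed sample: the nginx Pod from the docs plus two annotations a reviewer should flag.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "nginx",
        "annotations": {
            "bridgecrew.io/skip1": "CKV_K8S_11=Ignore CPU limits. Using BestEffort scheduling.",
            "bridgecrew.io/skip2": "CKV_K8S_8",        # assumed check id, no reason given
            "bridgecrew.io/skip": "CKV_K8S_11=typo",   # key is missing its number
        },
    },
    "spec": {"containers": [{"name": "nginx", "image": "nginx"}]},
}
```

Run parse_skips over each document of a manifest before kubectl apply and treat any returned problem as a review blocker.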