Executing Bridgecrew scans within a Kubernetes environment provides insight into violations of running resources. The Bridgecrew CLI is deployed with a CronJob and runs hourly by default to scan Kubernetes resources. Scan results can be reviewed from Kubernetes or within the Bridgecrew Console.
After you get a Bridgecrew API Token, create your namespace, secret, and cronjob.
Replace <my_api_key> below with your API Token
Replace <my_cluster_name> with the name of your Kubernetes cluster.
kubectl create ns bridgecrew kubectl create secret generic bridgecrew-rt-secret \ --from-literal=apikey=<my_api_key> \ --from-literal=repoid='runtime/<my_cluster_name>' -n bridgecrew kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/bridgecrew-kubernetes/master/bridgecrew-cronjob.yaml
If you want to execute a one-time scan immediately you can trigger a job from the cronjob as follows
kubectl create job bridgecrew-scan --from=cronjob/bridgecrew -n bridgecrew
kubectl get jobs -n bridgecrew kubectl logs job/<job-name> -n bridgecrew
Note that the job will take at least 30 seconds to run. You can monitor the status of the pod to confirm it completes before reviewing logs.
kubectl get pods -n bridgecrew
On the Incidents tab you can see the checks in the incidents tab if you search for K8S. You can also filter by the cluster name you specified above. For example, runtime/<my_cluster_name>
To skip a check on a given Kubernetes resource, add the following annotation pattern to the resource.
annotations: bridgecrew.io/skip#: <check_id>=<suppression_comment>
#is any number (to allow for more than one skip annotation).
<check_id>is one of the available check scanners.
<suppression_comment>is an optional suppression reason to be included in the output
You can also annotate a deployed resource via command line.
kubectl annotate <resource> <resource_name> bridgecrew.io/skip#="<check_id>=<suppression_comment>"
apiVersion: v1 kind: Pod metadata: name: nginx annotations: bridgecrew.io/skip1: CKV_K8S_11=Ignore CPU limits. Using BestEffort scheduling. spec: containers: - name: nginx image: nginx imagePullPolicy: Always
kubectl annotate pod nginx bridgecrew.io/skip1="CKV_K8S_11=Ignore CPU limits. Using BestEffort scheduling."
Updated 4 months ago