Kubernetes Clusters

Overview

Executing Bridgecrew scans within a Kubernetes environment provides insight into violations of running resources. The Bridgecrew CLI is deployed with a CronJob and runs hourly by default to scan Kubernetes resources. Scan results can be reviewed from Kubernetes or within the Bridgecrew Console.

Deploying the Bridgecrew Scanner

After you get a Bridgecrew API Token, create your namespace, secret, and cronjob.

Replace <my_api_key> below with your API Token.
Replace <my_cluster_name> with the name of your Kubernetes cluster.

kubectl create ns bridgecrew
kubectl create secret generic bridgecrew-rt-secret \
    --from-literal=apikey=<my_api_key> \
    --from-literal=repoid='runtime/<my_cluster_name>' -n bridgecrew

kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/bridgecrew-kubernetes/master/bridgecrew-cronjob.yaml

Executing a scan immediately

If you want to execute a one-time scan immediately, you can trigger a job from the cronjob as follows:

kubectl create job bridgecrew-scan --from=cronjob/bridgecrew -n bridgecrew

Reviewing output using the Kubernetes CLI

kubectl get jobs -n bridgecrew
kubectl logs job/<job-name> -n bridgecrew

Note that the job will take at least 30 seconds to run. You can monitor the status of the pod to confirm it completes before reviewing logs.

kubectl get pods -n bridgecrew

Reviewing checks in Bridgecrew

On the Incidents tab you can find the checks by searching for K8S. You can also filter by the cluster name you specified above, for example runtime/<my_cluster_name>.

Skipping Check per Kubernetes resource

To skip a check on a given Kubernetes resource, add the following annotation pattern to the resource.

annotations:
    bridgecrew.io/skip#: <check_id>=<suppression_comment>

  • # is any number (to allow for more than one skip annotation).
  • <check_id> is one of the available check scanners.
  • <suppression_comment> is an optional suppression reason to be included in the output.

You can also annotate a deployed resource via command line.

kubectl annotate <resource> <resource_name> bridgecrew.io/skip#="<check_id>=<suppression_comment>"

Suppression Examples

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  annotations:
    bridgecrew.io/skip1: CKV_K8S_11=Ignore CPU limits.  Using BestEffort scheduling.
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: Always

kubectl annotate pod nginx bridgecrew.io/skip1="CKV_K8S_11=Ignore CPU limits.  Using BestEffort scheduling."
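The annotation pattern above is easy to get subtly wrong (a key like skipX, or an empty value), so a small parser that extracts suppressions from a resource's metadata is useful for auditing what has been silenced in a cluster. The following is an added example, not Bridgecrew's own code; the manifest is a constructed sample based on the nginx Pod above, and the extra check IDs and the malformed key are assumptions added to exercise the parser.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Annotation key pattern documented above: bridgecrew.io/skip<number>
SKIP_KEY = re.compile(r"^bridgecrew\.io/skip(\d+)$")
# Shape of a check id such as CKV_K8S_11
CHECK_ID = re.compile(r"^[A-Z0-9_]+$")


class Suppression(NamedTuple):
    check_id: str
    comment: Optional[str]  # None when no "=<suppression_comment>" part is given


def parse_skip_annotations(resource: dict) -> List[Suppression]:
    """Return the suppressions declared on one Kubernetes resource.

    Keys that do not match skip<number> and values without a plausible
    check id are ignored rather than treated as valid suppressions.
    """
    annotations: Dict[str, str] = (resource.get("metadata") or {}).get("annotations") or {}
    found = []
    for key, value in annotations.items():
        if not SKIP_KEY.match(key):
            continue
        # Split on the first "=" only, so the comment itself may contain "="
        check_id, sep, comment = str(value).partition("=")
        check_id = check_id.strip()
        if not CHECK_ID.match(check_id):
            continue
        found.append(Suppression(check_id, comment.strip() if sep else None))
    return found


def is_suppressed(resource: dict, check_id: str) -> bool:
    """True when the resource carries a skip annotation for check_id."""
    return any(s.check_id == check_id for s in parse_skip_annotations(resource))


# Constructed sample: the nginx Pod from the docs plus two assumed annotations.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "nginx",
        "annotations": {
            "bridgecrew.io/skip1": "CKV_K8S_11=Ignore CPU limits.  Using BestEffort scheduling.",
            "bridgecrew.io/skip2": "CKV_K8S_10",  # no suppression comment
            "bridgecrew.io/skipX": "CKV_K8S_9=invalid key, must be ignored",
        },
    },
    "spec": {"containers": [{"name": "nginx", "image": "nginx"}]},
}
```

Running `parse_skip_annotations(SAMPLE_POD)` yields the two valid suppressions and drops the skipX entry, which the scanner would likewise not honour.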