Skip to content

Production readiness can scan images from a k8s cluster using trivy, run kube-bench and linux-bench. It will generate a json output and an html/pdf report.

License

Apache-2.0, Unknown licenses found

Licenses found

Apache-2.0
LICENSE
Unknown
LICENCE.md
Notifications You must be signed in to change notification settings

coreeng/prod-readiness

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Production readiness

This tool will help running diagnostic to have a better understanding of a cluster in terms of security and best practises. Use it to identify security vulnerabilities in your cluster and container images.

Prerequisites

To prepare your environment you must install trivy and docker as the image scan utility require both command line tools. Then download the production-readiness tool from the releases area.

Cluster scan

The report command will perform both container image scan and security compliance scan. You can run either report individually by referring to the corresponding sections below.

The command will generate an HTML report for all types of scans. The summary report can be opened by opening index.html in the browser.

Usage

production-readiness report  --context <cluster-name>

Container Image scanning

The scan command can be used to scan your container images for vulnerabilities. It will look up running containers in all namespaces that matches an optional label selector (--filters-labels) and perform a vulnerability scan against using trivy for each container image. It will then generate an HTML or Markdown report summarising the vulnerabilities found, their severity, CVE reference and how many containers are affected.

It can also provide a break down of the vulnerabilities per area (--area-labels) / team (--teams-labels) when specified.

Here is a sample report: Sample Report

Usage

To generate a report for a given cluster:

production-readiness scan --context <cluster-name>

To generate a report broken down per team name, specify the label used to identify the team name:

production-readiness scan --context <cluster-name> --teams-labels=<label>

Run production-readiness scan --help for a complete list of options available.

Rendering the report as HTML, Mark-down or PDF

The vulnerability report can be rendered using the template of your choice. There are two available templates for convenience:

A custom template file can be specified using the --report-template-filename command line argument.

HTML files can be converted to PDF files in various ways. One tool that works for us is wkhtmltopdf which can be use as follows:

wkhtmltopdf <report.html> <report.pdf>

Cluster security compliance scanning

The cis-scan command can be used to scan compliance of the cluster with the k8s CIS benchmark, NSA k8s Hardening Guidance and Pod Security Standards (PSS). It will perform a compliance scan against using trivy for whole kubernetes cluster. Then it will generate an HTML report and will show which criteria has been passed and which failed. Report allows to see vulnerable resources, their severity, description, suggested resolution and references.

Here is a sample report: Sample Report

Usage

To run compliance scan just execute: production-readiness cis-scan --context "sandbox-azure" --context points to context to use from kube config file. Optional parameter --benchmarks k8s-cis,k8s-nsa,k8s-pss-restricted can be used to run specific scan type.

Limitations

  • At the moment, cluster admin privileges is required by trivy as it needs to create trivy-tmp namespace just for testing purposes. The tool should be modified to work with 'read-only' permissions to the cluster or at least within a namespace we (CECG) own. We need to be super careful especially with live environments.
  • Security compliance scans may not work on GCP if there is no CNI on the node in /opt/cni/bin location

Roadmap

  • Use trivy library rather than the command line (to prevent: "trivy": executable file not found in $PATH ) - see #17
  • Use docker library rather than the command line (to prevent: "docker": executable file not found in $PATH ) - see #17
  • Run CIS benchmark with limited permissions - see #18
  • Improve CIS benchmark report - see #14
  • Run cloud provider specific CIS benchmark - see #21

About

Production readiness can scan images from a k8s cluster using trivy, run kube-bench and linux-bench. It will generate a json output and an html/pdf report.

Resources

License

Apache-2.0, Unknown licenses found

Licenses found

Apache-2.0
LICENSE
Unknown
LICENCE.md

Stars

Watchers

Forks

Packages

No packages published