You can get the Policy Compliance report for EKS, AKS, and GKE by performing a compliance scan on the worker nodes that have access to the EKS/AKS/GKE cluster. These scans identify security configuration risks on the worker nodes and so help ensure their security and compliance. You can run the compliance scan with either a Qualys scanner or the Qualys Cloud Agent.
Qualys Scanner:
To perform the compliance scan using the scanner, you need to:
1. Open the SSH port to allow the scanner remote access to your worker node.
2. Create the K8s auth record in the Qualys Cloud Platform.
Qualys Cloud Agent:
To perform the compliance scan using the cloud agent, you need to install the Qualys Cloud Agent, which must be able to connect to the Qualys Cloud Platform.
The PC scan relies on the kubectl CLI client.
Prerequisite Setup on the Worker Node:
1. Install the kubectl client on the host using the root account.
2. Ensure that the kubectl binary and its parent folder are owned by the root user and group (root:root) and that no write permission is given to others.
3. Configure the kubectl client to connect to the AWS EKS cluster. The default kubectl configuration file is /root/.kube/config.
4. Ensure that the kubectl configuration file and its parent folder are owned by the root user and group (root:root) and that no write permission is given to others.
5. Test the following commands as the root user. The Server Version reported by the second command is used to discover Kubernetes on EKS and confirms connectivity with the EKS cluster:
which kubectl
kubectl version -o='yaml'
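As an added example (not the Qualys-provided verification script), this shell script checks the prerequisites above: the kubectl binary, the configuration file and their parent folders are owned by root:root with no group or other write permission, and kubectl version -o yaml reports a serverVersion block. It assumes GNU coreutils stat, reads the kubeconfig path from KUBECONFIG or the page's default /root/.kube/config, and SAMPLE_VERSION_YAML is a constructed sample rather than captured output.

```shell
#!/usr/bin/env bash
# Added example, not the Qualys-supplied verification script. Assumes GNU
# coreutils (stat -c) and that the real run happens as root, e.g. via sudo.
KUBECONFIG_PATH="${KUBECONFIG:-/root/.kube/config}"   # default from the page

# check_path_owned_ro PATH [OWNER]: passes when PATH exists, is owned by OWNER
# (default root:root) and has no group/other write bit. Symlinks are followed.
check_path_owned_ro() {
  local path="$1" want="${2:-root:root}" owner perm
  [ -e "$path" ] || { echo "FAIL: $path does not exist"; return 1; }
  owner=$(stat -Lc '%U:%G' "$path")
  perm=$(stat -Lc '%A' "$path")           # e.g. -rwxr-xr-x
  if [ "$owner" != "$want" ]; then
    echo "FAIL: $path is owned by $owner, expected $want"; return 1
  fi
  case "$perm" in
    ?????w????|????????w?)                # 6th char = group write, 9th = other write
      echo "FAIL: $path ($perm) is writable by group or others"; return 1 ;;
  esac
  echo "OK: $path ($owner $perm)"
}

# has_server_version YAML: 'kubectl version -o yaml' prints a top-level
# serverVersion block only when the cluster answered (the discovery signal).
has_server_version() {
  printf '%s\n' "$1" | grep -q '^serverVersion:'
}

# Constructed sample of a successful 'kubectl version -o yaml' (not real output).
SAMPLE_VERSION_YAML='clientVersion:
  gitVersion: v1.29.0
serverVersion:
  gitVersion: v1.29.1-eks-PLACEHOLDER'
run_prereq_checks() {
  local kubectl_path out rc=0
  kubectl_path=$(command -v kubectl) || { echo "FAIL: kubectl not in PATH"; return 1; }
  for p in "$kubectl_path" "$(dirname "$kubectl_path")" \
           "$KUBECONFIG_PATH" "$(dirname "$KUBECONFIG_PATH")"; do
    check_path_owned_ro "$p" || rc=1
  done
  if out=$(kubectl version -o yaml 2>/dev/null) && has_server_version "$out"; then
    echo "OK: cluster reachable (serverVersion reported)"
  else
    echo "FAIL: no serverVersion from 'kubectl version -o yaml'"; rc=1
  fi
  return $rc
}
# Run as: sudo bash verify_k8s_prereqs.sh --check
if [ "${1:-}" = "--check" ]; then run_prereq_checks; fi
```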
Execute the Verification Script:
To verify all the prerequisites listed above for the Kubernetes scan and print the result of each check, run the script below as the root user or with sudo: