Getting PA / PC Report for EKS, AKS and GKE
You can get the Policy Audit / Policy Compliance report for EKS, AKS, and GKE by performing a compliance scan on the worker nodes that have access to the EKS/AKS/GKE cluster. These scans help ensure the security and compliance of the worker nodes by identifying security configuration risks. You can run the compliance scan either with a Qualys scanner or with the Qualys Cloud Agent.
Qualys Scanner:
To perform the compliance scan using the scanner, you need to:
- Open the SSH port to allow the scanner remote access to your worker node.
- Create the K8s auth record in the Qualys Cloud Platform.
Qualys Cloud Agent:
To perform a compliance scan using the cloud agent, you need to install the Qualys Cloud Agent on the worker node so that it can connect to the Qualys Cloud Platform.
The PA / PC scan relies on the kubectl CLI client.
Prerequisites Setup on Worker Node:
- Install the kubectl client on the host with the root account.
- Ensure that the kubectl binary and its parent folder are owned by the root user and group (root:root) and that no write permission is given to others.
- Configure the kubectl client to get connectivity to the AWS EKS cluster. The default kubectl configuration file is /root/.kube/config.
- Ensure that the kubectl configuration file and its parent folder are owned by the root user and group (root:root) and that no write permission is given to others.
- Test the following commands with the root account. The server version returned is used to discover Kubernetes on EKS and to confirm connectivity with the EKS cluster.
- which kubectl
- kubectl version -o='yaml'
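The following script is an added example that checks the prerequisites listed above; it is not the Qualys verification script and is not part of the original page. It assumes a Linux host with GNU coreutils (stat -c) and that the kubeconfig lives at the page's default path, /root/.kube/config, unless KUBECONFIG_PATH is set. The owner and group arguments default to root:root as the page requires; they are parameters only so the checks can be exercised on test files owned by another user.

```shell
#!/bin/sh
# Added example, not the Qualys script. Verifies the kubectl prerequisites:
# binary and kubeconfig (plus their parent folders) owned by root:root,
# not writable by others, and kubectl able to reach the cluster API server.

KUBECONFIG_PATH="${KUBECONFIG_PATH:-/root/.kube/config}"   # page default

# owner_group PATH -> prints "user:group" (GNU stat assumed)
owner_group() {
    stat -c '%U:%G' "$1" 2>/dev/null
}

# is_world_writable PATH -> exit 0 when "others" have the write bit
is_world_writable() {
    perm=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    others=$(( perm % 10 ))          # last octal digit = permissions for others
    [ $(( others & 2 )) -ne 0 ]
}

# check_secure_path PATH [OWNER] [GROUP]
# Passes when PATH exists, is owned by OWNER:GROUP (default root:root)
# and is not writable by others; prints the reason on failure.
check_secure_path() {
    path=$1; want="${2:-root}:${3:-root}"
    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist"; return 1
    fi
    have=$(owner_group "$path")
    if [ "$have" != "$want" ]; then
        echo "FAIL: $path is owned by $have, expected $want"; return 1
    fi
    if is_world_writable "$path"; then
        echo "FAIL: $path is writable by others"; return 1
    fi
    echo "OK: $path owned by $want and not writable by others"
}

# check_path_and_parent PATH [OWNER] [GROUP]
# The page requires the rule to hold for the file AND its parent folder.
check_path_and_parent() {
    check_secure_path "$1" "$2" "$3" && check_secure_path "$(dirname "$1")" "$2" "$3"
}

# verify_kubectl: runs every prerequisite check; non-zero if any check fails.
verify_kubectl() {
    rc=0
    # same lookup as "which kubectl", but POSIX
    bin=$(command -v kubectl) || { echo "FAIL: kubectl not found in PATH"; return 1; }
    echo "OK: kubectl found at $bin"
    check_path_and_parent "$bin" || rc=1
    check_path_and_parent "$KUBECONFIG_PATH" || rc=1
    # "kubectl version -o yaml" prints a serverVersion block only when the
    # API server answered, so its presence confirms cluster connectivity.
    if kubectl version -o yaml 2>/dev/null | grep -q '^serverVersion:'; then
        echo "OK: kubectl reached the cluster API server"
    else
        echo "FAIL: kubectl version -o yaml returned no server version (check kubeconfig/connectivity)"; rc=1
    fi
    return $rc
}

# Run the full check only when saved and executed as verify_kubectl.sh
case "$0" in
    */verify_kubectl.sh|verify_kubectl.sh) verify_kubectl ;;
esac
```

Save it as verify_kubectl.sh and run it as root (or with sudo) on the worker node; every line starting with FAIL names a prerequisite that the Qualys scan would also trip over, so fix those before starting the compliance scan.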
Execute Verification Script
To verify all the prerequisites stated above that are required to run the Kubernetes scan, and to get the result of each check as an output message, execute the script below as the root user or run it with sudo: