Getting PA / PC Report for EKS, AKS and GKE

You can get the Policy Audit / Policy Compliance (PA / PC) report for EKS, AKS, and GKE by running a compliance scan on the worker nodes that have access to the EKS/AKS/GKE cluster. These scans help ensure the security and compliance of the worker nodes by identifying security configuration risks. You can run the compliance scan with either the Qualys scanner or the Qualys Cloud Agent.

Qualys Scanner:

To perform the compliance scan using the scanner, you need to:

  • Open the SSH port so that the scanner can reach your worker node remotely.

  • Create the K8s auth record in the Qualys cloud platform.

Qualys Cloud Agent: 

To perform a compliance scan using the cloud agent, install the Qualys Cloud Agent on the worker node; the agent must be able to connect to the Qualys Cloud Platform.

The PA / PC scan relies on the kubectl CLI client.

Prerequisites Setup on Worker Node:

  1.  Install the kubectl client on the host using the root account.

  2.  Ensure that the kubectl binary and its parent folder are owned by the root user and group (root:root) and that no write permission is given to others.

  3.  Configure the kubectl client to connect to the EKS, AKS or GKE cluster. The default kubectl configuration file is /root/.kube/config.

  4.  Ensure that the kubectl configuration file and its parent folder are owned by the root user and group (root:root) and that no write permission is given to others.

  5.  Test the following commands as the root account. The Server Version returned by kubectl version is used to discover Kubernetes on the cluster and confirms connectivity to the cluster API server.

  • which kubectl

  • kubectl version -o='yaml'
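The prerequisite checks above (steps 2, 4 and 5), as an added POSIX shell example. This is not the Qualys host verification script referenced below, only a re-implementation of the listed checks; it assumes a Linux worker node with GNU coreutils (stat -c), that kubectl is on the root user's PATH, and that the kubeconfig is /root/.kube/config unless KUBECONFIG is set. The function and variable names are my own.

```sh
#!/bin/sh
# Added example: re-implements the prerequisite checks listed above.
# Not the Qualys host verification script. Assumes Linux + GNU coreutils (stat -c).

# Octal bits that must NOT be set: 2 = write for "others", as the prerequisites
# state. Use 18 (octal 022) to also reject group-writable files.
DENY_MASK=${DENY_MASK:-2}

# owner_perms_ok MODE UID GID
#   MODE is the octal mode from `stat -c %a` (e.g. 755 or 4755).
#   Returns 0 when the owner is root:root and no DENY_MASK bits are set.
owner_perms_ok() {
  mode=$1; uid=$2; gid=$3
  [ "$uid" = "0" ] && [ "$gid" = "0" ] || return 1
  # A leading 0 forces octal interpretation in shell arithmetic.
  [ $(( 0$mode & DENY_MASK )) -eq 0 ]
}

# check_path PATH : prints OK/FAIL for PATH, returns 1 on failure.
check_path() {
  p=$1
  if [ ! -e "$p" ]; then
    echo "FAIL: $p does not exist"
    return 1
  fi
  # Word-splitting of the stat output into $1 (mode) $2 (uid) $3 (gid) is intended.
  set -- $(stat -c '%a %u %g' "$p")
  if owner_perms_ok "$1" "$2" "$3"; then
    echo "OK:   $p (mode $1, owner $2:$3)"
  else
    echo "FAIL: $p must be root:root with no write bit for others (mode $1, owner $2:$3)"
    return 1
  fi
}

# check_kubectl_prereqs : runs every check; returns 0 only if all pass.
check_kubectl_prereqs() {
  rc=0
  kubectl_bin=$(command -v kubectl 2>/dev/null) || {
    echo "FAIL: kubectl not found in PATH"; return 1; }
  kubeconfig=${KUBECONFIG:-/root/.kube/config}
  # Binary, its parent folder, kubeconfig, its parent folder (steps 2 and 4).
  for f in "$kubectl_bin" "$(dirname "$kubectl_bin")" \
           "$kubeconfig" "$(dirname "$kubeconfig")"; do
    check_path "$f" || rc=1
  done
  # Step 5: a serverVersion key in the YAML output proves the API server was
  # reached; an unreachable cluster prints only clientVersion.
  if kubectl version -o yaml 2>/dev/null | grep -q '^serverVersion:'; then
    echo "OK:   kubectl reached the cluster API server"
  else
    echo "FAIL: kubectl version returned no serverVersion (check kubeconfig/connectivity)"
    rc=1
  fi
  return $rc
}

# Only run the checks when executed directly as check_kubectl_prereqs.sh
# (so the functions can also be sourced); must run as root or with sudo.
case "$0" in
  *check_kubectl_prereqs.sh)
    [ "$(id -u)" -eq 0 ] || { echo "run as root or with sudo" >&2; exit 1; }
    check_kubectl_prereqs ;;
esac
```

Save it as check_kubectl_prereqs.sh on the worker node and run it with sudo; a non-zero exit means at least one prerequisite is not met and the failing path or connectivity check is named in the output.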

Execute Verification Script 

To verify all the prerequisites listed above that are required to run the Kubernetes scan, and to print the result as output, execute the script below as the root user or with sudo:

host verification script