Scan Setup and Privilege Level for Kubernetes

Kubernetes simplifies container management by automating operational tasks and providing built-in commands for deploying applications, rolling out updates, scaling applications to meet changing demands, monitoring performance, and streamlining the overall application management process.

When you scan for a Kubernetes instance, you must consider the following prerequisites.

Kubectl Utility

kubectl is the primary tool for interacting with Kubernetes clusters. It is used for managing cluster resources, executing commands against clusters, and reading cluster configuration. Without kubectl on the scanned host, the control evaluation cannot perform the necessary checks on the Kubernetes environment.

Pre-requisites:

For more information on installing and configuring kubectl, refer to the following links:

Note: A Kubernetes environment is detected only when kubectl is installed on the host and the user running the scan has permission to execute it.

Kubectl Configuration File

A kubectl configuration file, referred to as a kubeconfig file, is a YAML-formatted file that the kubectl command-line utility uses to configure access to Kubernetes clusters. It contains the authentication credentials, cluster endpoints, context settings, and other details that kubectl needs to communicate with a cluster. Because it carries credentials, the file must be readable by the scan user but should not be readable by other users on the host.

Note: Before running the scan, verify which kubeconfig file kubectl is currently using (for example with kubectl config current-context and kubectl config view) and confirm that its context can reach the cluster, so that the same file works for the scan.

kubectl locates the kubeconfig file using the following precedence, and the scan uses whichever file kubectl resolves. The file must therefore be present in one of these locations:

  1. If the --kubeconfig flag is set, only that file is loaded. The flag may be set only once, and no merging takes place.
  2. Otherwise, if the $KUBECONFIG environment variable is set, it is used as a list of paths (following the normal path-delimiting rules for your system, ":" on Linux and macOS). These paths are merged:
     1. When a value is modified, it is modified in the file that defines the stanza.
     2. When a value is created, it is created in the first file in the list that exists.
     3. If no file in the list exists, the last file in the list is created.
  3. Otherwise, ${HOME}/.kube/config is used, and no merging takes place.

Note: A Kubernetes environment is detected only when a kubeconfig file is present in one of the locations listed above and is readable by the scan user.
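The following script is an added example and is not the Host Verification Script described on this page. It implements the kubeconfig resolution order above in shell, reports whether each resolved file exists and is readable by the current user, and then runs read-only kubectl probes (kubectl config current-context, kubectl cluster-info and kubectl auth can-i, all of which exist in stock kubectl) to confirm the resolved context can reach the cluster, which also exercises the kubectl prerequisite from the previous section. The file name kubeconfig_preflight.sh and the --check entry point are hypothetical choices.

```shell
#!/bin/sh
# Added example, not the Host Verification Script described on this page.
# Resolves which kubeconfig file(s) kubectl will load, following the
# precedence rules above, and then (if kubectl is installed) runs read-only
# probes to confirm the resolved context can reach the cluster.
# The file name kubeconfig_preflight.sh is a hypothetical choice.

# resolve_kubeconfig [--kubeconfig PATH]
# Prints the file(s) kubectl would load, one per line:
#   1. --kubeconfig PATH  (exactly one file, no merging)
#   2. $KUBECONFIG        (':'-separated list on Linux/macOS, merged by kubectl)
#   3. $HOME/.kube/config (default)
resolve_kubeconfig() {
  if [ "${1:-}" = "--kubeconfig" ] && [ -n "${2:-}" ]; then
    printf '%s\n' "$2"
    return 0
  fi
  if [ -n "${KUBECONFIG:-}" ]; then
    # Split the list on ':' and drop empty entries (e.g. a trailing ':').
    printf '%s\n' "$KUBECONFIG" | tr ':' '\n' | sed '/^$/d'
    return 0
  fi
  printf '%s\n' "${HOME}/.kube/config"
}

# check_kubeconfig_files [--kubeconfig PATH]
# Reports each resolved file; returns 0 if at least one exists and is readable
# by the current user (the scan user), 1 otherwise.
check_kubeconfig_files() {
  found=1
  files=$(resolve_kubeconfig "$@")
  # Read line by line so paths containing spaces are not split.
  while IFS= read -r f; do
    if [ -n "$f" ] && [ -r "$f" ]; then
      printf 'ok: %s\n' "$f"
      found=0
    else
      printf 'missing or unreadable: %s\n' "$f"
    fi
  done <<EOF
$files
EOF
  return $found
}

# preflight_kubectl [--kubeconfig PATH]
# Read-only checks using kubectl subcommands that exist in stock kubectl.
# Any global flags given (e.g. --kubeconfig) are passed through to kubectl.
# Distinct return codes show which prerequisite failed.
preflight_kubectl() {
  command -v kubectl >/dev/null 2>&1 || { echo 'kubectl not found in PATH'; return 2; }
  ctx=$(kubectl "$@" config current-context 2>/dev/null) \
    || { echo 'kubeconfig has no current context'; return 3; }
  printf 'current context: %s\n' "$ctx"
  kubectl "$@" cluster-info >/dev/null 2>&1 \
    || { echo 'API server not reachable with this context'; return 4; }
  # The identity must at least be able to enumerate workloads cluster-wide;
  # a namespace-scoped or unauthorised identity fails here (can-i exits 1 on "no").
  kubectl "$@" auth can-i list pods --all-namespaces >/dev/null 2>&1 \
    || { echo 'identity cannot list pods cluster-wide'; return 5; }
  echo 'kubectl preflight ok'
}

# Usage: sh kubeconfig_preflight.sh --check [--kubeconfig PATH]
case "${1:-}" in
  --check) shift; check_kubeconfig_files "$@" && preflight_kubectl "$@" ;;
esac
```

Run it as the same user the scan will run under, since readability of the kubeconfig is checked against that identity; a file that is readable by root but not by the scan user still fails the check.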

Scan Prerequisites Validation Script for Kubernetes

You must run the Host Verification Script, kubernetes_scan_privilege_check.sh, as the root user or with sudo.

This script validates all the prerequisites required to run the Kubernetes scan for policy compliance. When it finishes, it reports whether each prerequisite is satisfied or misconfigured. Fix each reported error and re-run the script until it displays the message "All the prerequisite steps are satisfying to scan Kubernetes".