mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-05-06 08:47:18 +00:00
Pablo Fernandez Guerra (PFE)
d23c2f3b53
Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
171 lines
6.7 KiB
Plaintext
171 lines
6.7 KiB
Plaintext
---
|
|
title: 'Getting Started with Kubernetes'
|
|
---
|
|
|
|
## Prowler Cloud
|
|
|
|
### Step 1: Access Prowler Cloud/App
|
|
|
|
1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
|
|
2. Go to "Configuration" > "Providers"
|
|
|
|
|
|
|
|
3. Click "Add Provider"
|
|
|
|
|
|
|
|
4. Select "Kubernetes"
|
|
|
|
5. Enter your Kubernetes Cluster context from your kubeconfig file and optionally provide a friendly alias
|
|
|
|
### Step 2: Configure Kubernetes Authentication
|
|
|
|
For Kubernetes, Prowler App uses a `kubeconfig` file to authenticate. Paste the contents of your `kubeconfig` file into the `Kubeconfig content` field.
|
|
|
|
By default, the `kubeconfig` file is located at `~/.kube/config`.
|
|
|
|
|
|
|
|
### Step 3: Additional Setup for EKS, GKE, AKS, or External Clusters
|
|
|
|
If you are adding an **EKS**, **GKE**, **AKS** or external cluster, follow these additional steps to ensure proper authentication:
|
|
|
|
**Make sure your cluster allows traffic from the Prowler Cloud IP address `52.48.254.174/32`**
|
|
|
|
1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the [`kubernetes` directory of the Prowler repository](https://github.com/prowler-cloud/prowler/tree/master/kubernetes)):
|
|
|
|
```console
|
|
kubectl apply -f kubernetes/prowler-sa.yaml
|
|
kubectl apply -f kubernetes/prowler-role.yaml
|
|
kubectl apply -f kubernetes/prowler-rolebinding.yaml
|
|
```
|
|
|
|
2. Generate a long-lived token for authentication:
|
|
|
|
```console
|
|
kubectl create token prowler-sa -n prowler-ns --duration=0
|
|
```
|
|
|
|
- **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Choose an appropriate expiration time based on security policies. For a limited-time token, set `--duration=<TIME>` (e.g., `--duration=24h`).
|
|
<Note>
|
|
**Important:** If the token expires, Prowler Cloud can no longer authenticate with the cluster. Generate a new token and **remove and re-add the provider in Prowler Cloud** with the updated `kubeconfig`.
|
|
</Note>
|
|
<Tip>
|
|
**Token Expiration Limits**
|
|
|
|
|
|
When the Kubernetes cluster has `--service-account-max-token-expiration` configured, any token requested with a duration exceeding the maximum allowed value (including `--duration=0`) is automatically reduced to the cluster's maximum token expiration time. As an alternative solution, create a legacy Secret manually. Although Kubernetes no longer creates these secrets automatically, manual creation and linking to a ServiceAccount is still supported. These tokens do not expire until the secret or ServiceAccount is deleted.
|
|
|
|
**Steps:**
|
|
|
|
1. Create a `secret-sa.yaml` file (or any preferred name) with the following content:
|
|
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: prowler-token-long-lived
|
|
namespace: prowler-ns
|
|
annotations:
|
|
kubernetes.io/service-account.name: "prowler-sa"
|
|
type: kubernetes.io/service-account-token
|
|
```
|
|
|
|
2. Apply the secret:
|
|
|
|
```console
|
|
kubectl apply -f secret-sa.yaml
|
|
```
|
|
|
|
3. Retrieve the token (which will be permanent):
|
|
|
|
```console
|
|
kubectl get secret prowler-token-long-lived -n prowler-ns -o jsonpath='{.data.token}' | base64 --decode
|
|
```
|
|
</Tip>
|
|
|
|
3. Update your `kubeconfig` to use the ServiceAccount token:
|
|
|
|
```console
|
|
kubectl config set-credentials prowler-sa --token=<SA_TOKEN>
|
|
kubectl config set-context <CONTEXT_NAME> --user=prowler-sa
|
|
```
|
|
|
|
Replace `<SA_TOKEN>` with the generated token and `<CONTEXT_NAME>` with your KubeConfig Context Name of your EKS, GKE or AKS cluster.
|
|
|
|
4. Add the modified `kubeconfig` in Prowler Cloud and test the connection.
|
|
|
|
## Prowler CLI
|
|
|
|
### Non In-Cluster Execution
|
|
|
|
For execution outside the cluster environment, specify the location of the [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file using the following argument:
|
|
|
|
```console
|
|
prowler kubernetes --kubeconfig-file /path/to/kubeconfig
|
|
```
|
|
|
|
<Note>
|
|
If no `--kubeconfig-file` is provided, Prowler will use the default KubeConfig file location (`~/.kube/config`).
|
|
|
|
</Note>
|
|
|
|
<Note>
|
|
`prowler` will scan the active Kubernetes context by default. Use the [`--context`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/context/) flag to specify the context to be scanned.
|
|
|
|
</Note>
|
|
|
|
<Note>
|
|
By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned.
|
|
|
|
</Note>
|
|
|
|
### In-Cluster Execution
|
|
|
|
For in-cluster execution, use the supplied yaml files inside `/kubernetes`:
|
|
|
|
* [prowler-sa.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-sa.yaml)
|
|
* [job.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/job.yaml)
|
|
* [prowler-role.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-role.yaml)
|
|
* [prowler-rolebinding.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-rolebinding.yaml)
|
|
|
|
They can be used to run Prowler as a job within a new Prowler namespace:
|
|
|
|
```console
|
|
kubectl apply -f kubernetes/prowler-sa.yaml
|
|
kubectl apply -f kubernetes/job.yaml
|
|
kubectl apply -f kubernetes/prowler-role.yaml
|
|
kubectl apply -f kubernetes/prowler-rolebinding.yaml
|
|
kubectl get pods --namespace prowler-ns --> prowler-XXXXX
|
|
kubectl logs prowler-XXXXX --namespace prowler-ns
|
|
```
|
|
|
|
<Note>
|
|
By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned.
|
|
|
|
</Note>
|
|
<Tip>
|
|
**Identifying the cluster in reports**
|
|
|
|
When running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default.
|
|
|
|
To uniquely identify the cluster in logs and reports:
|
|
|
|
- Use the `--cluster-name` flag to manually set the cluster name:
|
|
```bash
|
|
prowler -p kubernetes --cluster-name production-cluster
|
|
```
|
|
- Or set the `CLUSTER_NAME` environment variable:
|
|
```yaml
|
|
env:
|
|
- name: CLUSTER_NAME
|
|
value: production-cluster
|
|
```
|
|
|
|
</Tip>
|
|
|
|
<Tip>
|
|
To set up a production-ready CronJob that runs Prowler on a schedule and sends findings to Prowler Cloud, see the [Run Kubernetes In-Cluster and Send Findings to Prowler Cloud](/user-guide/cookbooks/kubernetes-in-cluster) cookbook.
|
|
</Tip>
|