CLI Tool Commands and Parameters - Kubernetes IaC
CLI Tool Commands and Parameters Overview for Kubernetes IaC
After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or local executable, you're ready to start using it with your Kubernetes infrastructure. InsightCloudSec supports scanning Helm charts, Kustomize overlays, and YAML manifest files.
Note: Kubernetes IaC scanning functionality (including viewing the scan results) is currently only available via the CLI tool and not recorded in the InsightCloudSec cloud console. If you have questions or issues, reach out to us using the Customer Support Portal.
Scanning Terraform and CFT
To scan Terraform and/or AWS CloudFormation Template (CFT) infrastructure, the CLI IaC Scanning Tool utilizes different commands and parameters that are detailed on the CLI Commands and Parameters - Terraform and CloudFormation page.
Prerequisites
Before scanning Kubernetes files with the scanning tool, ensure you have the following:
- The scanning tool is set up properly
- A user in InsightCloudSec with the Editor or greater entitlement for IaC
- An API key for your user
- Review Users, Groups, and Roles (Administration) for more information on creating an API key via the UI
- Check out Kubernetes - IaC Supported Resources for details on what is supported
Rename Executable
When you download the mimics executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to mimics (for Mac/Linux) or mimics.exe (for Windows) for ease of use. The examples below and on other pages use a simplified executable name.
Flags & Parameters
There is only one command to invoke Kubernetes IaC scanning: kubechk. This command does not have any sub-commands. The flags and parameters are the same regardless of whether you're using mimics via local executable or Docker.
Global Flags
Name | Type | Description |
---|---|---|
--api-key | string | InsightCloudSec API key. Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information |
--base-url | string | InsightCloudSec base URL, including protocol (e.g., http://localhost:8080/). Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information |
--ca-certificate | string | Sets the trusted authorities for SSL verification using a CA bundle file (.pem) (supersedes --no-verify) |
--config-file | string | Configuration file location (default: .mimics.yaml or $HOME/.mimics.yaml) |
-h, --help | N/A | Displays the help menu. Contextual help for each command is also available in the following formats: ./mimics help [command] or ./mimics [command] [-h\|--help]. Because each command may have sub-commands, the help menu is also available in this format: ./mimics [command] [sub-command] [-h\|--help] |
--no-color | N/A | Disables color output |
--no-verify | N/A | Disables SSL verification for all API calls to InsightCloudSec. This is superseded by the usage of --ca-certificate |
--log-format | string | Sets the log format. Options: "text", "json" (default: "text") |
--log-level | string | Sets the log level. Options: "trace", "debug", "info", "warn", "error", "fatal" (default: "info") |
--log-path | string | Sets the log file path (default: "./log/mimics.log") |
Kubernetes Flags
Name | Type | Description |
---|---|---|
-d, --debug | N/A | Debug trace level |
--expect | string | Specify a Google CEL expression to indicate an expectation from the scan summary, e.g., "(Critical + High) < 3" |
-f, --filename | strings | One or more file names (or directories) that contain the configuration file(s) to scan. Multiple YAML documents separated with '---' are supported |
-o, --output | string | Output format. Options are: html, junit, yaml, and json. Default is html |
--outputfile | string | File name for the output. Default is insightcloudsec.html |
-p, --report-passed | N/A | Report passed checks |
Using mimics with Kubernetes
Use of the scanning tool depends on how you set it up. Below are several examples using the scanning tool with each setup method. A few things to note before using mimics with Kubernetes:
- Kubernetes IaC scanning is not available in the InsightCloudSec user interface
- Kubernetes IaC scanning results are also not available in the InsightCloudSec user interface, so ensure you use the --outputfile flag to save your results
- Kubernetes IaC scan policies are not editable or configurable currently. All rules will be executed and any single rule failure will cause the entire scan to be marked as a failure.
Docker
Because the scanning tool is invoked using a public Docker image, the base kubechk command is more complicated than invoking the local executable:
docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest kubechk [flags]
Important Docker Flags
InsightCloudSec recommends providing the following Docker flags with each invocation:
- Use -v to establish a local volume that the Docker container can pull files from
- Use -e to establish an environment variable the Docker container recognizes. Two variables need to be passed into the image: the InsightCloudSec URL and the API key
Simple Example
docker run \
-v $(pwd):/data \
-e MIMICS_BASE_URL=$ICS_BASE_URL \
-e MIMICS_API_KEY=$ICS_API_KEY \
public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
kubechk -f mydeployment.yaml
Validate multiple YAML files
docker run \
-v $(pwd):/data \
-e MIMICS_BASE_URL=$ICS_BASE_URL \
-e MIMICS_API_KEY=$ICS_API_KEY \
public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
kubechk -f mydeployment.yaml -f myotherdeployment.yaml
Local Executable
Validate all the resources found under the namespace "myns" of a cluster with kubectl get
kubectl get all -n myns -o yaml | mimics kubechk --report-passed -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify
Validate resource kustomization
kubectl kustomize helloWorld | mimics kubechk -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify
Validate Helm Chart
helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify
Validate Helm Chart and fail the pipeline on Critical and High severity findings
helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk --expect="(Critical + High) == 0" -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify
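The expression passed to --expect is evaluated against the severity counts in the scan summary. As an added illustration that is not part of mimics, the following Python evaluates the same kind of expectation (severity names, integer literals, + and -, and one comparison) against a constructed summary, rejecting any other syntax so an expression taken from a pipeline variable cannot execute arbitrary code. The severity names other than Critical and High, and the summary shape, are assumptions.

```python
import ast
import operator

# Severity counters an expectation may reference. "Critical" and "High" appear
# in the page's examples; the remaining names are assumed for illustration.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub}
_CMP_OPS = {
    ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
    ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}

# Constructed sample summary: the tool's real output schema is not shown on
# this page, so these counts are illustrative only.
SAMPLE_SUMMARY = {"Critical": 1, "High": 2, "Medium": 4, "Low": 0}


def evaluate_expectation(expr: str, summary: dict) -> bool:
    """Evaluate a "(Critical + High) < 3"-style expectation against counts.
    Only severity names, integer literals, + and -, and one comparison are
    accepted; anything else raises ValueError instead of being executed."""

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant):
            if isinstance(node.value, bool) or not isinstance(node.value, int):
                raise ValueError("only integer literals are allowed")
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in SEVERITIES:
                raise ValueError(f"unknown identifier: {node.id}")
            return int(summary.get(node.id, 0))  # missing severity counts as 0
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 \
                and type(node.ops[0]) in _CMP_OPS:
            return _CMP_OPS[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        raise ValueError(f"unsupported syntax: {type(node).__name__}")

    result = walk(ast.parse(expr.strip(), mode="eval"))
    if not isinstance(result, bool):
        raise ValueError("expectation must be a comparison")
    return result


def gate_exit_code(expr: str, summary: dict) -> int:
    """CI-style gate: 0 when the expectation holds, 1 when it does not."""
    return 0 if evaluate_expectation(expr, summary) else 1
```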