CLI Tool Commands and Parameters - Kubernetes IaC

Feature Deprecated

This feature has been deprecated and is no longer actively maintained. The documentation will remain available until further notice. For questions or issues, reach out to your CSM or to support through the Customer Support Portal.

After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or as a local executable, you're ready to use it with your Kubernetes infrastructure. InsightCloudSec supports scanning Helm charts, Kustomize overlays, and plain YAML manifest files. Kubernetes IaC scanning (including viewing the scan results) is currently available only through the CLI tool; nothing is recorded in the InsightCloudSec console. To scan Terraform and/or AWS CloudFormation Template (CFT) infrastructure, the CLI IaC Scanning Tool uses different commands and parameters, which are detailed on the CLI Commands and Parameters - Terraform and CloudFormation page.

Prerequisites

Before scanning Kubernetes files, make sure the scanning tool is set up (via Docker or as a local executable) and, if you use the executable, that you have renamed it as described below.

Rename Executable

When you first download the mimics executable, its file name is suffixed with the version and architecture. We recommend renaming it to mimics (for Mac/Linux) or mimics.exe (for Windows) for ease of use. The examples below and on other pages use the simplified executable name.

Flags & Parameters

There is only one command that invokes Kubernetes IaC scanning: kubechk. This command has no sub-commands. The flags and parameters are the same regardless of whether you run mimics as a local executable or via Docker.

Global Flags

  • --api-key (string): InsightCloudSec API key.
    Note: If using the Docker version of the CLI, pass this as a Docker environment variable instead (see the Docker Examples). Avoid placing the key directly on the command line in shared or CI environments, where it is visible in shell history and process listings.
  • --base-url (string): InsightCloudSec base URL, including protocol (e.g., http://localhost:8080/).
    Note: If using the Docker version of the CLI, pass this as a Docker environment variable instead (see the Docker Examples).
  • --ca-certificate (string): Sets the trusted certificate authorities for TLS verification using a CA bundle file (.pem). Supersedes --no-verify.
  • --config-file (string): Configuration file location (default: .mimics.yaml or $HOME/.mimics.yaml).
  • -h, --help (N/A): Displays the help menu. Contextual help for each command is also available as ./mimics help [command] or ./mimics [command] [-h|--help]. For commands that have sub-commands, use ./mimics [command] [sub-command] [-h|--help].
  • --no-color (N/A): Disables color output.
  • --no-verify (N/A): Disables TLS certificate verification for all API calls to InsightCloudSec. Superseded by --ca-certificate. Intended for local testing against a self-signed instance; in a pipeline, point --ca-certificate at your CA bundle instead.
  • --log-format (string): Sets the log format. Options: "text", "json" (default: "text").
  • --log-level (string): Sets the log level. Options: "trace", "debug", "info", "warn", "error", "fatal" (default: "info").
  • --log-path (string): Sets the log file path (default: "./log/mimics.log").

Kubernetes Flags

  • -d, --debug (N/A): Enables debug (trace-level) logging.
  • --expect (string): A Google CEL (Common Expression Language) expression evaluated against the scan summary; the scan is treated as failed when the expression is false, e.g., "(Critical + High) < 3".
  • -f, --filename (strings): One or more files (or directories) containing the configuration to scan; repeat the flag for multiple inputs, or use -f - to read from standard input. Files containing multiple YAML documents separated by '---' are supported.
  • -o, --output (string): Output format. Options: html, junit, yaml, json (default: html).
  • --outputfile (string): File name for the output (default: insightcloudsec.html).
  • -p, --report-passed (N/A): Include passed checks in the report.

Using mimics with Kubernetes

How you invoke the scanning tool depends on how you set it up. Below are several examples for each setup method. A few things to note before using mimics with Kubernetes:

  • Kubernetes IaC scans cannot be launched from the InsightCloudSec user interface
  • Scan results are not sent to the InsightCloudSec user interface either, so use the --outputfile flag to save them (and a machine-readable format such as -o json or -o junit if a pipeline will consume them)
  • Kubernetes IaC scan policies are currently not editable or configurable. All rules are executed, and a single rule failure marks the entire scan as failed.

Docker

Because the scanning tool is invoked using a public Docker image, the base kubechk command is more complicated than invoking the local executable:

bash
docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest kubechk [flags]

Important Docker Flags

InsightCloudSec recommends providing the following Docker flags with each invocation:

  • Use -v to mount a local directory as a volume that the container can read the manifests from
  • Use -e to pass environment variables into the container; two are needed: the InsightCloudSec base URL (MIMICS_BASE_URL) and the API key (MIMICS_API_KEY). If the key is already in the host environment, -e MIMICS_API_KEY with no value forwards it without putting the secret on the docker run command line.

Simple Example

bash
docker run \
  -v "$(pwd)":/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
  kubechk -f /data/mydeployment.yaml   # path as seen inside the container

Validate multiple YAML files

bash
docker run \
  -v "$(pwd)":/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
  kubechk -f /data/mydeployment.yaml -f /data/myotherdeployment.yaml

Local Executable

Validate all the resources found under the namespace "myns" of a cluster with kubectl get. Note that kubectl get all covers only a subset of resource kinds (it omits, for example, ConfigMaps, Secrets, Ingresses, NetworkPolicies and RBAC objects); list those kinds explicitly if you want them scanned.

bash
kubectl get all -n myns -o yaml | mimics kubechk --report-passed -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify

Validate resource kustomization

bash
kubectl kustomize helloWorld | mimics kubechk -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify

Validate Helm Chart

bash
helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify

Validate Helm Chart and fail the pipeline on Critical and High severity findings

bash
helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk --expect="(Critical + High) == 0" -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify
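Putting the flags documented above together in a CI job, as an added example that is not part of the original page or of the mimics tool itself: a wrapper that scans every manifest under a directory, writes a JUnit report for the CI system to pick up, and fails the job when the --expect expression is not met. It assumes the renamed mimics executable is on PATH (override with MIMICS=...), that the binary reads MIMICS_BASE_URL and MIMICS_API_KEY from the environment as the Docker examples imply, and that the CA bundle lives at the Debian/Ubuntu path /etc/ssl/certs/ca-certificates.crt unless MIMICS_CA_BUNDLE says otherwise; the exit-status behaviour of --expect is the one the preceding pipeline example relies on.

```bash
#!/usr/bin/env bash
# Added example (not from the InsightCloudSec docs or the mimics project):
# CI gate around `mimics kubechk`.
# Assumptions: the renamed executable is on PATH (override with MIMICS=...),
# mimics reads MIMICS_BASE_URL / MIMICS_API_KEY from the environment (as the
# Docker examples imply), and the CA bundle path below is Debian-style.
set -euo pipefail

MIMICS="${MIMICS:-mimics}"
CA_BUNDLE="${MIMICS_CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Refuse to run without credentials. The key comes from the environment
# (populated by the CI secret store) and is never placed on the command line,
# where it would show up in job logs, shell history and process listings.
require_credentials() {
  : "${MIMICS_BASE_URL:?set MIMICS_BASE_URL, e.g. https://ics.example.com/}"
  : "${MIMICS_API_KEY:?set MIMICS_API_KEY from your CI secret store}"
}

# Emit "-f" and a path on alternating lines for every YAML manifest under $1,
# so scan_dir can read them into an argument array without word-splitting.
manifest_args() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do printf -- '-f\n%s\n' "$f"; done
}

# Scan every manifest under $1, write a JUnit report to $2, and fail when any
# Critical or High finding is present. Returns the exit status of mimics,
# which the pipeline example above relies on being non-zero when --expect
# evaluates to false. Uses --ca-certificate rather than --no-verify so the
# API connection is actually authenticated in CI.
scan_dir() {
  local dir="$1" report="${2:-kubechk-results.xml}"
  local args=()
  while IFS= read -r a; do args+=("$a"); done < <(manifest_args "$dir")
  if [ "${#args[@]}" -eq 0 ]; then
    echo "scan_dir: no YAML manifests under $dir" >&2
    return 2
  fi
  "$MIMICS" kubechk \
    --ca-certificate "$CA_BUNDLE" \
    --log-format json \
    -o junit --outputfile "$report" \
    --expect '(Critical + High) == 0' \
    "${args[@]}"
}

# Typical CI step:
#   require_credentials && scan_dir ./deploy/k8s kubechk-results.xml
```

Because the report is written with -o junit to the path given as the second argument, the CI system can attach it as a test result; the job itself fails through the exit status of mimics, so no parsing of the HTML report is needed.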