CLI Tool Commands and Parameters - Kubernetes IaC

CLI Tool Commands and Parameters Overview for Kubernetes IaC

After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or a local executable, you're ready to start using it with your Kubernetes infrastructure. InsightCloudSec supports scanning Helm charts, Kustomize overlays, and plain YAML manifest files.

Note: Kubernetes IaC scanning functionality (including viewing the scan results) is currently only available via the CLI tool and not recorded in the InsightCloudSec cloud console. If you have questions or issues, reach out to us using the Customer Support Portal.


Scanning Terraform and CFT

To scan Terraform and/or AWS CloudFormation Template (CFT) infrastructure, the CLI IaC Scanning Tool utilizes different commands and parameters that are detailed on the CLI Commands and Parameters - Terraform and CloudFormation page.

Prerequisites

Before scanning Kubernetes files with the scanning tool, ensure you have the following:


Rename Executable

When you download the mimics executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to mimics (for Mac/Linux) or mimics.exe (for Windows) for ease of use. The examples below and on other pages utilize a simplified executable name.

Flags & Parameters

There is only one command to invoke Kubernetes IaC scanning: kubechk. This command has no sub-commands. The flags and parameters are the same regardless of whether you're running mimics as a local executable or via Docker. Flags listed below without a type take no value.

Global Flags

--api-key (string)
    API key for InsightCloudSec.
    Note: If using the Docker version of the CLI, pass this as the MIMICS_API_KEY environment variable instead (see the Docker examples below).

--base-url (string)
    URL where InsightCloudSec resides (default: "http://localhost:8001/").
    Note: If using the Docker version of the CLI, pass this as the MIMICS_BASE_URL environment variable instead (see the Docker examples below).

--ca-certificate (string)
    Sets the trusted authorities for SSL verification using a CA bundle file (.pem).

--config (string)
    Filepath for the configuration file (default: $HOME/.mimics.yaml).

-h, --help
    Displays the help menu. Contextual help for each command is also available as ./mimics help [command] or ./mimics [command] [-h|--help]. For commands that have sub-commands (kubechk has none), help is also available as ./mimics [command] [sub-command] [-h|--help].

--no-color
    Disables color output.

--no-verify
    Disables SSL verification for all API calls to InsightCloudSec. If --ca-certificate is also given, --ca-certificate takes precedence.

Kubernetes Flags

-d, --debug
    Enables debug trace level logging.

--expect (string)
    A Google CEL expression stating an expectation about the scan summary, e.g. "(Critical + High) < 3". Use it to decide what the scan is allowed to tolerate in a pipeline.

-f, --filename (strings)
    One or more file names (or directories) containing the configuration file(s) to scan. A single file holding multiple YAML documents separated by '---' is supported. Use -f - to read from standard input, as in the kubectl, kustomize, and helm examples below.

-o, --output (string)
    Output format. Options are: html, junit, yaml, and json. Default is html.

--outputfile (string)
    File name for the output. Default is insightcloudsec.html.

-p, --report-passed
    Includes passed checks in the report, not only failures.

Using mimics with Kubernetes

How you invoke the scanning tool depends on how you set it up. Below are examples for each setup method. A few things to note before using mimics with Kubernetes:

  • Kubernetes IaC scanning cannot be started from the InsightCloudSec user interface; it runs only from the CLI.
  • Scan results are not sent to the InsightCloudSec user interface either, so the report written locally (chosen with --output and --outputfile) is the only record of a scan. Keep it, for example as a CI artifact.
  • Kubernetes IaC scan policies are not editable or configurable currently. All rules are executed, and any single rule failure causes the entire scan to be marked as a failure.

Docker

Because the scanning tool runs from a public Docker image, the base kubechk command is longer than the local executable form:

docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest kubechk [flags]


Important Docker Flags

InsightCloudSec recommends providing the following Docker flags with each invocation:

  • Use -v to mount the directory containing your manifests into the container. The examples below mount the current directory at /data and pass file names relative to it.
  • Use -e to pass the two environment variables the image reads: MIMICS_BASE_URL (the InsightCloudSec URL) and MIMICS_API_KEY (the API key). Passing the key this way keeps it out of the command line and the shell history.

Simple Example

docker run \
-v $(pwd):/data \
-e MIMICS_BASE_URL=$ICS_BASE_URL \
-e MIMICS_API_KEY=$ICS_API_KEY \
public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
kubechk -f mydeployment.yaml

Validate multiple YAML files

docker run \
-v $(pwd):/data \
-e MIMICS_BASE_URL=$ICS_BASE_URL \
-e MIMICS_API_KEY=$ICS_API_KEY \
public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
kubechk -f mydeployment.yaml -f myotherdeployment.yaml

Local Executable

The examples below pass --no-verify because they target a local InsightCloudSec instance over plain http. Against an https endpoint with a private CA, use --ca-certificate with your CA bundle instead of disabling verification.

Validate all the resources found under the namespace "myns" of a cluster with kubectl get

kubectl get all -n myns -o yaml | mimics kubechk --report-passed -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify

Validate resource kustomization

kubectl kustomize helloWorld | mimics kubechk -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify

Validate Helm Chart

helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify

Validate Helm Chart and fail the pipeline on Critical and High severity findings

helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk --expect="(Critical + High) == 0" -f - \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify
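Wiring the last example into a CI job, as an added example that is not part of the InsightCloudSec documentation: the script below renders a chart with helm template, keeps the rendered YAML next to a JUnit report, runs kubechk on it with a CEL expectation, and returns a different status for a render failure than for a policy failure so the pipeline can tell them apart. It assumes mimics is on PATH (or that MIMICS points at the executable), that MIMICS_BASE_URL and MIMICS_API_KEY are exported, and that kubechk exits non-zero when the --expect expression is false, which is what the "fail the pipeline" example above relies on. The report directory and file names are this script's own choices, not anything the tool prescribes.

```shell
# Added example (not from the InsightCloudSec docs): a CI gate around kubechk.
# Assumptions: `mimics` is on PATH (override with MIMICS=/path/to/mimics),
# MIMICS_BASE_URL and MIMICS_API_KEY are exported, and kubechk exits non-zero
# when the --expect expression is false.
set -u

MIMICS="${MIMICS:-mimics}"
REPORT_DIR="${REPORT_DIR:-reports}"

# render_chart RELEASE CHART [helm args...]: write the rendered multi-document
# YAML to $REPORT_DIR/RELEASE.rendered.yaml so it survives as an artifact.
# Rendering to a file (rather than piping to -f -) lets a helm failure be
# detected without relying on bash-only pipefail.
render_chart() {
  release="$1"; chart="$2"; shift 2
  mkdir -p "$REPORT_DIR"
  helm template "$release" "$chart" "$@" > "$REPORT_DIR/$release.rendered.yaml"
}

# scan_rendered RELEASE EXPECT: scan the rendered file, write a JUnit report
# (the only record of the findings, since they never reach the console), and
# return kubechk's exit status.
scan_rendered() {
  release="$1"; expect="$2"
  "$MIMICS" kubechk \
    -f "$REPORT_DIR/$release.rendered.yaml" \
    --expect="$expect" \
    -o junit --outputfile "$REPORT_DIR/$release.junit.xml" \
    --report-passed
}

# gate RELEASE CHART EXPECT: 0 when the expectation holds, 1 when kubechk
# reports a violation, 2 when the chart could not be rendered at all.
gate() {
  release="$1"; chart="$2"; expect="$3"
  if ! render_chart "$release" "$chart"; then
    echo "helm template failed for $release" >&2
    return 2
  fi
  if scan_rendered "$release" "$expect"; then
    echo "kubechk: $release satisfied \"$expect\""
    return 0
  fi
  echo "kubechk: $release violated \"$expect\"; see $REPORT_DIR/$release.junit.xml" >&2
  return 1
}

# Run directly as: sh gate.sh kaudit deploy/charts/kaudit '(Critical + High) == 0'
if [ "$#" -eq 3 ]; then
  gate "$@"
fi
```

In a pipeline, upload $REPORT_DIR as an artifact on every outcome, since a failed gate is exactly when the JUnit file is needed; the exit code 2 path lets a broken chart fail the job without being mistaken for a policy finding.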
