CLI Tool Commands and Parameters - Kubernetes IaC
Feature Deprecated
This feature has been deprecated and is no longer actively maintained. The documentation will remain available until further notice. For questions or issues, reach out to your CSM or to support through the Customer Support Portal.
After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or local executable, you're ready to start using it with your Kubernetes infrastructure. InsightCloudSec supports scanning Helm charts, Kustomize overlays, and YAML manifest files. Kubernetes IaC scanning functionality (including viewing the scan results) is currently only available via the CLI tool and is not recorded in the InsightCloudSec console. To scan Terraform and/or AWS CloudFormation Template (CFT) infrastructure, the CLI IaC Scanning Tool uses different commands and parameters, which are detailed on the CLI Commands and Parameters - Terraform and CloudFormation page.
Prerequisites
Before scanning Kubernetes files with the scanning tool, ensure you have the following:
- The scanning tool is set up properly
- A user in InsightCloudSec with the Editor or greater entitlement for IaC
- An API key for your user
- Review Users, Groups, and Roles (Administration) for more information on creating an API key via the UI
- Check out Kubernetes - IaC Supported Resources for details on what is supported
Rename Executable
When you download the `mimics` executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to `mimics` (for Mac/Linux) or `mimics.exe` (for Windows) for ease of use. The examples below and on other pages use a simplified executable name.
Flags & Parameters
There is only one command to invoke Kubernetes IaC scanning: `kubechk`. This command does not have any sub-commands. The flags and parameters are the same regardless of whether you're using `mimics` via local executable or Docker.
Global Flags
Name | Type | Description |
---|---|---|
--api-key | string | InsightCloudSec API Key. Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information |
--base-url | string | InsightCloudSec base URL, including protocol (e.g., http://localhost:8080/ ) Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information |
--ca-certificate | string | Sets the trusted authorities for SSL verification using a CA bundle file (.pem) (supersedes --no-verify ) |
--config-file | string | Configuration file location (default: .mimics.yaml or $HOME/.mimics.yaml ) |
-h , --help | N/A | Displays the help menu. Contextual help for each command is also available in the following formats: ./mimics help [command] or ./mimics [command] [-h|--help] Because each command may have sub-commands, the help menu is also available in this format: ./mimics [command] [sub-command] [-h|--help] |
--no-color | N/A | Disables color output |
--no-verify | N/A | Disables SSL verification for all API calls to InsightCloudSec. This is superseded by the usage of --ca-certificate |
--log-format | string | Sets the log format. Options: "text" , "json" (default: "text" ) |
--log-level | string | Sets the log level. Options: "trace" , "debug" , "info" , "warn" , "error" , "fatal" (default: "info" ) |
--log-path | string | Sets the log file path (default: "./log/mimics.log" ) |
Kubernetes Flags
Name | Type | Description |
---|---|---|
-d , --debug | N/A | Debug trace level |
--expect | string | Specify a Google CEL expression to indicate an expectation from the scan summary, e.g, "(Critical + High) < 3" |
-f , --filename | strings | One or more file names (or directories) that contain the configuration file(s) to scan. Multiple files separated with a '---' is supported |
-o , --output | string | Output format. Options are: html , junit , yaml , and json . Default is html |
--outputfile | string | File name for the output. Default is insightcloudsec.html |
-p , --report-passed | N/A | Report passed checks |
Using `mimics` with Kubernetes
Use of the scanning tool depends on how you set it up. Below are several examples using the scanning tool with each setup method. A few things to note before using `mimics` with Kubernetes:
- Kubernetes IaC scanning is not available in the InsightCloudSec user interface
- Kubernetes IaC scanning results are also not available in the InsightCloudSec user interface, so ensure you use the `--outputfile` flag to save your results
- Kubernetes IaC scan policies are not editable or configurable currently. All rules will be executed and any single rule failure will cause the entire scan to be marked as a failure.
Docker
Because the scanning tool is invoked using a public Docker image, the base `kubechk` command is more complicated than invoking the local executable:

```bash
docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest kubechk [flags]
```
Important Docker Flags
InsightCloudSec recommends providing the following Docker flags with each invocation:
- Use `-v` to establish a local volume that the Docker container can pull files from
- Use `-e` to establish an environment variable the Docker container recognizes. Two variables will need to be passed into the image: the InsightCloudSec URL and the API Key
Simple Example
```bash
# Mount the current directory into the container and pass credentials as environment variables
docker run \
  -v "$(pwd)":/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
  kubechk -f mydeployment.yaml
```
Validate multiple YAML files
```bash
# Each -f flag adds another manifest to the same scan
docker run \
  -v "$(pwd)":/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest \
  kubechk -f mydeployment.yaml -f myotherdeployment.yaml
```
Local Executable
Validate all the resources found under the namespace "myns" of a cluster with `kubectl get`

```bash
# -f - reads the manifest stream from stdin
kubectl get all -n myns -o yaml | mimics kubechk --report-passed -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify
```
Validate resource kustomization
```bash
kubectl kustomize helloWorld | mimics kubechk -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify
```
Validate Helm Chart
```bash
helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify
```
Validate Helm Chart and fail the pipeline on Critical and High severity findings
```bash
# --expect takes a CEL expression over the scan summary; the scan fails if it is false
helm template kaudit deploy/charts/kaudit --set k8sAuditEnvironment=eks | mimics kubechk --expect="(Critical + High) == 0" -f - \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify
```