A K8s admission controller for security and operational best practices (Based on Checkov)
Whorf is your last line of defence against deploying vulnerable or misconfigured Kubernetes objects.
It is deployed by running the setup.sh script. The script downloads the default Kubernetes objects into a local bridgecrew directory, customises them to your local requirements, and deploys them into the Kubernetes cluster currently in context.
curl -o setup.sh https://raw.githubusercontent.com/bridgecrewio/checkov/master/admissioncontroller/setup.sh
chmod +x ./setup.sh
Get an API key
./setup.sh <a unique cluster name> <bc-api-key>
To uninstall, delete the objects from the generated bridgecrew<timestamp> directory:
kubectl delete -f bridgecrew<timestamp>
After installation, the checks that would block a Kubernetes object from being deployed are created and deployed as a Kubernetes ConfigMap.
The default checks are only a small subset of the full Kubernetes check range, focusing on root and privileged access and capabilities.
They can be found in the file checkovconfig.yaml. The default example is below, where k8sac/cluster would be replaced with k8sac/<your cluster name>.
apiVersion: v1
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: checkovconfig
  namespace: bridgecrew
data:
  .checkov.yaml: |
    branch: master
    repo-id: k8sac/cluster
    download-external-modules: false
    evaluate-variables: true
    external-modules-download-path: .external_modules
    framework: kubernetes
    hard-fail-on:
    - CKV_K8S_1
    - CKV_K8S_2
    - CKV_K8S_3
    - CKV_K8S_4
    - CKV_K8S_5
    - CKV_K8S_6
    - CKV_K8S_7
    - CKV_K8S_16
    - CKV_K8S_17
    - CKV_K8S_18
    - CKV_K8S_19
    - CKV_K8S_20
    - CKV_K8S_21
    - CKV_K8S_23
    - CKV_K8S_27
    - CKV_K8S_39
    - CKV_K8S_49
    output:
    - json
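The admission decision the ConfigMap drives is a simple rule: of all the checks Checkov reports as failed in its JSON output, only those listed under hard-fail-on block the object. The following is an added illustration of that rule, not Whorf's own code; it uses the hard-fail-on list from the ConfigMap above, a constructed Checkov JSON result, and the standard Kubernetes AdmissionReview response shape.

```python
import json

# hard-fail-on list copied from the checkovconfig ConfigMap above
HARD_FAIL_ON = {
    "CKV_K8S_1", "CKV_K8S_2", "CKV_K8S_3", "CKV_K8S_4", "CKV_K8S_5",
    "CKV_K8S_6", "CKV_K8S_7", "CKV_K8S_16", "CKV_K8S_17", "CKV_K8S_18",
    "CKV_K8S_19", "CKV_K8S_20", "CKV_K8S_21", "CKV_K8S_23", "CKV_K8S_27",
    "CKV_K8S_39", "CKV_K8S_49",
}

# Constructed sample in the shape of checkov's JSON output (output: - json)
# for one scanned Pod: one privileged-container failure that is on the
# hard-fail-on list, and one resource-limits failure that is not.
SAMPLE_CHECKOV_JSON = json.dumps({
    "check_type": "kubernetes",
    "results": {
        "passed_checks": [{"check_id": "CKV_K8S_17", "resource": "Pod.default.web"}],
        "failed_checks": [
            {"check_id": "CKV_K8S_16", "check_name": "Container should not be privileged",
             "resource": "Pod.default.web"},
            {"check_id": "CKV_K8S_12", "check_name": "Memory requests should be set",
             "resource": "Pod.default.web"},
        ],
    },
})


def blocking_failures(checkov_json, hard_fail_on=HARD_FAIL_ON):
    """Return the failed checks whose check_id is in the hard-fail-on list."""
    report = json.loads(checkov_json)
    reports = report if isinstance(report, list) else [report]  # multi-framework runs emit a list
    blocking = []
    for r in reports:
        for check in r.get("results", {}).get("failed_checks", []):
            if check["check_id"] in hard_fail_on:
                blocking.append(check)
    return blocking


def admission_response(request_uid, checkov_json, hard_fail_on=HARD_FAIL_ON):
    """Build an AdmissionReview response: deny only when a hard-fail check failed."""
    blocking = blocking_failures(checkov_json, hard_fail_on)
    response = {"uid": request_uid, "allowed": not blocking}
    if blocking:
        reasons = "; ".join(f"{c['check_id']}: {c['check_name']} ({c['resource']})" for c in blocking)
        response["status"] = {"code": 403, "message": "Blocked by checkov hard-fail-on checks: " + reasons}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


if __name__ == "__main__":
    print(json.dumps(admission_response("constructed-uid-1234", SAMPLE_CHECKOV_JSON), indent=2))
```

Failures outside the hard-fail-on list (CKV_K8S_12 here) are reported but do not deny admission, which is why the default list is deliberately narrow.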