Kubernetes Remote Scanner

Cloud Security (InsightCloudSec)’s new Kubernetes Remote Scanner expands our existing Kubernetes Security Guardrails and Container Vulnerability Assessment capabilities by improving Cloud Security (InsightCloudSec)’s agentless approach for better usability and simplified operation of harvesting Kubernetes entities that exist within different Kubernetes clusters running across different cloud accounts. This solution currently only works with managed clusters.

Feature Overview

Cloud Security (InsightCloudSec) harvests the Kubernetes services via the cloud provider API and creates a Kubernetes cluster entry linked under your cloud account.
Cluster access is generated using the account access credentials provided by the user.
Cluster resources are harvested and associated with the parent cloud account.
Cloud Security (InsightCloudSec) automatically performs a scan, repeating scans periodically at a defined interval.
Cloud Security (InsightCloudSec) automatically synchronizes the badges associated with the cloud account that contains the Kubernetes service and the tags associated with the Kubernetes cluster into the cloud account that represents the cluster. This allows the user to filter the Kubernetes resources and insights using these badges and tags.
To migrate between scanners, refer to the instructions on the Clusters Account Setup & Management page.

Prerequisites & Deployment

The Kubernetes Remote Scanner requires the appropriate configuration and permissions for your desired Cloud Service Provider (CSP) accounts (e.g., EKS, AKS) in order to harvest and populate cloud accounts built on the data associated with your clusters. Before getting started with the Kubernetes Remote Scanner you will need to ensure you have the following:

An existing Cloud Security (InsightCloudSec) installation (version 22.10.26 or later)
Appropriate permissions for your desired Cloud Service Providers in order to harvest the resource information specific to each provider
An existing Kubernetes cluster with network access available to Cloud Security (InsightCloudSec)
- Ports 443 and 6443 are used for communications from Cloud Security (InsightCloudSec) to Kubernetes clusters
- In general, we recommend that Network access be provided through a dedicated access list for Cloud Security (InsightCloudSec)

Configuring Permissions

Depending on your preferred cloud service providers, you must provision the following permissions to enable the Kubernetes Remote Scanner.

ℹ️

Subjectaccessreview Details

For more information on the subjectaccessreview permission, see the Kubernetes Scanners Overview FAQ.

AWS

The following permissions are required for Cloud Security (InsightCloudSec) to access the Elastic Kubernetes Service (EKS):


"eks:DescribeCluster",
"eks:ListClusters"

Azure

The following permissions are required for Cloud Security (InsightCloudSec) to retrieve the credentials needed to authenticate and connect to AKS clusters for scanning purposes:


"actions": [
  "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
  "Microsoft.ContainerService/managedClusters/read"
]

The following data-level permissions are required for Cloud Security (InsightCloudSec) to read all cluster resources and create subjectaccessreviews to validate access permissions within the Kubernetes cluster:


"dataActions": [
  "Microsoft.ContainerService/managedClusters/*/read",
  "Microsoft.ContainerService/managedClusters/authorization.k8s.io/subjectaccessreviews/write"
]

GCP

The following permissions/roles are needed for a service account in order to scan a Kubernetes cluster in the Google Kubernetes Engine (GKE):

Kubernetes Engine Cluster Viewer (roles/container.clusterViewer)
- Provides access to get and list GKE clusters and get cluster credentials.
- Note: This role is a subset of the Kubernetes Engine Viewer role (roles/container.viewer)
- Provides permissions: container.clusters.get, container.clusters.list, resourcemanager.projects.get, resourcemanager.projects.list
Kubernetes Engine Viewer (roles/container.viewer)
- Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects
- Review the GCP documentation for more information about the permissions this role provides
Permission needed for secrets visibility and validation: container.secrets.list
Permission needed for subjectaccessreview creation: container.subjectAccessReviews.create

ℹ️

Onboarding Roles

One of the recommended roles for onboarding a GCP account, the Viewer role (roles/viewer), includes most of the permissions above.

Configuring Kubernetes Access

Currently, Cloud Security (InsightCloudSec) offers support for the following CSPs and their Kubernetes service equivalents:

AWS (Elastic Kubernetes Service (EKS))
Azure (Azure Kubernetes Service (AKS))
GCP (Google Kubernetes Engine (GKE))

AWS (EKS)

To enable access for EKS you will need to either update your existing AWS IAM Role/Read Access Permissions Cloud Security (InsightCloudSec) Harvester role to include EKS or configure a new (dedicated, separate) AWS role for Cloud Security (InsightCloudSec) that provides read access to EKS. Rapid7 recommends using your existing AWS IAM Role for Cloud Security (InsightCloudSec) (the “harvesting” role) and update the configuration to provide read access to EKS clusters resources. To provide the role access to the Kubernetes clusters you will need to configure the role ARN in the cloud account and allow Cloud Security (InsightCloudSec) the permission to assume this role. Otherwise, you must create a new role and provide the harvester role with read access permissions to the EKS cluster. The specific permissions are listed in Configuring Permissions. For both options, the role needs to be configured in the aws-auth ConfigMap in each EKS cluster.

ℹ️

New Onboarding

As of Cloud Security (InsightCloudSec) v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles. This means it is easiest to perform Container Vulnerability Assessment (CVA) configuration while onboarding an account/organization. Review AWS Cloud - Onboarding for more information.

Update existing role (recommended)

Provisioning access permission for reading the Kubernetes cluster resources from EKS requires the following steps:

Define the access permissions in the EKS cluster RBAC:
- Create a ClusterRole using the provided YAML file that allows read access to all Kubernetes resources
- Create a ClusterRoleBinding to a Kubernetes RBAC group; this will bind the role to all service accounts that are under the provided group
MAP an IAM role using eksctl or by directly editing the ConfigMap. Refer to the AWS Docs for details

Open a command shell within the desired directory and run the following command to connect to your Kubernetes cluster in the command line, ensuring you replace the placeholder values appropriately: aws eks --region <region-name> update-kubeconfig --name <cluster-name>.
Review the AWS EKS Documentation for more information.

Copy the following example file to a local file to the desired directory and save it as ClusterRole-Create.yaml:


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader-role
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create

Within the desired directory, run this command to create the cluster role in Kubernetes: kubectl apply -f ClusterRole-Create.yaml

In the same directory, copy the following example file to a local file and save it as ClusterRoleBinding-Apply.yaml:


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader-role
subjects:
  - kind: Group
    name: cluster-reader-group
    apiGroup: rbac.authorization.k8s.io

In the same command shell, run this command to create the cluster role in Kubernetes: kubectl apply -f ClusterRoleBinding-Apply.yaml

The final step is to map the existing IAM role to the cluster-reader-group by configuring aws-auth ConfigMap. There are two ways to perform this configuration:

Using eksctl, an open source tool that simplifies the configuration of EKS.
Directly editing the ConfigMap

ℹ️

Recommended Implementation

We encourage you to use the standard harvesting role by default because it already has the established trust relationship to the harvesting role (for example, arn:aws:iam::{account_id}:role/rapid7-consolidated).

As a prerequisite to this step, you will need to know the ARN for the harvester role for making this mapping (e.g., arn:aws:iam::050283019178:role/rapid7-readonly).

You can find this role under Cloud > Clouds on the individual cloud settings page in the Account Information card.

Using eksctl

If you haven’t already, download and install ekstctl.
Use the following command to perform the configuration:


eksctl create iamidentitymapping \
    --cluster my-cluster \
    --region=region-code \
    --arn arn:aws:iam::111122223333:role/rapid7-readonly \
    --group cluster-reader-group \
    --no-duplicate-arns

Directly edit the ConfigMap

Run the following command to open the ConfigMap for editing: kubectl edit -n kube-system configmap/aws-auth.
This will open vim by default; if you prefer to use a different editor, like nano, use the following command instead: KUBE_EDITOR="nano" kubectl edit -n kube-system configmap/aws-auth
Adjust the maproles section to look something like the example below, ensuring you replace the rolearn with the harvesting role mentioned above:


apiVersion: v1
data:
  mapRoles: |
    - groups:
      - cluster-reader-group
      rolearn: arn:aws:iam::111122223333:role/rapid7-readonly
      username: my-role

Create new role

The following steps outline the details for the configuration of a separate role that provides access to EKS.

Note that the completion of these steps only create the new separate role and you will still need to grant access through the process outlined above.

ℹ️

Trust Policy Required

If you use a different role than the standard harvesting role, that role must have the same AssumeRolePolicy (Trust policy) to the ICS Installation role (for example, arn:aws:iam::{account_id}:role/rapid7-consolidated).

From Cloud Security (InsightCloudSec) navigate to Cloud>Clouds and select your target account from the Clouds Listing tab.
Select the Settings tab and click the Update EKS Scanner Role button.
Select or create your new separate role as desired and complete the form with the required account details.
Click OK to finalize your changes.
Refer to the steps outlined in the Provide an existing IAM Role With Read Access Permissions to EKS section and complete them as outlined for your new role.

Once you complete the steps to provide Read Access Permissions to EKS, Kubernetes access will be configured and the cluster will begin harvesting (assuming it is not in a paused state within Cloud Security (InsightCloudSec)).

Azure (AKS)

To enable Azure Kubernetes Service (AKS) access for InsightCloudSec (Cloud Security), you need to update the permissions for your existing Cloud Security (InsightCloudSec) Azure Application from Azure - Onboarding. The easiest way to update permissions is by creating and assigning a new custom role, which you can do using the Azure CLI or Azure Portal.

⚠️

Existing Azure Application

If you do not have an Azure account onboarded with Cloud Security (InsightCloudSec), you will need to follow those instructions to setup an application and apply the necessary roles.

Create and assign a custom role using the Azure CLI

ℹ️

Application and subscription IDs required

You’ll need your Azure application and subscription ID before you can create and assign the custom role.

You can find your subscription ID by running: az account list --output table
You can find your application ID by running: az ad app list --display-name \"<your-app-name>\" --query \"[].appId\" --output table

To create and assign a custom role using the Azure CLI:

On your local machine, create a JSON file named ics-kubernetes-role.json with the following content, replacing YOUR_SUBSCRIPTION_ID with your actual subscription ID:


{
    "Name": "ICS Kubernetes Read All/Create subjectaccessreview",
    "Description": "Role that allows a user to read all resources on a kubernetes cluster and create subjectaccessreviews",
    "AssignableScopes": [
        "/subscriptions/YOUR_SUBSCRIPTION_ID"
    ],
    "Actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.ContainerService/managedClusters/*/read",
        "Microsoft.ContainerService/managedClusters/authorization.k8s.io/subjectaccessreviews/write"
    ],
    "NotDataActions": []
}

Run the following command in the same directory as your JSON file:


az role definition create --role-definition ics-kubernetes-role.json

Assign the custom role to your Cloud Security (InsightCloudSec) Azure Application:


az role assignment create --assignee <APPLICATION_ID> --role "ICS Kubernetes Read All/Create subjectaccessreview" --scope "/subscriptions/YOUR_SUBSCRIPTION_ID"

Kubernetes access is now configured and the cluster will begin harvesting (assuming it is not in a paused state in Cloud Security (InsightCloudSec)).

Create a custom role using the Azure Portal

ℹ️

Finding Your Application ID

You’ll need your Azure application ID before you can create and assign the custom role. To find your application ID, go to Azure Active Directory > App registrations in the Azure Portal.

To create and assign a custom role using the Azure Portal:

Log in to the Azure Portal as an admin user for the account that hosts your Cloud Security (InsightCloudSec) Application.
Find your subscription, then go to Access control (IAM) > Roles.
Click + Add > Add custom role
Enter the Basics:
- Name: ICS Kubernetes Read All/Create subjectaccessreview
- Description: Role that allows a user to read all resources on a Kubernetes cluster and create subjectaccessreviews
- Assignable scope: Select your subscription.
Click the Permissions tab.
Click Add permissions and add the following:
- Actions:
  - Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  - Microsoft.ContainerService/managedClusters/read
- Data Actions:
  - Microsoft.ContainerService/managedClusters/*/read
  - Microsoft.ContainerService/managedClusters/authorization.k8s.io/subjectaccessreviews/write
Click Review + create to create the role.
Go to Access control (IAM).
Click + Add > Add role assignment.
Search for and select the new ICS Kubernetes Read All/Create subjectaccessreview role.
Click Next.
For the Members:
- Leave Assign access to as the default (User, group, or service principal).
- Click + Select members.
- Search for and select your InsightCloudSec Azure Application. Click Select.
Click Review + assign to complete the role assignment.

Kubernetes access is now configured and the cluster will begin harvesting (assuming it is not in a paused state in Cloud Security (InsightCloudSec)).

GCP (GKE)

To enable access for GKE you will need to update your existing Cloud Security (InsightCloudSec) GCP Project (from GCP - Onboarding) to include the permissions/roles mentioned in Configuring Permissions.

⚠️

Existing GCP Project

If you do not have an GCP project onboarded with Cloud Security (InsightCloudSec), you will need to follow those instructions to setup an application and apply the necessubjectaccessreviewy roles.

Within your GCP console navigate into the project that is associated with Cloud Security (InsightCloudSec).
Navigate to IAM & Admin>Roles.
Edit the role associated with Cloud Security (InsightCloudSec).
- Find the role and click the vertical three dots to expose the menu.
- Click Edit.
- Click + ADD PERMISSIONS.
- Filter for the "container.secrets.list" permission and select the checkbox next to it.
- Click ADD.

Once you complete the steps to provide Read Access Permissions to GKE, Kubernetes access will be configured and the cluster will begin harvesting (assuming it is not in a paused state within Cloud Security (InsightCloudSec)).

What’s Next?

Refer to the Kubernetes Security Guardrails Overview page for an overview of this feature and a summary of the prerequisites.

Jump to the Using Kubernetes Security Guardrails page to view details on using the feature and exploring the imported data.