Google Cloud Services integration

Kubescape CLI integration

Setup

The Kubescape GKE integration is built on the official GCP SDK and authenticates from the local execution context of the CLI, using one of:

  • the GOOGLE_APPLICATION_CREDENTIALS environment variable (a path to a credential JSON file), or
  • the ~/.config/gcloud/application_default_credentials.json file

Make sure one of them is defined properly in the execution context of Kubescape. The SDK checks the environment variable first; if it is set but points at an unreadable file, the SDK fails rather than falling back to the file.

If you're missing the application_default_credentials.json, but you do have GCP access from the shell, run the following command to create it:

gcloud auth application-default login

Troubleshooting

Make sure this command works from the same shell and with the same credentials, since it exercises the permissions Kubescape needs to read the cluster:

gcloud container clusters describe <cluster name> --zone <cluster zone> --project <GCP project>
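The credential checks above, as an added bash preflight (example code, not part of Kubescape): it reports which of the two credential sources the SDK will pick up, in the order the SDK tries them, and then runs the same describe call as the troubleshooting step. The function names and the positional arguments are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: preflight for the Kubescape CLI GKE integration.
# Reports which Application Default Credentials source the GCP SDK will use,
# then runs the describe call from the troubleshooting step.
set -u

# Prints "env" or "file" and returns 0 when a usable credential is found.
# Returns 1 when neither source is present, 2 when GOOGLE_APPLICATION_CREDENTIALS
# is set but unreadable (the SDK does not fall back to the ADC file in that case).
adc_source() {
  local env_path="${GOOGLE_APPLICATION_CREDENTIALS:-}"
  if [ -n "$env_path" ]; then
    if [ -r "$env_path" ]; then
      echo env
      return 0
    fi
    return 2
  fi
  if [ -r "${HOME:-/nonexistent}/.config/gcloud/application_default_credentials.json" ]; then
    echo file
    return 0
  fi
  return 1
}

# Hypothetical wrapper: explain a missing credential before touching the API.
# Arguments: cluster name, cluster zone, GCP project.
gke_preflight() {
  local cluster="$1" zone="$2" project="$3" src rc
  if src=$(adc_source); then rc=0; else rc=$?; fi
  case "$rc" in
    0) echo "credentials: $src" ;;
    2) echo "GOOGLE_APPLICATION_CREDENTIALS is set but the file is not readable" >&2; return 1 ;;
    *) echo "no application default credentials found; run: gcloud auth application-default login" >&2; return 1 ;;
  esac
  # If this call fails, the problem is IAM or the cluster location, not Kubescape.
  gcloud container clusters describe "$cluster" --zone "$zone" --project "$project" --format='value(name)'
}

# Usage: gke_preflight <cluster name> <cluster zone> <GCP project>
```

Source the script and call gke_preflight with the same three values you pass to the describe command; a non-zero exit before any gcloud output means the credential context is wrong, not the cluster access.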

Kubescape in-cluster integration

The Kubescape in-cluster components can be authorized to access Google Container Registry (for container vulnerability scanning) and Google Kubernetes Engine (for Kubernetes risk assessment). Both authorizations are granted through GKE Workload Identity, which maps a Kubernetes service account to a GCP service account instead of distributing service-account keys.

🚧

Workload identity support

Workload Identity is not enabled by default on GKE clusters. Enabling it changes which credentials pods obtain from the metadata endpoint, so before turning it on, make sure existing workloads in the cluster do not rely on the node service account.

Check that your cluster has Workload Identity enabled by running this command (add --zone or --region and --project, as in the troubleshooting command above, unless your gcloud defaults already point at the cluster):

gcloud container clusters describe <CLUSTER_NAME> | grep workloadPool

With Workload Identity enabled the output contains workloadPool: <PROJECT_ID>.svc.id.goog; an empty result means it is disabled.

We have prepared a ready-to-use recipe for setting this up, see it here
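The Workload Identity check and the binding it prepares for, as an added bash example (not the recipe linked above and not Kubescape's own code): it parses the describe output for the workload pool, builds the IAM member string GKE presents for a Kubernetes service account, and wraps the standard GKE binding steps. The namespace, service-account names, and the two read-only roles chosen are assumptions; the sample describe output is constructed.

```shell
#!/usr/bin/env bash
# Added example: Workload Identity preflight and binding for the Kubescape
# in-cluster components. Namespace, service-account and role names are
# assumptions made for illustration, not taken from the Kubescape chart.
set -u

# Read `gcloud container clusters describe` YAML on stdin and print the
# workload pool, or nothing when the workloadIdentityConfig block is absent.
workload_pool() {
  sed -n 's/^[[:space:]]*workloadPool:[[:space:]]*//p' | head -n 1
}

# Exit 0 only when the pool read from stdin is the one GKE expects for the project.
has_workload_identity() {
  local project="$1" pool
  pool=$(workload_pool)
  [ "$pool" = "${project}.svc.id.goog" ]
}

# IAM member string GKE presents for a Kubernetes service account.
wi_member() {
  local project="$1" namespace="$2" ksa="$3"
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$project" "$namespace" "$ksa"
}

# Binding recipe (assumed shape; not run at load time, invoke explicitly).
# Arguments: project, Kubernetes namespace, Kubernetes SA, GCP SA short name.
bind_kubescape_wi() {
  local project="$1" namespace="$2" ksa="$3" gsa="$4"
  local gsa_email="${gsa}@${project}.iam.gserviceaccount.com"
  gcloud iam service-accounts create "$gsa" --project "$project"
  # Least privilege: read-only cluster metadata for the GKE risk assessment ...
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${gsa_email}" --role roles/container.clusterViewer
  # ... and read-only access to the storage backing GCR for image scanning.
  # Narrow this to the registry bucket if your project holds other data.
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${gsa_email}" --role roles/storage.objectViewer
  # Let the KSA impersonate the GSA, then tell GKE which GSA the KSA maps to.
  gcloud iam service-accounts add-iam-policy-binding "$gsa_email" \
    --role roles/iam.workloadIdentityUser \
    --member "$(wi_member "$project" "$namespace" "$ksa")"
  kubectl annotate serviceaccount "$ksa" --namespace "$namespace" \
    "iam.gke.io/gcp-service-account=${gsa_email}" --overwrite
}

# Constructed sample of describe output, used for the offline demonstration.
SAMPLE_DESCRIBE='name: demo
workloadIdentityConfig:
  workloadPool: my-project.svc.id.goog'

printf '%s\n' "$SAMPLE_DESCRIBE" | workload_pool
printf '%s\n' "$SAMPLE_DESCRIBE" | has_workload_identity my-project && echo "workload identity enabled"

# Usage against a real cluster:
# gcloud container clusters describe <CLUSTER_NAME> --zone <ZONE> --project <PROJECT> \
#   | has_workload_identity <PROJECT> && bind_kubescape_wi <PROJECT> kubescape kubescape kubescape-wi
```

has_workload_identity compares the pool against the project rather than just checking that a pool exists, which catches a cluster whose pool belongs to a different project than the service account you are about to bind.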