The Google Cloud integration uses the Kubescape CLI to scan clusters and run commands.
The Google Kubernetes Engine (GKE) integration is based on the official GCP SDK.
To install Kubescape on Google Cloud, you must:
- Set up your credentials.
- Set up a service account.
- Create an IAM role for the service account.
- Bind the IAM role to the service account.
- Install and upgrade the Kubescape Helm chart.
Authentication uses the local execution context of the CLI: the GCP credentials must be available in the environment where Kubescape runs.
Set the following:
- `GOOGLE_APPLICATION_CREDENTIALS` environment variable, pointing at a service-account key file or an application-default-credentials JSON file. If the variable is unset, the GCP client libraries fall back to the gcloud application default credentials file.
If the application_default_credentials.json file is missing but you have GCP access from the shell, run the following command to create it:
gcloud auth application-default login
Run the following to ensure you can access your cluster:
gcloud container clusters describe <cluster name> --zone <cluster zone> --project <GCP project>
Kubescape in-cluster components can be authorized to access Google Container Registry (GCR) for container vulnerability scanning and GKE for Kubernetes risk assessment. Both authorizations are supported using GKE workload identities.
Workload identity is not enabled by default in GKE. Enabling it changes how pods on affected node pools obtain GCP credentials, so check that existing workloads in the cluster do not rely on the node's service account before you enable it.
Ensure that your cluster has workload identity enabled by running this command:
gcloud container clusters describe <CLUSTER_NAME> | grep workloadPool
When workload identity is enabled the output is `workloadPool: <GCP project>.svc.id.goog`; if the command prints nothing, it is not enabled.
Use this recipe to finish setting up the GCP IAM authorization and Kubescape integration.
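The following script is an added example, not code from the ARMO or Kubescape projects, that ties the steps above together: it checks that credentials are present, parses the `gcloud container clusters describe` output for the workload pool, and, when invoked with `bootstrap`, runs the service account, custom role, binding and Helm steps in order. It assumes the kubescape-operator chart creates a Kubernetes ServiceAccount named `kubescape` in the `kubescape` namespace, that the chart accepts the `clusterName` and `account` values, and that the custom role permission list below (GKE cluster read plus object read on GCR's backing storage) is sufficient for your scans; verify all three against your chart version before running it.

```shell
#!/usr/bin/env bash
# Added example (not ARMO/Kubescape project code). Assumes GOOGLE_APPLICATION_CREDENTIALS
# or gcloud application default credentials, and that the kubescape-operator chart creates
# a Kubernetes ServiceAccount "kubescape" in namespace "kubescape" (assumption: check with
# `kubectl get sa -n kubescape` after install).
set -eu

# Print the workloadPool value from `gcloud container clusters describe` YAML output.
# Fails (exit 1) when the cluster has no workload identity pool configured.
workload_pool_of() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*workloadPool:/ { sub(/^[[:space:]]*workloadPool:[[:space:]]*/, ""); print; found=1; exit }
    END { exit !found }'
}

# GKE always names the pool <project-id>.svc.id.goog.
expected_pool() { printf '%s.svc.id.goog\n' "$1"; }

# 0 when the cluster's pool is the one for the given project, 1 otherwise (or when absent).
workload_identity_matches() {
  local describe="$1" project="$2" pool
  pool=$(workload_pool_of "$describe") || return 1
  [ "$pool" = "$(expected_pool "$project")" ]
}

# IAM member string used to let a Kubernetes ServiceAccount impersonate the GCP service account.
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"; }

# Credentials check: GOOGLE_APPLICATION_CREDENTIALS must point at a readable file,
# otherwise the gcloud application default credentials file must exist.
adc_present() {
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]
  else
    [ -r "${CLOUDSDK_CONFIG:-${HOME:-}/.config/gcloud}/application_default_credentials.json" ]
  fi
}

# Runs the real gcloud/helm/kubectl steps. Only invoked when the script is called with "bootstrap".
bootstrap() {
  local project="$1" cluster="$2" zone="$3" account_id="$4"
  local gsa="kubescape-scanner" ns="kubescape" ksa="kubescape"   # ksa name is an assumption
  local gsa_email="${gsa}@${project}.iam.gserviceaccount.com" describe
  adc_present || { echo "no GCP credentials found; run: gcloud auth application-default login" >&2; return 1; }
  describe=$(gcloud container clusters describe "$cluster" --zone "$zone" --project "$project")
  workload_identity_matches "$describe" "$project" \
    || { echo "workload identity is not enabled on $cluster" >&2; return 1; }
  # Service account plus a custom role. Permission list is an assumption; trim it to what your scans need.
  gcloud iam service-accounts create "$gsa" --project "$project" --display-name "Kubescape scanner"
  gcloud iam roles create kubescapeScanner --project "$project" --title "Kubescape scanner" \
    --permissions container.clusters.get,container.clusters.list,storage.objects.get,storage.objects.list
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${gsa_email}" --role "projects/${project}/roles/kubescapeScanner"
  # Bind the Kubernetes ServiceAccount to the GCP service account via workload identity.
  gcloud iam service-accounts add-iam-policy-binding "$gsa_email" --project "$project" \
    --role roles/iam.workloadIdentityUser --member "$(wi_member "$project" "$ns" "$ksa")"
  helm repo add kubescape https://kubescape.github.io/helm-charts/ && helm repo update
  helm upgrade --install kubescape kubescape/kubescape-operator -n "$ns" --create-namespace \
    --set clusterName="$cluster" --set account="$account_id"
  kubectl annotate serviceaccount -n "$ns" "$ksa" \
    "iam.gke.io/gcp-service-account=${gsa_email}" --overwrite
}

if [ "${1:-}" = "bootstrap" ]; then
  bootstrap "$2" "$3" "$4" "$5"   # usage: ./setup.sh bootstrap <project> <cluster> <zone> <accountID>
fi
```

The parsing helpers are separated from `bootstrap` so the preflight checks can be run (and tested) without touching a real project; `workload_identity_matches` also catches the case where the pool belongs to a different project than the one you are binding roles in, which the bare `grep workloadPool` check above does not.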
After you've installed Kubescape and successfully authorized the components, you can use Kubescape CLI commands to scan clusters hosted in GCP and send the scan results to ARMO Platform to visualize your data. Run the scan without a path argument so that it targets the cluster in your current kubeconfig context (a path such as `.` scans local manifest files instead):
kubescape scan --submit --account=<accountID>