Integration with cloud providers

AWS - EKS

Integrate with Kubescape CLI

Kubescape EKS integration is based on the official AWS Go SDK and it supports authentication based on the local execution context of the CLI:

  • ~/.aws/credentials file or
  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables or
  • in case of EC2 instances, access to IAM role through EC2 metadata service

Because of the way EKS authentication is constructed, the Kubescape EKS integration should work automatically from any shell from which you access your cluster.

Troubleshooting

Make sure that you have cluster access through:

kubectl get nodes

Make sure you have the proper EKS-related IAM roles in the AWS CLI itself:

aws eks describe-cluster --name <cluster name> --region <cluster region>

Kubescape first looks for the KS_CLOUD_REGION environment variable to get your cluster region. If this variable is not set, Kubescape tries to get the cluster region from the cluster's name. So if Kubescape is not able to identify your cluster region, make sure you set this environment variable.
On top of that, set the KS_CLOUD_PROVIDER environment variable to eks.

Integrate with Kubescape Microservice

The Kubescape microservice is based on the CLI and therefore expects the same mechanisms in its execution context.
You can add the environment variables to the Kubescape cronjob with the following command:

kubectl patch -n armo-system cronjob armo-kubescape  -p='{"spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{"name": "kubescape","env": [{"name":"KS_CLOUD_REGION", "value": "<region>"}, {"name":"KS_CLOUD_PROVIDER", "value": "eks"}]}]}}}}}}'

We are going to add an example of authorization via EKS IAM roles for the ServiceAccount, stay tuned!

GCP - GKE

Integrate with Kubescape CLI

Kubescape GKE integration is based on the official GCP SDK and it supports authentication based on the local execution context of the CLI:

  • GOOGLE_APPLICATION_CREDENTIALS environment variable or
  • ~/.config/gcloud/application_default_credentials.json file

Make sure that one of them is defined properly in the execution context of Kubescape.

If you're missing the application_default_credentials.json, but you do have GCP access from the shell, run the following command to create it:

gcloud auth application-default login

Troubleshooting

Make sure that this command works:

gcloud container clusters describe <cluster name> --zone <cluster zone> --project <GCP project>

Kubescape first looks for the KS_CLOUD_REGION and KS_GKE_PROJECT environment variables to get your cluster region and project, respectively. If these variables are not set, Kubescape tries to get the cluster region and project from the cluster name. So if Kubescape is not able to identify your cluster's region/project, make sure you set the proper environment variable.
On top of that, set the KS_CLOUD_PROVIDER environment variable to gke.

Integrate with Kubescape Microservice

The Kubescape microservice is based on the CLI and therefore expects the same mechanisms in its execution context.
You can add the environment variables to the Kubescape cronjob with the following command:

kubectl patch -n armo-system cronjob armo-kubescape  -p='{"spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{"name": "kubescape","env": [{"name":"KS_CLOUD_REGION", "value": "<region>"},{"name":"KS_GKE_PROJECT", "value": "<project>"}, {"name":"KS_CLOUD_PROVIDER", "value": "gke"}]}]}}}}}}'

We are going to add an example of authorization via service account, stay tuned!

Azure - AKS

CLI

Kubescape AKS integration is based on the official AKS Go SDK and it supports authentication based on the local execution context of the CLI. The supported authentication methods are:

  • Client credentials
  • X509 certificates
  • Username/password
  • Managed identities for Azure resources

The authentication types are evaluated in the order listed above.

To see how to configure each authentication type, check the documentation here.

On top of that, you need to set the following environment variables:

  • AZURE_SUBSCRIPTION_ID - Azure's subscription ID
  • AZURE_RESOURCE_GROUP - Azure's resource group linked to the cluster
  • KS_CLOUD_PROVIDER - Set to "aks"

Troubleshooting

Confirm you can access the API by following the commands below:

az account set --subscription <subscription_id>
az aks get-credentials --resource-group <resource_group> --name <cluster_name>

Integrate with Kubescape Microservice

The Kubescape microservice is based on the CLI and therefore expects the same mechanisms in its execution context.
You can add the necessary environment variables to the Kubescape cronjob with the following command:

kubectl patch -n armo-system cronjob armo-kubescape  -p='{"spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{"name": "kubescape","env": [{"name":"AZURE_SUBSCRIPTION_ID", "value": "<subscription_id>"}, {"name":"AZURE_RESOURCE_GROUP", "value": "<resource_group>"}, {"name":"KS_CLOUD_PROVIDER", "value": "aks"}]}]}}}}}}'
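
The execution-context requirements described above for EKS, GKE and AKS can be checked with a pre-flight script before a scan. This is an added example, not part of Kubescape: the ks_* function names are hypothetical, it checks only the variables and file paths named on this page, and the AKS authentication settings themselves are not checked.

```shell
#!/bin/sh
# Added example (not Kubescape code): check the shell or container environment
# against the variables and credential files named on this page.

# Return 1 if credential file $1 is missing; warn if group/other can access it.
ks_cred_file() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "WARN: $1 is accessible to group/other; restrict it to the owner" ;;
    esac
    return 0
}

# ks_need NAME VALUE: required setting, counts as an error when empty.
ks_need() {
    [ -n "$2" ] || { echo "ERROR: $1 is missing"; ks_errors=$((ks_errors + 1)); }
}

# ks_hint NAME VALUE: optional, Kubescape falls back to the cluster name.
ks_hint() {
    [ -n "$2" ] || echo "WARN: $1 is not set; it will be derived from the cluster name"
}

# Print findings and return the number of errors (0 means ready to scan).
ks_preflight() {
    ks_errors=0
    case "${KS_CLOUD_PROVIDER:-}" in
    eks)
        ks_hint KS_CLOUD_REGION "${KS_CLOUD_REGION:-}"
        if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
            ks_cred_file "$HOME/.aws/credentials" ||
                echo "WARN: no AWS keys in env or file; only an EC2 instance role will work"
        fi ;;
    gke)
        ks_hint KS_CLOUD_REGION "${KS_CLOUD_REGION:-}"
        ks_hint KS_GKE_PROJECT "${KS_GKE_PROJECT:-}"
        ks_cred_file "${GOOGLE_APPLICATION_CREDENTIALS:-$HOME/.config/gcloud/application_default_credentials.json}" ||
            ks_need "GCP credentials file" "" ;;
    aks)
        ks_need AZURE_SUBSCRIPTION_ID "${AZURE_SUBSCRIPTION_ID:-}"
        ks_need AZURE_RESOURCE_GROUP "${AZURE_RESOURCE_GROUP:-}" ;;
    *)
        echo "ERROR: KS_CLOUD_PROVIDER must be eks, gke or aks"; ks_errors=1 ;;
    esac
    return "$ks_errors"
}
```

Source the file and run ks_preflight in the same shell or container that launches Kubescape; a non-zero return value is the number of blocking problems.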
