Running a command-line scan
You can scan a cluster using kubescape scan. These are the default options we suggest you start with:
kubescape scan --server api.armosec.io
--verbose: display all resources, including those that do not trigger a security control
--server: creates an account and sends scan results to the ARMO Platform
If you do not specify a framework, the scan runs against all frameworks.
Permissions
The RBAC permissions required for Kubescape to scan a cluster are as follows:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubescape-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "describe", "watch"]
# The host-scanner DaemonSet runs in a dedicated namespace applied by Kubescape at the beginning of the scan. Kubescape then removes the namespace once the scanning process is done.
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["*"]
We are working on listing the exact permissions that Kubescape needs.
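To see what the role above authorizes, the following added example (not part of the Kubescape documentation) evaluates sample requests against its rules. The rules are transcribed from the ClusterRole; the matcher is a simplified model of RBAC rule matching that assumes no resourceNames or nonResourceURLs, and the sample requests are constructed.

```python
# Added example: which requests do the kubescape-role rules authorize?
# RULES is transcribed from the ClusterRole above. The matcher is a simplified
# model of RBAC rule matching (assumption: no resourceNames, no nonResourceURLs).
RULES = [
    {"apiGroups": ["*"], "resources": ["*"],
     "verbs": ["get", "list", "describe", "watch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["*"]},
]

# Standard verbs for resource requests; special verbs (impersonate, bind,
# escalate) are left out of this model.
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def _match(values, wanted):
    """A rule field matches on an exact entry or on the "*" wildcard."""
    return "*" in values or wanted in values


def allows(rules, verb, group, resource):
    """True if any single rule grants verb on resource in the API group."""
    return any(_match(r["verbs"], verb) and _match(r["apiGroups"], group)
               and _match(r["resources"], resource) for r in rules)


def unknown_verbs(rules):
    """Listed verbs that are not standard resource request verbs."""
    listed = {v for r in rules for v in r["verbs"] if v != "*"}
    return sorted(listed - READ_VERBS - WRITE_VERBS)


def write_grants(rules):
    """(apiGroup, resource) pairs on which a rule grants a mutating verb."""
    return sorted((g, res) for r in rules
                  if "*" in r["verbs"] or WRITE_VERBS & set(r["verbs"])
                  for g in r["apiGroups"] for res in r["resources"])


if __name__ == "__main__":
    # Constructed sample requests: (verb, apiGroup, resource)
    for req in [("get", "", "secrets"), ("delete", "", "namespaces"),
                ("create", "apps", "daemonsets"), ("create", "", "pods")]:
        print(req, "allowed" if allows(RULES, *req) else "denied")
    print("non-standard verbs:", unknown_verbs(RULES))
    print("write access on:", write_grants(RULES))
```

With these rules the scan identity can read every resource type, Secrets included, and has full control of namespaces and DaemonSets cluster-wide. The checker also flags describe, which is not one of the standard API request verbs.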