Container to monitor Kubernetes clusters' security
- 50 GB of storage in the form of emptyDir.
- External internet access from the Kubernetes cluster.
The Snyk monitor (kubernetes-monitor) requires some minimal configuration items in order to work correctly.
As with any Kubernetes deployment, the kubernetes-monitor runs within a single namespace.
If you do not already have access to a namespace where you want to deploy the monitor, you can run the following command to create one:
kubectl create namespace snyk-monitorNotice our namespace is called snyk-monitor and it is used for the following commands in scoping the resources.
The Snyk monitor relies on using your Snyk Integration ID, and using a dockercfg file. The dockercfg file is necessary to allow the monitor to look up images in private registries. Usually a copy of the dockercfg resides in $HOME/.docker/config.json.
Both of these items must be provided from a Kubernetes secret. The secret must be called snyk-monitor. The steps to create the secret are as such:
- Create a file named
dockercfg.json. Store yourdockercfgin there; it should look like this:
{
"auths": {
"gcr.io": {
"auth": "BASE64-ENCODED-AUTH-DETAILS"
}
// Add other registries as necessary
}
}If access to private registries is not needed, the dockercfg.json file contents should look like this:
{}- Locate your Snyk Integration ID from the Snyk Integrations page (navigate to https://app.snyk.io/org/YOUR-ORGANIZATION-NAME/manage/integrations/kubernetes) and copy it. The Snyk Integration ID is a UUID and looks similar to the following:
abcd1234-abcd-1234-abcd-1234abcd1234
The Snyk Integration ID is used in the --from-literal=integrationId= parameter in the next step.
- Finally, create the secret in Kubernetes by running the following command:
kubectl create secret generic snyk-monitor -n snyk-monitor --from-file=./dockercfg.json --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234Note that the secret must be namespaced, and the namespace (which we configured earlier) is called snyk-monitor.
The kubernetes-monitor can run in one of two modes: constrained to a single namespace, or with access to the whole cluster.
In other words, the monitor can scan containers in one particular namespace, or it can scan all containers in your cluster.
The choice of which deployment to use depends on the permissions you have on your cluster.
For cluster-scoped deployment you can create the necessary ServiceAccount, ClusterRole, and ClusterRoleBinding required for the monitor's deployment.
These objects ensure the monitor has the right (limited) level of access to resources in the cluster. The command is as follows:
kubectl apply -f snyk-monitor-cluster-permissions.yamlNote that even though the monitor operates in the whole cluster, the ClusterRole ensures it can only read or watch resources; the monitor can never modify your objects!
For a namespaced deployment you can create the necessary ServiceAccount, Role, and RoleBinding required for the monitor's deployment:
kubectl apply -f snyk-monitor-namespaced-permissions.yamlSimilarly to the cluster-scoped deployment, this Role ensures the monitor can only read or watch resources, never to modify them!
By default, the Snyk monitor sends workload information to Snyk using a default cluster name.
To change the cluster name, you can modify snyk-monitor-namespaced-permissions.yaml (for the Namespaced deployment) or snyk-monitor-cluster-permissions.yaml (for the Cluster-scoped deployment) and set the string value of clusterName to the name of your cluster. You will now see your workloads appearing in Snyk under the new cluster name.
Finally, to launch the Snyk monitor in your cluster, run the following:
kubectl apply -f snyk-monitor-deployment.yaml