Kubernetes Connector

This topic describes how to onboard the Kubernetes connector. The Kubernetes connector lets you view real-time compliant and non-compliant resource data and integrate compliance checks into your DevOps pipeline.
Onboarding the Kubernetes connector includes the following steps:

Understanding the Kubernetes connector
Completing prerequisites
Onboarding the Kubernetes connector
Performing next steps

To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.

Understanding the Kubernetes connector

The Kubernetes connector enables you to collect data from Docker containers, Docker hosts and Docker daemons and evaluate that Docker content against the Center for Internet Security (CIS) Docker Benchmark.

The Docker part of the policy is based on the recommended Docker Host, Docker Container and Docker Daemon settings defined by the CIS Docker 1.12.0 Benchmark Version 1.0.0, published on September 15th, 2016.

The connector also supports the CIS Docker 1.13.0 Benchmark Version 1.0.0, published on January 19th, 2017.

In addition, the Kubernetes connector enables you to collect data from Kubernetes Master & Kubernetes Workers and evaluate Kubernetes content against the Center for Internet Security (CIS) Kubernetes Benchmark 1.2.0.

A Kubernetes CIS policy is available as out-of-the-box content. Using this policy, you can evaluate the Docker containers, Kubernetes masters and Kubernetes workers of a cluster (Linux hosts that Kubernetes manages as a single system) against the CIS security benchmarks. The policy covers the security recommendations you should follow to prepare the hosts or cluster on which you plan to execute containerized workloads.

Securing the Docker hosts and the Kubernetes cluster, and following your own infrastructure security best practices, builds a solid and secure foundation for executing containerized workloads.

The Kubernetes connector collects the following data:

  • Docker data (Docker Host, Docker Container, and Docker Daemon)
  • Kubernetes data (Kubernetes Master and Kubernetes Worker)

License utilization

The following resources consume a product license:

  • Kubernetes master
  • Kubernetes worker


Completing prerequisites

Ensure that the computer on which the connector is downloaded meets the following prerequisites:

Kubernetes deployment requirements:

  • The connector machine has Java OpenJDK 11.0.2 installed.
  • For clustered environments, this release supports the CIS Docker 1.12.0 and 1.13.0 Benchmarks for the Docker engine on the nodes and the CIS Kubernetes Benchmark 1.2.0 for the cluster.
  • The OS on the Docker host is Ubuntu 16, Red Hat Enterprise Linux 7, or CentOS 7.
  • The user account that runs the Kubernetes connector has passwordless sudo and is a member of the docker group. Together these grant root-equivalent access to every node, so use a dedicated account with its own SSH key rather than a shared administrative login.
  • The connector is deployed on a Linux machine with SSH connectivity to the master and worker nodes.
  • kubectl is configured on the connector machine.
  • The Kubernetes cluster was deployed using kubeadm v1.8.x.

Kubernetes connector Requirements:

    • Outbound access on the SSH port (default 22) from the connector machine to every Kubernetes host is allowed.
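The prerequisites above, and the ssh connectivity test in step 6 of the onboarding procedure, are the things that silently break a first collection cycle, so it is worth checking them in one pass before downloading the connector. The following script is an added example for this page, not part of the Cloud Security product: it checks the Java version, the private key permissions, passwordless sudo and docker group membership on the connector machine, then uses kubectl to list every node's InternalIP and runs the same ssh test as step 6 against each one, repeating the sudo and docker group checks on the node. The variable names CONNECTOR_USER, KEY_LOCATION and KUBECONFIG_PATH are assumptions; their defaults mirror the sample values used in step 6. The kubeadm check assumes the `kubeadm version -o short` output format (v1.8.x) and is skipped where kubeadm is not on the node's PATH.

```shell
#!/bin/sh
# Pre-flight check for the host that will run the Kubernetes connector.
# Added example for this page; it is not part of the Cloud Security product.
# CONNECTOR_USER, KEY_LOCATION and KUBECONFIG_PATH are assumed names; their
# defaults mirror the sample values given in step 6 of the onboarding procedure.
CONNECTOR_USER="${CONNECTOR_USER:-ubuntu}"
KEY_LOCATION="${KEY_LOCATION:-/root/.ssh/id_rsa}"
KUBECONFIG_PATH="${KUBECONFIG_PATH:-/root/.kube/config}"

# Checks that only inspect a string are separate functions, so they can be run
# (and tested) on a machine without Java, kubectl or a cluster.

# java_version_ok "<first line of: java -version 2>&1>" -> 0 for OpenJDK 11.x
java_version_ok() {
  printf '%s\n' "$1" | grep -q '^openjdk version "11\.'
}

# kubeadm_version_ok "<output of: kubeadm version -o short>" -> 0 for the v1.8.x line
kubeadm_version_ok() {
  case "$1" in
    v1.8.*) return 0 ;;
    *)      return 1 ;;
  esac
}

# key_mode_ok "<octal mode from: stat -c %a FILE>" -> 0 when only the owner can read it.
# ssh ignores a group- or world-readable private key, which the connector would
# surface only as a failed collection.
key_mode_ok() {
  case "$1" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# in_docker_group "<output of: id -nG [USER]>" -> 0 when docker is one of the groups
in_docker_group() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qx docker
}

# node_ips "<'name ip' lines>" -> prints the second column (the node InternalIP) per line
node_ips() {
  printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }'
}

# preflight: run every check against the live host and cluster; stop at the first failure.
preflight() {
  java_version_ok "$(java -version 2>&1 | head -n 1)" \
    || { echo "FAIL: OpenJDK 11 is required on the connector machine"; return 1; }
  key_mode_ok "$(stat -c %a "$KEY_LOCATION" 2>/dev/null)" \
    || { echo "FAIL: $KEY_LOCATION is missing or not mode 600"; return 1; }
  sudo -n true 2>/dev/null \
    || { echo "FAIL: passwordless sudo is not configured for $(id -un)"; return 1; }
  in_docker_group "$(id -nG)" \
    || { echo "FAIL: $(id -un) is not in the docker group"; return 1; }

  # One "name InternalIP" line per node; this also proves kubectl is configured.
  nodes="$(kubectl --kubeconfig "$KUBECONFIG_PATH" get nodes -o \
    jsonpath='{range .items[*]}{.metadata.name} {.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}')" \
    || { echo "FAIL: kubectl cannot list nodes using $KUBECONFIG_PATH"; return 1; }
  [ -n "$nodes" ] || { echo "FAIL: the cluster returned no nodes"; return 1; }

  # The same test as the page's "ssh -i <key> <user>@<node>", run for every node,
  # plus the checks the connector needs once logged in: sudo -n and the docker group.
  # BatchMode=yes turns an unknown host key into a failure instead of a prompt; add
  # the nodes to known_hosts first rather than turning StrictHostKeyChecking off.
  for ip in $(node_ips "$nodes"); do
    remote="$(ssh -i "$KEY_LOCATION" -o BatchMode=yes -o ConnectTimeout=5 \
      "$CONNECTOR_USER@$ip" 'sudo -n true && id -nG && (kubeadm version -o short 2>/dev/null || echo unknown)')" \
      || { echo "FAIL: ssh or passwordless sudo failed for $CONNECTOR_USER@$ip"; return 1; }
    in_docker_group "$(printf '%s\n' "$remote" | sed -n 1p)" \
      || { echo "FAIL: $CONNECTOR_USER is not in the docker group on $ip"; return 1; }
    kubeadm_ver="$(printf '%s\n' "$remote" | sed -n 2p)"
    if [ "$kubeadm_ver" != unknown ]; then
      kubeadm_version_ok "$kubeadm_ver" \
        || { echo "FAIL: $ip reports kubeadm $kubeadm_ver, expected v1.8.x"; return 1; }
    fi
    echo "OK: $CONNECTOR_USER@$ip"
  done
  echo "OK: connector machine and all nodes pass the pre-flight checks"
}

# Run the live checks only when asked, so the file can also be sourced for its functions.
case "${1:-}" in
  --run) preflight ;;
esac
```

Run it as the account that will start run.sh, with `sh preflight.sh --run`; a non-zero exit names the first prerequisite that is not met. The live checks are deliberately kept in `preflight` so the string-inspecting helpers can be exercised without a cluster.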

Onboarding the Kubernetes connector

  1. Log in to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors.
  3. Click Add Connector.
  4. Under Connector Type > On Premise Connectors (Installable), click Kubernetes Connector and then click Continue.
  5. In the connector name field, specify a name for the Kubernetes connector.
    This name must be unique among the connectors that already exist.
    If the name is not already in use on the Manage Connectors page, a green check mark and an Available label appear next to the field.

  6. Specify the credentials for Kubernetes cluster to be evaluated:

    Username: A user account on the admin host (the host from which the Kubernetes cluster was created) that has SSH access to the master and worker (minion) nodes of the cluster on which the compliance check runs.

    Private Key Location: The path of the PEM private key on the admin host. This key is used to authenticate to the master and worker nodes of the cluster, for example /root/.ssh/id_rsa. Keep the key readable by its owner only (mode 600); ssh ignores a more permissive key, and the connector then fails to reach the nodes.

    Kubernetes kube config: The path of the kubeconfig file that kubectl uses to access the cluster, for example /root/.kube/config.

    Example values:
    username : ubuntu
    key location : /root/.ssh/id_rsa

    To check the connectivity from the connector machine to a master or worker node, run the following command:
    ssh -i <key location> <UserName>@<Master/worker node>

  7. Select the method for triggering collection cycles by choosing one of the following options from the Collection Mode menu:

    1. Select On Demand to enable on-demand scanning.
    2. Select Scheduled and select the hours or minutes for which Kubernetes resources will be periodically collected and evaluated.

  8. Click Continue.

  9. If the download does not start automatically, click Download Connector setup and unzip the Kubernetes Connector.zip file using any standard compression tool.
    The zip file has the name that you specified for the connector in step 5.
  10. Run chmod +x run.sh to grant execute permission on the run.sh file, and then start the connector with ./run.sh.


    The time to complete data collection depends upon the number of targets that you have in your environment. Leave the command window open and switch over to the UI.
  11. Click Continue.

  12. Clear the default compliance policies that you will not use to evaluate your Kubernetes cluster.
    To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears.
  13. Click Continue.

    The connector is downloaded and available in Cloud Security, and the selected policies are evaluated on the schedule you set.
    As soon as the connector begins sending data, it is shown in the green Running state. It then collects the data and publishes it back to Cloud Security.

Performing next steps

To manage connector configuration and settings, see Managing connectors.

To assess the resources including why a rule failed, see Managing resources.

