Scan Kubernetes Cluster Environments

In Tenable Cloud Security, you can assign policies to Kubernetes cluster environments and perform cloud scans on these environments to check if they comply with the assigned policies. You can initiate a scan from the Tenable Cloud Security Console, the command line (CLI), or using Helm Chart.

Note: You might see the resource count in a Kubernetes cluster changing during the scan. This is due to the frequently changing run-time state of the Kubernetes cluster. For example, pods and other resources in the cluster might go through different phases in their life cycle.

Before you begin:

  • Download and install the Tenable Cloud Security CLI. For more information, see Set up Code Analysis through CLI.

  • Ensure that you have the following access:

    • Read access to the kube-system namespace resource (excluding the resources within the kube-system namespace).

    • Read access to the list of namespaces present in the cluster.

    • (Only for Azure) Read access to query a configmap named container-azm-ms-aks-k8scluster within the kube-system namespace.

  1. Access Tenable Cloud Security.

    The Dashboard page appears.

  2. Click the Projects & Connections tab.

    The Projects & Connections page appears.

  3. Hover over the project that you want to scan and click Run Scan > Configure Cloud Scan.

    The Scan Options window appears.

  4. Select one of the following options as required by your cloud provider:

    • AWS — Elastic Kubernetes Service (EKS)

    • AzureKubernetes Cluster

    • Google Cloud Platform — Google Kubernetes Engine

  5. Click Run Scan.

    A message confirms that Tenable Cloud Security initiated the cloud scan.

In the CLI, you can use the pipeline mode or the configuration file mode to scan cluster environments. Tenable Cloud Security scans clusters as part of a regular cloud scan.

To run a scan using the pipeline mode:

  1. In the Tenable Cloud Security CLI, run the following command to scan Kubernetes cluster environments, where:

    • cluster triggers the scan for the Kubernetes cluster.
      • Note: Add the cluster command to scan Kubernetes clusters.
    • provider is the cloud provider: AWS, Azure, or Google Cloud Platform.
    • token is the API token.
    accurics scan k8s -cluster -mode=pipeline -provider=<aws/azure/gcp> -appurl=https://cloud.tenable.com/cns -token=<token>
    Tip: Some commonly used flags include:

    • wait — Lists the violation reports on the terminal.

    • fail — Returns an exit code of 1.

    • verbose — Lists violation details.

    Run accurics -h to access Help. For more information about flags, see Tenable Cloud Security Commands and Options.

    Once the scan completes, Tenable Cloud Security displays the violation reports from the scan.

    Note: Tenable Cloud Security displays the resources and misconfigurations from this scan under Cloud (not IaC) in the Projects tab.

To run a scan using the configuration file:

  1. Access Tenable Cloud Security
  2. In the left navigation bar, click .

    The Dashboard page appears.

  3. Click the Projects & Connections tab.

    The Projects & Connections page appears.

  4. Click K8s Clusters.

    The K8s Clusters page appears.

  5. Select the Kubernetes cluster project you want to scan.

    The Kubernetes Cluster pane appears.

  6. Click Configuration to download the configuration file.

  7. In the Tenable Cloud Security CLI, run the following command to scan the Kubernetes cluster project, where configuration file path is the location of the configuration file:

    accurics scan k8s -cluster -config=<configuration file path>

    Tip: Some commonly used flags include:

    • wait — Lists the violation reports on the terminal.

    • fail — Returns an exit code of 1.

    • verbose — Lists violation details.

    Run accurics -h to access Help. For more information about flags, see Tenable Cloud Security Commands and Options.

    8. Once the scan completes, Tenable Cloud Security shows the violation reports from the scan on the Projects and Connections tab.

    Note: Tenable Cloud Security displays the resources and misconfigurations from this scan under Cloud (not IaC) in the Projects tab.

  1. Access Tenable Cloud Security
  2. In the left navigation bar, click .

    The Dashboard page appears.

  3. Click the Projects & Connections tab.

    The Projects & Connections page appears.

  4. Click K8s Clusters.

    The K8s Clusters page appears.

  5. Select the Kubernetes cluster project that you want to scan.

    The Kubernetes Cluster pane appears.

  6. Click Helm to download the Helm Chart file.

    Tenable Cloud Security downloads the accurics-kubescan-helm.zip.

  7. Extract the zip file and follow the instructions in the instructions.txt file to deploy the Helm Chart resources.

    8. Once the scan completes, Tenable Cloud Security shows the violation reports from the scan.