Securing Kubernetes deployments with Mondoo GitHub Actions



In this article, we will show you how to secure your Kubernetes cluster with Mondoo and GitHub Actions. We will use the Mondoo GitHub Action to scan our Kubernetes manifests for security vulnerabilities and compliance issues. The Mondoo GitHub Action is a simple and effective way to secure your Kubernetes workloads.

Benefits of Scanning a Kubernetes Deployment within a GitHub Action

As organizations increasingly adopt Kubernetes for container orchestration, ensuring the security and stability of deployments has become paramount. Integrating security and compliance checks directly into the CI/CD pipeline is an effective way to achieve this. GitHub Actions, a popular CI/CD tool, provides an excellent platform for automating these checks. In this post, we'll explore the benefits of scanning a Kubernetes deployment within a GitHub Action.

Continuous Security and Compliance

By incorporating Kubernetes scans into your GitHub Actions workflow, you ensure that every deployment is automatically checked for security vulnerabilities and compliance issues. This continuous monitoring helps catch potential problems early, before they make it to production.

  • Early Detection: Identify vulnerabilities in container images, misconfigurations, and compliance violations early in the development cycle.
  • Reduced Risk: Proactively addressing security issues reduces the risk of breaches and downtime.

Automated Workflow

Automation is a key advantage of using GitHub Actions for Kubernetes scanning. Automated workflows mean that scans are performed consistently, without relying on manual intervention.

  • Consistency: Automated scans ensure that security checks are applied uniformly across all deployments.
  • Efficiency: Saves time and resources by reducing the need for manual security reviews.

Integration with DevOps Practices

GitHub Actions seamlessly integrates with existing DevOps practices, enabling teams to incorporate security into their development workflows without significant changes to their processes.

  • Shift Left Security: Encourages a "shift left" approach, integrating security early in the development process.
  • Continuous Delivery: Maintains the pace of continuous delivery by embedding security checks into the CI/CD pipeline.

Visibility and Accountability

Running scans within GitHub Actions provides visibility into the security posture of your Kubernetes deployments. It also creates an audit trail, making it easier to track and address issues.

  • Transparency: Provides clear visibility into security and compliance status for all stakeholders.
  • Auditability: Creates a record of security checks, useful for audits and compliance reviews.

Customizable and Extensible

GitHub Actions offers flexibility and extensibility, allowing you to customize the scanning process according to your specific requirements. You can use pre-built actions or create custom ones to suit your needs.

  • Flexibility: Tailor the scanning process to match your unique security policies and compliance requirements.
  • Extensibility: Easily extend the workflow with additional actions or integrations as needed.

Cost-Effective

Using GitHub Actions for Kubernetes scanning can be more cost-effective than other solutions, especially for organizations already using GitHub for version control and CI/CD.

  • Cost Savings: Leverage existing GitHub infrastructure to avoid additional costs associated with third-party tools.
  • Resource Optimization: Efficiently utilize resources by consolidating CI/CD and security workflows within GitHub.

How to achieve this with the Mondoo GitHub Action

Mondoo provides a GitHub Action that makes it easy to scan Kubernetes deployments for security vulnerabilities and compliance issues. The Mondoo GitHub Action integrates seamlessly with GitHub Actions, allowing you to add security checks to your CI/CD pipeline with minimal effort.

```yaml
name: Mondoo Manifest Check
on:
  push: {}
jobs:
  manifest-check:            # every job needs an id ...
    runs-on: ubuntu-latest   # ... and a runner
    steps:
      - uses: actions/checkout@v4
      - name: Manifest Check
        uses: mondoohq/actions/k8s-manifest@main
        with:
          path: k8s/manifests          # directory containing the manifests to scan
        env:
          # base64-encoded Mondoo service-account credentials, stored as a repository secret
          MONDOO_CONFIG_BASE64: '${{ secrets.MONDOO_SERVICE_ACCOUNT }}'
```

In this example, we define a GitHub Actions workflow that scans the Kubernetes manifests located in the k8s/manifests directory. The workflow runs on every push to the repository. The action reads the base64-encoded service-account credentials from the MONDOO_SERVICE_ACCOUNT repository secret through the MONDOO_CONFIG_BASE64 environment variable and uses them to authenticate with the Mondoo API. On the Mondoo side, you can create a service account by following the documentation.

Let's use the following deployment to try out scanning Kubernetes deployments with the Mondoo GitHub Action:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: whoami
  name: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
      - image: containous/whoami
        args: [ "-port", "8080" ]
        imagePullPolicy: Always
        name: whoami
        ports:
        - containerPort: 8080
          protocol: TCP
      restartPolicy: Always
```

Once this manifest is committed to the k8s/manifests directory of your GitHub repository, the Mondoo GitHub Action automatically scans the deployment for security vulnerabilities and compliance issues. The detailed scan results are available in the GitHub Actions logs, allowing you to quickly identify and remediate any issues.
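To make concrete what a manifest scan looks at, here is an added example (not Mondoo's scanner, and not its policies) that applies a handful of widely recommended Pod hardening checks to the whoami Deployment from the article. The manifest is embedded as a Python dict, constructed from the YAML above, so the script runs without a YAML library. Because the article's manifest sets no securityContext, no resource limits and no image tag, every check reports on it; the `harden` function then shows the same Deployment with those fields filled in and verifies that it passes. The tag `REPLACE_WITH_PINNED_TAG` is a placeholder, not a real image tag.

```python
"""Minimal Kubernetes Deployment hardening checks (added example, not Mondoo's policies)."""
import copy

# Constructed input: the whoami Deployment from the article, expressed as a dict.
WHOAMI_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "whoami", "labels": {"app": "whoami"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "whoami"}},
        "template": {
            "metadata": {"labels": {"app": "whoami"}},
            "spec": {
                "containers": [{
                    "name": "whoami",
                    "image": "containous/whoami",
                    "args": ["-port", "8080"],
                    "imagePullPolicy": "Always",
                    "ports": [{"containerPort": 8080, "protocol": "TCP"}],
                }],
                "restartPolicy": "Always",
            },
        },
    },
}


def _pod_spec(manifest):
    """Return the Pod spec for a Deployment or a bare Pod."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def _image_unpinned(image):
    """True when the image has no tag, or uses :latest, and is not a digest reference."""
    if "@sha256:" in image:
        return False
    last_segment = image.rsplit("/", 1)[-1]  # ignore registry:port in the host part
    return ":" not in last_segment or image.endswith(":latest")


def check_container(container, pod_sc):
    """Return finding strings for one container; pod_sc is the Pod-level securityContext."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext", {})
    findings = []
    if _image_unpinned(container.get("image", "")):
        findings.append(f"{name}: image '{container.get('image')}' is not pinned to a tag or digest")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
    # runAsNonRoot may be set at Pod or container level; the container setting wins.
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        findings.append(f"{name}: runAsNonRoot is not set to true")
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append(f"{name}: readOnlyRootFilesystem is not set to true")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: capabilities.drop does not include ALL")
    limits = container.get("resources", {}).get("limits", {})
    if "cpu" not in limits or "memory" not in limits:
        findings.append(f"{name}: cpu/memory limits are missing")
    return findings


def check_deployment(manifest):
    """Run all checks and return the list of findings (an empty list means clean)."""
    spec = _pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork is enabled")
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: automountServiceAccountToken is not set to false")
    for container in spec.get("containers", []):
        findings.extend(check_container(container, pod_sc))
    return findings


def harden(manifest):
    """Return a hardened copy of the manifest that satisfies every check above."""
    hardened = copy.deepcopy(manifest)
    spec = _pod_spec(hardened)
    spec["automountServiceAccountToken"] = False
    spec["securityContext"] = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
    for container in spec["containers"]:
        if _image_unpinned(container["image"]):
            container["image"] = container["image"].split(":")[0] + ":REPLACE_WITH_PINNED_TAG"  # placeholder
        container["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]},
        }
        container["resources"] = {
            "requests": {"cpu": "50m", "memory": "32Mi"},
            "limits": {"cpu": "200m", "memory": "64Mi"},
        }
    return hardened


if __name__ == "__main__":
    for finding in check_deployment(WHOAMI_DEPLOYMENT):
        print("FAIL", finding)
    print("findings after hardening:", check_deployment(harden(WHOAMI_DEPLOYMENT)))
```

Run as-is, the script lists seven findings for the article's manifest and none for the hardened copy. A real scanner such as the one in the workflow above evaluates many more policies than these, but the shape is the same: each policy is a predicate over the parsed manifest, and the pipeline fails when any predicate reports a finding.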

The scan results are also shown visually in the Mondoo Console.

Conclusion

By adding this workflow to your GitHub Actions configuration, you can automatically scan your Kubernetes deployments for security vulnerabilities and compliance issues. The Mondoo GitHub Action provides detailed reports on the scan results, helping you identify and remediate any issues quickly.
