Securing Kubernetes cluster with Mondoo GitHub Actions


In this article, we will show you how to secure your Kubernetes cluster with Mondoo and GitHub Actions. We will use the Mondoo GitHub Action to scan deployed Kubernetes manifests for security vulnerabilities and compliance issues. The Mondoo GitHub Action is a simple and effective way to secure your Kubernetes workloads.

About all the benefits why you want to use Mondoo GitHub Actions to secure your Kubernetes cluster, we have written in the article Mondoo GitHub Actions for Kubernetes Deployments.

Scanning Kubernetes Deployments with Mondoo GitHub Actions

The main difference between the previous article and this one is that we will focus on scanning Kubernetes deployments that are already running in your cluster. This is a common use case when you want to ensure that your production workloads are secure and compliant.

 1name: Mondoo Cluster Scan
 3  schedule:
 4    - cron: '0 0 * * *'
 6    runs-on:
 7      - self-hosted
 8    steps:
 9      - name: create kubeconfig file artifact
10        env:
11          KUBECONFIG: $GITHUB_WORKSPACE/kubeconfig
12        run: |
13          echo "${{ secrets.KUBECONFIG }}" | base64 -d > kubeconfig          
14      - uses: mondoohq/actions/k8s@v11.0.0
15        env:
16          MONDOO_CONFIG_BASE64: '${{ secrets.MONDOO_SERVICE_ACCOUNT }}'
17          KUBECONFIG: kubeconfig
18          CI: false

The GitHub Action workflow above will scan your Kubernetes cluster for security vulnerabilities and compliance issues. The workflow will run each day at 00:00. The Mondoo GitHub Action will use the provided kubeconfig file to connect to your Kubernetes cluster and scan the deployed manifests.

The kubeconfig file is stored as a secret in the GitHub repository.

Finally, the executing Github runner also needs to have network access to the cluster. The runner can be self-hosted or GitHub-hosted relying on the network configuration of the cluster.

This gives a lot of output in the GitHub Actions logs, so you can quickly identify and fix issues. Here is just the summarized output shown:

But also a visual representation in the Mondoo Console is available of all scanned Kubernetes cluster assets:

Go Back explore our courses

We are here for you

You are interested in our courses or you simply have a question that needs answering? You can contact us at anytime! We will do our best to answer all your questions.

Contact us