In this article, we show how to secure your Kubernetes cluster with Mondoo and GitHub Actions. We use the Mondoo GitHub Action to scan the Kubernetes resources deployed in a cluster for security vulnerabilities and compliance issues; it is a simple and effective way to keep Kubernetes workloads secure.
The benefits of using Mondoo GitHub Actions to secure a Kubernetes cluster are covered in the earlier article Mondoo GitHub Actions for Kubernetes Deployments.
The main difference from that article is that here we scan Kubernetes deployments that are already running in the cluster. This is the common case when you want to ensure that your production workloads stay secure and compliant.
```yaml
name: Mondoo Cluster Scan
on:
  schedule:
    # Every day at 00:00 UTC (GitHub evaluates cron schedules in UTC)
    - cron: '0 0 * * *'
jobs:
  scan:
    runs-on:
      - self-hosted
    steps:
      - name: Write kubeconfig from repository secret
        # The secret holds the kubeconfig base64-encoded; decode it into the workspace
        run: |
          echo "${{ secrets.KUBECONFIG }}" | base64 -d > "${GITHUB_WORKSPACE}/kubeconfig"
      - uses: mondoohq/actions/k8s@v11.0.0
        env:
          MONDOO_CONFIG_BASE64: '${{ secrets.MONDOO_SERVICE_ACCOUNT }}'
          # Point the scanner at the file written in the previous step
          KUBECONFIG: ${{ github.workspace }}/kubeconfig
          CI: false
```
The GitHub Actions workflow above scans your Kubernetes cluster for security vulnerabilities and compliance issues. It runs every day at 00:00 UTC; note that scheduled workflows only run from the repository's default branch. The Mondoo GitHub Action uses the provided kubeconfig to connect to the cluster and scan the deployed resources.
The kubeconfig is stored base64-encoded as the KUBECONFIG secret in the GitHub repository and decoded at run time; the Mondoo service account credentials are stored in the MONDOO_SERVICE_ACCOUNT secret. Because anything that can run a workflow in this repository can use these secrets, issue the kubeconfig for a dedicated service account with read-only cluster access rather than an administrator's credentials.
Finally, the GitHub runner executing the job needs network access to the cluster's API server. It can be self-hosted or GitHub-hosted depending on how the cluster is exposed; a GitHub-hosted runner only works if the API endpoint is reachable from the public internet, which is why the example uses a self-hosted runner.
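The workflow consumes two things this article does not show how to produce: a kubeconfig for the scanner and its base64 encoding as a repository secret. The following script is an added example, not code from the article or from Mondoo. It builds a read-only ServiceAccount with a ClusterRole that can only get, list and watch workload and cluster objects (Secrets are deliberately excluded), generates a minimal kubeconfig for it, and encodes that kubeconfig as a single line so that `echo "$SECRET" | base64 -d` in the workflow restores it byte for byte. The namespace `mondoo-scan`, the service account name `mondoo-scanner`, and the resource list in the ClusterRole are assumptions; extend the list only if a Mondoo policy needs more.

```shell
#!/bin/sh
# Added example (not from the original article or from Mondoo): produce the inputs the
# workflow consumes from a least-privilege identity instead of an admin kubeconfig.
# Hypothetical names: namespace "mondoo-scan", service account "mondoo-scanner".

# RBAC for the scanner: read-only (get/list/watch) on workload and cluster objects.
# Secrets are deliberately left out; extend the resource list only if a policy needs it.
scanner_rbac_manifest() {
  ns="$1"
  sa="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${sa}-readonly
rules:
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "pods", "services", "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps", "batch"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa}-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${sa}-readonly
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
EOF
}

# Minimal kubeconfig for that service account: one cluster, one token user, one context.
# $1 API server URL, $2 base64 cluster CA (copied from an existing kubeconfig), $3 bearer token.
scanner_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
  - name: scan-target
    cluster:
      server: $1
      certificate-authority-data: $2
contexts:
  - name: scan
    context:
      cluster: scan-target
      user: scanner
current-context: scan
users:
  - name: scanner
    user:
      token: $3
EOF
}

# Encode stdin for the KUBECONFIG repository secret as one line. GNU base64 wraps at 76
# columns by default; stripping newlines makes the result identical on Linux and macOS.
encode_secret() {
  base64 | tr -d '\n'
}

# Round-trip check: decode the encoded secret and compare it with the original text.
# Prints "ok" and returns 0 when they match, "mismatch" and 1 otherwise.
verify_secret() {
  decoded=$(printf '%s' "$2" | base64 -d)
  if [ "$decoded" = "$1" ]; then echo ok; else echo mismatch; return 1; fi
}

# Operator steps (run manually against the cluster; not executed here):
#   scanner_rbac_manifest mondoo-scan mondoo-scanner | kubectl apply -f -
#   TOKEN=$(kubectl create token mondoo-scanner -n mondoo-scan --duration=720h)
#   scanner_kubeconfig "$SERVER" "$CA_B64" "$TOKEN" | encode_secret | gh secret set KUBECONFIG
# Tokens from `kubectl create token` expire, so the secret must be re-issued before then.
```

The ClusterRole grants no create, update, patch or delete verbs, so a leaked scanner kubeconfig cannot change the cluster; a bounded token further limits how long such a leak is useful. Store the encoded output only in the repository secret, never in the repository itself.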
The scan produces a lot of output in the GitHub Actions logs, so you can quickly identify and fix issues. Only the summary is shown here:
The Mondoo Console additionally provides a visual representation of all scanned Kubernetes cluster assets: