Securing Kubernetes cluster with Mondoo GitHub Actions

thumbnail
Martin Buchleitner | 13.05.2024 Mondoo, Infrastructure as Code

Bicycle

In this article, we will show you how to secure your Kubernetes cluster with Mondoo and GitHub Actions. We will use the Mondoo GitHub Action to scan deployed Kubernetes manifests for security vulnerabilities and compliance issues. The Mondoo GitHub Action is a simple and effective way to secure your Kubernetes workloads.

About all the benefits why you want to use Mondoo GitHub Actions to secure your Kubernetes cluster, we have written in the article Mondoo GitHub Actions for Kubernetes Deployments.

Scanning Kubernetes Deployments with Mondoo GitHub Actions

The main difference between the previous article and this one is that we will focus on scanning Kubernetes deployments that are already running in your cluster. This is a common use case when you want to ensure that your production workloads are secure and compliant.

 1name: Mondoo Cluster Scan
 2on:
 3  schedule:
 4    - cron: '0 0 * * *'
 5jobs:
 6    runs-on:
 7      - self-hosted
 8    steps:
 9      - name: create kubeconfig file artifact
10        env:
11          KUBECONFIG: $GITHUB_WORKSPACE/kubeconfig
12        run: |
13          echo "${{ secrets.KUBECONFIG }}" | base64 -d > kubeconfig          
14      - uses: mondoohq/actions/k8s@v11.0.0
15        env:
16          MONDOO_CONFIG_BASE64: '${{ secrets.MONDOO_SERVICE_ACCOUNT }}'
17          KUBECONFIG: kubeconfig
18          CI: false

The GitHub Action workflow above will scan your Kubernetes cluster for security vulnerabilities and compliance issues. The workflow will run each day at 00:00. The Mondoo GitHub Action will use the provided kubeconfig file to connect to your Kubernetes cluster and scan the deployed manifests.

The kubeconfig file is stored as a secret in the GitHub repository.

Finally, the executing Github runner also needs to have network access to the cluster. The runner can be self-hosted or GitHub-hosted relying on the network configuration of the cluster.

This gives a lot of output in the GitHub Actions logs, so you can quickly identify and fix issues. Here is just the summarized output shown:

But also a visual representation in the Mondoo Console is available of all scanned Kubernetes cluster assets:

Go Back explore our courses
Similar Articles & Courses
Our Recommendation

Mondoo Essentials

Gain hands-on experience with Mondoo, mastering its features, custom policies, and advanced security management.

Mondoo Advanced

Master Mondoo’s advanced features in one day, focusing on policy scoring, exception handling, data exporting, smart ticketing, and custom compliance frameworks.

thumbnail
Matthias Theuermann | 14.11.2024 Devops

Understanding DevOps and Cloud Maturity Models: A Guide to Elevating Your IT Strategy

In today’s fast-paced technological landscape, DevOps and Cloud practices are integral to accelerating software delivery and optimizing cloud resources. But as

thumbnail
Martin Buchleitner | 04.11.2024 Devops, IAC

Efficient Testing Environments with Vagrant and Ansible: Simplifying Automation

Setting up consistent testing environments is essential for development, and Vagrant combined with Ansible is a powerful, flexible solution for automating this

thumbnail
Martin Buchleitner | 17.10.2024 Infrastructure as Code, Devops, HashiCorp, Packer, Vault, Mondoo

Github Action to Build Golden Images with HashiCorp Packer

In previous posts we have already shown multiple ways to use HashiCorp Packer to build Golden Images. In this post we will show how to automate the process with

thumbnail
Martin Buchleitner | 16.10.2024 Infrastructure as Code, Devops, HashiCorp, Consul

Automating DNS Updates from Kubernetes - HashiCorp Style

In dynamic Kubernetes environments, managing DNS records can be a challenge. As services scale, redeploy, or change IP addresses, ensuring that DNS records

We are here for you

You are interested in our courses or you simply have a question that needs answering? You can contact us at anytime! We will do our best to answer all your questions.

Contact us