Securing Kubernetes cluster with Mondoo GitHub Actions

In this article, we will show you how to secure your Kubernetes cluster with Mondoo and GitHub Actions. We will use the Mondoo GitHub Action to scan deployed Kubernetes manifests for security vulnerabilities and compliance issues. The Mondoo GitHub Action is a simple and effective way to secure your Kubernetes workloads.

We covered the benefits of using Mondoo GitHub Actions to secure your Kubernetes cluster in the earlier article Mondoo GitHub Actions for Kubernetes Deployments.

Scanning Kubernetes Deployments with Mondoo GitHub Actions

The main difference between the previous article and this one is that we will focus on scanning Kubernetes deployments that are already running in your cluster. This is a common use case when you want to ensure that your production workloads are secure and compliant.

name: Mondoo Cluster Scan
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  scan:   # job id; the original listing omitted it, which makes the workflow invalid
    runs-on:
      - self-hosted
    steps:
      - name: create kubeconfig file artifact
        env:
          # env values are not shell-expanded, so use the expression form
          KUBECONFIG: ${{ github.workspace }}/kubeconfig
        run: |
          echo "${{ secrets.KUBECONFIG }}" | base64 -d > kubeconfig
      - uses: mondoohq/actions/k8s@v11.0.0
        env:
          MONDOO_CONFIG_BASE64: '${{ secrets.MONDOO_SERVICE_ACCOUNT }}'
          KUBECONFIG: kubeconfig
          CI: false

The GitHub Action workflow above will scan your Kubernetes cluster for security vulnerabilities and compliance issues. The workflow will run each day at 00:00. The Mondoo GitHub Action will use the provided kubeconfig file to connect to your Kubernetes cluster and scan the deployed manifests.

The kubeconfig file is stored base64-encoded as the KUBECONFIG secret in the GitHub repository and decoded into the workspace at the start of the job.

Finally, the GitHub runner executing the workflow needs network access to the cluster's API server. Whether a self-hosted or a GitHub-hosted runner is appropriate depends on the cluster's network configuration; the workflow above uses a self-hosted runner.
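The kubeconfig step above decodes the secret straight into the workspace. As an added example (not from the original article or from Mondoo's action), here is a hardened version of that step's shell that creates the file with owner-only permissions and checks that the decoded content really is a kubeconfig before the scan runs; the helper names and the sample kubeconfig are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Hardened replacement for the "create kubeconfig file artifact" step.
# Added example; the helper names and sample kubeconfig are constructed.
set -euo pipefail
# Decode a base64 kubeconfig ($1) into path $2, created with mode 0600 so
# other users on a shared self-hosted runner cannot read the credentials.
write_kubeconfig() {
  local encoded="$1" out="$2"
  ( umask 077; printf '%s' "$encoded" | base64 -d > "$out" )
}
# Return 0 if $1 carries the fields a kubeconfig must have, 1 otherwise, so a
# broken or empty secret fails the job instead of yielding a misleading scan.
validate_kubeconfig() {
  local f="$1"
  [ -s "$f" ] || return 1
  grep -q '^kind: Config$' "$f" || return 1
  grep -q '^clusters:' "$f" || return 1
  # Every API server endpoint must use TLS; refuse plain-http clusters.
  grep -q '^[[:space:]]*server: http://' "$f" && return 1
  grep -q '^[[:space:]]*server: https://' "$f" || return 1
  return 0
}
# Constructed sample kubeconfig; the workflow uses ${{ secrets.KUBECONFIG }}.
SAMPLE_KUBECONFIG='apiVersion: v1
kind: Config
clusters:
- name: demo
  cluster:
    server: https://10.0.0.1:6443
contexts:
- name: demo
  context: {cluster: demo, user: demo}
current-context: demo
users:
- name: demo
  user: {token: PLACEHOLDER-TOKEN}
'
# Stand-alone demonstration: decode into a scratch dir, validate, clean up.
main() {
  local dir out; dir="$(mktemp -d)"; out="$dir/kubeconfig"
  write_kubeconfig "$(printf '%s' "$SAMPLE_KUBECONFIG" | base64)" "$out"
  validate_kubeconfig "$out" || { echo "invalid kubeconfig secret" >&2; exit 1; }
  echo "kubeconfig written to $out ($(ls -ld "$out" | cut -c1-10))"
  rm -rf "$dir"
}
main
```

In the workflow, the two functions would replace the single `base64 -d` line of the `run:` block, with the real secret passed in place of the sample.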

The scan produces detailed output in the GitHub Actions logs, so you can quickly identify and fix issues. Only the summarized output is shown here:

The Mondoo Console also provides a visual representation of all scanned Kubernetes cluster assets:
