Kubernetes Integrations in Mend Container
Overview
This feature offers agentless scanning of Container Images from Kubernetes Clusters to indicate which images are deployed and on which resources and environments.
Getting it done
Navigate to the organization’s Integrations page (→ Integrations):
Click on a logo to create a new integration:
Amazon EKS
The Mend Kubernetes (K8s) integration can connect with your Amazon EKS service using your provided access and secret keys.
Prerequisites before you Configure Mend’s Kubernetes Integration for Amazon EKS
Your Mend user must be an organization administrator.
Your Amazon EKS role that owns the access and secret keys provided to Mend for authentication must have an IAM policy attached with the necessary actions for all relevant K8s clusters. See the Amazon EKS setup for Mend K8s integration access section of this document for instructions.
AWS PrivateLink or CIDRs for public access are not supported.
Private-only EKS clusters are not supported.
Amazon EKS Setup for Mend K8s Integration Access
Create/Edit an AWS user with the following IAM policy that includes these policy permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:ListTagsForResource",
        "eks:AccessKubernetesApi",
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "arn:aws:eks:<REGION>:<ACCOUNT_ID>:cluster/*"
    }
  ]
}
```
Mend Tip: If you are scanning images from your private ECR, make sure to include the permissions needed for Mend to integrate with your private registries: Configure your private Amazon Elastic Container Registry (ECR) with Mend. Also, here are additional reading sources from AWS:
Create access and secret keys for this user via the Security Credentials tab → Access keys section within AWS. Keep the access and secret keys on hand for the integration steps later on within the Mend Application. For assistance within AWS, read here: Managing access keys (console).
Apply Mend’s Cluster Role provided below to each of the clusters you wish to integrate. This step allows Mend access to the clusters to obtain the list of running images. In the mend-readonly-group.yaml YAML file example below, we use readonly-group as the value for the group name:
```yaml
# Read-only ClusterRole: get/watch/list on every resource in every API group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly-clusterrole
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
# Bind the role cluster-wide to the group that the AWS user is mapped to
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly-clusterrole
subjects:
- kind: Group
  name: readonly-group
  apiGroup: rbac.authorization.k8s.io
```
"*" can be replaced with a specific list of resources, based on your needs.
Mend Tip: You can apply the YAML file above with kubectl via the following command: kubectl apply -f mend-readonly-group.yaml. Also, here are additional reading sources from AWS:
Within the ConfigMap, add your AWS user (from step one) and its ARN under the mapUsers section:
Open the ConfigMap (i.e. via the kubectl command: kubectl edit configmap aws-auth -n kube-system).
Using our readonly-group example from step three, add to the mapUsers section (or create a mapUsers section, if needed) the following:
```yaml
mapUsers: |
  - groups:
    - readonly-group
    userarn: <USER_ARN>
    username: <USERNAME>
```
Save your changes and exit out of the files. You are now ready to configure the integration within the Mend Application.
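To see what the wildcard rule in step three grants, and what replacing "*" with a specific resource list changes, the following added example (not Mend's code) models RBAC rule matching in simplified form. The narrowed resource list is an assumption chosen for illustration, not Mend's documented minimum, and `allows` and `sensitive_reads` are hypothetical helper names.

```python
# Added example: simplified model of how RBAC rules are matched.
# Rules are dicts mirroring the entries under "rules:" in a ClusterRole.

PAGE_RULES = [  # the rule from readonly-clusterrole on this page
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
]

NARROWED_RULES = [  # constructed; this resource list is an assumption
    {"apiGroups": [""], "resources": ["pods", "namespaces"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["apps"],
     "resources": ["deployments", "daemonsets", "statefulsets", "replicasets"],
     "verbs": ["get", "watch", "list"]},
]

# Core-group resources whose contents are sensitive when readable.
SENSITIVE = ("secrets", "configmaps")
READ_VERBS = ("get", "list", "watch")

def _field_matches(values, wanted):
    """A field matches on an exact entry or on the "*" wildcard."""
    return "*" in values or wanted in values

def _resource_matches(rule_resources, resource):
    """Match "*", an exact name, or "*/<subresource>" for subresource requests."""
    _, _, sub = resource.partition("/")
    return any(
        r == "*" or r == resource or (sub and r == "*/" + sub)
        for r in rule_resources
    )

def allows(rules, api_group, resource, verb):
    """True if any rule grants `verb` on `resource` in `api_group`."""
    return any(
        _field_matches(rule.get("verbs", []), verb)
        and _field_matches(rule.get("apiGroups", []), api_group)
        and _resource_matches(rule.get("resources", []), resource)
        for rule in rules
    )

def sensitive_reads(rules):
    """List "resource:verb" pairs from SENSITIVE that the rules allow."""
    return [f"{res}:{verb}" for res in SENSITIVE for verb in READ_VERBS
            if allows(rules, "", res, verb)]

if __name__ == "__main__":
    print("page rule:    ", sensitive_reads(PAGE_RULES))
    print("narrowed rule:", sensitive_reads(NARROWED_RULES))
```

Against a live cluster, `kubectl auth can-i list secrets --as=<USERNAME> --as-group=readonly-group` answers the same question for the mapped user.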
Set up the Mend Kubernetes Integration for Amazon EKS in the Mend Platform UI

Step 1 - General Details
Fill in the desired Display Name (mandatory).
Add a Description (optional).
Select the Environment (Production/Dev/QA/Staging). (Mandatory; multi-selection is supported).
Step 2 - Authentication
Fill in the Region, Access Key and Secret Key of your Amazon EKS:

Once configured, use the Test Connection button to verify connectivity. Once verified, you can proceed to the next step.
Step 3 - Clusters
The summary of detected clusters will be displayed. Click Next to proceed to the next step.

Step 4 - Configuration
Fill in the Configuration information to define your scan schedule:

Enable Schedule - Toggle off to disable scheduling.
Scan Time
Frequency
Scan on Connect - When toggled on, a scan is triggered automatically once the integration setup is completed.
Scheduling image registry scans is crucial for maintaining the security and integrity of your container images. By default, a scan interval of 7 days will be applied. You can change the scan interval in 1-day increments or select specific days of the week when you wish for scans to be executed.
Note: After the first scan (in which the latest 10 tags are scanned), in every scheduled scan only newly pushed images from the registry or changed images will be scanned. This is because vulnerability and package updates occur automatically in an asynchronous manner, keeping the security information up-to-date without requiring new scans.
Click the Next button at the bottom right to move on to the next step.
Step 5 - Summary
In this step, the summary of your input from the previous steps will be displayed. You can go back to the previous screens of the wizard to make changes, by clicking the ‘Back’ button at the bottom right corner of the screen. If you wish to confirm your configuration and add your registry, click the ‘Done’ button:

A Registry Added Successfully message will pop up at the bottom-left corner of the user interface once the integration credentials and configuration have been verified:

Reference
Mend Kubernetes Integration - Amazon EKS Parameters
Parameter | Description |
---|---|
Display Name | The name of your K8s integration. This will be displayed in the Integrations dashboard → Kubernetes tab. |
Description | Optional. Provide any text. We recommend providing information that will help you remember the integration. |
Region | Select the AWS region where your Amazon EKS is hosted. The region options are: |
Environments | Select the type of environment of your Amazon EKS (multiple options can be selected). The environment options are: |
Access method | The method to authenticate Mend with your Amazon EKS environment. The available options are: |
Access Key | Provide your user access key for your EKS environment. |
Secret Key | Provide your user secret key for your EKS environment. |
Native K8s
The Mend Kubernetes (K8s) cluster integration can connect with your Native K8s service using your provided kubeconfig file.
Prerequisites before you Configure Mend.io’s Kubernetes Integration for Native K8s
Your Mend user must be an organization administrator
Your provided kubeconfig file is in JSON or YAML file format and contains the following scopes:
apiVersion
kind
clusters
users
contexts
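A pre-upload check for the prerequisites above, as an added example (not part of Mend's tooling): it verifies the listed top-level keys and additionally checks that contexts resolve and that TLS verification is not disabled. It handles the JSON form only; the sample kubeconfig and the function name `check_kubeconfig` are constructed for illustration.

```python
import json

# Top-level keys the page lists as required in the kubeconfig.
REQUIRED_KEYS = ("apiVersion", "kind", "clusters", "users", "contexts")

# Constructed sample (JSON form); server and names are placeholders.
SAMPLE = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "demo",
                  "cluster": {"server": "https://k8s.example.invalid:6443"}}],
    "users": [{"name": "scanner", "user": {"token": "<REDACTED>"}}],
    "contexts": [{"name": "demo-ctx",
                  "context": {"cluster": "demo", "user": "scanner"}}],
    "current-context": "demo-ctx",
})

def check_kubeconfig(text):
    """Return a list of problems found; an empty list means all checks passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level is not a mapping"]
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]
    clusters = {c.get("name"): c.get("cluster") or {}
                for c in cfg.get("clusters") or []}
    users = {u.get("name") for u in cfg.get("users") or []}
    contexts = cfg.get("contexts") or []
    for ctx in contexts:  # every context must point at a defined cluster and user
        body = ctx.get("context") or {}
        if body.get("cluster") not in clusters:
            problems.append(f"context {ctx.get('name')}: unknown cluster {body.get('cluster')}")
        if body.get("user") not in users:
            problems.append(f"context {ctx.get('name')}: unknown user {body.get('user')}")
    current = cfg.get("current-context")
    if current and current not in {c.get("name") for c in contexts}:
        problems.append(f"current-context {current} is not defined")
    for name, cluster in clusters.items():  # transport checks per cluster
        if cluster.get("insecure-skip-tls-verify"):
            problems.append(f"cluster {name}: insecure-skip-tls-verify is set")
        if not str(cluster.get("server", "")).startswith("https://"):
            problems.append(f"cluster {name}: server is not an https:// URL")
    return problems

if __name__ == "__main__":
    print(check_kubeconfig(SAMPLE) or "ok")
```

`kubectl config view --raw --minify -o json` emits the current context in JSON form, which keeps the uploaded file limited to the one cluster and user the integration needs.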
Set up the Mend Kubernetes Integration for Native K8s in the Mend Platform UI
Step 1 - General Details

Fill in the desired Display Name (mandatory).
Add a Description (optional).
Select the Environment (Production/Dev/QA/Staging). (Mandatory; multi-selection is supported).
Step 2 - Authentication
Drag and drop your Kubeconfig file into the designated box or click the + button to browse for it in your file system.

Once uploaded, use the Test Connection button to verify connectivity. Once verified, you can proceed to the next step.
Step 3 - Clusters
The summary of detected clusters will be displayed. Click Next to proceed to the next step.

Step 4 - Configuration
Fill in the Configuration information to define your scan schedule:

Enable Schedule - Toggle off to disable scheduling.
Scan Time
Frequency
Scan on Connect - When toggled on, a scan is triggered automatically once the integration setup is completed.
Scheduling image registry scans is crucial for maintaining the security and integrity of your container images. By default, a scan interval of 7 days will be applied. You can change the scan interval in 1-day increments or select specific days of the week when you wish for scans to be executed.
Note: After the first scan (in which the latest 10 tags are scanned), in every scheduled scan only newly pushed images from the registry or changed images will be scanned. This is because vulnerability and package updates occur automatically in an asynchronous manner, keeping the security information up-to-date without requiring new scans.
Click the Next button at the bottom right to move on to the next step.
Step 5 - Summary
In this step, the summary of your input from the previous steps will be displayed. You can go back to the previous screens of the wizard to make changes, by clicking the ‘Back’ button at the bottom right corner of the screen. If you wish to confirm your configuration and add your registry, click the ‘Done’ button:

A Registry Added Successfully message will pop up at the bottom-left corner of the user interface once the integration credentials and configuration have been verified:

Reference
Mend Kubernetes Integration - Native K8s Parameters
Parameter | Description |
---|---|
Display Name | The name of your K8s integration. This will be displayed in the Integrations dashboard → Kubernetes tab. |
Description | Optional. Provide any text. We recommend providing information that will help you remember the integration. |
Environment | Select the type of environment of your K8s native service (multiple options can be selected). The environment options are: |
Kubeconfig | Drag & drop or click on Select File to provide your kubeconfig file for the integration. |