Prep your Kubernetes Clusters for a Scan by Mend Container

Overview

This feature offers agentless scanning of Container Images from Kubernetes Clusters to indicate which images are deployed and on which resources and environments.

Getting it done

Navigate to the organization’s Integrations page ( → Integrations):
Click on a logo to create a new integration:

Amazon EKS

The Mend Kubernetes (K8s) integration can connect with your Amazon EKS service using your provided access and secret keys.

Prerequisites before you configure Mend’s Kubernetes integration for Amazon EKS

Your Mend user must be an organization administrator.
Your Amazon EKS role that owns the access and secret keys provided to Mend for authentication must have an IAM policy attached with the necessary actions for all relevant K8s clusters. See the Amazon EKS setup for Mend K8s integration access section of this document for instructions.

Amazon EKS setup for Mend K8s integration access

Create/Edit an AWS user with the following IAM policy that includes these policy permissions:

CODE

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "eks:ListTagsForResource",
                "eks:AccessKubernetesApi",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "<USER_ARN>"
        }
    ]
}

Mend Tip: If you are scanning images from your private ECR, make sure to include the permissions needed for Mend to integrate with your private registries: Configure your private Amazon Elastic Container Registry (ECR) with Mend. Also, here are additional reading sources from AWS:

Create access and secret keys for this user via the Security Credentials tab → Access keys section within AWS. Keep the access and secret keys on hand for the integration steps later on within the Mend Application. For assistance within AWS, read here: Managing access keys (console).
Apply Mend’s Cluster Role provided below to each of the clusters you wish to integrate. This step allows Mend access to the clusters to obtain the list of running images. In the mend-readonly-group.yaml YAML file example below, we use readonly-group as the value for the group name:

CODE

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly-clusterrole
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly-clusterrole
subjects:
- kind: Group
  name: readonly-group
  apiGroup: rbac.authorization.k8s.io

"*" can be replaced with a specific list of resources, based on your needs.

Mend Tip: You can apply the YAML file above with kubectl via the following command:
kubectl apply -f mend-readonly-group.yaml. Also, here are additional reading sources from AWS:

Within the ConfigMap, add your AWS user (from step one) and its ARN under the mapUsers section:
1. Open the ConfigMap (i.e via the kubectl command: kubectl edit configmap aws-auth -n kube-system)
2. Using our readonly-group example from step three, add to the mapUsers section (or create a mapUsers section, if needed) the following:
  CODE
```
 mapUsers: |
    - userarn: <USER_ARN>
      username: <USERNAME>
      groups:
      - readonly-group
```
Save your changes and exit out of the files. You are now ready to configure the integration within the Mend Application.

Reference

Mend Kubernetes integration - Amazon EKS parameters

Parameter	Description
Display Name	The name of your K8s integration. This will be displayed in the Integrations dashboard → Kubernetes tab.
Description	Optional. Provide any text. We recommend providing information that will help you remember the integration.
Region	Select the AWS region where your Amazon EKS is hosted. The region options are: `us-east-(1-2)` `us-west-(1-2)` `af-south-1` `ap-east-1` `ap-south-1` `ap-northeast-(1-3)` `ap-southeast-(1-2)` `ca-central-1` `eu-central-1` `eu-west-(1-3)` `eu-south-1` `eu-north-1` `me-south-1` `sa-east-1`
Environments	Select the type of environment of your Amazon EKS (multiple options can be selected). The environment options are: `Production` `Dev` `QA` `Staging`
Access method	The method to authenticate Mend with your Amazon EKS environment. The available options are: `Access Key & Secret Key`
Access Key	Provide your user access key for your EKS environment
Secret Key	Provide your user secret key for your EKS environment.

Native K8s

The Mend Kubernetes (K8s) cluster integration can connect with your Native K8s service using your provided kubeconfig file.

Prerequisites before you configure Mend.io’s Kubernetes integration for Native K8s

Your Mend user must be an organization administrator
Your provided kubeconfig file is in JSON or YAML file format and contains the following scopes:
- apiVersion
- kind
- clusters
- users
- contexts

Set up the Mend Kubernetes integration for Native K8s in the Mend Platform UI

Fill in the desired Display Name (mandatory).
Add a Description (optional).
Select the Environment (Production/Dev/QA/Staging). (Mandatory; multi-selection is supported).
Drag and drop your Kubeconfig file into the designated box or click the + button to browse for it in your file system.
Confirm the number of clusters identified is correct and which are accessible to Mend for the integration:

Reference

Mend Kubernetes integration - Native K8s parameters

Parameter	Description
Display Name	The name of your K8s integration. This will be displayed in the Integrations dashboard → Kubernetes tab.
Description	Optional. Provide any text. We recommend providing information that will help you remember the integration.
Environment	Select the type of environment of your K8s native service (multiple options can be selected). The environment options are: Production Dev QA Staging
Kubeconfig	Drag & drop or click on Select File to provide your kubeconfig file for the integration.