
nctl scan kubernetes

Scan Command

With nctl, scan any Kubernetes cluster without deploying anything on the cluster. Just point it at the kubeconfig file and it will scan the cluster and generate a full-fledged scan report.

nctl scan kubernetes [flags]

By default, nctl scans the cluster referenced by the kubeconfig file located at ~/.kube/config. If the kubeconfig is in a different location, use the --kubeconfig argument to point to that location. The cluster is scanned for these Nirmata curated policy sets -

It is also possible to scan a Kubernetes cluster against custom policies using the --policies or --policy-sets flag, which are described below.

Once the scan is complete, nctl provides a summary report on the policy status for different resources in the cluster grouped by Policy Category and also by namespaces. To view detailed reports, use the --expand flag.

Scan Options

Flag                          Shorthand  Description
--cluster                                Scan resources across the whole cluster (default: false).
--audit-as-warn                          Report violations from policies in audit mode as warnings instead of failures.
--help                        -h         Help for the kubernetes command.
--details                                Show details of a scan: the violating resources and the violated policies.
--exception <strings>         -e         Policy exception(s) to be considered when evaluating policies against resources.
--exclude-cluster-polex                  Exclude in-cluster policy exceptions from the evaluation of a cluster scan.
--exclude-cluster-policies               Exclude in-cluster policies from the evaluation of a cluster scan.
--exclude-cluster-res                    Exclude in-cluster resources from the evaluation of a cluster scan.
--file <string>                          Name of the file in which to store the scan result.
--namespace <string>          -n         Scan only specific namespaces in the cluster; a comma-separated list of namespaces may be given.
--output <string>             -o         Output format of the scan result: json, text, yaml or sarif (default: text).
--kube-context <string>                  Kube context to use from the configured kubeconfig (default: the current or sole context).
--kubeconfig <string>                    Path to the kubeconfig file (default: $HOME/.kube/kubeconfig).
--policies <strings>          -p         Path to policy files (local path, GitHub URL, Helm URL) to scan against custom policies.
--policy-sets <string>                   Scan against several policy sets in one command; provide a comma-separated list of policy sets (pss-baseline, pss-restricted, rbac-best-practices).
--policy-view                            Show which policy was violated in the detailed scan results; use together with the --details flag.
--resources <strings>         -r         Path to resource files (local path, GitHub URL). Scans the given resource files instead of all resources in a cluster. Combined with the --policies flag, this can be used in a CI pipeline to check Kubernetes manifests for misconfigurations.
--values-file <string>                   File path from which to extract values of policy variables.
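The CI use of --resources with --policies described above, as an added example that is not part of the nctl documentation: a small POSIX sh wrapper that assembles the scan command from the flags listed on this page, rejects unknown curated policy set names before anything runs, and writes SARIF for a code-scanning upload. NCTL_BIN is an assumed variable so the command can be pointed at a stub where nctl is not installed.

```shell
#!/bin/sh
# Added example, not from the nctl docs. Uses only flags documented on this page.

# build_scan_args MANIFEST_PATH POLICY_PATH OUTPUT_FILE [POLICY_SETS]
# Prints the nctl argument list; fails (exit 1) on an unknown curated policy set.
build_scan_args() {
  manifests=$1; policies=$2; out=$3; policy_sets=${4:-}
  args="scan kubernetes --resources $manifests --policies $policies"
  if [ -n "$policy_sets" ]; then
    # Validate against the three curated sets the page documents.
    for ps in $(printf '%s' "$policy_sets" | tr ',' ' '); do
      case "$ps" in
        pss-baseline|pss-restricted|rbac-best-practices) ;;
        *) echo "unknown policy set: $ps" >&2; return 1 ;;
      esac
    done
    args="$args --policy-sets $policy_sets"
  fi
  # --details with --policy-view names the violated policy per resource;
  # SARIF is the format code-scanning uploaders consume.
  printf '%s' "$args --details --policy-view --output sarif --file $out"
}

# run_scan: same arguments as build_scan_args. Runs nctl and propagates its
# exit status so the CI step fails when the scan reports a failure.
run_scan() {
  args=$(build_scan_args "$@") || return 1
  # NCTL_BIN is an assumed override (e.g. a stub in CI images without nctl).
  # shellcheck disable=SC2086  # word splitting of $args is intended
  "${NCTL_BIN:-nctl}" $args
}
```

Call run_scan ./manifests ./policies scan.sarif pss-restricted from the pipeline step; add --audit-as-warn to the argument string if audit-mode policies should not block the build.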