Kubernetes Integration

Integration guide for Resmo Kubernetes Integration.

Resmo + Kubernetes Integration Fundamentals

Resmo seamlessly integrates with Kubernetes to ensure your resources stay secure and compliant.

What does Resmo offer to Kubernetes users?

• Collect and monitor all your Kubernetes resources in one place

• Run automated audits with predefined or custom rules

• Set up notification rules to get alerted on rule violation

• Query your assets and receive instant answers

• Use the Best Practices pack to check your Kubernetes security and compliance posture.

How does the integration work?

Resmo Kubernetes Integration collects resources by establishing a trust relationship in your cluster. After you copy and paste the YAML specified in the How to install section to your Kubernetes cluster, a CronJob starts operating periodically. Once triggered, it sends requests to our servers, pulling resources inside the cluster. Then, we process them on the server. The app operating in your Kubernetes cluster is provided as a docker image without any authorization limits. Resmo performs the resource validation with a unique IngestKey. Note: An IngestKey is different for each integration.

• YAML

• IngestKey

Available resources

Resmo Kubernetes integration aggregates deployments, jobs, pods, cluster roles, services, and more.

KubernetesResource Directory

Common queries and rules

• List job containers without livenessProbe.

• Find deployment containers with privilege escalation.

• See Kubernetes services with NodePort and LoadBalancer type.

• Find pod containers with privileged ports.

• List replicaset in default namespace.

• Identify cronjob containers without a memory limit.

Integration walkthrough

How to install

1. Apply the following YAML to your Kubernetes cluster:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: resmo-data-collector
spec:
  schedule: "*/30 * * * *"
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        metadata:
          name: resmo-data-collector
        spec:
          restartPolicy: Never
          serviceAccountName: resmo-data-collector-service-account
          containers:
            - name: resmo-data-collector
              image: resmoio/resmo-kubernetes-agent:0.0.1
              imagePullPolicy: IfNotPresent
              env:
                - name: RESMO_KUBERNETES_ENDPOINT
                  value: "https://id.resmo.app/integration/kubernetes/ingest"
                - name: RESMO_INGEST_KEY
                  value: "f039650b-6410-4cf1-93d9-5cf240b6ba62"
              resources:
                limits:
                  cpu: "300m"
                  memory: "200Mi"
                requests:
                  cpu: "200m"
                  memory: "100Mi"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: resmo-data-collector-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: resmo-data-collector-service-account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: resmo-data-collector-role-binding
subjects:
  - kind: ServiceAccount
    name: resmo-data-collector-service-account
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: resmo-data-collector-role

2. Log in to your Resmo account and navigate to the Integrations page.

1. Select Kubernetes and click the Add Integration button from the bottom right corner of the opening modal.

2. Paste your Ingest Key into the related field. (Ingest Key is used as a secret for authentication.)

3. Hit the Create button, and you can start querying your Kubernetes resources!

How to uninstall

1. Log in to your Resmo account.

2. Navigate to Integrations and select Kubernetes. Go to the Connected Integrations tab from the opening modal and select the one you want to remove.

3. To temporarily pause the integration, click Disable. To remove it permanently, click Delete.