checkov VS Kyverno

Checkov https://www.checkov.io A static analysis tool to scan infrastructure code for misconfigs, secrets, and best practice violations.

PR #6647

Checkov infrastructure-as-code misconfig detection

Link do repo

Link: https://github.com/bridgecrewio/checkov

Checkov: static analysis for IaC

Prior to deploying kubernetes manifest files to EKS Cluster, supplementary steps need to be added to prevent security and misconfiguration issue by using both *Checkov *and Trivy . Also, we will use seperate ArgoCD account from admin user that we’ve used in the previous lab. This will follow ArgoCD RBAC rule to secure ArgoCD and EKS cluster ultimately.

The workflow also includes a step for infrastructure code scan to scan Terraform code. This uses Checkov action against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.

Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0

Tools: Open Policy Agent (OPA) Gatekeeper (https://open-policy-agent.github.io/gatekeeper/) and Kyverno (https://kyverno.io/) are widely used for enforcing policies on Kubernetes. They act as admission controllers, intercepting requests to the Kubernetes API server and validating them against predefined policies.

The most common Kubernetes native policy engines are Kyverno and OPA Gatekeeper.

🛠️ Tools like Kyverno and OPA Gatekeeper make writing policies easier.

curl -LO https://github.com/kyverno/kyverno/releases/download/v1.12.0/kyverno-cli_v1.12.0_linux_x86_64.tar.gz tar -xvf kyverno-cli_v1.12.0_linux_x86_64.tar.gz sudo cp kyverno /usr/local/bin/

For next few months along with my internship I was focusing was on building projects, learning go and Kubernetes, and leaning about another CNCF project called CNCF Kyverno, it is a Kubernetes native policy engine. If we go back a little bit, when ORAS did not come for LFX, I started searching for other CNCF projects I that is when I saw KubeEdge, the project I am currently working under and Kyverno where I became an official contributor later. I started learning about Kyverno, one of my friends recommended me to contribute to Kyverno and I would also recommend any newbie who wants to start contributing to open source that you should choose an active project (where maintainers are active and regularly help contributors). I can recommend Kyverno to any beginner because it has a really good documentation and maintainers a very supportive. Luckily all three projects I have contributed to till now have been amazing. Also I would suggest that at KubeEdge, we are continuously trying to improve our documentation so if you think you would want to help us, please join the community and contribute.

How projects uniquely utilize etcd: I initially knew that configuration data was stored in etcd. However, I never knew that a project could utilize it to store other important information. For example, Kyverno uses it to store policy reports.

kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.11.1/install.yaml

Bart: Our numerous podcast discussions with seasoned professionals show that GitOps has been a recurring theme in about 90% of our conversations. Almost every guest we've interviewed has emphasized its importance, often mentioning it as their primary tool alongside other essentials like cert manager, Kyverno, or OPA, depending on their preferences.

Anyway, I haven’t checked for sure as I’m away from laptop but it should be possible to use something like Kyverno to block that operation. We had to do similar in the past to hotfix a bug in our CLI tool. I wrote a blog post about it that might give you an idea: https://www.giantswarm.io/blog/restricting-cluster-admin-permissions

Cosign is used for signing containers through a variety of different methods. It has strong integration with other open source tools, such as Kyverno.