Request for classic confinement and name change for cli-kubescape

To scan the Kubernetes cluster, Kubescape needs to read the kubeconfig file located at ~/.kube/config, and then it needs to read the client-certificate and key file, which can actually be located anywhere, as defined in that file, to get access to the Kubernetes cluster. So strict mode is not practical in this case.

By the way, can the package name cli-kubescape get changed into kubescape directly? kubescape is a reserved name and I can’t manage to have that name.

Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project. It is an open-source Kubernetes security platform and includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.

Can you please refer to the Process for reviewing classic confinement snaps and let us know which of the requirements for classic confinement your snap has (ie. the ability to read the client-certificate and key file located anywhere?) - and which of the supported categories for classic confinement it fits within? Thanks.

Hi! Thank you for your reply! It exactly fits the category "kubernetes tools requiring arbitrary authentication agents", and the requirements for classic confinement are exactly the same reason as in the discussion link you provided in that category (the ability to read the client-certificate and key file located anywhere: Classic confinement for kontena-lens).

Hi @hollowman, thanks for the information

The linked forum request of kontena-lens requires reading kubeconfig and might execute specific cloud binaries to get the specific cloud-config, which is not the case here, I suppose. Here, the snap only wants to read the kubeconfig file and then read the key and certificate files from the location provided in the kubeconfig file.

I know the path for the client-certificate and key file can be set by the user to any location, including personal files, home directories, or any removable media. These locations are as adequate as any other strict mode snap.

If I have overlooked anything here, @alexmurray please feel free to correct me.

Thanks

1 Like

@0xnishit Hi! Just to correct you: it’s exactly the same case as kontena-lens, since we (kubescape) need to use kubeconfig and get authenticated into the Kubernetes cluster to do security scanning. The key and certificate files are just an example, and here is a list of all the cases supported by the kubeconfig to do the authentication: Classic confinement for kontena-lens
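To make the point above concrete, here is an added illustration (not Kubescape's own code, and not snapd's actual confinement policy): it walks a constructed kubeconfig, lists every file or binary a client would open or run to authenticate, and maps each one to the snap interface a strictly confined snap would need under a deliberately simplified model. The home directory, the sample paths and the interface mapping are assumptions made for the example.

```python
import json

# Constructed kubeconfig (kubectl accepts JSON as well as YAML); every path
# here is a sample value, not a real credential.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "prod", "cluster": {
        "server": "https://10.0.0.1:6443",
        "certificate-authority": "/etc/kubernetes/pki/ca.crt"}}],
    "users": [
        {"name": "admin", "user": {"client-certificate": "/media/usb/admin.crt",
                                   "client-key": "~/.kube/admin.key"}},
        {"name": "cloud", "user": {"exec": {"command": "/usr/local/bin/aws",
                                            "args": ["eks", "get-token"]}}},
        {"name": "sa", "user": {"tokenFile": "~/tokens/sa.token"}},
    ],
})

def referenced_files(kubeconfig_text, home="/home/alice"):
    """(owner, field, absolute path) for every file or binary the kubeconfig
    makes the client open or run while authenticating to a cluster."""
    cfg = json.loads(kubeconfig_text)
    found = []
    for c in cfg.get("clusters", []):
        ca = c.get("cluster", {}).get("certificate-authority")
        if ca:
            found.append((c["name"], "certificate-authority", ca))
    for u in cfg.get("users", []):
        info = u.get("user", {})
        for field in ("client-certificate", "client-key", "tokenFile"):
            if field in info:
                found.append((u["name"], field, info[field]))
        if "exec" in info:
            found.append((u["name"], "exec.command", info["exec"]["command"]))
    # kubectl expands ~ against the user's home; mirror that with an assumed
    # home directory instead of the real $HOME so the result is deterministic.
    return [(o, f, home + p[1:] if p.startswith("~/") else p) for o, f, p in found]

def strict_access(field, path, home="/home/alice"):
    """Simplified model (an assumption, not snapd's full policy) of which
    interface a strictly confined snap would need to reach this path."""
    if field == "exec.command":
        return "host binary, not visible to a strict snap"
    if path.startswith(home + "/"):
        top = path[len(home) + 1:].split("/")[0]
        return "personal-files" if top.startswith(".") else "home"
    if path.startswith(("/media/", "/mnt/", "/run/media/")):
        return "removable-media"
    return "system-files"

def needed_interfaces(kubeconfig_text, home="/home/alice"):
    """Distinct access classes one kubeconfig would force the snap to request."""
    return sorted({strict_access(f, p, home) for _, f, p in referenced_files(kubeconfig_text, home)})
```

A single kubeconfig can thus pull in dotfiles, removable media, system paths and arbitrary host binaries at once, which is the practical argument for classic confinement made in this thread.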

Thanks @hollowman for the additional details

Understood the requirement: this snap needs to authenticate to k8s clusters running on the cloud and do security scanning, and for authentication it might need to run different cloud-specific binaries to fetch the k8s cluster details.

@advocacy can you please perform the required vetting?

thanks

Hi @0xnishit ! Any update about the reviewing? I don’t think the person (@advocacy) you mentioned exists…

Yeah, that would be @Igor

@hollowman can you please link to the official, upstream homepage for Kubescape?

Hi @Igor ! It’s https://github.com/kubescape/kubescape

+1 from me, I verified the publisher.

An update that I have changed the name into kubescape: https://snapcraft.io/kubescape

The requirement for classic confinement for kubescape is understood. @Igor has vetted the publisher. This is now live.

Thanks