
Kubernetes

Overview

Visualize and analyze Kubernetes resources, including pods, nodes, namespaces, and deployments. Monitor cluster health, track resource utilization, and ensure governance across Kubernetes environments. Detect vulnerabilities, optimize resource allocation, and ensure compliance with organizational policies and best practices for secure and efficient cluster management.

Configurations

| Configuration | Description |
| --- | --- |
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. |
| IAM Role ARN | The ARN of the IAM role that Kscope will assume to access the Kubernetes cluster. This role should have the necessary permissions to read cluster resources. |
| External ID | The external ID required to assume the IAM role for enhanced security. This is auto-generated and stored in Secrets Manager when you deploy the CloudFormation stack. |
| Region | The AWS region where your EKS cluster is hosted. |
| Cluster Name | The name of your Kubernetes (EKS) cluster to be monitored. |
| Enable CIS Kubernetes Benchmark | Enable this to run automated checks against the CIS Kubernetes Benchmark for security best practices. |
| Enable Vulnerability Scan | Enable this to scan the Kubernetes environment for vulnerabilities. |
| Data Crawl Frequency | The frequency at which Kscope should scan the cluster for resources (like pods, services, etc.). |
| Event Crawl Frequency | The frequency at which Kscope will crawl the account to monitor the cluster for events (like deployments, scaling, etc.). |

Permissions

The Kubernetes blueprint requires an IAM role with permissions to access your EKS cluster and read Kubernetes resources. The role uses a cross-account assume role pattern with an external ID for enhanced security, similar to the AWS blueprint.

Prerequisite: Enable EKS API Authentication Mode

The CloudFormation stack uses EKS access entries, which require the cluster's authentication mode to be set to EKS API and ConfigMap. Verify and enable this before deploying the stack.

Check current mode:

aws eks describe-cluster --name <cluster-name> \
--query 'cluster.accessConfig.authenticationMode' --output text

The output should be API_AND_CONFIG_MAP. If it is not, enable it:

Enable EKS API and ConfigMap mode:

aws eks update-cluster-config --name <cluster-name> \
--access-config authenticationMode=API_AND_CONFIG_MAP

Alternatively, enable it in the AWS Console under EKS → Cluster → Access → Authentication mode → EKS API and ConfigMap.

[!WARNING] Changing authentication mode is a one-way operation — you cannot revert to CONFIG_MAP once API mode is enabled.
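A preflight script, added here as an example (it is not part of the Kscope stack or its documentation), that folds the check and the enable step above into one run and waits for the cluster update to finish before the stack is deployed. It assumes a configured AWS CLI; the handling of the API-only mode reflects general EKS behaviour and is not something this page states.

```shell
#!/bin/sh
# Preflight for the Kscope Kubernetes blueprint (added example, not part of the
# stack). Reads the EKS authentication mode and performs the one-way switch to
# API_AND_CONFIG_MAP only when the cluster is still on CONFIG_MAP, then waits
# for the update to finish before the CloudFormation stack is deployed.
# Assumes a configured AWS CLI. Usage: sh eks-preflight.sh <cluster-name> [region]
set -eu

# Map the reported mode to an action (pure function, so it can be tested offline):
#   ok      API_AND_CONFIG_MAP, what the docs above expect
#   update  CONFIG_MAP, access entries are unavailable until the mode is changed
#   api     API only; access entries already work (EKS never goes back to CONFIG_MAP)
#   unknown anything else, fail loudly instead of guessing
auth_mode_action() {
  case "$1" in
    API_AND_CONFIG_MAP) echo ok ;;
    CONFIG_MAP)         echo update ;;
    API)                echo api ;;
    *)                  echo unknown ;;
  esac
}

main() {
  cluster="$1"
  region="${2:-${AWS_DEFAULT_REGION:-us-east-1}}"
  mode=$(aws eks describe-cluster --name "$cluster" --region "$region" \
           --query 'cluster.accessConfig.authenticationMode' --output text)
  case "$(auth_mode_action "$mode")" in
    ok)  echo "$cluster: authenticationMode=$mode, ready for the stack" ;;
    api) echo "$cluster: API-only mode, access entries work, nothing to change" ;;
    update)
      echo "$cluster: switching CONFIG_MAP -> API_AND_CONFIG_MAP (one-way change)"
      id=$(aws eks update-cluster-config --name "$cluster" --region "$region" \
             --access-config authenticationMode=API_AND_CONFIG_MAP \
             --query 'update.id' --output text)
      # Poll the update: the stack's access entries need the new mode to be active.
      status=InProgress
      while [ "$status" = InProgress ]; do
        sleep 10
        status=$(aws eks describe-update --name "$cluster" --update-id "$id" \
                   --region "$region" --query 'update.status' --output text)
      done
      echo "$cluster: update $id finished with status $status"
      ;;
    *)   echo "$cluster: unexpected authenticationMode '$mode'" >&2; exit 1 ;;
  esac
}

# Only run when a cluster name is given, so the helper can be sourced for tests.
if [ "$#" -gt 0 ]; then main "$@"; fi
```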

Deployment

Deploy the CloudFormation stack to set up all required IAM, EKS, and Kubernetes RBAC resources in a single click. No manual kubectl steps are required — the stack automatically applies the ClusterRole and ClusterRoleBinding via the Kubernetes API.

[!NOTE] The CloudFormation template manages the full lifecycle. Stack updates re-apply RBAC; stack deletion removes the ClusterRole, ClusterRoleBinding, and access entries.

Option 1: Quick Deploy

Launch Stack

Option 2: Manual Deployment

  1. Download the CloudFormation template kubernetes.yml
  2. Sign in to the AWS Management Console
  3. Navigate to CloudFormation
  4. Create a new stack and upload the template
  5. Enter the required parameters

Configuration Parameters

| Parameter | Description | Default |
| --- | --- | --- |
| ResourcePrefix | Prefix for all resource names (customizable for multiple deployments) | kscope |
| KscopeAccountId | The AWS account ID of the Kscope platform that will assume the IAM role. You can view this in the Kubernetes blueprint configuration page. | N/A |
| EKSClusterNames | Comma-separated list of EKS cluster names to grant access to. Use * to grant access to all clusters in the region. | * |

Infrastructure Created

The CloudFormation stack creates the following resources automatically, in dependency order:

  1. Secrets Manager secret — Auto-generated external ID stored as a JSON key/value pair ({"externalId":"..."}) for secure cross-account role assumption
  2. IAM managed policy — Scoped permissions to access EKS, EC2, IAM, and CloudWatch Logs resources for the specified cluster
  3. IAM role (crawler) — Cross-account role with external ID condition; Kscope assumes this role to crawl the cluster
  4. IAM role (setup Lambda) — Execution role for the one-time RBAC setup Lambda
  5. EKS access entry (crawler) — Maps the crawler IAM role to the kscope-kubernetes-crawler Kubernetes username
  6. EKS access entry (setup Lambda) — Grants the setup Lambda AmazonEKSClusterAdminPolicy to apply RBAC resources
  7. Lambda function — Applies the kscope-kubernetes-crawler ClusterRole and ClusterRoleBinding to the cluster during stack create/update/delete
  8. Kubernetes ClusterRole — Scoped read (and remediation patch) permissions for the crawler identity
  9. Kubernetes ClusterRoleBinding — Binds the ClusterRole to the kscope-kubernetes-crawler user

IAM Permissions

The IAM policy attached to the crawler role grants the following permissions:

  • EKS: eks:DescribeCluster, eks:ListClusters, eks:DescribeNodegroup, eks:ListNodegroups, eks:DescribeAddon, eks:ListAddons, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListUpdates, eks:DescribeUpdate
  • EC2: ec2:DescribeInstances, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:DescribeVolumes, ec2:DescribeNetworkInterfaces
  • IAM: iam:GetRole, iam:ListAttachedRolePolicies, iam:ListRolePolicies
  • CloudWatch Logs: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents, logs:FilterLogEvents (scoped to /aws/eks/* log groups)
  • STS: sts:AssumeRole (scoped to the crawler role itself, for credential refresh)

Resource Naming

All resources use the configurable ResourcePrefix parameter for naming:

  • IAM Role: {ResourcePrefix}-kubernetes-crawler-role-{Region}
  • IAM Policy: {ResourcePrefix}-kubernetes-crawler-policy-{Region}
  • External ID Secret: /{ResourcePrefix}/kubernetes-crawler/role/external-id
  • Setup Lambda: {ResourcePrefix}-k8s-setup-{Region}
  • Kubernetes ClusterRole / ClusterRoleBinding: kscope-kubernetes-crawler

Outputs

After deployment, the stack provides the following outputs:

  • RoleArn: The ARN of the IAM role to be assumed by Kscope
  • RoleName: The name of the IAM role
  • ExternalIdSecretArn: The ARN of the AWS Secrets Manager secret containing the auto-generated External ID
  • ClusterRegion: The AWS region where the EKS cluster is configured

Retrieving Configuration Values

To retrieve the External ID from AWS Secrets Manager:

  1. Using AWS Console:

    • Navigate to AWS Secrets Manager in the region where you deployed the stack
    • Find the secret using the ARN from the ExternalIdSecretArn stack output
    • Click "Retrieve secret value" and copy the externalId field
  2. Using AWS CLI:

    aws secretsmanager get-secret-value \
    --secret-id /<ResourcePrefix>/kubernetes-crawler/role/external-id \
    --query 'SecretString' --output text | jq -r '.externalId'

Kubernetes Permissions

The kscope-kubernetes-crawler ClusterRole created by the stack grants the following Kubernetes permissions:

Kubernetes Resources

  • read:namespaces
  • read:services
  • read:serviceaccounts
  • read:pods
  • read:replicasets
  • read:deployments
  • read:daemonsets
  • read:configmaps
  • read:nodes
  • read:persistentvolumes
  • read:persistentvolumeclaims
  • read:events

Kubernetes RBAC

  • read:clusterroles
  • read:clusterrolebindings
  • read:roles
  • read:rolebindings

KubeBench

  • read:namespaces
  • read:services
  • read:serviceaccounts
  • read:pods
  • read:replicasets
  • read:deployments
  • read:daemonsets
  • read:configmaps
  • read:nodes
  • read:persistentvolumes
  • read:persistentvolumeclaims
  • read:events

Remediation

  • patch:deployments
  • patch:statefulsets
  • patch:daemonsets
  • patch:pods
  • patch:jobs
  • patch:cronjobs
  • patch:replicasets
  • patch:roles
  • patch:clusterroles
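An added check (example code, not part of the Kscope stack) that confirms the binding applied by the setup Lambda gives the crawler identity exactly the scope listed above: it impersonates the kscope-kubernetes-crawler user with kubectl auth can-i, treats each read: entry as get/list and each patch: entry as patch, and includes negative controls for resources the list omits, such as secrets. It assumes kubectl is pointed at the cluster and that your own identity is allowed to impersonate users.

```shell
#!/bin/sh
# Added example (not part of the Kscope stack): confirm the crawler identity has
# exactly the Kubernetes scope documented above. Assumes kubectl is configured for
# the cluster and the caller is allowed to impersonate users.
# Usage: sh check-crawler-rbac.sh run
set -eu

CRAWLER_USER="kscope-kubernetes-crawler"   # username mapped by the EKS access entry

# Expectation table derived from the ClusterRole list: "verb resource expect".
# Assumption: a read: entry means get/list; a patch: entry means patch.
# The last three rows are negative controls for resources the list omits.
expected_checks() {
  cat <<'EOF'
get pods yes
list nodes yes
get clusterrolebindings yes
get events yes
patch deployments yes
patch statefulsets yes
patch clusterroles yes
get secrets no
create pods no
delete deployments no
EOF
}

# Compare the documented answer with the live one; prints an OK or FAIL line.
compare_check() {  # $1 verb, $2 resource, $3 expected yes|no, $4 actual yes|no
  if [ "$3" = "$4" ]; then
    echo "OK   $1 $2 -> $4"
  else
    echo "FAIL $1 $2 -> $4 (expected $3)"
  fi
}

# Ask the API server, impersonating the crawler user, and report every mismatch.
check_crawler_rbac() {
  expected_checks | while read -r verb resource expect; do
    # kubectl auth can-i prints yes/no and exits 1 on "no"; treat errors as a denial.
    got=$(kubectl auth can-i "$verb" "$resource" --as="$CRAWLER_USER" 2>/dev/null || true)
    [ "$got" = yes ] || got=no
    compare_check "$verb" "$resource" "$expect" "$got"
  done
}

if [ "${1:-}" = run ]; then
  out=$(check_crawler_rbac)
  echo "$out"
  if echo "$out" | grep -q '^FAIL'; then exit 1; fi
fi
```

Any FAIL line means the live ClusterRole differs from the documented one, either too broad (a negative control answered yes) or too narrow (a crawler permission answered no).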

Remediation

The Kubernetes blueprint supports generating manifest patches for security and configuration remediations. Patches are generated but NOT automatically applied — they require human review and execution via kubectl.

Supported Remediation Types

| Type | Description |
| --- | --- |
| pod-security | Fix pod security context issues (runAsNonRoot, capabilities, seccomp profiles) |
| resource-limits | Add or update CPU/memory requests and limits |
| rbac | Modify Role/ClusterRole rules |
| custom-patch | Apply user-provided strategic/JSON/merge patches |

Example: Apply Generated Patch

After remediation generates a patch, apply it using kubectl:

# Example: Apply pod security patch
kubectl patch deployment my-app -n default --type=strategic -p '{"spec":{"template":{"spec":{"containers":[{"name":"app","securityContext":{"runAsNonRoot":true}}]}}}}'

For more details on Kubernetes RBAC, refer to Using RBAC Authorization.

Schema Model

| Resources | Source Entity | Normalized Entity | Description |
| --- | --- | --- | --- |
| Kubernetes Cluster | kubernetes.cluster | Cluster | A Kubernetes cluster entity. |
| Kubernetes Cluster Details | kubernetes.cluster.Cluster | ClusterDetails | Detailed information about a cluster. |
| Kubernetes ConfigMap | kubernetes.cluster.ConfigMap | ConfigMap | A Kubernetes ConfigMap resource. |
| Kubernetes Container | kubernetes.cluster.Container | Container | A container running in Kubernetes. |
| Kubernetes DaemonSet | kubernetes.cluster.DaemonSet | DaemonSet | A DaemonSet resource in Kubernetes. |
| Kubernetes Deployment | kubernetes.cluster.Deployment | Deployment | A Deployment resource in Kubernetes. |
| Kubernetes Namespace | kubernetes.cluster.Namespace | Namespace | A namespace within a Kubernetes cluster. |
| Kubernetes Node | kubernetes.cluster.Node | Node | A node within the Kubernetes cluster. |
| Kubernetes PersistentVolume | kubernetes.cluster.PersistentVolume | PersistentVolume | A persistent volume resource. |
| Kubernetes PersistentVolumeClaim | kubernetes.cluster.PersistentVolumeClaim | PersistentVolumeClaim | A claim for a persistent volume. |
| Kubernetes Pod | kubernetes.cluster.Pod | Pod | A pod running in Kubernetes. |
| Kubernetes ReplicaSet | kubernetes.cluster.ReplicaSet | ReplicaSet | A ReplicaSet resource in Kubernetes. |
| Kubernetes Service | kubernetes.cluster.Service | Service | A service in Kubernetes. |
| Kubernetes ServiceAccount | kubernetes.cluster.ServiceAccount | ServiceAccount | A service account in Kubernetes. |
| Kubernetes KubeBench | kubernetes.kubebench | KubeBench | Security benchmarking output. |
| Kubernetes KubeBench Output | kubernetes.kubebench.Output | KubeBenchOutput | Output from the kube-bench tool. |
| Kubernetes KubeBench Controls | kubernetes.kubebench.Controls | KubeBenchControls | Security controls from kube-bench. |
| Kubernetes KubeBench Group | kubernetes.kubebench.Group | KubeBenchGroup | A group of related kube-bench checks. |
| Kubernetes KubeBench Check | kubernetes.kubebench.Check | KubeBenchCheck | An individual check result. |
| Kubernetes Scan Document | kubernetes.ScanDocument | ScanDocument | A scan document for a cluster. |
| Kubernetes Image Scan | kubernetes.ImageScan | ImageScan | Results of an image scan. |
| Kubernetes Resource Scan | kubernetes.ResourceScan | ResourceScan | Scan results for a specific resource. |
| Kubernetes Control | kubernetes.Control | Control | A security control in the scan results. |
| Kubernetes Rule | kubernetes.Rule | Rule | A specific rule for compliance or security. |
| Kubernetes Vulnerable Package | kubernetes.VulnerablePackage | VulnerablePackage | A package identified as vulnerable. |
| Kubernetes Vulnerability | kubernetes.Vulnerability | Vulnerability | A vulnerability identified in the scan. |

Events

| Event | Description |
| --- | --- |
| FailedScheduling | Indicates a pod could not be scheduled due to insufficient resources or constraints. |
| SuccessfulCreate | Indicates a resource, such as a pod or deployment, was successfully created. |
| RegisteredNode | Signals that a new node has been added and registered with the cluster. |
| LeaderElection | Denotes that a component has successfully assumed the role of the leader in a high-availability setup. |