Integrate with Kubernetes

This guide will walk you through the process of creating Kubernetes Credentials, regardless of how your Kubernetes Cluster is deployed, to authenticate with Kubernetes Tools in the Method Platform.


Summary: The Method Platform enables authenticated scans of your Kubernetes Clusters in two ways. The first applies to AWS-hosted Kubernetes Clusters (EKS) and the second uses a Kubernetes Service Account. Read below for further instructions.

Authenticating with an AWS EKS Cluster using AWS Credentials

  1. Follow the workflow outlined under credentials/aws to create an AWS Credential in the Method Platform.

  2. Now that you have an AWS Credential, whenever you run a task that involves a K8s Tool, place the AWS EKS Creds tool at the top of the task. This creates a short-lived K8s Cluster Token that allows authenticated enumeration of the K8s Cluster.

AWS Credential Scope

The AWS Credential that generates the short-lived K8s token must be scoped to view the EKS Cluster Resources for this workflow to work.

Authenticating with a K8s Cluster using a Service Account

If your Cluster is deployed on-prem or you don't want to use the AWS Credential authentication functionality, Method provides straightforward steps to generate a Service Account and Service Account Token via the MethodK8s CLI.

Download the MethodK8s CLI

  1. Navigate to the Method-Security GitHub Organization and click on the methodk8s repository.

  2. Follow the Quick Start steps in the README.md to get up and running.

Create a K8s Service Account

  1. If you don't want to use the MethodK8s CLI to create a Service Account, or you already have one with a Cluster-wide read-only scope, skip to the next section.

  2. Ensure your .kube/config is set to the K8s Cluster you want to enumerate and that you have the correct permissions necessary to create a Service Account with a Cluster wide read-only scope.

  3. Run the command below to print the .yml config files to the console. Don't worry, this only prints the configuration files and doesn't perform any actions (yet)!

methodk8s serviceaccount configure apply

  4. If you want the CLI to apply the .yml files for you, run the same command with the --run flag appended.

methodk8s serviceaccount configure apply --run

MethodK8s Namespace Flag

Method lets you set the namespace the Service Account is deployed in via the --namespace flag. By default, it is configured in the default namespace.
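Before the Service Account Token is stored outside the cluster, it is worth confirming that the account really is read-only. The script below is an added example, not part of the MethodK8s CLI or Method's documentation; it uses kubectl impersonation to ask the API server what the account may do. The service account name is not given on this page, so it is passed as an argument, the resource lists are illustrative assumptions, and the caller needs permission to impersonate service accounts.

```shell
#!/bin/sh
# Added example: confirm a service account is read-only before its token is
# stored in a third-party platform. Uses impersonation, so the caller needs
# permission to impersonate service accounts (cluster-admin has it).

# can_i NAMESPACE SA VERB RESOURCE -> exit 0 if the API server answers "yes".
can_i() {
    ans=$(kubectl auth can-i "$3" "$4" --all-namespaces \
        --as="system:serviceaccount:$1:$2" 2>/dev/null || true)
    [ "$ans" = "yes" ]
}

# check_readonly_sa NAMESPACE SA -> exit 0 only if reads work and writes fail.
check_readonly_sa() {
    ns=$1 sa=$2 rc=0
    # Reads an enumeration scan depends on should be allowed cluster-wide
    # (illustrative list, an assumption of this example).
    for res in pods nodes namespaces; do
        if ! can_i "$ns" "$sa" list "$res"; then
            echo "FAIL: cannot list $res"; rc=1
        fi
    done
    # Mutating verbs must be denied on workloads, secrets and RBAC objects.
    for verb in create update patch delete; do
        for res in pods deployments secrets clusterrolebindings; do
            if can_i "$ns" "$sa" "$verb" "$res"; then
                echo "FAIL: can $verb $res"; rc=1
            fi
        done
    done
    # Reading secrets still counts as read-only; report it so it is a
    # conscious choice. It does not change the exit status.
    if can_i "$ns" "$sa" get secrets; then
        echo "NOTE: can read secrets in every namespace"
    fi
    return $rc
}

# Usage: sh check_sa.sh <namespace> <service-account-name>
if [ "$#" -eq 2 ]; then
    check_readonly_sa "$1" "$2"
fi
```

A non-zero exit status means the account is either missing a read the check expects or holds a write permission it should not have.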

Create a K8s Credential in the Method Platform

  1. Ensure your .kube/config is set to the K8s Cluster you want to enumerate.

  2. Using the CLI you downloaded in the section above, run the command below. This prints to the command line the values to input into the Method Platform.

methodk8s serviceaccount configure creds

  3. Once you have those values, navigate to the Method Platform.

  4. Go to Environments, and select the desired Environment.

  5. In the top right, click on Add Credential.

  6. Click the drop-down menu and select Create K8s Credential.

  7. Input the values that were printed to the command line.

  8. You’re all set!