Skip to content

In-Cluster Execution

For in-cluster execution, you can use the supplied yaml files inside /kubernetes:

They can be used to run Prowler as a job within a new Prowler namespace:

kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns --> prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
Note

By default, prowler will scan all namespaces in your active Kubernetes context. Use the --namespace flag to specify the namespace(s) to be scanned.

Identifying the cluster in reports

When running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default.

To uniquely identify the cluster in logs and reports, you can:

  • Use the --cluster-name flag to manually set the cluster name:
    prowler -p kubernetes --cluster-name production-cluster
    
  • Or set the CLUSTER_NAME environment variable:
    env:
        - name: CLUSTER_NAME
          value: production-cluster