
Prowler App

Step 1: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Cloud Providers”
  3. Click “Add Cloud Provider”
  4. Select “Kubernetes”
  5. Enter your Kubernetes Cluster context from your kubeconfig file and optionally provide a friendly alias

Step 2: Configure Kubernetes Authentication

For Kubernetes, Prowler App uses a kubeconfig file to authenticate. Paste the contents of your kubeconfig file into the Kubeconfig content field. By default, the kubeconfig file is located at ~/.kube/config.

Step 3: Additional Setup for EKS, GKE, AKS, or External Clusters

If you are adding an EKS, GKE, AKS or external cluster, follow these additional steps to ensure proper authentication.

Make sure your cluster allows traffic from the Prowler Cloud IP address 52.48.254.174/32.
  1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the kubernetes directory of the Prowler repository):
    kubectl apply -f kubernetes/prowler-sa.yaml
    kubectl apply -f kubernetes/prowler-role.yaml
    kubectl apply -f kubernetes/prowler-rolebinding.yaml
    
  2. Generate a long-lived token for authentication:
    kubectl create token prowler-sa -n prowler-ns --duration=0
    
    • Security Note: The --duration=0 option generates a non-expiring token, which may pose a security risk if not managed properly. Choose an appropriate expiration time based on security policies. For a limited-time token, set --duration=<TIME> (e.g., --duration=24h).
    Important: If the token expires, Prowler Cloud can no longer authenticate with the cluster. Generate a new token and remove and re-add the provider in Prowler Cloud with the updated kubeconfig.
    Token Expiration Limits
    When the Kubernetes cluster has --service-account-max-token-expiration configured, any token requested with a duration exceeding the maximum allowed value (including --duration=0) is automatically reduced to the cluster’s maximum token expiration time. As an alternative, create a legacy Secret manually. Although Kubernetes no longer creates these secrets automatically, manual creation and linking to a ServiceAccount is still supported. These tokens do not expire until the secret or ServiceAccount is deleted.
    Steps:
    1. Create a secret-sa.yaml file (or any preferred name) with the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: prowler-token-long-lived
        namespace: prowler-ns
        annotations:
          kubernetes.io/service-account.name: "prowler-sa"
      type: kubernetes.io/service-account-token
      
    2. Apply the secret:
      kubectl apply -f secret-sa.yaml
      
    3. Retrieve the token (which will be permanent):
      kubectl get secret prowler-token-long-lived -n prowler-ns -o jsonpath='{.data.token}' | base64 --decode
      
  3. Update your kubeconfig to use the ServiceAccount token:
    kubectl config set-credentials prowler-sa --token=<SA_TOKEN>
    kubectl config set-context <CONTEXT_NAME> --user=prowler-sa
    
    Replace <SA_TOKEN> with the generated token and <CONTEXT_NAME> with the kubeconfig context name of your EKS, GKE or AKS cluster.
  4. Add the modified kubeconfig in Prowler Cloud and test the connection.
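Because a --duration=0 request can be silently shortened to the cluster maximum while a legacy Secret token carries no expiry at all, it is worth reading the actual expiry off the token before pasting it into the kubeconfig. The script below is an added example, not Prowler's own tooling; the sample token is constructed and unsigned, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of Prowler): inspect a ServiceAccount token before it goes
# into the kubeconfig. SA tokens are JWTs; tokens from `kubectl create token` carry an
# "exp" claim, while legacy Secret tokens (kubernetes.io/service-account-token) have none.

# Decode one base64url JWT segment: restore the standard alphabet and the '=' padding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the "exp" claim (Unix seconds) of a JWT, "none" when the token never expires;
# return 1 when the payload is not decodable.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  json=$(b64url_decode "$payload")
  [ -n "$json" ] || { printf 'invalid'; return 1; }
  exp=$(printf '%s' "$json" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
  printf '%s' "${exp:-none}"
}

# Classify a token relative to "now" (Unix seconds, default: current time) with a
# warning window (seconds, default 24h): non-expiring | expired | expiring | ok | invalid.
token_status() {
  now=${2:-$(date +%s)}
  warn=${3:-86400}
  exp=$(jwt_exp "$1") || { printf 'invalid'; return 1; }
  if [ "$exp" = none ]; then printf 'non-expiring'
  elif [ "$exp" -le "$now" ]; then printf 'expired'
  elif [ $(( exp - now )) -lt "$warn" ]; then printf 'expiring'
  else printf 'ok'
  fi
}

# Constructed, unsigned sample token (header.payload.signature) for offline use only.
sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","kid":"constructed"}' | base64 | tr -d '\n=' | tr '+/' '-_')
  pl=$(printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_')
  printf '%s.%s.%s' "$hdr" "$pl" "constructed-signature"
}

# With a real token: token_status "$(kubectl create token prowler-sa -n prowler-ns --duration=0)"
```

If the result is "expiring" or "expired" right after a --duration=0 request, the cluster's --service-account-max-token-expiration has capped it and the legacy Secret route above is the one to use.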

Prowler CLI

Non In-Cluster Execution

For execution outside the cluster environment, specify the location of the kubeconfig file using the following argument:
prowler kubernetes --kubeconfig-file /path/to/kubeconfig
If no --kubeconfig-file is provided, Prowler uses the default kubeconfig file location (~/.kube/config).
Prowler scans the active Kubernetes context by default. Use the --context flag to specify the context to be scanned.
By default, Prowler scans all namespaces in your active Kubernetes context. Use the --namespace flag to specify the namespace(s) to be scanned.

In-Cluster Execution

For in-cluster execution, use the supplied YAML files inside the /kubernetes directory. They run Prowler as a Job within a new Prowler namespace:
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns   # note the pod name, e.g. prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
By default, Prowler scans all namespaces in your active Kubernetes context. Use the --namespace flag to specify the namespace(s) to be scanned.

Identifying the cluster in reports

When running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default. To uniquely identify the cluster in logs and reports:
  • Use the --cluster-name flag to manually set the cluster name:
prowler -p kubernetes --cluster-name production-cluster
  • Or set the CLUSTER_NAME environment variable:
env:
    - name: CLUSTER_NAME
      value: production-cluster